ARIN 53 Public Policy and Members Meeting, Day 2 Transcript - Tuesday, 16 April 2024

This transcript may contain errors due to errors in transcription or in formatting it for posting. Therefore, the material is presented only to assist you, and is not an authoritative representation of discussion at the meeting. If additional clarification and details are required, videos from our original webcast are available on our YouTube channel.

Opening and Announcements

Hollis Kara: Welcome back, everybody.

We’re happy to have you here today for day two of ARIN 53. I am Hollis Kara; you met me yesterday. You’re gonna see me a lot again today, welcoming a lot of folks on the stage. So let’s go through a few reminders before we get things started.

First of all, if we could get a round of applause for our elected volunteers, our Board of Trustees, Advisory Council and Number Resource organization Number Council members.


These folks fill vital roles in the ARIN community. And we couldn’t do the work that we accomplish without them.

For those of us who are just tuning in today, a couple of quick reminders about the virtual meeting. If you are joining us online, you may use Chat to converse with your fellow virtual attendees.

But when we come to the open discussion points in the agenda, please be sure to use Q&A so that we can read those into the room as part of the discussion.

If you’re typing a lengthy comment, feel free to raise your hand so we know you’re typing, so we can wait for your question to come through. I do recommend that if you have a question that comes to mind early in the presentation, you go ahead and get that typed in and queued up just to help keep things moving.

Our Virtual Help Desk is open. It will remain open until 9:30. If you need help with anything stop by. Des will be happy to help you out. If you like our visuals at the meeting, feel free to pop into the Help Desk and tell Des you think he’s cool, because he’s the one who made all the neat stuff for our branding this meeting. Sorry, Des.

Hopefully we won’t have another fire drill today, but as with yesterday, if Zoom disconnects, switch to the livestream. We’ll keep you apprised when Zoom will be available to rejoin. If you cannot access Zoom or the livestream, keep an eye on your email. We will be updating you on when we will be back in the water so that you can rejoin virtually.

For my in-person folks, you’re welcome to join the Zoom. Please make sure that you’re disconnected from audio and your device is muted so that nothing weird happens. But you’re quite welcome to join there and talk to our virtual attendees if you like.

When we get to question-and-answer sessions or other discussion points in the agenda, please remember, if you’re joining us virtually, that you need to provide your name and affiliation at the beginning of your questions or comments. If you’re approaching the microphone in the room, also please lead with that information. Try to speak slowly and clearly.

Today let’s see if we can get a little bit closer to the microphone and work on using our big voices because it was hard yesterday for some of our online attendees to make out some of what was being said in the room.

Wi-Fi information, if you haven’t found it already, it’s on the registration desk outside, for those who are here.

We’re livestreaming. Presentations are up on the Meeting Materials page. If you prefer to download those or open them up in your browser to take a look at those rather than following along on the screen, you’re welcome to do that. Some of the detailed slides can be a little hard to follow. And a live transcript is also available if you need that.

And then we get back to thank yous. First to our Network Sponsor, C&W Business. If we could get a round of applause.


Our Bronze Sponsor, IPv4.Global by Hilco Streambank.


And, of course, absolutely vital, our Webcast Sponsor, Google.


Standards of Behavior are still in effect.

Everybody did a good job of being on their best behavior yesterday, so I’m looking forward to another day of congenial conversation as we work through our agenda. Just be reminded.

And if you have a question or concern, please, for those who are here on site, direct yourselves to the signs at the front of the room – maybe during the break; it would look a little bit weird while things are going on – but you can find information to contact any of our designated individuals who can assist you with a report of a complaint or concern. Similarly, if you’re joining us online and you encounter an issue, that information is available on the ARIN 53 website as well.

What’s on the agenda? We’re going to kick off the morning strong with some updates from ARIN. We’ve got Engineering, Information Security, Routing Security and updates from our 2023 grant recipients.

We’ll take a break and come back with some interesting reports. We’ve got an update from the Number Resource Organization RPKI Program Manager. It will be a great opportunity for her to introduce herself to you and hear a little bit about what’s going on in that space.

And then we’ll have updates from all four of the other RIRs, break for lunch. We’ll come back. We’ve got five policies on the docket today. So get your thoughts in order and your questions and comments ready.

We’ll have a short update on plans for training initiatives here in 2024. And then our Chief Customer Officer’s update, a break, a Legal update, a final open microphone, and then we’ll be done for the day.

So with that I’d like to welcome our first speaker, Mark Kosters, our CTO, to give an Engineering update.


Engineering Update

Mark Kosters: First, I’m going to put the mic lower. Second of all, can you see me?

Everyone can see me, right?


I am short. And the third thing, I want to tell you guys something. I’ve been working here for ARIN for, I don’t know, a bazillion years, and this is the first for me. I’ve never spoke first on a Tuesday morning.

So, I’m kind of nervous. So, if you all could just help me out, from time to time, I don’t know, act confused, look around, I don’t know. We’ll figure this out together. I might be confused myself. We’ll see.

All right, so let’s go ahead and get started with the Engineering Update here. And that’s me. And what I want to talk about are the services that ARIN provides. I think a lot of people don’t know all the things that ARIN does.

And one of the things that we had in a security audit many years ago, is people said, wow, you have a pretty substantial attack surface because of all the services ARIN has. And each service that ARIN provides is a potential attack surface.

We worked through that, and the audit went just fine. But one of the things I wanted to do is share this with you, so you sort of understand all the services we have.

Give you some statistics of some of the services that we have, software releases and improvements we’ve made since the last time we spoke, and the challenges, and what’s next.

Can everyone hear me just fine? Can people hear me remotely?

Okay. Let’s talk about the services that ARIN provides. Everyone knows about RPKI. That’s Brad’s baby, Brad Gorman’s baby. Wait, we have a bunch of things that’s going on there.

So, you had the provisioning aspect. And you have all the ways that you provide access to the data that RPKI has. It has multiple ways of doing it. And essentially you have two ways of disseminating the information – rsync, which is a really old protocol; and then you have this other protocol called RRDP that you can actually use. Again, multiple ways of having an attack surface there, but it’s all okay.

We have ARIN Online. Okay, who here has not used ARIN Online? I see one hand. Does everybody here, have they logged in before? Has everybody logged in before? I’m looking. Okay. Good, good.

Thank you. I know it’s Tuesday morning, after Monday night.

All right. Who here has 2FA on their accounts? All right, I’m seeing more hands. So, if you logged in, you have 2FA. If you logged in years ago, and say you have an ARIN account and haven’t logged in lately, go ahead and log in. Try now. See if it works. Let me know if you have 2FA after you’re finished.

All right. So that’s another thing we have. A part of that is we have a RESTful provisioning API that a lot of people use. And we’ll see a graph showing its use here shortly.

Email templates, which are going away – so this is one of the things I’m really excited about.

When I started doing this work in 1993, that was state of the art. No, I take that back. I started doing this stuff in 1991. That was state of the art, man, doing templates. There’s nothing better.

But that’s gone now, and I’m very happy to see it go. And, of course, we have lots of reports that come out of this – Whowas, Bulkwhowas, Bulkwhois, Whowas, et cetera.

Directory services, we have essentially three ways to share the same data. We have Whois, which is off of Port 43, which is a traditional port for Whois, which is a very old protocol. It’s actually older than me.

There’s Whois-RWS, which works off of port 80 and 443. So, HTTP and HTTPS for those who don’t like the numbers. And Registration Data Access Protocol, RDAP, which also works on port 80, HTTP, and 443, HTTPS.

So, then you have the DNS. It works off of port 53. And you have the IRR that works off of various ports, some of which I can’t remember, and email.

So those are the things we basically have that are publicly available. Am I missing any?

Looking around, I’m not seeing anything. Good.

Let’s talk about other services we have. We have the Mailing List. We have the ARIN website. We have the Vault, which has all the historical information.

And then we have an OT&E environment. This is a place for you to test and make sure that your RPKI stuff that you’re going to do is going to work. And you could actually do this test in a place where it won’t impact production.

So, a lot of people have taken advantage of this. A lot of people are using in as sort of a canary to make sure their services work in production, which is fine. But it’s out there for everybody as well.

And we have FTP. Hint, hint, hint, I’d like to see this go away. Hint, hint, hint, I’d like to see this go away some day. This is really old protocol. And of course, ARIN Online.

Other things that we have internally, So we have ARIN Online staff interface; we call it Management. We do security and performance monitoring – I’m going around clockwise – cloud-based tools that we have out there as well.

And then we have a bazillion environments. So, we have basically everyday tests that go on. We have long-running tests. We have regression tests. We have burn-in tests. And all these things require different environments.

So, within engineering, we may have one external environment, which we also have a mirror of that internally to test. But we also have various other environments that we do as part of our testing for the framework to make sure that when we put these services out there, they’re good to go.

Email, analytics and infrastructure tools. And infrastructure tools – who here uses things like Atlassian products, like Confluence and Jira? There’s a lot, right? And actually, ARIN is one of the places that uses these tools, too. And it’s quite heavyweight but it does a great job for tracking things within our organization.

Statistics: Okay, Here we go. Boy, this looks pretty consistent. These are the number of people that come in to ARIN Online and set up new accounts. And we have, on average, 12 to 13,000 every year that come in and set up new accounts. Hey, that’s great.

So, this year, it’s kind of interesting.

That number’s gone down just a bit, and we’ll see what happens by the end of the year or in the fall meeting and see if this actually continues or not. I thought it was sort of interesting as I was putting together the numbers, that the numbers that we have in 2024 are very similar to the numbers that we had in 2008.

Here we have ARIN Online logins. There’s a few people, I’ve said this many times, that come into ARIN and say, “Wait a minute, what am I doing, I don’t need this.” They log in once and they’re done.

There’s a lot of people that get to that state.

But as we go on through this, as we do this report historically, more and more people are going into the 16-plus category. And I think I need a revision this in the future to show a different way of showing how people are progressing through their ARIN Online accounts.

MFA: This is mandatory for ARIN. And you can see what people choose to use here. And, of course, you have TOTP as being the main sort of useful two-factor authenticator to use. And actually, that’s my favorite as well.

So that’s what I use for my various other accounts. I personally will never log into a bank if they do not have 2FA or MFA. I will not use that bank. And, likewise, ARIN has done the same thing. You can see here that FIDO2 has a little bit, that there’s a significant amount of SMS. And, of course, the majority is actually TOTP.

Provisioning transactions: I sort of alluded to this earlier. More and more people are going from templates to RESTful interface. You can see that number starting to climb for RESTful. This will be the last time I show this slide. I’m very happy because next time there will be no templates. So, there’s no need to actually show this.

Whois and Whois-RWS: So I talked a little bit earlier about the different sort of directory services we offer, right? And we have three tools that do the same thing, and they all have their various vintages.

Whois actually comes from the 1980s.

Whois-RWS came from the mid-2000s – actually a little bit later, more like 2008. And what Whois-RWS is, is basically a web form of Whois, and it’s in a structured format. But you can see that Whois has a tremendous amount of traffic. You can see here that we’re close to the top in terms of number of queries we serve. And we end up serving about 5,000 queries per second on our Whois cluster. That’s a good number.

Whois-RWS shows about a thousand. It’s a newer protocol. People don’t use it as much. It’s actually fully featured. Has all the features plus more than Whois. But people just like using Whois, mainly to do scraping, I presume, and for other uses.

Here’s RDAP. And one of the things I noticed after I put this together, I didn’t use the same sort of criteria, the queries per second, on the side. But it’s much lower. RDAP has the newest protocol. It doesn’t have all the features. And we’re going to be talking about this shortly, what features we need to add yet. But it’s starting to grow as well.

I actually wrote down the numbers because I’m getting old and I forget things like this, but we have right now IPv4 on RDAP is approximately 250 queries per second, Whereas the v6 equivalent is 35 per second.

This also gives the differentiation. We have dual stack for everything, and it gives you an idea who is coming over IPv4 and IPv6. This is sort of an illustrative sort of thing. And you can see the earlier spikes, and those are essentially abuse that we tamped down. And occasionally we see abuse now and we take care of it.

But we actually have some pretty good tools in place that I talked about earlier. A concept called tar pitting, for example, if you come at us with a lot of queries per second, we’ll actually slow you down be saying, “Here’s your threshold, and anything over that threshold will slowly eek it out over a period of time.” So, you’ll still get your answers, but you won’t get them as fast as you perhaps wanted. But that also keeps the other parts of the general public continuing to have access to that service.

DNS, giving you a different color here.

Hopefully it wakes you up. I saw a lot of people pop their eyes up out of their screens on that one.

Here you have, basically, people that are coming in and looking at our DNS cluster. It’s just normal. It is normal traffic. Most of the traffic is PTR queries, which is the yellow on the bottom graph.

The top graph basically shows you how many queries per second that we have, which is essentially 10,000 per second.

All right. So, I just wanted to show that to you to show you, “Hey, here’s some of the traffic that we serve.” And this is a primary traffic maker for ARIN.

Releases and improvements: Secure routing enhancements. We had some user interface improvements since the last meeting. The RIR Object, which was accidentally taken away was actually added back into the interface for route and route6 lists. And I think Brad may be talking about that more.

Transfers, when we started up this thing about transfers, we were, like, “We don’t know how many transfers there are going to be, so we aren’t sure exactly how much we should automate it.”

When we first set it up, we thought, “Hey, we should be kind of conservative with this and maybe we’ll just ad hoc these things into the database.” And ad hocking things in the database, we test every sort of non-automated way of putting things into the database. We test it before we actually put it in production.

But it’s actually an arduous process, it’s more than one and two. And we’re seeing there’s a lot more AS’s that are transferred from Internet registry to Internet registry.

Here we decided to actually automate this, so it’s no longer potentially error prone and actually put into the system, and also frees up some DBA time.

We have Open-Source Template Processor, which was released after this meeting. For those who are stuck on the email templates and have to do something, this gives them an out, so that you can still do templates locally. But if you use this really cool tool, it will actually translate that into a RESTful API and send it out to us.

Ongoing. We continue to have SOC 2 audits; Christian going to be next to talk more about that. And we’re actually going to be increasing this. I’m taking this away, aren’t I, Christian?

We have PCI audit, which is a regular occurrence as well. And what this means is ARIN has to make sure that systems are up to date, that are under support, and make sure that we have everything really tamped down. We have lots of auditing put into place to make that happen.

We’ve also done lots of reduction of technical debt. And we have had a large focus on that in the last six months. So, there’s been a lot of work that we’ve been using.

And technical debt is always here. Every organization has this that’s dealing in the computer industry – whether it be hardware, software, whatever. It’s something we continually have to work on. And we’re making our provisioning systems more highly available. And we’re going to Kubernetes, which I think is the next slide.

System improvements, end-of-life boxes, we keep on getting rid of them. We’ve rolled out new hardware to our public-facing sites.

If you go now to our systems, they used to be bare metal boxes, essentially OS on a particular box. And then the application like Whois and Whois-RWS would run on top of it.

We’re now gone to a virtualized instance with a pretty heavy duty hardware out there. So, this is a big undertaking that’s been accomplished. And what I like about it is none of you all noticed, hopefully. Anyone notice? Good.

So, one of the things we’re doing with this is we’re using Red Hat OpenShift to make these things happen.

What’s next and challenges. Geolocation within RDAP. So, one of the things that’s happened over time, and there’s been multiple – there’s been a number of suggestions dealing with geolocation – is, “Hey, how are we…” – and there’s people asking ARIN – “Hey, is there a way that you can actually tell us who has what IP address at what location?”

And this is something that people in IETF have been working on, and there’s an engineering office and myself, Jasdip, who have been looking at this and going, “Hey, there’s a way of doing this that doesn’t really involve ARIN so much.”

Before you were looking at this and saying, “ARIN should hold all this geolocation stuff for all these IP addresses.” And that seems to be outside the realm of possibility for ARIN.

We started looking around. There’s an RFC, 9092, which describes how IP addresses can be sort of defined in terms of geographic location, and how to use them and how to find out about them. And the big thing is discovery; is “Where do I find these things for this particular ISP?”

That’s where RDAP comes into question. Is RDAP can say, “Hey, this set of IP addresses is operated by this particular ISP or enterprise, and this is how you find out what the geolocations of those IP addresses are.” You basically pull down a CSV file and off you go.

So, this is going through the IETF process right now. It’s on version 4. I think we’re close to finished. And this will be a standard sometime very soon.

RIPE is actually very interested about this.

This is something they’re excited about, as well as APNIC. And the rest of the regional registries will also be going onboard with this as well as we work on working on a common interface for directory services in the future, using RDAP.

What’s coming up ahead? Secure routing enhancements, more RPKI integration with RPKI, more routing intelligence with IRR – and Brad will be talking more about that soon. Email template retirement, talked about that; a new fee calculator or estimator – I think John Sweeting has mentioned before. And this is future fee changes based on Board action. There’s a consultation out there right now. We’ll see what the results are. And depending on what the results are we’ll go ahead and make changes.

Standards work, we are working on IETF on standards that impact ARIN and we’re working mainly in two areas – RDAP with directory services and, of course, RPKI. And on RDAP, we have a couple of areas that are not – with these two areas that I’m going to talk about in a moment – RIR search and reverse search. When these two concepts are done, there will be full-feature parity between Whois and RDAP. That means that you can actually use RDAP for doing anything that you’re using Whois today, and hopefully in an easier way.

And this is something that hopefully is an aspirational goal, that each Internet regional registry will be doing this. And, by the way, all domain registries are going to be doing this as well. So, they’re under contract with ICANN to actually push out RDAP.

Whois, it’s a loss leader for them. I don’t know how long they’ll keep it up. But that’s something that probably will go by the wayside for domain registries. So, we’re going to start seeing more and more people starting to use this.

Ongoing, SOC 2 audits, broadening ARIN Online starting Q4 of this year. We have a recurring PCI audit that happens. We have lots of internal tools that we keep updating. And, of course, reduction of technical debt.

So here we have our challenges over time.

And in the previous meetings before ARIN 51, there were a lot of operational things. One was, “Man, people are really using Whois, and it’s really kind of hurting us.” And we really need to work on tamping that down.

“Why are people hitting us?” Well, people are using us for various reasons. Security firms were using us. Who knows what else? But as time went on, you could see that we have more and more things being added to the list. Of course you can just read this list.

But the big thing that we have here that’s been added is our production site for provisioning is at a colo, but its backup facility and all our internal tools I talked about earlier - all the various environments, development environments and stuff like that - are all in the computer room in our office.

And so, there’s a move underway to actually put this out and put it in a colo someplace in the DC area and remove this computer room from our office space. This is something that, there’s a lot of facilities overhead that has to be done. We have lots of AC challenges that happen and other things that go on within that room as well. So, it would be a welcome sort of thing to see that computer room move.

That’s a big challenge because ARIN has to keep on running. You can’t just take it down for three weeks to move your equipment. So that’s something that we’ve done before as we moved to our current office space, and we’ll do again moving to the colo.

So, with that, I am finished. Is there any questions?

Hollis Kara: Folks, if you have questions for Mark, please feel free to approach the microphone if you’re here in the room or start typing if you are online.

Adair Thaxton: Adair Thaxton, Internet2. You said that RRDP is adding geolocation. How does this work with yesterday’s objections to Recommended Draft Policy 2023-4? And people had stated privacy concerns with adding the geolocation for some people.

Mark Kosters: Okay. Okay. Just to make sure – we’re full of acronyms here, right? I think you said RRDP. I think you meant RDAP.

Adair Thaxton: I did.

Mark Kosters: Okay. So, RDAP is a directory service protocol. And it does give geographic information. All ARIN does is give the location where that file is that an ISP maintains. If an ISP decides not to serve that data, they don’t have to.

It basically removes that sort of constraint, if you will, from us to whoever is providing that service. Hopefully that answers your question. Excellent. Okay, next.

Hollis Kara: We have one question online.

Beverly Hicks: Matthew Collins, from DgtlFutures and ARIN 52 Fellow. Regarding geolocation are we talking about general location or precise location?

Mark Kosters: Probably the best thing to do is to read that RFC. Read RFC 9092 and see what it says.

Beverly Hicks: Thank you.

Mark Kosters: I think, again, that’s defined by the ISP.

Yes, Chris.

Chris Woodfield: Chris Woodfield,, ARIN AC. Back to the 2FA registrations, I’m curious if you saw an uptick in 2FA registrations in January in the wake of the rather public compromise of a RIPE, of a carrier’s RIPE account.

Mark Kosters: So, previous to that, the compromise on RIPE, is that we already had it mandatory. So, when you came in, if you had not had 2FA set up, you were forced at that point in time to actually set it up.

We just saw people actually coming in, if they hadn’t logged in for a year, year and a half or since 2FA became mandatory, they went ahead and they had to do it. There wasn’t this rush, “Oh, my gosh, I need to turn it on,” because it was optional. It was mandatory. People who were using it on a regular basis, they actually came in and had to do it. We didn’t actually see so much of a rush.

Chris Woodfield: But you did see a decent number of people who hadn’t logged in in a while logging in in order to do that?

Mark Kosters: Oh, yeah, of course.

Chris Woodfield: Makes sense. Thanks.

Mark Kosters: Thank you, Chris.

Hollis Kara: One more online and then go back to the floor.

Beverly Hicks: Tom Bonar, TDS Telecom, from ARIN Online. Using MFA, is there a plan to move away from SMS as a 2FA/MFA option? There are several exploits of this technology including one that was just announced yesterday.

John Curran: John Curran here, ARIN CEO. There is plans for anyone who has concerns about this can institute plans right now to move away by not using SMS for your two-factor validation. If that’s a concern for you, you can protect yourself by simply not using two factor, using TOTP or another method.

As for whether you wish to force other people not to use SMS, that’s a great question. We actually had a consultation on this question. And as a result of the consultation, there were people saying, “In order to get two-factor authentication out there for all ARIN accounts, we need to have something that’s approachable, and not everyone is going to use two-factor that requires a token hardware/software validation.”

So, we had a consultation on that and the output was we’re going to maintain SMS. At this time there’s no view to revisit that consultation in the near future. A few years down the road, if the world has changed, we might pick it up. But that’s a question that’s asked and answered. Thank you.

Mark Kosters: Thank you, John. So, Louie?

Louie Lee: Good morning, Mark. Thanks. Louie Lee, Google Fiber, ISP. So, we do publish a geolocation file and we only go down as far as – so RFC specifies, allows you to do IP, then country, then region, which, in the US, we use the state and then city. And that’s as far as I go.

So, with the RDAP, we’re talking about just adding the URL to my file that I publish on my own website.

So, ARIN has no actual activity in publishing the location of an IP address. They’re just doing a pointer to my file where I control exactly how much detail I want to publish to the world, where MaxMind and other actual geolocation providers, they’ll take that data and add other signals to maybe further define where that IP is.

But that’s not none of my business. I don’t want to do that in terms of privacy. So other companies, like, say, Uber may use that information to further precisely locate where you are. But that’s nothing I want to touch, and that’s nothing that ARIN wants to touch.

Mark Kosters: Correct. John.

John Curran: So just to follow up on this, what Mark was talking about is a different way of publishing the URL of the geofeed file, as Louie points out.

So how you get that URL so you can figure out the geofeed information for IP addresses, you can get it a number of ways and we’re proposing another way to do that. But the contents of the file are set by the ISP.

Now, obviously if ISPs are publishing geographic location information for pieces of their IP address space, there’s privacy concerns. That’s independent of how you go and get that file, whether you find that file via some web interface or whether you find it from RDAP.

As to the contents of that file and the privacy implications, the IETF has actually taken up this matter at length. There’s an Internet standards tracker called RFC 9092 on finding and using geofeed data. And it does have a privacy consideration section that provides specific advice to the ISPs about what implications are of various contents depending how detailed they get.

People who are concerned about the contents of geofeed files – not how we find them, but the contents of them – probably want to look at that IETF RFC, and if they don’t think it’s sufficient participate in that process. That’s the current discussion of privacy and geofeed files.

Mark Kosters: Thank you, John. Hans Petter.

Hans Petter Holen: Hans Petter Holen, CEO of RIPE NCC. Since the security incident from January was mentioned, I thought I’d add some comments to that.

First, I want to have a positive callout for ARIN for setting the standard here and making two-factor mandatory, because that’s something that we should have done a long time ago. We had two-factor available for 10 years, but we did not enforce it on people.

When that is said, there is no security mechanism that’s going to be 100 percent secure. If you read the communication around this incident – and we’re soon publishing our final report on this – the breach happened at the end user computer. Malware stealing credentials from browser caches or whatever there.

So that’s an advice to everybody here, be vigilant about the security of your endpoint because you can easily imagine that even with two-factor, if your computer is infected, you could intercept two-factor mechanisms as well.

So there are attacks against any, or most, known security mechanisms. There are some that are even more secure. So, I think be vigilant. Make sure you have control over your computer, your credentials, your second factor, whether that’s your mobile phone number that you just changed so that’s it reissued in two years to another, or your email address because your domain expired.

There’s a lot of factors here that the end users need to be really careful about taking care of. And we can do a lot as RIRs, but eventually we need everybody to be vigilant here. Thank you.

Mark Kosters: Thank you, Hans Petter.

Hollis Kara: Nothing. Not seeing any further questions, Mark, Thank you very much.


The discussion got the audience all primed for you, Christian. Come on up.

I’d like to welcome our Chief Information Security Officer, Christian Johnson, who’s going to talk a little bit more about information security, particularly at ARIN.

Information Security Update

Christian Johnson: Good morning, can you hear me okay? Questionable. Okay. We’ll roll with it.

Good morning. I just want to acknowledge how beautiful it was outside this morning. When I got up it was amazing, and I said I haven’t seen the color blue like that since I was someplace else. It’s just fantastic out there. So thank you, Barbados. Pretty amazing.

I’m Christian Johnson. I’m the Chief Information Security Officer for ARIN. I’m going to spin through a couple of slides. And I want to also say thank you to Mark for introducing a couple of topics that I’m going to unfold a little bit more as a part of the conversation.

I’ll give a quick security overview. I’ll skip the first piece. I have that in there just every time for the sake of those who aren’t at each one of these meetings. We may run fast and loose with some of the terminology when we talk about whether it’s information or computer or data security. We’re sort of talking about the same thing, and if we really need to split the hair there, then we can do so deliberately and have a conversation.

I wanted to do a couple of things differently and talk about a couple of things that I haven’t spoken about previously. And that’s a little bit of the who and the how, not just what we’ve been accomplishing at ARIN.

We have three major groups of folks at the company that are doing some part of security. First and foremost, that’s the Engineering team under Mark that’s doing a lot of the hands-on security activities, whether that’s literally making sure that a switch is flipped or that something is configured properly to make sure that the security is happening, that an endpoint device is configured properly, that kind of thing.

On the other end of the spectrum is the Risk and Cybersecurity Committee. And they look at more than cybersecurity, but in the context of this conversation, they’re looking at cybersecurity risks, they’re looking at the mitigations that the organization has in place to make sure that, one, we are considering everything that we need to be considering; and, two, that the mitigations we have in place are actually effective towards the risks that we’re identifying.

Sort of sitting in the middle of that, between those two groups, is the Information Security team. I use the word “team” loosely. That’s myself and the Information Security Manager, Anthony Clark.

We’re primarily looking at policy, the policies that we have in place that support what Engineering has to do, what the company has to do business-wise and the objectives we have there, and also looking at those compliance frameworks, like PCI, looking at SOC 2 requirements and things like that.

What we need to be successful security-wise, and how we build those in and how we create a compromise between the business objectives and the security objectives. It’s not new, we’ve been doing it for a while.

That’s the “who.” The “how” of that is, I kind of look at it – focus on the basics, right? – any one of the security, big security reports that gets published, whether it’s IBM or it’s Verizon or any other vendor that likes to put out an annual report, will say that one of the key vectors for attack in any organization is that the organization isn’t doing the fundamental security things properly. And so that’s one of the key things that we focus on here is looking at the fundamentals.

The security-minded infrastructure, that really talks a lot to what Mark was talking about in terms of tech debt and reviewing tech debt. And we’re trying to resolve as much of that as we can. While we can never get rid of it all, the further we can stay forward on the wave there, the better for us.

Staff, sensitizing staff to security threats really talks about a lot of the information assurance training and exercises that we do, monthly phishing exercises that we run within the organization, information security and information awareness training that we provide the staff and new hires when they come in.

Enhancing reporting, making sure everyone knows what the right thing is in terms of reporting, but also providing better tools to make it even easier to report.

And then when we start looking at the threat identification and removal, remediation of vulnerabilities, we’ll talk a little bit more about some of this, but we also have a lot of robust tools in place to help facilitate that. And we’re doing more than ever now in terms of identifying and remediating the vulnerabilities that we find.

When you’re doing those basics and you’re doing them well and you feel comfortable doing them, then these other things start to become a lot easier, having the exercises that we run.

And we talked about some of this at ARIN 52 in San Diego. We are running multiple incident response exercises per year now. One’s generally a technical one where we’re sitting with the engineers and we’re doing incident response drills of different scenarios and different variables there to drill our reflexes and our responses to those things, exercising our plans and our procedures.

As was mentioned, again, in San Diego, we had a Board-level incident response exercise last September, where it was facilitated, where it was a response to a malware exercise. And the executive team and the trustees worked together as we would have in an actual incident response exercise. That was actually set to take place during an ARIN meeting when we would actually have staff in different locations. So there was a couple of different layers of complexity that we enjoyed as a part of that.

Of course, the security audits, we’ve been talking about those. Mark touched on those. One that I will add in here is the annual penetration test that we run, which we’re getting set to run again soon, where we actually bring in a third-party vendor to look at our networks the way that an aggressor would and tell us where they found the weak point so we can address those weak points.

Our SOC 2 audit, which I’ll get into, is another one of those. Within all of these things that we do, that gives us the opportunity to find areas where we can improve. And as a part of that, we go through and we update, we review and update all of our security controls. We update our policies. We update our procedures on at least an annual basis.

Usually that’s done right after an exercise. If there’s a lesson learned from that, we go right in and update the document or the control, what have you, so that we’re in a better posture, more resilient posture moving forward.

This is not one I’m going to dive too deep into because I provide this every conference as well. But just for those who haven’t had the luxury of attending the previous ones, we have three separate compliance frameworks that we look at.

One is the NIST, that’s the National Institute of Standards and Technology, under the Department of Commerce. They’ve created, in particular, the cybersecurity framework that we used previously, in previous iterations of that, even before they created the cybersecurity security framework under that name. We used their information to model the security controls that we have in place at the organization.

We have a SOC 2 program that’s in place. That’s voluntary, that was requested by the community, that we look at certifying under the SOC 2 program for North America. That’s certifying a service that we provide.

PCI is a little bit different in that’s mandatory, that’s not voluntary like SOC 2. The fact that we use payment card data, that we accept payment cards on our platform, requires us to be certified under the PCI DSS standard.

So, SOC 2. The scope of that is really when we do an audit, the auditor is looking at our overall organizational security as well as specifically in this case just RPKI as a service. They have not historically been looking at all of our other services or offerings. And we’ll talk a little bit more about that.

When we were in San Diego, we had completed the audit but we had not received our report yet. We got that on October 31. And we looked at the report – it’s not like we didn’t realize it until we got the report.

We’d had it in mind, but the report that you get back from the auditor has a lot of technical details in it. It’s not something that you really want to hang on your website and invite people to review that and consider where your strong points and your weak points are, right?

So within the SOC program that is run, there’s another report. And I’m not going to get into all the variations of SOC, but SOC 3 report is a publicly releasable version of your SOC 2 report. So in having the conversation around it, there was also sort of a nexus of time where we were getting a lot of requests for security questionnaires from customers. That’s a big trend within the security community, is you’ve got all these security departments. And by the way, some of the security departments at these companies are larger than all of ARIN put together.

So they’ve got a team of dozens of people that are emailing what they perceive as their vendors just going down a list and saying I need you to answer a 300-question security questionnaire.

And that can be painful when you have the number of customers that ARIN has, right, where you have dozens per month reaching out to you because that’s when their calendar comes due and asks you to fill out each year – not an update, but to fill it out again each year.

So what we did is we got the SOC 3 report, we hung it on our website – it’s publicly releasable – so that we can turn to the SOC 3 report and reference that and say, please reference our SOC 3 report. If there’s anything else you need besides that, then let us know and we can go from there.

That has done, I believe it’s done a tremendous level of, brought a tremendous level of relief to that sort of line of inquiry and those requests that we were getting.

I’ve talked about SOC 2. And I don’t know how many people have actually been a part of this level of audit before. I just wanted to throw a couple of numbers out. I don’t have fancy graphs or anything like that, but it’s making me think maybe I should.

There were over 200 security controls across the organization that we have to respond to as a part of our SOC 2 audit. That’s not the maximum. That’s just how many we’re required to respond to as a part of what we are certifying within ARIN.

That’s 200 security controls. About half of them sit within Mark’s domain in Engineering, and the other half are sprinkled across HR, they’re sprinkled across Finance. Information Security has some that we’re providing. The customer domain as well. So John Sweeting’s team is also answering inquiries there.

The short of it is is that as a part of our SOC 2 audit that ended this last October, we provided our auditor over 1,000, over 1,000 artifacts that supported that SOC 2 audit across the entire company.

Those could be copies, as simple as copies of existing policies or documents that we have. And in some cases that requires an actual engineer to go into a dashboard and take a screen shot of configurations for an individual user’s endpoint protection so that we can provide proof that that’s up and running appropriately.

It takes a lot of time. That’s one of the reasons why we collect data the course of the year, as well as work with our auditor for approximately two and a half months to complete the audit.

It’s a substantial level of effort just for RPKI right now.

The calendar is an annual calendar we recertify every year. The calendar is running from October, the beginning of October, to the end of September of the following year. It’s a good transition to the next, the PCI.

There’s a lot of things that are different but our calendar is the same, that’s a plus. That runs October to September as well.

The scope, however, is different. It does cover a good bit of organizational security, but it’s looking specifically at ARIN Online because that’s where the payment card data — or elements of ARIN Online — that’s where the payment card data is touching.

So I will say that the security controls — that could be misread really bad if you didn’t have the context — the security controls are similar to SOC 2. And in some places they are wildly different than SOC 2.

An example I can offer is a SOC 2 requirement says that for every end user you have a unique username and password that you use, right? We were talking – I’m not getting into multifactor authentication, that’s separate, but you should have a unique username and password.

Well if you think about PCI and what that’s covering, that’s any organization that accepts payment card information. That could include the gas pump. When you go and you fill up your tank and you swipe your card, there is no requirement for end users to have a username and password.

Whether you use a PIN or you use a ZIP code or something like that might vary as to whether or not you’re using a debit card or a credit card. So that’s one of the differences, employees of the organization are required to have unique usernames and passwords under PCI. But under SOC 2, it’s everyone, anyone who touches the system. There’s some things that just vary between the two.

One of the great things about the PCI program that we started is that it has a requirement for quarterly vulnerability scanning, and that has allowed us to stand up effectively in the last year a pretty robust vulnerability scanning and remediation program within ARIN, which is fantastic because that really does support some good fundamental security within the organization to identify our vulnerabilities and to address them.

So this is the roadmap. I have made one slight change to this since I presented it in San Diego. A quick recap. The blue things are programs already in place. We started the SOC 2 program specifically for RPKI at the beginning of 2022.

PCI started for ARIN Online at the beginning of 2023. The change here is I added in the prep time. There’s two little blocks in front of ARIN Online for SOC 2, which as Mark mentioned, we’re looking at sort of unfolding that program, that SOC 2 program, to encompass ARIN Online as well, which is not an inconsequential effort.

We’ve been working, and that’s why I added the prep in here, we’ve been working since the beginning of the year just to make sure – go through validate, examine, review, everything – to make sure that it’s even ready to go into the SOC 2 program so that we’re not spinning our wheels trying to fix things once we’re under the audit period.

And I say that because also it’s — the audit observation period starts at the end of 2024. I don’t want people confused thinking that ARIN Online will automatically be SOC 2 certified by the end of the year. That’s when it’s going to start the certification observation period. So we’re really not looking until the end of 2025, next year, for it to be certified at the earliest.

So our information security page, this sort of touches on the ways that we communicate with the community. We do issue blogs when there are pertinent blogs to put out.

The information security page, I highly recommend folks, if there’s any residual interest in what we’re doing or what initiatives we have, which some of the specific security controls we put in place, go check out what’s on the information security page. It tells you what we do to secure your data.

There’s also a section on there about what you can do to help secure your data. And also, as I mentioned earlier, the SOC 3 report is linked on there. And there’s also instructions.

If your organization believes that you still need to get the data, the more specific data out of the SOC 2 Type II report, there are directions on there for how to get that or how to request it from the organization. But you can download the SOC 3 report from there.

And that is all I have. Are there any questions or comments?

Hollis Kara: Microphones are open if anybody has a question for Christian. I do see we have one in online.

Beverly Hicks: Mohibul Mahmud: Looking forward to the roadmap you outlined. What are the key priorities for ARIN security strategies in the upcoming year, especially with the planned SOC 2 Type II audits for ARIN Online and other services?

Christian Johnson: Right, so I mentioned ARIN Online, that would be the next in the queue. And I think that it would be great if the community had specific priorities that they felt should be first up. Would be good to hear that from the community as to what they felt were more important or most important.

The one thing that I will put out, that other services piece is on that roadmap. I’ll go back only so that I can reference it in context. We can see what I’m talking about.

We have ARIN Online going on there. The other service is illustrative of how we can roll additional things in there. I could be wrong, but I don’t think the community wants me to start rolling other services into the program until we successfully complete our ARIN Online certification under SOC 2.

So my recommendation is is that we would get ARIN Online up and running and complete that at the end of 2025 successfully, and then make a close examination of the next services that we want to roll in, which we would probably kick off at the beginning of 2026.

It would seem logical from my perspective, but obviously if the community has priorities that they want to be addressed, that’s how we got into the SOC 2 business to begin with, is because the community said that they wanted it.

Hollis Kara: Awesome. Front microphone.

Robert Seastrom: Rob Seastrom, I chair the ARIN Board of Trustees Risk and Cyber Committee. Thank you very much. I would like to double down on something you said about hearing from the community and speak briefly to the SOC 2.

The SOC 2 certifications are an area in which ARIN is saving the membership money. If you’ve ever been lucky enough – and I use the term jokingly – to be involved in getting cyber insurance for a company, the cyber insurance corporations get very touchy about vendors that don’t show that they can be trusted to sit with the grownups at the grownups table.

And the SOC 2 is how we show that. And it would absolutely be represented – or reflected in cyber insurance costs across the entire membership if once cyber insurance companies started realizing, “Hey, you know, we have millions of dollars worth in aggregate, potentially billions of dollars worth of addresses under management, and this organization does not have proper cybersecurity security controls or demonstrating proper cybersecurity controls.”

So thank you for all the work that you and your group do.

Christian Johnson: And you as well, thank you R.S.

Hollis Kara: Seeing no further questions,

Christian. I think we’re all down. Thank you.

Christian Johnson: Thank you very much. (Applause.)

Hollis Kara: We’re running a little bit behind schedule, but we’ve got time to at least invite Mr. Gorman up to the stage, Brad Gorman, our Senior Product Owner, Routing Security, to give a Routing Security Update.

Routing Security Update

Brad Gorman: Thank you, Hollis. Again, my name is Brad Gorman. I’m going to talk about a subject that’s near and dear to me. It’s routing security and the work that we’ve been doing at ARIN for our community and for the global RPKI community.

I’m going to go over the RPKI, how it works very briefly, and some of the key work that’s being done in the industry. Going to go over the numbers at ARIN, how our community is deploying and using RPKI, and then go over some of the new features that we’ve developed and are under development to further your opportunity and ability to use our RPKI services.

So RPKI has come of age. It’s not make believe. It’s not something that you might want to try. It’s a reality.

Basic benefits of RPKI, it provides operators another way, another source of information where they can make more informed routing decisions. What does that mean?

Not just the table of what’s going on in the Internet, not the third-party websites that are taking a look at things. It gives resource holders the ability and the opportunity to make statements about their resources and where they should come from and how they should work. So that is the key foundation of what RPKI is about.

It gives those resource holders the opportunity to have another venue, another method with which to get that information out about how my resources should be seen and viewed by you and what you should do with it when it gets there. And the current action and opportunity that RPKI provides is it’s reducing the surface that people who want to attack and want to do nefarious things with your resources. And it also protects you from just the common occurrence, human error. We all make mistakes. That’s what RPKI is doing for us today.

So really the numbers tell the story. Earlier this month on April 4, I guess, is the number I’ve got there, more than 49 percent of all Internet announcements on the global BGP table are covered by RPKI ROAs. People have made statements about that information, and that is a huge landmark.

We are about to cross 50 percent. And from the beginnings of RPKI to the deployment levels that we have today, it’s nothing but good and it’s up and to the right moving to the future.

Now IPv6 announcements passed that 50 percent threshold late last fall. And we are positive and anxious for the RPKI deployments to move forward in that direction as well.

So RPKI is on the U.S. government’s radar. The current administration had set out an initiative early in 2023 that the public sector needed to find a way to protect their resources in the purposes of national security and keeping critical infrastructure up in business.

That led to a notice of inquiry put out by the FCC which the community and agencies worked together and continue to communicate on where we wanted to go and how we wanted to deploy that.

And coming out of that, RPKI and the securing of BGP has become a key point in the Office of the National Cybersecurity Director. And working with everyone, they are facilitating and promoting the use of routing security services.

And to that point, BGP and RPKI are the two factors that they’re identifying where they want to work and where we want to go forward in the future.

So not only is it active in public sector, it’s active in the standards community.

The IETF is where RPKI found its beginnings. The standards of RPKI were first accepted and ratified in 2012. So it’s been a long time. Deployment started slowly.

But really we’ve seen a lot of work and a lot of activity in the last four or five years with people deploying. But the furthering of standards, the learning from the lessons of deployment and the history of the way it’s worked, this community is really moving forward, fixing the things from the past, moving forward with new ideas.

And some of the things that were recently touched and things that are in motion, the last big standard that was released is a best common practice on how you want to handle creating your ROAs.

And then some of the proposed standards that are coming through are just further enhancements of what is in place and what we see as a community, the direction we want to go to bolster and make RPKI even better for you.

So what does it look like in the ARIN region?

It’s very positive, but I just want to review the three services that we offer to our customers related to RPKI.

The two functional, main functional ones are hosted RPKI, which is where a resource holder, a customer organization can make a first step into using RPKI services. But you can tell that most of the ARIN organizations use this hosted RPKI because the responsibility for all the heavy lift is done by ARIN. And the resource holder only has to create, make their statements, create their ROAs for their resources, and it’s a 98 percent number of ARIN organizations that use hosted RPKI.

The flipside of the simplicity of hosted is delegated RPKI. Delegated RPKI is for an organization who wants to maintain and keep more control of the cryptographic components. They want to maintain much closer to their central infrastructure of how they handle their RPKI configurations and the way they want to deploy. Certainly just as valid of a feature and a capability, but it comes along with the requirements of maintaining high availability services.

You should really have a staff that’s knowledgeable on how RPKI works, and even have infrastructure that’s available to be put in place to get it running on their site.

The middle of the road is, the colloquial term is hybrid RPKI, but what we call it is the Repository Publication Service. This is a slice of delegated RPKI where that organization still wants to maintain its control of the cryptographic components of RPKI, but they do not want to take the responsibility of the high availability services and the critical pieces of RPKI that if that uptime isn’t maintained could have significant impacts to an RPKI deployment and infrastructure for their resources.

So as of, again, the 4th of this month, there are 4,900 – over 4,900 organizations that have signed up for and are using our RPKI services.

And you can see again in the numbers, the number of hosted organizations far outweighs the number of delegated organizations. Again, it’s that ease of use, simple, flip the switch, make your statements.

And it’s not just small companies. It’s large companies. It’s people who understand and recognize that ARIN’s service is really good, that they don’t have to improve upon the services that we’re running.

And it really is a good feeling to know that that feeling and impression and the services we do really are working, that they feel confident in using our products.

And I wanted to just call out a little bit, the repository service, like I said, is a subset of delegated. As you can tell now, 50 percent of the organizations who have selected delegated are using this easier option of asking ARIN to run a repository and keep the protocols up so their information is visible to the outside world.

And like every financial person likes, the numbers in the graph is up and to the right, so I’m just as happy.

So with regards to addresses in ARIN’s repository and how they are showing up in the numbers for RPKI usage, within ARIN’s responsibility, the resources that have been allocated to ARIN and are in ARIN’s registry, the number is right around 1.5 billion IP addresses.

The number of resources that are under a contract, these are the RSA or LRSA contracts, and that is a prerequisite for using advanced routing security services at ARIN, notably RPKI and the authenticated Internet Routing Registry.

So when you start throwing these numbers together, you look at how many resources are covered and how many of those resources are protected.

So from the large number, we can get to about 35 or 34 percent of those 1.56 billion IPs are protected by statements made in RPKI, or at least they’re called out in statements made by RPKI.

But then when you look and dig deeper into the ones that have been certified and are authorized to use our RPKI services, that number starts to approach 50 percent, and that really makes us feel good.

That number has been increasing. That number is likely going to jump even further ahead. ARIN has been doing a lot of work in getting more addresses registered. Last year and even the end of 2022, there was a lot of messaging and assistance being given to organizations who needed to sign agreements for their legacy resources.

There’s been a lot of work going in that direction, and we see nothing but further adoption moving forward.

By organizational structure, by entity type, you can see here – I’m not going to read all the way through the numbers – but as far as how the U.S. government is using the percentage of resources that they have and then the percentage of adoption of RPKI being measured by the number of resources that are covered by RPKI statements.

So the government numbers, the educational institution numbers, a lot of those were impacted or are impacted by resources that are not under agreement. But when you start looking at the private sector and the commercial infrastructure, you can tell that out of what is – the number of organizations that have adopted versus the amount of resources that are covered, it is way out of whack with what’s up there. But the reason is those ISPs, the service providers, that private sector adoption and deployment of RPKI really is widespread.

So we had a couple of consultations in the last year, and going into last year. The first one was related to a service that we initially rolled out in the fall of last year. We pulled it back and reevaluated how we were offering that service.

So we had a consultation on integrating RPKI and IRR services was concluded. And what we came out with is a service that we are going to offer customers that as they create ROAs for their resources, we’re going to give them the option to create IRR route objects.

And the foundational goal here is to bring those two data sets of routing security information together and keep them in a way that we can bolster the reliability and the updated information in those two resources. Coming out of that, we came up with a number of additional capabilities that we were going to offer our customers.

There will be an organizational selector where an Org can agree to, “Hey, I want creating these objects to be standard. I want that to be the path with which to move forward.” But they also have the ability to turn that default off. Something that’s going to be available to users at the UI.

Organizations will also have, as going through the creation process, the ability to say, “Well, for this one I don’t want to create this object.”

We’re going to give people the opportunity to look back at what they have already created in ROAs and compare it with what objects that are matching their resources and give them the opportunity to say, “Hey, I would like to go and look at all of these and then pick the ones that I want to bring up to this new feature and bring them into parity of one another.”

But the key things that we’re doing here is we’ve given that resource holder a number of points in place during the processes they can evaluate whether they want to move forward with this feature or not.

The next big thing that’s coming is a way for ARIN to show additional information on the state of an organization’s view of the outside world of how they’re presenting their RPKI information.

Right now we give an organization knowledge that they’ve created a ROA. We’ve heard from a number of places that we would like to hear more. So the key that’s coming out of this one is we’re going to be giving much more information associated with current state of RPKI validity, of their announcements to the outside world.

We’re going to give the opportunity for an organization to look at what might not be an optimal configuration and offer suggestions on how to bring that data together in a way that they’re happy with the way it is.

We’re going to give suggestions on how current announcements look and say, “Hey, wouldn’t it be a good idea?” or “This is a suggestion of what you might want to do about making your statements moving forward.” So in our development pipeline, the two main

bullets, the outcome from the consultations, moving forward into the future, there are significant enhancements that we’re going to be working into the web interface. We’re going to be putting together bringing capabilities and features that are available to API users into using the web user interface, sorting, working out services.

These are some really exciting things that I think are coming that people are really going to enjoy.

And we heard yesterday about the NRO creating and establishing a working group for bringing RPKI together with all of the other RIRs and presenting a common usable or at least simplified interface that a global organization with resources in multiple places will be able to have a common experience moving forward.

So that kind of work, as we move forward, there are representatives from every RIR in this Working Group. Myself and Mark Kosters are the representatives from ARIN.

But we work with our counterparts moving forward. And this kind of work may get prioritized moving forward, but just wanted to let you know it’s there and we’re thinking of you, and that’s where we want to be.

And I’m over time. So if you have any questions, there’s the email address for my team, where we can field the what-if or the in-depth what’s going on. Please reach out to us there.

And for anyone who is in Barbados tomorrow at the conclusion of the ARIN meeting, in between and beginning of the CaribNOG meeting in the afternoon, I will be hosting a deployathon. So for anyone who is interested in moving forward and getting hands on and making RPKI changes, between 10:30 and 12 I will be back in this room and everyone is welcome to come in, but really it’s going to be focused on people who have control of their resources, control of the organization, and want to make changes in-house today. Thank you very much.

Hollis Kara: Thank you, Brad. Alright, we did have a couple of questions come in online that I’d like to give you a chance to field. But for folks in the room, if you plan to catch Brad at the break that would be great.

Beverly Hicks: Kevin Blumberg, The Wire: Have you considered notifications via email to RPKI IRR updates? I have concerns with any set-and-forget service. I’d like to see the awesome system working as expected.

Brad Gorman: Okay, and thanks for the question, Kevin.

Yes, being built into that BGP/RPKI intelligence tool is the title I think that was on the slide, there will be options available for notifications and the type of notifications that an organization would like to see.

We’ve all been guilty of maybe carpet bombing or loading people’s in-boxes with a lot of emails that maybe get lost. So for the purposes of keeping abreast of what’s going on with your configurations, you’ll be able to opt in for the guided messages.

Beverly Hicks: Thank you. Tony Tauber: How many of the organizations that came under LRSA in 2023 resulted in RPKI enrollment? I would like, if possible, to see those results in terms of numbers of organizations, proportion of those new organizations, coverage increase, things like that.

Brad Gorman: You know what Tony, again, that’s a good litmus test of how the progress is going. I have not compiled that information together, but for you and anyone who is interested with respect to what we can share, I’ll be able to put that together and just feel free to ask.

Hollis Kara: Alright, that looks like all the questions. Thank you, Brad.


We made Brad talk extra fast this morning.

Thank you for trying to get us a little closer to back on schedule.

Unfortunately we’re not going to have time to show you all the grant videos right now but we have time to squeak one in before break.

So we’re going to click on ahead. We’re going to come back to the first two, and we’re going to start with the Open Source RegCtl project that’s being run by FullCtl. So if we’re ready to roll the video?

2023 Community Grant Project Reports

Open Source PrefixCtl and RegCtl Update, FullCtl

(via video)

Chris Grundemann: Oh, hi there. Man, I really wish I was in Barbados right now – but I’m not. However, I can provide you with an update on our community grant and what we’ve been doing with the money here at FullCtl. So, first of all, thank you for bearing with me with this recorded presentation.

I know that that can be kind of a snooze fest sometimes. Hopefully this will be interesting content and it will keep you awake. Now, while I’m not in Barbados, I have been there before, actually to the hotel you’re all staying at, for a previous ARIN/CaribNOG event.

Hopefully you’re staying for CaribNOG. And if you are, I highly recommend, on Friday night, go down the beach a little bit to Harbour Lights and dance on the beach.

For now, let’s dive into this Community Grant Update on our project to open-source PrefixCtl and RegCtl. The agenda is where we’ll start here, and we’re going to do a little bit of introductions first, and then I’ll tell you who/what is FullCtl.

Then obviously we’ll dive into why we’re even talking, why I’m here, why you’re listening to this recording right now, specifically diving into RegCtl, PrefixCtl, what can they do, and when are they due.

So introductions. Real quickly, myself, Chris Grundemann, my co-founder and partner, Matt Griswold, we started a company called FullCtl. We both have a little over a couple of decades of experience in our related fields of expertise.

I’ve been involved in ARIN for a long time. So I’m sure there are a bunch of friendly faces there in the audience that I can’t quite see. But hi, friends. How are you doing? With that, I’ll just dive right in.

FullCtl is basically a software development shop focused on automation for networks, but specifically automation for interconnection. I’ll leave it there. If you want to know more, please feel free to go to, and you can learn a lot more about FullCtl.

But I’m sure you’re wondering, why? Why are we being subjected to this video recording right now? Why are you, Chris, coming down on our fun and talking to us right now?

Well, the answer is FullCtl is one of the 2023 ARIN Community Grant recipients. And our grant is specifically funding, as I think I mentioned, two tools – PrefixCtl, which is already built and has been open-sourced, but I might have stolen the fun of the presentation there, and also RegCtl, which is coming soon.

Although PrefixCtl is the one we completed first, I want to start the presentation with RegCtl. These are a bunch of famous Reges. They’re not the Reges we’re talking about.

RegCtl is short for registration control, and really the idea here is to build a tool that will provide reliable, standardized output of registration data – and all the registration data. Right?

So the ROA stuff for RPKI, but also RDAP and Whois-type information around AS numbers, IP addresses, domain and entity information, kind of all the things that you get from a registry. Now, why?

Why do we think there’s a need for RegCtl? Why was this grant paid out to us, and why have we been working on this problem?

Well, there’s a few things here, right?

Now, John Sweeting paid me to say that RIRs are doing an excellent job. No, just kidding. It was John Curran. No.


Luckily, they’re friends of mine, so hopefully I can kid a little bit. But really the RIRs are doing a great job, but the whole point of having Regional Internet Registries is that they can serve their region’s needs directly and specifically.

Now, what that means is, if you’re an international organization who’s doing routing across the globe, you may have found that this data is not exactly the same in each RIR. So if you’re pulling down RDAP or Whois information from ARIN versus RIPE or LACNIC versus AFRINIC, you might see that the data is formatted slightly differently.

And so if you’re running scripts against this, if you’re trying to parse that data and use it for other purposes, you can run into some problems, right?

Each RIR is a little bit different. There’s kind of two different classes, and there’s work going on to make this better and better. There are standards involved. But as far as, like, the data schema itself, we’ve been talking about this in the IETF for years now, and there’s still kind of not really a specifically standardized data schema that can be really automated against. And so that can cause problems if you’re writing scripts against this, right?

Also, change happens. So RIRs change things, to make things better, improvements over time. Again, if you’ve written software against an RIR database, if you’re pulling Whois or RDAP data down and they make a change, it’s not really their problem that your script doesn’t work anymore. So having a consistent source of data may be interesting. Right?

Also, there have been outages in the past. And things like RPKI, especially, are super sensitive to this, right, because if the trust anchor goes away, essentially the idea is that everything fails open, which is better than failing closed, definitely, but it can cause problems.

If that trust anchor goes away, wouldn’t it be nice to be able to roll back a few minutes or even a day and look at what that ROA information looked like before that anchor went away and be able to maintain your filters through any potential RIR outages that might happen in the future. Right?

Well, that is exactly what RegCtl is built or will be built to do – consistent, normalized registration data. Specifics here: It’s going to be an open-source project. You are welcome to help us define the standard schema, and obviously we’ll release the code to the community.

You can take a sneak peek at the schema now. This is written in Python. It leverages OpenAPI 3.1. There’s a link here on the screen. On those docs you can see kind of the schema itself and how the data is laid out.

We’re open to any feedback on that as we move forward. So, that’s RegCtl. It’s your solution for standardized and reliable RDAP and ROA information. And it’s coming soon.

We’ll talk a little bit more about specific dates and things like that, but this is part of what we promised to the ARIN community in our Community Grant work, is to produce an open-source version of RegCtl, which is coming.

Now, why is it coming? Well, there is more.

PrefixCtl. Now, before I dive into what the details of PrefixCtl are, let’s first look at some additional problems, or potential problems, challenges, we’ll call them, with registration data access. Right? So not the data itself, but maybe the access.

So one thing is, if you are trying to update registration data and it fails, you don’t get any feedback. Also, if you’re pulling information, if you’re querying RDAP information, you get this “no less, no more,” right?

So if you ask for, you know, what is the deal with this one specific prefix? It doesn’t happen to tell you that maybe prefixes underneath that are SWIPed or prefixes above that are owned by somebody else, it just gives you exactly what you asked for, which is as it should, but there are reasons why you may want more context along with your data.

Also, there’s some availability challenges here as well. If you’re trying to troubleshoot software that is, again, using, updating or pulling data here, there’s rate limits involved, which again, the RIRs need to protect themselves. It makes total sense. However, it is hostile to debugging. And there can be stale data there as well.

So these are some challenges that we’ve seen here, and these are kind of fundamental challenges to the access to the data. As you may have guessed, PrefixCtl is the answer, from our perspective anyway. So PrefixCtl basically manages prefix sets.

Now I don’t want to get too wrapped up in the terminology there, right, there are routing artifacts called AS-SETs and prefix sets. We’re just talking about sets of prefixes. Now, they could be prefix sets, and they could tie into, you know, underneath of AS-SETs and be part of an AS-cone, but really these sets of prefixes are things that you want to work on, right?

And so PrefixCtl manages these sets of prefixes and it includes that Whois data we were talking about, but also IRR data, also rating data. It can pull down that RDAP data and complement it with these additional sources of information to give you more context.

Why? Why would we do any of this, right? A big part of it is just answering questions. If you need to know who is responsible for a resource, what’s the status of that resource? And what’s the status across all the RIRs? Are there sub-allocations on this prefix, right?

All those sort of any/or questions. Is this routed somewhere? And compare and contrast these kind of different bits of context with it. Those are questions that a lot of us as network operators have from time to time, and this whole system is designed to kind of jam in there and provide those answers, right? Cross-RIR queries. Recursive queries. Enriching the dataset.

This combination of RegCtl and PrefixCtl, just like Albert Einstein here, they’re neither clever nor gifted, but they allow you to be very, very curious and pull down more information. So RegCtl plus PrefixCtl, your solution for standardized, normalized, and contextualized RDAP and ROA information management.

But wait a minute, Chris – I know you’re thinking this – wasn’t this supposed to be an update for a Community Grant? It is, but the real reason I’m not in Bridgetown right now is because I’m in the Bahamas, non-extradition company – non-extradition country, that is – because we spent all the money and we actually need another grant. Obviously I’m just joking.

Here’s the status: RegCtl, coming soon.

Why is it coming soon? Because it requires PrefixCtl. PrefixCtl and managing those prefixes is kind of the foundational layer here. And we at FullCtl really follow the Unix philosophy of having each tool do one job and do it really, really well.

So that’s why there’s two different tools here. PrefixCtl, which we built during the first half of the grant period and has now been open sourced – and I’ll talk about that in a second – which is going to support the development of RegCtl, which will come August/September, sometime in the fall of 2024, this year.

Now, PrefixCtl, as I just mentioned, is available now. There’s the code here: And again, all the controls are actually “ctl.” And this is going to enable RegCtl plus some other things. But as part of this update, I really want to give you a look at what PrefixCtl looks like.

So here is the GUI. Now, again, this is available as open-source software. This is what it looks like when you run it. Now, we also have this set up as a service. And I’ll get to this later, but you can actually use the service, try out the service, look at what it looks like for free. We’ve got kind of open accounts there for a kind of unlimited trial period, if you want to kind of go in, poke around, play with it, see what PrefixCtl can do for you before you download that software and run it for yourself.

Few things here. You can see the way we have it set up, PrefixCtl on the upper left there.

You can select different tools in our portal. I’ve got this set right now for my personal organization. It’s set up to be multitenant, so yYou can have multiple organizations set up. And then obviously it’s multiuser as well, you can see in the upper right-hand corner. Then within this, you can search for a specific prefix.

Right now I’ve got this demo prefix set set up for demonstration. And there’s the 10/8, 192.168/16. You can see some IPv6 addresses in there as well. It does both, obviously.

And if you want to add a new prefix set, you click on that little yellow-greenish button that says “Add Prefix Set" right there in kind of the almost top right. And this modal pops up. You can name the prefix set. You put a description in. If you want to, you can automatically import the prefixes in the prefix set from an IRR.

If you’re going to do that, you obviously need to put in the AS-SET that you’re going to import from and what source IRR you actually want to source from. Or you can leave those two things blank, leave that checkbox blank, and just manually enter the prefixes yourself.

You save that, and Bob is your uncle. Now, if you want to just manually add prefixes to your prefix set, you can click the bulk create prefixes right there and it allows you to put them in here. As it says, you can add multiple prefixes. They can be separated by a comma, a space, or a new line.

You drop those in there, hit save, and then boom, they all will just show up in that set. So basically what you’ve got here with PrefixCtl is not only the foundation for RegCtl, but a repository or a database of prefix data. So you can keep all these prefixes.

Now, you can do different sets, right? Maybe you want to match a prefix set directly up to an AS-SET for yourself and have that in there. Maybe you want to maintain prefix sets or sets of prefixes for your customers or anybody else that you want to kind of keep an eye on, because then what PrefixCtl does is it provides an API into that data and an extensible metadata framework around this.

So now you have this kind of core, shall I say, source of truth for prefix data, which can be used for all kinds of things.

Some ideas: Maybe your own Whowas service. Right? If you want to keep track of a certain prefix and how it’s allocated over time. Also BGP monitoring is another obvious use case here where you can tie something like BGP Tools into the prefix set and be monitoring how it’s being used, if there’s hijacking going on or who’s advertising the prefix over time, if it’s being accepted in different places, that kind of stuff.

Reputation monitoring is another possible use case here. If you want to check against various spam registries or other kind of, you know, dark lists, things – places where IP addresses show up that aren’t being used for nefarious purposes, and just all kinds of monitors.

In any case, that’s it for me. Hopefully I gave you a good snapshot of why we’re building these tools, why they’re important to the ARIN community as well as the broader routing and interconnection community across the globe, and what we’ve been doing with this Community Grant over the past few months, and what we’re going to do over the next several months to get you RegCtl out there on GitHub, open-sourced, for your use and pleasure.

If you need to follow up with any questions, I’d love to hear from you – Again, it’s f-u-l-l-c-t-l. And have a great time in Barbados.


Hollis Kara: All right. Thank you, Chris, for a great video presentation. We are going to go to break, and we will be back at 11:00. So see you then, and enjoy getting a breath of fresh air, or refreshing your coffee and stretching your legs.


Hollis Kara: All right. I think we’re going to go ahead and get rolling. Welcome back. Hope you enjoyed the break.

We are going to continue on the schedule, the agenda as posted for after the break. We will be fitting in the rest of the grant presentations a little bit later today.

So with that note, I would like to welcome, via video, Sofia Silva Berenguer, the RPKI Program Manager to give an update on the NRO RPKI Program.

NRO RPKI Program Update

(via video)

Sofia Silva Berenguer: Hello, my name is Sofia, and I’m the NRO RPKI Program Manager. And in this presentation, I will be sharing with you about the new NRO RPKI Program.

Before I get started, I wanted to take a moment to introduce myself. Some of you may know me from some RIR, probably ARIN conference, a while ago. I was hired by LACNIC in 2010 as hostmaster and policy development officer, and then I had a couple of technical roles. But in 2015, I moved to Spain to do my master’s. I have a master’s in telematics engineering, and I did some research on interconnection at the autonomous system level. And I then ended up working for APNIC.

I was originally hired as a data scientist, but after a little while, I was offered the opportunity of becoming a product manager, and that gave me an opportunity to rethink my career, I guess, as I was interacting more with people instead of routers and servers.

I realized I was really curious about human behavior, and I started studying ontological coaching. And as I became an ontological coach, I started doing some coaching at APNIC, and I eventually became a productivity coach as part of the HR team, and that’s what I was doing until December.

But in January this year, I started this new role as the RPKI Program Manager for the NRO. So that’s a bit about me. Probably more than enough for this presentation, but I just wanted to offer some background.

So what I will be covering today is a brief introduction to this new NRO program, who the program team is, what is it that we’re trying to achieve, and how you can get in touch with us and learn more about this program.

To start with, I’m sure a lot of you are already familiar with the NRO, but in case you’re not, I thought I would include a slide on the NRO. The NRO is the Number Resource Organization that brings together the five Regional Internet Registries like ARIN, for example, and the other four regional registries, to actively contribute to an open, stable and secure Internet. And now specifically about this RPKI program.

I wanted to talk briefly about why it is important and why there’s focus on this space. We know that there’s currently some diversity in the way the RPKI system has been implemented by the five RIRs.

There’s some inconsistencies there, differences in the services offered or in the way the services are offered, and I included some screen shots just to offer a couple of examples of inconsistencies that have been identified and documented.

There is a MANRS document that lists ROA management requirements and security standards for operators of RPKI services. For example, the RIRs. And in the first annex of that document, there’s a table that’s a bit out of date.

It’s from July 2021 and things have changed since then. But just as an example, the table shows the compliance status for those requirements and standards described in the document for the different RIRs.

And you can see there, probably not on my slide because it’s a bit small, but if you do go to the document, I have included the URL. You will see that there are some differences in the compliance status on those requirements and standards.

Another example is in the Krill documentation where the interaction with the parent is described. Depending on what the RIR is the parent for the CA that is being set up, the interactions have been different.

So another set of inconsistencies that is described there. So in 2022, the NRO went through a Strategic Review Process, and one of the outcomes was an agreement to focus on providing a robust, coordinated and secure RPKI service.

So the NRO RPKI Program was created with the purpose of providing a more consistent and uniformly secure, resilient and reliable RPKI service. And although I believe we will be offering benefits probably to the broad Internet community, I think, in particular, we can benefit those entities, network operators, in particular, probably, that are interacting with more than one RIR to create RPKI objects, certificates and ROAs, and maybe experiencing some barriers to RPKI adoption because of the inconsistencies that we mentioned.

The Program Team, the main part of the Program Team, I can say, are the RPKI experts from the five RIRs that come together into what we call the RPKI Steering Group.

As I mentioned, I’m the RPKI Program Manager. The Executive Council of the NRO is part of the Program Team with the role of being executive sponsors for the program, and we will also be interacting as part of this program with other RPKI Subject Matter Experts from the RIRs.

I included a slide with the names of the Steering Group members because I know you probably know Mark Kosters and Brad Gorman from ARIN, and we also have some representatives from the other RIRs who you may know as well.

So these are the people that I will be more closely working with. And what it is that we’re trying to achieve: As I mentioned, the purpose of the program is to provide a more consistent and uniformly secure, resilient and reliable RPKI service.

And since I started this job in early January this year, I’ve been having some conversations with people from the technical community, with Steering Group members, trying to catch up because, as I mentioned, I was working in human resources until December.

So I’ve been trying to catch up with where things are at in the RPKI space, what the main challenges are nowadays, and I’ve been having some sessions with the Steering Group discussing what are the more specific outcomes that we may be able to achieve in order to achieve that bigger purpose.

So some areas, some outcomes that we have been discussing: First of all is we need to really understand what the community thinks that a single global RPKI system looks like. So we talked about inconsistencies, and there are inconsistencies at different levels, right? So there’s inconsistencies on the services offered, but there may be also inconsistencies on the way those services are offered or some specific features are offered, for example, through API endpoints.

So we’re trying to understand what are the problems that are really worth solving. The second outcome is around better understanding and improving the transparency of the robustness of the RPKI system.

So we will be discussing what are the aspects of the robustness of the system that we want to measure, and we will eventually make them public to improve transparency.

Then the third outcome is around security and the consistency in the space of security. So it’s about first understanding and documenting the current state of things in terms of security of the RPKI system, and the components that each RIR is responsible for, and then getting recommendations from security experts and input from the community on where we should be, and then prioritize that so we can close those gaps.

And finally, and this presentation is part of that last outcome – and it’s probably a big part of my role as a program manager – is to keep the technical community informed and engaged throughout the program. So this is about sharing with the technical community what we’re working on, progress that we’re making, but also requesting input so that we can make decisions informed about what the technical community really needs and wants from the RIRs working in better collaboration and coordination.

And the second part of that outcome that is about addressing or responding to concerns in a coordinated way.

So we acknowledge that each RIR has their own community, but then we would like to see the global technical community as a whole, and from the RPKI Program Team to be able to respond in a coordinated way.

And as I mentioned, we really want to hear from you, from the technical community. We will be asking for more specific input as we start working on some initiatives that we have been discussing. We will need to validate specific assumptions. We will need input on specific initiatives so that we can prioritize.

But in the meanwhile, there’s a big question that I would like to put out there for anyone who would like to answer, and it is that I would like to understand what are those big obstacles, those barriers for RPKI adoption that could be solved through better coordination and collaboration among the RIRs.

So if you would like to answer that question, please reach out to that email address on the slide, or if you have any other general ideas, feedback, initiatives, work that you think we should be looking at or we should consider, please feel free to reach out to that email as well. And if you would like to learn a bit more about this program, the NRO website has been updated with information about the RPKI program.

At this stage, it’s probably very similar to what I shared today, but we will be using that page to share updates on progress. And as I mentioned, probably specific requests for input will be done through that page as well.

And there’s also a blog article about the RPKI program that was posted through the five RIR blogs. I have included the URL to the article in the ARIN blog, so feel free to check that if you want to read a bit more about the program. That’s it for me. Thanks a lot for your attention.

Hollis Kara: Thank you, Sofia. I will note for those of you who want to keep up with developments as things progress with the NRO RPKI Program, a couple things that I can recommend are subscribing to the blog. Because as Sofia has things to publish, we’ll share them on our blog. Also, if you’re subscribed to ARIN Announce, you’ll probably see announcements there as well as new developments come up.

So hopefully with your existing communication platforms you will have access to the information that you need. All right.

Oh, yes absolutely. Can we give her a round of applause? Sorry.


It was a long process to bring Sofia onboard and we’re really happy to have her. It’s great to be working with her in this capacity, and we’re doing everything at the regional level to support her.

Regional Registry Updates. We have a mix of video and in-person presentations for you, but we’ll have presentations from each of the other four RIRs.

We’re going to lead off with a video update from AFRINIC from Musa Stephen Honlue.

Regional Internet Registry Updates


(via video)

Musa Stephen Honlue: Hello to all participants attending the ARIN 53 meeting taking place in Barbados. My name is Musa Stephen Honlue, and I’m the Project Manager and Transformation Lead at AFRINIC.

I can’t unfortunately attend in person. However, I’m very, very pleased to bring to you some updates from AFRINIC.

AFRINIC is the fifth RIR in the RIR ecosystem, established in Mauritius since 2005. We currently serve 56 economies in Africa and the Indian Ocean.

AFRINIC is powered by 44 dedicated staff who have been keeping this organization running despite the problems.

By now, you must have heard about the difficulties faced by AFRINIC. Allow me to give you a heads-up and some updates about our situation. Like many organizations, AFRINIC currently is having several litigations with some of our resource members.

And we have registered 59 court cases where 33 of them have been resolved, while 26 are ongoing before the court of law in Mauritius. This situation has left us without a current Board and no CEO. On the 15th and 17th of May, next month, the case of appeal opposing Cloud Innovation and AFRINIC on the appointment of an official receiver will be heard.

Now, back to business. As mentioned earlier, AFRINIC’s staff has been working hard to keep the lights on, bringing value to our members and all the stakeholders through three pillars: One, services to our members; two, building the Internet community; and three, improving our technical services and infrastructure.

Let me walk you through our achievements in 2023. In 2023, membership grew by 187, bringing the total number to 2,290 members when we ended 2023.

To new and existing members, we were able to allocate a little bit more than 199,000 IPv4 addresses, 117 IPv6 prefixes, and 186 ASNs. In order to get this stuff at member services, a little bit more than 26,000 support tickets with 86.83 percent of these tickets attended within the SLC of 48 hours.

In terms of service adoption, 118 new members adopted RPKI in 2023, bringing the total number to 555. While the total number of ROAs grew by 189 percent, taking it to a total of more than 8,000 ROAs in the RPKI system. 73.8 percent of our members were using the IRR system to securely announce their prefixes with Route and Route6 objects.

As of this, two RIRs, namely APNIC and AFRINIC, are left with IPv4 allocatable space. At AFRINIC, we are left with less than 0.07 percent of a /8. And since 2020, in January, we started our phase two of our soft-landing policy. This means that every resource allocation for IPv4 is between the frame of /24 to /22.

Since the inception of AFRINIC, our capacity building team has been busy around the continent upskilling engineers. To increase our reach and efficiency, we took a strategy move in 2019 whereby we started developing online courses.

And as of date, we have 15 online courses, eight in English and seven in French. Our courses are mainly, but not limited to, IPv6. We also have courses on IRR, RPKI, and we plan to develop more courses to make the Internet more scalable, more accessible, more robust and more secure.

In 2023, our courses attracted 4,800 new enrollments. Out of this number, we made 1,727 learners, who rated our courses 4.7 on a scale of 5. And we scored an NPS of 43.7.

All right. Now that’s 2023. Let’s move to 2024 and see what we have as planned and what accomplishments we have had so far.

So far, we have had 38 new members in 2024.

I want to use this opportunity to clear out some doubts about whether AFRINIC is still onboarding new members. The answer is yes. We are still getting new members.

The reason why: We had 187 new members in 2023, and now, in 2024, quarter one, we already have 38 new members. We have also received 191 new enrollments on our online courses.

In 2024, thanks to our deployment support team, we have been able to help four new organizations to deploy IPv6 on their networks. Those who need support, please scan the QR code on screen to submit your request and we will get back to you through our expert engineers.

In terms of certifications, even, we already ran one through the support of the ICT regulator in Malawi, MACRA, and another one is in the pipeline with Nigeria. So far, we’ve registered 35 certification candidates. 23 of them already took their test, out of which 14 were successful and nine were unfortunate.

Those interested in testing their IPv6 skills, don’t hesitate to scan the QR code on the screen and purchase your exam. We also use our online courses to organize what we call the cohort-based training where, in three weeks – that’s 21 days – our expert trainers help engineers to prepare for and take their IPv6 certification exams.In 2023, we had two such cohort-based trainings. In 2024, we are planning six of them, three in English and three in French.

Policy-wise, our Policy Development Working Group, PDWG, mainly works on mailing lists, and the number of subscribers is approximately 1,000. While we have three policies awaiting ratification by the board, and the RPKI AS0 policy currently being implemented by our staff.

We have kickstarted the implementation of the final phase for our IPv6 policy as specified in the CPM this year in quarter two.

In 2023, we kickstarted the AFRINIC webinar series and had nine sessions where more than 2,700 unique participants attended.

In 2024, we plan to have 15 sessions of our webinar series. We have run four so far. Our targets is a minimum of 4,000 unique participants across all the webinars in 2024 and an NPS of 65. We hope to get there.

If you’re interested in our webinar series, please scan the QR code on the screen and you can read more about the upcoming sessions. Please, feel free to register and join us. Also please do share this information with your friends, families and colleagues.

In 2024, our ambition for our blogging platform,, is to make it a reference point for technical information in the region. So, in this regard, we are planning to publish at least 150 articles on various Internet protocols, the trends in the industry, and how the Internet can be used to foster growth on the continent.

We are looking forward to the community participation, and in our plan, we want at least 30 percent of our articles to come from the community. And in terms of readership, we are aiming at at least 1,000 readers per article that we publish.

Our collaboration with stakeholders is moving well, and currently we have several ongoing projects. With the government of the Gambia, we are working in enhancing the Internet exchange point. We have submitted our contribution to the World Summit of Information Security for their 20-year review project.

What is ongoing with ATU on their project to train and certify 100 government engineers across the region so that they can help to deploy IPv6 on the continent. This is in support to the ATU Resolution 180 on IPv6 advancement on the continent.

With the SADC, we are revamping the exchange point in Madagascar and have been appointed or designated as facilitators for the SADC IXP forums.

To efficiently keep contact with our members, we will be running the Resource Member Contact Update Project aiming at at least 75 percent of our members contact updated so that we can easily reach them for information and collaboration.

See, there is no registry without reliable services and infrastructure. Our IT department is ensuring that our services are up and running so that our members and the Internet community can smoothly access the Internet for their day-to-day activities, state affairs and run profitable businesses.

In this regards, we are pushing very, very hard to keep our services available on an average of four 9s, that’s 99.99 percent of the time.

In 2024, we will conduct two audits, one general audit and one security audit. The outcome of these audits will inform an action plan to further improve our IT services.

We started in 2023 to upgrade our data centers, and we’re successful for two upgrades. In 2024, we’ll continue the data center upgrades. We’ll move more services to the cloud so that we can improve availability and uptime.

And we will also improve redundancy for critical services. Our RDAP and Whois services are about to be present at two Internet exchange points in 2024 and keep improving this in subsequent years.

Thank you for taking the time to follow this video. I hope it was informative. Feel free to reach out with your questions at

I can’t end this video without thanking you all for the continued and unwavering support. Also, I want to thank especially and particularly the AFRINIC staff for their relentless support and resilience in keeping the registry running during this hard time.

Cheers. Asante sana. Shukran. (unintelligible). Ngiyabonga.


Hollis Kara: Let’s have a big round – on your feet for the AFRINIC staff.

(Rising applause.)

All right. Thank you. Really appreciate it. Such a dynamic video. It was great to see all the hard work that’s going on in that region.

Next, I’d like to invite up Paul Wilson – he’s already here. He’s ready – the Director General of APNIC to update us on what’s happening at APNIC.

APNIC Update

Paul Wilson: I’m not ready to follow Musa’s musical introduction. I’m not quite ready for that but it was well done.

Thanks to AFRINIC and AFRINIC staff. Thanks to everyone here. Thanks to ARIN. It’s great to be in Barbados for the first time for me. Very nice place.

So the APNIC update. I’ve got a few things to talk about. We have just launched a new strategic plan from this year that’s come with a new structure of pillars of our strategic activities, which are value streams of registry and development and enablers of engagement and capability, as this is a fairly major restructure.

It represents the two sides of APNIC that have always existed side by side, much more clearly between the registry side and the development side, and both of those are pretty well defined by APNIC’s original bylaws as part of APNIC’s mission, both of those supported by engagement and capability.

We’ve got four senior directors now as part of a restructure, one in charge of each of those four pillars. We now, from now on, reporting according to those pillars and the work streams within them.

So I’ll go through, mostly for the purpose of this presentation, the registry pillar. Here’s what our resource delegations look like over the last 10 years. Pretty steady.

The delegations here are split up according to the subregions of the APNIC region. The last little green part shows you a numerical projection for the rest of the year, but I think you can just see that the IPv4 and IPv6 allocations or delegations are running fairly steadily over these few years.

The axis on the left of IPv4 is twice the scale as the IPv6 one. You could probably half that IPv6 chart for the sake of comparison.

Transfers are interesting. We’ve got transfers of different kinds. Intra, within APNIC transfers, inter-RIR transfers, mergers and acquisitions, which are all reported here. There’s no real pattern to those.

This is the last 10 years, again, of transfers that we’ve been processing. The orange line is the total count of transfers. It’s been sort of up at about seven or 800 transfers per year and running at the same rate for this year so far.

Something we were hearing about yesterday in the Internet Number Status Report is the available pools. APNIC was shown as having .15. Not .15 percent, but .15 of a /8. And that’s the beginning of this year, or round about early 2024 that you see.

The sawtooth here is the reclamation of address space firstly into our reserve pool, and then from reserved into the actual available pool, which is what you’re seeing here. So the big jumps are transfers from reserved into available.

So we did 700,000 IPs becoming available in early 2024. That’s taken us back up to around .15.

We’re coming towards the end of this year, early next year, with another 1.4 million which have been reserved since last year into the available pool. We’ve really got an ongoing supply.

The projection forward of the slope, it just shows the historical rate of allocation of that address space, but it’s taken us out to 2029 on the current policies, which, of course, determine the rate of consumption completely.

But you can see here, what’s happened here is a result of our reclamation process. We had a pretty extensive process of reclaiming or accounting for historical address space held by several thousand different organizations since the early days of APNIC. The summary there shows that we had 7 million addresses. We had 4.8 million retained by the custodians of those addresses, but we were able to recycle, or put into reserve, 2.5 million IP addresses.

That process has been concluded as of the end of last year. We’re now just processing the last bits. Well, in fact, the last bits include 1.8 million that still need to be put into the available pools. That’s where we are with IPv4.

Our membership at APNIC is just past 10,000 direct members. You’ve got to bear in mind we’ve got NIRs in the APNIC region that account for another 15,000 organizations so we’ve got 25,000 who are being served in total.

Australia has got more than anyone. The number there actually comes from – the increase comes from most of those historical allocations having been held by Australians and a lot of those coming into the membership as a result. But all the rest of the economies of our region are shown there.

Moving on to product development. We’ve got a public roadmap of the product development activities of APNIC.

A couple of years ago, we introduced a formal product development process. Actually, Sofia was very involved with that as a product manager as well.

But we’ve got a public roadmap. We show here the activities which are next in line and those which are in progress, and those which are done, numbering zero, for 2024.

If you go back to 2023, then everything is done and there’s a long list there of all the individual product development activities on the roadmap.

I could go into these. I don’t think I’ve got time to look at absolutely every one of these particular product goals that are listed here. But the point is that we actually, in our planning, we lay out the roadmap goals for the year, but we also have a very clear statement that that list of product roadmap goals is going to change during the course of the year.

So we have additional goals, actually, which are added during the year. We tend to report which goals were completed and which are still in progress, and the different product categories. This is registry products. The additional goals added, which include things like Policy Proposal implementations, which are unpredictable, which tend to get added in the year, and anything else that comes along.

That’s the way we report registry products. Membership products, which are primarily the MyAPNIC portal, and a couple of other things which are involved with serving our membership as opposed to the registry products which tend to be RPKI and Whois, so forth.

Again, product roadmap goals completed, in progress and the additional ones completed. That’s how we’re reporting those products.

We have information products as well which includes REx, the Resource Explorer; DASH, which is the dashboard for AS health; a notification service which is being used these days to push notifications out via different channels including SMS, actually, but also WhatsApp and emails, that push notifications out that, for instance, identify our members as the source of honeynet attack traffic.

That’s a fairly new and fairly popular service now that people are able to subscribe to alerts that let them know if their networks are sourcing traffic at the AS level.

And the APNIC Academy is the other set of products which are to do with both our online and face-to-face training product offerings.

Okay. This is the policy process. So it’s a policy meeting. A few things on our policy process here. We illustrate the PDP, I think like all the other RIRs, a cyclical process, which includes bringing proposals to the community before meetings and then during meetings, having the discussions, and then, depending on the results of those, then we’re implementing those policies, where we’re putting them into production and then coming back in a circle to reevaluate them again.

We’ve got one of our membership products is the Orbit Platform. We took the HyperKitty online web-based Mailing List archive and we’re juicing that up with more functionality, kind of social media functionality, to try and get people more engaged with mailing lists because a lot of people don’t like the email method and so they can get access to email lists through Orbit.

A lot of others, on the other hand, are absolutely nailed to mailing lists and won’t leave them. We really had to do something to bring the two together. But the policy and other discussions are happening via Orbit these days.

We did hear about this from the policy lineup yesterday, but just very briefly. We had just one policy approved at APNIC 56, which is at September last year, which was an easy access to IPv4 – IPv6 /48 assignments for members that was passed by the EC but with a provision, because although it was a Policy Proposal, it had an expectation of a charging feature, which the resources should not be – members should not need to pay extra for these /48s.

So that was agreed by the APNIC EC to fulfill the expectation there, even though it was out of band.

There were a couple of other policy proposals which were either withdrawn or abandoned completely, reviewing yet again our IPv4 delegation size from /23 back to /24. As I said before, the slope of our consumption will change, of course, if any of these policies related to IPv4 allocations are changed over the coming years. And some proposed changes to the PDP.

Moving on to the latest meeting, which was the beginning of this year, we had a policy proposed and approved for smaller assignments to IXPs, for temporary IP resource allocations for events like conferences and exhibitions so forth.

We had no consensus on temporary IPv4 transfers or IPv6 auto-allocation to match IPv4 requests, which either of these policies could come back in future meetings. So they’ve simply not been agreed. They haven’t been abandoned or withdrawn.

For more on the APNIC PDP, there’s the Policy Development Process, the SIG guidelines and the link to Orbit on this slide.

Under the engagement pillar, we’ve got really pretty extensive activities and systems for tracking our engagements. I could go into a lot of the elements of the dashboard here, but this simply illustrates one part of the dashboard, which is our subregional engagements which happen through the four different subregions, or what we regard as across the entire region, and global engagements as well under a lot of different categories.

And the light blue there on the right is training. So by far the most popular engagement that we conduct these days is training. The total number of events there is about 80, or total number of engagements there is about 80 total so far this year. So it’s a pretty busy area.

Our capability is the final pillar in the APNIC strategic structure. We had a few changes and a few developments in this area. One of them was a structural change which has been underway for quite some time which is a change to the actual company structure that supports APNIC.

We’ve got now, rather than the Director General being relied on to hold a single share in APNIC in trust for the APNIC Board, we’ve now got a Trustee company which is the holder of the sole share of the APNIC and the EC, the elected EC members are the Directors of that company.

We also had a number of resolutions to change our bylaws, which were passed at the beginning of this year. Sorry, at the last meeting prior to that, which were important because they provided some more constraints on nominations to the APNIC EC.

And they’re a response driven by the community to the fact that we had a fairly explicit kind of hostile takeover bid that was launched through our election process some time ago. I say hostile because of the nature of the campaign and the nature of the proposals that these people were bringing, but it caused concern amongst the membership as to who was actually able to nominate and under what circumstances.

The members then proposed a number of resolutions to change our bylaws and those bylaws changes were agreed by the members at 90-plus percent supporting every case but for an 89 percent support for one of those.

There’s been a fairly fundamental change to address some of the issues that are going on out there in the environment.

Organizational structure and review and restructure in response to the strategic plan. We’ve completed ISO 9001 and ISO 27001 audits. We’ve got those quality systems in place, and we’ve got no non-conformances in either of those.

We’ve got activity planning and, of course, the annual reporting that’s being completed this year.

We had an EC election which returned three members to the EC at the election at the beginning of this year. That was after the bylaws changes, which brought some order to that election.

And finally, as you’ve heard, as you may have heard, I’m moving on from APNIC. This will be my last presentation to the ARIN community, at least as the APNIC DG. There’s a recruitment process underway, which I understand is going quite well so far and expect it to produce a result in the course of this year.

That, I think, is all from me, but to say please stay in touch. We’ve got a survey happening, which is open to all members and all stakeholders around the world in APNIC.

We’ve got our next meeting coming up in New Zealand, in Wellington, at the end of August, early September. We’ve got a blog. We’ve got a podcast.

We’ve got Orbit and all of those channels for you if you wish to stay in touch with APNIC.

Thank you very much. (Applause.)

Hollis Kara: Thank you, Paul.

Bill Sandiford: Don’t go anywhere yet. So your last bullet point there kind of stole the thunder here.

For those of you that haven’t heard or don’t know Paul, Paul has been a leader in the community, not just the APNIC community, but the RIR community and the Internet governance community as a whole.

After a very successful multi-decades career as DG of APNIC, he’s moving on. I just wanted to take a moment, and on behalf of the ARIN community, our members, our staff, past and present, thank you for your involvement with the community over the years and wish you a successful retirement. I’m sure everybody will join me in doing so.

(Rising applause)

Hollis Kara: Awesome. All right. We’re going to pivot to video quickly, with an update from LACNIC from Kevon [Swift].


(via video)

Kevon Swift: Blessed good morning to everyone. And thank you very much for this opportunity to deliver this LACNIC Update to you.

As many of you may know, my name is Kevon Swift. I’m head of Public Safety Affairs at LACNIC and, of course, liaison for Caribbean matters. And we do express our apologies for not being able to be there with you face to face on this occasion as we are all called away to a retreat in Uruguay at this time. But we are there with you in spirit.

So for this morning’s update, we’re going to talk about three topics, three topics that go beyond our registry services.

Firstly, we’re going to be talking about promoting and enriching an inclusive, bottom-up Internet governance model. Namely, the Líderes Program, and then a subsequent step called the Policy Shapers Initiative.

Secondly, we’re going to be talking about our new Research and Development Ambassadors Program. It’s a program which encourages collaboration among technical leaders in our community.

And last but not least, I’m going to talk about LACNIC 41, our upcoming first event of 2024 in Panama City. So on to Internet governance initiatives.

The Líderes Program aims to provide funding and mentoring to selected professionals in the region to researchabout Internet governance issues from the perspective of their own communities.

And, for example, these issues that they discuss are things that are discussed in multiple Internet governance spaces. So, for instance, at the regional global levels, when we talk about Internet for all or we approach the issues of cybersecurity or risks of Internet fragmentation, the idea is to be able to empower professionals from the Latin American and Caribbean region to be able to conduct research from their perspective.

And this research follows a duly scrutinized methodology which our mentors ensure that the selected persons follow. So we have received 76 applications to date, and this is a program that is launched every year, just one cycle per year, and then from those selected persons, they have three months to develop these research outputs and then we publish those outputs on a portal, which is hosted on the LACNIC website.

So just to give you a sense as to the progression in this Internet governance space, we start with the Líderes Program and then we encourage those who successfully complete the Líderes Program to take part of our online Internet governance course.

In the LACNIC campus, we have a course called Introduction to Internet Governance. This course is available in English and Spanish, and it’s self-paced.

It lasts for about five weeks, and it’s a trusted Internet governance from the perspective at highlighting the contributions of actors from Latin America and the Caribbean.

And then last but not least, once these leaders have completed the Introduction to Internet Governance course, they’re encouraged to move on to the Policy Shapers Program.

And Policy Shapers, let’s see exactly what this Policy Shapers Initiative is about. It’s about attracting budding reference people from different sectors in our community and then accompanying them in their insertion into the world of Internet governance.

So the first step, once the líderes, the leaders have completed their research and they’ve done the Internet Governance online course, their first step, once they apply and they’re selected, is to attend LACNIC’s first annual event.

The second step to that is that they will have to either complete the Inter-American Diploma Course on Human Rights to Privacy and Protection of Personal Data.

This course is offered by the Inter-American Institute of Human Rights, or they can also opt for a Diplo Foundation course for candidates that are English speaking, or non-Spanish speaking in our case.

Last but not least, in this Policy Shapers track, they’re encouraged to do the Internet Governance Diploma, or DiGI, which is offered by the Center for Technology and Society by the University of San Andrés in Buenos Aires.

We’re going to move on now to another important topic area for us, the Research and Development Ambassadors Program. This is a fairly new program at LACNIC, and what the R&D Ambassadors Program does is that it seeks to formalize collaboration among technical leaders in the community and LACNIC to achieve our strategic objectives by advancing Internet infrastructure development in Latin America and the Caribbean.

So this program identifies professionals who are interested in carrying out research and development. And once this is aligned with LACNIC’s infrastructure development priorities, they’re selected, and then there are many benefits to being a Research and Development Ambassador, which include the possibility of presenting results at a LACNIC event, development of their personal brand, and a budget for the ambassador to undertake other tasks in popularizing their findings.

So this is a mutually beneficial program for those who are very much invested in the research fields with research capacities, and the idea is that we are able to empower them and give them these opportunities which, of course, will benefit our priorities as well for Internet infrastructure development.

The technological capabilities or other capacities to be enhanced with this program include the deployment of LACNIC anycast DNS servers or DNS root zone servers. We also seek to deploy measurement platforms. We’re also looking at the deployment of BGP collectors at Internet exchange points or other networks of interest.

We also think about the deployment of technologies considered critical by LACNIC. So obviously IPv6, RPKI validation, DNS, DNSSEC adoption. Fifth, we look at strengthening local technical capacities through the organization of workshops, tutorials and meetings.

And last but not least, promotion of regional research activities. It is all-inclusive. It is a comprehensive program initiative to encourage, again, independent researchers to develop their work on the one hand and also contribute to what we look at within the LACNIC community.

And last but not least, I would like to encourage all of you at ARIN to come out to LACNIC 41. It’s our first event for the year, which will be taking place from 6th to 10th of May in none other than Panama City.

And I would like to encourage all of you here to come to the event. You can either attend in person or you can attend remotely. We have been having very successful hybrid events since the pandemic, and we just want to encourage all of you to come and be a part of what we are discussing as part of the numbers community within Latin America and the Caribbean.

And with that, the presentation comes to a close. For further information on LACNIC 41, please visit the URL you see on the screen there,, and you have all the information available.

I encourage you to register as soon as possible, and of course book and make your travel arrangements to come to Panama City.

So thank you very much. Again, a nice and warm greetings from my part, from my part of the Caribbean – well, right now in Uruguay – to all of you gathered there in Barbados.

And I do wish you a very fruitful and a very successful rest of your meeting.


Hollis Kara: All right. Round of applause. (Applause.)

All right. And we’re going to wrap up our RIR updates with an update on happenings at RIPE NCC brought to you us by Hans Petter Holen, Managing Director.


Hans Petter Holen: Thank you. So now I’m between you and lunch and have four minutes left. So – I can get 15. So you have to wait for lunch. Hmm.


I’m Hans Petter Holen, Managing Director and CEO of RIPE NCC, the Regional Internet Registry for Europe, Middle East and Central Asia.

I’ve been in this position for almost four years. Although I’ve been part of the community since mid-’90s. So I’ve known the RIPE NCC and the RIR system for a long time.

So what have we been doing? We’re doing a lot of different activities besides the registry.

You’ve heard about the registry earlier on. You heard about RPKI. We also do Internet measurement tools. We have a measurement network of more than 10,000 small probes that can do measurements in the Internet as large. We do collect all BGP data from various measurement points alone, and we present this by various means, among others, RIPE-stat, where you can kind of type in your favorite Internet number resource and we will show you how we see that in the different views around.

We also run one of the root name servers, K-root. We have a publication, RIPE Labs. We do training and certification. We’re the Secretariat of the RIPE community. And we do Public Policy engagement.

We’re in our third year of our five-year strategy. The RIPE NCC was set up by the community to support the community. That’s our first objective.

Secondly, to operate a registry. And then thirdly, to enable our members to operate the Internet. So that’s kind of the three main things.

In order to do this, we need a stable organization like finances, like governance and so on. And nothing is possible without engaged staff.

This year, we have picked four out of these objectives or the more detailed objectives. The first one being able to turn our data that we have collected not only in the registry but also from the measurement services into insights.

So we’re building now a pipeline to get data from all these different sources into various tools to do analytics, both for ourselves to improve our decision-making, but also ultimately for our members and community at large.

Now, stability is important, and you may have heard me talk about sanctions and political unrest. I thought we should have recovered from the Ukraine war a long time ago. It’s still ongoing. The terrible situation in the Middle East between Palestine and Israel, and this is affecting not only staff and friends, but also the political stability of our service region and the whole world.

So we have a lot of challenges in this area, and this also touches on cybersecurity that was mentioned here earlier today.

So it says here we’ve recently published our Annual Report and Financial Report. It’s actually going to be published tomorrow. So I’m a bit early with this one.

And last year, as you may know, we focused a lot on finding ways to be more prudent in spending of our money. So my CFO now goes by Chief Frugal Officer.


So it may not sound as a big thing to limit the spending to 38 million when our budget was 40 million. I mean, this is a lot of money, in general, but we managed to do that. And this year we’re staying at the same level. So that means that in order to be able to raise salaries, to meet inflation and performance and promotions and so on, we had to find additional savings in other operating expenses.

Now, we’re right now in the discussion of the charting scheme for next year. So if you want entertainment, please read our Members Discuss List.

Compliance, I think I have a slide on that further on. So I’ll leave that.

We still allocate resources, mainly IPv6, of course, but we still have some bits and pieces of IPv4 that comes in on the waiting list. We don’t have anything in reserves, but if something is returned to us, we keep it for six months or so before we assign it to the first one on the waiting list.

We do events across our service region. As you can see from the map here, it’s a huge region, and we do not only the two RIPE meetings a year, but also regional meetings. We do government roundtables, both in Europe, Southeast Europe, in the Middle East, and we do in-person trainings across the service region. So trying to reach out and meet 20,000-plus members across 70-plus countries is part of what’s keeping us busy.

Security and compliance. We have initiatives. Longer term, next year, we hope to have finished an ISO 27001 certification as well. Short term, we’re working on a SOC 2 audit. It started last week. I was audited myself on Friday, and I hope to have the draft report just before the RIPE meeting.

So we’re following closely behind ARIN here.

RPKI is the first focus area out and the first report is a Type 1 report and then follows Type 2 and Type 3, going down the lane. We’re not using exactly the American standards, but they’re very similar. We’ve chosen the international framework, [ISO], which is, for all practical purposes, the same thing.

So as we have talked about already, the single sign-on incident that we had and securing or logging into our services by enforcing two-factor. That’s been a heavy lifting because we started by shifting the whole technology behind this from a product that didn’t support all the features we want to now an open-source solution based on keylock, so we can support multiple types of multifactors going forward.

Then sanctions. I have a further slide on this later on, but that is really shaping us. Not only because of sanctions, which is a criminal offense so I can get in jail if I violate them, ultimately, but also because banks do their own risk assessments and they do not want to see money from ultra high-risk countries or from anybody on any sanction list.

Even though US sanctions don’t apply to me, banks do not want to see money – even though it’s 1550 Euros – so it’s a tiny amount – they do not want us to receive that. So I have an issue with collecting from all my members.

So, yeah, I talked a bit about this. This is about balancing. When I was interviewed for this position, the recruiter asked me what do you think will be the biggest challenge as managing director of the RIPE NCC, and I said the geopolitical situation. And little did I know.

We do publish a quarterly sanctions report, and that may be worth reading if you’re interested in this. We have automatic detection and scanning of all our members and users. So we have detected more than a thousand potentially sanctioned entities.

So we have investigated some of them and concluded that we have two that are definitely sanctions, but we still have 800 that we have not yet investigated because the investigation is actually very fine, not only whether the company’s on the sanctions list – that’s trivial – but whether any of their directors or any of the controlling parties that owns more than 51 percent or the directors of the controlling party, and then you can do that recursively, as far up as you want to do.

So this is very interesting. If there is a party somewhere in Europe, we can look it up in an online business registry. If it’s in more exotic countries, we’d actually have to contact the members and say, “hey, we believe you’re sanctioned, can you please prove you’re not?” And that leads to very interesting discussions.

I talked a bit about data measurement and tools. Some of the things we’re working on there is, if you want to do analytics, you need to know your data quality.

You also need to know whether the data that you’re analyzing covers what you want to measure and analyzing, and whether you have properly targeted what you want to measure and that you have the right position.

Out of this, we aim then to be able to tell stories about what’s happening in the Internet based on the data that we collect.

RIPE Labs is a platform where, in the old days it would be the magazine that you would read when you have time. Today it’s a blog. And we accept publications from all our members, and we also publish things there ourselves.

One of the articles that may be of interest to you to read is the work that we have done on the so-called legacy space over the last 10 years and what the current status of that is, saying that there are some part of that space that is under our responsibility that we have not fully been able to reach and have a dialogue with the holders of.

We do share reports. One interesting one is on the Internet exchanges in the Arab-speaking parts of the Middle East, and that’s been very well received by governments and the policymakers in this region as well as the industry, and it’s all about keeping traffic local, fostering interconnection, attracting global cloud and content providers and becoming a hub for exchanging traffic.

We’ve recently started regional meetings in Central Asia. If you think about those countries, they’re landlocked. In past times, their way out to the world was – and still is – through Russia. They may not be entirely comfortable with that, and bringing them around a table in an open community meeting and get the big telcos to talk about how do we interconnect between the countries so we’re not dependent on any third country has been a very good process that we have now gotten started.

Sanctions. We have funded research by Digital Medusa to look into the effect of sanctions on the Internet through times, and this is really worthwhile to read and see how different sanctions have affected the Internet over time and how it should be done and how it shouldn’t be done.

Also this hopefully serves as a good discussion document when we sit down with governments and also for the governments to understand exactly what they’re doing.

We see that during the sanctions on Russia, it took a while but the industry pushed for it. This was not a push from the RIPE NCC but more the telecommunications industry, that there was written an exemption into this sanction of the Russian parties exempting telecommunication services.

So clearly the decision makers decided, well, it was not really the intent to hamper communication, which has been a long tradition in our industry.

Now, in the US, you can apply for OFAC licenses. There is no such mechanism in Europe. So they actually have to update the sanctions regulations in order to do this.

So we have this in place for Russia, but we are now working to get this in place for other sanctions as well, particularly with Syria and Iran.

If you don’t want to read the RIPE Labs, you can listen to RIPE Labs. So we have podcasts where we interview people about the interesting ideas. So feel free to subscribe to those.

We have redesigned our website. One thing is that it’s got a slightly new look and feel but we have moved the whole publication engine to a modern framework so that we have flexibility and can scale it on all sizes of screens and whatever, and then we are working on improving the structure and readability of it all.

And through the transition, we have maintained, hopefully, all links so that it should be completely not visible to external parties. Well, it’s visible.

Email is something that we are relying on and has been talked about here. But spam is something we don’t like. The big players, Google, Yahoo, and Microsoft have now introduced new protections in their systems.

Hi, Louie. You’re not doing the antispam stuff.

But that puts restrictions on how their anti-spam measures see a certain domain. If we don’t adhere to what is mostly the best practices in the industry that will affect our ability to reach our members in those email services.

We are now really questioning whether we can rely on email with tens of thousands of members and then looking at how we can bring in new audiences and how we will communicate and discuss in the future.

What concerns me, since I’ve grown up with email and have been kind of reluctant to move to new platforms, although, yes, I am on Snapchat and whatever, having the discussions, the parallel discussion on, for instance, a charging scheme now going on both on the mailing list and on the Telegram channel, it’s kind of like it’s fragmented.

People on Telegram say, well, email isn’t fast enough. So they want to propose changes, have them acted upon faster than email. I’m kind of thinking, gee, the bottleneck here isn’t email, it’s how fast my CFO can update the Excel spreadsheet and analyze the impacts of a change in the proposal.

So we need to kind of think about how can we really find a good way of discussing this that is practical but also gives quality into the decision-making process.

It also has been proposed that Mastodon is the answer to everything. I don’t know about that. But we’re exploring new channels for our communication.

Events going ahead. If you want to go directly from here to the next conference, you can fly to Athens, Greece, where we have a southeast Europe meeting beginning of next week. If you’re really from the old times, that’s older than me, you may have used EARN in the old days.

And they have a memorial meeting or sort of reunion on this Sunday. So that’s also a possibility.

RIPE 88 is in Krakow, in Poland, and we have the Central Asia Peering Forum in Kyrgyzstan, and we have not yet announced RIPE 89 or MINOG 2024.

So with that, please join us in Krakow at RIPE 88. And that was all for me.


Hollis Kara: Thank you so much. Thank you, Hans Petter.

I do suggest, the folks that are here, if you have any questions about the presentations from either Paul or Hans Petter, that you find them at lunch or on the break. I’m sure they’d be happy to chat in a little more depth about happenings in their respective regions.

With that, we are going to break for lunch. Just a reminder, in-person attendees, if you walk out the door, you’ll trip over the tables. Head that way. Try not to fall. The meeting will resume at 1:30 p.m.

If you are on the Zoom, please just leave the window open or just rejoin after lunch. The room will not be secured, so please make sure that you secure your personal belongings while we are on break. See you back at 1:30.

(Lunch 12:13 p.m.)

Hollis Kara: Welcome back, everyone. I hope you enjoyed the break. We are getting ready to roll into our Policy Discussion block of the afternoon.

Before we get started, I’d like to get a round of applause for our sponsors, C&W Business, IPv4.Global by Hilco Streambank, and Google.


Once again, a reminder. Standards of behavior are in place for this session and all sessions. It’s pretty straightforward. Be courteous. And let’s have a great open dialogue about these policies.

So first up, I’d like to invite Alison Wood to come up and present on Recommended Draft Policy 2023-5, Clean-Up of NRPM, lots of numbers.

Policy Block 2

Alison Wood: Hello. Hello, everyone. My name is Alison Wood. It’s so nice to see you guys back from lunch.

I am presenting on Policy RDP ARIN-2023-5. Kendrick and I have been working on this. And likely this is the last time you’re going to see this policy presented. I presented it at ARIN 52.

I would encourage all of you to come up to the mic and let me know what you think.

I know we have several Fellows in here, couple of first timers and a lot of veterans. So, I would love to know your opinion on this policy as soon as I get done presenting it. Me and Kendrick.

This policy is a reflection of the work – I’m sorry, I’ll speak slower – that the NRPM Working Group did to clarify and clean up the NRPM. So, this policy covers four different sections of the NRPM.

The changes are somewhat editorial in nature, but these are not necessarily editorial changes, and four changes in one policy is a lot. So, we’ve decided to present it to you guys rather than just doing it as an editorial change.

Again, we’re working on some clarity, and we’re removing some unnecessary text from the NRPM.

Okay. This slide kind of covers my whole thing, but we’re going to talk about it briefly here. In Section 4.3.4, we would like to completely delete that section and retire it.

Section 4.4 and 6.10.1 reference the fee schedule, and the NRPM is not about fees. So, we’re taking that text out of the NRPM.

And for Section 4.10, we’re going to talk about that one in a moment, but we’ve revised the text and removed the word “block.”

Specifically, at ARIN 52, several members of the community came to the mic and suggested that we remove the word “block.” So, it did say a /24 block will be allocated. Thanks to feedback from the mic, we have removed that text. So that’s just a heads-up for you guys to come to the mic and give me more information.

All right. That’s what I just said. Here, 4.3.4, it’s going to be retired. So, the text in red is the text that will be removed from the NRPM, and it will be replaced with “retired.”

All right. Section 4.4, micro-allocation. Again, this is not a technical change to policy. It just removes any reference to fees from the NRPM.

All right. Okay. So, Section 4.10. So, the heading of 4.10 is Dedicated IPv4 Block to Facilitate IPv6 Deployment. The text that we are changing in this section is to take away the statement, “This block will be subject to a minimum and maximum size allocation of a /24,” and we’re changing that to say “a /24 will be allocated.”

Please note the word “block” is still in the header of this policy or of this section of the NRPM. So, if you feel that maybe that should be removed, I’d love to hear from you at the microphone at the conclusion of this.

All right. That was more of 4.10.

6.10.1, Micro-Allocations for Critical Infrastructure. Again, there’s a reference to fees in this part of the NRPM, and again the NRPM does not reference fees. So, we are omitting that sentence from the NRPM.

This was brought about in August of 2023, right after my birthday. It became Draft Policy in September, and it became a Recommended Draft in October of 2023. So likely after this meeting the Advisory Council will vote on this policy.

Staff and Legal found this to be simple and minor and easy to implement. Says the text is clear and understandable after the changes have been made. No legal issues, and just an update to public documentation.

So, this AC Assessment of Conformance is a recap of what we just discussed. So, it’s cleanup. It’s mostly editorial in nature. We’re deleting a few parts and updating a “/24 block” to a “/24.”

Again, simplifying cleanup. It’s very awesome. There’s a lot of work that went into this working group.

I put a lot of requests for comment on PPML and the feedback that I got was that members of the community felt this was mostly just editorial in nature. There was a lot of support for these changes, and everyone felt it was just simplification and clarification.

So, community, I would like to know if you feel that the word “block” should be removed from 4.10 in the header, and I would love to know if you support this policy as written.

It’s a race to the microphones.

Hollis Kara: All right, folks, microphones are open.

Alison Wood: Look at you guys. I’m so proud of you. We took the feedback from ARIN 52 and implemented it. So, what you say today is very impactful.

Bill Sandiford: All right. Microphones are open. Get your comments in online. We’ll start over here on the right side.

Namra Naseer: Thank you. I’m Namra, currently at ColumbiaUniversity of New York. Fellow and first-timer. I actually support this and thank you so much for your work on this about the 4.10, remove the block ledger from the heading. I also suggest we do that obviously because it does not make sense if it’s not in the text.

Out of curiosity, I really want to know why was the fee thing already in this document. Was it serving any purpose before or not in your opinion?

Alison Wood: That’s a very good question. Could someone who came before me comment on why there was reference to fees in the NRPM?

Bill Sandiford: There may not be anybody in this room still when that was put in. It’s historical. It was just there for a very long time. Long time ago.

Alison Wood: That’s a great question. Thank you so much.

Bill Sandiford: We’ll go to the left side here.

Brad Fecker: Brad Fecker, state of Oregon. I support this as written except for Section 4.10. I also agree that “block” should be removed from the name.

Alison Wood: Okay. Thanks, Brad.

Bill Sandiford: Online.

Beverly Hicks: David Farmer, University of Minnesota. All good changes. Support as written. But, yes, remove “block” from the title as well.

Alison Wood: Thank you, David.

Beverly Hicks: I have multiple others if you want.

Bill Sandiford: Go ahead.

Beverly Hicks: Celeste Anderson, Pacific Wave. I would recommend removing the header block to be edited.

Bill Sandiford: Okay. Keep going.

Beverly Hicks: Atefeh Mohseni, Harness, Inc., ARIN 53 Fellow. Support as written.

And Kevin Blumberg, The Wire. Will these /24 changes in 4.10 need any – change any need requirements?

Alison Wood: No. It’s a nontechnical, editorial update. Thank you, Kevin. That’s a great question.

Bill Sandiford: All right, we’ll go to the right side.

Doug Camin: Doug Camin, Coordinated Care Services, Inc., and ARIN AC. Support this as written and also would support removing “block” from the header.

Alison Wood: Thank you, Doug. And you’re one of the suggesters of removing the word “block” at the last meeting. Thank you again.

Bill Sandiford: Again, on the right side.

Adair Thaxton: Adair Thaxton, Internet2. There are two other occurrences of the word “block” in Section 4.10. Are those candidates for removal as well?

Alison Wood: Absolutely. We’re gonna review it as soon as this meeting is complete. And the changes of just removing the word “block” don’t affect the policy or the NRPM. So, we are able to remove those without having to go get another legal.

Bill Sandiford: Last call. Comments, get your comments in online and we’ll take an online comment now.

Beverly Hicks: Harlan Raleigh, Citizen Support. Support as written if “block” is removed.

And Matthew Cowen, ARIN 52 Fellow. Support as written with “block” removed from the title.

Alison Wood: Perfect Thank you very much. You guys were awesome coming to the mic. Thank you.

Bill Sandiford: All right. Seeing no more people on the mic, no more online, we’ll call our counters out, and we’ll ask all those who are in favor of this Policy Proposal, please raise your hand highly or indicate appropriately online.

Hollis Kara: If you’re not seeing the polling feature appear in your Zoom, you are welcome to state your support or nonsupport of this policy in the chat.

Bill Sandiford: Okay. And those against, please indicate now.


Survey says…

Michael Abejuela: Michael Abejuela, ARIN General Counsel. We had 68 in the room, 65 remote. For Recommended Draft Policy 2023-5, Clean-Up of NRPM Sections 4.3.4, 4.4, 4.10 and 6.10.1, we had 55 for and zero against.

Alison Wood: Thank you.

Bill Sandiford: Thank you, everyone. The AC will take this into consideration.

Hollis Kara: Thank you, Alison and Bill.

“Nonsupport” feels like a really weird thing to say. It just occurred to me after I said it.

Next up, Chris Woodfield is going to present on 2023-7: Clarifications of NRPM Sections 4.5 and 6.11 Multiple Discrete Networks.

Chris Woodfield: Hello, everybody, I’m Chris Woodfield, the ARIN AC. I’m here to present, as Hollis mentioned, ARIN 2023-7. This if, memory serves, is another work product of the AC’s NRPM Working Group.

And it is – I would call this one, similar to the last one – almost editorial. But we’re presenting it here because whenever there is – we don’t want to have really any ambiguity over policy that is – if it’s going to be an editorial, we want to be sure. So, when there’s ambiguity, we will bring it here.

Elizabeth Goodson is my co-shepherd on this one. So, thank you for your assistance.

The problem statement is that the current text does not adhere to the existing style guide.

This is largely a stylistic change, but with some specific word substitutions as well to conform to current style and terminologies.

I am not going to read the entirety of the current policy language because, as you can see, it is quite dense. And the section has terms that are numbered substatements which will be corrected, which is corrected in the proposed policy.

We don’t use this style anymore in the NRPM, but the language is specific to the Multiple Discrete Networks Policy, which, if you’re not familiar is a policy by which an organization can receive different allocations for different discrete sections of their network.

The main use case would be an organization that has multiple networks that they’re managing but getting allocations as a single account when, let’s say, your network No. 1 needs an additional IP blocks but your network No. 2 does not. You may not qualify for additional space with the totality of the two and the total allocations. But if you have an aggregate, for example, you still need to add additional space, but you can’t easily move space from your own allocation, which was the origin of the Multiple Discrete Network Policy, which has evolved but not terribly much over the years since it’s been implemented.

The second section of this policy, as current as it is, there’s subsection 6 and subsection 7, lots of small text there, apologies for that. And subsections 8, 9, and 10, also small text.

So, the way that the incoming policy is reworking this is clarifying the language a little bit but not in ways that is intended to change policy or practices, but also make a more paragraph-centric presentation of the same text.

So, you see we do not have the numbered bullet lists anymore. We have just paragraphs instead. Subheads where needed are bulleted, but we don’t have 10 of them. At this point it’s almost entirely the same text with one key change that I will come to in a minute.

And this final subhead of the criteria, I believe this was points No. 4 through 10 in the original policy, have been made into a paragraph.

Still somewhat dense but maybe a little bit more readable, but definitely more conforming to our current style.

The key change in terminology is that this policy replaces the word “registration” with “allocation” in conformance with current practices where the term “allocation” is the official term of art for IP resources allocated to ARIN organizations.

And there is also this policy, this policy exists in both Section 4 for IPv4 and in Section 6 for IPv6. So, we’re doing more or less exactly the same style change in 6.11, which is the IPv6-specific part of this Multiple Discrete Networks Policy.

Here we actually have a combination of bullet points and numbered. So that does not read very well as is. So definitely a candidate for reformatting. And here again we’ve moved to paragraphs, bullet points, and a shorter paragraph but more bullet points. So hopefully a lot clearer and easier to read.

So, the history of this, it’s background, we accepted this as a draft in September 2023. I presented this in October, in case if you have a little bit of déjà vu.

At that meeting, there were some recommended - the feedback recommended some changes to the policy as written. Those changes were made, and with those changes we advanced to Recommended Draft Policy. So this, as John is fond of saying, this may be the last time you’ll see this before it’s adopted.

So, our Staff and Legal Review came back positive, but also calling out the edit where the term “allocation” was used to reflect a deprecation of the word “assignment.” The actual word “assignment” does not appear in the original policy; the word “registration” is used, which is even more out of standard than assignment, I would suspect.

So that is one terminology change that is bumping this out of the editorial category. And implementable, no material legal issues, three months, update the documentation, internal procedures. This is a fairly standard, clean Staff and Legal.

And here’s our conformance policy, from when we adopted this as a Recommended Draft Policy. We will move to the impact. And this is the point where I’ll call back to the “almost editorial.”

As mentioned, the NRPM is deprecating the word “assignment” in favor of the word “allocation,” so we’ve adopted that terminology here as well. A policy that was presented yesterday, 2022-12, also removes the word “assignment” and replaces with “allocation” as well.

We’ve recognized a potential race condition, if you look at the policy language just in the right way, where this policy would be more conformant with the existing language if 2022-12 was adopted before this policy was adopted or alongside this policy.

But the Board does not adopt policies in blocks. So given that there is a little bit of ambiguity here, we are considering holding off on recommending this policy to the Board until 2022-12 is either adopted or abandoned. At this point it will probably be adopted based on yesterday’s feedback.

And if that happens, then this is 100 percent editorial, and we could put it through that process. But at this point we can’t really – we’re just ambiguous, the editorial question is just ambiguous enough that we’d rather put it through the full PDP instead. So, we’d rather – the AC’s preference is to take 2022-12 first and then queue this one afterwards.

Going back to the history of this, the original language had an additional paragraph that you also saw yesterday, which was the definition of Organization ID or OrgID. The feedback in ARIN 52 was to remove that language and present and submit that as a separate policy, which we have done.

So, the language here has been changed to remove that definition and that is going through the PDP independently. The revised policy language has support in the PPML, and we are coming here to get support in the room to decide on next steps.

So, the questions for the community are: A, do you support this policy as written? And two, does this new language add clarity to the NRPM sections that are being revised or not?

Hollis Kara: All right.

Chris Woodfield: That’s all I’ve got for now.

Hollis Kara: Wonderful, microphones are open, so if you have a question or comment, please approach the mics. If you are joining us online, please feel free to start typing. And I’ll hand it off to Bill.

Bill Sandiford: Start with the right microphone.

Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank. I oppose the draft’s proposal as written, because I completely support all the substantive material about the policy that you included in the last few slides, that’s great.

As an editorial change, I don’t think it adds clarity. Now, bullets three, four and five absolutely should have been sub-bullets under bullet two – must meet the following criteria or examples. Three, four and five in the old text were examples and should have been indented.

In the new text, you have “must meet the following criteria, colon, new paragraph.” There’s no examples. There’s a new paragraph, which is a completely new thought.

And then you have “examples which may result” and three bullet points. That’s great. And then what looked to me like potentially additional criteria, or it might just be other parts of policy. I can’t tell whether it’s one criterion or 17 based on the fact that it’s a block of text. So, I don’t think it’s clear enough to advance.

Bill Sandiford: Thanks, Lee. Right microphone.

Doug Camin: Doug Camin, Coordinated Care Services, Inc., and ARIN AC member and the shepherd of 2022-12, or lead shepherd. I support the idea of waiting for this policy to move forward based on 2022-12. I do think that it would be advantageous for us to, even if 2022-12 advances, that we should still – we should not consider this an editorial policy. It should just go through the regular process.

It’s been presented and I think it’s been through a couple of iterations in policy meetings. So, it can be carried forward through that process, including changes such as what Mr. Howard just suggested as well.

Chris Woodfield: To be clear, there was no statement of intention to shift this to editorial, just commenting that the only reason that it’s not editorial, if 2022-12 had already gone through and was part of the NRPM today, our feeling – our belief – is that this would be editorial. But that’s not the case, therefore not editorial. And there’s no intention to shift it to the editorial processes at any point.

Doug Camin: Got it. Thanks for the clarity.

Bill Sandiford: Anything online? Last call for comments in the room and online. Left side.

Kat Hunter: Kat Hunter, ARIN AC. Just to clarify for the community, we do not pass policy on the basis of hoping that another policy happens. So, when you’re deciding whether you want to support a policy or not, keep that in mind. Do you support it as written if it were to be put in on its own with nothing else happening.

Bill Sandiford: Thanks, Kat.

All right. Recommended Draft Policy. Are the counters ready? All right. So, all those in favor of this policy, please raise your hand now or indicate online.

All right. All those opposed. Make sure to hold your hands nice and high. Thank you.

Bill Sandiford: Yesterday’s birthday boy says…?

Michael Abejuela: Michael Abejuela, General Counsel. We had 67 in the room, 64 remote. Recommended Draft Policy ARIN 2023-7: Clarification of NRPM Sections 4.5 and 6.11, 17 for and 20 against.

Bill Sandiford: All right. Thank you. AC will take that information under advisement, thanks.

Lee Howard: Point of order.

Bill Sandiford: Yes.

Lee Howard: Would you please request that when people are indicating their support or opposition to a proposal that they keep their hands raised nice and high for the entire duration because I saw some hands going up and down.

Bill Sandiford: That’s why I said, please hold your hands nice and high.

Lee Howard: And you have to keep them up.

Bill Sandiford: I could see them going down myself.

Hollis Kara: All right, thank you, Bill and Chris.


All right. Next up, I’d like to invite Alicia Trotman to come up and present on Recommended Draft Policy 2023-6: ARIN Waitlist Qualification.

Alicia Trotman: Good afternoon, everyone. I promise to speak slowly.

So, this afternoon I’m here to present ARIN 2023-6: ARIN Waitlist Qualification. And myself and Matthew Gamble, I am the primary shepherd, Matthew is my secondary shepherd.

As we all know, IPv6 – sorry, IPv4 addresses are now exclusively issued from the Wait List since the depletion of the free pool. This policy seeks to make explicit the relationship between the Wait List policy and the qualifications for the Wait List, specifically in Section 4.2.

As you can see here this is the current text. I won’t read to you the current text.

So, this policy is all part of the hard work of the NRPM working group. And this is simply to simplify the relationship between the Wait List and the qualifications for the Wait List.

So, the policy statement: ARIN staff will evaluate the Wait List requests against the requirements of the otherwise applicable Section 4 policies.

Initially, there was a lot more to the qualification policy that was going to be added. But as you will see later on, what we got back from Staff and Legal, they made some suggestions.

So, this is the policy statement here. And I’ll give you a bit of history. The proposal, we received it on the 16th of August 2023. It became a Draft Policy on 26 September 2023. It was revised based on the Staff and Legal on February 27th, 2024. And we got it in just before this meeting on the 26th of March 2024 as a recommended draft.

So, it’s possible that this may be the last time that you’re going to see this being presented, depending on our next meeting and what is decided and community support.

So, Staff and Legal: This was a pretty clean Staff and Legal. The impact on the ARIN registry operations and services, none. Legal, no material legal issues. However, they did have a suggestion.

This was not in our slides; however they suggest that it was a bit wordy and there were other examples that were given that they said were not necessary. So, we simplified the text that was going to be added in that section.

Implementation time period: Estimated three months. Implementation requirements, staff training and updates to the public documentation.

This is the conformance statement for this particular policy. And this policy is found to be fair, impartial, technically sound. And this is what we’re looking for, and this is why it has become a recommended draft today.

So, this particular slide, the policy impact, I love that we’re now putting these in our slide decks because it gives you an overview and it’s what this policy is about; it’s actually what we’re trying to accomplish with this.

So, the policy adds a new section, Section Qualification. This new subsection seeks to clarify qualification requirements for the IPv4 Waiting List based on Section 4 policy.

And this would be a great help to newcomers as well as Fellows to understand exactly what our policies are trying to accomplish.

Community feedback: Generally positive.

Since our last ARIN 52 meeting, we haven’t really had a lot of activity and feedback for this particular policy, but I’m hoping today that we do get a lot.

And this, I’ve come to the end of the presentation, and the question that I have for the community is does the community agree with the language as written? Thank you.

Hollis Kara: Thank you, Alicia. We’ll wait for Bill to come up to the stage. Microphones are open if folks would like to queue up if there are questions or comments on this one. Same for our virtual participants, time to start typing.

Bill Sandiford: All right. Microphones are open. We’ll start on the right-side microphone.

Rayshorn Richardson: Rayshorn Richardson, Eknotec Services. I agree with this policy statement. My question is, will the qualification requirements be listed along with this under the subsection, or will it be on a separate document?

Alicia Trotman: No, it was felt that it was already within the document, and giving examples was a bit confusing. So, we’re not going to add this – the text that’s there is what’s going to be added.

Rayshorn Richardson: Okay.

Bill Sandiford: Microphones remain open.

Any online comments? Go ahead.

Beverly Hicks: David Farmer, University of Minnesota. I support this as written.

Bill Sandiford: Thank you. Right-side microphone.

Namra Naseer: Namra, Fellow, and I’m from Columbia University. I just have a question. When we say it’s confusing, I’m wondering who is it confusing for.

Alicia Trotman: We have a lot of newcomers.

Us in the community who might be used to these sections and know what end users are and what different – it’s easy for us.

But when you have new people that come in and they read the NRPM, we try to make it as simple for the novice who this is the first time seeing this stuff.

So, it’s kind of like that. The NRPM is not just for engineers and people in this space; it’s for anyone to understand what the policies are all about.

Namra Naseer: But was there any way that it was verified, getting that feedback, that it is confusing for us? Just wondering.

Alicia Trotman: I’m not sure how the Working Group would have identified what data they would have used. But just reading it, if it seems a bit ambiguous and confusing to you, then you should address it. That’s the best way to answer it.

Namra Naseer: Perfect.

Bill Sandiford: Online.

Beverly Hicks: Matthew Cowen, dgtlfutures and ARIN 52 Fellow. I support this as written.

And Atefeh Mohseni, ARIN 53 Fellow. Support as written.

Bill Sandiford: Thank you. Right microphone.

Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank. Support as written. I think removing the additional examples is being redundant. The other qualifications in the same section of the policy manual makes sense. Having – it makes more sense to cross-reference to the official block and section of policy rather than give examples of what’s covered under different sections of policy.

Bill Sandiford: Thank you. Right microphone again.

Rookayya Gulmahamed: Hi, Rookayya, for the record, and hello.

It says Wait List. I was wondering if end users can still join the Wait List on special case basis, or is it closed? How does it work?

Alicia Trotman: I’m going to leave that question for ARIN operations.

Bill Sandiford: John?

John Sweeting: John Sweeting, ARIN CCO. The question was, can end users get on the Wait List. And the answer is yes. Any member, any customer of ARIN can qualify for the Wait List.

They can qualify under an ISP policy or the end-user policy. But that’s what RSD, Registrations Services Department, will ask them which they want to be qualified under. They will state, and that will be portions of Section 4 that they look at to evaluate them.

That’s why using the examples in this here would be confusing because they wouldn’t know if they were for ISPs or end users without going to that section.

Rookayya Gulmahamed: Thank you.

Bill Sandiford: Online. Last call for microphones as well.

Beverly Hicks: Robert Hoppenfeld, Up In Two LLC. Support as written.

And Jonathan Stewart, Why does it say “otherwise”? Wouldn’t all applicable Section 4 policies be more clear?

Would you like me to repeat that?

Bill Sandiford: It would be helpful to know where he’s referring to it. I’m not sure if its here.

Hollis Kara: I think you need to go to the line of the policy text. Right there.

Beverly Hicks: It says “otherwise applicable.” He was suggesting “all applicable.”

Matthew Wilder: Matthew Wilder, ARIN AC. At the time a member of the NRPM Working Group that put together this policy. So, “otherwise,” sort of refers to if it weren’t for the waiting list. That’s where the “otherwise” comes in. That’s why it’s “otherwise applicable.”

Bill Sandiford: Thank you. All right. If there’s no more online, we’ll get our vote talliers ready.

All right. All those in favor of the policy as written, please raise your hand and indicate online.

All those opposed. Okay. Thank you.

Michael Abejuela: Michael Abejuela, ARIN General Counsel. We had 72 in the room, 65 remote. Recommended Draft Policy, ARIN 2023-6: ARIN Waitlist Qualification. 50 for and zero against. Close vote.

Bill Sandiford: Thank you, everybody. The ARIN AC will take it under advisement.

Hollis Kara: Thank you, Alicia and Bill.


All right. Here we go. Next up, Gerry George with Draft Policy ARIN 2023-8: Reduce 4.1.8 Maximum Allocation.

Draft Policy ARIN 2023-8: Reduce 4.1.8 Maximum Allocation

Gerry George: Okay. We’re looking at the Policy 2023-8. And this is about reducing the maximum allocation from a /22 to /24 on the Waiting List. I’m working on this policy as shepherd with Brian Jones as my co-shepherd.

The problem statement, and I will try not to read everything in there. But the gist of it is to have a reduction from /22 as the allocation, as maximum allocation on the Waiting List to a /24.

So, the proposed changes on the policy – and a lot of it is simply changing the text from where it says /22 to saying /24 and related and associated references.

So, you’re changing from the maximum size aggregate and at the end of that sentence where it said, “at any one time is a /22” to now say “will qualify for a/24.” And a removal of the subsequent sentence that says, “organizations will be able to elect a smaller block size,” because that really doesn’t matter anymore.

Second portion is, once again, a change from referencing /22 to referencing a /24. And you see the changes in here. And removing the sentence, the follow-up sentence that says, “multiple requests are not allowed at an organization – are not allowed currently on the Wait List, must wait 90 days,” et cetera, et cetera, et cetera.

Then also removing the sentence that says about the restrictions for entities and adding the sentence, “Waiting List recipients must demonstrate the need for a /24 on an operating network.”

So, the proposed text is listed. So, the previous slides showed the various changes. And now those next two slides – this slide and the next one – will show the aggregate of the changes across all of the policy changes. Okay?

And then we also have a couple more changes listed. And this one is actually from Section 4.2.2 where it actually is impacted by that change.

So, at the end of the sentence, “…up to a /22,” the change says to replace that text with a /24. And removing the sentence that also references a /22 as appropriate.

So, the history of this policy, it was proposed back in September 2023. It became a Draft Policy in November and changes were made in February of 2024.

So, the policy impact: The IPv4 Waiting List times will remain at least three years as it currently is if we all continue to increase. The runout will eventually happen unless organizations return IP addresses or the space is returned to ARIN, or everyone shifts over to IPv6 and there’s no longer a need for IPv4.

The number of transfers and the cost of IPs could be impacted. And if this policy is implemented, the IP Waiting List size would be reduced.

Now, the next slide actually goes to community feedback. But before I get to that, I want to give you some statistics on what happened. At ARIN 52 in San Diego, John Sweeting made a presentation, and he explained that the Waiting List had grown to over 700 requests. And at the time – right now it’s over 800 – and he asked the community whether this was okay and whether changes should be made to impact that.

One suggestion at the microphone was to reduce the maximum request size from a /22 to a smaller, either a /23 or a /24.

I think Jon Worley created the chart that showed how it impacted the request. And that is part – still is part of John Sweeting’s ARIN 52 presentation and the slides are available on the ARIN website.

So, for example, if the first organization on the Waiting List were waiting for a /22, and a /22 then became available, then one organization would get an allocation. If it’s reduced to a /23 or – sorry, to a /24 – then the first four organizations would receive a /24 from the available /22.

So, in summary, the stats would show that in 2024, Q1, 199 requests were filled. 305 requests would have been filled if that change were made – sorry, if the change to a /23 were made. And that’s a 53 percent increase or change. Or 532 requests would have been filled for a /24. That’s a 167 percent move.

So, we did get community feedback, and it ranged on both sides from whether this was even needed, would it solve the problem, or leave it alone and make no changes at all.

And some of the questions were, would there be a significant impact on the Wait List. We also had one commenter who said, “If we simply move across to – if everyone moved across to IPv6, then this problem goes away.” But we know that’s not really going to happen immediately.

So, we have to address the current issue. So do you think that this policy is needed or is it intended – or is its intended effect adequately addressed elsewhere. Should anything be done at all?

So, the question to you as a community, do you think the AC should continue to work on this policy? And please rush up to the microphones.

Hollis Kara: All right, folks, that’s your invitation. Head to the microphones or start typing.

Bill Sandiford: All right. We’ll start with the right side.

Adair Thaxton: Adair Thaxton, Internet2. My mom was an English teacher. I’m going to be deeply and apologetically pedantic here. The maximum size aggregate that an organization may qualify for is a /24. When you say “may,” do you mean “will qualify for” or “could possibly qualify for, but could also possibly qualify for a larger block size?”

Gerry George: John, do you want to take this? Hand off the hot potato.

John Sweeting: John Sweeting, ARIN CCO. The maximum aggregate that can or may qualify for, if you’re an English major, would be a /24.

Bill Sandiford: We’re online.

Beverly Hicks: Kevin Blumberg, the Wire. I support the / 24 change. I strongly urge that text be added that your qualification is based on current policy and may change between when you got on the Wait List and when you were approved.

Want more?

Bill Sandiford: Sure.

Beverly Hicks: Robert Hoppenfeld, Up In Two, LLC. If we’re already on the Waiting List for something larger than a /24, will our current request be reduced even if we have been waiting a long time for that larger block.

Bill Sandiford: John Curran?

John Curran: In the past, the ARIN Advisory Council and community came forth with a policy to change the Wait List and they changed the policy. The Board ratified the change.

And it was unclear as to how entities already on the Wait List would be impacted by that policy. This resulted in a multi-quarter, maybe multi-year adventure of making the policy text more clear in that regard and eventually rectifying the situation.

So, if you do change the Waiting List policy, I would suggest that the addressing of those on the list be explicit in the proposed policy.

That doesn’t answer your question at all. But the fact that it should be in there is probably a requirement.

Bill Sandiford: Right microphone.

Kaitlyn Pellak: Hi everyone, Kaitlyn Pellak, with Amazon Web Services. I had a question about the removal of the condition of source transfer under Section 8.3. I’m just wondering – forgive me because my afternoon caffeine may not have kicked in, so maybe I’m missing something – but to me it reads that if we remove that section, we’re essentially saying that somebody could transfer resources and then immediately go to get on the Wait List and apply for a /24. That may be the intention, I’m just not sure if that was part of the intention of that statement.

Gerry George: No, I don’t think it was the intention, but it will be discussed.

Bill Sandiford: Left side.

Andrew Dul: Andrew Dul, 8 Continents Networks. I would just point out, again, that we need to be explicit about what happens with those on the Wait List and the policy that’s not currently clear in the current text.

I don’t necessarily support the policy today. I don’t necessarily think it’s necessary. But others might. But at least clarify what happens for those on the Wait List.

Bill Sandiford: Right side.

Tina Morris: Tina Morris, AWS. For a fun trivia fact, that modification of the policy was made in the room over there last time we were in Barbados.

But I would say I’m not in support of this policy, and I think it creates a lot of drama without really that much benefit because those that don’t get their needs satisfied will just go back to the end of the list and they’ll be left in this in-between state having some space to solve their problems but not enough. And the list will not get shorter because of this, in my opinion.

Bill Sandiford: Online.

Beverly Hicks: Mohibul Mahmud, from Microsoft, ARIN 52 Fellow. Could you clarify a bit how this proposed /24 ensures fair access to IPv4 resources for smaller organizations without exacerbating the backlog.

Gerry George: Well, applicants would have to go through the exigent criteria. And that criteria would already have the facilities for ensuring fair access.

Bill Sandiford: We’ll go over to the right microphone.

Rookayya Gulmahamed: Rookayya Gulmahamed, Government of PEI. You mentioned earlier that if this policy is not implemented runout will eventually happen unless organization (indiscernible). So, I was wondering if you guys plan to you implement the policy as a workaround, as in, like, if organizations can return their IP addresses in, say, X amount of time just to keep it going.

Gerry George: Could you repeat the last part of it?

Rookayya Gulmahamed: If you intend to implement the policy as a workaround, like, just to have the IP addresses –

Gerry George: To get IPv4s coming back in?

Rookayya Gulmahamed: Exactly, yeah.

Gerry George: That would certainly be welcomed if companies switch to IPv6 and they no longer need the IPv4s, to return them to the pool. That would definitely be welcomed. And it would help other companies who have a need for IPv4s to suddenly make it available.

Rookayya Gulmahamed: Thank you.

Bill Sandiford: I think it’s welcome but probably unlikely. Online.

Beverly Hicks: Atefeh Mohseni, ARIN 53 Fellow. I think the AC should continue on this policy. Regarding the text, I suggest keeping the subject to ARIN’s minimum allocation size in Section 4.2.2.

I have more if you want.

Bill Sandiford: Keep going.

Beverly Hicks: Laurens Flock from Laurens Technologies, LLC. I strongly support the /24 change as written, as I see the great advantage to more requests being fulfilled and the use of bigger blocks being segmented down to smallers.

And Alan Rowley. Agree with a /24 but wording would need to be clarified as “may” and other words don’t make black and white criteria. If I could get a /22 even though the policy says /24, in short, we need to make it absolute.

Want more?

Bill Sandiford: Keep going.

Beverly Hicks: Matthew Cowen, dgtlfutures and ARIN 52 Fellow: I agree the answer is IPv6, but I support this as written as it may continue to incentivize moving towards to IPv6.

I’m done now.

Bill Sandiford: Great. Last call in the room. Last call online. Right side microphone.

Rayshorn Richardson: Rayshorn Richardson, Eknotec Services, ARIN 53 Fellow. How do you vote in a situation where you agree with some aspect of the policy or the Draft Policy, while you may still have questions about others?

Gerry George: Since at this point it’s not up for a vote, you post on the PPML, and you express your support and your dissent and so on.

Rayshorn Richardson: Okay, understand.

Bill Sandiford: Right side again.

Doug Camin: Doug Camin, Coordinated Care Services, Inc., and ARIN AC. I do support the idea of reducing the Wait List size as a means of further encouraging the movement to IPv6. And I understand that there are other vehicles for people to get space if they need for transitional space like 4.10 and other vehicles through the NRPM.

But I do think that, in the idea of moving this along and trying to continue that push towards v6, this would be just another small step in the way to do that. Thank you.

Bill Sandiford: John.

John Curran: Just to go back on something that came up, someone asked about the removal in 8.3 of conditions on the source of the transfer because this proposal is removing a section. If you could put it up, Section 8.3, conditions on the source of the transfer, the proposal is to, part of this text is to remove that. And someone was asking why are we removing a condition that’s effectively in 8.3.

I note if the full proposal was adopted, the full proposal has text earlier that says an entity that ever held IPv4 space, other than special use, received under Section 4.4 or 4.10 are not eligible to apply. So, by definition, sources of transfers are unable to use – if this change were to be applied – all sources of transfers are permanently prohibited from using the Wait List.

So, it becomes redundant in the section on transfers that it’s being removed because it’s redundant. It no longer would operate. The Wait List policy itself would prohibit anyone who had any of these, including alternate sources. That’s why, I think that’s why the removal isn’t a problem, I guess, is what I’m saying.

Bill Sandiford: Thank you, John. Any more comments online?

Seeing none, thank you, everybody. The AC will take your feedback under advisement.

Gerry George: I’d like to say thank you.

This is my first policy presentation. Thanks for being kind.


Hollis Kara: Good job, Gerry. And thank you, Bill.

It’s a race to the podium. All right. Leif Sawyer, come on up here. We’ve got 2024-2: Whois Data Requirements.

Draft Policy 2024-2: WHOIS Data Requirements

Leif Sawyer: Hello and good afternoon, everyone, and hello to everyone on remote. Okay, I already hit it.

Draft Policy ARIN 2024-2. I’m Leif Sawyer, and Daniel Schatte is my co-shepherd on this one. I’m not a privacy expert, so I amencouraging all you privacy experts out there in the audience to rush up to the microphone at the end.

We have a long problem statement here. And I will summarize it on the second page, which is, currently there are no ARIN policies that clearly define what organization and associated Point of Contact information must be provided and registered in the public Whois.

So, the policy statement here seeks to modify Section 3.8.1 to include the following sentence as written there. It adds a new Section 3.8.2, which requires specific organizational record information.

In 3.8.3, the Point of Contact record, creation. And it talks about this being generally visible in the public Whois.

It does hold out for exceptions in NRPM 3.3 and…

We add 3.8.4, required Point of Contact record information.

So quick history on this. It was received in February, just after our initial meeting face to face. It was accepted as a Draft Policy just last month.

Quick policy impact. I’ll talk a little bit about what concerns have been brought up here. The 3.8.2 section, the new section here, defines the registration data required for an organizational record. Some folks have thought that that might be considered an operational change for ARIN, telling ARIN how to operate.

We will get that feedback from ARIN staff further on in the process. That’s not for us to decide, but that’s just a concern that has come up.

3.8.3 contains a potential conflict versus 3.2 and 3.3. 3.2 defines how an Org sets up their distributed information service and allowing for certain but differing privacy protections between customers and subscribers.

3.3 talks about how Orgs may designate certain points of contact as private from ARIN Whois, as long as at least one Point of Contact is viewable. Notice it does not say “distributed” information system there.

Overall, there may be potential exposure of PII data. Currently that data is either not published or is redacted as private in the current Whois and distributed systems.

Let’s see. I have a couple other notes here. I’m trying to think if I need to – the follow-up to that last 3.8.3 is that 3.8.3 defines all Point of Contact information to be Org information, organizational identifying information, and not private information, which is an interesting thing to happen because if you have a small business, a sole proprietorship, or a dba, now your personal information is no longer personal. It is corporate information.

So, we’ve had one statement of support on PPML, and no other feedback.

So, the questions for you: Do you believe this policy to be in scope for the NRPM? And if so, are you in support of this policy and its continuing progression?

Hollis Kara: All right, folks. Microphones are open.

We already have one come in from online if you would like to start there. It’s up to you, Bill.

Bill Sandiford: I’ll start on the right side.

Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank. I do think this is in scope or at least largely in scope for policy manual. There’s a section – weird organization. You have instructions for creating a POC record, following the section on validating POC information. That seems like an odd way to organize things.

And there’s a parochial thing where you say, in talking about address, you say city, state, zip or equivalent. Let’s be a little bit less US-centric state and state slash province and postal code rather than ZIP code. Thank you.

Bill Sandiford: Right side again

Matthew Wilder: Matthew Wilder, ARIN AC, Telus. This is a – I mean, registration is an important function. This is the American meeting, American Registry for Internet Numbers, last I checked.

I think this policy is in scope. I remember (indiscernible) AC, and this will be in my mind when we adopt, drafted at least. The thing I want to say is right now a lot of the POC and organization definition stuff is actually in Section 2 definitions. And so, I think putting it into directory services of Section 3 makes a lot of sense.

And I think it’s also going to be good to have our community talk more about registration and its importance to the community as a whole. Thank you.

Leif Sawyer: Thank you.

Bill Sandiford: Online.

Beverly Hicks: Gabriel Andrews, US Federal Bureau of Investigations. Speaking in support of this policy. Non-personally identifying Whois data is valuable to network operators, researchers, cybersecurity practitioners and others, but it can also be invaluable to law enforcement’s ability to keep the public safe from threats and harm that we become aware of.

For example, when we see a new IP address, communicate with known ransomware, command and control infrastructure. And we have approximately 48 hours to identify who that IP belongs to and alert them of an incoming attack before the ransomware is deployed.

The availability of non-PII Whois information is enabling to us to turn an IP into a conversation that can be the difference between a victim saved and a victim harmed.

I have one more if you want.

Bill Sandiford: Go ahead.

Beverly Hicks: Kevin Blumberg, The Wire. Do not support. This is either operational or a requirement in RSA. It may create a direct conflict with recent Supreme Court of Canada requirements and ARIN.

Bill Sandiford: Right side.

Doug Camin: Doug Camin, Coordinated Care Services, Inc., and ARIN AC. I generally support the idea of putting this information in here. This may be more of a concern with how it would be implemented to prevent companies from putting essentially, like, shell contact information in, so that you end up with a bunch of non-useable contact information.

So, I don’t know if that could be addressed in policy, but I do think that’s a concern if it were to be adopted and to be implemented.

Leif Sawyer: I can address some of that. Currently the text does state in the addition that only a representative, an official representative of the organization may create the organizational record. So, for all of the POCs.

Doug Camin: Yeah, but in a strict legal sense, what can happen is you can get a lawyer who has a P.O. Box in Delaware, to use a US example, and that can be – and you could be four levels removed from anybody who actually looks at anything.

Leif Sawyer: There’s nothing in the policy that prevents that. That’s correct.

Bill Sandiford: Anything Online? Go ahead.

Beverly Hicks: Jonathan Stewart: On Proposed Policy 2023-8, Section 4.1.8, changing from a /22 to a /24 – wait. We’re going backwards. I’m going to pull that one back. Sorry.

Bill Sandiford: No worries. Last call in the room and for online comments.

Seeing and hearing none, thank you for your feedback. The AC will take it under advisement. Thank you.

Hollis Kara: Thank you, Leif and Bill.


Thank you, everyone, for playing. This concludes the policy block.

We’re going to go back to Grant Reports.

And we’re going to start with – there we go – James Harr from Internet2 on their IPv6 test pod.

2023 Community Grant Project Reports

IPv6 Test Pod Project Update, Internet2

(via video)

James Harr: Hello, everyone. Thank you for attending the IPv6 Test Pod Project Update. I’m James Harr. I work as an automation developer and network engineer for Internet2. And I’m delighted to be able to present here.

I’m sure the weather’s much nicer there than it is here in Nebraska. So a little bit about Internet2. Internet2 is a national research and education network for the U.S.

We run an optical and packet backbone, 46 POPs around the U.S., and our backbone is largely 400 GigE, and we connect to members and connectors at 100 gig – 100 gig and 400 gig Ethernet.

We also – what we do as a mission is we are here to connect the research and education institutions in the U.S., and we also connect them to other national research and education networks around the world.

We also operate what we call an Internet2 peering exchange, and that connects our members and connectors to cloud and commercial peers. We also do Layer 2 and Layer 3 VPN solutions for people to connect to our network.

Another division in Internet2 is called InCommon. Internally we call it the Trust & Identity. So we have a federated single sign-on across all of our members.

So if you are attending university in one location – if you’re attending one university and you need to log in to a course management system in another university, we actually – it federates through us so you can sign onto your home institution and pull up course content or other things at the other, at another university.

We also operate the eduroam federation services. So eduroam is an SSID that members can use to log in once at their home campus on Wi-Fi, and when they are attending another university or at another campus, their mobile phone or their laptops will just connect to the Wi-Fi, authenticate back to their home campus, and networking just usually works.

We’re also a community-run organization. We are a 501(c)(3), and we have members on our board. We have a board of advisers that’s made up of our members. It’s an organization I’m very proud to work for.

So on our agenda for this talk, we’re going to talk a little bit about what some events, what I think are major events in IPv6, ways that we measure IPv6 adoption.

We’re going to look at IPv6-only networks and technologies that can aid in transitioning to IPv6-only networks and why you would want to do that.

We are also going to take a look at the IPv6 Test Pod Project, which is a project that is made possible by the ARIN Community Grants Program, and I’m very happy to be a recipient of that.

And then we’re also going to take a quick look at the project status, where this project’s at and some hurdles we’ve run into and kind of where we’re looking at going.

So when we’re looking – IPv6 has been around for a while, let’s just put that plainly. And I think everybody really would like to see it moved along a little bit further than it is. 1998 was the original draft standard. 2011 and 2012 were a couple of IPv6 launch events that some major cloud providers put together and sort of said we’re going to enable IPv6 on our home pages, and largely they were nonevents.

All the technologies sort of did what it did. There were some problems as always, but it worked pretty well.

And after that, in 2015, ARIN’s free IPv4 pool was depleted, and that’s sort of a big signal. And you know we’ve still been using IPv4 since then.

In 2020, the U.S. government mandated that all of its internal departments go IPv6-only, or at least a percentage of IPv6-only networks, and that doesn’t necessarily affect people outside the U.S., but it is a pretty big signal that this is where we want to go, and the U.S. government’s a pretty large institution and having all of its internal departments move that direction, that’s a big signal.

And actually most recently, in March, there was also a really good draft RFC that was about operating IPv6-only networks that came out of the IPv6 Operations IETF group.

And it’s worth reading if this is something you’re interested in. It has a lot of lessons and common things that people will want to do. So if we want to move to IPv6, there’s a number of ways of measuring adoption.

Sort of the one that I’ve always gone to has been Potaroo’s IPv6 Prefix Announcements to really track how many networks are advertising it. The other way is to look at end user traffic. And this is an example from Google showing the percentage of traffic that is IPv6.

And as always, it’s a line up and to the right. There’s some advancements and there’s some dips in it, but for the most part it’s just kind of increasing slowly,slower than I’d like, but it keeps increasing.

There’s some other sources that track IPv6 usage, Akamai, Cloudflare, the Internet Society all have ways of measuring it. And they all show anywhere from like 2 to 50 percent depending on the day of the week, depending on the users of that network.

And when I think of ways of measuring IPv6 adoption, this is really the metric that I think matters the most in the end. All the other stuff that we measure does matter, but this is the one that really shows where we’re at in terms of adoption, in my mind.

So when we’re looking at IPv6 adoption in Internet2, when I joined, I found the amount of IPv6 adoption somewhat lacking. And this is looking at a handful of networks that we connect to and the amount of traffic that we see from that network that is IPv4, IPv6, and there’s some reasons why it may not show IPv6 as a separate routing table, and it could end up – we could not see – traffic could get routed around these links for some reasons.

But most of our member networks do advertise IPv6, but there’s a good number of them that we only see a trickle of IPv6 usage, which doesn’t really match up to what Google and Akamai will see in larger Internets.

So anecdotally, talking to a few of these networks, I’ve noticed that if the network deploys IPv6 to end users, you will see kind of in these green cells on the right, you’ll see that percentage jump way up in terms of how much traffic is IPv6 coming from that member connecter.

And so what is actually the barrier to rolling this out to end users? And before we go there, I’m going to – ultimately, I don’t know the answer to that question, but before we go there, I’d like to talk a little bit about IPv6-only networks and things that can really help push forward IPv6 deployment to the end users.

So why would you do IPv6-only? I’m going to make the argument that this is really where we want to be. Dual-stack is really not the end game. Nobody really wants to be operating two networks at once.

Obviously you’re going to have to support IPv4 connectivity, but it doesn’t need to be the whole network.

It can be a subset of the network. I think that there’s a lot of – people are coming to the realization that it’s operationally simpler to operate an IPv6-only network. And I think there’s also a lot of issues that don’t get hidden when you’re running an IPv6-only network.

Happy Eyeballs is a great technology. It will ensure that when you’re connected to dual-stack networks, if one of them is broken, it will fail over to the other network. And that’s great, but it also hides some issues. I think when you hide issues, it sort of prevents them from being fixed.

And the other reason is, if you’re operating an IPv6-only network, you’re going to have to have transition mechanisms to still access IPv4 services. But over time the burden on those transition mechanisms to connect to the IPv4 Internet, they’re going to decrease over time.

So if you’re looking at sort of an architectural level, you can start adding more complexity to your network to deal with IPv4 and the crunch that we’re slowly running into, or you can sort of – one of the options is, let’s take a serious look at IPv6-only networks and let’s implement technologies that the burden on those things will ease over time.

So over time there’s been a few technologies that have emerged that have made this possible for client networks. And we’ll go through each of these, but the ones I’m really going to focus on are NAT64, DNS64, and 464XLAT.

Until about a year and a half ago I didn’t really understand how 464XLAT could be used in a client network.

And it turns out that this was sort of the thing that made me really interested in this, because it makes it seem like it’s actually something that might make it possible for someone to operate an IPv6-only network. And then there’s supporting technologies that I might be able to mention, we’ll see how we’re doing on time.

But all these technologies really support the client side of things. The server side I’m not as worried about. People know how to deploy servers in dual-stack environments.

A lot of server software does not necessarily run Happy Eyeballs. So if something’s broken, it just breaks and you need to fix it. And even, there’s even been some efforts to run IPv6-only server networks, but I think in the client networks, I think especially in enterprises and campus networks, I think that’s really kind of one area – that’s the area I want to focus on on this grant.

So looking at the technologies that we have and sort of that combination, the ways to combine these and to make something work, there’s this combination using NAT64 and DNS64, and what this is is you will have a DNS64 resolver, just any recursive resolver.

And what it will do is, when a client that it knows is on an IPv6-only network makes a query to DNS and that DNS entry only has an A record, what it’s going to do is it’s going to synthesize a AAAA response.

And so it’s going to use what’s called the – it’s going to use a NAT64 prefix, and it’s going to embed the IPv4 address inside of it. You can see this in the example.

But in essence what we’re doing is we’re spoofing an IPv6 response to a query when there is no IPv6 network. What happens then is that the traffic from the client flows through some NAT64 appliance that will look at that address that the client’s connecting to, extract the IPv4 address that it really wants to connect to, and then translate that to a dual-stack network. We’ve run experiments with this in the past. It does work.

There’s some software that refuses to connect over IPv6. It’s either like a socket option or an address family selection that it’s explicitly said, “No, I must connect to IPv4.”

But more and more software is actually working with this. And I think it’s a surprising amount that works properly with this. So this is one way of actually offering dual-stack service to an IPv6-only client device.

This one was the one again that really surprised me, is 464XLAT. This is where – and especially, specifically the one that we’re going to look at is where a client device has what’s called a CLAT in it.

And the CLAT, what it will do is – it’s a driver or piece of software on the client device that presents an IP address to the client. So this device actually thinks it has an IPv4 address, but when it sends IPv4 packets out, it gets routed through this service that’s on the device on the laptop or phone that translates it into an IPv6 formatted packet.

The source address is the client device, and the destination address is again that prefix with the IPv4 address embedded in it. It then gets routed through a NAT64 box or appliance, and that’s what I have here.

I think there’s other options for this. But this actually seemed to, in my testing, seemed to work pretty well. And so the piece of software that you run on this doesn’t actually even know that it’s getting routed over IPv6. It doesn’t have to select an IPv6 address.

And in fact, you can ping – if you open up a terminal, you can ping an IPv4 address, and it works. And that’s a very bizarre thing. But it works really well.

Now, there’s different ways of configuring 464XLAT. There’s currently in router, in IPv6 router advertisements, there is an option called PREF64. It’s a prefix for 6-to-4 translation.

And to my knowledge right at this time it’s not supported in quite a few network operating systems.

Support’s improving, but it’s not quite there yet since it’s somewhat of a new standard. And the OS support varies from phones to laptops, laptop operating systems.

The other way that I’ve seen used is a Special Use Domain Name called that only responds with an IPv4 address. And i you as a client query that for a AAAA record, IPv6 record, and you get one, well, that’s probably going to be your NAT64 prefix. And this can also be used to configure that CLAT for use with 464XLAT. So a little bit of a story for me.

I decided to experiment with these things. I set up a network at home for playing around with these. And for the machines that I’ve been testing, the support for 464XLAT has been pretty broad; iOS, Android, and macOS all seem to work just out of the box. Doesn’t take any configuration on the client device.

I can set up the network so it’s just automatically detected. Windows apparently has support on LTE interfaces only. But I think there’s some efforts in order to make that available on all wired and wireless Ethernet connections to Windows machines, which would be really fantastic because I think this is a support story, a way to support IPv6-only networks.

It’s a really good story for how you can deploy this in an enterprise or other network without really – in a really seamless way, ultimately. And in Linux, there’s tools that support this.

But in my experimentation with different Linux distributions, there hasn’t been one that comes with 464XLAT support right out of the box. And if I’m wrong about this, please correct me.

So in these networks, there’s some problems that tend to – that can happen. If the server doesn’t have an IPv6 address, for example, DNS64 – sorry, IPv6-only obviously isn’ going to work.

DNS64 and NAT64, I listed – I mentioned some of the problems that can happen there. And 464XLAT covers even more of the problem space.

And I’m sure there’s other problems that can come up, but these are just some of the ones that I ran into. And that’s, I think, a lot of the issues that I’ve seen is that when you go to troubleshoot these things, everybody runs into sort of an independent set of problems and there’s a lot of experimentation that it takes.

And when I went through and I set up these networks – I’ve been in network engineering probably since around 2009, 2010, and it took me a while to get these test networks set up.

And I set them up in my home lab. Yeah, I have a home lab. Not everybody has that. And I had the time and the patience to set it up and I had the background to set it up. And it still took me a while, and it was a big pain. And so I thought there’s got to be a better way to test this.

And this is where the IPv6 Test Pod Grant comes in. And as I mentioned, I mentioned a little bit about getting the lab set up. So one of the big hurdles is actually getting access to IPv6. And I have a fiber to the home ISP and it still doesn’t support IPv6 natively. And so that was a challenge getting that set up.

It supports 6 RD, but it’s not documented well, and the support helped for that for my ISP doesn’t actually even really realize that it’s there. So that was kind of a build-your-own solution. It works, but it’s still, it’s a challenge to get access to IPv6 in many cases.

Next, you have to understand and really be able to set up all of these different pieces. And it’s not one – from my experience, you can’t really set all these things up in a home router.

There’s not a single appliance right now that can sort of take care of all these options in a way that’s out of the box and easy to set up.

And then once you get this test environment set up, you better hope that you accounted for all the different scenarios that you really wanted to test, because if you want to test dual stack, you want to test DNS64, NAT64, if you want to test without DNS64, that’s another set of configuration that you might have to set up.

Getting these different test environments can be kind of a pain. And ultimately there’s a few enthusiasts that will do this at home but not many that will do it as part of their day job. So you still have to do all that. And it takes time.

So what the grant intends to do – ARIN awarded the grant to us. It’s about $7,000. And what I wanted to do is make a device that effectively it’s a little box that you can plug in.

It’ll spin up several SSIDs to test with. It will get IPv6 service through a tunnel, and you can just start hopping on and testing.

And originally I intended this for three networks, including DNS64 and NAT64. We might add more as other sort of combinations, you know, like if we’re looking for templates to deploy IPv6-only networks, another one might emerge.

And so the idea is you can set something up and someone can test and it doesn’t take – either test the client application, test the device to make sure that it works.

And it’s really set up to be a plug-and-play solution where you just get it, you plug it in, these networks spin up, and then you can just start using it.

This is inspired a little bit by the RIPE Atlas probes because they’re small, inexpensive devices that just tend to work.

You might have to troubleshoot them a little bit, but it’s not a lot of setup on the user’s part.

And so what kinds of networks or what kinds of users are we looking at targeting?

Like I mentioned before, I have a decent amount of network engineering experience, and it took me a while. A lot of application developers really don’t know anything about IPv6. But they might want to make sure that their application works in an IPv6-only environment, whether they’re developing this application to distribute in sort of a – in a consumer environment where they’re giving it out to anybody, or they’re inside of an enterprise or a company that just needs to distribute it to internal users.

They may be looking for a way to test it and see if there’s any problems hiding. You could be an IT support person that again doesn’t necessarily have the network engineering background but still wants to test it, or even a network engineer who wants to research this but just doesn’t have enough time to set it up or may not have the hardware.

And these devices really aren’t meant to support it long term, but they’re meant to sort of increase the comfort level with IPv6-only networks, reveal any problems and give people an opportunity to troubleshoot; whereas, if you spend weeks setting up an IPv6-only test network in your production environment and it doesn’t work, making changes to that test environment can take some time. And it’s a lot of effort to do that in an organization that may have some change controls procedures.

So with the project timeline – so this is the way we divided it up. So the first six months are really there to purchase the initial batch of test hardware, evaluate software, set up a tunnel termination service, and make sure that everything works.

Again, picking out the hardware is going to be an important piece because there’s a lot of different hardware out there, and you can find a lot of really good hardware that’s low cost; for example, Intel, there’s these little Intel N95 or N100 processor PCs that you can get that come in that price point, and we just need to load software on them.

But we need to make sure that the device works. We need to make sure that the software stack works and that it can be something that’s easy to configure and send out. So in sort of the middle area, we’re collecting applications. We’re going to configure and distribute devices and sort of evaluate how it’s working initially, how the technology stack is working, and finally part of the grant we want to gather feedback from participants, what worked about the project, what didn’t work, what worked about the technologies and the configurations and what didn’t, and we want to summarize that in a report and make it available to everybody to – make it available to everybody so that we can all learn from each other.

And so we’re still kind of in that month – I think we’re in month four. We have the initial batch of hardware, and it’s in testing. We’ve kind of settled on OpenWrt as sort of the platform to put this in, mostly because it’s Linux-based.

It supports configuring Wi-Fi networks. We may still change that but it seems to be working pretty well. We’re working with our legal department to make sure that when we collect applications that little things like Internet2 is not held liable for if you do something destructive with this. Don’t do something destructive with this.

Just sort of those little things to make sure that we have that in the application for anybody who wants to participate in this.

But it’s moving along. We finally got over some hurdles. Also, we originally wanted to put the tunnel termination service in AWS, but it turns out that it’s actually a little difficult to get an entire prefix routed to a VM in AWS.

You can get it routed to a virtual private network or virtual private cloud in AWS, but it’s not as easy to get it routed into that VM, get the entire prefix.

So we want to give users – it is a tunneling service, but we want to give users the best experience possible so we don’t want to apply NAT on top of IPv6 if we can help it. So we’re setting up some virtual machines on our own infrastructure and getting a prefix routed to that for the project.

We’re getting really close to collecting applications, and there will be more info – like if you’re interested in this, there’s ways to participate.

As always you can contact me directly if you’re interested in applying for one. We’re going to have a website up soon, and we’re going to start doing publications to sort of socialize this and make sure that people have an opportunity to apply, and we’ll have a mailing list set up. It’ll be linked to it from this website.

And so I think that’s really where the project is. I was hoping to be further along with it, but I think it’s making progress and I’m still excited about it.

I’m looking forward to sending these devices out, seeing what testing can be done, what problems people run into, and really, I think, hoping that people will get comfortable with the idea of using IPv6-only networks and have a roadmap, either have a roadmap or develop a roadmap that you can share to how you can deploy this and really sort of push forward IPv6 adoption, because ultimately we’re going to get there.

It’s just a matter of how smoothly we get there. And I think it’s one of those things that’s really important.

So thank you, everyone, for listening. And like always, get in touch if you have any questions or if you would like to know more. Thank you.


Hollis Kara: Thank you, James, for a great presentation. Just to remind folks, the slides that were just presented are available on the meetings materials page currently. The video will also be part of our meeting report and the live transcript of the video will also be posted as part of the meeting report in about 10 business days. So look forward to that.

And next up, before we head to break, I’d like to get our last grant report in. This one from Harlan Stenn from the Network Time Foundation.

NTP TCP Services Daemon Project Update, Network Time Foundation

(via video)

Harlan Stenn: Hello, I’m Harlan Stenn from Network Time Foundation. And this is my interim grant report for the NTP TCP Services Daemon Project.

The first thing I wanted to do was put a slide up – Dave Mills died back in January, and I’m thrilled that I got to work with him for, work closely with him for 30-some-odd years, and I just wanted to get this out there because NTP is the result of everything he’s done.

So for a little bit of background. NTP is a UDP-based protocol, and for years that’s been the only way to monitor and manage NTP, and we’re looking to implement a TCP services interface to NTP, not only for monitoring and management, but also because we need a TCP server to do ephemeral key exchange for things like the Network Times Security mechanism.

We knew we also wanted TCP because it’s going to give us much better security and avoid denial-of-service attacks and give us more robust information as well, and it makes sense to do that from a single small daemon that hands things off to various ports and dispatches other system daemons to take care of things instead of trying to integrate it into NTP.

So the first thing we needed to do here was to get the code for NTP TCP services and friends into our development branch so that other people can easily look at it and test it and perhaps even develop it. And the first step toward getting that working is to finish synchronizing our development branch with our stable branch because, for the last several years, we’ve been doing development internally only, and it’s time to put that back out to the public.

We have integrated a half a dozen of these stable releases into dev already, and in one more sync commit, this part will be finished.

So once the stable and dev branches are done, as I mentioned, all of our ongoing development for TCP service will be on the public dev branch, and we expect that part to be up and running sometime in April, which is coming up – well, I guess if you’re seeing this, it is April. Or in May. And we’re on track with the overall implementation schedule.

And we greatly appreciate receiving the ARIN Community Grant. It’s enabled us to do this work. It helps NTF, the NTP Project, and pretty much the entire ARIN community.

And we’re looking forward to seeing more secure NTP traffic as a result of this work as well. And that’s how you can find us. And you can send questions to the email address there. I thank you very much.


Hollis Kara: Alright. That concludes our grant presentations. We are going to go to break because I do need to give our transcriptionists an opportunity to let their ears breathe and to flex their fingers.

But we will be back in 30 minutes to wrap up the day with our final presentation, Open Microphone, so please enjoy the break.


Michael Abejuela: Thank you, Hollis.

Hello, everybody. Good afternoon. Welcome back from the break, and acknowledging that Hollis and I are the ones standing between Open Mic and the beach, I will try to keep this very brief.

All right. So as Hollis said, I’m General Counsel for ARIN. I wanted to do a quick introduction of the in-house legal team. We have, Jenny Fulmer here on site with us. She is right there. She’s our staff attorney.

Then back at home, holding down the fort, is Jennifer Lee. And wanted to recognize that after a little over seven years of experience with ARIN, she was promoted to Deputy General Counsel at the beginning of this year, so just wanted to recognize her in that wonderful accomplishment.


So we’re going to go over an overview of activities for the legal department. This is by no means an exhaustive list of what we do because, as you can imagine, legal can touch a lot of different things.

But this is a little window into some of the things that take up our time. As you can see, there are four items that we’re going to go over today.

For administrative and operational. So not shockingly, the lawyers actually like to review contracts. Well, maybe we don’t like to review contracts, but it is one of our obligations that we have to do.

We look at the vendor contracts across the ARIN organization. Those can be anything from the contracts that were in connection with holding this meeting, to provider contracts, to anything else that we can do that helps the ARIN organization.

We also support our Chief Human Resources Officer, who is here with the HR department. As you can imagine, there are things that pop up there. So whenever she needs us, we’re there ready to help her out.

Due diligence with Registration Services. So this is one of the things that does take a lot of our time. As you imagine, we do a lot of – we manage a lot of requests in the Registration Services Department, and so whenever they need assistance looking at legal documents, whether it’s with transfers, organization recoveries, we’re there to help out and really analyze all those documents and information that’s provided.

Then the last is legal and compliance filings. So there are a lot of things that we have to do on an annual basis like our annual report, annual fees to maintain our corporate status, and any other compliance filings, we’re there to assist.

So another thing that takes up a bit of our time is support to the ARIN volunteers. Jennifer, as Deputy General Counsel, and I do a lot of work supporting the Board, and the Board committees, the various Board committees that you’ve heard about. As General Counsel, and the past couple of years I’ve served as Board Secretary. So we assist with that.

Jenny, as a staff attorney, one of her responsibilities is supporting the AC and Eddie Diego, our Policy Analyst. So she assists with making sure we’re going and navigating the Policy Development Process. As you well may know, when the PDP, there’s a little section that asks for Staff and Legal Reviews. So we do that as well. Then if there’s any kind of general legal advice, then we’re there to provide that.

Then with the NRO NC, as you heard with Kevin Blumberg’s presentation, there’s quite a bit of work going on there, particularly with ICP-2. Our legal team looks at anything that needs support there, but also, we work with the legal teams of the other RIRs to go through that process, and there’s quite a bit of legal issues that pop up. So we’re there and ready to help them whenever we need to.

Fraud investigations. So I won’t go too much into this in detail, but one of the things that we do, as many of you may know, there’s a fraud reporting process with ARIN. So if you suspect Internet number resource fraud, you can actually report those instances, and we will investigate those and see if there’s anything that we need to do on that front.

We assist RSD and the director there whenever those come in, and John Sweeting’s team, with the Customer Experience and Strategy Department. So if there’s any fraud reports, we work hand in hand to make sure we investigate those; and if there’s anything we need to take action with, we will. If it reaches to a certain level, we can even refer that out.

We also do internal reviews of suspected fraud. So it’s not just whenever we receive an external report. If we are looking through documents that are provided and they look a little bit that there could possibly be fraud – and we’ve seen that before – we will take a look at that again working with the Registration Services Department and the CXS department to process those.

Lastly, cooperating with outside parties. So there are often external fraud investigations that can be done by law enforcement, intellectual property rights holders that are potentially trying to enforce their rights. They may come to us with various requests.

So one of the things we try to make clear here is that with regard to requests for public information, which we have a lot of that, whether it’s Whois, whether it’s certification of records so that they can use them in their investigations, we’re ready, willing and able to do that.

However, if they’re looking for information that is not public, our team reviews any subpoenas or requisite services of process to be able to look at that and see if there’s any responsive information there.

Legislative. So it’s legislative, regulatory and pretty much government affairs. One of the things that the General Counsel’s Office does is it oversees the ARIN Government Affairs Department.

So you heard earlier from Einar Bohlin, the Vice President of Government Affairs, and a lot of work they’re doing. I won’t repeat a lot of what he said back then, but we do monitor about developing efforts in places like the International Telecommunications Union, the ITU, as well as the IGF. We have people who are there on the ground who are monitoring all those efforts to see what might be impactful to ARIN and ARIN’s mission.

Then on top of that, we look through and monitor the legislation that might be coming out. So whether it’s in various countries or within the United States. In the United States, we also have 50 states that also have their own legislatures. So we are constantly checking to see if there’s anything that would be impactful to the performance of our mission or providing the services that we have for all of you.

One thing to note, when ARIN does provide any kind of submission, any response to a request for comment or notice of inquiry, we do maintain that on our website. So it’s in full transparency, you can see what those positions are and how we’ve responded. If you just go to the website, you’ll be able to see a copy of whatever’s there.

Nice and brief. And that’s it, unless anybody has any questions.

Hollis Kara: All right. Microphones are open.

Does anyone have any questions for Michael? Virtual or in the room.

Michael Abejuela: Going, going –

Hollis Kara: Have to give online a little longer.

I don’t think so. Nope. Michael, you are free to go.

Michael Abejuela: Thank you so much. (Applause.)

Training Initiatives

Hollis Kara: All right. Well, I am going to give a brief presentation on the status of training initiatives at ARIN.

Now, this is something you’ve heard us talk about a lot over the years, and we’ve been iterating over time, kind of growing our position. I just want to share – we talked a lot about it in San Diego – kind of where we’re at as of now and where we’re hoping to be by the end of the year.

So, sneak peek. We have successfully contracted and onboarded an LMS. We’re in the process of starting to populate it. For the purposes of this exercise, let’s call it ARIN Academy. Subject to change. Everything you see is proof of concept. Not permanent, so don’t get too attached.

Then I’ll talk a little bit about how you can get involved in this process of developing our training, and kind of what the steps are as we prepare to launch it.

So, let’s take a look. Sneak peek. Someday soon you will be able to set up a login and go to the ARIN Academy, which may have a change of name. But that’s okay for now, where you will find things like courses on ARIN online basics, IPv6 address planning, RPKI, and other topics as we identify and define them.

All right. So, once you set up your account and log in, you’ll have a cool dashboard where you’ll be able to track all kinds of interesting things, your status and courses, any badges you might have earned.

We have a lot of ways we can introduce gamification, as well as certificates, which you’ll be able to download. Those will be things to assert that you’ve completed full courses so that you can say that you have gone through and learned all the things that you need to know to successfully operate in ARIN Online or to utilize our RPKI, or IRR, or other things.

So that’s kind of that. A little bit closer look because we like to drill in. Yes. Badges. Various accomplishments. See if I’ve got everything. Certificates of completion. Those are important. We’re going to make those look really snazzy, suitable for framing. You’ll be able to download those. You’ll be able to keep track of your progress, which means you can come in and out. You don’t have to come in and finish something end-to-end to complete it. It will save your work.

Then you’ll be able to create checklists, or be sent checklists, you could belong to an entity, a group like say, for instance, we decided that there were specific things we wanted to make sure all of our Qualified Facilitators knew how to do, we could set up a course list for them, push that out and then they would have a way to track that they are completing that work.

Then, of course, there’s a library, which will hopefully have things in it.

Now, when you dive into a course, you’ll be able to see all the modules associated, track your completion status, and basically just see that you’re completing everything successfully.

So where are we going to start? How are we starting to fill this thing out? What we’re doing is we’re taking some of the things we’ve created over the years as micro-learnings, we’re making sure they’re up to date, and then we’re starting to pull them in. The process I am referring to as modularizing because learning modules.

Basically, what we’re doing is we’re taking videos. We’re adding – Bev, what’s the term? There’s a training word. I just lost it.

Beverly Hicks: Knowledge checks.

Hollis Kara: Knowledge checks. We’re adding knowledge checks so that you can verify that you’ve been paying attention and basically verify that you’ve taken what you need to from that material.

Now, eventually we will replace those with more sophisticated learning modules, but that’s just to kind of get us out the door and help everybody get their feet wet and start doing things.

Once we get some of those initial videos transitioned in, we’ll start taking the things that are longer-form webinars that are currently available on-demand and start taking them through a similar process.

That’s when you’ll see us start to work on things like IPv6 Address Planning, Routing Security, and training on our various APIs and IRR. That’s that.

This is where I need your help. When I say I, I mean the whole team. If you have ideas for things that you think ARIN should be creating training modules on, is the email to send those suggestions to. Similarly, once we start building these things out, there’s going to be an opportunity for folks to come in and do a little test driving, a little beta testing, kind of check it out before we release it to the wild.

If you’re interested in that, same address,, and when we’re ready and have something that we need folks to take a look at, we’ll reach back out to you and get you hooked up to do it.

And then once we launch, to help spread the word. Share it within your organizations, other people you know who use ARIN services that might benefit from this, point them in the right direction so they can take advantage of these great materials.

“So, okay, cool, Hollis, that’s nice, sounds good, when is it going to happen?” Excellent question.

So, once we finish up with this meeting, we’re going to be able to reinitiate the process of staffing. Right now, it’s Bev is our training department, with some support from the rest of the Comms Team, and subject matter experts across the organization.

As you can imagine that kind of makes it a little bit hard to make quick progress. So, we are looking to add an instructional design specialist position to the team. If you know somebody, send them our way. You should be seeing that job posting sometime in early May, hopefully.

We’re going to continue that transition process I talked about of pulling in the videos that exist, and we’re going to start working on the content refreshes of the webinars, basically to get those things ready to take them into a training format.

So, we’re going to be going back and check because most of those have been out there for a year or two now, more or less, and they probably need the tires kicked and a little bit of buffing and polishing. So that’s that. That’s our plan for Q2.

Once we hit into Q3, we’re going to have to shift focus just a little bit. One of the really nice things about the platform that we have contracted is that it has the ability for us to stand up training both for our customers and for our internal staff.

We do have some requirements for staff training, compliance trainings and things like that that we’re planning to bring into the LMS this year, which means we have to take a pause and build out the staff training side of the portal and get folks set up to do that compliance training, and then hopefully while that’s happening we’ll be at a stage where we can be running user testing on some of the customer-facing training.

Ideally, if everything goes well – so everybody cross their fingers – by the time we get to Toronto for ARIN 54, we’re going to be able to show you a live demo of some of that training and we’ll be looking to launch the first course before the end of the year, and then we’ll be following on with routing security training, IPv6 address planning and others in 2025. So that’s the road map. That’s really it.

I’m really excited to finally be at the point where we’re ready to take this plunge into more formal training and happy if there are any questions or comments about what you’ve seen here. Don’t have to do it now. I know everybody wants to get out the door, but feel free to contact Bev or I at all during the rest of the meeting and we’re happy to talk, or if you want to come to the microphone, you could do that. But you don’t. So that’s okay. I’m not hurt, I promise.

All right. So that said, we’ll now move into Open Microphone, John, Bill, either/or/both, Bill. John, Bill. Got them both. They’re heading up this way. So, everybody get their comments and questions ready.

Can we maybe just three, can we do three? All right. We’ll try.

Open Microphone

Bill Sandiford: Microphones are open.

Microphones are closed. No, I’m just kidding.

(Laughter.) Microphones are open.

Nothing online. Right side microphone.

Namra Naseer: Hello. Namra, Fellow, newcomer, University of New York. It’s a general question. I have been looking at the policy processes, and there is this point about staff training. So, I’m just wondering what that process looks like, like when there is a change that has been adopted or approved, what does the staff have to do to come for the implementation purposes, what does that look like? Can there be a conflict, maybe?

John Sweeting: John Sweeting, ARIN CCO. It really depends. If the policy changes our system, the ARIN Online, there has to be training to all those changes that happen in the code and how it appears.

If it just changes how we review the policies, then we have to have the training on how to review the policy and what that means now, make sure that we don’t follow an old policy and they follow a new.

It can be a long range of things. It can be very simple, or it can be very complicated. Have to have the engineering team, the development team, develops the new interface to support that policy and then we have to have training on that whole interface and all those changes. So, it can be a long time, or it can be a very short time.

John Curran: When we do the Staff and Legal Review of a proposed policy, at the bottom there’s a note regarding implementation that says how many months and what steps that involves. And for the briefest policy, it will say something like updated staff documentation, update the website, update internal training. That’s it.

For a lengthy policy, it might have all of that, plus software development, plus rollout, testing, legal, billing, system changes. So, we’ll assess that when we see – when we’re asked by the AC to do a Staff and Legal Review, we include the implementation impact at the bottom.

Namra Naseer: Makes sense. Thank you.

Bill Sandiford: Anything online? All right.

Beverly Hicks: Laurens Flock from Laurens Technologies Inc.: Love the idea of the training academy. Happy to see this become a thing and see huge potential in improve the overall knowledge in regards to ARIN services.

My question, just to confirm, is this training platform, would it be free of charge and enabling free and open access to this knowledge?

John Curran: Okay. That’s an interesting question because we haven’t yet actually come out and proposed anything.

There’s a certain amount of training that is going to be free by definition, training to make use of ARIN’s services, for example. There’s absolutely no reason to charge you to learn how to use our services when use of our services that is done in an informed manner makes it easier for you and us.

So, there will be significant amounts of free training. I think the more interesting question is, will we move beyond that to some training that is paid? And I can’t predict that.

What it really comes down to is, if we find training that only a small subset of the users both strongly is interested in, is valuable to ARIN to offer, and we don’t want to burden the rest of the community, then we’ll look at that. But that’s a pretty narrow window.

When you do the Venn diagram, we’re a fairly simple organization. Nearly all of our services are used by nearly all of the members.

RPKI may not be used by everyone, but it may eventually be used by a lot of people. I wouldn’t want to preclude that.

On the other hand, I could see – for example, 10 years from now, it might be necessary to have a class for IPv4 laggards on how to get off of IPv4, and I don’t know if we burden the whole industry with that rather than just adding it onto the costs that those old IPv4 people have to pay. So, I can’t foresee the future.

Most of the services are used by all of our members, and so our intention is to make those available and make it useful to everyone. But if we are drawn into niche services, we could have niche training to match.

Bill Sandiford: Last call to approach the microphones. Get your comments online. Right side microphone.

Lee Howard: Lee Howard, IPv4.Global by Hilco Streambank. I had something else to discuss, but it’s almost like you just said my name just now.

Bill Sandiford: It is a long name.

Lee Howard: It is. It does seem to me that the people who have deployed IPv6 are especially interested in training for the people who have not deployed IPv6…

John Curran: That’s another good way of looking at it, right?

Bill Sandiford: …the network effect.

John Curran: At this time we’re not seeing it as a revenue center for that reason.

Lee Howard: The topic I wanted to bring up is I had an idea for a Policy Proposal, and I’m kind of interested in community feedback because I’m not even sure it’s quite ready for draft.

So my thinking was, as I was looking at the leasing market - which is its own interesting special animal right now - it seems to me that we’ve talked about leasing in this community a few times, and what people object to – nobody objects to, I don’t think, somebody leasing addresses for five or 10 years and just spreading the cost of their addresses out over time, a lease-to-own. Nobody really objects to that. That’s sort of a financing approach. That’s good because the addresses are getting used by somebody who actually needs the addresses.

The cases we object to are clearly spammers and hackers and malicious actors. And what I think happens – and maybe – and there’s the gray area of the sneaker proxies and the remote country VPNs and screen scraping and stuff like that where it’s not illegal, it’s maybe unsavory. But those things tend to be the shorter-term activities.

So those leases will be maybe a month or three months or six months, but a smaller time period, compared to spreading the cost out over time.

So, I was trying to think about a policy observing that. I was trying to think about a policy where SWIPs or reassigns that churn in a short-term period might not be usable as justification for additional address space. So, requiring that a reassign that’s lasted for a year or more is justification or it applies towards justification to go get more address space to lease it out.

So, this is my ask of the community is, if we were to do something like that, does that help? Does that help get addresses in the hands of the people who need the addresses, and we think that we want to support them, or does it not help?

John Curran: Okay. You hear a Policy Proposal raised by Lee, and certainly you know how to find him here at the ARIN meeting. If you have thoughts on that, go find him. If anyone wants to speak strongly now, go ahead.

Staff stays out of policy, so I’m not going to comment.

Bill Sandiford: Seeing nobody else in the room. Anything online? Go ahead.

Keino Leitch: Good afternoon. My name is Keino Leitch, first-time visitor to ARIN. I appreciate the offer that was extended to me. I learned a lot today, but I had some questions, just two questions, basically.

As I sat in the room today, I received an email, certified mail, actually, regarding the cancellation of our service.

So, the question is, what is the process and the fees to reinstatement?

John Curran: What’s the process for reinstatement?

Keino Leitch: Yes.

John Curran: If you go online to the ARIN website and look at the banners and pull down fees and take a look, you’ll see reinstatement, revocation of reinstatement is an actual tab that describes the process.

I’ll give it to you at a high level. When you are in a situation where you haven’t paid your fees, you get some notices, email notices, and you get another email notice and you get a more formal notice, and eventually if you ignore all of this, and we get to about 122 days or 142 days – John, what’s the number?

John Sweeting: 127, when we suspend services.

John Curran: Your services will suddenly stop. Your reverse DNS will stop. Other services will stop. If you don’t come to us, at that point you’re now suspended. If you don’t come to that, then you’re in the clock of queue to actually to be revoked. Once that happens, you may not be able to reinstate.

So, there’s a fairly lengthy timeframe. If you find you have an address block that for some reason, for example, the DNS doesn’t work, you need to pick up the phone and call ARIN because we do hold it for you so you can come back in. But that’s not forever.

Keino Leitch: Okay, thank you.

John Curran: John, do you want to add anything?

John Sweeting: John Sweeting, ARIN CCO. I suggest when we go out of here, go talk to Misuk who is at the Help Desk. She will take excellent care of you.

John Curran: That can be solved right out here.

Keino Leitch: Who is Misuk? He or she’s in the room? I’ll make it my priority.

Second question is on the Fellowship Program. I heard a lot of people in the room talking about they were fellowships in prior events. So, what does it take to become a fellowship?

Bill Sandiford: He’s asking about the Fellowship Program.

John Curran: We have a robust Fellowship Program, been running it for years. We do announce before the meetings, when we open up the window to apply for a Fellow, and it’s available.

When you’re an ARIN Fellow, we do some training well before the meetings, you have some background. Then we assign you a mentor who is here with you on site, one of the AC members or one of our Board or a volunteer, who is familiar with ARIN, who is there to answer your questions, and it’s just to help you have a smooth channel for learning about ARIN and so you can bring the information back to your community.

So, we open it up before every meeting, and you fill out a fellowship application and submit it.

John, do you want to say more?

John Sweeting: Again, John Sweeting, ARIN CCO. We actually have our Fellow Program Coordinator here at the meeting, Amanda over there. You should find her and talk to her if you have interest.

I think you’re presenting tomorrow? So, she’ll be presenting something.

Bill Sandiford: I understand we have one last question from online.

Hollis Kara: I’m not sure if this is so much a question or a comment but I’m gonna read it anyway because it came in and I think it’s important to be transparent.

It’s from Huston Bundock. It says, “How can we proceed forward with IPv6 when so much of the Internet still only works with IPv4?”

John Curran: I’m going to take that one.

So, much of the Internet is still IPv4. No one’s saying that you should not use IPv4.

But in addition to using IPv4, you should use IPv6. It’s that simple. And a lot of people say much of the Internet isn’t IPv6. Well, that’s true, but right now, in the US, for example, about 50 percent of the queries that go to Google, Google tells me are coming over IPv6, and that number has been increasing fairly steadily year over year.

If you have a website which is just IPv4 reachable, most mobile phones don’t connect to you. They connect to a server somewhere and the server connects to you. It’s by definition. The phones are in a lot of places are IPv6, some are IPv6/IPv4, but some are IPv6-only. That mobile phone has to go to a server to get a IPv4 address to go find you.

So, if you actually want the best connection for your customers, you’ll make sure your website, your media, all that, is connected, your mail server, with both IPv4 and IPv6 publicly.

That doesn’t mean necessarily every desktop in your institution, university, company, has to be IPv4 and IPv6. A lot of people are going to connect with one or the other. But if you’re serving data to the Internet, very much become familiar with IPv6. Make sure the information you put on the Internet is also IPv6-connected.

If we all did that, we actually wouldn’t care about IPv4. So, you’re actually helping the migration by getting all the content dual-homed, IPv4/IPv6. Thank you.

Bill Sandiford: All right. That will conclude the Open Microphone session. Thank you, everybody.

John Curran: Thank you.


Closing and Adjournment

Hollis Kara: All right. Before everybody runs away, I’ll go through this, these last things quickly. Thank you, everyone, for joining us today. Another shout-out to our sponsors: C&W Business, IPv4.Global by Hilco Streambank and Google.


Just a reminder that the ARIN 53 Meeting Survey is open. You will get a link to that in your reminder email. You’ll be getting a reminder email that will have the link in it. Please go ahead and complete that. You’ll stand a chance of winning a set of Bose QuietComfort Ultra headphones. Gotta think before we start to talk.

Okay. Just gotta get through one more day, guys. We will be back tomorrow. Breakfast for folks here will begin at 8:00. The meeting will begin at 9:00. Stick around, at 10:30 our RPKI Deployathon will be available on site only, unfortunately, with some of the work that’s happening with that. We’re not able to livestream it. But for folks who are local, stick around, and we thank you for being here and being part of ARIN 53. Have a great day.


(Meeting adjourned at 4:17 p.m.)