ARIN 55 Public Policy and Members Meeting, Day 1 Transcript - Monday, 28 April 2025

Skip to main text Jump to related content
This transcript may contain errors due to errors in transcription or in formatting it for posting. Therefore, the material is presented only to assist you, and is not an authoritative representation of discussion at the meeting. If additional clarification and details are required, videos from our original webcast are available on our YouTube channel.

Opening and Announcements

Hollis Kara: We on? We are on. It’s looking like about that time. If folks want to take a seat, we can get this show started. Thank you, John.

How’s everybody doing this morning? Okay.

Try again. How is everybody doing this morning? (Applause.)

Thank you. Alright. I’m Hollis Kara, I’m ARIN’s Communications Director, and I’m here to welcome you to ARIN 55. Whether you’re joining us in person or online, we’ve got some opening announcements to go through before we proceed into today’s agenda.

First off, do I have my Board members in the room? Board members, if you want to stand, stand. If you don’t, you can just wave.

ARIN absolutely relies on all the support and help of our Board members both in our day-to-day work and in supporting these meetings. So I’d like to thank Dan; Nancy; John Curran, our president; Ron, Peter, Hank, Tina, Bill, Rob, and Chris. Thank you, everybody. If I could get a round of applause for our Board.

(Applause.) Thank you.

Also very important, our Advisory Council. This is really their show. I’m just here to help them put it on. I’m not going to read all these names ‘cause we’d be here for a minute.

But these 15 folks do a lot of work both here at the meetings and throughout the year to support the Policy Development Process. You’ll be seeing a lot of them on stage as we go through the policy proposals today at the meeting and tomorrow.

Oh yeah, you know, if you want to stand up. True, true, true. Alright. Stand up. They do have ribbons. Give them a round of applause. Oh, my gosh.

(Applause.)

You’ll notice our Board and our AC have ribbons. For folks who are on site, if you have questions or want to talk to them about anything with their roles or about the policies or any of that stuff, find them at the breaks, at the social. They’re happy to chat.

Last but not least, I’d like to thank our volunteers from the Number Resource Organization Number Council – Kevin, Nick, and Amy. Want to wave? Stand up.

(Applause.)

These folks are involved in some very important global coordination work which you’re going to be hearing a lot about later today. They’re also going to be having a topic table at lunch, and they’ll be happy, happy to talk to you about their work in this organization.

Alright. Attendees. Numbers are looking pretty good. We have 146 in-person registrants and 250 folks registered to join us online. Thank you all very much for being part of ARIN 55.

We also have our Fellows. We have a big group of Fellows. Fellows, you want to stand up? You don’t have to, but if you want to – Hey, Fellows!

(Applause.)

I’m not going to steal Amanda’s thunder. She’s going to tell you all a lot more about our Fellowship Program, but we’re very happy to have you here. ARIN’s hosted its Fellowship for quite a while, and it’s a great way for folks to get onboarded into the community.

With that, we did have a meeting orientation last week. We like to do it a little bit ahead of schedule to give folks a chance to catch up and do some homework on policy before we get here to the meeting.

We do also ask that folks fill out a survey on their way out of the room. And then we have a drawing for a $100 Visa card. Do we have a winner, Bev?

Beverly Hicks: We do have a winner, Alberto Herbas.

Hollis Kara: Let’s hear it for Alberto, joining us virtually. We’ll get that in the mail to you.

(Applause.)

Virtual attendees, if you were at the orientation, this is going to sound excruciatingly familiar. But if this is new to you, let’s go through it real quick.

You’re on the Zoom, hopefully. You will have many opportunities to chime in throughout the day during Q&As and discussion periods. If you would like to do that, please raise your hand or use Q&A. Lead with your name and affiliation.

Do take advantage of chat as an opportunity to talk amongst yourselves. We do have a chat host from staff who will be there to assist you throughout the meeting.

We also have a Virtual Help Desk, which is open until 9:30 this morning. It will be open again tomorrow morning and during the lunch breaks throughout the week, Wednesday morning as well.

If you’re having any issues finding information, accessing the meeting, anything, pop by there. Talk to our help desk.

Now, I hate to jinx things. Things have been going so smoothly with setup. But I do want to go over real quickly what to do if for some reason Zoom drops. First off, let’s verify that it’s not on your end. Try to connect again. If that’s not working, we do encourage you to head over to the webcast. The link to the livestream is on the ARIN 55 site.

If Zoom is, in fact, down, you’ll be definitely hearing about it there because we’ll be talking about it here. If you try to access the webcast and you can’t get that either, I’m having a worse day than you are.

We’ll be, unfortunately, probably having more dad jokes in the room. We’ve done this before. I know I can count on my in-person attendees. But we will be – look for your email from the meeting email when it’s ready to rejoin.

That was mostly coherent. You got it. I haven’t had enough caffeine. I’ve got to balance it on meeting days. Never mind.

Anyway, so if you’re here – I didn’t do it right. In-person audio. Please, if you’re going to join the Zoom so you can talk to our virtual attendees, mute your mic, disconnect from audio. You’re welcome to log in to the Zoom to talk to the virtual attendees in chat.

Reminder, one, talk slower than I’ve been talking. I’m going to hear about it from Denise on the first break. When you approach the microphone and are queued to begin your comments, please lead off with your name and affiliation. And, of course, do that as well with any virtual comments. That’s just for the live transcript so we know who said what, because that’s important. And we do publish a record of the meeting.

Alright. Hopefully everybody found the meeting Wi-Fi with no problem. If you’re having issues, please, you can check in with the folks at the registration desk and they can help you out.

There will be three table topics at lunch today. We have two policy topics. One is on Section 6, Allocation and Assignment Language, the other on Critical Internet Infrastructure Allocations.

And as I mentioned, the NRO NC is deep in work on a review of the ICP-2, which is Internet Coordination Policy 2. It is the policy that establishes – is used to establish RIRs. There’s a consultation open on that. That’s all I’m going to say because I could go off on a tangent. I’ve been helping them out a lot lately. They’ll have a table topic if you would like to discuss that with them.

We’ll have a social tonight for folks on site. We hope you’ll join us at the Discovery Place Science Museum. The social will be from 7:00 to 10:00. It’s a short walk from the hotel. You need to wear your badge. There are maps at the registration desk. And we are asking that people try to collect and walk in large parties. We’ve arranged to have extra security between here and the hotel just to make sure everybody feels comfortable and safe walking back and forth. But stick with the group.

Emergency evacuation. Alright. In the event of an emergency, please use the nearest available exit and follow instructions from hotel staff. Which is not me. Don’t ask me. I don’t know. Look for someone on staff. They’re super helpful. My guess is down the escalator and out the doors. I could be wrong. And if we get a shelter in place, stay in here. We’ll hang out.

Navigation. If you go to the Meeting Materials page, which is available on the ARIN 55 site, you will be able to find all the presentations that are slated to be given over the course of the meeting. They’re already there in PDF, if you prefer to view them on your laptop versus looking at the screen. Sometimes the resolution in the feed can be a little bit hard so it’s easier if you can look at the presentations natively.

Live transcripts and webcast are running. Links to that are also on the meeting website. That’s what the meeting website looks like. That’s the navigation. And, yep, most of the stuff you’re looking for is going to be right there under Program Information.

And, again, as I said, Meeting Materials also has the Orientation Guide from orientation last week, the Policy Discussion Guide, our agenda, all the presentation slides and – we always get dinged about acronyms. It’s tough. There are a lot of long phrases in this industry that we shorten and state in acronyms quite frequently. We try not to. We do our best. Sometimes it happens anyway.

Get the Acronym Guide out. Make a bingo card. Have fun.

In-person attendees, you’ve got your own drop-down. Virtual attendees, you’ve got your own drop-down with things that are maybe of special interest or need to you.

We have a keynote this morning, looking forward to welcoming – you don’t have to come up yet, don’t panic – Leslie Daigle is here. She’s going to be talking about strengthening Internet integrity through collaborative solutions for cybersecurity challenges. I got a sneak peek at her slides. It should be a really good talk. So get ready for that.

Once I’m done up here chattering, we’ll have a Welcome from our Board chair and our President and CEO, our Financial Report, and then keynote and a Government Affairs update. Take a break, reload on coffee. Come back for our Policy Experience Report, Regional Policy update and AC Update and On-Docket Report.

And then we’ll go to lunch. Take advantage of those table topics. Come back, we’ll hit our first policy session of the meeting. We have four policies. We have about an hour to get through those before we proceed into the Number Resource Organization update and the Address Supporting Organization update.

You’ll get it when we get there. They’re kind of the same thing but not really. Again, we’re not going to go down that path right now.

We’ll take a break. We’ll have one final Internet Number Resource Status Report. And then we will close with an Open Microphone that’s not on there.

And topic, timing of discussion. So today, because there are other things that follow after it that people are specifically tuning in to see, we are going to keep the policy block to an hour.

Tomorrow we have a little bit more flexibility. So if we find that the policy discussions need to go long, we can just extend the block and slide from there. So we will make sure that we give ample time to discuss the policies that are on the docket for this meeting.

We do have Standards of Behavior. You may have noticed when you registered you were asked to check a box acknowledging them. We take them seriously. Basically, it just means we want to treat everybody with courtesy and respect and remember that we’re all here with the same goal in mind, which is to support the ARIN community in making good policy for our region.

And to help us make sure we do that, I’d like to welcome Stacy Goodwin Lightfoot. She’s our ombudsperson. Our ombuddy, Wade Hinton, unfortunately was unable to be with us, but he sent his friend Stacy. And I’m going to let her tell you a little bit about herself.

(Applause.)

Stacey Goodwin Lightfoot: Thank you to the one person who started the clap, I appreciate it.

Thank you all so much. My name is Stacy Goodwin Lightfoot. I have found my long-lost cousin in Melissa Goodwin here.

But I’m here representing Hinton & Company, and I am serving as your ombuds for this conference to ensure that I’m a neutral resource and a confidential resource for you all, to support a positive environment and also to help you all navigate any concerns that you may have throughout this conference.

So I’m here representing Hinton & Company. I have known Wade for almost 40 years, if you can believe it. I’m only 42. I’m just kidding. But my 9:00-to-5:00 job, I am the vice chancellor for access and engagement at the University of Tennessee at Chattanooga where I foster collaborations, problem solve, work on inclusive practices there.

I’m also over the Office of Equal Opportunity and Accessibility. We deal with ADA situations on campus for faculty and staff. And also we are just here to create a great environment on campus for all those who visit UTC.

So I am used to working in a high-stakes, fast-paced environment and dynamic environments like this one. And so while I am not a tech expert – I do feel smarter after meeting many of you all yesterday – I do understand that sometimes wires can get crossed.

That was a joke that I practiced yesterday with the Board. They didn’t laugh either.

(Laughter.)

So I thought I would try it again with you all. I’m going to work on that. I really am.

But I do want you all to know, if anything comes up, big or small, I am here to help you navigate those conversations discreetly and confidentially and informally. That is the role of the ombud.

My information is up on the screen. You can send me a text. You can send an email. But there’s also a private room where we can have conversations in the back.

But I’m extremely excited to sit through your meetings today and learn more about the Internet. Thank you.

(Applause.)

Hollis Kara: Thanks, Stacy.

Alright. And with that, we’re into more audience participation. Can I get a big round of applause to thank our Network Sponsor, Spectrum?

(Applause.)

Our Webcast Sponsor, Google? (Applause.)

Our Platinum Sponsor, AWS? (Applause.)

And our Silver Sponsor, IPXO. (Applause.)

Thank you, all our sponsors.

And with that, I would like to invite John Curran to come up and welcome you to ARIN 55.

Welcome from ARIN’S President and CEO

John Curran: Thank you, Hollis.

Good morning. I’m John Curran, president and CEO of ARIN. Some of you probably recognize that. I’m very pleased to be here and welcome you to ARIN 55 in Charlotte. I’m pleased to be here in person.

I have attended almost every ARIN meeting, but I missed our Toronto meeting. As people may remember, I was unable to travel due to illness.

Apparently, they put me up as a 6-foot-tall head on the screen, sort of a talking face of God or something. Much better to be here in person.

I see a lot of faces I recognize. I see some new faces. And I’m just thrilled to be able to join you again. I don’t expect to miss any other meetings. But caution was called for, so I was cautious.

I just want to say we have a great schedule for the next three days. You’ve gone through today. The following days we’re going to have more policy work. We’re going to be talking about the ICP-2 work that’s going on. We’ll get a bunch of updates from the various departments and the programs that we run at ARIN. I think people will find those interesting.

We have most of our team here in terms of leadership. If you have, at any time, any questions on how ARIN is doing, what we’re doing, feel free to ask. I’m available as a resource at any time. I want to make sure people know, since I’m here in person, take advantage of me. I’m very happy to be here.

With that, that concludes my comments. I want to turn it promptly over to our Board chair, Bill Sandiford, who will have some opening remarks and then some presentations. Thank you.

(Applause.)

It’s all yours, sir.

Bill Sandiford: It’s a tough act to follow to get up on stage and follow the talking face of God.

(Laughter.)

Alright, everybody, good morning. I hope everyone had a good time last night at the welcome reception. It’s nice to see everybody here. I’ll keep the remarks part short. Just very warm welcome from the Board of Trustees. All of us are around should you need us for anything, and should you wish to chat.

I don’t have my slides for the next presentation.

Hollis Kara: Do we have Bill’s slides?

Bill Sandiford: I’m advancing and I’m getting Nancy already. It’s like I’m done.

Beverly Hicks: Give me just a second. I’m not sure what happened. Can we flip-flop while I get that presentation?

Bill Sandiford: Sure.

Hollis Kara: You okay with that? Why don’t we do that, then. We’ll get that presentation moved over. Bill, if we want to kick to Nancy we can.

Bill Sandiford: Stacy had her jokes, that steals mine. I was about to tell you that I’m here to give you the most boring presentation of the day, the Board of Trustees Report. But then I’ll use it to introduce the most exciting presentation of the day, Nancy Carter and the Finance Committee.

Hollis Kara: Come on up, Nancy. At least they’re not expecting much when you come back.

(Laughter.) (Applause.)

Good morning, Nancy.

Financial Report

Nancy Carter: Good morning. Good morning, everybody. Really great to see all of you here in Charlotte. The weather here has been such a nice surprise. You won’t understand this, but it was three degrees in Ottawa this morning, which is cold. Three degrees, I don’t know what it translates to. Quick, Bill. But anyway, cold. So I’m enjoying the weather here. It’s great. It’s 38 Fahrenheit? Ooh.

Anyway, it’s also Election Day in Canada. So to all my Canadian friends who are here, I hope you voted before you left. It’s a big election. The results are important.

So I know this is the moment you’ve all been waiting for since we last met. And we’re all here because we love numbers. So there’s no more fitting start to the ARIN meeting than the financial presentation.

First off, I’d like to start by expressing my gratitude to my colleagues on the Board of Trustees and the ARIN staff whose support has been instrumental to my role as treasurer. I’m particularly thankful to the Financial Services department for their unwavering commitment to producing and developing valuable reports.

My sincere appreciation goes to Brian and the entire FSD team for their efforts. Their enthusiastic support, along with that of Alyssa, greatly facilitates my responsibilities as treasurer.

So today I’m going to update you on the activities of the Finance Committee since last October. I will review ARIN’s financial performance, including revenues and operating expenses. And I’ll provide details of the investment portfolio and then look at our financial position.

And finally, I will also talk about the data center move, which is not something I normally talk about, and our long-term financial plan.

So as you can see, the Finance Committee has met three times since I reported to you in October in Toronto. And I anticipate that we will be back to our monthly committee meetings for the balance of 2025.

We provided oversight of the financial results of the organization. We’ve monitored the investment results in conjunction with our investment advisor. We’ve reviewed the annual tax compliance report and reviewed the Finance Committee charter and the committee’s year-end report to the Board. Most recently, we reviewed the preliminary estimate of the 2026 financial position.

And as I told you in October, the Finance Committee approved the selection of CliftonLarsonAllen, or CLA – there’s a new acronym that’s probably not on the list – as our new audit and tax service provider. They’ll be undertaking the bulk of the audit work starting this month.

We continue also to depend on the expertise and professionalism of our investment advisors at Fiducient. And their performance continues to meet our expectations.

So I’m now going to talk about ARIN’s financial performance. I’ll start by presenting an overview of the key financial performance metrics of 2024. Overall, ARIN had a successful financial year. Starting on the funding side, you can see we had revenues of $28.9 million. This was 1 1/2 percent below our budget expectations.

On the spending side, we recognized expenses of $30.3 million. This was 4 1/2 percent below the operating expense budget. So the variances in revenues and operating expenses combined to result in an operating deficit that was only about 60 percent of the budgeted operating deficit. The actual deficit was $1.4 million compared to what we’ve budgeted at $2.4 million, so that’s great.

Finally, during 2024, our investment income was a respectable $2.4 million, and this was significantly higher than the budget of $1.1 million.

Continuing with some highlights, I’m happy to report that the major driver of ARIN funding, the Registration Services Plan revenues, was on budget at $25.8 million. This represents about 89 percent of our total revenue. So it’s important for these revenues to perform as we expect.

I mentioned that operating expenses were 4 1/2 percent under budget. So driving this variance was a 3 percent under-budget position in salaries and benefits. And I’ll have a bit more on that later.

Finally, the impressive investment gains for the year were driven by a 7 percent gain in the long-term investment portfolio. So we’ll dive into revenues here. So before I share more details on the annual resource registration revenues, let’s look at other revenue sources.

We did expect initial resource registration revenues to decrease in 2024 due to the harmonization of Autonomous System Number billing into the ARIN Registration Services Plan pricing program. That change drove these revenues down a little more than expected.

So the revenues for initial resource distribution were $0.7 million, which was less than the $1.1 million recognized in 2023, and was also 26 percent under budget. Combined transfer source and transfer recipient revenues for the year were $1.6 million. This is consistent with revenue performance in 2023 but was about $100,000 under what we budgeted.

And finally, other revenues were $0.7 million. Like transfer revenues, other revenues were consistent with 2023 but still slightly under budget.

This slide shows the change in the annual run rate since January 1st, 2022, for ARIN’s revenues under the Registration Services Plan. ARIN typically sees customer-driven revenue growth in the Registration Services Plan of 1 1/2 to 2 1/2 percent per year.

So if you look at this slide, you can see that the annual revenue run rate grew 2 1/2 percent from January 2022 to January 2023, and then the revenue run rate grew a further 3.7 percent by January 2024.

And this increase was more than the typical growth due to that harmonization of Autonomous System Numbers that I mentioned earlier into the billing program in October of 2023.

For January 2025, we can see that the revenue run rate grew 6.8 percent to $27.7 million. And this increase was more than the typical growth, partly due to the Registration Services Plan pricing increase in 2025.

So the run rate by January 2025 is $27.7 million, but where is that funding coming from? The annual resources fee – the annual resource fees are billed across 11 Registration Services Plan customer categories. So this slide shows you that every Registration Services Plan customer is important to ARIN’s financial health.

The four small Registration Services Plan service categories account for $13.8 million or 50 percent of the total Registration Services Plan revenues.

So we’ll move on to ARIN’s operating expenses. Managing ARIN’s operating expenses starts with managing the costs of salaries and benefits. The salaries-and-benefits expense for 2024 was $20.9 million, accounting for 69 percent of ARIN’s total operating expenses. So this figure represents a 3 percent increase over the 2023 expenses but is 3 percent lower than the 2024 budget.

ARIN began the year with 98 employees and concluded with 105 at year-end, averaging 102 employees throughout the year. Although the budget was for 106 employees.

This variance in head count resulted in salaries expense being below budget expectations. Additionally, favorable variances in the medical plan contributed to the overall salaries-and-benefits expenses being 3 percent under the budgeted amount.

Engineering operations cost is the second largest operating expense at ARIN. Engineering expenses totaled $4 million in 2024. This was 7 percent below a budget of $4.3 million. And a favorable variance in software expenses was what drove this under-budget position.

The combined total of other expense areas amounted to $5.4 million in 2024, resulting in a position that is 7.5 percent under budget. This favorable variance is primarily attributed to lower-than-anticipated costs in professional services, outreach and Internet industry support expenses.

This chart illustrates significant operating expense budget variances. And as I talked about on the previous slide, the largest contributors to the budget variances are salaries and benefits and engineering operations.

So we can now look at investments, and I’ll summarize the 2024 portfolio activity. The market behaved very well during 2024, which resulted in the ARIN long-term investment fund realizing a 7 percent return, even though the investments are allocated in a very conservative manner across the various investment asset classes.

Interest rates on the operating investment fund money market accounts continued to stay high during 2024. And this led to interest income of $265,000, which is a return of about 5.2 percent. And as expected and budgeted, withdrawals were made from this fund during the year. We paid the second $1 million to the IETF Endowment Fund. IETF, Internet Engineering Task Force. This was anticipated and discussed at the last Member Meeting in Toronto.

Additionally, we transferred $1.7 million into ARIN operations. And this transfer was less than budgeted because of our below-budget operating expense variance that I spoke about earlier.

This chart illustrates the range of annual investment performance in the long-term investment fund over the last six years. We have seen five years of positive investment growth with returns ranging from 7 percent all the way to 20 percent.

In 2022, we experienced a loss of 12 1/2 percent. So the 2024 return of 7 percent is consistent with ARIN’s expectations when considering our low-risk investment preferences.

In February, the Finance Committee convened with the investment advisors to evaluate the targeted asset allocation for 2025. The asset-allocation strategy continues to be conservative, predominantly focusing on fixed-income investments. According to market projections at the time of our evaluation, the anticipated return on the asset allocation for 2025 was estimated at 6 percent.

As discussed, withdrawals were anticipated in the 2024 budget. So $1 million for the contribution to the IETF and a $1.7 million withdrawal to balance the operating budget. As a result, we ended 2024 with $3.1 million in the operating investment fund.

The target operating reserve is set at nine months of annual expenses. It is currently fully funded by our investment balances.

And now for a look at ARIN’s financial position. So as this slide indicates, ARIN’s financial position is remarkably consistent from 2023 to 2024, with total assets increasing only $100,000 to end at $45.2 million.

Our liquid assets, defined as cash, accounts receivable and investments, is a respectable $37 1/2 million at the end of 2024. This is a slight decrease from 2023. And by “slight,” I mean less than 1 percent.

Net assets grew by $1 million during the year. This change results from combining our investment income of $2.4 million and the operating deficit of $1.4 million.

Liabilities decreased by almost a million during the fiscal year, primarily due to the contribution that we made to the IETF Endowment Fund.

And now for other business. The ARIN Engineering team is fully engaged in a project to move the data center, currently operated in the Chantilly headquarters, to a dedicated colocation site better suited to provide the high level of availability required by the community. The 2025 project budget of $2.1 million was approved by the Board of Trustees. I’m very pleased to report that this project is on time and on budget. Congratulations to the engineering team.

My final slide is a reminder of the discussion that we had in October. The Board of Trustees has committed to a 2030 balanced budget, meaning that we plan to manage through a few years of negative net budget positions.

And some of the strategies that the organization is deploying to support that commitment include keeping the head count flat, disciplined spending, and annual price adjustments that are determined based on assessed needs.

Thank you so much for your attention. I’m more than happy to answer any questions. But also I’ll let you know that I’m around over the next few days. If I can help provide any clarity on any of the material that I presented today, and feel free to find me and come chat with me.

Hollis Kara: Alright. (Applause.)

Thank you, Nancy.

If we have any questions in the room, please feel to approach the microphone. Same, the queue is open for online if we have any questions from virtual attendees. Just a second to see. Do we have anything coming in, Beverly?

Beverly Hicks: Nothing here.

Hollis Kara: Alright, Nancy. Folks will find you if they need you. Thank you.

(Applause.)

Real quick, before Bill starts, my apologies for not having your slides available, but I wanted to point out, for folks in the room, I forgot to mention, if you look on your badge, you have a sticker with a QR code.

Nobody is Rickrolling you. We only did that to Brad. But that’s an innovation that actually came from our director of technical services, Brad Gorman, and communication manager, Ashley Perks. And that’s a direct link to the agenda. So that’s there if you want it. With that, over to you, Bill.

Board of Trustees Report

Bill Sandiford: Thank you. Hey, slides.

Good morning again, everyone. Was I right? Was that not the most exciting presentation of the day that you’ve just had from Nancy?

(Applause.)

And now I present to you the most boring presentation of the day. My job is to just quickly run you through – it will only take a few minutes – some of the highlights of the things the Board did this year.

The slides are a bit of slide busters. It’s more just bullets of things we did. Some of them are the same as every year. But it’s our job just to let you know that we’ve taken care of everything that needs to be taken care of.

Early in the year we approved the 2025 budget and took care of the usual housekeeping things that we do at our January meeting every year, like appointing the General Counsels and other tasks like that. We authorize the Treasurer to approve expenses beyond the current budget year. That’s often required for things like these meetings, where they’re planned multi-years in advance, but there’s no budget in place so it requires special consideration.

As always, we adopt minutes of our Board meetings, which are published online, for those of you that wish to do so to go and review. We adopt and update our Strategic Direction Statement every year. And then we look at all sorts of other housekeeping things that need to be taken care of, stuff like updating volunteer travel policies, conflict of interest policies, disclosures, stuff like that.

Obviously annually we take care of confirming the results of our Board of Trustees, Advisory Council, and NRO elections. This year we approved an RFP Task Force Special Committee and did all the usual appointing of Chairs, Treasurers and different Board members to various officer roles that are required for the organization.

We also updated a new Volunteer Code of Conduct. We put in the new Trustee Code of Conduct disclosure form and approved various other items like participant expected behavior for meetings such as this or otherwise.

We looked at our 401(k) charters and various other charters, including the Compensation Committee, Finance Committee, Nomination Committee and Risk & Cybersecurity Committee charters.

Our Board officers were elected and confirmed. We established all our various Board committees that operate throughout the year to make the Board work flow smoothly.

We’ve adopted the election process for this year’s coming election, and we’ve updated our Governance Committee Charter standing rules and our ARIN Volunteer Code of Conduct.

We also ratified policies. This is the policies that go through our Policy Development Process, shepherded by the ARIN Advisory Council, and ultimately come to the Board for adoption. So four policies here that were ratified by the Board through the course of the last year.

And that is the end of the most boring presentation of the day. I open the floor to any questions or comments.

Hollis Kara: Please approach the mics if you have any questions for Bill, or start typing if you are on the Zoom.

Seeing anything?

Bill Sandiford: Seeing and hearing none.

Hollis Kara: Alright, Bill, thank you very much. (Applause.)

Super duper. Rolling right along, I’d like to welcome our keynote speaker to the stage. Leslie Daigle is the CTO of Global Cyber Alliance. She’s going to be talking to us about strengthening Internet integrity. Come on up.

(Applause.)

Keynote: Strengthening Internet Integrity — Collaborative Solutions for Cybersecurity Challenges

Leslie Daigle: Thank you. I’m delighted to be here this morning. I hope this will be at least as exciting as the financial presentation, but we’ll see how it goes.

Yes. So I am the CTO of the Global Cyber Alliance, which is a small not-for-profit that’s dedicated to ensuring improved cybersecurity across the global Internet.

It’s celebrating its 10th anniversary this year. You may never have heard of it, but we’ve been quietly working away for quite some time.

So, talking about strengthening Internet security, first, let’s throw our minds back a little bit. I’m pretty confident that I’m not the only person in this room that can remember when life was a whole lot simpler.

So just to sort of keep things in perspective, when this computer was current and relevant was right about the time that automated banking machines, ATMs, were becoming prevalent at least in the country, so well before we dreamed up this notion of doing banking business from your phone.

It was a much simpler time, and things have progressed an awful lot since that time, both in terms of what we can do, what we consider normal, what we consider imperative to our daily lives, and sadly also in terms of attack surfaces and threats and risks and everything that goes along with it.

So today I’d like to talk about securing the Internet and why it’s hard and important. And I’ll give you some concrete information, some concrete examples of attacks that play out across the globe, just to ground all of this – this is not just sort of mental meanderings – and then give some pointers to some positive approaches that maybe we can consider to improving the state of the world.

And I really do mean the state of the world. The Internet is the world, right?

So as we all know, collaboration is sort of a keyword for the Internet. The Internet was built on collaboration. The very fact that we have a globally connected network comes from the fact that every network works with other networks to do their part of moving your packets from one place to another.

The very reason that we can have a video call from here back home, wherever home might be, is due in large part to that coordinated and shared action, which is sort of the theme for all of what I’m talking about today.

Sadly, it also means that the attack surfaces for bad actors are massive as well and not localized in any particular jurisdiction, which is also going to be a theme of today.

I’m also talking about Internet integrity because we can talk about the Internet and we can talk about securing the Internet, but there isn’t a whole lot of point to it if we aren’t actually achieving something that works seamlessly together to provide a unified whole still. I’ll give some examples of what isn’t Internet integrity as we go along.

But for right now, I want to focus on the fact that, surprise, securing the Internet is hard because the Internet is everything everywhere all at once. And it was that for decades before there was an award-winning movie of the same name.

What does that mean? It means the Internet is oblivious to jurisdictional boundaries. For example, you can use domain names that are registered in one part of the world and then use hosting resources in another part of the world and then have number resources registered in yet another part of the world and be physically somewhere else altogether.

So with that kind of spread, it makes it a challenge because you can impose cybersecurity mandates within your own networks. You can even sometimes sort out some of the problems that are starting from within your own networks, but you can’t address the problems that are outside of your networks.

So it’s sort of like maintaining highways and doing flood mitigation. There’s an awful lot of work that has to be done by a number of actors in order for there actually to be a secure Internet. I think I mentioned it’s hard, right?

So normally when we think of security, we think of putting locks on doors or putting firewalls on networks. It’s block, block, block, stop.

But for the Internet as a whole, and in order to have an Internet that has that kind of integrity that we’re talking about, you can’t just block every IP address that ever sent you a bad packet because if we start doing that, then we have a shredded Internet.

So it’s important still to get security right at the lower layers because you can’t 2FA your way out of a routing issue. You can’t address lower-level cybersecurity threats by applying more layers of security at the application layer.

So this is all part of the “this is hard” part of the talk. You need – you as a network operator need to both rely on and work with other networks. And you need to do things sometimes that aren’t for your network but will help everybody and hope that others are doing the same.

Because whose job is it to stop criminal activity on the Internet? We can say criminal activity, that’s for police officers and the legal system, right?

Well, again, that’s back to the challenge that this global Internet thing that we have has this huge attack surface. And with resources registered in one place and used in another, which jurisdiction actually has the authority to act and can actually stop things? Particularly when what you see from one particular vantage point may not seem that threatening, but it’s only when combined with others it becomes an actual real problem. And I’ll give some examples of that.

So this is why we talk about it as a collective-action problem because bad actors can be anywhere, And no one organization can solve the problem for itself let alone for the world. And usually we have these negative externalities. You have to do something in your network in order for somebody else to have a better security experience.

So we need to have a lot of improvement, a lot of steps taken around the globe, but they can’t be uncoordinated steps. It can’t be mandates in one part of the world that are impacting the whole world.

I don’t think I’m going to get through this talk without saying GDPR. GDPR is a good example of a well-intentioned policy that has impacts well beyond the reach of the jurisdiction in which it was created. Where it’s a European law, it’s impacted the use of the Internet the world over.

With all that, I’ve made you all depressed because we agree it’s a hard problem and it’s messy and it’s ugly and what are we going to do about it? So why do anything about it because it’s hard?

So it’s also important. So why is it important? Why does this matter? And we actually don’t have to ask ChatGPT to do this, but it’s trendy. So let’s.

If you ask ChatGPT why is it important to secure the infrastructure of the Internet, you’re going to find a long list of things. You all know all of these things. It’s all of the little-bitty bits that are threats to the Internet, whether it’s misconfigured firewalls, whether it’s DNS attacks, whether it’s IoT devices with default passwords giving you the Mirai botnet taking down the Dyn services some years ago.

These are all small things in the Internet that combine together to create a mountain of a problem. So all the little things add up to the big things. And so this is on the problem side of the equation. So why does this still matter at a business level?

Well, it matters at a business level because the attacks that stem from all these open threats, open infrastructures and the threats that leverage those problems, they have real business consequences.

So United Health Group, in 2024, they had an attack, cyberattack on their Change Healthcare unit, and they saw a drop of $0.92 a share in the second quarter per “The Wall Street Journal.” $0.92 a share may not sound like a lot to you unless you’re a shareholder.

It’s not just about networking infrastructure businesses. This is important to all businesses in the world. Remember, we’re not back in the original Mac era. Everybody relies on the Internet for all of their business, everybody from banking to law firms and others.

And cybersecurity issues impact business, period. And something that you think is just an outage somewhere turns out to be a route hijack and somebody’s having a really bad day.

I’d like to include the reference to the CrowdStrike issue from last summer here because that was not a cyberattack. But it does give us a very sort of a gut-level sense of how fast some of these things that percolate through systems can impact systems across the world and the level of impact they can have.

If you were trying to travel anywhere in July of 2024 at a particular week, you may have had troubles because most airline systems were CrowdStruck and things were wedged for days, or longer if you were with Delta. So pointers to all the references.

So I said earlier that there are things you shouldn’t do if you want an Internet with integrity. So here’s just one illustration of that.

So this is a screen shot of a webpage when I attempted to download information about my pay stub while I was at the IETF meeting in Thailand. It literally says “we don’t serve IP addresses in Thailand.”

Okay. So paychex.com has decided that they’re not going to serve websites – they’re not going to serve people trying to access from Thailand. That is an example of this Internet don’t have integrity.

Why would Paychex do that? Do they see too many attacks coming from Thailand and decide they have to block the whole country? Possible. Is it that there are regulations in Thailand that are too hard to comply with from Paychex’s perspective, like GDPR, but something else? Is it because Paychex decided, I have no idea why anybody who is using our services would try to reach us from Thailand, so it must be wrong?

Clearly not a good assumption because I happened to be traveling and for whatever reason needed to see my pay stub. Is this actually helpful? I think not. It was actually better than a different site that I tried to access that didn’t even give me the error message, it just timed out.

So Alright. That’s all of the “why it’s hard” and “why it matters.” And, again, you can’t secure the Internet, but maybe together we can make some progress on it.

This is where we start the upbeat part. Right? So because we can do big things together, clearly – we did the Internet, right? And we’re still doing the Internet. The World IPv6 Day and Launch I think were pretty good examples of when competitors come together, little efforts can make big impact.

And the Mutually Agreed Norms for Routing Security is another example of coming together to do the right thing. And I’ll say more about that in a bit.

At the Global Cyber Alliance, we look at the Internet infrastructure in terms of names, numbers and routes, sort of the basic triumvirate of what makes the Internet go.

We have projects that are looking at all of these areas, collecting data in one form or another and working with infrastructure operators to identify what are the actual problems, what can be done about them and how to make progress. So I’ll say more about all of that in a little bit too.

I’m going to focus mostly here in terms of things impacting the numbers side of the house, i.e., IP addresses, because that’s what you’re all interested in.

I have to say at this point that I’m going to fly through a bunch of material just to sort of tell the story. There’s a lot more, and I mean a lot more, in the data. I’m happy to talk about it more offline as well. I’ll be here through tomorrow midday anyway. So happy to talk more if there are things you want to follow up.

But right now I want to say a little bit about what we see in the numbers. So this is 30 seconds in the life of a global honey farm. We have about 200 sensors deployed across the globe that are just listening always on a variety of open ports, accepting any number of passwords to see who’s poking, what are they trying to do, what are the commands they’re trying to run when they get onto our systems. And the red lines and the salmon lines are scouts and attacks. The blue lines are scans.

So some number of scans in the world, scans every day is normal. Everybody is always trying to see how much of the IPv4 space is accessible. But the salmon colored ones and the red ones are bad. These are bad actors.

These are things that – we started this project in 2019 looking to find out what was going on in the world of attacks on IoT devices. So this was sort of in the era of the Mirai botnet and attacks taking down the Dyn system.

And I’ll give you the short answer to what’s going on in the world of IoT attacks: Change passwords. No default passwords, and change them, and then we’re done with the IoT story for a minute.

The important thing we actually discover in all this data, which we’re still collecting six years later, is this stuff is hitting every single open IPv4 port – every single one of them – all day, every day.

So and it’s not sourced from any particular part of the world. It’s sourced from all over. Sometimes it’s masked, whether it’s people using the exit points of these shared VPN tools. Sometimes it’s because you’re leasing out your IPv4 addresses to somebody else. I could have titled this talk “It’s 10 o’clock and do you know where your IPv4 addresses are?” Because do you really know what they’re out there doing?

And this isn’t just little script kitties poking and prodding and having fun, saying, tee-hee, I just tickled a server over on the other side of the globe. These are actual honest-to-goodness attack campaigns.

Last year at this time the FBI was concerned about the Volt Typhoon campaign, where China was – it asserted that China was developing the ability to physically wreak havoc on US critical infrastructure.

And the purpose of that particular attack is to take control of vulnerable routers, modems, cameras around the globe.

So again in our honey farm, when we see these attacks, and we do see attacks, not just against the US but a lot of targets across the globe, we can see what kinds of commands they’re trying to run and what things they’re trying to take over and whatnot.

So we can tell that these are actively attempting to download malware. Although my favorites are the ones that immediately overwrite the .ssh files directory with their own .ssh keys because then we can track them all over. But anyway, off topic.

Another one was the Flax Typhoon attack, a more malicious one in terms of attempting to burrow into the operating system and take over existing legitimate software to remain undetected, primarily targeting Taiwan. And indeed we saw an awful lot of that in our Taiwan sensor, with the largest surge in August of 2023. So lots of that going around in the Internet.

And then more recently, the CAPSAICIN-related campaign where there have been a couple now of spikes of malicious activity specifically targeting old D-Link vulnerabilities. And the fact that these things are actually getting toehold should give you a sense that there’s still an awful a lot of D-Link – old D-Link routers out there possibly deployed in some pretty inaccessible locations.

So you can’t just say patch and update and change out. This is not a practical approach at actually achieving security.

So we had a look to see if we saw anything going on in our honey farm. And, boy howdy, did we. This is from one IP address in Vietnam. It was sustained over several days. It eventually got shut down. Although it has recently popped up from anotherIP address in another country. So somebody out there is really trying to take hold and get in there. So we can see all this with our honey farm.

And one of the questions on our minds is, maybe we could stop some of this traffic before it gets out of your network. Like, by the time we’re seeing it, it’s launched from its home network and landing somewhere else.

So maybe we could take out some of those attacks and campaigns that lead to the expensive and large security challenges for all of the Internet and all of the businesses running on it if we actually stopped them before they left the network.

So here’s some numbers from Q1 of this year. I picked on four random networks that are in this room. These are not specifically those campaigns. This is the attack volume, the red and salmon colored things that we see, from four networks in this room.

Network C is pretty chill. And there are different types of networks here. But if you unpack it and see how that attack traffic has evolved on a weekly basis through Q1 of this year, you can see that there are different things going on from these different networks.

Network C had some more activity towards the end of the quarter. And the colors don’t show up super well on this monitor. They’re a little better – they do show up a little better there. The green and blue networks are kind of interesting because the blue network had an issue going on mid-quarter. But either they took care of it or the attackers decided to back off.

And the green network’s got some work to do because it’s pretty much sustained attacks through the entire year.

Of course, I’m deliberately not saying who these networks are because the point of the exercise is not to name and shame anybody, but just to talk about the fact that there are – different networks are deploying different techniques for addressing threats coming out of their networks. And the impact is variable.

So we’d love to have more detailed conversations with them to say what are you doing or what are you not doing. You can say, “Well, it’s not impacting our bandwidth, so it’s really not a problem. And it’s not impacting my customers, so it’s not really a problem.”

But, again, this kind of behavior is exactly the stuff that causes IP addresses to get blocked. It is exactly the kind of stuff that causes the value of your IP addresses to plummet.

And sometimes it is impacting your customers because this is the graph of one of the networks which is a cloud provider, and we happen to have a sensor or two in that cloud provider. So we can say but it is impacting your customers because we’re your customers and your other customers are trying to attack our sensors. So it is real.

So it’s hard, it’s important, it’s real and what are the ways we can address this and other issues impacting the overall security of the Internet. So in the Internet Integrity Program at the Global Cyber Alliance, we’ve tried to build sort of a blueprint to make a platform out of how can we actually address this kind of problem.

A year ago, we took over the Mutually Agreed Norms for Routing Security activity, which was originated at the Internet Society a little over a decade ago, where the same kind of problem faced routing security. There were standards being developed saying this is how we will secure the routing system that had a slight problem, which was operators couldn’t actually deploy it in an operational context.

So what the Internet Society did was sit down with some operators and say, okay, if you can’t do that, that’s fine, but what can you do?

That’s where the norms, the mutually agreed ones, came into existence, a set of actions that network operators said were the reasonable levels of care and security of the routing system that everybody should be doing.

And, again, there’s the thing. It’s not anybody outside the system saying you should do this, it’s the network operators saying we can do this, then the Internet Society and now GSA promoting the uptake of those norms.

And it’s collective action because it’s not everybody shooting off and saying, I’m going to do this thing and you should follow me, but it’s we’re all doing these small steps. And with that, and now with the measurement through the MANRS Observatory, so networks that sign up to say we are going to do – we subscribe to MANRS actually can be called into account if they don’t, in fact, live up to the actions.

With all of that, we can see the two-line charts are the uptakes overall and the uptake of MANRS, and the red and orange on this are showing the decrease in the incidents and culprits of routing attacks.

And I fully admit this is correlation. It may not be causation. But I’m hoping there’s a certain amount of causation here as well.

In terms of conclusions and takeaways from this, what I’d like you to see is that there really are threats to and in the Internet. Some of them are launching from your own networks. We can help you and you can help others through collaboration. And the best solutions to these things come from industry collaboration and consensus.

So I said that we feel we have a bit of a platform and a blueprint for doing these things, and we do, but it’s about how we can help a community of interested network operators, infrastructure operators identify and do the right thing and then promote it. We’re not trying to visit any requirements on network operators from outside.

And last line before we go to questions, I will take collaboration over blocking any day because I think that’s the path to Internet integrity.

Thank you very much. And I am happy to take questions.

(Applause.)

Hollis Kara: Thank you so much, Leslie. Folks in the room, please feel free to approach the microphones if you have questions. And folks online, please begin typing.

We’re going to take one in the room first, then I’ve got one virtual question in the queue at least.

Nick Nugent: Nick Nugent, University of Tennessee and ASO AC. Thanks very much for your presentation. This is purely curiosity, you say you prefer collaboration over blocking. Any thoughts on regulation, what role, if any, it should play in this?

Leslie Daigle: So regulation, I think, can be really valuable. But, again, because the Internet doesn’t actually line up with regulation and jurisdictional boundaries, it can be really hard to come up with something that fits the whole world.

So a year ago, when the United States Government was looking to regulate around routing security, we joined with the Internet Society, and sort of providing some input to say, look, don’t go beyond what the industry is already doing because if you take a step beyond what has been agreed, you may wind up forcing other networks in other parts of the world outside of your jurisdiction to either step up or disconnect.

So I think the right answer is for there to be regulation that supports the industry’s decision of what is the right direction to go and doesn’t try to get out ahead of the industry.

Nick Nugent: Thank you.

Hollis Kara: Thank you. Real quick, we’d like to take a virtual question.

Beverly Hicks: Sure. Joshua Messenger: “What software stack or sensors are used to help detect attacks? Also, is the data posted or available for the community consumption to help determine our network integrity and reputation?”

Leslie Daigle: So a couple of things there. We were using – Shadowserver does provide some information and they have a globally deployed Internet honey farm as well, and they work with network operators to share what they see.

The sensors that we are using is ProxyPot, which is a honeypot that we developed ourselves, which more or less looks like a Linux platform. But we actually are providing support not only for Telnet and SSH, but we’re also providing support for HTTP, HTTPS and FTPS. So the short answer is it is our own.

To the availability of data, one, talk to Shadowserver; two, we have made agreements with some research institutions to do investigations in our data, and we’re happy to talk to others.

We have posted – at gcaaide.org, we have posted what we’re calling Preliminary Internet Pollution Index, which shows this data on a per-country basis. And we are happy to talk to individual network operators to say – to show them what we’re seeing from their networks.

Hollis Kara: Kevin, over to you.

Kevin Blumberg: Kevin Blumberg, Toronto Internet Exchange. We have a group reason to improve the security at Internet exchanges. We take ownership of that. We were one of the signatories to the original MANRS IXP program.

But as an industry there’s a lot of balls dropped when it comes to taking ownership of the problem: It’s not my problem; you should be dealing with this. You. It’s always a “you,” not a “we” sort of problem.

ARIN has done an exceptional job of improving the ability to turn up ROAs. If you look at doing it five years ago versus today, it’s night and day better.

But ultimately it’s a “you” problem. “You” turn on your ROA. Not “we” turn on the ROAs, not “we” are forcing you to turn on the ROAs, or “we” are investigating and “we” are doing these things. It’s a “you” problem. That’s not moving the bar.

Yes, we’ve gotten to 56. When will we get to 57? When will we get to 80 or 90? The people that have done it have done it. And we need it to get higher. And Canada is awful. It’s into the 30s, by the way. Sorry. As a Canadian, I’m really disappointed with it.

So there needs to be more “we.” And I guess that’s part of what your mission is to do, is to get the “we,” and for this room is to start thinking more about taking the ownership of and not just saying passively “we” support it, “you” are responsible for it. It should be “we” are doing it now all as a group.

Leslie Daigle: Yes. Thank you for that. Because I think it really is a question of – If you take nothing else away from today, understand that we are past the point of being able to ignore all of these problems as “My, that’s a mighty nice attack you’ve got going on there.” If we want an Internet with integrity, then we have to step up together. Definitely. Thank you.

Hollis Kara: Thank you. I see one more question online.

Beverly Hicks: I actually have two.

From Mohibul Mahmud: “Thank you for the insightful remarks. You mentioned the importance of collaboration over blocking to preserve Internet integrity. In your experience, what are some of the practical ways smaller network operators or newer infrastructure players can meaningfully participate in the collective efforts, especially when they may not have the same resources or visibility as the larger operators?”

Leslie Daigle: Yeah, so I think certainly looking at the MANRS.org site and understanding what the MANRS actions are is a good way to get started and engaged.

We are increasingly sort of building out community in MANRS. So it’s not just about participation and then wander off, but it’s actually community and community engagement.

So by participating in that activity, you can actually up-level your own understanding of requirements and resources, and we’re hoping to work more with resources going forward on that particular front.

I see this as a whole suite of activities, not just silos of threats and responses. So I think that that’s one area where smaller countries, smaller networks can get engaged now and then hopefully get engaged in the larger picture as well.

Hollis Kara: To the floor.

John Sweeting: Good morning, everyone. John Sweeting, Chief Experience Officer at ARIN.

One thing you said as kind of a joke, but it really isn’t, do you guys know what your IP addresses are out there doing right now? It’s a big problem.

We at ARIN, we do everything we can to do the data accuracy, make sure people know who is responsible for what addresses; but as you get down the tree and we allocate to our customers, then they reallocate, and then they assign and reassign, and then they have people they let use the addresses, they lease them, they do all kinds of things.

It’s really important to understand what people are doing with your IP addresses that show that you’re the ones responsible for their use.

You’ll hear more about that during this week, but that wasn’t really – it was, but it really isn’t. Know what your IP addresses are doing.

Leslie Daigle: 100 percent.

Hollis Kara: Thank you, John.

We’re going take one more from virtual, then we’ll come to the floor. If anybody else has a question, please approach the mics now; otherwise, we’ll be closing after these next two questions.

Beverly Hicks: Robert Graves: “Would the list of guidelines the operators developed as standards be available for organizations to review and implement?”

Leslie Daigle: Absolutely. Anything that we do in this space would be modeled after what the Internet Society did with MANRS, which was to agree on the set of norms and then publish and promote it.

The thing that we’ve done in the last few months with MANRS is develop what we’re calling the MANRS Development Process, which is an open process for discussing and noting – discussing, improving and noting acceptance of various things.

This is intended to allow us to, for instance, update the MANRS actions as we go forward so it’s not stuck from 10 years ago.

The same kind of approach can be applied to other actions such as for reducing the unwanted traffic out of the different networks.

Hollis Kara: Awesome. Our last question.

Lily Botsyoe: Thank you so much for the presentation. Lily Botsyoe, Ph.D. candidate from the University of Cincinnati and ARIN AC.

Two quick questions. I worked on the MANRS Observatory for a while. It’s amazing. Check it out. It’s really cool.

The first one I had was for research, would there be an opportunity, for instance, to look at how we can also have Fellows come on board for the work you do? Maybe you can speak with Amanda and see, because I’m a past Fellow myself, and some of the things we learned there would – what you’re speaking on, could be good avenues to see the language in cybersecurity and what we do here with numbers and all of that.

The second thing is are we measuring integrity online? If we are, how are we doing it?

Thank you.

Leslie Daigle: So on the first question about research fellowships, we’ve been working with – primarily with particular research institutions. For some reason we have more success with European research organizations.

We’ve tried with a number of US-based ones, and it just never sort of comes to fruition. I think we somehow don’t line up with funding cycles.

That turns out that’s a mode that works better for us at this time than specific fellowships. But we’re always happy to have conversations.

So my email address is in the presentation. I’d be happy to have a follow-up discussion about that.

And then the question of measuring Internet integrity, I think there are a number of efforts around the globe for measuring different aspects of integrity.

The Internet Society’s Pulse platform, for instance, talks about Internet outages and whatnot, and we’re starting with the Internet Pollution Index. I have ambitions to have a network security observatory that measures different aspects of the integrity of the Internet going forward.

Hollis Kara: Awesome. Thank you, Leslie.

Leslie Daigle: Thank you very much. (Applause.)

Hollis Kara: Last chance before I move ahead to the next slide, folks, go ahead and take a second, pull up the Global Cyber Alliance website, put it in your bookmarks. You can find all the information about things Leslie talked about there as well as more information about how to connect with MANRS if you are interested in doing so.

Thank you so much for your time and for a great talk. I appreciate that so much. Hope everyone enjoyed it.

With that, we’ll get back to regular ARIN programming. I’d like to welcome up Einar Bohlin, our Vice President of Government Affairs, to give an update.

Government Affairs Update

Einar Bohlin: Thank you, Hollis. Good morning, everyone.

My name is Einar Bohlin, I’m the Vice President of Government Affairs, and this is our update.

Topics I’m going to go over today include composition of the team, strategic direction, our role, and the World Summit on the Information Society Review+20. That’s a big mouthful. You can say WSIS+20. It’s not a new acronym, but…

So the team is myself; Nate Davis, who’s our Senior Government Affairs Analyst; Leslie Nobile, our Senior Director, Trust and Public Safety; and Bevil Wooding, Director of Caribbean Affairs.

We’re all here today. We’re in the back on this side. We’ll be here all week. If you have any questions about government affairs, what we do or who we work with, please come talk to us.

Strategic direction. So the Strategic Direction Statement document was mentioned by our chairman this morning. This is something the Board produces and reviews to give timely and important guidance to the ARIN organization, and it’s on the ARIN website.

There’s a couple of pieces in it that really speak to the Government Affairs Department and give us guidance on what we do when we do our outreach. That includes protecting the multistakeholder approach to Internet technical coordination in the RIR system, and to proactively engage with governments to support their activities. And to increase outreach and support to our members in the Caribbean.

I’m happy to say that’s our roadmap for the year, and that’s what we do.

So how do we do it? What’s our role? When we’re doing outreach with government people, we try to make sure that the purpose and function of the RIR system is represented and understood.

And key messages that we give to government people — well, backing up a little bit. Most government people have heard of ARIN, have heard of the RIR system or the RIR where they’re located.

But government people come and go, and they’re very curious and they want to know who we are, they want to know what we do, where we came from. So we do have some key messages that we try to get across when we talk to them.

And the first one is that we’re a critical Internet infrastructure operator. And why is that? It’s because we assign Internet number resources, v4 addresses, v6, Autonomous System numbers. And we operate, with the other RIRs , one single global registry. That’s why we’re critical.

And we also facilitate an open, transparent, multistakeholder PDP. Many government people want to know: Where do you get your authority from? How do you create your rules?

And we get an opportunity to explain to them that it’s the community, it’s meetings like this and discussion online that creates the rules for managing number resources.

Switching gears a little bit. This is a little piece about Internet governance history and current events. Twenty years ago, there was a meeting hosted by the United Nations in Tunisia called the World Summit on the Information Society. The point of this meeting, if you go back and read about it, was bridging the digital divide. Today we call that connecting the unconnected.

The UN hosted this meeting. They invited governments and other stakeholders to attend this meeting and come up with a definition for Internet governance. They created the IGF. They produced a document called the Tunis Agenda.

It’s interesting that this document is an agenda because they recognized that it was a plan for the future. Back then there were like 1 billion people connected, and now we have 5, so we’ve made much progress, but there’s still progress to be made.

In this 20-year anniversary of that meeting, there’s a large review taking place of just how much progress or lack of progress has taken place. An interesting thing in the Tunis Agenda is this principle about management of the Internet.

All of this text is from the Tunis Agenda, which was adopted by the UN General Assembly. So it’s still a UN — not a law, but a UN decision.

So management of the Internet encompasses both technical and public policy issues. Policy authority is sovereign right of states. The private sector has an important role in development of technical fields.

So what are policy issues and what are tech issues? Well, tech issues include names and numbers, and names and numbers are still being discussed at the ITU, at the UN. They were discussed 20 years ago, and I engage at the ITU, and names and numbers come up regularly.

We, of course, as an RIR focus on the numbers side. We have friends from ICANN and from the ccTLD industry, especially from CIRA, from our friends from Canada, who cover the names aspect.

Policy issues are — well, they’ve increased in amount and concern for governments. And this isn’t all of them, this is just some highlights of current policy issues, and all of these things are being discussed today at different UN bodies.

So you have content, commerce and taxation, human rights, cybercrime, cybersecurity, and then AI, which is causing many governments to lose their minds. AI is such a big deal because it affects every one of the previous policy issues. They can be better or worse.

So I mentioned IGF, the Internet Governance Forum, was created out of the 2005 meeting. And on that previous slide I showed the policy issues. One thing about those policy issues is they often have an element of, within a large document on AI, for example, or cybercrime, there will be a little paragraph about names and numbers.

So while we don’t get to engage at the UN directly, we have to keep an eye on policy discussions, and we have to count on our government friends to inform us and advise us when something comes up regarding numbers and names.

On the other hand, there’s this United Nations event once a year called the Internet Governance Forum, which was designed to discuss policy issues.

And over the years, the RIRs have participated. We’ve operated a booth. We’ve done workshops. We’ve presented on topics including the RIR system, IPv6, and routing security.

And one of the really cool features of the IGF is that it’s a true multistakeholder discussion forum with multistakeholder organizations including governments, private sector, civil society, technical communities, academia. Everyone there is able to come and join in discussions about the evolution and use of the Internet.

And it would be a real shame if the IGF — as part of the WSIS review, the IGF is up for discussion for whether or not to continue it. It would be a real shame for that not to continue because it’s part of the United Nations and it’s a multistakeholder forum.

And what we’ve seen from some of the other discussions is the United Nations sometimes, and hopefully, thinks about involving other stakeholders in discussions, not at the UN in a General Assembly meeting, but at least early in discussions.

So later this year and during this year, discussions are happening about whether IGF should continue or not. And there’s been some comments about making it permanent, how will it be funded, what will other fora do that are being created, like there’s one being created on AI, how will that impact funding..

So everything I think on my slide is factual. You can find it on the Internet if you do research. I have an opinion about IGF, which is, having been to a couple — an IGF is a very prestigious event for a country. It allows the country to showcase its ability to host a large international meeting, to showcase its development of the Internet in that country. And as long as there are countries willing to host IGFs, which bears the brunt of the cost, then they ought to continue.

And some recent developments and discussions online have indicated that there’s a general feeling that the IGF should be extended.

I’ve included a couple of links here. And as a takeaway, the Government Affairs team is promoting and protecting the RIR system. And if you would like more information from us, please seek us out. Thank you.

(Applause.)

Hollis Kara: Thank you, Einar. The queues are open if we have any questions for Einar, either online or in the room. Give it just a moment in case anybody’s typing. Nope, looks like you answered everybody’s questions. You are free to go.

(Applause.)

Well done, folks, we’ve made it to our first break. We’re going to break now for 30 minutes.

There’s a break set out in the hall. I would ask that all my Fellows and Mentors come up to the stage so we can get a group photo. Otherwise, I will see everyone back at 11:00 for our next session.

(Break from 10:26 AM to 11:00 AM.)

Hollis Kara: Let’s get started with our next presentation. I’d like to welcome up our Chief Experience Officer, John Sweeting, to give the Policy Implementation and Experience Report. (Applause.)

Policy Implementation and Experience Report

John Sweeting: Good morning, everyone. I’m John Sweeting. I’m the Chief Experience Officer at ARIN, and I’m going to talk to you about Policy Implementation and Experience Report. We’re going to focus today on Out of Region Use.

So the policies that we reviewed, I get this input from our director of RSD, Lisa Liedel, and her team. So we’re going to review the wait list, 4.1.8, and Out of Region Use, which is Section 9 of the Number Policy Resource Manual; and also

Micro-Allocations, which is Section 4.4; and Dedicated IPv4 Allocation to Facilitate IPv6 Deployment, 4.10; and, again, Out of Region Use, Section 9, how that plays into those three different policies.

So the ARIN wait list, 4.1.8, the maximum size aggregate that an organization may qualify for at any one time is a /22. And that, of course, depends on a lot of other things: how much space they currently hold, when’s the last time they were on the wait list, how many transfers they got and when they did their transfers.

But one aspect out of it is Out of Region Use, Section 9. So Section 9 basically says that in order to use resources that you get from ARIN outside of the region, like if you have a POP in Europe or in Asia or in South America or somewhere, you must have at least a /22 used within the ARIN region.

So you can see the actual words there, down there at the bottom is where it tells you, hey, at least a /22 must be used in-region.

So the current staff practices are that an organization without any IPv4 resource can receive an initial IPv4 /22 from the Waiting List, but it must entirely be used in the ARIN region and meet all policy requirements.

So that means if you want to apply for a /22 off the wait list and you have a POP in Europe that you want to use one of those /24s for, you really can’t do that. You can’t use that as justification for getting that /22 off the wait list. But if you’re receiving a second /22 from the Waiting List, then you can use that space —— you can use Out of Region Use as justification.

What staff is struggling with is that a lot of people —— I don’t know if it’s a lot, but it’s enough that they brought this to me to present to you —— as people requesting space off the wait list, their first initial space, and they want to use part of that out of region.

So what they would like to know from you, the community, is are the current policies and practices aligned with what the community wants? Is that what the community really wants, that, hey, if you have no space and you want to get on the wait list and you want to get a /22 but you want to use Out of Region Use for part of that /22 as justification for your needs, is that something the community would like to see in policy or not?

We don’t advocate one way or the other, but we just want to know and we want to make sure the community understands that has been a problem for people applying for the wait list.

So should IPv4 addresses from the Waiting List — the other question is should any space from the wait list, Waiting List for the ARIN region be used outside of the ARIN region? So are we doing it right by allowing that second request to say “Yeah, I want to use this out of region” and we say “Okay, that’s justified needs per Section 9, so, yeah, we’ll approve it, and you can get it and you can use it out of region”?

So we’re kind of asking two different questions here: Are we doing it right on letting them get the second allocation for Out of Region Use? And are we doing it right telling them they can’t use any of the first /22 out of region?

So the context here is these questions aim to assess whether the existing policies around IPv4 Waiting List allocation including out of region usage meet the expectations of the community, given the ongoing IPv4 exhaustion. And are these policies still serving the community effectively and as the community envisions that they are being upheld by ARIN and our Registration Services team?

For the Micro-Allocation, which is Section 4.4 of the NRPM, and Dedicated IPv4 Allocation to Facilitate IPv6 Deployment, 4.10, that’s why you know — that long title of 4.10 is why we always say 4.10 space and not dedicated IPv4 allocation to facilitate IPv6 deployment space.

Alright. So for Out of Region Use, so just to recap on the Micro-allocation, Section 4.4, there’s a /15 that’s been reserved — a /15 equivalent because it’s not a full /15 as a /15. It’s pieces of different blocks. It is on our website what those blocks are.

For critical infrastructure providers of the Internet, there’s also a /10, which is a full /10 of space that is reserved for facilitation of IPv6 deployment.

And the way — so the Out of Region, Section 9, doesn’t specifically specify that allowable use, whether in region or out of region. Today, current staff practice today is we are saying that this has to all be used in region. Right, Lisa?

Okay. I just wanted to make sure that we haven’t changed that.

So staff interpretation. These are only for use in the ARIN region. It doesn’t explicitly say that in any of the policies, but as we went through the Policy Development Process on those, that was brought up several times, that these two special pools are for use in the ARIN region and they were reserved specifically for that use and that use specifically in the ARIN region.

So currently requests for resources from these pools for use outside of the ARIN region are not approved.

We do get several requests for both types, both of these pools, the 4.4 and the 4.10, to be used outside of the ARIN region. And it’s usually justification is: Well, our RIR that serves us does not have these special pools, but we would qualify if they did. So we’re asking you if we can qualify with ARIN to get this space to run in IX wherever in the world or to facilitate the deployment of IPv6 anywhere in the world.

Today we tell them no, you don’t.

So questions for the community: Should organizations be allowed to justify 4.4 and 4.10 space outside the ARIN service region?

There’s a little bigger question with 4.10 that we’ve talked about in the past, and that’s leasing 4.10 space. And a lot of that gets leased outside of the ARIN region as well. We don’t need to confuse that with this question here.

This question is strictly, is that what the ARIN community understands the way those policies should be implemented and deployed? So the context aims to assess whether the existing policies around pool allocation and out-of-region usage meet the expectations of the community.

So questions, comments? I don’t see anybody running to the mic except for Kevin. Okay. Now we’re going. We’re probably getting some online. We’re here, we’re asking. That’s what this experience report is about.

Hollis Kara: This is the audience participation portion of this section. Head to the microphones if you’ve got opinions on this topic. And we’ll start, I think, Chris made it to the mic first.

Chris Woodfield: Chris Woodfield, ARIN AC. I’ll point out that regarding the question around 4.4 space, there is policy on the docket — I am the shepherd on the policy; I’ll be talking about it tomorrow — that addresses that exact question.

John Sweeting: Awesome. Thank you. Kevin.

Hollis Kara: Want to come across the room?

Eddie Stauble: Eddie Stauble, IPTrading.

Just to add a little complexity to the Waiting List, I’m proposing an ARIN 2025-3, which is to, for Out of Region Use, reduce that /22 to a /24. I would be against using Out of Region justification for the Waiting List or for 4.4 or 4.10.

John Sweeting: Thank you. Kevin?

Kevin Blumberg: Kevin Blumberg, The Wire. It’s incredible that this has come up a decade after free-pool exhaustion. The benefit or the reason why Out of Region came up in the first place was as a means to give organizations checkboxes in terms of checking off the utilization of their space. It wasn’t about getting new space for out of region.

All of the regions came up with their own soft hard landings a decade ago when it came to their free pools. If a region decided they don’t believe that Internet exchange points needed to have their own space, that was their decision in their region. And coming to this region, who did set aside for that purpose, we could have set aside for other purposes.

I just think it goes away from the spirit of what the Out of Region was in the first place, A; it goes against the entire point of these specified pools, B.

So, no, you’re doing it right. And, again, the purpose of the Out of Region was specifically to allow for justification prior and maybe justification for 8.8 space, not for people to get new space that was solely for out-of-region use.

John Sweeting: Thanks. You, me, and that guy behind you, we were all there on the AC doing these policies. That’s why we have a little bit of history knowing exactly what we were talking about at that point when we passed those policies.

Hollis Kara: Go to virtual.

Beverly Hicks: I have Kate Gerry of NetActuate: “While I think that traditional Wait List space should be at least 50 percent utilized within the ARIN region, I believe that 4.10 and other special space should only be utilized within the ARIN region.”

John Sweeting: Thank you, Kate.

Beverly Hicks: I also have a hand raised for a speaking whenever we’re ready.

John Sweeting: Sure, go ahead. Andrew likes to get the last word.

Beverly Hicks: Jason, you should be able to unmute now.

He put his hand down. Let’s try again. Jason, you should be able to unmute and speak now.

Jason Cook: Jason Cook, Dennis Group. I support, regarding 4.10 usage, I would support requiring an in-region justification and in-region use, but then also allowing out-of-region announcement to facilitate that migration if you have smaller sites there.

So, again, require in-region use, require in-region justification, but also allow it to be announced and used in other small offices or, like other locations that are outside of the region.

John Sweeting: Okay. Thank you very much, Jason. Andrew.

Andrew Dul: Andrew Dul, 8 Continents Networks. I would like to suggest perhaps we think beyond moving the chairs around again and again and again, and that perhaps many of these policies have now run their course.

And without any fees to prevent people from doing arbitrage between the free ARIN pool and the market, that they will just continue to do it with lots of different opportunities for us to continue to be tweaking this text for the next two, three decades? Who knows? So perhaps we should stop doing this and move on to something else.

John Sweeting: Thank you, Andrew. A very fresh perspective on that. But it’s what keeps our days interesting around the ARIN region.

Okay. Anybody else?

Hollis Kara: Got another virtual.

Beverly Hicks: Alan Rowley, Citizens Support: “I do not believe that this should be allowed for Out of Region. Within ARIN, for ARIN region only. Outside of the ARIN region, they can choose to purchase a /whatever pool via their RIR or auction.”

I also have one more. Do you want that?

John Sweeting: Yes, please.

Beverly Hicks: And Tyler O’Meary, no affiliation: “Regarding 4.4 space, in my opinion we should ensure that AnyCast usage out of region is acceptable if it’s also used within region.

John Sweeting: Okay. Thank you very much.

And I just want to note — I forget who came up and said they have — Chris — a policy for Out of Region Use. There’s a few policies talking about Out of Region Use for these different pools. So you’ll hear about that in the policy block this afternoon and tomorrow afternoon.

If there’s no other questions —

Hollis Kara: I think you’re good. The queues are clear. Thank you, John. (Applause.)

Thank you, everyone. Next up we have Eddie Diego, our Policy Analyst. And he’s going to give a Regional Policy Update.

(Applause.)

Regional Policy Update

Eddie Diego: Hello, everyone. I’ll be giving the Regional Policy Update, which consists of policies from AFRINIC, APNIC, LACNIC, and RIPE NCC.

Starting in AFRINIC, as expected, no change since this last presentation was given. But as a refresher, they’ve had RPKI ROAs for unallocated and unassigned AFRINIC address space ratified by their Board and is awaiting implementation.

And the remaining three have all reached consensus and are awaiting review and ratification by their Board. So we’ll continue keeping an eye on these.

Moving on to APNIC, they just had their meeting a couple months ago in February, and the following two proposals were presented. They remain under discussion.

Prop-162: Whois Privacy, removes member organization contact details from APNIC’s bulk Whois data. And prop-163: Enhancing Whois Transparency and Efficiency Through Referral Server, suggests implementing Whois referral server support to automatically redirect to the appropriate RIR database. And that would include any NIR databases where applicable.

Moving over to LACNIC, they also have two proposals under discussion. Temporary Transfers, 2023-7, does basically what it sounds like, suggests temporary transfers of IPv4 addresses.

And brand new, just in time to make it onto this slide deck, is 2025-1, Distribution of Resources to Individuals. LACNIC’s current policy only allows the registration of resources to organizations. So the author’s suggesting allowing the registration of resources to individuals.

I wanted to mention it’s so new that if you go to their website, it actually hasn’t been translated to English yet, so if you’re looking for the English translation, it hasn’t actually posted to their website yet.

Also wanted to mention 2024-4, Log of Allocations from the Pool of IPv4 Addresses Reserved for Critical Infrastructure, was ratified by the Board. And I was going to let you know keep an eye out for its implementation because I heard it’s going to be implemented soon. It ended up being implemented on Friday. So you can now see their log of allocations from the reserve pool for critical infrastructure on their FTP site.

Moving on to RIPE NCC, they also have two proposals under discussion. Revised IPv6 Assignment Policy suggests clarifications to IPv6 assignments policy, including wording, definitions, and requirements.

There’s quite, quite a few updates in this particular proposal. So for details I’d recommend taking a look at the actual policy text, and I’ll have a link to all the proposal links’ websites for the five RIRs in the last slide.

And 2024-2, IPv6 Initial Allocations /28, RIPE NCC’s current initial allocation size for IPv6 is a /32 up to a /29. So this proposal suggests increasing that from a /32 up to a /28.

And this is that slide I mentioned with the links to the five RIR proposal and policy pages, if you’d like to look at more details or look at responses and feedback from the various working groups.

And off the right, the NRO Comparative Policy Overview can be viewed from that link. The NRO maintains an easy-to-follow table where you can sort of get a high-level overview of the various policies, similar policies across the five RIRs.

And that’s all I had. Thank you. (Applause.)

Hollis Kara: Alright. Thank you, Eddie. Do we have any questions for Eddie? Please feel free to approach the microphone or start typing. Nope, I think we’re in the clear. Thank you, Eddie.

(Applause.)

We are cruising ahead at breakneck speed.

Next up I’d like to invite Kat Hunter, the ARIN Advisory Council chair, to give an ARIN AC Update and On-Docket Report.

(Applause.)

Advisory Council Update and On-Docket

Kat Hunter: Thank you, Hollis. Good morning. My name is Kat Hunter, and I am the Advisory Council chair this year. This is the Advisory Council Update and On-Docket Report.

The Advisory Council, or AC, serves in an advisory capacity to the Board of Trustees on Internet number resource policy matters and related matters.

Adhering to the procedures in the Policy Development Process — you’ll hear us say the PDP — the AC forwards consensus-based policy proposals to the Board for ratification.

There’s currently 15 members of the Advisory Council. So this is the 2025 Advisory Council. Like I said, I’m the current chair. Matthew Wilder is the vice chair.

We also have two chairs for working groups.

One is Brian Jones, for the Number Resource Policy Manual Working Group, and Alison Wood is our chair for the Policy Experience Report Working Group.

Welcome to our two newest members this year, Lily Botsyoe and Bill Herrin.

AC members serve a three-year term. Five members are up for reelection each year, typically. Sometimes that changes, depending on whether someone serves partial time, and then we’ll have a one-year fill-in.

AC members whose terms end December 31 of this year: Gerry George, Brian Jones, Kendrick Knowles, Gus Reese, and Alison Wood.

You’ll find the AC at other RIR meetings, you’ll find us observing policy that’s currently under discussion. You’ll also find us at NANOG meetings. You’ll probably see more than one of us at NANOG meetings. The AC sends one person from the Advisory Council, but many of us are a part of the network operations. And you’ll see us there for our day jobs as well.

So you’ll see us at APNIC 59, 60; both of the ARIN meetings, hopefully; NANOG 43, 44; both RIPE meetings; and all three of the NANOG meetings. And you’ll see most of us at the NANOG 95 meeting as well because the meeting with the ARIN and NANOG meetings are back-to-back, so it’s very easy for all of us to attend.

On top of all the policy work we do, we also have some additional volunteering roles. As I mentioned before, we have the two Working Groups: The Number Resource Policy and the PER, or Policy Experience Report, group.

You’ll find us being part of the Nomination Committee, the Grant Selection Committee, and as Fellowship members for each meeting.

So Advisory Council activity. So we have had five proposals come in since the last meeting. Up until about a week ago or two weeks ago, we thought this was three. We had two proposals rush in right after our last March meeting.

Three of the proposals are in draft state. Two of them are currently just proposals. We don’t discuss proposals at the meeting because we’re still in the process of working with the authors at this point. And there’s a lot that happens before we actually take these proposals onto the docket.

So to eliminate a lot of the confusion, we don’t actually talk about the proposals at the meeting. However, there is open mic, so if there’s topics that are relevant to this, you can always discuss them during open mic.

One more note I wanted to make, a couple of these slides have stars next to the draft names. Those were submitted by AC or working groups, and we still are on the same track to have more policy coming in from the community than we have coming in from the working groups or AC members.

So I don’t think I’ve ever seen zero recommended drafts at one of our meetings. The AC has worked really hard to push policy forward that either needs to be moved to the next step and moved to the Board or to be abandoned.

Staff and Legal takes a lot of resources to get those items completed. The AC is working very, very diligently in trying to get these policies in the best state possible before we get the resources to run the Staff and Legal.

So in order for the policies to be recommended, they should be fair, impartial, technically sound, and have some sort of community support at that point. Now, we do have a lot of community support, maybe, from the mailing list, but we don’t always have the same people participating on the mailing list as we do in the meetings.

So some of these policies could potentially be recommended drafts for this meeting, but some people in this community that have attended today may not have seen these policies yet.

So a lot of the shepherds really wanted to give people the opportunity to look at these policies before we moved it to the next step.

That being said, there are eight draft policies. It’s a little better than last meeting. We don’t have, what, 11 or 12 policies to discuss this time. It’s eight. Some of these you’ve definitely seen before.

So we have ARIN 2023-8: Reduce 4.1.8 Maximum Allocation. This is in reference to the wait list and changing the size from /22 to a /24 for what you’d receive.

ARIN 2024-5: Rewrite of NRPM Section 4.4 Micro-Allocations. This is in reference to the critical infrastructure space. If you’re an IX, into peering, are part of this, you definitely need to pay attention to this one. And we need more input on this as well.

ARIN 2024-7: Addition of Definitions for General and Special Purpose IP Addresses. Kaitlyn, thank you for the awesome subject because I don’t think I need to explain that any more than what the title says there.

ARIN 2024-10: Modernization of Registration Requirements. This is for SWIPs and registrations and to change the length of time that is required from seven days to 14 days to get the registration in.

ARIN 2024-11: IPv4 Transition Efficiency Reallocation Policy, ITERP. This is in reference to reassigning 4.10 space to qualified end users.

Draft Policy ARIN 2025-1: Clarify ISP and LIR Definitions and References to the Address Ambiguity in NRPM Text. So this includes definitions and changing some of the places where only LIR is listed or only ISP is listed and really realigning what was intended in that text. There’s a lot of redline in that, but once you see it in the form that they’re going to present it, it makes a lot of sense.

ARIN 2025-2: Clarify 8.5.1 Registration Services Agreement. This removes the RSA versioning from the NRPM text.

ARIN-2025-3: NRPM Section 9, Out of Region Use. This changes the text from a /22 to a /24 for use in the ARIN region before justifying out-of-region use.

So, all of these have sort of passed that proposal state that’s been determined that they are in scope, the problem statement is clear, and that the text that’s changing matches that problem statement.

On top of that, a lot of these also meet some of the recommended requirements at this point.

So policy statistics. Maybe next year we’ll finally be rid of that 2019 bar. So that 2019 bar was when the working groups were actually put in place. There was a backlog of policy to work on. So we were pretty busy during that time. But since then the policy’s generally stayed about the same, maybe even gone down a little bit.

So Advisory Council Working Groups. The Number Resource Policy Manual Working Group is back, but it is not the same that it was when we first started working with it. So that group had the charter changed slightly.

Originally that group was intended to comb through the Number Resource Policy Manual and create policy that they felt was important.

That group since will find text that may need to be changed, go on the Mailing List, make suggestions that they feel may need to be changed and leave it up to the community to make those changes. We’ll give that some time and see what everyone thinks.

There are times when the community thinks it’s a fantastic idea to work on it and then nobody actually authors anything. At that point, then the Number Resource Policy Manual Working Group will write the policy, and you’ll see it come from that group.

In addition, we added one more function to the charter where the Number Resource Policy Working Group will help shepherds when they’re stuck on policy. Sometimes you work on this policy long enough that you get writer’s block.

And we found that the table topics at the ARIN meetings have been extremely successful. And we’ve sort of created a miniature version of that with other AC members to sort of collaborate and get some of these policies moved on.

As I mentioned, Brian Jones is the chair. Lily Botsyoe and Kaitlyn Pellak are on this working group. And Matthew Wilder and Eddie Diego attend in an advisory manner.

The Policy Experience Report Working Group. The chair for this is Alison Wood. Liz Goodson is also on this as well, as is Chris Woodfield. And Matthew Wilder and Eddie Diego also serve in an advisory capacity to this group.

They will actually take the report that you saw from John Sweeting and any input that you give at the meetings and make decisions, sort of similar to the way that the NRPM Working Group does. They’ll make suggestions to the Mailing List: Do we want to work on some of these problems? In addition to that, they’ll listen to what you have to say at the microphone and make decisions based off of that.

So policies submitted from the working groups, this has gone down dramatically. In fairness, we did shelf the NRPM Working Group last year. So there wasn’t really an opportunity for them to submit new policy. But I think both working groups have been very careful to allow the committee to submit the policy themselves first.

So Hollis went over the lunchtime table topics, but I will ask for this again because we are coming close to that time. There is some Section 6 rework. Kaitlyn Pellak and Lily Botsyoe will be running a table on that. And there is a table on the Critical Internet Infrastructure, CII, Allocations. Chris Woodfield and Bill Herrin will be on that one.

And I am not going to be self-serving on this one. The NRO also has their table topic as well for ICP-2.

And that’s it. Any questions or comments?

Hollis Kara: If you have any questions for Kat, please approach the microphones or start typing.

Tina Morris: Tina Morris, AWS and ARIN Board, I guess. Just a comment about the working groups. I was chair of the AC when they were created, and I think they do fantastic work. But caution not to seek too much work. Be there to respond and look for things, but we don’t need a docket full of policy change edits.

Hollis Kara: Go ahead, Kevin.

Kevin Blumberg: Kevin Blumberg, The Wire. I’ll echo what Tina just said. Chicken Little, the sky is falling. ARIN has eight, 10 policies in the docket continually every day, every meeting.

Other regions, one, two policies. I am concerned continually that we are generating “the sky is falling” editorial changes because we think it’s important. And the really important policies get missed by the community as a whole because it’s just lost in all the other little policies.

I don’t know how you identify the difference because everybody views their policy as the important one. But just echoing Tina, don’t generate policy for the sake of generating policy, because you will lose discussion on the really important things that do matter.

Kat Hunter: Right.

Hollis Kara: Do we have any online questions? Nothing online.

Alright. Looks like the queues are closed. Thank you, Kat.

Kat Hunter: Thanks. (Applause.)

Welcome to the first switch in the batting order. We’re running ahead of schedule, So I’m going to go ahead and invite John Curran up to the stage to give us an update on the Number Resource Organization.

Number Resource Organization Report

John Curran: Okay, good morning, everyone. I’m John Curran, and President and CEO of ARIN, but I also have a role in an organization called the NRO, the Number Resource Organization. I’ll be talking a little bit about that.

The NRO is the organization that the RIRs use to coordinate amongst themselves all the activities we use to keep the Internet Number Registry system running. So, it’s not really a big organization, it’s just a title we use for how we do our work together. So let’s talk about it.

It was formed by an MoU in October of 2003. We had a signed addendum that talks about the registry system responsibilities to make sure we don’t violate its uniqueness, that we do things to promote it, that we make sure it’s public so people can access it. And we cooperate for the provision of consistent, effective global services. So, we have an MoU, and we have an addendum to the MoU.

Now, what’s our mission and vision? It’s pretty simple. We coordinate and support the joint activities of the RIRs – that’s it – to make the Number Registry system work.

Our vision, a little more ambitious, to be a flagship and global leader for the collaborative Internet Number Resource management as a central element of an open, stable and secure Internet.

And the vision is because it’s not just enough for us to coordinate the RIRs, we also need to understand why are we doing this. Why do we have RIRs and why do we work together this way? Why is it important?

Well, it’s about maintaining the open, stable, secure Internet. That’s why that mission is important.

How do we do it? We have an Executive Committee. Hans Petter of RIPE is the Chair. I’m currently the Vice chair and Secretary. Jia Rong Low is Treasurer. Ernesto from LACNIC is on it. And AFRINIC is currently vacant. We’re waiting for them to have a governing Board, and they’ll appoint somebody at that point.

We have a permanent secretariat hosted at APNIC with German and Laureana. And they maintain the records for the organization, similar things.

One of the big things we’ve been doing recently is we’ve heard feedback about RPKI and the fact that five RIRs running independent RPKI programs can be challenging to coordinate with all of them and we should have higher levels of consistency.

So, we’ve managed to get our RPKI teams together, work on trying to do exactly that, more common ways of approaching things like how we structure our RPKI certificates, what services we use, our publication services. And we’re busy working through that process now. And it’s a little different.

We have, again, five organizations that are independent organizations with their own budgets, governing Boards, trying to make one service that looks somewhat consistent. So, this doesn’t change how any of the RIRs are governed, but it provides at least a forum for us to talk to each other specifically about the service, see if we can get better commonality on it.

We have Coordination Groups. So, a lot of what happens at the NRO is we engage with other organizations. We might have some booth at IGF or we might be participating in an event somewhere. The communication groups work together to make that communication consistent. The engineering groups work together to make sure our services interoperate as they have to do it. Registration Services, all your transfers that go inter-RIR.

So, all of the teams work with each other, their counterparts, on the other RIRs. Some a lot more than others, obviously, like Registration. Some less: Legal, Finance. It all depends on what level of activities we have.

But the Coordination Groups are just labels we give to the respective departments when they’re working together in a coordinated fashion.

Now, we have to fund this because there’s some costs. So, for example, the secretariat, the cost of RPKI. We have a Program Manager. The costs of meetings, we do get together and have meetings periodically. Traveling. The ASO AC is a component. The NRO Number Council serves as the ASO AC. So, we have to fund the ASO AC and their travel for activities. Any Internet governance we fund.

So that adds up to about $628,000.

We also contribute to ICANN. Since the first year ICANN was formed, the RIRs collectively agreed to pay $823,000, and we’ve been doing that since ICANN’s inception back around ‘99 or 2000. I can’t remember when it started. We predate – the RIRs predate ICANN obviously. We’ve been doing this for a long time, and then the DNS community decides to do its ICANN thing.

Recently, when we did the IANA stewardship transition, we created a contract for the specific IANA services we received, and we actually allocated. We said the money we’re paying is $650,000 for that, and the rest is voluntary contribution above and beyond for ICANN. So that’s how that $823,000 breaks down.

We also have a Stability Fund where we’ve all pledged resources. It’s not part of the budget. It’s not allocated separately. It’s monies that we have available and maintain available in case it needs to be drawn by an RIR.

If an RIR were to see some untoward event that would endanger its operation, the Stability Fund is there, and there’s a document online that describes how it works.

Now, the costs have to get allocated every year. That’s the costs of the program and the costs of the ICANN contribution we do each year. And those are broken down based on the size of each RIR. And the number we use for that is the total Registration Services revenue.

Non-Registration Services don’t matter, but we look at actually the Registration Services revenue of all the RIRs. We break it down by percent out of 100 percent.

So ARIN ends up paying 32.7 percent; RIPE pays 33; LACNIC, 12; APNIC, 21; AFRINIC right now,

because of its governance situation, isn’t paying. So, we actually have to reallocate that – it’s a little interesting. We’ll have to see what happens when they resume normal governance structure.

AFRINIC situation, now that we’re mentioning it. So, we’ve been monitoring that. It’s an independent organization. Each RIR is. We’ve been coordinating with ICANN because obviously ICANN provides a little bit of coordination and oversight to the system.

And we’ve offered support to something called the Private Receiver. AFRINIC has a receiver appointed who makes all the decisions because it has no governing Board right now.

We’ve increased engagement with the African Internet community to let them know what’s going on. There’s an upcoming election in June where AFRINIC will get a new Board. We’ll get people engaged to make sure they have a Board that they want, the one that supports them.

We’ve been working with them on the AFRINIC Internet Summit report. As an RIR, there’s only so much we can do while AFRINIC is in this current situation, while collectively the RIRs work together through the NRO to provide the support that’s reasonable without getting in – this is truly something for the African Internet community to deal with. But we pay a lot of attention to it.

One of the things that happened with AFRINIC is we realized that we set up a system for recognition of new RIRs, and that was how LACNIC was recognized and then how AFRINIC was recognized.

But we didn’t really say that much about the maintenance and care, the ongoing feeding of RIRs. So, that’s something that we kicked off. The document for the recognition of RIRs is called ICP-2. There will be a whole presentation about that coming up tomorrow.

We asked the NRO – EC, Executive Council, asked the NRO Number Council, what also is called the ASO AC, to help with two tasks. One is to do a set of implementation procedures for the existing ICP-2 document. And that’s been done and that’s in place.

And it talks about how we handle the recognition and derecognition, if necessary, of a nonperforming RIR. But it’s based on the existing document. And we thought, really, this is a community document. The community should have a chance to look at it.

So, there’s a complete process that started out with a set of principles and a consultation, and now there’s a draft governing document. You’ll hear a lot about it, but that’s being run by the ASO AC.

The ASO AC, amongst other tasks, handles tasks as defined by the NRO Number Council to – the NRO EC to – better improve coordination of the system.

And we did ask the community-elected ASO AC could they go forth and do these two things. They’re on the second one now, on strengthening ICP-2, doing a more robust, more community-anchored, more complete document that governs the governance of RIRs, how they’re recognized and how they’re de-recognized.

There’s going to be a discussion at one of the lunch topic tables; we’ll all be chatting about that.

Publications. The NRO also publishes some things. We publish the Number Resources Status Report, which you’ll see, given the global status on IPv4, IPv6 and ASNs.

We do RPKI adoption reports that we update online. You can see how that’s doing across all the regions. All of that is available on the NRO website.

We also do a Comparative Policy Overview, which was actually – Eddie just picked up and did some presentations on that. It’s just information that we get asked for frequently, we decide we’ll make standard publications for to make everyone’s job easy.

There’s an IANA Review Committee. When the IANA Stewardship Transition Project completed, we ended up with a situation where the ICANN and its Public Technical Identifier subsidiary, what we call PTI, they provide IANA services to the RIRs: They run the central unallocated registries for IPv4, IPv6 and ASNs, and they use the global policies we develop to issue number resources to each RIR.

We get services because they have to receive the requests from the RIR, look at them, validate them, and then approve them and issue the resources.

There’s an IANA Review Committee that our agreement with them, the SLA for IANA numbering services, calls for a review committee to review their performance.

We have two community-elected members, an RIR staff representative from each region, they can go online and see. They review to make sure that the service that the RIRs are getting from the IANA is satisfactory and that you can all see that.

I will say that the IANA has been exemplary in their performance, ICANN and PTI, really have done an excellent job.

The Review Committee members are there. And we have Amy Potter, Nick Nugent and John Sweeting from the ARIN region participating.

IANA SLA Amendment. We realized that the services we get isn’t just managing the free pool. One of the other incidental services we get is the reverse DNS zones that are built and put in the DNS system are built by the same team.

When ARIN was formed in 1997 and it was formed out of the Network Solutions team that was doing the Internet contract, one of the things we had to do was build the central zone file for the reverse DNS zones.

Once ICANN got formed and running and stable, the RIRs collectively chatted with IETF and then chatted with ICANN and said can you take this on. And so ICANN has been doing it since 2012 or so on, building the reverse DNS zones so that each RIR, its own piece of Number Resources, when it does allocations, we all run our own reverse servers, but we need someone to run the top-level ones and put the pointers in.

And ICANN’s been doing this. But we really didn’t have a contract for them to do it. They did it because we asked in 2011, 2012. We realized, well, we have an SLA services agreement, we should amend it to specifically say provide reverse DNS resolution services for the top zones. That’s something that took a little while.

Sometimes it’s easy to do something and it’s harder to make the paperwork to reflect how you want it done. It took us a while, but we have the paperwork in place now, and that’s part of now the IANA services we get under that agreement.

ICANN Empowered Community: The NRO serves a very interesting role. When we did the IANA stewardship transition, basically was the 2016, ‘17, ‘18 activity of the US Government relinquishing its contract with ICANN over ICANN’s services for names, numbers and protocols, the decision was made that instead each community would contract with ICANN.

And so the RIRs collectively; We have our SLA for IANA numbering services. The IETF has an RFC, RFC 2860, which is an MoU for how all the protocol registries are maintained.

And the DNS community, we presume that the ICANN organization representing the DNS community would contract with an independent organization to do that. That didn’t happen. Instead, they made the decision that they wanted to have ICANN – we actually figured the DNS community would contract separately.

Turns out that didn’t happen. They wanted to have ICANN contract. That’s why there’s a PTI affiliate that ICANN contracts with for the DNS Root Zone.

At the last minute, the DNS community said just in case we should have one more protection over ICANN. And so they put in place the Empowered Community, and this is in case the ICANN Board doesn’t do an adequate job of representing the communities that it contracts for.

There’s a group which has procedures that is responsible for appointing, actually seating ICANN Directors and removing ICANN Directors and ratifying bylaw changes. Those have to be done not by ICANN’sBoard, but by the Empowered Community.

It’s an entity above. It’s a very strange thing. But it’s made up of some of the ICANN constituency groups, and ASO is also – the NRO serves as one of those, one of the five, and so you can go see our procedures.

In general, you won’t hear anything about this because, in fact, at no time has ICANN’s board or its processes, policies, not declared its own policies. So, these are all pro forma approvals.

However, if at some point they were to make a bylaw change that didn’t follow the community processes or they were to appoint directors in a way that was improper or somehow if they violated their own governance, the Empowered Community could actually step in and make direct changes if that were necessary.

Hopefully that’s never the case, but we have one stopgap there just in case.

With that, I’d like to end the presentation on the NRO. I’ll take questions on it, and the microphones are open.

Hollis Kara: Please approach the microphones if you have questions, start typing if you’re online.

Mike Burns: Mike Burns, IPTrading. Going back to the ICP-2 negotiations, it strikes me as a little unfair that there’s no African representative on the NRO while this is going on. I understand there was a request for public commentary. Do you know, did you get much commentary from Africa?

John Curran: It’s interesting, you say there’s – what aspect do you consider unfair or inappropriate?

Mike Burns: It seems like AFRINIC is both the subject and going to be affected by this ICP-2. And it seems natural that they should have a voice in the development of the principles as well as the draft document.

John Curran: Right. So at present they have as much voice, the AFRINIC Internet community, as every other community.

Mike Burns: Except they don’t have somebody on the Executive Council.

John Curran: So let’s talk about this. You raised ICP-2. Let’s talk about that first. ICP-2 is right now being done by the ASO AC. They’re administering the process. But the community process – how the principles were put out, how comments are done, how it’s being integrated, how this governance document review is happening – is all a public process. Okay?

Now, the NRO EC, we did get a copy of the governance document that we looked at and said here’s some places where there might be issues; but even that, we provided the feedback back to the ASO AC and said this is what we see collectively.

What’s interesting is, at the end of the day, all the RIRs will have to agree to the new document.

Mike Burns: That was my follow-up.

John Curran: And ICANN has to agree to the document. ICANN has not yet weighed in on any of this.

You can imagine there would obviously be folks at ICANN looking at what we’ve gone through over the last few years and think, hmm, maybe we should have a stronger role because things like AFRINIC did happen.

You could also see someone saying, wow, I’m not sure I want that responsibility. And so we actually don’t know how ICANN’s board and its community that feeds its board are going to go in.

So we’re very early in on this process. We thought we would get it started early. We’ll get the principles. There will be consultation. It will go from principles to the current governance document.

But AFRINIC’s having an election with the Board in June. They’ll be coming in and joining everyone else, and that Board will have to sign off on agreeing to the document just like each RIR board will do.

I don’t know – I actually had the privilege of briefing ARIN’s Board the other day, and I said, “I don’t know.”

They went, “What do you mean, you don’t know?”

“I don’t know what the final document is going to look like. I don’t know whether it’s acceptable to ARIN. We don’t have any firm positions.”

So when you’re saying ICANN doesn’t have a seat at the table, well, none of us have a seat at the table.

Mike Burns: No, AFRINIC.

John Curran: AFRINIC doesn’t have a seat at the table. None of us do. It’s way too early for that process.

Mike Burns: You say that, but you’re involving every RIR but AFRINIC in the early stages of generating the ICP-2 document. And I just think, even for appearance sake, it would make more sense to have – to just wait a little bit until June when the Board is reconstituted before you do this stuff because you know what they’re going to say.

John Curran: You’re commingling two things. I want to again be clear. We’re involving every RIR Internet community, including Africa’s Internet community.

Mike Burns: How many responses did you get from Africa for the public –

John Curran: We can cover that tomorrow. A large number, a very large number.

Mike Burns: That was my concern.

John Curran: Additionally, just to be clear, the NRO EC, we’re not driving this, we’re not reviewing it.

By the time we actually do our first formal comment on what is now a governance document that came out two weeks ago, by the time that gets through this process, which is going through May, okay, and there’s a document, it’s quite possible they’ll have a Board.

Mike Burns: John, all through this, you are talking to us right now as a community, as an ARIN meeting, where people participate; but AFRINIC has been without that for quite a long time. They don’t have somebody at –

John Curran: This is the African Internet community, not AFRINIC.

Mike Burns: But they’re related.

John Curran: There’s nothing to prevent – let’s go back to your other topic, which isn’t ICP-2, but is the NRO EC, the NRO Executive Council. There’s nothing to prevent from AFRINIC, if it turns out that the receiver is the party that controls their corporate powers, in theory, a decision could be made to appoint someone using those powers.

Now we’ve said it should be elected by, a member-elected governing board of the RIR should be the one that appoints someone to the NRO EC.

Mike Burns: The EC members currently said that to AFRINIC?

John Curran: We have.

Mike Burns: AFRINIC didn’t have a voice in that. The other RIRs said to AFRINIC Receiver: Look, we don’t want you to appoint a member to the –

John Curran: No, not that at all.

Mike Burns: I thought that’s what you just said.

John Curran: I want to be clear. We’ve met with the Receiver. We have not received a request to appoint someone, but they know there’s a possibility. In fact, we have attendees from AFRINIC on our Executive EC calls.

I guess what I’m trying to say is that if you’re speaking on behalf of Africa and AFRINIC about a problem with the NRO EC, I want to really talk about who’s there, because they’re more engaged than you seem to be letting on.

Mike Burns: I see they’re vacant from the Board, and the Board is involved in the development of the ICP-2.

John Curran: It is not.

Mike Burns: Well, it seems like –

John Curran: It is not.

Mike Burns: – you’re here talking to us about it.

John Curran: Actually, the session about it is tomorrow. I mentioned it because we’re the ones at the NRO who kicked it off.

Mike Burns: Regardless. It’s a session at a meeting to inform the community about it. That’s something AFRINIC doesn’t have.

John Curran: It does, actually.

Mike Burns: They don’t have meetings.

John Curran: I’m sorry. If you go online and you look – you should wait until tomorrow if you’re going to talk about the ICP-2 process.

Mike Burns: What about lunch?

John Curran: You should look at the actual consultation. Every region is having seminars, webinars, interactive, to provide comments. Every region, including Africa, is having a consultation.

Mike Burns: Except they’re not having meetings.

John Curran: They’re having an online meeting for that purpose.

Mike Burns: But it’s not the same as the meeting we’re attending, or in Toronto.

John Curran: Then the right thing for you to do is to speak to the African community about what you want them to do.

Mike Burns: Or I can speak to the rest of the RIRs and say why not delay until you have a Board and AFRINIC can have the same kind of voice that the other RIRs enjoyed with a fully informed and engaged community.

John Curran: They have exactly that, and they’ll have it in this process once they seat a Board. We can’t control their timeline.

Their timeline for an election was actually before all this started. We can’t control that. We still don’t know. While June is the date, you would have us hold the whole system awaiting – actually,there’s some problems they have to address themselves, and we cannot hold the whole system in the leeway.

Mike Burns: The system of the development of the ICP-2 is not something that is acute.

John Curran: Is something that’s not acute?

Mike Burns: It’s something that’s not an acute need.

John Curran: I would argue that distinctly.

Mike Burns: If it is acute, then it shouldn’t be pursued without AFRINIC’s full participation just like the other RIRs.

John Curran: They have full participation.

Mike Burns: They don’t even have a Board.

John Curran: Mike, I’m sorry, I really need to move on to other speakers. But I just want to say, if you have folks from the African community you want to raise this, bring them up, okay? Because we’re hearing the opposite from them.

Mike Burns: Fair enough.

John Curran: Next speaker.

Caleb Ogundele: Hi. My name is Caleb, and just to corroborate a little bit of some of the thingsyou did mention: I’m quite active on the AFRINIC Mailing List. So, I’m aware that staff did run consultations with the Internet community from Africa.

And just to also mention that they have the African Internet Summit, which they usually hold every year, even though it’s not constituted in collaboration with AFRINIC. But most of all the African Internet players do attend that meeting. So, I just needed to put that in perspective to corroborate some of the things you said.

And the fact that the ICP-2 had a lot of consultation within the community and feedback has been given, despite the fact that there are challenges within the community that, yes, there’s no Board constituted at the moment, the fact still remains that it’s still the community that needs to contribute to the ICP-2, not really the AFRINIC Board itself.

So, it’s the community that needs to come and put that, for lack of a better word – the community that needs to actually contribute to it.

Now, to my question, the reason why I’m here, I was looking at the Stability Fund, and it gotme very curious. Like AFRINIC hasn’t contributed, yet there were a lot of allocations done within that 2024 period.

I understand that they do not have a Board, which it’s obvious to everyone, but is there going to be an opportunity for them to backfill their contribution to that Stability Fund?

John Curran: We have to keep the NRO running. So, we’re all contributing enough money to keep the NRO running. We’re obviously incurring expenses on behalf of the whole system, and that includes a system that benefits Africa.

So, when AFRINIC has a governing Board, we have to meet with them, discuss what’s happened in the past, but no one can make a commitment for a Board that hasn’t been seated.

Caleb Ogundele: Okay. But I’m just asking if you perhaps make that request that, given that there’s an established agreement, they need to.

John Curran: There’s been a lot of support for AFRINIC over the last few years, and you have to draw a line between making all the RIRs whole for that versus making AFRINIC the highest chance of success in getting itself to a stable position. That’s a very complicated matter.

So certainly we’ll have the discussion when there’s a governing Board, but it’s impossible to predict the outcome.

Caleb Ogundele: Thank you.

Hollis Kara: Thank you. Do we have any further questions for John either in the room or online? Nothing online, nothing further in the room. Alright. Thank you.

John Curran: Thank you. I look forward to everyone. (Applause.)

Hollis Kara: Thank you for the lively conversation. We’re heading into our lunch break. I will note that – Alright there she goes – in-person attendees please join us next door in the Carolina Room.

Reminder again that we do have three discussion tables, table topic sessions, happening at lunch. They’re listed on this screen. If you’re interested in any of them, please just look for the stanchion on the table and sit right down, take part of that conversation.

The virtual attendees, the meeting will resume promptly at 1:30 for the start of our Policy Block. You’re welcome to leave the window open through lunch or just exit out and rejoin us at 1:30. Virtual Help Desk will be open if you run into any issues.

Reminder, the room is not secure during lunch, so take that under consideration. And I will point out that the ICP-2 discussion presentation will actually be today following the policy block.

So, look forward to seeing you back after lunch. See everyone at 1:30.

(Applause.)

(Lunch break from 12:05 PM to 1:31 PM.)

Hollis Kara: Welcome back from lunch, everybody. Hope you enjoyed the break, had a chance to catch up on email and whatever other things you needed to take care of.

Before we get into the meat of the presentations for the day, this afternoon, we’ll be covering four draft policies.

First up will be Gerry George – Gerry, I see you – with Draft Policy ARIN-2023-8: Reduce the 4.1.8 Maximum Allocation.

Gerry, if you would like to come up. (Applause.)

Policy Block 1

Draft Policy ARIN-2023-8: Reduce 4.1.8 Maximum Allocation

Gerry George: Good afternoon, everyone.

Using the Caribbean term, it looks like they have me up opening the batting. I’ll try not to — crossing cricket with baseball — I’ll try not to strike out.

So we’re looking at Draft Policy 2023-8: Reduce 4.1.8 Maximum Allocations. And this policy has been around for a bit of a while, and it’s shepherded by myself and Brian Jones.

So it’s been presented at — okay, I’ll get to that after. This has been on PPML for quite a while, so I won’t go through the whole, long, drawn-out process of reading out the entire policy and so on. But essentially, in summary, it tries to reduce the allocation from a /22 to a /24 on the wait list.

Okay. We’ve also had some adjustments to the text, to the original text, to a final/current text as of February — not February, as of September of last year because it was last presented at ARIN 54 in Toronto, and we’ve not made any changes, we’ve not made any significant changes to the text since then.

And the reason for this policy is that the wait list was seen to be too long. It had been in excess of 30 months to get an allocation from the wait list.

And here’s the Policy Statement. And, again, I won’t bore you with the whole detail. It’s been on PPML for quite a while now.

And the changes that are recommended from the wait list — sorry, the changes that are recommended from the Draft Policy as far as the solution proposal since October of 2023 became a Draft Policy on the 21st of November of that year, revised 14 of February 2024, and another revision as of 30 of September. We’ve not had any revisions since then.

What we’ve been seeing is that the community on PPML has been kind of reasonably active, but what happens, that every time there’s a change or a recommendation, there’s a flurry of activity on the PPML, and then it kind of dies out.

And over time we’re not really seeing any changes in positions. So let’s look at some of the community feedback.

We have persons indicating that reducing from a /22 to /24 will not really have any significant impact. In fact, some persons are saying a /24 is too small for any reasonable business to operate, that the changes are aimed at reducing anxiety for the wait times on the list.

Someone else said that the Wait List at that time was in excess of three years, while the needs requirement, the justification had the 24-month time period. So by the time one became due for an allocation, that justification may have no longer been relevant. And also saying, hey, IPv4 is finished.

Push everyone to IPv6 and the problem goes away. Not quite practical. Okay.

Some of the key positions we saw from the membership is that there needed to be some protection for persons who are already on the Wait List, that their request for a /22 or /23 would not suddenly be replaced with a /24. So based on community feedback, that protection was put in place.

And, well, other comments in terms of is a /24 useful, is it sufficient, is it practical for an organization? Why still focus on IPv4 when, based on the scarcity, IPv6 is readily available?

So the policy impact. Let’s look at the possibilities if this policy is not implemented.

Okay. The IPv4 Waiting List times will remain currently at 18 to 21 months. At the time the policy was submitted, it was in excess of 30 months and growing. But it will remain at 18 to 21 months and will continue to fluctuate. And that has been observed over the past couple — probably close to a year now. It’s been within that time frame.

Runout will eventually happen, unless organizations return IPv4 addresses or space to ARIN, or the number of transfers and cost of IPs could be impacted. And, of course, there’s the lease market that deals with that.

The retroactive protections, as I mentioned, were put in, and that has been addressed.

The current state of policy. This has been active since November of 2023. It was presented at ARIN 53 in April, ARIN 54 in October. And the last text revision, September of 2024.

What we’ve found within the AC in our discussions is that the problem statement no longer accurately reflects the current state of the Waiting List.

Wait times have dropped from a high point in excess of 30 months, as mentioned, and currently we’re seeing 18 to 21 months. It is projected that the 18-to-21-month time frame will remain the same for the next few quarters.

The distribution activity — and just some statistics for your processing pleasure — in April 2023, there were 136 requests fulfilled, which distributed 65 IPv4 blocks. And the wait list size was 561. In July of that same year, 63 requests out of 34 blocks. The wait list size grew to 617. September, 29 requests out of 24 IPv4 blocks. Waiting list size, 702. December, 54 requests fulfilled from 37 IPv4 blocks, and the wait list size was 831. It’s a trend that the wait list size is actually increasing.

However, we’re also seeing that the — we have some more figures for the past year, which I won’t go through in detail. All the slides are available. But while the list size is increasing, the wait list time is actually decreasing. So persons on the list are getting their requests fulfilled much quicker than at the time that this policy was proposed.

Another point of information, in August of 2024, the wait list had 703 entries. And if all those entries were issued /24s, the entire wait list would have been eradicated.

Current state of the policy. Wait list sizes, and we see the changes in size of the wait list, the growth over time. The top of the queue, as of April 1, the request was from June 2, 2023, for a /22; a /23 from June 5; and a /24 from June 7.

The current requests at 908, and that is as of the date that the slides were prepared. But as of today, the Wait List is actually 872, with the latest entry coming in today.

And you have the age of the requests. In 2023, 298 requests; 2024, 513 requests; and 2025, 395 requests. So as I said, as the graph shows, the wait list is actually increasing; however, the time to fulfillment is shrinking.

So future of this Draft Policy. The best-case scenario, large IP blocks are relinquished or returned to ARIN and people get IP addresses. Worst-case scenario, IPv4 completely runs out and only the transfer and lease markets will be available or IPv6 transition.

What happens in the future if demand drops or increases? Well the wait list is somewhat self-adjusting, and it kind of takes care of itself as we’ve seen over the time.

So presently the Policy Statement is not quite valid. However, if things change in the future, a proposal can be rewritten or resubmitted that would avoid some of the technicalities of the current policy or problem statement and a new policy can be addressed.

So just one last point. There would be some changes to this Draft Policy, but those changes are mainly editorial because of a new change incorporating the NRPM 2025.1. And it just changes the language and actually simplifies the language.

So where it had a whole long, drawn-out statement, it now comes down to all ISP organizations without any IPv4 addresses from ARIN automatically qualify for an initial allocation of a /24.

Questions for the community. One question: Should we keep working on this policy?

We go to the mics.

Hollis Kara: Alright. I’d like to welcome Bill up to the stage to help to moderate and ask folks to either approach the microphones to queue up with their questions or comments and our virtual attendees to begin typing.

Over to you, Bill.

Bill Sandiford: Alright. We’ll start over here on this side.

Mike Burns: Mike Burns, IPTrading. So I authored this policy, and I think we should drop it. It just seems like —

(Laughter.)

It just seems like things have gotten better over time. It doesn’t seem like — what seemed to be an acute problem getting worse seems to have stabilized. I would support dropping it.

Bill Sandiford: Thank you.

Andrew Dul: Andrew Dul, 8 Continents Networks. No.

(Laughter.)

Tina Morris: Tina Morris, AWS. Drop it.

Kevin Blumberg: Kevin Blumberg, The Wire.

Actually, I have a different view of this. I think this should be very simple. /24s are routable. /24s are usable. This is a free give to the community. It’s the free car. It’s not the whatever you want; it’s what we’re able to give as the community.

There’s lots of other uses we could have for this space. We’ve opted to have the wait list as a way of kick-starting new Orgs, new entrants. They don’t get everything they want.

Most comments have self-interest attached to them. It’s just a fundamental change. Change /22 to /24. We should have done it when we changed it earlier down to /22, but again that wasn’t the case. We don’t know what’s going on in the market. We don’t know anything. //24s are usable. The point of this is to give something usable.

We don’t need complexity to this policy. It is just knocking it down a /24. That’s all this policy needs to be. Thank you.

Bill Sandiford: Thank you. Quick response, then we’ll go to the online.

Gerry George: Based on the text of the policy, it means that whatever change that would happen would only kick in after the entire — after the current wait list is exhausted. So you’re still looking at an 18-to-20-month horizon before it happens.

Kevin Blumberg: This is the same thing with the last time. We had the exact same policy lowering it to /22. We told everybody then that enough was enough and we weren’t going to do that again. Obviously this is not — they’re rehashing that.

If you want to add in text that says this policy may change at any time and you being on the wait list does not ensure you get it, if you want to actually add that text in for good this time, by all means.

At a /24, it’s irrelevant anyway. There is no more, no less that you can give them. You’re not going to give them less. Once you’ve done it to a /24, at that point it doesn’t matter.

Gerry George: The protection for those on the wait list was probably the only overwhelming support that the community had for this policy.

Kevin Blumberg: Again, I don’t care about the protection for the existing members. That’s just a waste of everybody’s time trying to deal with that. Once it’s /24, we don’t need to keep rehashing that whole issue.

The protections, the last time we did this policy, the community overwhelmingly said, okay, we’ll deal with it this time, but it’s not going to happen again. And it’s happening again.

Bill Sandiford: Alright. Any more online?

Beverly Hicks: I have eight. How many would you like?

Bill Sandiford: All of them.

Beverly Hicks: Alright, let’s go.

David Farmer, University of Minnesota: “I support a change to /24 prefixes only from the wait list. I prefer not to protect shorter requests up to /22 already on the wait list.”

Kerrie-Ann Richards, Public Jamaica: “I support abandoning this policy as it seems, by the way of evidence, to be self-regulating.”

Jay Krivanek from Radio Toolbox: “I think I would support dropping this policy since wait times are coming down.”

Altie Jackson: “Please don’t drop it.”

Robert Hoppenfeld, Up in Two, LLC: “While the problem may have stabilized, I don’t think we should keep it on hold for — we should keep it on hold for now and not drop it.”

Keep going?

Bill Sandiford: Yep.

Beverly Hicks: Tyler O’Meary, no affiliation: “Although I disagree that the problem has gone away, I do not believe that this policy will get consensus and therefore should be abandoned.”

Mohibul Mahmud: “Yes, I believe we should continue working on this policy. The /24 cap addresses long wait times, but refinement is needed, particularly around existing wait list treatment, consistency across the NRPM, or NRPM, and clearly operating — an operating network criteria. With these adjustments, the policy will enhance accessibility while ensuring responsible IPv4 management.”

Brandon Knutson, Vantage Point Solutions: “We have helped new Greenfield Internet service providers that deploy Internet in rural America. It has been very useful to get both — to both get IPv address and dual-stack deploy IPv6 addresses, Internet still requires both.”

And Jason Cook, Dennis Group: “I don’t support this policy and believe it should be abandoned. The free market is available if you need IPs sooner. As a concession, I would not oppose reducing an organization’s maximum allocation to a /22 for the purpose of delaying run-out.”

I’m done now.

Bill Sandiford: If there’s nothing else, we’ll consider the microphones closed.

Hollis Kara: Thank you. (Applause.)

Alright, we’re going to move into our next policy. Before we do, I’m going to put out a challenge to the room. Y’all, I love you. NRPM is not a word. Can we just say Policy Manual? Can we all just make a handshake agreement to call it that? I’d appreciate it.

Next up, I’d like to invite Kaitlyn Pellak from the Advisory Council to talk about Draft Policy 2024-7: Addition of Definitions for General and Special Purpose IP Addresses.

(Applause.)

Draft Policy ARIN-2024-7: Addition of Definitions for General and Special Purpose IP Addresses

Kaitlyn Pellak: Hi, everybody. This is Addition of Definitions for General and Special Purpose IP Addresses.

Current text. Essentially — or the problem text is essentially the author wanted to clarify how certain IPs are referenced in the NRPM. There are certain spaces such as 4.10 space for IPv6 deployment or 4.4 space for critical infrastructure that are referred to frequently throughout the NRPM — I’m going to try to not say NRPM, I promise. And so they wanted to put forth a definition that would make referring to those specific IP addresses more easy to follow.

So this is the Policy Statement, which is essentially just the definition. At this point we did have one language change. We took it from “special purpose” to “reserved IPv4 and IPv6 addresses” in an attempt to clarify and make it a little bit more concise.

So we’re basically saying, ”Addresses that are reserved by ARIN for specific purposes including, but not limited to, maintaining critical infrastructure, facilitating IPv6 deployment, or temporary experimental purposes as approved by ARIN.”

So basically we’re trying to leave wiggle room in there in the event that ARIN does come up with other special purpose IPs in the future.

Like I said, this is the history. So, proposal came in last year. We presented it last year at — it was presented in the spring and fall. And then we did revise the language, as I mentioned, back in December of 2024.

My attempt was to try and get some additional feedback from the community, but it’s been a little difficult to get any kind of consensus around this definition. So that’s what we’re still working on.

Like I said, I think the majority of the community has said that one big issue that they take with this policy is that the author did not provide any examples or any actual textual changes to the NRPM. So they didn’t put any example of how the policy would truly be implemented.

So that was one suggestion that we received from the community, was that if we were to proceed with this definition, it should be — the policy as it is should be taken down. And then the author should resubmit a policy that includes actual textual changes to the NRPM that would illustrate how the definition would be put into place.

So that is one suggestion we received. And then we did get some support for that suggestion. And somebody else also mentioned that there’s some wordsmithing that could still be necessary, and it might create some additional complications if we did put this in place as it is currently written.

Like I said, a lot of the feedback has kind of trended towards abandonment and then resubmitting with the textual updates. Just as a note, if we were to submit this policy as written and it were to make it all the way through, there would need to be at least one additional policy that would effect the actual changes to the NRPM that the definition is proposing.

So like I said, probably would be some additional follow-up policies, knowing how things go with the NRPM. I would imagine that this wouldn’t all fit into one single policy if we were to implement this policy as written. So there would probably be at least one or two additional policies that would put in the definition into practice.

So considering that there would probably be some lengthy updates in that and it could get a little bit confusing, sothat’s just one thing to keep in mind.

And like I said, so at this point, we really haven’t had a lot of negative or positive feedback towards this policy. Everything has kind of been more about wordsmithing.

So with that in mind, I really want to hear — I’m looking for positive affirmation from the community that this is something that they would like us to continue to work on. I want to hear, like, enthusiastic support or enthusiastic nonsupport for this policy.

And that’s it.

Hollis Kara: Alright. The queues for the microphone are open. Bill is on his way to the stage to moderate, and I hope our virtual attendees are busy typing. Let’s get some feedback for Kaitlyn. She asked so nicely.

Kevin Blumberg: Kevin Blumberg, The Wire.

I don’t know how enthusiastic I will be. Dump it for a number of reasons, but the most important is this is an ineffectual change, A. B, more importantly, those sections actually should be self-contained. They are very different unto themselves.

And I believe that the strength of those particular ones is not relying on external definitions, commingling definitions, et cetera. I think this is actually a step backward.

If you want to improve the special reserves that exist, great. Do that. They should be self-contained and not be relying on an ambiguous definition. Thank you.

Kaitlyn Pellak: Just to clarify, you’re talking about the 4.10 and the 4.4?

Kevin Blumberg: 4.10, 4.4 specifically, but even if there’s others, they really should be self-contained because they’re talking about very special use cases.

The word “reserved” is not the important part. It’s how those spaces are used. Self-contain them. We don’t need these kinds of definitions.

Kaitlyn Pellak: Got it. Thank you.

Doug Camin: Doug Camin, CCSI. I support abandoning the policy, based more or less on the idea you had mentioned during your presentation that follow-up policies would be necessary.

So from a procedural standpoint, if we are going to do policy that requires a follow-up policy that is as-yet undefined and as-yet unsubmitted, they should be put together, which to me would say — and Kevin, I think, his statement, I would support his statements as well about the structure of those.

But in this context for this policy, I think it should be abandoned on the idea that if it is necessary, it should be put together with the corresponding changes that somebody wants to see in the future. Thank you.

Bill Sandiford: Go to the online comments.

Beverly Hicks: David Farmer, University of Minnesota: “I do not support this policy. It appears unnecessary.”

Bill Sandiford: Any others, or is that the only one?

Beverly Hicks: That’s the only one this time.

Atefeh Mohseni: Atefeh Mohseni, ARIN Fellow. I think the current language is specific and clear, so we should keep it as is.

Bill Sandiford: Thank you. Alright, last call for comments either in the room or online. Alright, seeing and hearing none, that’s it. Thank you very much, everyone.

Kaitlyn Pellak: Thanks, everyone.

Hollis Kara: Thanks, everyone. (Applause.)

Next up, Lily Botsyoe. Been practicing getting the name right for a while now. I was close. I was within an acceptable range. I tried really hard.

Lily is on her way up to present ARIN 2024-10: Registration Requirements and Timing of Requirements with the Retirement of a section with a lot of numbers.

Draft Policy ARIN-2024-10: Registration Requirements and Timing of Requirements With Retirement of Section 4.2.3.7.2

Lily Botsyoe: Hi, everyone. My name is Lily Botsyoe, and I’m presenting today as one of the newest members of the AC. Thank you so much.

And today I’m going to be walking through Registration Requirements and Timing of Requirements with the Retirement of Section 4.2.3.7.2. And this was shepherded by Alicia Trotman — she’s online — and myself.

You’ve seen versions of this before. It’s evolved. One of the latest was at ARIN 54. And today you had the gist from Kat. So it’s just really to walk you through some of the things that has been spoken about and to leave you with some questions.

So those are our names, Alicia and I.

This policy, the problem statement describes the timing of registration. ARIN holds it very dear that there is accurate timing for — or is key to what the value ARIN delivers for community. And there’s also been the observation that there’s a waning motivation for registration. And maybe one of the reasons in the Problem Statement is said to be there’s a depletion of the free pool.

So this proposal aims to modernize the registration-related policies in Section 4. And it’s introducing the language that’s supposed to talk to ISPs and to speak about the importance of registration when feasible for the benefit of the community.

And so the Policy Statement, there was an ask to replace Section 4.2.3.7.1. The original text stays a bit the same, but there was an introduction, you can see the red line, that there was a change for SWIP and it’s supposed to be now represented with the phrase “directory services system.”

And then every other thing from the top remains the same, but there’s also the timing that is added here to show 14 calendar days, as shown here for this part.

And then there’s also the ask to retire the section “Reassignments and Reallocations Visible Within Seven Days” and also rename Section 6.5.5.1 from “Reassignment Information” to “Reassignment and Reallocation Information.”

And here also there’s a replacement of an original text with a new text, and I mentioned before, the “Whois directory via SWIP.” Both of them have been changed. And there’s the new term, “directory services system,” which encapsulates both words right now. And that is what is changing here with this part.

There’s also an ask to rename the Section 6.5.5.2 from “Reassignments and Reallocations Visible Within Seven Days” to the same but now “Within Fourteen Days.” So that is the change here as well.

Then there’s also another change that is coming for this section. The original text will stay the same, but also there’s an introduction of the “fourteen calendar days of reassignment or reallocation.”

Now, the timeline for this, the timetable for implementation was set to immediate.

And so I’ll walk you through what this has looked like from the past. The proposal came in sometime July ‘24. Moved to Draft Policy in August. It was revised in September and November ‘24.

Staff and Legal Review, a couple of contents here. Everything that I said prior to this, which was the new text, incorporates some of the things that already were listed or set for Staff and Legal.

So for here there’s the notice that, yes, there’s the elimination of the outdated term for SWIP in Section 4, and then to simplify the language to use “directory services,” which represents Whois and SWIP, like I said before.

And then the draft also will combine two sections just to simplify the wording there. And also, because the draft originally didn’t mention clearly, if there is a need, if it was 14 calendar days, ARIN is going on to use 14 calendar days to be consistent with what has been done in the past.

And the Draft Policy also changes the title of Section 6.5.5.1 to include “IPv6 reallocations,” aligning it with current practices. And also there’s also the suggestion for updating the text in Section 6 to remain consistent with the proposed changes to Section 4.

Also continuing the Staff and Legal, there’s also the observation of some differences that will arise because of the what was set for IPv4, 14 days, and IPv6, seven days. So, because of the confusion that could arise, the staff recommended that we update Section 6.5.5.2 to 14 calendar days to be consistent with the proposed change in Section 4.2.3.7.1.

And also, like I mentioned, the change of the phrase which also would see the introduction of “directory services system” to be consistent with the revised Section 4.2.3.7.1.

So for Staff and Legal, implementable as written, yes; the impact on ARIN Registry, none; and there’s also no material legal issue.

The time frame estimate is three months. The requirement for this implementation ranges from staff training to updates to public documentation and internal procedures and guidelines.

Like I mentioned before, this proposal or Draft Policy was assessed September 13, 2024.

And community feedback, there has not been a lot on the Mailing List. We have reached out a couple times. But from ARIN 54 and what was said from there, the sentiments are mixed, if I should say. So some people support it. Others don’t. And so we want to go on today to just ask that back to you to see what you have to say.

The crux of this presentation is on this slide, these three things: That the Draft Policy updates the registration-related policy sections to reinforce the importance of timely ISP registration; and then there’s also the extension we saw from seven days to 14 calendar days; and there’s the replacement of Whois and SWIP by the phrase “directory services system.”

So for you, our community, these are the questions we have for you, and I’ll start from the last one: Do you support this policy, and do you think extending the registration requirement from seven to 14 calendar days is a positive change? Why or why not?

And should we also combine Section 6.5.5.2 to be absorbed into Section 6.5.5.1 like we did with the other section that I mentioned in the earlier slides?

So that’s about it. Thank you.

Hollis Kara: Thank you, Lily. Bill’s on his way up. If you have questions or comments on this Policy Proposal, please approach the mic or start typing if you’re with us online.

Bill Sandiford: We’ll start on this side over here.

Atefeh Mohseni: Atefeh Mohseni, ARIN Fellow, speaking on my behalf. For the first questions, I think that the seven-day window should stay. Timely updates help law enforcement and network operators by keeping registry data accurate.

Extending to 14 days could cause delays and reduce the reliability of the data unless there is a clear need for change.

Doug Camin: Doug Camin, CCSI. I do support the policy as drafted. I think I voiced support at ARIN 54 as well.

Regarding the questions that are here, I support the 14-day change. I don’t think that it should be collapsed with the other section at this time. If it does, that should be a separate policy proposal in the future. And as mentioned, I support it as written. Thank you.

Kevin Blumberg: Kevin Blumberg, The Wire. I support the policy with, I think, some additional work that definitely could go on.

I don’t think there’s any difference between seven or 14 days. An organization that is not putting in SWIPs doesn’t care whether it’s seven or 14 days. But for those that are doing it, I think 14 is more reasonable when they’re dealing with manual processes, et cetera.

The one thing that would make the biggest difference to this policy is changing the arbitrary /29 to something more reasonable, more realistic, like /24. I actually believe that the uptake of records would improve when we weren’t SWIPing things that made sense 20 years ago that don’t make sense now.

So I actually think the biggest improvement to this policy is to increase the size of what is required to be SWIPed so that we’re not dealing with minute portions of space. Thank you.

Bill Sandiford: Online comments.

Beverly Hicks: I have four. How many would you like?

Bill Sandiford: All of them.

Beverly Hicks: Alright. Let’s do it.

Kerrie-Ann Richards, no affiliation: “I support this policy. Things moving slowly, technically, administratively in the Caribbean, and extending the window to 14 days will benefit to small island states. I also support for the sake of consistency between sections 4 and 6.”

Robert Hoppenfeld, Up in Two, LLC: “By calling out a generic and nonspecific service, directory service system, creates a loophole that allows someone to update via a system that is not universally recognized.” That’s a question, sorry.

Keep going?

Bill Sandiford: Yep.

Beverly Hicks: Okay. Ray Krivanek, from Radio Toolbox: “I support the policy as defined. I think reducing confusion around the seven or 14 day is a positive change.”

And Jason Cook from Dennis Group: “I support this policy as drafted. I do not believe the sections should be combined, however. I have no preference regarding seven or 14 days. If folks aren’t submitting in seven days, they won’t start flipping in 14.”

Bill Sandiford: Alright. Last call in the room or online.

Alright. Hearing and seeing none, thank you, everybody, for your feedback.

Hollis Kara: Thank you, Lily, and thank you, Bill.

(Applause.)

Alright. And next up we have the last policy in this block today. I’d like to invite up Brian Jones to talk about Draft Policy 2024-11: IPv4 Transition Efficiency Reallocation Policy. Do have a question, though, Brian. Shouldn’t it be “I Hokie”?

Brian Jones: We can do that. I would support that.

Draft Policy ARIN-2024-11: IPv4 Transition Efficiency Reallocation Policy

Brian Jones: This is ARIN Draft Policy 2024-11. You’ve already heard the name. As the exhaustion of IPv4 addresses continues, ISPs and end users face increasing challenges in managing their transition to IPv6. Many end users require small amounts of IPv4 space to implement technologies like Carrier-Grade NAT or dual-stack environments to support their IPv6 deployment efforts.

Under the current NRPM 4.10 policy, ISPs are prohibited from reallocating portions of their IPv4 blocks to end users, forcing these organizations to request larger, inefficiently used blocks — /24s” — from ARIN.

So without a mechanism to allow ISPs to reallocate small portions of Number Resource Policy Manual 4.10 space to qualified end users, the current policy inadvertently encourages inefficient IPv4 address utilization, which conflicts with ARIN’s goal of maximizing the use of remaining IPv4 resources while facilitating the widespread adoption of IPv6.

The problem is twofold. End users are forced to request larger, underutilized IPv4 blocks for their IPv6 transition needs. ISPs are unable to efficiently manage and reallocate their IPv4 resources under Number Resource Policy Manual 4.10 to meet end-user demands for small-scale CG-NAT and IPv6 transition deployments.So, Policy Statement. Things that would be added — there’s not really any changes. These two bullets in red would be added to Section 4.10 of the NRPM.

So ISPs may reassign a /29 or /28 for their direct downstream customers for IPv6 transition only. ARIN reserves the right to validate any downstream allocations from ISPs to direct customers.

Anyone wishing to perform a reassignment of a 4.10 allocation must be approved through ARIN and meet all the justification requirements of this policy.

Timetable for implementation is immediate.

This came in September of ‘24 and became a Draft Policy at the October meeting of the Advisory Council.

There’s not been a lot of community feedback on this proposal. This is the first time it’s been presented to the ARIN community at a Public Policy Meeting.

So here’s some of the feedback: “I interpret the proposal as allowing for NAT64-as-a-Service where the customer is IPv6-only, and the service provider provides the NAT64.” Not sure that’s what the author intended, but this is community feedback.

And: “Ah! Pardon my confusion. This seems to be a reasonable goal. How extant is this need?”

And then: “To clarify, ITERP does not propose to allow the transfer of 4.10 space, but allow ISPs to reallocate a /28, /29, or even smaller, to an End-User wanting to do such things as run Dual-Stack DNS, Dual Stack Load Balancers, or CG-NAT. IPv6-only networks large enough but not multi-homed via BGP. Many only need small address space to allow them to do IPv6 internally.”

So also: “Limiting the reallocations to a maximum of /28 makes abusing this policy more difficult.”

Some points to consider. Allowing further reallocation of 4.10 space could open up additional possibility of inappropriate use of this space. If this policy is successful, it could add administrative overhead to ARIN staff for downstream reallocation approvals.

Policy impact. It could encourage further adoption of IPv6 for downstream customers who do not have IT staff. It could encourage further nefarious behavior or misuse of the 4.10 space. It should create opportunity for more efficient use of the 4.10 space.

So questions for the community. As there’s not been much Public Policy Mailing List feedback, does the community feel this is something that adds value to the 4.10 space allocations? Or should the 4.10 space remain only for end users wishing to implement IPv6 in their networks?

Hollis Kara: Thanks, Brian. Bill’s on his way up. Just a quick reminder to folks at the microphone to please speak slowly and clearly.

Kevin Blumberg: Not directed me at all.

Bill Sandiford: Slowly.

Kevin Blumberg: Kevin Blumberg, The Wire. I don’t support this policy. Every single one of my customers falls under this category, and I will be coming back and depleting the 4.10 pool ad nauseam for that purpose.

I’m actually now just giving myself a way of every customer needing to have IPv4 space from 4.10 for creating a CGNAT as a Service.

So, no, this policy was meant for organizations who could help kick-start for — this is just going to get abused, rinse and repeat.

So we have the 4.10 space there. It’s helping. I really don’t like asking or — asking — telling staff in policy that they need to go and audit this stuff, because even if they did, it really doesn’t have any effect on anything anyway.

So it’s a nicety in the policy, but it actually has no teeth, is my view on it. So really don’t support this at all.

Bill Sandiford: Alright. Go ahead, John, then we’ll go to the online comment.

John Sweeting: John Sweeting, ARIN CXO. I just wanted to make a quick point, where it says “remain only for end users wishing to implement” — it’s not only for end users. It could be a small ISP. It’s for new people that want to deploy v6. Or it could be end users, ISPs. It’s for everybody that has the need for a /24 to transition to IPv6.

Bill Sandiford: Got it. Online?

Beverly Hicks: I have two. Robert Hoppenfeld, Up in Two, LLC: “Does this create an additional cost on ARIN? And, if so, how is that being covered? Have you calculated this cost? And if the policy gets abused, how could it be rolled back?” Would you like the second one as well?

Bill Sandiford: Yes.

Beverly Hicks: Kate Gerry, NetActuate: “I do not support this policy. 4.10 space is already abused, and this will even further support the abuse of this space.”

I have another one more that just came in.

Bill Sandiford: Go ahead.

Beverly Hicks: I’m apologizing to this person. I will probably mess up their name. Waqar Ahmed: “Should eligibility for receiving a reallocated /29 or /28 under ITERP be tied strictly to demonstrated IPv6 deployment efforts?”

Brian Jones: That would be the intent, is to tie it directly to IPv6 deployments.

Bill Sandiford: Alright. Go ahead.

Kat Hunter: Kathleen Hunter, AC chair.

There was another question there. What happens if this goes in? Can we roll it back? No, we make new policy to roll it back.

Bill Sandiford: Online comment again.

Beverly Hicks: David Farmer, University of Minnesota: “Section 4.10 originally envisioned allocations no larger than /24 prefixes, which proved impractical. This proposed reassignment process allows these for more efficient, longer reassignments”

Beverly Hicks: Want some more?

Bill Sandiford: Uh-huh.

Beverly Hicks: Jason Cook, Dennis Group: “I support this policy in principle but believe it requires further discussion. Either the audit of the usage will be costly or it will be ineffective. I would like to see feedback from staff before proceeding”

One more. Kerrie Richards, unaffiliated: “I do not support expanding 4.10 allocations. To allow ISP reallocation risks undermining the original intent. It also introduces potential for misuse and adds unnecessary administrative complexity. The current 4.10 policy should remain focused solely on direct end-user needs.”

Bill Sandiford: Alright. Last call in the room and online.

Alright, hearing and seeing none, thank you, everyone, for your feedback.

Hollis Kara: Thank you, everyone. (Applause.)

Before I ask John to come up to the stage, I did neglect to mention earlier we do have some attendees in the audience that our with us from our other RIRs. That was really hard to say for some reason. So if you are here representing another region, feel free to stick a hand in the air so folks can spot you.

We’ve got folks from the RIPE NCC, LACNIC, and APNIC region — board members and staff. We’re happy to have you. If you have questions about happenings in those regions, they’re great people to find to talk to at the social later. So please do that. And thank you very much for coming all this way to join us in Charlotte. We hope you’re enjoying the hospitality.

Now I’m trying to stall because we’re running ahead of schedule and I want to make sure — I’m going to be honest with you, I want to make sure we start the ASO AC presentation at 2:45. And the reason I want to make sure we stick to that time slot is because I know we have folks from other regions who are interested in the discussion that’s going to be happening here today and I want to make sure that we align with when they may be joining us online.

I could say I want to be sure one more time because that will eat five more seconds, but I’m not.

John, you want to come on up? We’re going to now go through the Internet Number Status Report. Just walk real slow.

Internet Number Status Report

John Sweeting: I’ll try to do this justice and really take it slow.

Alright. So, John Sweeting, Chief Experience Officer with ARIN. Internet Number Status Report. This is a report that’s going to show you all the status of Internet Number Resources around the globe in each of the RIRs and also what’s at IANA, or IANA? Which way do you want to say it?

Hollis Kara: IANA.

John Sweeting: Okay, I’m trying to make some time for Hollis, so –

Alright, so this slide here is a depiction of all the address space, 256 /8s, the way they were given out or reserved by IANA.

Hollis Kara: IANA.

John Sweeting: NRPM.

Hollis Kara: IANA. Policy Manual.

John Sweeting: NRPM.

Let me go back. Okay, so you can see the central registry, multicast, and then RIPE NCC has 35. ARIN got 36. APNIC, 45. Kind of remember those numbers because later on there’s going to be a slide that shows you how much address space in /8s each of the RIRs manage today.

So you’ve got that? 35; 36; 45; AFRINIC, 4; LACNIC 9. Okay. There’s going to be a quiz later. So remember those.

So total IPv4 addresses managed by each RIR. You notice ARIN has 98.88. We were only given – what was the number? 36. Correct.

Alright. What are those other 62? Where did they come from? Well, they’re either legacy, which most of them are legacy, but some of them are basically with the early – what was the – early registration protocol. They moved a bunch of space around – whoever had the most of the /8, that’s the RIR that manages that /8.

But for this slide, this is the number of addresses broke into, like, a count of /8s that are managed by each of them. So, it’s not really that there’s 98 full /8s, but there’s 98 /8s worth of space, if that makes sense. Hopefully I’m making sense here.

The other one, the 36, that was full /8s that were given directly from IANA to ARIN, after ARIN was established to manage, and the rest of the space was prior.

So the available IPv4 space in each RIR today, in terms of /8s – and this doesn’t count the reserve pools because otherwise ARIN wouldn’t be at zero. But we do have still – in AFRINIC they still have .059 of a /8. And APNIC has a .21 of a /8 in their free pools. ARIN, LACNIC and RIPE have zero.

We do run wait lists, and we do have some special reserve IPv4 as well, but as far as space that’s available to just anyone, those three registries have none, and AFRINIC and LACNIC have a small piece, a small chunk.

Okay. So IPv4 space issued by RIRs per year in terms of /8s, and we’re going back to 2020, nothing really surprising or out of the ordinary here. It got smaller, smaller, smaller. It’s not a lot. As you can see, none of them are a full /8.

If you went back to 2019, ‘18 and back, you’d see a lot of /8s being given out. I believe just before run-out there were three or four /8s from APNIC that was given out, and RIPE gave out some– probably four or five /8s. There was a run on the IPv4 pool, and a lot of /8s got given out. Then we ran out, so to speak.

Right now, for 2024, you can see that ARIN gave out about .03 of a /8, and that was mostly from our reserve pools and the wait list.

Okay, we’re going to talk a little bit about transfers, exclusive of merger and acquisitions, which in ARIN-speak would be the 8.2, Number Resource Policy Manual Section 8.2, Transfer.

So intra-RIR IPv4 transfers, this is market transfers. This is the market that’s run – helped being run by our facilitators out there. Year over year, as you can see – this is the number of transfers, not the number of IPs, but the number of transfers – RIPE does a lot of transfers, a lot.

Almost as much as all the other RIRs put together.

But when you go to the number of IPv4 addresses transferred per year, you’ll see that there’s a lot more in the ARIN region that actually are transferred. A lot of that is because of the size of the blocks and the size of the customers that were purchasing those blocks within the ARIN region compared to the transfers that were being done in the RIPE region. So RIPE does a lot of transfers. ARIN transfers a lot of resources.

Okay. Intra-RIR IPv4 transfers. Some interesting numbers here. So as you can see, ARIN definitely transfers out a lot more. So the number above the slash is the number of transfers; the number below is the number of IPs.

So you can see ARIN to APNIC, there was 489 – this is total from when we started doing them – 489 transfers, 19.863 million IPs. And getting in from APNIC, ARIN got 216 transfers in and 1.744 million IPs in.

And RIPE, again, RIPE out to – from RIPE to ARIN was 298 transfers for 8.245 million IPs. And ARIN to RIPE was 670 transfers, 27.312 million IPs going out.

Now, a lot of people say, wow, that’s a huge disparity. Well, one of the reasons is because ARIN had such a large pool of legacy address space that a lot of those transfers were legacy space that were being transferred out.

So as far as affecting – and I don’t have numbers to share or anything, but as far as affecting revenue and all that, there isn’t a lot of impact to revenue of any of the RIRs based on intra-RIR transfers strictly because a lot of the space that ARIN had transferred out we weren’t getting paid for anyway. So it didn’t hurt the revenue outlook. We’ll probably have more on that in a different presentation later on in the week.

IPv6 – am I doing good on time? IPv6 address space, you can see the first doughnut up there. That’s the /0. And you see IETF reserve, a /1 and a /2+. The /3 of global unicast that’s been put out there is then further broke down into – that’s the pool that they’re giving out /12s to the RIRs.

There is a little – the box up at the top, your top right-hand corner is space that was given out earlier prior to when they started – came out with the scheme that they were doing, when an RIR goes in, they get a /12. So that space was done earlier.

That larger circle there at the bottom, doughnut at the bottom, since they started out giving out /12s, every RIR got a /12. AFRINIC and LACNIC are still on their first /12. ARIN, APNIC and RIPE have all three gone back in for an additional /12 over the last three years, I think. And so those three RIRs all have a /11 of IPv6 space issued.

IPv6 allocation issued by RIRs, the prefixes allocated each year by the RIR, and you see that’s just over time. There have been some years where RIPE gave out a lot of it in 2021. ARIN’s been pretty steady with what we’ve given out.

I think we did have one big allocation one year that made it a little bit higher than normal. And that was probably 2024. Yeah, it was, so you can see that.

Total allocated space, IPv6, so in the /32 counts, this is the total amount of space that each RIR has allocated, IPv6 space. RIPE has allocated the most IPv6 space in /32s. Next is ARIN and then APNIC and LACNIC. And AFRINIC you can see.

One thing with AFRINIC, I think, I don’t know if we’ll see it in here – not AFRINIC, LACNIC. LACNIC actually has given – I’m looking for Alfredo – I think all their customers all have v6 because they gave all their customers v6. Is that true? That’s what it –- right. I think there’s another slide maybe that talks about that.

And IPv6 assignments. You see that ARIN was giving out assignments and then ARIN wasn’t giving out assignments. It’s because we changed away from giving out assignments, and everything we issue as far as IPv6 and IPv4 are allocations. You can see that started in ‘22.

Total assigned IPv6 space in /48s that each RIR has assigned, you can see LACNIC has assigned quite a bit of IPv6 address space. And it’s because they made sure that every one of their customers – do you still do that, Alfredo? Do new customers automatically get IPv6?

Alfredo Verderosa: Yes, they get 72 or 536, every new ISP. Since 2012, we have been doing that.

John Sweeting: Thank you very much. Okay, and there you go, there you see the percentage of members with IPv6 in each RIR.

Interesting to us is, of course, ARIN. We have 37.2 percent of our members have v4 and v6. And then we have 9.4 percent that have v6 only. It doesn’t mean they only have v6. They could have IPv4 reallocations, reassignments. But from ARIN, 9 percent of members only have v6 from ARIN.

AS numbers. The first big circle on the left there is the unallocated and what’s assigned out to the RIRs. We stopped – and when I say “we,” I mean the RSCG and the NRO. On our statistics that we present, we stopped presenting this as 2-byte and 4-byte. So this is all AS numbers together.

And then the circle on your right is the space, the AS numbers that each of the RIRs manage: RIPE with 45,000-plus, ARIN, APNIC, LACNIC and AFRINIC.

ASN assignments by RIRs, the number of ASNs issued by each RIR per year. Nothing really outstanding there. APNIC, looks like they had a run on the bank for AS numbers in 2021. Maybe there was a fee change or something changed that everybody wanted an AS number in the APNIC region that year.

But other than that, it’s pretty – it’s pretty stable, pretty steady through all the RIRs. So total ASNs currently assigned by each RIR, again, nothing different than you would expect from seeing all those other slides and all the other statistics.

And that’s it. I don’t have any more slides, Hollis.

Hollis Kara: You did your best. Thank you, John.

(Applause.)

I’m guessing nobody has any questions. He’s already out of here. I think that may be the most thoroughly I’ve ever seen that deck presented, and I’ve seen it presented a whole, whole lot.

Just to stall for a few more moments before we get started. I know Nick has a few minutes of introductory slides before he gets into the meat of the ICP-2 portion. I think by the time we get there we will have hit 2:45.

But I did just want to point out, because I don’t know how much time he’s going to have to talk to it, that the consultation is ongoing right now. There’s a mailing list in the ARIN region. You’re welcome to sign up and participate there. There are mailing lists being hosted by all the regions. They’re all listed on the NRO website. You’re welcome to join any and all of them.

And there’s also an open public comment period being held by ICANN. All of those community engagements will be ending on the 27th of May. Again, please sign up, share your feedback there. But importantly share your feedback in the room.

And with that I’m going to go ahead and ask Nick to come on up and get us started with his presentation on the ASO AC update and the status of the ICP-2 review. Come on. Okay, yeah, walk slow – that’s a good point. Take your time. Come on up, Nick.

(Applause.)

Address Supporting Organization Address Council Update

Nick Nugent: I have the opposite problem.

I have to try to compress a lot of content into a smaller period.

Hi, everyone. I’m Nick Nugent. I am a member of the NRO NC from ARIN, Vice chair of the ASO AC, and in my day job I’m a law professor at the University of Tennessee.

So I’m here to present our normal recurring update on the work of the ASO AC in general, but the presentation is going to be longer this time because a fair amount of it will be devoted to the ICP-2 work.

Here’s a roadmap of what we’ll talk about. Rather than read each of the bullet points to you, we’ll just dive right in.

So about the ASO AC, what is it, how does it relate to the NRO NC. The ASO AC is a 15-member body. It is one of the three ICANN-supporting organizations, along with the GNSO, which speaks to generic top-level domains; and the ccNSO, which speaks to country code top-level domains; we speak to Internet number policy.

We advise ICANN on number policy. We are responsible for appointing two members to the ICANN Board and one member to the ICANN NomCom, and we also oversee the Global Policy Development Process.

We’re 15 members, three from each of the five regions. In each region, two are elected and one is appointed by the RIR.

We hold monthly meetings, which you’re all welcome to attend, over Zoom, and we have one meeting per year in person, typically at an ICANN meeting. You’re welcome to attend that as well.

This is the current slate of the ASO AC. You’ll notice that it contains only 12 members; yet 3 times 5 is 15, why do we only have 12? That’s because, as you know, AFRINIC is currently without a functioning Board and therefore the members of the ASO AC from AFRINIC, they rotated off when their terms finished. And without a Board to hold elections or to appoint additional members to the ASO AC representing AFRINIC, we’re currently without any AFRINIC members.

But as you may have heard, the receiver for AFRINIC has called for Board elections to be held on the 23rd of June, after which the Board can appoint at least one member from AFRINIC to sit on the ASO AC and then thereafter hold elections for the other two.

So we’re hopeful that, in due course, maybe by the end of the year, we can have AFRINIC members on the ASO AC once again, which would be great.

This slide shows our focus of work in 2025. The first two bullet points are entirely ordinary. We’re going to conduct the election for seat 10 of the ICANN Board and continue to monitor and support the Global Policy Development Process.

The third bullet point is where it gets interesting. Namely, the ICP-2 review work. And that’s what we’ll talk about now.

Okay. So what is ICP-2? What’s it all about? You hear a lot about it. We talk about it a lot. ICP-2, as you all probably know, stands for Internet Coordination Policy 2, and it’s a document that sets forth criteria for recognizing new RIRs.

The full text of the current version of ICP-2 can be found at the link that you see on this slide, or you can simply Google it. We encourage you to read it. It’s not a long read. It’s a relatively short document.

And especially if you plan to look at the new draft policy that’s come out, the new draft document, this will give you foundation for you to assess the deltas between the two documents.

We very much encourage you to take a look at it. This is where we are in the timeline or, I should say, this is where ICP-2 falls within a historical progression.

ICP-2 sets forth criteria for recognizing new RIRs, and yet three of the five RIRs were actually established before ICP-2; namely, RIPE NCC in 1992, APNIC in ‘93 and ARIN in ‘97.

ICP-2 was enacted or, I should say, adopted in 2001, and thereafter it provided the criteria and a basis for recognizing LACNIC and then later AFRINIC. Since then, of course, it’s remained just those five.

But the question is: Why revisit ICP-2? What’s the big deal? Well, ICP-2 is nearly 25 years old, and 25 years is an eternity in the Internet world. The Internet itself has changed quite a bit.

The relationship between the different players in the Internet governance space has changed quite a bit in those 25 years as well. Namely, the relationship between ICANN and the RIRs and even the relationship between the RIRs. That’s one reason.

Another reason is that, as I mentioned, ICP-2 is primarily geared toward the criteria for recognizing new RIRs. Well, what about if an RIR is recognized, what happens thereafter? That’s not the end of the story.

After a new RIR comes onboard, it’s very important that that RIR continue to abide by the same obligations, commitments, requirements as it was required to get recognized in the first place.

And if an RIR should cease being able to adequately serve the needs of its members or support the stability of the global RIR system, there needs to be a possibility, an avenue for de-recognizing that RIR.

So those are the two bases for revisiting ICP-2. To that end, in October of 2023, the NRO EC approached the ASO AC to ask for help with the task of reviewing and revising the ICP-2.

Now, just a brief detour. I talked about what the NRO NC is. It’s the three-member delegation from each RIR that makes up the ASO AC.

The NRO EC is the body consisting of the CEOs, the heads, of each RIR. So John Curran from ARIN, Hans Petter Holen from RIPE, et cetera.

And the EC asked for our help along two lines. The first was reviewing and advising on a set of implementation procedures.

What are those? One of the things about ICP-2, is even though it speaks primarily to criteria for recognizing new RIRs, we believe it’s a fair reading of it that it does speak to the ongoing obligations of RIRs and to the potential even for de-recognizing RIRs, albeit implicitly rather than explicitly.

So the Implementation Procedures, it’s a document that fleshes out, well, okay, if an RIR is not continuing to abide by its obligations, or if there is a need for de-recognizing an RIR, how does that work? That’s what the Implementation Procedures document is.

So the NRO EC drafted that document, provided it to us, and we provided our comments, and now that document has been published. It’s been published for a while. And although the link isn’t on the slides here, you can Google it and see that document anytime you like.

That first half of the work is done. The second half of the work was strengthening ICP-2 to address some of those things that I mentioned that have happened over the last 25 years.

To that end, we were given the freedom to figure out whether this meant editing, tweaking ICP-2 or even coming up with a full new document to replace ICP-2, and we took the latter approach.

Here’s a timeline of our ICP-2 work to date. I won’t read all of this, but I wanted to talk about one of the things, which is the first step in this process.

We thought given how easy it is to get bogged down in specific languages, commas, semicolons, whether to use the Oxford comma — and the answer is always — we thought, let’s not get bogged down into all the minutia at this point, let’s instead come up with a set of broad principles. What should the next version of ICP-2 have? What should it look like?

And so after a number of meetings and discussions, we came up with 24 core principles, as we call them. This is what we think ICP-2 should have.

We called this the Principles Document. We published it. We pushed it out for consultation, both through ICANN and the RIRs, and received feedback on it. I’ll talk in just a minute about what that feedback looked like.

Having received that feedback, having considered it, we’ve now published a full draft document which we’re calling the RIR Governance Document, and that’s available right now today for your review and, we hope, your feedback.

We seem to really like timelines in these slides. I won’t go over all this again. Let’s talk briefly about the principles. As I mentioned, we published 24 principles for consideration and feedback, and we had a very healthy response. We were very pleased with the level of engagement.

You can see here, from ICANN, we had 14 responses, but from the RIR questionnaire, we received upwards of 300 responses from all the different regions.

We have published all those responses in raw form. You can look at all of them. But we thought, rather than just make people drink from a firehose, let’s try to digest it somewhat for them.

And with a lot of help from Hollis and folks in the communications group, Ulka in RIPE NCC and Maria in LACNIC, we put together a report on the consultation for the principles. You can download it – pardon me. You can download it there, use a QR code or the link.

And this is just a snapshot, just to kind of see what it looks like, but we describe in it our methodology for how we’ve summarized and analyzed all the feedback; our deduplication process, as our algorithms revealed some potential duplicateresponses; and various bar charts of feedback on various principles.

For example, one of the first principles, if not the first principle, we had in the document was this authority principle, who gets to make the final decision.

So in the summary report, we’ve provided the full text of that principle and then summary of some of the comments received and even some of the literal replications of the feedback that we received from the consultation process.

Anyway, again, I think it’s a very well done report, and we invite you to take a look at it if you’re interested in the feedback that came in.

Okay. That’s a summary of the feedback. Now the question is what impact did that feedback have? Are we listening? Do we care? The answer is yes. We’ve read every single comment, we’ve discussed every single comment, and it did indeed impact our drafting process.

It impacted it in a number of ways. I won’t go through all the ways but just a few that are highlighted on this slide. It clarified the decision-making process. So in the draft document, you’ll see times where it refers to the decision of an RIR, if an RIR decides to approve, if an RIR takes its action.

What’s that mean? So we thought initially should we specify how it works in terms of voting and board approvals and member meetings and such, and we thought, no, rather, we’re going to defer to each RIR’s specific process. That’s one piece of feedback we incorporated.

We also incorporated some procedural protections. I’ll talk about the sort of procedure by which decisions are made to recognize or de-recognize RIRs. What if an affected RIR is dissatisfied? So we’ve provided some sort of review process from ICANN, taking into account privacy and governance procedures, et cetera.

Those are just a few. Again, we want to emphasize we very much appreciated the feedback and we very much took it into account.

Now on to the document itself. We’re calling it the RIR Governance Document, or the longer, Governance Document for the Recognition, Maintenance, and Derecognition of Regional Internet Registries.

We’re still on the hunt for a good name. If you have a pithier name we can use, we’re certainly all ears. But for now we’re calling it the RIR Governance Document. It will supersede and replace the ICP-2 as the governance document going forward.

You can view the full text of it at this link or using the QR code. We encourage you to do so. It’s just eight and a half pages. We’ve tried to make it readable. I’ll just go through – I can’t summarize the full document, but I’ll just go over a few high-level points about it.

This is the roadmap. We love roadmaps in this slide deck. Let’s dive into it.

So scope and lifecycle management. One of the things, again, as I’ve mentioned, ICP-2, the current document, speaks primarily to the recognition of new RIRs, but once a new RIR becomes an RIR, they have ongoing obligations.

There’s the potential, if they ever exit the scene. The new document makes this explicit. It really recognizes the full lifecycle of an RIR from recognition to ongoing obligations, to potential derecognition, makes that clear, structures the document around that lifecycle.

Governance structures. The current version of ICP-2 provides various criteria that an RIR must satisfy to be recognized. The new document says, you know, it’s not just about impartiality and bottom-up development. Those are all important and those are all carried forward, but we want the RIR to be healthy. And that health requires good governance structures.

So the new document gets into sort of how an RIR conducts itself, its governance structures, the fact that the Board of the RIR must be the majority, must be elected by its members, requiring it to follow good corporate governance procedures.

And this is something that is new, is that each RIR is required to implement measures to prevent itself from being captured by any single entity or group of related entities so that it can continue to represent the broad needs of the community.

Strengthening operational requirements to ensure that the RIR continues to function in a way that’s healthy, we’ve introduced an audit mechanism, both periodic audits and ad hoc audits, should the need arise.

Transparency requirements, requiring it to publish aspects of its governance, its finances, anything that it can that is not going to be prohibited by privacy laws. And then requiring it to implement continuity procedures that, in the unlikely event another RIR needs to take over its operations, either temporarily or permanently, that those procedures are in place.

Then the current version of ICP-2 talks about ICANN, but it’s not as clear about the role of RIRs in these decisions to recognize or de-recognize.

And so it’s in the document itself, Section 2.3. We encourage you to read it. Basically says any decision to recognize or de-recognize an RIR has to first be approved by the RIRs themselves.

And there are different thresholds for what those approvals look like for recognition versus derecognition. Our current draft says that to recognize a new RIR, all the other RIRs need to unanimously approve that.

This is something we’re floating, this is something we want feedback on. There are only trade-offs in this. Unanimity can be hard to obtain, but then, again, lack of unanimity can introduce unintended consequences as well. So we’re looking for feedback on that.

De-recognition has a different threshold. But the heart of the matter is that the RIRs must approve any initial action and then ICANN would make the final decision. That’s a clear approval mechanism in the new document.

So the document is out. Now we want feedback on the document. You all provided feedback on the principles. Now we’d love your feedback on the full text.

ICANN has launched a consultation on the document, and you can participate in it. Here’s the link. And I’ll get into in just a moment the RIR consultation process.

This is the slide that indicates some of the things we’re looking for in the feedback, but one of the things I’ll highlight right now is that even though the new version, the new document is more detailed, it can only get so detailed. There are many details that we simply haven’t gotten into that we considered but then we realized that’s just getting down into the weeds too much, what we call implementation details.

So some of the feedback we’ve gotten so far is why haven’t you explained exactly how this is going to work in practice in this particular circumstance? And the answer is we’re not that smart. We just can’t anticipate exactly how that would work or how different RIRs would do it, different RIRs would do it differently.

So even though the document is more detailed, it’s still somewhat high level. Although we welcome your feedback, I’ll just state up front that some of the feedback we received will be about implementation details that we simply don’t plan to put in the document. But again, I’m not trying to discourage any feedback on that.

In terms of the RIR consultations, you can follow all of them. You can subscribe to every single one of them if you’re a glutton for punishment, all five right there.

But for ARIN folks, here is the information for how to participate in ARIN’s discussion, and I guess I’m just going to flip through these for each of AFRINIC, APNIC, LACNIC and RIPE community.

But act soon. The consultation will close in a little less than a month. So hopefully this presentation will spur some conversation. We’d love your feedback before May 27th.

We’re also holding table talks. We held one today, and we’ll have one tomorrow, if you want to discuss the matter with us. Or you can always pull one of us aside in the hallway as well, that’s perfectly acceptable.

After that consultation closes, we’ll take the feedback into account, much as we did with the principles, and meet in Prague as a body to work on a revised document.

Our hope is that we can present a final revised document to ICANN and to the NRO by the end of this year, but we’ll see. We’ll see what the future holds.

And I’ve left nine minutes for questions. So thank you. Any questions?

Hollis Kara: Thank you, Nick. Anybody who has questions for Nick on the presentation, or the current consultation, please feel free to approach the microphones, and for our virtual attendees to begin typing. Do we have any questions in the queue?

Nothing in the queue so far. Any questions or comments in the room?

Tina Morris: Tina Morris, AWS. I wanted to say, Nick, big thank you for doing all this work, and especially this presentation was one of the most crisp, clear ones I’ve ever seen.

Nick Nugent: Thank you. A lot of work went into it by the members of the ASO AC. So I’ll take it as a compliment for the body.

We also got a lot of support from the NRO EC and RIR legals and a ton of help from CCG, including Hollis and the other folks that I mentioned.

Tina Morris: It’s really appreciated. Thank you.

Nick Nugent: Not this guy.

Kevin Blumberg: Kevin Blumberg, ASO AC member. Fresh eyes, I think, are the most critical piece for us. I’m not joking when we are talking in the thousands of hours that we’ve put into this, especially when it came to looking at 300 times 24 responses in the cycle. We have spent a lot of time, and we are 12 people. It is really, really helpful to get your perspectives with that set of fresh eyes on this.

Just one thing Nick mentioned, which was the implementation details. If your comment has an integer in it, it’s probably an implementation detail. Six months, as an example, that’s an implementation detail as an example.

And lastly, think global. What’s good for you sitting in this city right here? Think global.

That’s the hardest thing I think any one of us is tasked with, is thinking outside towards our neighbors and cousins in different countries, different regions of the world.

Just have that one perspective, and I think it will make this document make a lot more sense. Thank you.

Hollis Kara: Kaitlyn, I think.

Kaitlyn Pellak: Kaitlyn with Amazon Web Services and the ARIN AC. Do want to echo the earlier comments. Awesome job, Nick. This was very, very digestible. Really took a complicated topic and were able to synthesize it into a way that even I was able to follow. So thank you.

Nick Nugent: Again, I’ll take that compliment on behalf of the AC.

Kaitlyn Pellak: Excellent. Speaking only for myself, so excuse me, Nick. My question is around the language about when an RIR would propose that a fellow RIR would be de-recognized.

I was just curious, is the thinking that each RIR would come up with their own methodology of determining whether or not they should submit that recommendation, or is ICANN or the NRO planning to come up with a way that the RIRs could do that?

Nick Nugent: I’m sorry. Can you elaborate a little bit?

Kaitlyn Pellak: I guess I’m just thinking if all of the RIRs come together and decide this one RIR is not doing the right thing, and it’s stated that each RIR would need to submit a proposal to de-recognize the, quote/unquote, naughty RIR –

Nick Nugent: We don’t use that term in the document, but yes.

Kaitlyn Pellak: I’m just curious if there’s any thinking around how the RIRs themselves can come to consensus as to when they would want to submit that recommendation. Does that clarify my –

Nick Nugent: Yes, I’m glad you asked the question. In the first place, and maybe it’s a flaw in the document – I’ll have to take a look – it’s not a requirement that all the other RIRs submit sort of their own derecognition proposal. A single one suffices.

In other words, any RIR can submit a proposal to de-recognize, just as any RIR — why is it so hard to say that word right now? — can submit a proposal to recognize. And anyone can trigger the process.

Then that goes to all the RIRs to decide as a body what they’re going to do, then to ICANN. So that – just hopefully that answers the first question. But if the document is not clear in that regard, then we can take a look at that.

I’m glad you asked the question as well because anytime I can emphasize that derecognition is a last resort, it is really intended to be if all other options have been exhausted. The point of this document is not to find new ways to de-recognize RIRs, it is to have that option and clearly spelled out if the need should ever arise after trying to rehabilitate the RIR and do whatever else we can.

Kaitlyn Pellak: Got it. Thank you.

Nick Nugent: Thanks.

Sander Steffan: Sander Steffan, former ASO AC member. First of all, a lot of thanks to my former colleagues because this is a lot of work. I know how much effort you put into it.

Nick Nugent: You put some effort into it, too, I believe.

Sander Steffan: A long time ago.

But it’s very important work. And I really want to stress, everybody, please give feedback. Look critically at the document, but just not at the text that’s there, because criticizing existing text is easy, but like Kevin said, take a step back, look from a global perspective. Also look if there’s something missing or if there’s something that should be added maybe.

Because like I said, it’s easy to criticize what somebody else wrote, but please take a broader picture and think about the importance of this document for the future of our communities. Thank you.

Mike Burns: Mike Burns, IPTrading. My question is it’s unanimous to add a new RIR. What’s the current draft for de-recognizing an RIR?

Nick Nugent: It’s unanimous except for the subject RIR for reasons that are hopefully obvious in that regard.

I’d love to hear your further input on this, but just again to reiterate, this is our best shot. This is our best guess as to what should work. We’re definitely open to feedback on the thresholds.

Mike Burns: Sounds right to me. My question is on a derecognition, is there – this could be an implementation question, but is there a provision for a substitute to be ready in the event of a derecognition? I know that there was a plan there for other RIRs for continuance.

Nick Nugent: You’re right, there’s nothing in the document that says, hey, you’re in the batter’s box just in case and you have an obligation to be ready should the need arise. There’s nothing – there are requirements for all RIRs to have continuity procedures in place, and there are provisions that – for example, the document specifies that another entity should be able to take over.

It could even theoretically be a situation where no other RIR takes over but simply –

Mike Burns: An NIR maybe.

Nick Nugent: Some other entity that the other RIRs agree should do it for whatever reason.

But you bring up a good point. There’s nothing in there currently that says, hey, X, be ready for this.

Mike Burns: Thank you.

Hollis Kara: Do we have any questions or comments from online? Anything else in the room before we close the microphones?

No. I think we’re good. Thank you, Nick. (Applause.)

Because we’re running a little bit ahead of schedule today and we don’t have anything else scheduled for after the break, we’ll move directly into the Open Microphone session.

I will note, when we get to the end and close, there will be a break outside. Please do stop by. We have to pay for it whether or not you eat it, so grab a snack.

Open Microphone

Bill Sandiford: Microphones are open in the room and online.

Kathleen Hunter: Kathleen Hunter, AC Chair.

When we go through our slide sets, there are many people that go through the slide sets and check them. I have one addition that I need to make.

The Policy Experience Working Group. Doug Camin was missing from that list and should have been on that list. I wanted to make sure that was clarified.

Bill Sandiford: Okay. Alright. Microphones remain open.

Hollis Kara: Somebody said popcorn and now everybody stopped talking. I will note, virtual attendees, while I can’t send you popcorn, I am happy to have you field some questions to Bill and John.

Tina Morris: Seems like Kevin and I are up here at the same time every time. Tina Morris, AWS.

Just a comment to the AC. I wanted to say thank you for incorporating the comments from the PPML into this room. And vice versa, I hope you take the comments from this room back to PPML.

It’s really hard in this day and age. Not everybody has time to communicate in both formats, and it’s great to tie them together in that way, and I appreciate that.

Bill Sandiford: Thank you. Kevin.

Kevin Blumberg: Kevin Blumberg, The Wire.

I hope to one day not be here and the community continue, and it’s guaranteed. The community continue, and it’s just like you have business continuance. It’s important.

And I realized today that there were things that I was very aware of, because of the history of how long I’ve been around, that others in this room just don’t know about, and really we don’t advertise and we don’t talk about it.

I think that it may be worthwhile having an FAQ style, make it simple, for things such as what the role of the “nerpem” [NRPM] –

Hollis Kara: Kevin! (Laughter.)

Bill Sandiford: You know that’s going to fail, right?

Hollis Kara: I did that to myself. I’m sorry. My apologies to everyone.

Kevin Blumberg: – what the role of the policy manual is versus what the role of staff is when it comes to implementation.

As an example, there was a policy up today that talked about staff doing things, or there was another policy that talked about if you don’t do this, this, you know. Those aren’t necessarily the case because you have the RSA, you have all sorts of other things that go in.

I think it would be helpful for the community to have: Here’s the digest of the last 15 years of helpful information, specifically these types of things.

Because you go up to the mic with an expectation of saying something, and it turns out you were completely wrong because your assumption that you could do it. So that’s one part to it.

The second part to it is after the financials this morning, there’s obviously a deficit that the organization is running. You’re hoping to have that cleared up. Us asking for more, and us asking to do, and us this, has a direct impact to that at the detriment of technical improvements that could be done, at the detriment of X and Y and Z.

So it’s this balancing act where we can ask for whatever we want, but ultimately, it’s just going to cost money, and we’re running a deficit so we need to be very cognizant of that, is important.

So that was my two cents on Open Mic.

Bill Sandiford: Thanks, Kevin.

Any comments online? None. Going once in the room. Twice. Alright. Thank you, everybody, and I’ll pass it back to Hollis. Thank you.

(Applause.)

Closing Announcements and Adjournment

Hollis Kara: Thank you, everyone, for your patience and persistence today.

Go through a few things. First, audience participation time. Big round of applause for our sponsors, Spectrum, for the network. (Applause.)

Google for the webcast. (Applause.)

AWS as our Platinum Sponsor. (Applause.)

And our Silver Sponsor, IPXO. Thank you for all you do to support the ongoing community to help fund these meetings.

(Applause.)

We have a social this evening. First popcorn, later social. There will be dinner at the social. There will be walking buses, meaning I encourage people to meet and walk in groups. Best place to meet up is going to be at the College Street entrance down at the bottom of the escalators.

We will have some enhanced security along the route to make sure everybody feels safe and comfortable walking to and from. Do remember to wear your badge. That’s going to be your ticket into the door.

All attendees will get three beverage tickets when they arrive. Soft drinks and water are complimentary with your meal.

We look forward to seeing you all at the science museum. There’s lots of great stuff to play with. I don’t know about you guys, but I love science museums.

Reminder, we are committed – thank you, everyone, today for behaving and playing by the Standards of Behavior. They remain enforced throughout the meeting and they do also apply at the social tonight. Everyone be on their best behavior, and we’ll see you back again tomorrow morning.

Breakfast at 8:00, right next door. The meeting will begin at 9:00, and I look forward to seeing everyone here and online. Thank you very, very much.

(Applause.)

(Meeting adjourned at 3:15 PM.)

Related