ARIN 56 Public Policy and Members Meeting, Day 2 Transcript - Friday, 31 October 2025

Opening and Announcements

Hollis Kara: Looks like it’s 9:00. All right, folks. Whoo! That’s right. Welcome to ARIN 56, Halloween edition, day two. Here we go.

All right, first of all, audience participation time. I’d like to get a big round of applause for our elected volunteers, our Board of Trustees, Advisory Council and Number Resource Organization Number Council. Let’s hear it.

(Applause.)

Thank you for all the work you’ve done to help make this a successful meeting and good luck to all the folks that are standing in the election. I do want to note that I believe yesterday we hit quorum. So thank you to all our voters. Keep ’em coming.

Now, just a couple of quick reminders. For folks in the virtual meeting, again, chat is for chat. Q&A is for questions. And never the two shall meet.

If you have something that you would like read into the room, please make sure it lands in Q&A. We don’t want to miss your comments.

You can also raise your hand if you need more time. And always lead with name and affiliation. Same goes for folks here in the room.

If you’re having any issues, you can always hop over to the Virtual Help Desk, which will be open until about 9:30 central this morning, 9:30 Central. If anybody wants to pop in there just to praise our great graphics and design for this meeting, you can talk to the guy who did it. So go say hi to Des.

If we have any issues with Zoom and it disconnects, please try to reconnect again to see if it’s an issue on your end. If not, hop over to the livestream, which is available on the ARIN 56 website, and you will hear our plans for getting things restored and know when everything is ready to get back on track.

If for some reason the livestream is not there, watch your email. I’ll be here crying. (Laughter.)

If you’re here with me in the room — I’m not kidding. It could happen. Not the everything falling down, knock wood. Me crying? Always, always a chance.

All right. If you would care to join the Zoom to talk to the folks that are hanging out there and joining us virtually, folks in the room, you are welcome to do that. Just make sure you mute and disconnect your audio. Also, be aware that you can use that avenue to submit questions or comments if you don’t want to approach the microphone.

Again, speak slowly and clearly. I think I’m doing okay this morning. Denise, am I doing okay? I’m doing okay. I slowed down. Go, me. Lead with your name and affiliation, and just wait for the host to direct you when we’ve got the queues open to let you know whose turn it is to talk.

And we do want to hear from everybody. So please do feel free to approach the mic when it is an Open Microphone or a Q&A session, not just randomly. That would be weird. And if you have already approached the microphone, make sure to wait until everybody who is coming up had a chance to come up before you come back, if you don’t mind.

If you haven’t found the Wi-Fi yet, I’m really sorry. Hopefully you’ve got that figured out. If you haven’t, ask the Registration Desk, and they’ll get you set up.

We do have the slides and recording available to you through the meeting website. They’re right there on our meeting materials page. The live transcript and video are on the transcript page. Easy to find. Go to ARIN 56. Hit the red button below the yellow button, and there you go.

If you are having trouble either here in the room — I think I need to see the eye doctor again based on what’s happening here — but if you’re having trouble reading from the screen or reading things in the Zoom, you can always open the presentations directly on your laptop or whatever device you’re using and follow along from there.

All right. So what are we doing this morning? We’re going to kick it off with our Financial Report, and then we’re going to have an update on the ASO AC and the current open ICP-2 RIR governance document consultation which is ongoing.

After that, we’ll have a break. We may be pulling in another presentation, depending on how time’s going at that. And then afterward we will have an update from the NRO EC as well as an overview of the state of the RIR system.

Routing Security Update, it’s going to float in there somewhere. And then we’ll have our Open Microphone and close the day, hopefully right around lunchtime.

So, as I’ve already said before, we do have Standards of Behavior in place. We have our ombudsman here as a resource, if anybody requires assistance. And we do ask that everybody, you know, use your best manners.

We are all here to work together for the betterment of the ARIN community and ARIN and the Internet community in general. So if we can take each other’s comments in that vein, I think we’ll all have a much better time.

Again, Wade, where’s Wade? Wade’s here if you need to talk to him. Yeah, maybe he’ll show you his selfies from the end of the night last night. Don’t know.

ARIN Elections are open, as I mentioned. So, if you haven’t cast your ballot yet and you’re a voting contact, please do so. Make sure that happens before November 7th at 7:00 PM Eastern.

Before we go to this, did everybody have fun at the social last night?

(Applause.)

In honor of owning your mistakes, I apologize to everybody who I misled about when you would get the directions to find your way into the stadium. That being said, I saw a lot of you there. So I think it worked out okay. I’ll try to make sure I have my notes in order next time and don’t cause any more confusion than necessary.

I hope everybody got a chance to step out on the field, got their football cards — I know I love mine — and had a great time. Thank you so much for being part of that.

All right. So, more audience participation.

Can I get a thank you for our Network Sponsor, AT&T?

(Applause.)

We cannot do this meeting with a network. So thank you to them.

Thank you to our Platinum Sponsor, AWS. Please keep those applauses coming. Thank you, Alastair.

(Applause.)

Our Social Sponsor, Kalorama, for a great social last night. Hope everybody got their hats. If you didn’t, they’re out on the table in the hall.

(Applause.)

Our Silver Sponsor, IPXO.

And our Exhibitor Sponsor, IPv4.Global by Hilco Global. I almost tripped on it that time.

(Applause.)

All right. With that, I would like to invite up Nancy Carter — this says “Treasurer”; she’s also our Chair of the Board of Trustees — to give our Financial Report. Come on up, Nancy.

Financial Report

Nancy Carter: Thank you, Hollis. Thanks. Good morning.

From the Floor: Good morning.

Nancy Carter: Thank you. It’s wonderful to see all of you here in Texas. And apologies for those of you online. It’s a beautiful day here in Texas.

And Happy Halloween!

(Applause.)

No, you’re supposed to sound more excited than that.

(Applause.)

Yes, thank you. I may have a Halloween joke for you later.

So we’re finally at the moment everyone’s been waiting for since our last get together. The ARIN Treasurer’s Report is on the last day of the Public Policy and Members Meeting this time, which ensures that the financial update is scheduled after some of the other organizational updates and policy discussions. So, I know that so many of you are interested in hearing about our finances.

First of all, I want to extend my sincere thanks to my Fellow board members and the ARIN staff for their essential support in my capacity as Treasurer.

I’m especially grateful to the Financial Services Department for their dedicated work in generating and enhancing valuable financial reports. My appreciation also goes to Brian and the entire FSD team for their ongoing contributions. The commitment and assistance provided by both the team and Alyssa have been instrumental in enabling me to fulfill my responsibilities as Treasurer effectively.

I’m going to get emotional here because I think this might be my last Treasurer’s Report.

So, today I’m going to — oh. Am I going the wrong way? There we go. I’m going to update you on the activities of the Finance Committee since last April; I will review ARIN’s financial performance, including revenue and expense highlights; I’m going to provide details of the investment portfolio; and then look at our financial position. Finally, I’m going to tell you more about the data center move and our long-term financial plan.

The Finance Committee has remained actively engaged, meeting six times since we met last at ARIN 55 in Charlotte. In addition to conducting our regular quarterly reviews of investments and financial statements, we also successfully completed the audit of the 2024 financial statements and submitted the annual IRS Form 990, as Bill noted in his presentation yesterday.

This year marked the transition to CLA, which stands for CliftonLarsonAllen, as ARIN’s audit and tax service provider, following four years of working with BDO. The change in service providers also included a strategic adjustment to our audit timing, resulting in an additional fee discount. We’re really pleased with the quality of services provided by CLA this year.

Additionally, this period marks the annual review of the proposed budget for the upcoming year. Who doesn’t love budget time?

Alastair? Okay. Good.

Alastair Strachan: If you’re giving it to me, who wants to sponsor the NPC?

(Laughter.)

Nancy Carter: The committee met with management in both September and October for this purpose, and the full Board approved the 2026 budget during its meeting on Wednesday.

So we’ll look at ARIN’s financial performance, and this is for the first eight months of 2025, so ending August 31st. At the end of August, ARIN reported $20.1 million in revenues and $19.9 million in operating expenses, resulting in an operating surplus of $0.2 million. Additionally, ARIN recorded $2.4 million in investment income for the period ending August 31st of this year.

So we’ll dive into revenues. Here are the revenue figures for the first eight months of 2025. First off, revenues are slightly ahead of budget. Our annual renewal revenues for IPv4, IPv6 and ASN total $18.1 million, which is $70,000 above budget.

Other revenue sources earnings are $2 million, of which the combined recipient and source transfer fees contribute $1.1 million. Fees earned on new or initial resource fees are approximately $400,000, surpassing budget. And earnings from Org Creates and recoveries, Premier Support Plan, Qualified Facilitators and contributions was about $500,000.

We’re going to take a deeper look at the ARIN Registration Services Plan customer counts that drive the annual renewal revenues. Registration Services Plan, or RSP, customer counts grew to 24,570 on October 1st. This is a 1.7 percent increase in total customers in 2025. Over that same period, the RSP total annual revenue run rate increased just over $800,000. This is a 2.9 percent increase. There are a total of 11 different Registration Services Plan, or RSP, customer categories. Four of those are small categories. The four small-level RSP categories have a total of about 23,000 accounts. This is 93.5 percent of all the RSP accounts. Combined, these accounts have grown by 1.7 percent since the beginning of the year.

From a revenue-run-rate perspective, these small RSP categories generate total revenue of $14 million. That’s 49 percent of the total RSP revenues. And combined, revenues from these accounts have grown by 1.3 percent since the beginning of the year.

In addition to the four small RSP categories, there are seven RSP categories that run from medium to 5X large. These seven RSP categories have a total of 1,607 accounts. That’s 6.5 percent of all the RSP accounts. Like the small RSP categories combined, these accounts have grown by 1.7 percent since the beginning of the year.

But from a revenue run rate perspective, these seven RSP categories generate total revenue of $14.5 million. So that’s 51 percent of the total RSP revenues. And combined, revenues from these accounts have grown, also by 4.5 percent since the beginning of the year.

So typically, FSD has all this information on one slide, and it’s really interesting — I found it really interesting. First of all, when we put it on two slides, you can read it. And second, it’s interesting to see the division of revenue versus number of accounts.

So we’ll move on to ARIN’s operating expenses. I mentioned earlier that total operating expenses are $19.9 million through August, which is 3.7 percent below budget. When reviewing ARIN’s operating expenses, it’s essential to begin with salaries and benefits, which total $12.9 million and comprise nearly 65 percent of overall expenditures.

While some of the budget variance for salaries can be attributed to position vacancies this year, a greater portion results from benefits falling below budget, primarily due to a lower-than-expected medical expenses.

This variance in medical expenses is attributable to three factors: A zero premium increase in 2025; a discretionary credit in 2025, which was based on the 2024 plan experience; and fewer participants in 2025 because of any position vacancies.

Engineering operations constitutes another significant expense category for ARIN, amounting to $3.2 million or 16 percent of total expenses. This category includes data center costs, hardware and software expenses and depreciation. These expenditures are tracking close to budget overall, yet are 2.5 percent below budget in aggregate. All other expenses for this period stand at $3.8 million, representing a figure that’s 3 percent under budget.

This is another view of the operating expense and budget variances. Operating expenses are expected to continue trending below budget throughout the balance of the year.

We can now look at investments, and I’ll summarize the 2025 portfolio activity to date. The market is doing well again this year, which has resulted in the ARIN long-term investment fund realizing a year-to-date 7 percent return.

Interest rates on the operating investment fund money market accounts continue to stay relatively high during 2025. This has led to investment income of almost $80,000, a year-to-date performance of 2.5 percent.

And as expected and budgeted, withdrawals were made from this fund during the year. These withdrawals were made to support the investment in equipment and services for the new data center that I’ll talk about later.

This chart gives you a view of the long-term investment fund since 2019. The fund has seen positive results in six of the last seven years. In total, these investments have grown 35 percent during the period shown on the chart.

In the first quarter of each year, the Finance Committee meets with our investment advisor to review the allocation of the investments across available investment classes.

The ARIN investment allocations remain relatively conservative, with the majority of our investments in money market and other fixed-income investment funds.

Looking at the operating investment fund, this chart shows the changes to the fund I mentioned earlier. Additional transfers are expected during 2025 but will be less than budgeted.

Just a reminder of our Operating Reserve Program, our target reserve is defined as nine months of annual budget expenditures. For 2025, that target is $24.7 million. One purpose of the ARIN investments is to fund the desired target reserve. At the end of August, the investment balance of $37.1 million exceeded the target reserve by $12.4 million.

And we’ll move to financial position. ARIN’s financial position continues to be both strong and consistent with prior periods. The increase in other assets was driven by equipment purchases necessary for the new data center.

And in other business, the data center move continues to be on time and on budget, with equipment purchases comprising 76 percent of the budget.

My final slide is a reminder of the commitment the Board of Trustees made to a balanced budget by 2030, meaning that we plan to manage through a few years of negative net budget positions, and there’s been no change to that plan.

We continue to focus on spending discipline and reasonable management of Registration Service Plan price increases to achieve a balanced budget by 2030.

And that’s a wrap. Thank you. Happy to answer any questions.

(Applause.)

Hollis Kara: Thank you, Nancy. All right. You heard it. The microphones are open. If you have any questions for Nancy about the Financial Report, please feel free to approach the mic and or start typing in Q&A. Give it just a moment. Nothing? No questions. Nancy, you’re so thorough.

Nancy Carter: Good. I have a joke then.

Hollis Kara: Go for it.

Nancy Carter: Why do ghosts love elevators?

From the Floor: Why?

Nancy Carter: It lifts their spirits. (Applause.)

And now I have an accounting joke, accounting Halloween joke. Who knew you could do that? So why did the accountant go trick or treating with his calculator?

Hollis Kara: Why?

From the Floor: Why?

Nancy Carter: So he could count his candy.

Hollis Kara: Oooh. All right. Thank you, Nancy. Awesome.

Rolling right along, I’d like to invite Amy Potter — where is Amy? There she is. Amy Potter to come up. She’s going to present the presentation on behalf of the ASO AC, particularly on the ongoing work on the RIR Governance Document revision. Come on down.

(Applause.)

ASO AC Update and ICP-2 Consultation

Amy Potter: Hi, y’all. Happy Halloween. I hope everyone had so much fun last night and is very excited to get into ICP-2.

All right. So I’m here on behalf of the ASO AC. The ASO AC is the Address Supporting Organization Advisory Council. We are formed to advise ICANN on Internet number resource policy.

There should be 15 members of the ASO AC. Now, the sort of confusing bit here, yesterday you saw candidate speeches for members of the NRO NC. The NRO NC is the Number Resource Organization Number Council. They fulfill the role of the ASO AC. So same group of people, two different names. Don’t stress out about it. Just know whoever you elect for the open seat that we have for the NRO NC will come and join the rest of us to fulfill our work on the ASO AC.

Sound good? All right.

So, as I mentioned, currently we only have 12 members of the ASO AC because AFRINIC has been unable to elect and appoint their three members. Although, with the formation of the new AFRINIC board, it looks like, fingers crossed, we’ll have at least one new member from the AFRINIC community coming to join us soon, which we are very excited about. So what is it that we do?

We advise ICANN on global number resource policies. So yesterday we were talking about regional policies. Global policies impact how the IANA functions operator distributes space to the RIRs. So, sort of just one level up from what we were talking about yesterday, right?

In addition to that, the ASO AC also appoints two members of the ICANN board and one member of the ICANN NomCom.

We are also currently working on a revision to ICP-2, which we’ll get into now. I know that’s why you all came here this week. So, thank you very much.

All right. Here are all of our lovely pictures. We look forward to very soon having three more photos up there. Also, while those photos are up here, Nick Nugent is unable to join us this week because he is at the meeting in ICANN. But he is completing his third year on the ASO AC, and I just wanted to formally thank him for all the work that he has done. He has been such a great contributor, and we’ve been so lucky to have him.

(Applause.)

Okay. So, now, why are we revisiting ICP-2?

Let’s take a step back. What is ICP-2? Way back in 2001, there were only three RIRs in existence and ICANN. So we had ARIN, RIPE, APNIC and ICANN. And they were sitting around contemplating the addition of new RIRs to the system. And they understandably thought to themselves, hey, we probably need some criteria for deciding how do we recognize a new RIR?

So they put together the original ICP-2. In 2001, it was adopted, and that was what was used to bring in AFRINIC and LACNIC into the fold.

Now, almost 25 years have passed since then. A lot of things have changed. So while the original ICP-2 sets forth the criteria for bringing in a new RIR — and implicit within that is the obligation to continue to meet those obligations over time —additional details would be very helpful at this later point in time to not only make it explicit that you have to continue to meet those original requirements over time, but, also, we wanted to provide some additional strength to the document to provide more protections for the community and allow for, in a worst case scenario, the possibility of derecognizing an RIR that fails to continually meet these obligations.

And we also wanted to add some more details to the obligations that an RIR needs to continue to meet to provide services to its community. So here we are now.

So, in 2023, the NRO EC, which is just the heads of all the RIRs, asked the NRO NC/ASO AC to help with two tasks. I know, so many letters. The first of these was to review and advise on implementation procedures for the original ICP-2 document. Those implementation procedures are just sort of laying out, hey, you have to continue to meet these obligations over time and providing a little bit more detail for that original document.

They also asked us to work on revising the document, coming up with a new one that is more robust. So about a year ago, the NRO NC/ASO AC worked with the EC on the implementation procedures. And those have been published and adopted for the original document. We also began this process that we’ve been working on for also approximately a year now on coming up with a new, stronger document.

All right. So here we have a timeline of everything that’s gone on so far. So in contemplating how are we going to go about putting together a new, stronger document, we wanted to start out sort of at the core principles of what are we trying to do here?

We wanted to get feedback from the community on what is it that we care about? So we put together a list of, I believe, 24 principles and sent them out for consultation to the community. We went through a full consultation process on that. We received so much helpful feedback from all of you and from community members from the other RIRs. So, thank you all for that.

We went through all the comments we received in detail, put together a report summarizing those comments so that the community could see, “Hey, what did everybody else say” without having to read through 800 or however many comments that we received.

So we put that out, and then we got to work on starting the first draft of this new document. So we put out a first draft through the same sort of consultation process. Again, thank you for your feedback. We solicited a lot of feedback on that document through mailing lists and through the ICANN public comment process, and presenting that first draft at different RIRs, ICANNs, we held webinars, that sort of thing.

Again, we got so much helpful feedback from all of you. And we took that feedback, we again put together a report summarizing that, put that out to the community so you could all see what everyone else had to say. And then we revised and came back with a second draft.

So that’s the stage that we’re at right now. We have a second draft that we put out. We are in the midst of a consultation on that second draft. That consultation runs through November 7th. So I would very much appreciate all of the feedback that you all have to give on that.

Right here, we have some QR codes to the original Principles Consultation Report, and the first draft.

Here we have a very helpful graphic that just sort of takes you through each of the steps. The ones in gray have already been completed. And, again, right now we’re at the process of conducting the review on the second draft.

And here you can find the second draft that we’re currently running the consultation on. I’ll give you a sec, if you want to take that. All right, we’re good?

We also put out some supporting documents to help everyone make sense of what’s the difference between the previous draft and the current draft.

Here we have a link to a redline of the changes or a diff that shows you how is this draft changed from the other within the draft of the document. And for those of you that would prefer just a summary of what that looks like, we also put together a summary rationale document where we went through and explained the choices that we made based on the feedback that we received. And there’s a link to that as well. And at the bottom there’s just an FAQ on the whole process.

If you’re not able to click on that immediately right here, it’s all on the NRO NC’s website as well.

And as I mentioned, we’re in the midst of the consultation on the second draft. So here’s another link to participate in that directly. Again, we are running the consultation via mailing lists that are occurring within each RIR, as well as the ICANN public comment process. Pick your poison, whichever way you would prefer to participate. Or you can always find me or Kevin after and provide feedback that way.

And I know this is a shortish presentation but I’m happy to sit down with you and go through the details of the document as well later, since time probably won’t permit up here.

All right. So I’m going to start out by doing a quick overview of some of the changes that we made, and then I’ll go into a little bit more detail here.

So some of the key changes that we made is we made a small change to the title of the document. We changed the word “maintenance” to “operation”. We just felt that it reflected what was going on a bit more accurately.

We also added a preamble in response to the feedback that we received looking for a little bit more context and stating what the goals of what we’re doing are.

We also explicitly mentioned the Implementation Procedures. So I know I talked about Implementation Procedures earlier. There were Implementation Procedures that were put out and published and adopted for the original ICP-2 document, which is still in force until this process is complete for the new one. These Implementation Procedures are different than those. They’re applying to this document once it’s adopted by the community.

We had said from the beginning that this governance document was going to be a high-level overview and that there would likely be implementation procedures that came out later that went into more depth and would be appropriate within the document the community wanted to see that mentioned within the actual governance document. So we added that as well.

We also added some additional protections within the recognition and derecognition sections. We made some additions to the audits, which I’ll get into that in more detail. And we also added an emergency continuity process.

All right. So as I mentioned, we changed one word within the title of the document from Governance Document for the Recognition, Maintenance, and Derecognition of the Regional Internet Registries to Governance Document for the Recognition,, Operation and Derecognition of Internet, Regional Internet Registries. We just felt “operation” was a better description of what was going on there.

We also added a preamble to add in some context that the community had requested that we put there and clearly state what those goals are.

We, as I mentioned, so the Implementation Procedures for this document that’s going through this process, we explicitly mentioned those within this document. And in response to community feedback, we also made it clear that the Implementation Procedures that will be jointly created by the RIRs and ICANN, they can’t contradict the terms of the governance document. They can’t override it.

We just wanted to make it very clear that they couldn’t come around and then undo what the community consultation process produced.

It’s really just adding additional details and allowing the flexibility for implementing things in a way that makes sense, given what’s going on at the time. So, if they need to change the emergency operator or auditor or something like that, they can go ahead and do that without being tied down in too much detail within this document.

All right. So now we’ll get into the more detailed explanation of some of the changes that we made.

So, we received feedback from the community that, during the recognition process, the community wanted the ability for a new RIR to be recognized without unanimous support from all of the RIRs. They were concerned that there might be some sort of gamesmanship or something like that.

So, what we did is we put together a more sort of robust mechanism throughout the recognition process. So, say you want to start up a new RIR. The candidate RIR will go ahead and submit a proposal to the other RIRs and ICANN to be recognized. They’re going to lay out why they qualify, all of that.

The first step is it goes to the other RIRs. The other RIRs will independently review the proposal and make their own recommendations about whether or not to allow the new candidate RIR into the system and to recognize them.

If everyone unanimously agrees, great, wonderful, it goes on to ICANN. Then if ICANN agrees, wonderful, welcome to the RIR world.

If, however, there is not unanimous support during the first step where the RIRs are reviewing the proposal, then it gets rejected. But the candidate RIR has essentially an appeals process. So, they can file an objection with ICANN. ICANN will appoint an independent third-party to review not just their proposal for recognition, but also the decisions made by each of the RIRs, which will be published so that everyone will have transparency into what’s going on with that decision-making situation.

The independent third party will publish a report of its findings. And then from there, if only one of the other RIRs has recommended to not allow the candidate RIR into the system, then that candidate RIR has the option to essentially object again. If the independent third party found that the reason why that one holdout RIR was holding out, was due to a material error of fact or just inadequate justification, the mechanism allows the candidate RIR to come into the fold and join anyway, if there’s just one holdout.

Make sense? It’s a little complicated.

We also made some changes to the derecognition process. We wanted to make sure that that was as fair as possible at such an extreme thing to do, to derecognize an RIR. We already have a presumption of rehabilitation for that RIR, so it’s not a real quick process.

But if an RIR is going to be derecognized, first there’s going to be a proposal to derecognize them. That proposal now has minimum requirements that are set out so there aren’t spurious attacks, right?

Within that proposal they have to set out all the reasons why the RIR should be derecognized. And they have to point to, within the governance document, what are they not complying with? And then at that point, the impacted RIR has the right to respond publicly. And each step of this is published along the way so the community can see what happens.

So the impacted RIR can then publish their own response to all of the reasons that were set out for their derecognition. And ICANN is also publishing its decision along this path.

We thought it was really important to have transparency within there and also a stronger mechanism for any RIR that’s being proposed to be derecognized to really have the right to, you know, state all of the reasons why they should not be derecognized, and that the community would have a chance to see everything that’s going on there.

We also made some changes to the thresholds for derecognizing an RIR. Okay, so the very first step of derecognizing an RIR, there are three entities that can submit a request to derecognize another RIR. It can either be one or a group of the other RIRs, it can be ICANN, or it can be a group of the members of the impacted RIR.

Previously, we had had the group of members set at just 25 percent of the membership. However, we went through and did a deep dive into how many members does each RIR have. It turns out there are vastly different numbers in different regions. There’s also different criteria within each region for becoming a member. We wanted to make sure it was more fair across the board.

So instead of just 25 percent of the membership, we changed it to the lesser of 2,000 members or 25 percent, just because of the differences between the memberships within each RIR.

We also allowed, in this second draft, for ICANN to initiate the derecognition proposal. There was a concern that because each of the RIRs could submit a proposal to derecognize one of the others, there might be hesitancy on the part of some of the RIRs to initiate that process where it might be appropriate because there might be a fear that one of the other RIRs might do it to them.

So we wanted to have more sort of a neutral party that could initiate that process as well.

Although, it should be noted that ICANN cannot unilaterally derecognize or recognize an RIR. If ICANN initiates the derecognition process, it does still go to the RIRs at the next step. So they cannot act unilaterally. The RIRs will have their ability to participate in that.

And say ICANN, for some reason, decided to initiate a derecognition proposal and the other RIRs came together or each — sorry, the RIRs are considering independently whether or not to move forward, but if the RIRs all independently said, hey, no, what are you doing, it would end there.

We also made some changes to audits in response to the feedback that we received from the community. What we did is we added specificity to the frequency of the regular audit, so now it’s clear that regular audits will occur for each RIR at least every three years.

We also added the possibility of an ad hoc audit that could be initiated any time. The way that initiation of the ad hoc audit works is pretty similar to the initiation of derecognition. So it can be, an audit can be initiated, an ad hoc audit can be initiated by either 25 percent or 2,000, the lesser of, of the members of that RIR, ICANN or the other RIRs.

Basically, we wanted a mechanism to catch problems early on, right? Because we don’t want to jump right to derecognition. We want to be able to see what’s going on; if there’s an issue, have transparency for that. The audits will be published so the community can see those and understand what’s going on there.

And, as I just mentioned, we set the frequency for a minimum of once every three years for the regular audits. There’s two audits. There’s ad hoc audits that can come at any time if proposed by one of the three parties mentioned earlier. And then there’s also regular audits that will occur at least every three years. And, again, the audits will be published.

So another exciting new addition that we made in response to feedback from the community was we added emergency continuity procedures. So there was a concern that, hey, yes, we have this derecognition process if an RIR is not complying with its obligations and not serving its community, but what if something happens really rapidly that we need to respond to? What if there’s a war? What if there’s a natural disaster or something like that, where someone else needs to step in to make sure that the impacted community continues to receive the services of an RIR, but just for a temporary period of time.

This is not the same thing as a derecognition. It’s just a temporary step in case there’s an emergency that occurs to ensure that region continues to be served.

What it requires: Unanimous agreement from all the RIRs and ICANN, because we don’t want this to be weaponized, obviously; and it’s time-limited. It lasts for 90 days. It can be renewed for an additional 90 days. But if you renew it, it has to go through all the same steps to start the emergency continuity procedures in the first place.

So what happens if we need to start an emergency continuity protections? First, ICANN has to publish a rationale in the scope of the emergency continuity and initiate a community engagement process as soon as possible.

As I mentioned, it cannot exceed 90 days unless it’s renewed. And following the close of that emergency continuity process, where somebody else is coming in and stepping in, there’s going to be a postmortem review of what happened. What were the lessons learned from that experience? And all of that will be published for the community, so everyone knows what’s going on and there’s transparency there.

But we received a lot of feedback in the previous round that people wanted additional strength there just in case some sort of force majeure event occurs.

So, we also had some miscellaneous additional changes to rectification or amendment of this document. So, each amendment to the document needs to specify a grace period. And there are sort of two different grace periods that will apply.

Once this document goes through this entire process and it replaces ICP-2 for the first time, there will be a three-year grace period for all the RIRs to get to a place where they’re able to comply with the document.

If in the future, everyone comes together and decides, hey, we forgot this one thing, we need to make a change, we need to make an amendment here, then that amendment will need to specify what the grace period will be for RIRs to come into compliance with that. Because we don’t want to end up in a situation where, you know, changes are made and then all of a sudden everyone’s out of compliance and could be forced into a derecognition or something like that. We want to give everybody a reasonable period of time to get into shape for any changes.

We also added a dispute-resolution mechanism to Section 4.1. Section 4.1 of the document lays out what are all the ongoing operational requirements that an RIR has to continue to meet over time. We did this in response to community feedback.

It just ensures that every RIR has to have a dispute mechanism for their own members. So this is about the relationship between the members and the members’ RIR. And it has to have fair and effective adjudicative mechanism for members to enforce their rights against the RIR. So we added that as well.

We also added just an explicit statement that ICANN and the RIRs will act in good faith and fair dealing under the governance document. We did this, again, in response to community feedback. I think people were concerned that there would be some sort of gamesmanship, so we decided to explicitly state everyone that is subject to this governance document will participate in good faith and fair dealing, and any actions that will be undertaken will be done promptly and within a reasonable time frame, just to make sure everyone’s participating under the document in the way that it’s intended.

So, again, we’re going through a consultation on the second draft. That consultation ends November 7th. Please participate. Give us your feedback. All of the feedback that we’ve received so far has been so helpful and really shaped the direction that this document has taken. So we really appreciate all the work that y’all have done in reviewing, giving us feedback. And we’d love to hear from you again. So please participate there.

Again, you can participate on mailing list discussions that we have for each RIR. Or you can participate via the ICANN Public Comment process. And we really do take the time to go through every single comment. The NRO NC/ASO AC will be meeting in a couple of weeks to go over all of the feedback that we received, discuss it, and then make any changes that come about from that.

So, thank you all. Any questions?

Hollis Kara: All right. Microphones are open. So please do approach if you have questions or comments for Amy. Same with our virtual participants to join online.

Lee Howard: Lee Howard, unaffiliated.

Thank you very much. You guys are doing fantastic work. You know I’m really impressed with how much work has gone into this and the document you’ve come up with so far. Part of the way you know that is I’m the only comment on the ARIN ICP-2 mailing list in the last three months.

Two things, one quick question for you, I guess note for you, is early in your slides you had a link to the current draft. It’s actually not the current draft. It links to the one in April. So you have to go —

Amy Potter: Apologize, that was lack of clarity on my part.

Lee Howard: I know, you’re going all the way back to the very beginning.

Amy Potter: You can keep talking while I’m —

Lee Howard: My first question is, it wasn’t immediately obvious for me how to get to the current version of the drafts document. But I finally got there, and I found — and that’s when I found all the changes you were talking about.

Amy Potter: The earlier slide has the previous.

Lee Howard: Has the previous document, okay. So, I was clicking from the wrong slide, thank you.

So the second question is not for you. It’s probably for John Curran, which is at some point I think we probably need to hear from ARIN about how we need some discussion about how this is going to affect our region and the implementation in our region.

In particular, I note that, what made me think of it in particular is when you said there’s a threshold of 25 percent of members or 2,000 members, and I realized there’s three different kinds of members in the ARIN region, and I don’t know which one we’re talking about.

Amy Potter: I can also go through the text of the document with you a little bit later. I don’t have it in front of me right now, but I believe it does specify in there. I think it’s voting members, but I need to double-check that.

Hollis Kara: I see JC.

John Curran: Good morning. As it turns out, because this consultation is open through November 7th, we are not actually, right now, focused on what the implications are for ARIN.

I’ve been briefing the Board. The Board of Trustees, themselves, have been looking, watching this process. But we are going to wait until the NRO NC, the ASO AC has a chance to take this round’s comments and produce what is, quote, the final.

Now, how final that is, if it has minor changes, it’s probably final. If it has major changes, they may want to go back out to the community. That’s why Amy’s slide, when it shows the timeline, you’ll note it’s very specific until it gets to the next few blocks. We need to see what happens to know to be determined and quarters there.

But after this draft is done, whatever shape it is, whether it’s to be finalized or to go out one more time, is when the RIR boards and ICANN will engage on it to double-check any issues for implementation.

Now, a lot of the little details — like how will we interpret members, okay — we’ll do. And that will be something that we’ll generate as a Board and publish to people to say this is how this applies to ARIN.

If there’s substantial issues, that’s the challenge. If an RIR has to have a restructure of its governance in order to comply. And that’s the one that we hope to avoid. But if we do, there’s a three-year rectification period.

So we’re holding off on doing a formal assessment. All the trustees are watching this. But right after this November 7th consultation closes, and the NRO NC has a chance to do its best and final, we’ll engage and let the community know.

Right now, if you look at the document, my first guess is there’s no showstoppers right now.

Hollis Kara: All right. We’ll come back over here.

Oksana Denesiuk: Hi, everyone. Oksana Denesiuk, ARIN Fellow. So, I work in governance and policy. Thank you, Amy, for such an insightful and fascinating presentation. I have a question about continuity of audits for RIRs, for the RIR transfers.

For the organizations, is there a plan to put in place the continuity when RIR does transfer to another RIR in terms of compliance?

And my second question is in terms of governance and policy, is — there some plan to put in place some kind of governance framework that will help to even out the competitiveness among different RIRs, in terms of outflow of certain ISPs to other RIRs in a different region? Thank you.

Amy Potter: Sure. I’ll address the second question first. I believe that’s a little out of scope for what this document is doing when it comes to — I believe when you say the transfer from one RIR to another, you’re referring to the emergency continuity procedures, when someone can step in for a limited period of time. During that process, there is — as soon as possible after it’s started, there will be a consultation and review of that.

And then also after the 90-day period has occurred, there will be a postmortem review where they look into the effectiveness, any issues that came up and that sort of thing.

Oksana Denesiuk: And about the audits?

Amy Potter: So, it’s not framed as specifically an audit within that. But it’s a similar type of process.

Oksana Denesiuk: Thank you.

Hollis Kara: Thank you. I think we’ll come across.

Kaitlyn Pellak: Kaitlyn Pellak with Amazon Web Services. I did have just one question about the ad hoc audits. I know you mentioned that that is a certain percentage of the members of the RIR.

And I’m assuming that is the truth, but I just wanted to clarify that you mean of that RIR; like it can’t be the members of a different RIR?

Amy Potter: Yeah. So the ARIN members could not initiate an audit of a different RIR but either — the lesser of 25 percent or 2,000 members of ARIN could initiate an audit of ARIN, for example.

Hollis Kara: Thank you. Great. Come over back over here.

Lu Heng: Lu Heng from LARUS Limited. I’ve got a few observations on this document and during the whole commenting process. First of all, me and a lot of people I talked to, we were advocating for the number portability.

And that comment has been continuously disregarded by some of the NCs as it’s a policy issue of the RIR; it’s not in the ICP-2.

So on that front, I believe that should be recognized that it is a community to decide what should be in the document; it is not for the NC to educate people that this should be in the policy or that should not be in the ICP-2.

If the global community thinks the rights to your numbers is extremely important, and if there’s potential changes in the governance or the policy that might negatively affect you and you should have the right to move to another RIR, then that should be in the ICP-2. It should not just be in the policy document of that particular RIR, because that’s exactly the reason why we need to have the number portability, because you might not like the policy in this region and you need to have the ability to leave.

This is also good for the stability and all sorts of reasons, but the most important thing I want to comment on here, is it’s not for the ASO AC or the Number Resource Organization, the NC, to be in the position to decide if this belongs to the RIR policy or it belongs to the ICP-2 document. If the community wants it, we should put it.

Number two, I did not see a specific clause that allows members directly remove the Board of RIRs in case things go wrong.

And the process of recognizing an RIR or derecognizing an RIR, it’s entirely done at a very high level and requires massive support of the members to a point which is practically impossible.

Let’s say 25 percent of the RIPE members, we’re talking about 5,000 independent organizations across, what, a continent, or half the planet. That practically is impossible for any group of members with discontent to find that much support and to go on on things if things go bad really quickly.

The initial of ICP-2, let’s address the elephant here. I probably was one of the primary reasons this review was started in the first place, then we need to have a solution. We need to have the members, their rights be protected in the first place really quickly, not asking them to go across a continent and finding 5,000 organizations supporting them, which is practically an impossibility.

So I believe this document still needs a lot of work, and at its core, we need at least some contingency plans to protect members’ rights, which of that call is a number portability.

If an escalation was unavoidable — if a group of members wasn’t particularly happy about the RIR, which happened in the past, just couple years ago when the war of Ukraine and Russia goes on, a huge group of Ukrainians come to the RIPE meeting, require lockdown to their resources, and that was only done nearly 12 months later.

And now you guys are suggesting, really, for those Ukrainians, to go out and find 5,000 organizations to support them in order to have their voice heard.

No. Things like that needs swift action. And one of the best ways to solve this is allow members to move to another RIR if so required, whether it’s policy dispute, whether it’s a contractual obligation the member does not feel satisfied with, and then allows new RIRs to be established without this very strict requirement that RIR need to be anonymously — almost anonymously, yes — I would back down a little bit.

You know ICANN can have a third party, but that’s also another practically an impossibility task. There’s no reasonable organization without billions of dollars that will be able to go through that process. Practically speaking.

So we will need to allow new RIR to come up, encourage competition, improve service qualities so we will have a healthy ecosystem not constrained by a small garden of people. We’ll have a more fullish Internet and more freedom of the future. Thank you.

Hollis Kara: Thank you. Do we have any more questions or comments before we close the microphones?

Lee Howard: Lee Howard, unaffiliated. I do think that Lu Heng’s impassioned plea has certainly some merit in terms of, in particular, I’ve also had some concerns about the timeliness of the responsiveness in the various parts of the document. I have not come up — I have not mentioned that before because I haven’t thought of a better way to do it, honestly.

As far as number portability, though, that seems like an entirely new policy that could go through the global policy process, which would be facilitated by the ASO AC, but to me that seems like it is outside the scope of this document.

Tina Morris: Tina Morris, AWS. I agree with what Lee said. That should be a global policy. I’m not opposed to it existing, that’s right.

Also, in general, I wanted to say thank you so much for the supplementary documents. That’s made it very digestible.

Also, some organizations have difficulty posting on the mailing list for reasons of our company. So don’t take the lack of support there as not participating in the process.

So I really appreciate the council, not just Amy, but everybody on the council’s willingness to talk and sit with us when we can’t really discuss it publicly and all of that.

So thank you for doing that. And thank you for handling the difficult task of taking everybody’s individual opinions about what they think the RIR system should be after participating in it for a number of years, or hitting whatever roadblock, and trying to merge that with what’s good for the entire community. And that’s incredibly difficult.

I’d rather this document be a little more broad and not get into specifics and use policy for the specifics.

Lu Heng: Lu Heng, Larus Limited again. Just a response to Lee Howard. That’s exactly what I’ve mentioned first.

It’s the community to decide which part of the document that policy needs to be.

It’s like if we believe certain things are freedom of your rights, then that should be in the constitution. It should not be in state law or federal law, it should be in the constitution.

For example, freedom of speech, and all that sort of thing. If all the members — if the community believe number portability, the ability to carry your numbers, because a number portability essentially means that the numbers stay with the member, not the RIR. That is a fundamental change.

And I don’t think anyone, personally, have the rights to disregard that as out of scope. Who defines the scope? What is the scope?

The scope of this very document is make sure the RIR operated for its members. If we believe some of the RIPE member rights is so fundamental that need to be part of the precondition for an RIR to even exist, then this is inside the scope of the ICP-2.

Thank you.

Hollis Kara: Thank you. We’re going to wrap it up. We’ve got time for one more comment.

Louie Lee: Louie Lee — this is Louie’s hat – affilation Google Fiber ISP. Also past ASO AC chair. I might add that Lee was also a past ASO AC member, so we have certain viewpoints that is based on experience.

Plus one to what Lee said. Also, in terms of scope of this document, specifically for the operations, recognition, derecognition of an RIR.

And plus one to what Tina was saying. Not necessarily opposed to having other issues in scope for a global policy, but not for this document also, also speaking as a community member.

And then lack of mailing list support from my organization. It doesn’t mean that there is no support. All right.

So thank you for the work, to you and to Nick and the rest of the ASO AC, in gathering all the comments, feedback, on-list, off list, everything, and the work in producing this draft. Thank you.

Amy Potter: Thank you.

Hollis Kara: Thank you, I think we’re wrapping up. Before you leave the stage, Amy gave a very comprehensive overview. I’ve had the great privilege of doing a lot of support work with this.

If I could get Kevin to stand up too. If we could get a round of applause. These guys have put in a ton of work over the last 18 months, and it’s ongoing.

(Applause.)

So thank you to both of you. It’s been a pleasure, and we look forward to a successful conclusion to this effort. Thank you, Amy.

(Applause.)

All right. We’re going to scurry on ahead. As you may note if you looked at the agenda, we pulled forward Directory Services from yesterday, and it is a little bit after 10:00, which leaves us with a gaping hole before break —

Beverly Hicks: Hollis, if you stop clicking, we can click it for you.

Hollis Kara: Cool. Even better. Save my thumb.

Anyway, in light of that, we’re going to go ahead and move forward our Routing Security Update with Brad Gorman, our Director Of Customer Technical Services. Come on down, Brad.

Routing Security Update

Brad Gorman: Thank you, Hollis. Thank you for pulling me forward. I always like going before lunch than after.

So, I’m Brad Gorman, Director of Customer Technical Services, but I’m also the responsible product owner for RPKI, IRR, the routing security services that are important to the Internet today and moving forward in the future.

I’m going to be talking about that today.

Three basic sections, I’m going to be briefing everybody on today, would be the current state of the RPKI in a global context, in the context of ARIN, and then go over some newly delivered features and features that are on our roadmap for further development.

So, what does it look like in the world today? The key factor or measurement of how RPKI’s functioning and the performance today is the global validity state.

Over the last couple of years, there’s been increase in validity, which means not only are the resources that are being announced are visible, but they are also covered by Route Origin Authorizations, or ROAs, and that key validity state is what is used for the main feature that’s available today in RPKI that network operators can use this information to build a more robust and more informed policy for their Internet-connected devices.

Now, the numbers have, yes, been increasing, and both IPv4 and IPv6 passed a 50 percent threshold in the last 18 months, IPv6 in the end of 2023, and during 2024 was when IPv4 did.

So, there’s an incremental growth, but what we can see is that, as we’ve been successful in getting people to perform, cover their resources for RPKI in their ROAs, which makes RPKI better, we’re now looking at the possibility of it levelling off.

Now, what does that mean? It means that we’ve hit the low-hanging fruit. That low-hanging fruit are the organizations with the largest blocks of resources that are being announced today.

And that’s important, because it has added that benefit, that feature, the capability of what RPKI promises, but we’re at a more difficult point. There’s still a lot of resources on the network or on the Internet today, but they are under the — they’ve been allocated to smaller organizations.

Now, do their smaller organizations know why they need to do RPKI? Education is in process. Not only here at ARIN — I had a workshop at the NANOG meeting that just concluded, but this kind of work is being done in all of the RIRs, in all of the regions, promoting the fact that just because you only have a small block of resources doesn’t mean it’s also important for you, those resource holders, to cover those with RPKI routes.

It is now the harder process, the longer-term, the getting the message out far to the edge of, hey, this is important for everyone. It’s a global context that needs to be fixed, and we’re all part of that global community. So, education continues.

So, within ARIN, what we’ve seen is a pretty steady growth in our organizations within our region, signing up and performing RPKI services, whether that’s just joining, but as a just general group and forward progress of making it happen, we’ve seen that over the last five years. It’s pretty consistent.

And the numbers that we had available prior to coming to the meeting here, at the end of September, is that we’re pretty much on track to meet and exceed the number of organizations, the growth that we had in 2024. We’re going to meet or exceed that in 2025.

So, within ARIN, where there are three basic services that we have to offer for RPKI. There’s a hosted service. There is a delegated service. And then there is a repository publication service. I’ll go through them really quickly. For many of us, they might be familiar with them.

But the hosted RPKI service, which is broadly offered by all of the RIRs, is where the registry performs a certificate authority process. We’re the ones that can authoritatively say, hey, these IPs have been allocated to these organizations or these people.

So, in the RIR context of hosted RPKI services, we run that certificate authority, but we also maintain and publish the repository of information that’s associated with those ROAs, the real components of how RPKI functions and what’s necessary to make that feature set, that capability, the benefits of RPKI to function.

ARIN also has tools that we’ve developed for people who use the hosted services. And it’s really the simplest implementation of starting to use any long-term use of RPKI, because the resource holder’s only responsible for making statements about their resources themselves. There is no additional load or requirement put upon them to get started and continue using RPKI.

Delegated RPKI’s kind of the other side of that coin. For an organization that either has a requirement or the desire to maintain cryptographic control, they have an opportunity to run their own certificate authority, and that CA is responsible for the maintenance, making sure that the ROAs that have been created follow the same consistency checks that ARIN does with the purposes of a hosted organization, but they have that additional requirement of the maintenance and running and the publication of the RPKI repository.

So, there’s a bit more that’s associated with that, and really the recommendation would be for any organization that has a desire or a need to make sure that there are additional technological or other human resources responsible and needed to perform that.

So, Repository Publication Service is an offering that ARIN has that for those people who don’t want to run a high-availability repository, it is an option for them to choose for ARIN to maintain that repository. So, these are the three capabilities that ARIN offers our members in order to sign up for, use and run RPKI services.

So, within ARIN, we have over 7600 organizations that have signed up for service. What that means is they have selected a button that says, please sign up for RPKI. We have healthy growth year over year so the messages getting out within region, and they’re continuing to adopt and start the process of making the statements on the resources. But the breakout is pretty extreme. Most organizations, not only in ARIN but globally, will sign up or have signed up for hosted RPKI services.

It’s that ease of use, ease to get started, and ease of continually running and using RPKI services is why hosted has been really the most predominant use case of RPKI.

In the delegated RPKI, the number of organizations that do use it, it’s a very small percentage based in ARIN numbers, but of those delegated customers, nearly half of them use the repository publication service. Get the hard part out of the way.

An even recommendation, it’s probably — here’s my opinion. Using the repository service makes it easier on you, so please take advantage of that and take the opportunity to go through and use the work that ARIN has done for you to continue moving forward.

Now, the key takeaway out of these numbers is the fact that adoption of RPKI does continue to grow. What we’re seeing, as I said before, is that the largest groups have signed up, and now it’s the smaller organizations that we’re moving forward with.

So, the continued education, understanding of what it does, how it works, how to use it and the benefits, that message is still getting out, and people are interested. And that makes me, my peers, and other people in the RPKI community in general very happy that the progress is still being made.

A lot of numbers on this one. Sorry if they’re a little bit too small. But we broke out the use of RPKI across three different segments: The government organizations, educational institutions, and then others: the commercial ISP, the enterprises, the individuals that use RPKI services.

And, really, the gist of these numbers is the fact that, over the last six months, and since our last meeting, there has been an increase, a relatively steady increase in each of the different sectors that are turning up RPKI and using those services.

However, what you might see is that in some of the numbers that are coming forward is the fact that there has been a burst in some numbers of support and that are starting to — this particular update is — these numbers have been skewed a little bit by the large surge in uptake.

So, across the region, yes, the U.S.A. and Canada are, unfortunately, way down at the bottom. But what that is really indicative of is there are many more organizations within Canada and the United States as a whole that need to or have signed up based on, you know, just sheer numbers of membership.

I’m still very pleased to see that, within the Caribbean community, there has been very good adoption. But that in and of itself, that is why the Canadian and US numbers look artificially small. Not that it would be great to see those numbers increase beyond where they’ve been since the last update.

This is one of these charts that kind of has a larger impact on where some of these percentages become. And we have seen a large increase in the number of resources that have now come under contract and are eligible to use RPKI services.

And that alone has driven what looks like a plateau or even drop in the other coverage of RPKI services under ROAs or the number of allocated resources that are being used or signed up for to use RPKI services.

So, as time goes on and larger blocks of IPs that have come under contract are now, then, or will then be covered under RPKI services or using them and put under ROAs, we’re going to see these percentages really jump up.

This is another case of the progress and hard work that people inside of the customer organization have been partaking in getting more organizations eligible by putting resources under contract.

The US percentage dropped from roughly being in a situation where we’re right next to Canada, same amount of coverage, that’s why we’ve actually dropped to below 50 percent of our resources. But that’s indicative, like I said, of additional resources coming under contract since our last meeting.

So, our development and testing teams, really, have been busy in the last six months and a little bit beyond going to the end of last year with regards of new services that have been requested and then delivered to our customers to use.

So, since our last meeting, three relatively big features have been delivered by the team, coming from requests from the community, on what they asked ARIN to give to us, through our suggestions process or through direct interaction coming into meetings and talking with the community directly.

The first one was the ability to modify a ROA. Now, historically, previous to this feature going out, the only way to modify a ROA would be to delete and recreate that ROA. That could have an impact in the validity or the reachability or just the visibility of what that prefix or prefixes inside of that ROA were covered.

And now they have — everyone has the capability, whether through the API that we have delivered or through our web interface, to make a change in a ROA so that the existence of the ROA does not fall off in between one edit and a future edit.

The ASPA Object, it’s actually an object that’s still in the draft stages, hopefully near the end of the draft stages within the standards community.

The ASPA’s gonna be another object that will be complementary to the ROA as far as how RPKI functions and the usability of it. It is an Autonomous System Provider Authorization.

We developed the feature set and the tool that the RIR piece is responsible for. Merely, it’s the shape and size and condition and what needs to be within an ASPA object, it has been solidified.

So not only ARIN, other of the RIRs have put forth development to create these ASPA objects in preparation for, hopefully, the upcoming ratification and acceptance of ASPA as a whole out of the IETF.

You have the capability of looking at the feature set of doing some testing, for scripting, moving forward, getting these things created so when it does get released into production, you will have some comfort and familiarity with it. It won’t be a surprise.

It’s available in our operational test environment. It’s an unfortunate occurrence I’ve heard far too many times. There’s a test environment, what is OT&E? So, as time goes on, you’re going to hear me and other people hopefully talking more and more about it evangelizing it.

So, yes, ARIN has a very robust test environment that is a production equivalent. The same features associated are available to you as in the live ARIN Online system.

And one other big thing that happened since we last met was the sunsetting of the previously developed API. This was the original API that was delivered at the very beginning of ARIN turning on its RPKI services.

So, over time, there have been many additional features and capabilities offered within the services that ARIN runs, and we developed a new API that was delivered more than two years ago, and we went back, communicated with people that had historical use of the 2014 endpoint, made sure that everyone was comfortable, had moved over to the new endpoint, and that was why we felt comfortable in sunsetting the capability and the older API.

Okay. This is a new feature that was just delivered the end of last month. There is a lot to unpack out of this one, so I’m going to spend a little more time on this slide than the rest.

So, we have not had the ability — our customers haven’t had the ability, nor have ARIN staff had the ability, to track the changes that people are making with regards to their ROAs.

And once that vulnerability — or bad word — once that visibility or that feature set, that capability wasn’t with the customers, we went through the process of delivering what is called a ROA Change Log.

Change Log has one-year of history lookback at what has been changed and who has done it and the specific resources associated with it.

You can see that real time in the UI. You can download that to a CSV file for off-system further research into the numbers and crunching it on your own. And it is something that already has been well received, and I heard a lot of feedback about it earlier this week during the NANOG meeting. Glad that it’s there, glad that people are happy with it and using it, and we will have additional enhancements that we’ll be giving to internal customers, the RSD analysts and things like that, to further assist customers who want to understand what has been done in the past.

This is a big one. So historically, and even today, if an organization has initiated a transfer, in this case an 8.3 or 8.4 resource transfer inside of ARIN, there’s a responsibility upon them to make sure that, hey, if my resources are associated with a transfer, exist within a ROA, you need to make sure that those resources are either, you know, preemptively taken out of a ROA or at least consideration has been given to the content within the ROA.

Because if a transfer is executed with resources inside of a ROA associated with that transfer, the cryptographic signatures and the components would end up that the ROA itself would become invalid, and it would be deleted per standard, per the way it works.

So, anyone who had been through the process had to manually take, you know, make the effort ahead of time to make sure that their resources were properly accounted for and would modify their ROA ahead of time.

So, we looked for — we asked of the community, and developed a feature that will take into consideration — ARIN knows the before-and-after state of what your resources are going to look like. Those resources are on your RPKI certificate. We know, when the transfer takes place, that certificate automatically changes.

So, in the same vein of supporting customers that have created ROAs that we auto renew, we have developed the capability and the feature that ARIN will repackage a ROA at the execution of a transfer so that if resources involved in that transfer had not been preemptively taken out or a new ROA had been generated, the sequence is that we will regenerate a ROA with the remaining resources that are on a resource certificate, and the intent is to make sure there’s not an untimely end of life for a ROA.

There are two really key components to this.

We have not disabled the capability of a resource holder to make these changes prior to a transfer, but it’s also critical that the customers who do have transfers and their ROAs go through this automated process of being regenerated, it really is still a responsibility of the resource holder to make sure that the before-and-after is what was intended.

So, we’ve made it so that this process —it’s an automated safety net, but it’s still a responsibility to make sure that what comes after is really what you intended.

So, it is imperative that you still maintain that understanding and ownership and the visibility into what those ROAs look like both before and after a transfer.

What are we doing moving forward? We’re continuing listening to and working through suggestions that the membership has made. The next big feature set is what we’re calling RPKI Intelligence or RPKI Routing Intelligence.

Today, when a customer goes and creates a ROA, we give a very easy-to-use interface for our online customers. We have a very robust API that allows people to go forth, create and move forward. You’ve created your ROA in a very simple manner.

But what clearly has been missing is the understanding of maybe what that impact might be. Or what is my current state of announcements on the Internet?

How is it possible — what potential impact?

What will it look like, if this ROA is created, do I have something to take care of after the fact? Or is what the ROA that I’m creating really doing what I’m intending it to do? Or could it have a negative impact as it’s being deployed?

So, we are presenting the customers with a table of information about their current announcements. We’re going to give guidance as to, hey, you have an announcement without a ROA, would you like to create one?

Knowledge of, if announcements are being marked as “invalid” as part of the origin validation process, and say would you like to correct this? Or if your proposed or staged change will have what could be a detrimental effect based on announcements that you have.

So, all of this information put together is being made available to the customers that we have not done before. And this is something that people really have asked for and we believe — I know — but we, the community, believe that it’s going to be a huge benefit to the membership.

And further on down the line, another thing that has been asked for — and we hear from customers of customers who are using RPKI, or who want to use RPKI, within one of the major requirements of using RPKI services is that those resources have been directly allocated to you by ARIN.

And anyone who has been the recipient of a reassignment from the direct resource holder or reallocation of those resources, they have not had their own RPKI destiny, for example.

So, we are planning on developing a service that would allow direct resource holders to pass along the ability to have your own RPKI destiny, to create your ROAs on your own behalf, rather than needing to come back to the direct resource holder to do that.

This is really something that we have heard in customer calls: Can I do this? And the answer is today, unfortunately, or today, given the requirements, it is what a direct resource holder that must do it for you. So, it could — it will stop those questions.

It will give these people who are asking for this feature an opportunity, but the direct resource holder will have — still maintain the full control of the RPKI destiny of the resources they have been allocated.

If they want to maintain ownership of that and are happy enough with customers coming in and requesting this, hey, I need a ROA created, they can maintain that or they can say: Go forth, do the right thing, please, and create ROAs for yourself.

I’ve said it before; routing security is a global effort. It’s all upon us to do what’s right to make statements about our resources because RPKI is only better when the information that is out there is stronger and more complete.

So, the routing security team is here to help you. In general, in broader terms, ARIN and the RSD team is here to help you. Please reach out. If you have a question or a concern, a desire, a gripe, we’ll hear it. We want to listen to it. We want to serve you.

Questions?

Hollis Kara: All right. Microphones are open. Online, please start typing into Q&A, if you have anything for Brad. Otherwise, we’re going to go to the microphones on the floor. I’m going to start with Sparkles over here.

Alison Wood: I know, I’m blinding you guys. Alison Wood, state of Oregon, early adopter of RPKI. I read that there was an executive order that the federal government deploy RPKI in January of this year, and it looked like we went from 7 percent to 18 percent in government deployment of RPKI.

But can you comment on how the federal government’s doing, or if that executive order even exists?

Brad Gorman: The executive order, I think, that you’re referring to was a 2023 executive order that was updated in January of this year that, in fact, the RPKI information was maintained within that executive order.

So, the intent is there, but I see John Curran is up, and he can answer a bit more authoritatively on that.

John Curran: He’s 95 percent right on directional. So, yeah, the cybersecurity order that the prior administration had put in place in almost the last days of the US administration called for US government agencies to mandatorily work with ARIN to update their registration records to bring resources under registration agreement and to deploy RPKI.

When the new cybersecurity order was issued, they reaffirm Executive Orders. When that one was reaffirmed by the incoming administration, it took a while before it was issued. When it finally was, the language to bring your resources under agreement and update your contact information remained. The information regarding doing RPKI ROAs became advisory. It became recommended, not mandatory.

And that reflects a reality that government agencies have many priorities they have to hit, and you can’t just put one in a list and expect it to be done automatically.

It will get done. But it has to be matched with all the others. So, it’s not mandatory now, it’s just a strong recommendation.

Alison Wood: Thank you so much.

Brad Gorman: Thank you, John.

Hollis Kara: Going to cut to Angus over here.

Leif Sawyer: Angus Young, AC/DC

(In costume for Halloween)

— no, Leif Sawyer, GCI, ARIN Advisory Council. Brad, I want to thank you and your team.

You guys are making this so easy to do. I turned it on earlier this year, in March, and it’s been just going. Right? I’ve had no issues.

The Change Log that you rolled out here in September is amazing. I can’t wait to show this to my staff and say, you guys can go do this now because I can keep an eye on what you’re doing, and if you make a mistake, I can roll you back because the Change Log is there.

I’m really looking forward to the next iteration with the delegation. That’s going to be fun.

But kudos, major kudos. Thank you.

Brad Gorman: Thank you for that, Leif. And if you want to rip off a few riffs later, we’re here and the microphones are live. Kevin.

Kevin Blumberg: Kevin Blumberg, The Wire. Absolutely echo the incredible work that’s been done here.

The delegated down to our subcustomers is probably the biggest single missing feature that was a, wow, that would be incredible to do but it’s probably never going to happen, so we’ll just do it manually the way we’ve been doing it. And now being able to give it to our customers is wonderful.

Small thing: Automation is awesome. Love automation. Everybody is complaining at 30 days that my ROAs are not renewed. And it’s a blame game. They’re blaming you for not renewing it in time. You’re blaming them for setting an unrealistic date.

If I could have a window of five or six days where I could say, you know what, renew it at 35 days before expiring and not 30 days before expiring. Even if you made it 31 days, the likelihood is then it becomes their problem, as far as I’m concerned.

But the exact specificity you have it set to right now is triggering alarms everywhere, and those alarms, because RPKI is so new, I think, is freaking people out. They’re getting it.

So, I don’t know if you’ve seen this or heard from people on this one. It’s annoying. Would love to fix that.

Lastly, Mark Kosters did a presentation where basically he was talking about all the things we are getting rid of or want to get rid of. I saw the 2 percent number for delegated. Is that 2 percent of total resources?

Brad Gorman: Those numbers aren’t based on resources, but on the use of the ARIN organization, which service that they are using. It is not tied — those numbers weren’t tied to the actual count or percentage of resources that were under that feature.

Kevin Blumberg: I guess what I’m asking is if everything and all these features are moved towards hosted and hosted has been — we put in one 10 years ago. We put in the delegated 10 years ago and thought a lot of people were going to take it up. And they’re not.

You’re spending a lot of money developing it and putting a lot of features into the hosted one, I’m just wondering, are we at the point where — again, I guess it comes down to numbers. If 85 million IPs are in the delegated one, awesome, but is this a long-term question for the community to, should we be doing this?

Is it time — give it 10 years and it’s time to sunset it, or are we going to be talking about it like RWhois in 15 years?

Brad Gorman: John, do you want to go first?

John Curran: When you think about the delegated service, it’s really interfacing to the customer’s own CA infrastructure so that they can manage and operate it themselves the way they want with their protocols, security, infrastructure, et cetera. It’s not a lot of work to us. It’s much like the difference between us running your DNS versus you running your DNS.

If you want to run your DNS, we should be able to do the delegation linkage. It doesn’t take a lot of work for ARIN to support the delegation of RPKI to a customer; it’s not a high resource or high maintenance item, and it lets the customer administer it under his controls, under his security in the model that he wants.

Hosted, we’re doing it all for you. There’s an enormous amount of work to maintain and develop hosted. But then, again, it also provides the ease that many people just want to click a button and have us do.

I do appreciate the, we need to be careful about our resource investment, but delegated isn’t so much a resource investment as letting the customer invest the resource themselves in building his own system.

Kevin Blumberg: I guess my bigger concern, John, is everybody in this room can attest to RWhois availability. If you’re relying on the other party who is doing the RWhois to have an up-service, that’s been the biggest problem with that. So, we delegated out. Now routes are getting dropped because you can’t get the information.

Yes, you can say it’s their problem, but that’s my concern. Maybe if it’s under the, what is it, the RPS?

Brad Gorman: The Repository Publications Service.

Kevin Blumberg: Then it’s sort of best of both worlds, but that’s my concern is that we’re going to deform down to what’s happened with RWhois, which is it just doesn’t work reliably.

John Curran: Have you seen delegated RPKI data not be present?

I will tell you it seems to be a different beast altogether. In the case of RWhois — (echo) wow, I’m using my authoritative voice — in the case of RWhois, for many people, unless they were coming back for resources and they had to show utilization, it was something they updated usually before they came to us.

In the case of RPKI, the customer is the driver of the system. So, I’m very sensitive to the possibility, but I don’t think we have the same characteristics involved.

Lu Heng: I have a couple of things. First, Brian, you guys did a great job. You know we manage IP addresses across all five RIRs and your feature and the ease of use of your system is great. I will say if not the best, but I’ll leave that part, right? It’s great.

As a delegated, a bit of follow-up on the large entitlement, the delegation would be great, because when you manage, like, millions of IPs to thousands of networks, then forced automation delegation to be able to run our own, say, server is wonderful, it’s great. It’s really improved efficiency than when you click, you have to click button once, but that’s okay, but if have to click a button like a thousand times every hour, then it’s not become fun. So being able to run delegation is great.

A few questions for you, since our last speak — since our last ARIN meeting — what is the process of standardized APIs and basically the technical operations for RPKI services across all five RIRs?

I haven’t seen a standardized document been published or anything. It’s been almost a year since we last talked in the last ARIN meeting.

The second question is, would that be possible? I know that was a bit of historical here, is the community wants ARIN to host the root key for the resources and delegate it back to the customer, but would that be a possibility? Because I believe this is not really a policy issue but rather an operation issue.

But, in the future, would ARIN be open to, let’s say, just give the private keys back to the resource owner, let them take the full responsibility.

Of course, there’s a possibility for them to lose it. But if they lose it.

Brad Gorman: To your first question, yes, we did have a discussion about the visibility and the differences in the use cases across RIRs, that all of the feature set isn’t the same.

Much of that is dependent upon the five RIR communities that each have their own requests coming in that they need to meet for their members.

Now, the NRO asked for or set up a RPKI Steering Group that we have been meeting regularly every six weeks. We do it online, on a Zoom call or a Teams call, and we also meet at all of the IETF meetings.

Now, there has been some progress on starting to pick off the requests that are coming in from the community. All of those updates do come from the NRO site, the coordinator, wrangler of all of the individuals in the RIRs that, like me and Mark, that have the same responsibilities.

That’s where the work is being published and put out to the community. So, I would recommend going to the NRO website to get answers towards that and then the progress and the state of the work that we’re in right now.

You know, what we talked about is being addressed, and the updates on that you can find on that site.

With regards to the keying, I see someone else who is further back in the queue that will have an opinion on keying and how it works in the DNS community. So, I can’t — I don’t know if there is currently an appetite to do what you’re requesting inside of ARIN.

So, really, I don’t want to articulate what I think is going to happen. So if there is a request to do something like that, you’re standing at the microphone at our meeting, we’re listening to the community, there’s also the suggestions portal, which is probably a better way to more accurately, in detail, articulate what your ask and what your need is, and I really would suggest doing that so that we can address any points or all points that you might have or that you do have in the request so that we can make sure that everything is addressed.

Lu Heng: Thank you very much. John may have something to add to us.

John Curran: For something like this, the problem is we need to engage the command wheel, we need to understand what functionality you want and gauge the demand within the entire community. The advantage of putting it in the suggestion process is it goes to ARIN Consult. Everyone can comment on the value of that whether there’s a better way to do that, the value of ARIN investing in that.

When we have ideas for new functionality like this, best to hit the ARIN suggestion process. It will go to ARIN Consult. People who have interest in our services and we want to comment on their direction, please subscribe to ARIN Consult.

Lu Heng: Thank you very much.

John Stitt: John Stitt, Hopkinsville Electric System and current ARIN Fellow and very uncomfortable with microphones.

First off, thank you for all the work you’ve been doing on this. One slide you had was about upcoming features for being able to see how RPKI changes will affect your current announcements. That’s a very welcome feature coming. I work with a lot of other smaller providers that they’re often reaching out to me saying, like, hey, I need to do this thing; I’m afraid it’s going to break stuff, can you help me out with this? So that will be very helpful for that.

But the data on current announcements, where will you be getting that data from?

Brad Gorman: That will be a part of information that is presented to the user. So, if the desired feature that we’re developing — and in fact, we’ve started development on this since September 30th on this — will be multiple tables that represent either, this is what your resources were going to identify and give the customer the presence of current announcements of their resources on the net today.

And in that table, we will represent whether it’s already hit RPKI validity or if there’s no ROA that’s covering it. Or if there isn’t one, if there is a state or particular announcement that might be or are being marked as invalid and they’re being dropped, just to give that intelligence to you so that you can go forth and either make, take steps to rectify invalid, things like that.

And then the other component, the other side of it is, as you’re going to create ROAs, what could be the possible outcome for doing that.

John Stitt: To clarify, what I’m looking for is more, is it like RIS, route views or some other public data source like that?

Brad Gorman: Yes, yeah, so the information we’re pulling from — you called the two of them. We have information being sourced from RIS and route views that will be used to populate that information that we’re presenting out to people.

You know, we hope to have a relatively recent snapshot of everyone’s resources, whether it’s whatever the time window is, it will be at least representative enough to say, hey, this is what it looks like, and this is a potential here.

John Stitt: Perfect. Thank you.

Hollis Kara: All right. One last question, comment.

Robert Seastrom: Rob Seastrom, ClueTrust, ARIN Board.

I’m speaking on my own behalf and on my own interest, not as a member of the Board. Lu has stepped out, unfortunately, and I wanted to ask him for clarity on exactly what he was asking for because it wasn’t entirely clear to me.

But as a general principle, being able to export the keys, not the signatures, from any kind of HSM-based platform is something that’s really hard to do, particularly in a platform independent way, and that’s by design. That’s part of maintaining the trust chain.

I’d welcome a chance to collaborate with him on that. But I’d like to use this opportunity at the microphone to ask you for the statistics, for the easy button.

The hosted RPKI has been extraordinarily popular, and your slides are wonderful about presenting the choices, because ARIN generally doesn’t take a platform based on which thing you should use. But in the spirit of 50 million Elvis fans can’t be wrong, what percentage of people who are new to RPKI are choosing hosted RPKI?

Brad Gorman: Well, the percentage that was on that slide was 97 point —

Rob Seastrom: I’m sorry, I missed that one.

Brad Gorman: One of the important things to pull out of that, is it’s not just users with, you know, a few resources. It’s not just, you know, an endpoint with a /24.

The largest consumers of addresses within our region are the largest, you know, allotments, allocations. Those organizations are using it too.

Just by fact of the tools that we deliver and the ease of use of those tools, the responsibility and added requirements put upon a delegated operator of a CA, it’s just — it’s kind of a no-brainer.

Typically, the people who do set up their own CAs and run a delegated instance, have some form of company requirement to do that, to maintain some information and hold it closer to themselves.

So that number, that use of hosted services across all the other RIRs is relatively consistent in percentage. It is the vast majority of members inside of all the RIR communities that have chosen to use hosted.

Robert Seastrom: One last point. There’s an OT&E environment. It is not just for developers. Rich Compton has a very nice automation framework. He’s from Charter.

Brad Gorman: Comcast.

Robert Seastrom: Sorry, I missed the update. On his GitHub, I’ve used ARIN Online to issue ROAs and hosted. I’ve also used his automation.

Even if you’re only doing one, you can test it against the OT&E environment, have another set of eyes on it, match intent versus outcome, before you run it against production.

And it’s wonderful, and your risk mitigation people will love you for it. I know, because I wrote the risk memo for it in my last job. Thank you.

Brad Gorman: I like to say that OT&E is a place where you can go medieval on your configuration and not have any impact associated with it. So, please, make use of it.

You’re going to see additional information. We’re going to publish, hey, did you know about OT&E? Unfortunately, too many times the answer’s no. So, we will be standing on top of the soapbox and screaming from the highest mountain, that, yes, please take advantage of this, because you do have the ability to do everything in the OT&E that you do in the ARIN Online production service.

Hollis Kara: Thank you, Brad. (Applause.)

Love all the questions and comments. That being said, we’re running a little bit behind schedule. We’re still taking a break, don’t worry. My captionist would probably hurt me after the end of things if we didn’t.

We’re going to take 15 minutes. Actually, because I like round numbers, wait, can I do math —no, that still works. So that’s 11:10, is my math right? This is why I’m comms. Math, not my thing.

All right. So 11:10, back in here and we’ll be wrapping up the meeting. Thank you so much.

(Break)

Hollis Kara: We are back. Next up, we’ve got our president and CEO John Curran, who is going to — run away.

(Laughter.)

That was unexpected. Don’t mind him, he’ll be right here. We’re going to do an NRO EC update and a brief update on the state of the RIR system, what’s been happening since we last met.

NRO EC Update and State of the RIR System

John Curran: Thank you, Hollis. For those who don’t know me yet by now, I’m John Curran, the President and CEO of Curran. I’m going to give the NRO EC update, and then I’m going to talk briefly about the state of the RIR system.

The NRO EC Update is something we do at all of the RIR meetings. And it’s the NRO Executive Council presenting the status of what we’ve been doing. The state of the RIR system is actually my comments on our current affairs and they’re not from the NRO EC, so they’re not part of these remarks. It’s just one slide at the end.

So, with that, let me do the NRO EC Update.

Here’s the NRO Organizational Report. What is the NRO? I think you’ve all figured it out by now. The NRO is the Number Resource Organization. It’s the coordination of the five RIRs. It was established by an MoU in 2003. We signed an addendum in 2020 that talks about the Internet Number Registry System. And it basically gives us commitments about trying to promote accurate, reliable Internet number registry services globally.

Now, in 2022, the NRO reviewed our strategic plan, and we reconfirmed our mission to coordinate the activities of the RIRs and promote a joint Internet number registry and our vision to be the flagship, the leader in promoting the registry system. If someone has a question about how the Internet Number Registry System works, it’s our vision that we’re the one that answers that question.

Now, the structure is very simple. The NRO — the Number Resource Organization — has an EC, an Executive Committee. The Executive Committee is made up of one appointed individual from each RIR, generally the executive officer. So we have Hans Petter Holen appointed from RIPE, and he’s the Chair of the NRO Executive Committee; myself, appointed from ARIN, and I’m Secretary; Jia Rong Low, who is appointed from APNIC and Treasurer; and Ernesto Majó, from LACNIC, he is our fourth member. And we have a vacant spot on AFRINIC right now because they haven’t had a governing board for a while.

We have a permanent secretary that’s hosted by APNIC. German runs that. He’s the Executive Director of the organization, the Executive Secretary of the organization. He’s the one who handles the administration of keeping this running.

So one of the things we do is we’ve had, as people have heard, an RPKI program. RPKI, much like the registry system itself, is a joint program that we all use. It’s one of these circumstances where we have to coordinate tightly to make sure we do things in a coordinated manner.

But as Brad said earlier, each RIR has its own community with its own requests. So we decided that rather than doing these things in each RIR and not having any real communication between the teams formally, we would set up an RPKI program. And we did that. And as he said, they meet every six weeks, and they talk about things like what our services are, what the differences are, the differences in APIs, availability and SLA. They talk about trust anchors. All of those activities are being done one level down, coordinated between our teams. It’s the type of coordination we do to try to make it look like one registry system.

Objectives for 2025: Improving the transparency, security, and robustness of RPKI and trying to improve the user experience.

And we’ve done a bit of that. I don’t know, people — we all have our own RIR RPKI system, but you’ll see they’re slowly looking more and more like each other. You can go to the URL, see that project, see what it’s working on. The big push right now is working on a trust anchor structure that makes sense and will facilitate things like transfers in a more sensible manner.

We also have other Coordination Groups. The RPKI is an actual joint program with a program manager, but we’ve had Coordination Groups that work across the teams in each RIR. So communications, engineering, public affairs, financial officers — and there’s still a lot of coordination just running as five RIRs.

We don’t have whole programs for each of those. We only did that in RPKI. But these Coordination Groups do speak periodically. Once or twice a month, they talk to their counterparts, so that we have common communications when we need to, or that we’re making sure we’re handling — if there’s a request from governments to respond, we make sure we understand who’s covering it, what messaging is being used.

Finances. So it costs a bit of money to run the NRO. General operation, $628,000 a year. That’s the ASO, the NRO, and the IANA Review Committee support, secretariat support, RPKI program, travel for the ASO Chair to ICANN meetings. The ASO and NRO EC meeting costs are in there.

Internet governance support, we do support a number of organizations externally, like IGF, that have costs in there. And the secretariat.

So those are common costs that all five RIRs have to absorb their share of. And then in addition to that, we have a small allocation we give to ICANN each year, $823,000. We’ve been doing that pretty much since ICANN’s inception.

And with the IANA stewardship transition that occurred, we established an IANA services contract. And that identifies $650,000 a year for those IANA services for the central number registry. And the rest, the $173,000 is a contribution to ICANN’s general operation. So the sum of those two are the expenses that the NRO has each year, about $1.4-1.5 million.

We also have a Stability Fund. This doesn’t involve any money moving. It’s a pledge that we’ve all put in, a short-term reserves, if necessary. If an RIR needed to draw from this for its own stability, it could use this mechanism. And the total commitments amongst us all is $2.65 million.

Those costs get divided up each year. And they get allocated among the RIRs. And we decided to do it based on a metric of size. The metric we use is RIR services revenue. So, ARIN — we don’t count AFRINIC at present because obviously they need a governing board to cover their share of these things. So for now, we’re dividing these expenses by ARIN, RIPE, LACNIC, and APNIC, and RIPE ends up with about 33 percent, 34. ARIN ends up with 33. Twenty-one and 12.

And that changes a little bit each year based on size of the registry.

AFRINIC situation. So, the NRO EC, the Executive Council, has closely monitored the AFRINIC status. We’ve spoken with ICANN leadership because they’re obviously interested in AFRINIC status. We’ve offered support to the private receiver that was appointed. We engaged in collaboration with the Internet community down in Africa to make sure they’re aware of what’s going on. And we supported the Africa Internet Summit annual event.

We put an announcement out saying we’re pleased of the election of a new AFRINIC Board, which did occur. It occurred in September. AFRINIC now has a Board seated. I’ll talk a little bit about that later. And we’re looking forward to resuming regular operations. That’s a wonderful thing.

ICP-2 review. You might have heard of this. There might have been some slides earlier, and some more slides. And someone named Amy did a great job covering this. I’m not going to go into it, other than to say, yes, in October 2023 we did kick it off with two projects.

One was to do Implementation Procedures for the current ICP-2. And the second one was to kick off a formal review with the community to sort of look at ICP-2 and decide what we really need. And as you can see, they’ve come up with an RIR Governance Operations Requirements document. And that’s in its way through a process that’s already been described at length. I’m not going to go through that because that’s less detailed, but the same information that Amy gave you.

Publications. One of the things we do is we try to make it easy for people by publishing joint stats across the five RIRs, so we do the Internet Number Status Report, which you’ll see presented at the RIR meetings periodically. We update global stats on IPv4, IPv6, and ASNs daily.

We do RPKI adoption reports. If you want to know the RPKI deployment in all the regions, that’s available on the NRO website under statistics.

We also publish a comparative policy overview, which might be of interest to the people in this room. If you are curious about, well, how do they handle transfers, or what do they do with waiting lists or soft landing, or how do they handle this question — we have a comparative tables of the current policies in each RIR so you can see them lined up on one table and understand the counterpart policy in the other RIRs. Can be quite helpful.

IANA Review Committee. So, one of the things we do is we have a committee because we have an agreement with the IANA to provide services. We have a Review Committee that reviews the services and makes sure that when we put requests in, they’re handled by IANA in a timely manner.

I will say the IANA has done a wonderful job for us, and the Review Committee has a pretty easy job thanking IANA each quarter. But they do meet. They do review the service by quarter, and they publish reports online. You can take a look at it. And as I said, the IANA has done exceptionally well. Never had really an issue with them.

IANA Review Committee members are there in the ARIN region — Amy Potter, Nick Nugent, and John Sweeting.

IANA SLA amendment. We did amend the IANA SLA. So we have a Service Level Agreement with the IANA that provides when we make a request for one of the free pools for the general purpose number registries — IPv4, IPv6, and ASNs — that they’ll process the request according to global policy and update, obviously, the registry tables that the IANA runs to show the delegations.

There’s also a little other thing the IANA does, but it does it in cooperation with other entities, which is that we have to make sure the glue for reverse DNS is put in the right zone.

So back when IANA — back when ICANN was being formed, before there was ICANN, someone had to do the root zone. Actually, it was a function of the InterNIC.

When ARIN was formed, we took over building the glue for the reverse DNS. When ICANN finally got up and running, ARIN handed it off to ICANN’s IANA team, and it’s been done by ICANN ever since, reliably. Since about 2012 — yeah, 2012.

But we never had an agreement that said, please build the reverse zone for IN-ADDR and IPIPv6.ARPA and populate it with records that correspond to the allocations made to the RIRs.

So we did an addendum — now that we have an SLA for IANA number services, we did an addendum with the IANA service agreement to actually have the reverse DNS resolution services for those zones. And between that agreement and the agreement that the IETF has and the agreement that the DNS has, that ends up building the global zone for the root.

ICANN Empowered Community. So when we did the 2016 IANA stewardship transition, as part of that, it was noted that each of the communities, the numbers community represented by the RIRs and their members, the names community represented by ICANN, and the protocol community represented by the IETF, we all ended up using IANA services, and each of us have our own governing structures.

In the DNS case, the DNS community said, we want to have a safety because we have ICANN, but just in case something goes wrong, there won’t be a U.S. government contract over all of this. So, we’re going to create a mechanism above ICANN.

They created something called the ICANN Empowered Community, which basically ratifies the actions of ICANN in areas like adopting budgets and adopting strategic plans and appointing directors, and the Empowered Community really simply ratifies those actions but has the ability, if those actions were done improperly, not according to bylaws, has the ability to intervene, cause a hearing to be held, cause those matters to be reconsidered, has the ability to spill the board of ICANN or remove a director, things like that.

We are part of the Empowered Community, as is several of the supporting organizations within ICANN, all have a seat on the Empowered Community.

And it’s basically a safety check valve, and we are happy to participate in this as one of the organizations. You can read more about it on the NRO. We actually adopted procedures so that if we have a request to ratify something, we know how we handle it. We know how to notify our communities, and based on what our communities say, we make that decision as to whether to ratify or not ratify a particular action.

All right. That concludes the NRO presentation. I’m going to do, now, my remarks, which is just a touch more because they’re not in the slides and they’re really based on current events.

I want to just say, first, as noted, since we last met, AFRINIC has now elected a governing board. So that happened. And the governing Board October 3 sent out an announcement saying they are in place. They have a Chair and Vice Chair now.

They still have a receiver in place. The receiver is the person who’s been running the organization under court direction and will remain until they’re up and running in a comfortable way.

The receiver has indicated, if my memory recalls, that he’d like to step down now that there’s a Board, but that hasn’t yet happened. So we have to wait until that is done.

There’s also another detail involving that. The AFRINIC Board, while AFRINIC has a governing Board, it still has litigation outstanding. There’s a number of active activities. So we’re not completely out of the woods there.

The Board has said it’s looking at those issues. So we’ll have to wait and see. The good news is that with the Board they’re able to do some things pretty clearly. So for example, the NRO Number Council, aka, the ASO AC, the party working on that whole RIR governance document, has been without representatives from the AFRINIC region.

The good news is that the representatives of the AFRINIC Board at ICANN this week, last week, running concurrently with us, earlier this week in Dublin, representatives of AFRINIC did indicate that they were going to appoint people so that they would have people on the NRO Number Council and that way they would be able to participate in the RIR governance work.

Still more going on, and we have to watch it carefully, but certainly the election of a governing Board is one step to getting AFRINIC back on the road and running smoothly.

So with that, now, I’ll take questions on the NRO presentation or the state of the RIRs.

Microphones are open. Remote microphones are open.

Hollis Kara: I believe we have a question or comment online.

John Curran: Okay. We have a remote? Yes, go ahead. Remote first.

Beverly Hicks: Cicero Chimbanda, interested in ensuring that AFRINIC has proper representation and that their voice is heard in the future.

Hollis Kara: Just wanting to make sure that AFRINIC will have proper representation and that their voice is heard going forward. I think you already spoke to that.

John Curran: Well, that’s sort of — with the establishment of a Board, they’re able to now put representation and bodies as necessary. So this is going to be something we’re all waiting patiently for.

They have to actually get their governance moving to do that function, but we’re looking forward to AFRINIC having normal restored representation. The Board is an elected Board of the community. So its decisions on who it puts in bodies are sufficient for our purposes.

Kevin Blumberg: Kevin Blumberg, The Wire.

John, I just have a minor question, the SLA related to — the SLA change with the reverse DNS being added in, can you remind me, if a resource is transferred from ARIN to RIPE, or ARIN to APNIC, that root glue is not changed.

John Curran: Right, not at all.

Kevin Blumberg: So the resource that moved from ARIN still goes back to ARIN. Then it goes to RIPE and then it goes to —

John Curran: Let’s talk about that, because that’s a complicated matter and, by the way, it affects DNS and RDAP and RPKI.

So an RIR is responsible for every resource in the registry. Now, there are parties that have very large resources, /8. Even those point to ARIN or APNIC or RIPE, whoever’s responsible, for providing the services for that registry. Okay.

Having said that, when you start breaking up blocks and moving them, you have to decide where you want the chain to be reflected. The final RIR has to be accurate. But you may or may not have an interim pointer.

Historically, we have changed things when, if we have a /8 that moved from RIR to RIR, we would change it. The whole discussion of the trust anchor brings up the fact that it might be better to chain from one to the other, and so it’s a complicated matter.

At present, no, we do not chain, and the original RIR stays in there, I think. Mark — I believe, in all cases, it stays as is. We haven’t done updates, but this is, as I said, tied into the trust anchor discussion long-term.

Kevin Blumberg: That’s from an RPKI point of view, and I understand that opens up a whole complexity. I was actually just more curious, and I appreciate that you brought up the RPKI because that was a whole other level of complexity I didn’t think of. Just for reverse DNS.

John Curran: It lists an RIR there.

Kevin Blumberg: Thank you.

John Curran: Okay, more questions? If there’s no more questions on this, we’re going to move into Open Mic, where I’m going to ask the same question. But we’ll have Nancy up here too. Nancy, come on up.

Open Microphone

John Curran: And we can change the slide to say Open Mic. So we’re now in the Open Mic portion of the day. It’s the end of the day.

This is available for you to bring any questions that have come up in the meeting, anything that’s come up with respect to how ARIN operates, how we’re governed. This is your time now to ask us.

So microphones are open. Remote microphones are open.

Abdelkrim Mekkaoui: Abdelkrim Mekkaoui from MEKTEL. I’m an ARIN Fellow. I just want to take the opportunity to thank the Fellowship Program for this opportunity to be here. It’s because of this program that I’m here today.

So far, I’ve been a passive member, just on the mailing list, seeing what takes place in the discussion, and this program has allowed me to move a step forward to be an active member.

I already have a couple of ideas that are eligible for new policy that I’ve discussed around with the community. I probably, in the next few days, will initiate that. And thank you so much.

John Curran: Thank you for your appraisal of the program. Thank you for being here.

(Applause.)

Abdelkrim Mekkaoui: Please allow me to dedicate this applause to Amanda and Melissa.

John Curran: Amanda is somewhere here, yes.

Abdelkrim Mekkaoui: She did a great job to coordinate all the program and give us all the supports to be here today. Thank you so much, Amanda.

John Curran: Great to hear. Thank you. Next.

Chris Rapier: Chris Rapier, Pittsburgh Supercomputing, ARIN Fellow 56. Just came up here to basically say the same thing. This has been an

incredible experience for me. I have met some amazing people, have had some great conversations. I’ve learned a lot about what I came here to learn, which is about how ARIN works, how ARIN reaches out to the community.

This has been an invaluable experience for me. And I do hope to be at one of these again as soon as is possible. So thank you for all of that.

And big shout-out to Amanda and my mentor, Kaitlin, and the person who pushed me to get here, Adair.

John Curran: Sounds good. Thank you. (Applause.)

Chris Woodfield: Chris Woodfield, Woodfield Network Consultants and the ARIN AC. The people who are praising how useful and helpful and informed this meeting is, that is not unusual.

There’s nothing extraordinarily informative about this meeting because they’re all like this. Yes, please come back. And come back with curiosity, and we will help you understand everything you need to and help you participate the way you need to.

I have one specific question from your presentation. Is the transaction ledger of the Stability Fund a matter of public record, or only the contributions?

John Curran: There’s been no transactions. There’s just been pledges. So I don’t know what the answer — if the transaction ledger is the null set, is it published or not?

Chris Woodfield: Good point.

John Curran: I’ll go with Schrödinger, it may, may not be. It’s empty. We’ve put pledges in, and we actually at one point we did think about that with respect to AFRINIC. When we set — because there was a period of time when they may not have been able to access their bank account — when we set it up, we were thinking about a number of circumstances with regard to how to handle an RIR that had an unusual event happen. But we didn’t think about the unusual event of governance issue.

And so it was not really able to be used. It wasn’t really suitable for that. We were able to help AFRINIC in a number of ways. So we did not end up with any transactions, and the ledger is blank. It’s all just pledges.

Chris Woodfield: And is that scenario now in the list of contingencies?

John Curran: So one of the things we’re looking at is we’re looking at strategically — and we want to wait until we have everyone on board, including AFRINIC — look at long term what we want to do with the Stability Fund and how we want it to operate.

It was really set up for the idea that an RIR has a natural disaster, for example, or something like that.

Handling the case of it not having a governing Board is very hard and actually falls more into the RIR governance document than the Stability Fund. But we’ll be looking at it, obviously.

Chris Woodfield: Thank you.

John Curran: Remote?

Hollis Kara: We do have a remote contributor.

Beverly Hicks: We have a remote that would like to speak for themselves. So you should be able to unmute yourself now. Make sure you start with your name and affiliation.

Cicero Chimbanda: Yes, my name is Cicero Chimbanda. I’m with the City College of Chicago here in Chicago. But I also work at a private investment firm.

This is my second time attending remotely.

I am not a member, but I have vested interests on the — let’s just say on the progression and the stability of the African continent. I was born in Angola. I run a scholarship fund in Angola, it’s one of the countries there, for higher education for students.

I just want to make myself known. Name is Cicero Chimbanda. I did put my email on the chat. I would love a follow-up. I would love to advance the issues or opportunities that you guys are facing with AFRINIC.

I have several relationships at the higher education/academic level and also some of the government agencies in Africa, especially South Africa, Angola, and Nigeria. So I just want to make myself known. I don’t know specifics that you guys are running into. You mentioned some. But I can definitely get the right people and advance the cause because it is a very important cause.

So if you have any questions for me or comments, I’m here to listen as well.

John Curran: Thank you. Excellent to hear from you, and you’ve made yourself known. Certainly we have a number of attendees paying attention to the same issues. And, quite frankly, we report on it at ARIN, but this really has to be people like you, people from that community working together to figure out next steps.

So very happy to hear from you. Microphone.

Anthony Delacruz: Anthony Delacruz with Lumen. One of the things we chat often on the PSP is about the Waiting List. I noticed you guys just put out a whole other pile this month, so good job on that. You keep putting ranges into it.

I still think we’re falling a little bit on clearing up old IRR entries in it. I run the Lumen Level 3 and also the WCGDB registry. I noticed this morning I didn’t see that set. So I pulled out, like, 42 objects that were clearly just old, going back to like 2003.

I think there’s probably another 50 in there that look bad with RADb. So again, just offer, if you guys ever need a hand with pulling out, or if anybody else ever needs stuff removed.

John Curran: That’s a great issue. So, first, if you’re in the room and you run an IRR registry, raise your hand. You, okay.

We do do a lot of outreach, but one of the things that happens with IRR is that there’s a large number of ad hoc and not necessarily well-known, well-reachable. I’d like you to find Mr. Sweeting.

Anthony Delacruz: We’ve chatted.

John Curran: We will get on you the notification and tell you when we’re bringing blocks. We do it very careful. We take the blocks out. We hold them fallow, make sure they’ve been sitting awhile. So it’s just making sure that you get the notification of that.

Anthony Delacruz: Great.

John Curran: And there’s been IRRs we can’t reach. There’s no response when we reach them.

Anthony Delacruz: Yeah, most of us, there is an IRR.net page now that the RADb guys put up. Everyone’s contacts are on there pretty well. So if you ever find an old object or anything you need cleaned up, you should be able to find contacts there that are pretty responsive.

John Curran: We find old objects every week. So we probably need to set up a process for this, because we’ve tried to contact, and the problem is that a lot of them, you notice, and it’s a report about a block that isn’t a present customer, so it’s not high on anyone’s list.

We’re happy to outreach to anyone who’s running an IRR. We just need to know how to get ahold of them and they just need to respond.

John Sweeting: So John, I just want to say get ahold of John Sweeting like December 8.

(Laughter.)

Until then, get ahold of Joe Westover.

John Curran: That’s right.

John Sweeting: But I also want to add that we do have a new team we stood up this year, Registry Integrity and Oversight, and one of their missions for their team is to clean up IRR entries.

And that’s Reese Radcliffe that runs that. They’ve been doing a great job doing everything that we’ve tasked them to do with the three people they have, and one actually went out for a while because his wife had a baby. So he’s back, and they’re full strength.

But they haven’t quite got to where they’re able to look into the other IRR. They’ll get it fixed if they get notified of it. They will have a process next year to where they will proactively find that stuff and fix it.

John Curran: Right. Thank you, John.

Ignore this man. He’s a pumpkin. He’s going out on sabbatical momentarily.

(Laughter.)

Joe, are you here?

Joe Westover: Over here.

John Curran: Okay, get together with him and talk about the next steps, okay?

Anthony Delacruz: Yeah, and if anybody needs help on clean-up. We blew out 30,000 entries last year, 50,000 the year before. So, folks are noticing their router configs are getting a little smaller in the prefix lists. That’s stuff we’re doing.

John Curran: People don’t understand, there’s continually blocks coming back, so we definitely need a way — we’ve done a pretty good job liaising with the ones that we can respond to. But a lot of times we’ve just not had success because we’re not a priority for them.

Remote? No. Lee. I’m deferring to this microphone.

Lee Howard: It’s such a polite community, and I appreciate that. Lee Howard, unaffiliated. And actually I wanted to respond, because Anthony brings up a really good point, because it’s not just in the case of wait list entries, but also in the case of transfers where we see those objects, and not just in the case of — it’s not just IRR entries.

John Curran: It’s spam entries and block lists. We have a whole process.

Lee Howard: I’m sure you do. I would love to have maybe a more collaborative, open process, where we could, again, (indiscernible) suggested a workshop already this week, can we bring a whole bunch of people in the room and say, how can we provide better information in an automatable way to help you provide the tools in a timely manner, a geolocation, another one.

John Curran: So, I’m all for more process but I want to point out, just sensitivity, some of the people who run those lists are pedantic about who they talk to and who they believe and may not participate in an open process. In fact, if the process is open, that may actually prevent their enrollment, because the problem is that when you get into reputation, they want to deal with trusted parties. I’m all for that, but I want to first set up ARIN’s trusted processes and then do a workshop after.

Lee Howard: And that makes sense to me, and I understand, having been to a few M3AAWG meetings, though, you understand what their sensitivities are. And they’re there, and I made the same offer to them at meetings. And they said, oh, that’s a great idea. And we never talked again.

John Curran: Understood. Yeah, I think this is something we can workshop. But it’s, first, we’ve got to get at least the basic mechanisms of, people who run lists that are IP-based have to understand or talk to the registries because transfers, because wait list reclamation and lay fallow, things like that.

Kevin.

Kevin Blumberg: Kevin Blumberg, The Wire. So I had a bit of a health scare in June after an ICANN meeting. I want to personally thank Erin and Richard, who went above and beyond in terms of helping. But it’s a lot more than that. They directly helped. But it was the staff. It was the volunteers. It was everybody else.

And there’s two parts to this. One, thank you. Two, this is a work/life balance issue for everybody in this community. And the number of people that I heard say, I’ve been doing this for 20 years, 20 years this, 20 years that — there will be another 20 years.

And if you’re not at the mic because you can’t be at the mic because you forgot the work/life balance, you can forget about your benefits long-term, and we need everybody here long-term. So I’m taking that to heart. I wish everybody else here takes that to heart.

Not pressuring you, but just please keep it in mind, because I would like to be here another 20 years at the mic annoying people. So that was the first thing.

(Applause.)

Thank you for everybody. The second is, it had been mentioned today that the ASO AC, the NRO NC has spent the last 18 months doing a heavy lift of taking the original ICP-2, taking what was implicit and making it explicit and doing a holistic review of everything.

We need to do that for the NRPM.

(Laughter.)

Nobody likes the term “omnibus,” and I’m not actually referring to omnibus anymore, but I believe —- and this is not directed at staff, obviously, this is directed at the community —- I believe we’ve reached the point where we are shuffling words, and unfortunately there are too few people in this room today that know what those words meant and why they were put in.

And I think that we need to go through holistically and say, are we doing the right thing? Section 8, a great example, that was actually done only 10, 12 years ago. And it’s pretty clean -— mostly clean. But all the other sections are now pretty much unparsable, and simple changes here then go through 80 different things.

It’s not a “put through the process once and hope it goes through and then” — we actually have to take a whole new look at how we’re doing. And it’s going to take two years just to get there. We can continue on the way we’re doing. But I think that we’ve reached the point in the community and time where we need to look at doing this. So that’s just my take on it.

John Curran: This is Kevin Blumberg, he’s calling for the holistic NRPM review BOF. If you see him and you’re interested in that, collect to him. And you may not use the word “omnibus.”

Kevin Blumberg: Oh I was just going to say, in my work/life balance, it’s not Kevin Blumberg. I’m going on vacation, so it’s somebody else.

John Curran: You want someone else to run that.

(Laughter.)

Kevin Blumberg: Absolutely, but it was more something for the community to now think about. We’ve had a great experience — that was the point of this — we’ve had a great experience on the ASO doing this collaborative work over the last 18 months.

We’ve had a great experience working with the community on multiple iterations of the document.

And it’s shown me a lot of good things can come out of it, where before we’ve been scared of doing those kinds of things. I think it’s time for the NRPM, to look at that.

John Curran: Thank you. That microphone.

Max Krivanek: Hi, I’m Max Krivanek with CodingDirect. So, we talked about earlier the clearing for the IPv4 wait list. I was wondering, is there any sort of process around ASNs? Because my own experience, I had an ASN assigned to me and then found out that the old owner was still using it.

John Curran: Oh, wow. If you’re talking about ASN hold down and use, I think I’ll ask Joe, because I don’t want to ask John, when we do reclaim an ASN, we hold it down. But we’re only holding it down for four to six months. We do look to see if it’s routed.

So it would be really weird for someone to get an ASN — because routing we can see. We can’t see if someone’s running a block list on a webpage somewhere, impossible to know, butif someone’s using an AS, it’s generally visible.

You received a 2-byte or 4-byte, which was it?

Max Krivanek: 2-byte.

John Curran: Okay. We want find out that 2-byte and what happened to it. Joe’s on that; he’s going to find you right after.

We do look — was it globally routed or just in a pocket?

Max Krivanek: It was globally routed. It looked like it was an older company that just had a /24 that was an AT&T customer.

John Curran: If that happened, we failed. We want to know about it. Let’s find out.

Max Krivanek: I had to open a ticket because originally they weren’t responding to me, but I opened a ticket and then they paid attention then.

John Curran: There’s a bunch of issues with that. Because if that happens, the party using the routing may not easily give it up. So that’s really never supposed to happen, really never supposed to happen. Please let’s get together with Joe and find out the pedigree on that block.

Max Krivanek: All right, thank you.

John Curran: Geoff’s going to get up and talk about the visibility of AS numbers. Come forth Geoff. He may talk about anything, but I’m guessing he’s going to talk about the visibility. You’re responding directly, go ahead.

Geoff Huston: I happen to run one of those lists where I’m trying to see ASes that are being routed that actually aren’t legitimately routed. And what I’d rely on is the RIR status of that AS.

And so when an AS goes back into ARIN, normally they mark it as reserved or some other status, which is a clear flag I shouldn’t see it in the routing table.

The reason why I got up to the mic is actually an ARIN business practice, that if I am an ARIN member and I have an AS and I’m late in paying my bill, immediately that resource gets marked as reserved, and it clogs up the set of ASes that are bogus.

Because it’s not really bogus. It’s the grace period between falling delinquent and marking the AS as being toxic, don’t use it, appears to be so short that that list now balloons with false positives.

Now, I appreciate it’s a business practice coinciding with routing. But I’d just like to, please, sometimes in the ARIN business area, I know you want people to pay, but could you give them a month or two before you —

John Curran: 110 days.

Geoff Huston: Oh, God, pay your bills, people. Stop mucking around.

(Laughter.)

John Curran: The problem, Geoff, is that, 110 days, and then we just take it out, but we still hold it because we want to hear from them. It’s kind of jiggling the wire to say, hey, are you out there? And it’s the only —

Geoff Huston: I’m the wire that you’re dealing with.

John Curran: Some of them actually do notice as well.

Geoff Huston: That’s the whole intent. But I’m saying —

John Curran: 110 days.

Geoff Huston: This marking of ASes, we do see it if it’s not being routed the right way. But it does rely on a whole bunch of other things, including business practices to make it happen, that’s all.

John Curran: Thank you. Okay.

Matthew Wilder: Matthew Wilder, Telus and ARIN 2025 Election Nominating Committee member. I want to say thank you to Nick Nugent. He’s not here, but this is the end of his term.

He was going to be up for reelection, potentially, but withdrew his own nomination. Thank you so much to Nick. Obviously, everyone who volunteers for ARIN is doing tremendous work. I think Nick’s had an especially impactful single-term in his duties. So just a big thank you to Nick.

John Curran: Round of applause for Nick. (Applause.)

I don’t know if he’s actually remote now, he might be on an airplane back from Dublin, because he was at ICANN meeting representing and handling many questions about the updated document. He’s done a lot of heavy lifting on the editorship and really big wave of thanks to him. Yes.

John Stitt: John Stitt, Hopkinsville Electric System and current ARIN Fellow. I wanted to echo the sentiments of my fellow Fellows earlier and thanking the staff and the Advisory Council, but beyond that, just thanking the whole community here in making us feel so welcome.

And speaking to the wider community, the ability that someone as small as our organization can have as much voice as a multinational corporation is a very special thing. And that I’ve been pushing for other small groups to make sure their voices are getting out there.

And the Fellowship was such an educational experience that I would highly encourage anyone else to apply for that so they can see how the sausage is made.

John Curran: Thank you very much. Very happy to have you here.

(Applause)

I’ve been doing all the talking because we haven’t had a lot of governance questions.

Any other questions? Microphones open. Remote?

Nancy Carter: Governance questions?

John Curran: If there are no other questions, I’ll close the microphones, closing the remote queues. Anyone remote?

Hollis Kara: Nobody remote.

John Curran: No one at the mics. Thank you for being here for the Open Microphone. I’m going to turn it over to Hollis. Bye-bye.

(Applause.)

Closing and Adjournment

Hollis Kara: We on? We did it, guys; we’re through. Thank you very much for joining us.

Hold on. Let me go back here. I lost it. I’ve been informed I would be totally remiss if I let a meeting go pass without a bad joke from the podium.

So: What do network engineers wear to Halloween parties?

The person who sent me this can’t tell me. A subnet mask.

All right. There we go. One and done. I’d like to get some audience participation here. Big thank you to our Network Sponsor, AT&T.

(Applause.)

Our Platinum Sponsor, AWS; keep clapping. (Applause.)

And then our other sponsors, our Silver Sponsor, IXPO; our social sponsor, Kalorama; and our Exhibitor Sponsor, IPv4.Global by Hilco Global.

So thank you to all of our sponsors. It’s been a great meeting. Remember that elections are open. They will be open until 7:00 PM Eastern on Friday November 7. Please, please, please fill out your meeting surveys for a chance to win a pair of Bose QuietComfort Ultra headphones.

Also, because we do take your feedback seriously, you may notice, if you are a repeat attendee, if you’ve given us feedback, you might have seen it implemented. That’s because we do a very thorough review of everything we hear from you to make these meetings better.

Please also be saving the date. We hope you can join us in Louisville, Kentucky, 19 to 22 April of next year. And wish you all safe travels home and hope that we see y’ll soon. Thank you.

(Applause.)

ARIN 56, over and out.

(Meeting concluded at 11:55 AM.)