ARIN 57 Public Policy and Members Meeting, Day 2 Transcript - Tuesday, 21 April 2026

This transcript may contain errors due to errors in transcription or in formatting it for posting. Therefore, the material is presented only to assist you, and is not an authoritative representation of discussion at the meeting. If additional clarification and details are required, videos from our original webcast are available on our YouTube channel.

Opening and Announcements

Hollis Kara: We’re going to get this party started. I hope everyone had a wonderful time at the Louisville Slugger Museum last night, and we’re glad you’re back today.

We’re going to start with a little audience participation to wake up. If I could get a big round of applause for our volunteers, for our Board, AC, the Number Resource Number Council. (Applause.)

We could not do all the work we do without their support, and they volunteer a ton of time, and we really appreciate them.

I’d also like to, once again, give a round of applause to our Fellows. We’re looking forward to more robust participation from all of you today. No pressure. (Applause.)

And just a couple quick reminders. This will go a lot faster than yesterday. We will have our Virtual Help Desk available till 9:30. As I said, if you’re hearing this, you probably don’t need help, but it’s there. Stop by, say hi to Des.

For folks that are joining us online, chat is for chat. If you have questions or comments for any of the discussion, question-and-answer periods, please make sure you put those either in the Q&A or that you raise your hand, and we can unmute you so we can hear you live here in the room.

Also, always lead off, whether it’s a typed question or you’re coming on mic, to lead with your name and affiliation for the benefit of the transcript.

In person, you are more than welcome to join the Zoom so that you can talk to the participants who are joining us there.

If you do so, please make sure that your audio is down and your mic is muted and all the things so that everyone can have a good experience.

Also, noting that if you’re here in the room and you prefer to submit questions through the Zoom, you can do that. Absolutely welcomed. We have the mic here. We also have a floor mic that we can move around the room, handheld, if anybody needs it, if you’re unable to get to the mic.

If you are in the Zoom and suddenly you are not in the Zoom and you didn’t mean to not be in the Zoom, please try to reenter the Zoom. Trying to see how many times I can say “Zoom” in the same sentence. I think I did pretty good there.

If the Zoom will not reconnect, head over to the livestream, see what’s going on there. We’ll be talking about it. And if the livestream isn’t available, keep an eye on your email. We’ll be sending you a message letting you know when you can rejoin.

For folks who are here in the room, same with the folks online, please make sure when we open the mics and you go to the microphone, that you lead with your name and affiliation and you speak slowly for the benefit of transcription.

We do want to hear from everyone. So if you’ve been to the mic and there are folks in line, please wait until the line is drained before you rejoin the line.

Wi-Fi is available. It’s ARIN Meeting. There’s no login. You should be on it. If you’re not, the folks at the Registration Desk can help you out.

The slides and recording of this meeting will all be posted online. Right now, you can watch the transcript live online as well as the live feed, and you can download all of the presentations if you prefer to view them locally on your device, versus trying to see what’s on the screen.

Today, we’ve got a whole lot of stuff on the agenda. We’re going to start off with some updates from Engineering, Information Security, Routing Security, Internet Governance, and about our Caribbean collaboration efforts.

After that, we will take a break. When we get back, we will be hearing from our 2025 grant recipients and then also having an Internet number resource Status Report and a Data Accuracy Update.

Then we’ll break for lunch, fuel up.

Afterwards, we will launch into our policy discussions. That block will continue as long as it needs to. CXO Update will follow afterward or move after the break if we need more time for policy.

Then we will have updates from all of our fellow RIRs and then close out the day with an Open Microphone. So it’s a very full agenda.

We do want everybody to feel safe and comfortable participating. As mentioned yesterday in great detail, we do have our Standards of Behavior. There is information posted both in the lobby and in here if you need to get a hold of our ombudsman or any of the other leadership that are involved with screening and responding to any concerns that are raised. So, again, let’s all be on our best behavior. We’re all here to work together to make great policy for the ARIN region, so let’s keep that in mind.

And, again, a little more audience participation. A round of applause for our Network Sponsor, Spectrum. (Applause.)

Our Platinum Sponsor, AWS. (Applause.)

Our Silver Sponsor, IPXO. (Applause.)

And our Espresso Bar Host, Verisign. Don’t forget to thank Beruke, our barista, who is doing a fabulous job out there.

And with that, let’s bring up Mark Kosters, our CTO, to give the Engineering Update. He’s coming.

Engineering Update

Mark Kosters: Well, good morning. One of the things you’re going to hear from me today is a bunch of things that have been repeated.

It started yesterday with Richard’s Annual Report, and it’s going to go through me, and then it’s going to be repeated a little bit by our CISO and also by Brad Gorman, dealing with routing security.

I’m going to go ahead and get started. But a hallmark of any good speaker is that you repeat things. So I’m going to be repeating some things and they’re going to continue repeating. And at the end of the day, we may have a quiz.

All right. So let’s go ahead and get started. That’s me. What I’m going to talk about is the services we support, statistics on the services. And I have something that’s a little bit different this time. See if you can catch it. And finally, software releases and improvements.

So here are our core services. You can see we have RPKI; ARIN Online; Reg-RWS, which is our API for people who want to connect to our provisioning system and do high-volume transactions; we have our IRR, Internet Routing Registry; our DNS system, which we don’t really talk about much, and we’re going to be talking about this a little bit more today.

We have directory services, which we talked about a lot at the last meeting. And I’m going to bring up just briefly what’s going on there.

ARIN Mailing List. Maybe we’ll have Discord in the future. I don’t know. We’ll see what’s happening there.

The website, The Vault, and our OT&E environment, which a lot of people use to go ahead and test their code specifically for RPKI.

Internal support, we have a management app that’s used by staff to make changes on behalf of customers. We have lots of monitoring and performance that we look at. And we use a lot of cloud-based tools on the back side. So, if it makes sense, we use a cloud-based tool.

We have various development and testing environments, of which have moved from our headquarters to a now colo site. We have email analytics and infrastructure tools like Jira and Confluence, which many people use as well – build agents, et cetera – and, of course, financial systems.

Okay, now this is a reminder. At the last meeting, I did not do an Engineering Update, a traditional one. So this one is actually going to be for over a year, since the last time I did this was basically a year ago.

But we did talk about – and it was a little bit controversial – about retiring a number of services in the future, and we’re going to have a consultation coming on that at some point in the future as well, about retiring some services that are fairly old – RWhois, which I helped write a number of years ago; Whois-RWS, which is a predecessor to RDAP, which is really now the IETF standard; and perhaps even Whois.

So let’s go to the statistics. First of all, ARIN Online, this always amazes me. These are people that actually come in and go ahead and go through the process of doing their two-factor authentication to get their ARIN accounts. It’s actually fairly consistent over the years, which I find kind of amazing. Maybe there’s a little bit of churn out in the community.

But there’s a lot of people that do come in consistently and go ahead and set up their ARIN Online accounts.

ARIN Online cumulative logins. One person likes to log in a lot. There’s actually a significant tail of people who like to log in to ARIN Online a lot. So you can see here that, yes, there’s a number of people that have logged in at least 16 times, but there are people that have logged in millions and millions of times, almost jillions.

So here we go onto something that I’m going to talk about, which is actually kind of interesting. So here you see the people who have actually used multi-factor authentication. We have TOTP and SMS. A lot of people don’t like SMS, but it’s out there. And you’ll see that FIDO2 is only 3 percent. I think that’s going to change.

Who here uses passkeys?

Guess what? ARIN is actually going to support passkeys in the next release. And the reason for this is it’s actually FIDO2 with a couple of modifications, and we’re going to make that happen. So that’s coming up soon, actually in the next release. So we’ll see this FIDO2 Auth-NS actually start to increase.

Here’s another interesting thing. We’ve always been up to the right on Whois and Whois-RWS, but you’ll notice that there is a substantial decrease on traffic that has gone to both of those services, which I find kind of interesting.

Maybe people saw that, hey, ARIN is thinking about retiring these things, and people are saying, okay, if that’s true, I’m going to get off of it now. I don’t know. But certainly there’s a difference here.

Here’s RDAP. Yes, it’s still an order of magnitude less than Whois. Not doing that for you, Kevin. But you can see here that it is actually increasing some. And within the industry, there is a significant push to RDAP, mainly on the domain side, mainly under ICANN’s provenance of making this happen.

So we’re going to see in the future more and more people using RDAP. We’re kind of the tail wagging the dog here in some sense, but we’re seeing that as well.

Here you can see some spiky graphs on RDAP, and people who actually come in getting RPKI updates from us. Here’s a different way of doing it, using RSYNC, which is actually a much less popular protocol to grab the data. But you have the opportunity to use either.

And here you see DNS information. And what’s interesting about this is there’s a pattern that goes on with DNS, and it’s fairly normal, and life just goes on.

DNS is kind of like the sleepy neighborhood that everyone just assumes works. And it is. I mean, you don’t hear about DNS breaking so much anymore.

But here is an interesting graph. 90 percent of our traffic that comes out of our public-facing sites is either RRDP, which has the lion’s share of the information, or the next three, which is actually DNS. So RIRNS DNS is really us secondarying other /8s for the other regional registries as well as their forwards.

ARPA-TLD is actually the /8s that ARIN’s authoritative for. And we also have some partners that actually share this load with us. So this is a third of the actual traffic.

We have the ARPA (A) DNS server. And really this is two servers, one of the root servers, if you will, for in-addr.arpa and ip6.arpa. And you can see that Whois and Whois-RWS are down there a little bit in terms of the amount of traffic that they actually output. And then we have miscellaneous others.

So, again, the big thing here is that 90 percent of our traffic is either DNS or RPKI or RRDP.

Releases and improvements. This is where you’ve actually heard some of this before, and you’re going to hear it again with Brad and crew, on some of the things that we’re doing. Since the last two meetings ago we put in the RPKI ROA Change Logs, so you can see what changes have been made to your ROAs. ASPA has been released, which is a big deal. It’s not finished in IETF, but the work that actually affects provisioning, actually creating these ROAs is basically solid – has not changed in a long time.

We’re feeling pretty confident about this. We had it in our OT&E environment for a long time. All we had to do was flip the switch, which we did in January to make ASPA support available to the general community within our production environment.

So authorization now goes through ARIN Online. Before we had some authorization tidbits that actually went through email. And that has actually been folded into ARIN Online as well. Origin AS has been removed as part of policy. And, of course, lots and lots of bug fixes.

Internally, we’ve had a lot of tech debt reduction. I’ll say here that this has been a multiyear effort and will continue to be an effort. And one of the things that we’ve actually just exorcised out of our system was some foundational elements that have been in there for a long time that are all gone now.

So we’re in a modern framework now for all of our Java enterprise applications which ARIN actually runs on. And what’s interesting about this is – I’m going to go back in history a bit, since I have a few minutes left – is that ARIN, when I first came there, was actually a Perl shop.

Actually, many of the regional registries were Perl. And today actually about half of them are using Java. And the other half are still Perl-based, which I think is fairly fascinating.

But anyways we’ve moved on to Java and continue to do a lot of work in Java, and it works out very well for our systems.

We’ve had a lot of updates with our financial controls because we have a system that has fairly aggressive update release schedules that we have to follow through on.

We have SOC 2 controls, audits to do, PCI audits that we have to do. Again, large technical debt reduction, not only on the software, but also the OSes and the hardware associated with it; mainly from a compliance, and not only from, hey, we’ve got to support these things, but also making sure that, hey, these things are compliant with both SOC 2 and PCI, and available enhancements to our provisioning systems.

So here you can see our system improvements that we’ve added to ARIN Online, actually going to our new provisioning site that’s now outside the DC region. And we also have moved into a Kubernetes infrastructure that we continue to move to.

And the big thing is our new data center. And, again, you heard this yesterday from the Treasurer’s Report that we are on time and within budget to actually make this data center move happen. And we were able to successfully move it, and I don’t believe you all even saw that, which is actually something that we like to see.

Actually, we’re not only running all our back-end systems out of there, we’re actually doing it on our production provisioning traffic through that system right now. So anyways, kudos to the team making that happen.

Here you can see our upcoming public enhancements that I’m really not going to talk about much because they’re coming up. RPKI routing intelligence on our back systems, actually creating staff efficiencies improvements to the management app, as well as authorization matrices and taxonomies and everything else that goes with it with our existing systems.

RDAP enhancements. We’re working on geofeed and RPKI directory services. That’s going through the IETF right now. We have a fairly active presence in the IETF, dealing with standards work, both RPKI as well as RDAP, and making these things happen. And you’re going to hear more about that as well.

One of the things that’s coming out of the NRO is this idea of trust-anchor constraints. You’re going to hear more about this in the future.

Basically there’s a way to improve the trust of the RPKI system by having basically a substrate that says here are the networks or the network resources that are authorized to be within each regional registry. And it’s really like an access control list that’s going to be built within RPKI.

It’s already in Job Snijders’ RPKI client code. And we’re trying to make this a more sort of robust system that meets the security criteria of the IETF.

So this is work upcoming. You’re going to hear more about this in the future. We have drafts underway, and we’re going to be having working code as well.

And one more thing. I’ve had a first. I’ve actually been dealing with management for a long time. Actually, I’ve never had a person retire.

I’ve had people leave. Sadly, we’ve had a couple people who have passed away. But we’ve never had someone who’s retired. And Reggie Forster, head of Operations, a wonderful guy. Worked for ARIN for six years. Came in right at COVID.

We had our first parking-lot interview with him, which was interesting. We all got, basically, the hood of the cars or lift the hatch, if you had a hatchback, and we had a conversation about whether or not Reggie would be a good fit. And he was a great fit.

He decided to retire. He loves biking. You can see here he’s on his bike on the upper picture, and on the lower picture he’s with Maureen and Deb, who are some of his coworkers.

So anyways, he was a great asset. And we’re going to miss him. (Applause.)

Hollis Kara: All right. With that, the microphones are open. If anyone has any questions or comments for Mark, please come on down or start typing.

Rob Seastrom: Rob Seastrom, ARIN Board of Trustees. Can you flip back to the data center slide for a sec?

Yeah. You kind of buried the slides here. Can you tell me how much stuff is left still running in the data center and the –

Mark Kosters: There’s nothing that’s production affecting. (Applause.)

Rob Seastrom: That’s huge. And I want to acknowledge that publicly, that an office building server room is not the right place today for Internet infrastructure. And I really appreciate all the hard work that the team has done to make that happen. Thank you.

Mark Kosters: You’re welcome.

Hollis Kara: Awesome. Thank you. Anything else for Mark? Here he comes.

Kevin Blumberg: Kevin Blumberg, The Wire. Technical debt. I know you bring it up, and you’ve managed to carve out some stuff. I know FTP was a big concern last year. You got rid of it.

So this is a two-parts, Mark. And I’ll be easy. The first is, has anybody cared when you turned off FTP? I know you guys make a big deal shutting down services and sending notices and all that. Has anybody cared?

Mark Kosters: People didn’t care, but we were fairly proactive in going after a number of the people that actually said, hey, you’re using the service; what are you doing it for? So we were fairly proactive, especially with people that we knew were reliant on it.

Kevin Blumberg: So for the one year that it took to do the decom of FTP – I’m just using that as a poster child today – and you spent 100 hours notifying people, and you’ve now cleaned up 100 hours every year for the next 10 years, that was a good outcome? I’m picking on FTP because it’s fun.

John Sweeting: John Sweeting, Chief Experience Officer. So it doesn’t take 100 hours. We run a meta-report. We find out everybody that’s using it, and we just send out notifications to them.

Heavy, heavy, heavy users, we will probably personally reach out to them and make sure they understand what’s coming. But it doesn’t take 100 hours to do all that.

Kevin Blumberg: Right. It was more once the 100 hours or 10 hours or 20 hours are done, it’s now a long-term ongoing savings for the organization in terms of complexity. That’s where I was going.

John Curran: Yeah, let me pick that up. John Curran, CEO. As it turns out, having the system there that was providing the service means an ongoing security drag, an ongoing patching and maintenance drag, and a certain amount of staff that have to maintain the knowledge of this particular historic piece.

So, yeah, when we let it go, it’s very – I can’t give you the exact number of hours, but it removes quite a bit of drag on the organization. There are things, when you want to do – even things like business continuity planning, testing, and failover – where you’re like, oh, we probably can’t because of this particular legacy system.

So it improves the velocity of the organization as well as cutting hours.

Kevin Blumberg: The point to where I was going with all this was the Internet can’t keep up with snails. Eventually, we need to do it – and you’ve done an admirable job of keeping the snails supported.

I don’t want to see us, the royal “us,” paying and maintaining and dealing with security issues related to the snails. So, please, keep going. Love it and would love to see more things being deprecated out from the organization.

Mark Kosters: Great, thank you.

John Curran: Ask, you shall receive, yes.

(Laughter.)

Hollis Kara: Anything else for Mark? Don’t have anything online. So I think we’re good. Thank you. (Applause.)

All righty. Going to click through a few slides here, get back where we’re going.

All right, next up, Christian Johnson – he’s already on his way down – to give an update on our information security.

Information Security Update

Christian Johnson: To Mark’s point, everything’s already been covered, so if there are any questions? Entertain questions? No? (Laughter.) It was worth a shot.

My name is Christian Johnson. I’m the Chief Information Security Officer for ARIN. I’m going to cover a few things. Mark did cover a couple of items that we have in a few of the briefings, and I think we’re going to touch on them from different perspectives. Hopefully that won’t drag down too much the flow of the discussion.

Real quick, going to do my usual overview/introduction. I’m going to touch on compliance initiatives and what we’re doing there, general security updates for ARIN and impacts to – some of the things that Mark was talking about – we’re talking about impacts on security from the development roadmap, and close out with my usual information requests from customers, security requests.

The usual overview here. We try to maintain an up-to-date, security-minded infrastructure. We’re taking a lot of proactive steps now. He talked about it with the Kubernetes and the data center migration. We try to sensitize users to security threats, the risks that they’re facing each and every day, and the expectations for how to handle those from a security perspective.

Enhancing our reporting capabilities, that’s for the staff to be able to report, the old adage, “see something, say something.” And so, we’re trying to make sure that people have the easiest way, the quickest way, the most direct way to say something when they do see something.

Enabling threat identification and removing those threats, remediating vulnerabilities and risks. So, we do a number of things, a few things that are very general. We’re going to talk specifics here on the next slide; so, I’m not necessarily going to get into those.

So, a quick overview on the compliance initiatives. One thing that’s not covered on this slide, we have sort of a chart there for SOC 2. We have one for PCI. We used to have a chart that had three, and the third was NIST and NIST standards. So I don’t include that on this anymore. A lot of the work that we have done is based on NIST standards. So, we work towards the SOC 2 compliance. We work towards PCI compliance. And in the process of doing that, we’re using NIST standards to get there.

With SOC 2, however, as you well know, we have an annual cycle that we follow, as we do with PCI. SOC 2 covers – has covered, I can say now – has covered RPKI and generally the organization. And both PCI and SOC 2 were on a similar cycle each year, and that’s roughly the beginning of October through the end of September each year.

I will note that this year we’re adding ARIN Online into the SOC 2 program. We’ve been – that’s been the focus of PCI for the time that we’ve been doing PCI compliance, has been on ARIN Online, specifically, the parts that are impacted by the payment card process within ARIN Online. That’s what’s covered in the PCI DSS audits.

SOC 2 is going to look at the public-facing part of ARIN Online as a platform. And hopefully, then in October, when we meet again, I will be able to – fingers crossed, I’ll have the report – but I should know at that point and be able to say that both RPKI and ARIN Online will be complete in our first audit. And that will be part of the forthcoming report. So sometimes we get it before the October meeting. Sometimes we get it, like, in the first week in November. Again, we’ll keep my fingers crossed that we get it in time for that meeting.

So some general security updates. This is split into two parts. I’ve got sort of – it’s been – like with Mark, I don’t think I spoke in the fall, but I did at the last April meeting. So this is basically a year review for 2025. Did our annual security assessment, our penetration test, which we’re going to – I’m starting with that one because I’m going to close out with that one on a separate slide.

We do monthly vulnerability scanning and patching. This is now, for about a year and a half, we’ve been very aggressive in our monthly scanning for vulnerabilities and patching and our compliance on that side. 100 percent trained on all of our - both incoming staff as well as existing staff - for information-assurance training.

And sometimes the question is asked, what do you actually include in that training? We do alternate a little bit year over year, but it’s covering some of the basics, like being able to recognize phishing; being able to understand things like how to work remotely and the security implications of working remotely, things like that; physical security, certain aspects you would want folks to know, both when they’re working from home as well as working remotely, because that’s the environment that we’re in now.

We also supplement that by running monthly phishing scenarios to folks. We’re literally phishing our staff. And the idea here is not to – we’re not trying to test, per se; we’re trying to sensitize each other to the threat that exists within our in-box.

We spend a lot of time – I know this seems like sort of a redundant thing – didn’t you just say that you do a SOC 2 audit? I note this separately here because, when I say that we do a SOC 2 audit, you should understand that that takes about four months of my time each year. That’s not a complaint; that’s just a significant amount of work that I spend each year working with the auditor going from the beginning through getting the final report. There’s a significant amount of time on a regular audit. Adding to that, the next line, that we had quite a bit of work.

And while we’re doing the data center move, while we’re transitioning to Kubernetes concurrent to that, we were also looking at the same controls that we use for SOC 2 for RPKI and trying to ensure that they were in place for ARIN Online going into SOC 2.

And then the last item there is support to ARIN’s Risk & Cybersecurity Committee. And I’ll take a note from Nancy’s presentation yesterday. I actually wrote something down because I wanted to make sure that I didn’t miss anything when I talked to this.

All of ARIN’s committees meet on a monthly basis, generally speaking that they meet on a monthly basis. In the case of the Risk & Cybersecurity Committee, we’re there to talk about risk and cybersecurity activities within the organization.

It’s worth noting that during these meetings, we’re talking about – and R.S. had a presentation a few years ago where he talked about in a bit more detail, when he was the acting chair of the committee, the committee focuses quite a bit on the risks to the organization and the mitigation actions that we’re taking against those risks. So, it’s worth knowing that at any given time, we’re probably reviewing regularly 20 or more risks to the organization. Some are higher-level risks; some are lower-level risks. It’s across the entire spectrum.

That’s not the total amount of risks that we’ve analyzed over the years, but that’s about how many we have active at any given time that we’re paying very close attention to. And what I mean by that is that we’re addressing those on a daily basis within the organization.

The Risk & Cybersecurity Committee reviews those on a quarterly basis, and then once or twice a year we’re actually providing that review of the Risk Register to the full Board as well. I wanted to point those things out just to make sure that they were covered explicitly as a part of this conversation. Didn’t really want to gloss over them.

And the Risk & Cybersecurity Committee isn’t just about reviewing risk. We also look at and make sure that the organization has the appropriate level of insurance coverage. We talk about the tech debt that we were talking about earlier. We’re reviewing the tech debt reports that are put out and looking at the organization’s cybersecurity program activities.

So there’s a lot of stuff that goes into those meetings. And I think I have gotten a pat on the back by a chair or two in the past, but I’d like to say that we have had fantastic and engaged trustees working on the Risk & Cybersecurity Committee. And having done this similar activity in other organizations, it’s a pleasure to have people who are actually engaged and interested and participating and who have a real, genuine concern and investment in the success. So thank you for that. Thank you.

The next item is new and upcoming initiatives, and that is a couple of things here. I mentioned that we’ve been doing monthly vulnerability scanning for about a year and a half, where we were doing quarterly before. And at one point we were even doing it once per year as part of our annual security assessment, the penetration test. We’re up to doing scanning on a monthly basis.

We’re also moving up our reviews where we literally pull a group of people together within the organization across security, across engineering, et cetera, and we review those scan results, taking a risk-based approach, going through all of those results that we have and making sure that they’re getting addressed. In addition, a couple of the things that we’ve started new this year is we’re running monthly web malware scans of the ARIN.net website and conducting social-media monitoring of the TeamARIN Twitter account.

The next item – we’ve got a couple of bullets there – one of the items that – or one of the things that we’ve discussed in the past is we wanted to relook and sort of – I don’t want to say overhaul, but improve, enhance, our background checks for ARIN staff.

There was a time where those background checks were only conducted on specific and key individuals coming into the organization, and it was really dependent on what their responsibilities were. Later, we were able to improve some of the background checks we were doing. We enhanced sort of the activities there. We even escalated it or bumped it up to where we were doing background checks on all new hires coming into the organization, which is where we have been until this year.

So as of right now, so you know, we’ve run background checks on all the existing new hires that have come in. We’re actually running background checks on all existing ARIN staff, with the hope of having that complete this year, the end of this calendar year. We’re taking a phased approach. We’re starting, and it’s ongoing right now, all the executive team within ARIN, our background checks are ongoing right now.

I made the joke during the Board meeting that I hope I’m here for the next meeting. I won’t use that one again. I only used it once. But all the executives are going through that background check now. When that’s complete, we’ll open it up; we’ll bring in the next – our broader management team within the organization. And then hopefully by the end of the year we’ve worked through all of the ARIN staff, and we’ll be able to say we’ve completed that process.

And I mentioned, again, that this year’s SOC 2audit will include both RPKI and ARIN Online. It’s a substantial amount of work. I wouldn’t say that it’s quite doubled, the amount of work, but it has in some places, not in total, but in some places it has.

A couple of impacts on security. And this is probably where I can make up a little bit of time here. This covers a lot of what Mark was talking about. The data center move and the Kubernetes migration, I’m not going to split them apart. I’m going to sort of abruptly put them together in this and just say, when we talk about tech debt, we’ve talked about retiring old services. FTP was mentioned, when we deprecated FTP. We also deprecated a number of legacy encryption ciphers that were being used last year.

Those two items helped us tremendously. But I would also offer that the Kubernetes migration/data center move combined are going to remove a lot of tech debt items and a number of vulnerabilities. That is one of the reasons why we had – and I didn’t say this explicitly. When we did our vulnerability assessment last year, we brought in the vendor. We had a pen test done. It was one of the first years that we didn’t have any vulnerabilities – any vulnerabilities, none, zero vulnerabilities – identified on our external services for ARIN Online, which I don’t know that I’ve been in an organization that had zero – zero.

I’m not just talking about criticals, highs, mediums – zero, because we were doing that monthly scanning and we’ve been addressing them on an ongoing basis. That’s a tremendous bit of progress. And that only happens when you’re being very deliberate in doing that. So, we’re seeing improvements across the board for that. It removes a significant amount of overhead. I feel for some of the folks.

I want to say that one of our directors said at one point that he knew far more about HVAC systems now than he cared to know ever, and he was really looking forward to getting back to his primary job. So you can get back to your primary job now, Mike.

Some opportunities here, and you’ll notice I did pros and not cons, but opportunities. We’ve got to do a lot of follow-on work. Just from a compliance perspective, we have to do a lot of remapping for the vulnerability scanning that we’re doing so that we can improve and continue the good work that we’ve had, redocumentation for our compliance purposes, and we’re just working through all of that. It’s just sort of the normal thing. A lot of great improvements, but we still have good work to do.

Communicating. I’ll say this because I say it every time, and you know we have an Info Sec at ARIN page that answers a lot of questions around the certification/compliance initiatives that we’re doing and some more specific questions. One can also download the ARIN SOC 3 report from that webpage.

And this is also a quick read. We still have security teams that come to us asking for documentation, asking us to fill out questionnaires and things. Some of them are quite lengthy.

And in a lot of cases, we’re turning them back to you, as the POC on the account, to make sure that they’re coordinating with you because in a lot of cases, they’re not coordinating with you. They’re just coming directly to John’s team and Joe and saying, “Hey, we need you to fill out this 350-question security questionnaire. Shouldn’t take more than a couple weeks. And if you can turn that back around tomorrow, that would be fantastic.”

So, hooking them up with you to help coordinate and facilitate that process, and in a lot of cases, we’ve said this before too, most of the things that they’re looking for are literally on the Info Sec at ARIN webpage plus the SOC 3 report. I’d say 90 percent of the requesters are satisfied with that and going away. Some other folks just follow up because that’s their job.

And that’s all I have to cover right now. If and when there are any questions – be real disappointed, Kevin.

Hollis Kara: Don’t run away. Microphones are open. Time to start typing. Wait, looks like we also have an online question. But, Kevin, you go first, by all means.

Kevin Blumberg: Kevin Blumberg, The Wire. $150,000, ask for a deposit to be able to fill it out. $750 an hour, happy to fill out any form you’d like. That’s the way you deal with those people. Sorry. This downloading, you’ve got the reports, great. But the downloading is an industry scourge.

My question was, ARIN Online, RPKI, that’s a lot of PII data, a lot of valuable systems still not covered under any framework. How does that work? Can you sort of go into what you’re planning to bring online into those frameworks or other frameworks? But all of your admin systems, all the back-end data, none of that’s showing here. So I just want to ask what the plans are.

Christian Johnson: Yes, and I would note that there was – probably grossly generalized, RPKI and organization. So when we do that organizational piece, it literally covers controls that cover HR and finance and mail systems and how staff log on to their laptops. It covers a lot of that stuff that I believe is what you’re hinting at here.

RPKI is the – SOC 2 is developed to cover a specific service. As a part of that general audit, though, it forces you to cover a certain number of organizational – generally, organizational controls to prove that you’re doing a bare minimum as a part of that organization, so to speak. So that’s the organization side.

And the same thing with PCI. It’s not all of the same controls. And it does cover things, to your point, that are organizationally general controls versus some of the service-specific things that we cover with RPKI and we will with ARIN Online when ARIN Online is completely audited and certified.

Kevin Blumberg: Clarify that because the way the slides read, a very small percentage – and I think it’s not – I actually think you have a lot of your Org now covered under. It would be very helpful to just get a better sense of that because –

Christian Johnson: Great idea. I will do that.

Kevin Blumberg: – it went from 20 percent in my head to 98 percent in my head. And that’s great, thank you.

Christian Johnson: Yeah, we can certainly do that.

John Curran: If I could add. So the introduction of SOC 2 at ARIN started with RPKI, and that was because it’s a fairly high-priority service that folks rely on. And that got us used to the tempo of doing the SOC 2 process. But as Christian said, you can’t do one system and not bring all of the supporting controls, which touch quite a bit of the organization and systems management.

Bringing ARIN Online brings a substantial portion of our systems under it. The goal is to continue that. But there’s only a certain rate at which it’s possible to force-feed the organization the happiness that is SOC 2 on its systems.

And so we have to pace that, but we will continue that pace, and it will be a happy process. But moderating the introduction of systems into that takes a little bit of prioritization compared to everything else we’re doing.

Christian Johnson: I would even note that we wouldn’t even be able to pull ARIN Online into the SOC 2 program were it not for the data center and Kubernetes migration. Those things have really facilitated and made that happen.

We had conversations about what would it take to get there in advance of the migration, and it would have doubled the effort for that team in some cases, where they would have had to build out certain things in advance and then have to replicate it after the transition.

So at least in that way they were able to do it once and get it done. So it’s not to say that we slow-rolled ARIN Online getting pulled in. There was just logistically no way to make it happen any sooner than this year.

Hollis Kara: All right, real quick before we continue, I’m closing the queue. So if you have anything for Christian – no, no, no, you’re good in line – hop up now and then we’re going to be done with that. And then I’m going to go to my online question before we come back to the floor. Online question before the floor.

Ashley Perks: I have a question from Jon Bachtold from Central Illinois Regional Broadband Network: What role does AI play in your security systems, and what AI systems are your users allowed to use?

Christian Johnson: We are not using AI security systems. That’s a pretty easy answer. We’re not using AI security systems. And as far as the users, I’m going to assume that we’re talking – when we say users, we’re talking about staff as opposed to customers, people within the community.

We have a generative AI policy in the company that specifies that there is a very limited number of use cases where we would authorize use of generative AI within the company. And that’s to create drafts that, by policy, would then require at least both that person who’s generating the draft to review it, and they would be responsible for the content of the draft. And then it would be subsequently reviewed by a second person within that, generally speaking would be their manager or a cowriter on a project, for example.

We’re really talking about very limited use cases where we might be, I don’t know – to the – to the – since it was Ashley that asked the question, right, on behalf of the customer, I would say I could see comms using it to draft a blog. Before the blog got posted on the website, they could draft a blog, and then it would be reviewed, and then it would get posted eventually. That is a specific use case where we might use generative AI within the organization. But we do have expectations around that use. And it has to have, in this case, more than one set of eyes before it becomes public.

We don’t use any organizationally confidential information or sensitive information in a generative AI system. No LLM is exposed to anything that isn’t publicly available on the website or with the intent of publishing it to the website.

John Curran: I’ll add in, since the question was about AI and security in particular, so for people who haven’t seen what’s happening recently, the generative AI folks have done a number of models that specifically had guardrails removed for the purposes of doing black hat/white hat security activities.

You’re going to ask an AI to break into a system if you have the right model. And because if you have the right model, there’s no safety rails to prevent that. What this means now is that if you run an open-source package, for example, you will find yourself inundated with hundreds of submitted patches of varying quality.

Now, as it turns out, this has hit a peak and is beginning to come down. A lot of the open-source packages have said “This has been very helpful now that we’ve gotten past the noise and we’re getting actual useful submissions.” And we’re finding bugs that are years – decades, in some cases – old, in software that we all use.

So the good news is generative AI is going to find a lot of the systems we all use, common packages, and help fix them. The bad news is the reason that the guardrails were taken off by some of the larger firms, and they have models that allow them to do that, is because there’s people out there running AI with no guardrails who are using them to exploit. We’re well aware of this.

There’s a couple of packages available. There’s a couple of private, request-only AI packages available that you can use for defense that you can ask to set up if you run critical infrastructure. We’ve thought about that. We don’t have a big exposure surface, as it turns out, compared to many organizations. And as Christian said, we’re very aggressive in terms of patching and pen tests.

It is possible that a generative AI will find a hole that we have not found and that hasn’t been patched, if it’s a package, because that’s almost certainly where it’s coming from, that they haven’t yet patched. But we haven’t yet engaged AI tools on the defense. It’s something to consider.

I have to point out that the problem with all of this is that AI systems, generative AI, don’t distinguish between instruction and data. And, so, unless you’re completely running these models internally, just the act of running them exports data into the AI system.

And so, there’s a lot of complicated issues. We’re very careful not to use confidential data when we run – like if we use AI to process public responses, that’s fine, it’s public data. But we’re very careful not to use any private ARIN data or customer data. Running these tools inherently exposes the private information within ARIN. And so even using AI for defense, you have to rely on the fact that the models you’re running are sufficiently secure, or they themselves could become an exploit.

So it’s a very deep, complicated topic. Happy if anyone has thoughts, come find me sometime today or tomorrow and chat about it. But we’re not unaware what’s going on, but at the same time, there’s no straightforward, easy answers for this one.

Hollis Kara: Thank you. Okay, Adair, go ahead.

Adair Thaxton: Adair Thaxton, Internet2. Do you intend to continue running regular background checks on all employees, or is that a one-time initiative?

Christian Johnson: We’re going to continue. That is the current plan. That’s the way that it was modeled. Going into the current initiative was that it would be something that we would set up on a recurring basis.

Adair Thaxton: And are you monitoring other social platforms or just Twitter?

Christian Johnson: At this point, just Twitter, because that’s the limit of the tool that we have. We’re doing it on a test basis. We’ve only been doing it since January. So we wanted to see whether or not there was really any value in doing so. But we could open it up if we determine to do so.

Adair Thaxton: Thank you. This was really interesting.

Hollis Kara: Okay, before we go, we’re going to go back to another online question.

Ashley Perks: That’s right, we have a lot of people online that want to play this morning. I’ve got a question from Justin Gehrke. He’s an ARIN Fellow: Good morning. Is SOC 2 implemented as a regulatory-related requirement or as a best practice? If it’s the latter, please accept kudos.

Christian Johnson: I’ll always take kudos, but it is not regulatory, no. PCI is regulatory because we make available the use of the payment cards through our website. And so, therefore, we are required to do PCI DSS.

SOC 2 was an initiative that was identified as important. It’s pretty – I don’t want to say standard, but it’s a relatively common tool that is used in the software commercial space for software development to prove that you’re using something that’s well-designed and works well, availability, integrity, and provides a certain baseline of security for the user organization. So it provides best practices. And so I guess I’ll take the kudos.

Hollis Kara: Awesome. We’ll come back to the floor.

Zulqar Nayen: Zulqar Nayen, ARIN Fellow. My question to you is, is ARIN looking at getting ahead of the curve? What I mean by that is, are you looking at transitioning over your existing cryptographic assets from the traditional standards-based algorithms to NIST-based, N-I-S-T-based, PQC algorithms?

Christian Johnson: We are having a number of conversations around both encryption as well as other parts. Certainly our priority and our focus currently is completing the Kubernetes migration and doing the containerization. But we, again, to go back to one of my earlier comments; we’re leveraging NIST standards to meet the compliance controls within each of the frameworks that we have identified, whether it’s PCI or SOC 2.

So, I’ll give you a general answer to a specific question to say that we use the NIST standards across the board, and we’re trying to look at, again, across-the-board improvements that we can make, not just to encryption standards, but to how we’re implementing everything.

Zulqar Nayen: Thank you.

Christian Johnson: I apologize. That probably sounds like a cop-out because I didn’t directly answer a specific question, and I’m a little conservative about answering specific questions on security plans within an organization.

Hollis Kara: Before we continue, we have two more questions online, one more from the floor. I’m cutting it off there on this topic so that we can keep moving forward on the agenda. Happy to pick this topic up later in the day at the Open Mic, if there are more questions that we don’t get to as folks are thinking of it as we continue to answer these last few.

But if we could take the next online question.

Ashley Perks: Yes. We’ve got Dylan Burke from Triton Internet: Aside from autoscaling purposes, what new security benefits has ARIN utilized or implemented with the transition to cloud infrastructure compared to being on prem?

Christian Johnson: I would offer that probably the biggest benefit is – I’m not even going to go in that direction – and I will say that the greatest benefit has been that we have not had to manage the climate control systems.

We have less physical security controls that we have to put in place because that’s being managed by another organization. There’s a tremendous amount of – I go back to my earlier comment. The Director of Operations doesn’t have to be worried about the temperature in the data center on a daily basis.

So probably the greatest benefit that we’ve seen, if I’m understanding the question correctly, is we’ve had a tremendous amount of – to go back to an earlier comment – the sort of freed time that we now have going forward because of the investment that we put into the transition, into the migration, has been easily, I would think, on the amount of time we’ve recovered by not having to manage the infrastructure, from the environmentals –

John Curran: I don’t love to stand up. That’s not my hobby to stand up and add more, but just to make sure everyone’s on the same page. The question was asked about the benefits from the transition to cloud infrastructure.

So that could lead people walking out of the room with an impression that may not be exactly the right impression. So let me be clear. We transitioned from a data center which was in the headquarters building down the hall from all the offices.

And as a number of people have said, and as our Board made quite clear, that’s not a great place to have a data center.

So we moved to a commercial data center facility where we, in that commercial data center facility, we run physical systems. So we’ve picked up the advantage of having our servers in a professional power/heat, environmentally controlled building. We are not transitioned to the cloud.

Transitioning to the cloud for ARIN, while we do use the cloud for select services, for things like expanding our capacity, distribution services, for example, transitioning general infrastructure to the cloud creates two very interesting things. One is we serve a lot of cloud providers as an underlying infrastructure provider, and that would effectively put one as a dependency on a number of others, and that’s exciting.

And then the other part of that is that ARIN’s infrastructure doesn’t necessarily need the same types of scaling properties as other people go to the cloud for, but we do have very stringent security.

And as much as I would love to say that going to the cloud solves all your problems, it actually just replaces your problems with a different set, particularly when it comes to assurance and availability.

So for now, we have moved to a commercial data center facility, and that’s a wonderful thing. We have not transitioned our core infrastructure to the cloud, though. So just want to make sure everyone understands that.

Christian Johnson: That’s a good point. Thanks for clarifying that, John.

Hollis Kara: Alright, we’ve got a question from the floor.

Kevin Blumberg: Kevin Blumberg, The Wire. I’m fallible. My code is highly fallible.

Coming up here and saying, well, here’s my policy of not using generative AI and we need two people to check it and we’ve completely devalued the purposes of using AI – when you write and have, what, 10-plus developers in-house for writing code and you’re not using generative AI to at least review their own code, please come into 2026.

Yes, there are security risks. There are concerns about things. Those got dealt with and have been dealt with. Having bugs that could have been easily fixed latent in all of your systems because you don’t want to use generative AI because of whatever the reason is, is just a poor excuse today.

Christian Johnson: Thank you.

Hollis Kara: Okay. And I think we have one more question online.

Ashley Perks: We do. Kevin Daglieri from RTX: Will there be a requirement as part of employee training to earn certifications like CISP?

Christian Johnson: Will there be? We only have – from an HR perspective – this is a great HR question, so the CHRO can correct me if I get this wrong – my understanding is that this is not a standard that we would ask individuals to have security certifications to meet a broader certification such as SOC 2 or PCI.

There are certain positions within the company, as with any company, that, based on the job description, require that individual to have a certain set of – a particular set of skills, right? Sorry, I had to say that. Particular set of skills.

In this case, whether it be CISSP or Security+ or being a CPA or having an HR certification, it’s based on the job position and the job description as to whether or not an individual will. That is not a universal requirement within the company, though.

Hollis Kara: All right. I think we are out of questions for now. Obviously this has generated lot of thoughts, and I hope that we’ll be able to revisit this later during the Open Mic. Thank you, Christian. (Applause.)

Christian Johnson: Thank you very much.

Hollis Kara: Thank you. All right. Love the energy this morning. Clearly the social got people revved up last night.

Let’s get Brad Gorman up here – where’s Brad? Oh, gosh, he’s right there, geez – to give us an update on routing security.

Routing Security Update

Brad Gorman: Hi, yes, my name is Brad Gorman. I’m the Director of Customer Technical Services.

It’s an official big title that I have, but I’m the RPKI guy. So, I’m going to talk about routing security here today.

So I’m going to go quickly over what the global and within-ARIN region RPKI statistics look like, the use cases and uptake of the services, and then go into some of the development that we’ve been doing in the routing security environment over the last year inside of ARIN.

So global validity state: In RPKI, the concept of what is a valid route announcement is the gold standard. That’s what we all strive to have tagged to our announcements that say this is authentic and it’s coming from me, and that’s what the real promise and purpose of RPKI is, to establish that positive use case and positive affirmation that the information is accurate.

So, over the last year, globally, the RPKI validity states for both the IPv4 and IPv6 protocols have been increasing, which is good. I mean, that’s really where we all want to be.

But the rate of increase is constant, but it’s a little bit slower than maybe where we would want to be.

Now, within the ARIN organization, there has been, again, a very steady increase in organizations signing up for the routing security services, signing up for RPKI.

The growth of that really has come from a number of different directions, why people have or why organizations have selected, hey, I’m going to use RPKI-hosted services or delegated services.

Part of it has come from the community saying, hey, this is the right thing to do. People coming to this meeting, going to other network organizations, operators’ meetings, like NANOG and CanWISP, or other things within the region and globally that say, hey, RPKI is the direction that we want to go to best secure and make the Internet routing stable.

There are service providers that are also enforcing the need for a customer of theirs or a new customer to utilize RPKI capabilities and create RPKI objects. That is further pushing operators and resource holders to adopt and start using RPKI services and capabilities.

And then ongoing training and education, both within ARIN and globally. I’ll get a little bit more detail into that. All of these things added together are what is promoting the uptake of the RPKI services or registration to use those RPKI services.

So, what are those services? There’s really three. Two main ones are the hosted and delegated RPKI models. And a hosted model, a customer will sign up to say, hey, ARIN, I want to put my objects and make my statements, and you put it in the repository so everybody can use it. That hosted model, ARIN writes the tools, has the web interface, the ARIN Online interface where information can be entered.

We develop and maintain an API that allows a customer to programmatically interface with their configurations.

We run a repository that is high-availability uptime, published to the outside world. And we’re the certificate authority, the organization that maintains all the cryptographic components that assures the accuracy and validity of the information that is in that RPKI repository.

The flip side is a delegated infrastructure, and that delegated infrastructure is really for an organization who wants to have more control over the cryptographic components. But a native delegated instance does come along with additional requirements put upon them, mainly running that repository.

So, the alternative for a delegated organization is a third service that we offer, which is our repository publication service. So, the control - cryptographic control of the objects is maintained by the delegated institution, but they can then offload the more advanced and high-availability requirement of the repository back to ARIN.

So, what does it look like inside of ARIN as far as uptake on these services? The number of organizations right now that are using and have selected the button “Sign up for RPKI” and pick one type of deployment or another, there is just over 8400 organizations that have said, yes, we want to do this.

98 percent of those are using hosted, and that’s clearly an indication that it’s not just small organizations that have a few resources. The largest resource holders of the ARIN organization are amongst those that use hosted RPKI services.

The interesting thing that still that I’m tracking, and I’m scratching my head, I don’t know why, is that even though 8200 people or 8200 organizations have selected to use hosted RPKI, only 7200 of them have created ROAs.

So, someone hit that fun “Sign up for RPKI” button but didn’t go further beyond that. So that’s something that, you know, internally we’re looking at and trying to understand and basically educate ourselves on why we got to this point, why there are people who have said, yes, I’ve hit the button, but I haven’t taken another step along. So that’s something that I’m looking at internally and seeing how we can make that better.

Now, again the percentage use of the delegated RPKI instance, it’s very specific use case, purpose-built for people who have other either internal requirements or regulations that they need to maintain that cryptographic control.

Of those, more than half of them use that RPS service; they use that ARIN repository to store their RPKI information. But the point is that 15 percent of all of the organizations that have signed up to use RPKI have just signed up to use RPKI. They’re not actually using it.

So, by different organization types, just kind of break it out a little bit about how we’ve progressed from last year, over the last calendar year, from the adoption rates.

Within the governmental organizations – and governments might be federal, state, provincial, territorial governments that have accounts and access to resources – 20 percent of government institutions have hit the button that they’re opting and using RPKI services.

The educational institutions, definitely, nice upswing and uptake, 21 percent of anybody that’s an EDU or otherwise going to be attributed to the research institutions, those are definitely an uptake in percentage.

And then the commercial environment. I mean, you can see the trend here. People are moving forward and adopting as time is going on. The increases are clear. The column on the right, though, is we’re talking about how many of the resources are covered under some RPKI objects, the statements that have been made.

And while there are increases in some of these, there’s also decreases in others. That is a normal flow of – ebb and flow of how resources move from maybe one organization to another, or the purposes of other either direct or indirect use of IP resources between organizations. That’s a clear point of how those percentages, these numbers get changed back and forth.

So, within region, based on again the different economies within the region, the registrations versus last year’s or the last meeting, we’re seeing an uptake.

Only highlight the United States and Canada as the largest of the economies, but as those two, along with all of us within region, we are further, again, progressing and registering to use services.

Now, as everyone has heard and has been hearing for a long time, we have been working to get as many of our resources under contract so that they would be eligible to use RPKI services. And as of the end of last year, as the end of 2025 closed, we reached a point where over 93 percent of all of ARIN resources are eligible to be used for RPKI services.

So, these numbers, out of the 1.65-plus billion addresses that are in the ARIN registry, a billion and a half of them are eligible for use.

Of those, more than 50 percent of them are in – sorry – more than 50 percent of them are eligible to be covered by ROAs. And if you look out into the global BGP table and you look at ARIN resources that are covered with RPKI statements and RPKI Route Origin Authorizations, 54 percent of all of ARIN-announced assets are being covered in RPKI.

Here’s another very similar chart with the other one, but in this case we’re pointing out the percentage of resources that are under coverage. And, again, as the two largest economies, making a significant swing, those percentages are coming up. 5 percent of thousands of organizations or even 2 percent of thousands of organizations, it’s making a big difference. I just wanted to point that out.

So, what does it tell us? Participation in the services is increasing. More and more people are registering, but we need to make sure that they’re registering and continuing on to reach the benefit of how RPKI works, you know, making statements about resources.

And the benefits are truly based on information being made available to get that special sauce that you want to get out of RPKI and get the true benefits of what routing security is.

It’s not a thing to miss. It’s not just you as an individual resource holder in an organization. It’s everyone’s responsibility to bolster and secure global routing Internet infrastructure. So, we all need to do our part and continue moving forward.

So, what are some of the new things and upcoming releases that we have put forth in the last year?

I’m going to repeat it again. Flattery and plagiarization, you know, it’s a great form of flattery. So, yes, ASPA. ASPAs are Autonomous System Provider Authorizations, and they’re a new object that is being introduced into the RPKI. At last spring’s meeting, we were just about to release the capability to customers to create them in our test environment, and right at the cusp of the beginning of this year, we enabled that capability in ARIN Online.

So today, any customer can go and create a live Autonomous System Provider object and make statements about the use of their autonomous systems, and on top of creating ROAs, but talking about their resources.

So, the number as of when I pulled the information a couple weeks ago, 198 ASPAs are in the repository. Great. It’s pretty small, but if you think about it, we have 200,000 ROAs in the repository, but we have billions of addresses.

And in the line of how many autonomous systems do we have that are announced globally, 70,000, 75,000 autonomous systems are visible.

Already almost 200 of them in the ARIN region alone have had statements made about them.

So, whether the number may seem small, but as to scale and the speed with which that is starting to happen, it’s actually a good sign. 198’s a good number.

We did it, both ARIN and the RIPE NCC, have enabled our customers the ability to make these ASPA objects. And the reason is that within the standards community, in the Working Group where RPKI and the other routing security discussions are made, the Charter was updated to say that no draft will leave this organization, will leave this Working Group, unless it has been proven - a proof of concept has been provided with data and statistics that it’s going to do what it needs to do.

So as the community works further on the other drafts that are part of ASPA coming out of the IETF, having those real objects available for use was a priority that we, the RIRs, gave to them to work on. So that’s why we have them here.

And those drafts, hopefully, we can kick them out and make ASPA a standard new object in the RPKI.

Now, what may seem like we haven’t been doing a lot of routing security development or deployments, it’s because a lot of the work that we have been spending our time on working has been behind the scenes.

We’ve been doing a lot of the work that the engineering organization had been doing building and transitioning to a new data center, much of the work that is being done on software that our internal users are taking advantage of, our management infrastructure, our management tool that the Registration Services team uses to support customers when they call in and answer the questions.

This is the work we’ve been doing to better equip internal users to provide better customer service to you, the membership, with regards to where routing security services are going.

So, what may not seem like things in front of your face have changed, a lot of things in the background are streamlining and making it more effective for us to support you when you come in and call us.

One thing that I’m super pleased with, and I’m completely thrilled with our Communications team is helping me get it going, we’ve established what we call a Deep Dive training, where I or another member of the team will be able to go out to the community and spend an extensive amount of time, hours, going over the concepts, the basic concepts of routing security, going into the use cases in ARIN, using ARIN’s tools and setting things up and giving people a hands-on capability of seeing what actions inside of the RPKI statements that they make with ARIN and how it will impact their presence of their resources in the Internet and globally.

It’s a hands-on, partial presentation, partial hands-on exercise that is being – the fifth iteration of it was given on Sunday. I had a room of about 25 people in there that we went through the process and showed everyone what the screens looked like and moved their fingers, and it’s all based on IPv6.

So, people are learning how to find that colon key on their keyboard when they’re typing in an address. It is one of the newest ways that we are providing you, the membership, a way to understand and learn not only what RPKI is, but how it does, how it benefits you and everyone else.

So, what’s coming up on the horizon? Now, I’ve been talking about this a long time, and I promise you, the horizon is close.

RPKI Routing Intelligence. What is that going to be bringing you, the membership? Well, today it is a very simple process to go create a ROA and move forward and continue making configurations. What we’re going to do for you moving forward is provide you even more information about what that change is that you’ve made, what it will look like, what is the potential benefit to you.

Are we going to change, or are you going to be changing your current posture of what your resources look like in the outside world? Are you looking to make a change that will fix what might be appearing to be a non-optimal configuration?

We’re giving you more knowledge to be used to make better judgments on your configurations, whether it’s your RPKI configuration, giving you an explanation of maybe what you look like to the outside world in the Global Internet Table.

Give maybe a suggestion on this is the state of things, maybe you want to take action based on what you’re seeing in these results. So, this is data that we have previously not given to you, the membership, and we’re very excited and thrilled to be ready to put that out in front of you and get everyone thrilled and excited and moving forward and using RPKI even more. Other future enhancements that are coming, yes, we’re going to be adding new capabilities to the API. We’re going to be updating right now. Mark had brought out the ROA Change Log. That was something that we implemented over the last year. Well, we now have ASPAs. So, there’s other RPKI information that we could share in this log. So we’re going to augment and now make it an RPKI Change Log.

We’re looking at the possibility of using some third-party tools in order to make your time inside of the ARIN infrastructure be an easier task. Can we utilize the help and assistance that the greater community has provided with tools and try to bring that knowledge and benefit into the ARIN system?

Looking at more ways that we can manage your configurations inside of the RPKI, whether it’s in the API or other connectivity. And then working on expanding further inter-RIR interaction and how we can as a RIR community make it a more seamless and effective process to encourage and enhance routing security across the globe.

As always, if you have ideas or questions or suggestions, come to us. We’re here. We’re listening to you. And make your suggestions and bring it on.

That’s it. Any questions?

Hollis Kara: All right. Microphones are open for questions or comments for Brad.

Leif Sawyer: Good morning, Leif Sawyer, GCI Communications, Alaska. I just want to congratulate you on all the work that you’re doing. You’ve made it easy to do RPKI, and I think that needs to be restated.

I tried to do it on my own, our company’s own, to stand up all the CAs to do all that behind-the-scenes work and make it work effectively. And we didn’t have enough people. We couldn’t do it. You guys have made it so that I can log in, click a few buttons, and I’ve got ROAs protecting all my routes.

It’s hands-off. I mean, I really don’t have to keep coming back and looking and looking and looking because I’ve got all the data when I need it. So, thank you again. (Applause.)

Brad Gorman: Great. Thank you, Leif. While I may be the person standing up in front of the room, a lot of people behind me are the ones that are doing the work. So those kudos need to go to them, and also kudos need to go to you.

You are the people that are making the suggestions and asking for things that help you. So, we’re paying it back to you with what you want, and I’m glad to hear that it’s working out.

Kevin Blumberg: Kevin Blumberg, The Wire. Brad, great to see you again. I think this is the third time because of all your Deep Dives that you’ve been doing.

Brad Gorman: Third time in four weeks.

Kevin Blumberg: Yes. Those Deep Dives are great. And I think it’s great that it’s relevant to the community and you’re getting out there and ARIN is getting you out there. So that’s wonderful. Thank you.

I mentioned something to you that I know you’re working on, I think it’s helpful for the community in regards to timelines because with the auto, you do a 90-day certificate, and you renew it at community in regards to timelines because with the auto, you do a 90-day certificate, and you renew it at 80 days – like with, sorry, 10 days left, and all the wonderful monitoring systems are nice enough to alert me at 30 days that the certificate is coming due.

These systems are based on a concept from years ago. But it’s still annoying that they’re doing it. And I do appreciate that you’re looking at increasing it to 31 days so that we can get some sleep over the holidays.

But this is a great example of where you operate on the Internet not in a vacuum and you work through it as these types of things come up. So, I appreciate that.

The stuff that you’re showing me in terms of the new features with ARIN Online, you used the word “you” a number of times, “you will be able to,” “you will be able to,” and is it inside of ARIN Online, i.e., I can’t just put in something like I do in an IRR Explorer and see a route and how I could fix it and things like that? Is it only my routes inside of ARIN Online? Because the functionality will be awesome, but if it’s limited into just ARIN Online, my only concern is it’s an impediment for people to do their late-night work and the deployment.

So just a suggestion there. You can rate limit it or whatever, but if it’s inside and it’s only your own routes, it’s helpful to a point. But a lot of the checking that people do, a lot of the inquisitive nature of what they need to do with routes and RPKI will be lost on what looks like an awesome tool.

Brad Gorman: I understand what you’re saying. Or let me make sure that I am. Let me clarify that, yes, the information that will be presented to the member coming into ARIN Online will be limited to, for a purpose, to your resources. More in the sense that it is, hey, giving you that direct feedback to what is specific to you.

Now, there are so many third-party locations and tools that are available to give a broader perspective of what the overall global picture looks like for you and for others or in general. The development wasn’t and isn’t being directed in a way to replace what those third-party tools can provide. The knowledge and information being given is so that when a customer is going to make a step, you know, in the production interface, that they will be made aware of what a potential outcome might be so that they can take pause and say, hey, is this exactly what I want to do?

So, yes, it is an ARIN Online feature. It is limited to the organization’s resources that are being looked at right there. The idea of grabbing the full global outside, all of the information as a portion of the overall development, that wasn’t a direction we took.

Kevin Blumberg: Where I was going with this, when I speak with government or enterprise, they are queasy about using some random third-party tool.

I know it’s great. You know it’s great. We both use it all the time.

They have this unease about using these tools. I say, well, you could use the RIPE tool. They’re pretty good with that. If you’ve got the tools and it’s available, it makes my life trying to get people to do the stuff a lot easier coming from an authoritative. Again, I’m not asking you to make new tools, just allow those tools to be accessible so that I can point people to them. Thank you.

Brad Gorman: Very good. Understood.

Hollis Kara: All right. Before we continue, I do have one online question. I would like to note that the queues for this discussion are closed. We’ll be happy to pick this up further later in the day, but let’s get through the questions we have starting online.

Ashley Perks: Jeff McAdams from Denovo Ventures: In regard to the Reg-RWS API, can we get JSON as a data format, in addition to RPSL and XML?

Brad Gorman: That is a question that has been asked before, and we’re looking at it. That is an option, and we’ll have to get back to you on it. At this moment, at this point in time, it is not on the development program.

Hollis Kara: Okay. Thank you. Next from the floor.

Altie Jackson: Altie Jackson, ARIN Fellow. I must say you’re doing a good job with the RPKI and showing us what to do to ROAs and everything. Overall, is there something in the framework to do enforcement, especially with all the customers in the Caribbean, to ensure that their RPKIs are done, just to bring up the numbers?

And coming from telecoms, I’ve seen wherein, if it’s not enforced – for example, Google reached out to us once and said they’re going to enforce this, and the business did something to make it work. But if it’s not enforced, you don’t see the business make a decision to do that.

Brad Gorman: RPKI will always be an option, not an enforcement. ARIN will never go to the membership and say, “You must start using RPKI services.” Anything that is a regulation or a requirement is going to be put on to a resource holder from an external entity and not come from ARIN.

So, it is now and forever will be an optional signup to use RPKI services at ARIN.

Altie Jackson: All right. Thanks.

John Curran: I have to stand up. He’s right, but I want to be very clear. We, ARIN the organization, will not make a requirement on customers to deploy RPKI. We have no basis to do that. It’s your registry. We’re running it.

It’s possible an external party will tell you “You have to run RPKI.” It’s also possible the community, through policy, could say “People have to run RPKI.” But that’s not ARIN, the organization. That’s the room making policy. It doesn’t fall to the organization organically to do that without a mandate from the community through the policy process.

Brad Gorman: Thanks for that clarification, John.

Adair Thaxton: Adair Thaxton, Internet2. I think you mentioned that your RPKI training is conducted using entirely IPv6 addresses.

Brad Gorman: That’s right.

Adair Thaxton: That’s super awesome, and I think it would be great if everyone else who does training did that.

I’ve suggested that to the ARIN workshop, or to the NANOG Workshops Committee as well, that if IP address are used, they should all be in IPv6.

Brad Gorman: Fantastic.

Liz Goodson: Liz Goodson, Lightpath Fiber. So, the IRR Auto-Manager is super great, with the ROA creation. But one kind of nitpicky thing is that when you do the route object, you’re not able to do a description field. It just auto-creates or auto-populates with the name of the entity, the Org ID.

In practice, with the service provider, we normally put the customer name in there. So, I have to go and do kind of a two-step to go and update the description field. So, some mechanism to do that would be super great. So just kind of a request.

Brad Gorman: I’m glad the benefit of the Auto-Manager is being realized. I’m glad you see that. I want to make sure what you’re suggesting is that during that auto-creation process, have the ability to, at that point, inject a description statement or remark statement inside of that object that you would want put in there rather than the one that is automatically published when that linked object, that IRR object is created.

That ability is there now if you go in through the IRR context. You can always put in your own remarks into there. The direction that we took when we did that was to just merely identify to anyone who is pulling out that IRR route object, just to recognize that it was created during a ROA generation process.

Liz Goodson: So, the description field and the route object is – right now it would be like – so for us, it’s, like, Lightpath is the name. But if I go and create the route object normally, I would put my customer’s name as the description field.

Brad Gorman: Sure.

Liz Goodson: Anyway, just a nice to have would be when I do the creation, I could put in a description field that gets populated into the route object.

Brad Gorman: Perfect. We do have a suggestions portal, too. That is the perfect place to make a request like that. That’s perfect. Thank you.

Hollis Kara: Awesome. Thank you so much.

Thank you, Brad. (Applause.)

All right. For the sake of our captioner’s fingers, we’re going to go to break. Whoops. Yep, no, that’s the right thing on screen. Sorry.

I would like to announce our first change in batting order. After we come back from the break, we will launch into our grant reports and then follow up with our Internet Governance and Caribbean Collaboration reports following that.

So look forward to seeing you back at 11:00 for grant reports, and for now we’re on break.

(Break from 10:36 AM to 11:00 AM.)

Ashley Perks: We are back from break. It’s me again. Hollis is back for the espresso hour. Maybe two hours. We’ll see how she goes.

Again, I’m Ashley Perks, Communications Manager here at ARIN. We’ve got a fun block coming up for us today.

We’ll start with our Community Grant Program reports. And then, as Hollis said earlier, we do have a small agenda change. We will, after the grant reports, we will have our Internet Governance Report with Nate Davis and our Caribbean Collaboration Report with Bevil Wooding, and then we’ll see where we are there.

So, for now, I’ll go ahead and get Amanda Gauldin, our Senior Project Manager, to give us an update on our Community Grant Program.

Community Grant Reports

Amanda Gauldin: Hi everyone, like Ashley said, my name is Amanda, and I love to have the chance at these spring meetings to share about the ARIN Community Grant Program and shed some light on a unique opportunity for the community that is happening right now.

So at seven years old, the grant program supports projects and initiatives to improve the overall Internet industry and user environment.

There is a thorough application process, and those selected could receive up to $20,000 in funding for their project.

Twenty-six projects have been funded over the years, and you can see some of those organizations listed here, and we have the time today to hear from the three organizations that applied, were selected, and received funding in the fall of 2025.

Network Time Foundation, Internet2, and 20C are halfway through their projects, and they’ve prepared an update for us on their progress so far.

After the ARIN 58 meeting in the fall, you’ll see a blog post from each of them about the final results of their project. So here in just a moment we’ll watch those video reports, and you’ll get some great insights into how these organizations are using the funds and the benefits that are in store for the Internet community from their work.

So exciting news is that the 2026 Community Grant Program application is open now. You can visit the ARIN website and get a link to the site and complete an application. The ARIN website has very detailed information on the parameters, application questions, and more.

So you can read it over if you have a project in mind and you’re searching for funding.

There are four parameters that we look for projects to fall under noted here: Internet technical improvements, registry processes and technology improvements, informational outreach, and research.

Like I said, the ARIN website has more information on all of those details, so you can look in advance to see if your idea for a project might be a fit.

Like I noted, the application site is open now, and it runs through June 14th. That’s a nice, long timeframe, but this is a very detailed and thorough process. So we want to make sure that you have the time to put together a really solid application.

There is another opportunity open right now as well through Friday of this week, and that’s for a call for the volunteers for a Grant Selection Committee. That’s open for General Members. And this committee reviews the applications, discusses them as a group and makes the final selections.

Those who are selected in 2026 will receive their funding in the fall, make their update to the community the following spring, and then complete their project by the fall of 2027.

So announcements and links for both the Grant Selection Committee and the Community Grant Program application are on the ARIN website under announcements, and you might need to click to the archives to get to the Grant Selection Committee announcement and the link to volunteer.

And if there’s questions, I’ll take them now before we move to the grant recipient project update videos. Thank you.

Ashley Perks: Any questions about the Community Grant Program or how you can apply or the Grant Selection Committee, the floor is open. Otherwise, we will get right to the reports. I think I see someone coming.

Zulqar Nayen: Hi, Amanda. I’m Zulqar Nayen. I represent Internet Society Ontario chapter. We recently formed this chapter December of last year. So I was just wondering for those who do not have deep expertise in the Internet resource area, is there any pathways for us to create an Internet governance program so we can take grants, for example, digital inclusion, these types of areas? Is there any easy pathway for us for competitive, to apply competitively in this program?

Amanda Gauldin: Right, I would encourage you to look at the website for the grant project because we go into great detail.

We’re looking for specific projects that the community is looking to endeavor and accomplish over a period of time, which is 12 months. So if there’s some sort of goal that you guys are looking to complete, you have a project or an endeavor that you need specific funding for, that certainly could be a fit with your organization. But I would encourage you to go check out the website, read a little bit more. That should answer some questions.

We did also – also on the website, I’ll note, there’s project reports from past grant recipients. So looking through those as well is going to give you some good ideas of what we have funded before, what has worked well and been a good fit for the grant program, and that might give you some inspiration, too, with your organization on what you’re looking for and how that might be a fit.

Zulqar Nayen: Got it. Perfect. Thank you.

Ashley Perks: Okay. We are clear online. Thank you, Amanda. We will get right to our grant reports.

Amanda Gauldin: Sounds good. Enjoy.

Markdown Integration for GNU AutoGen

Harlan Stenn: Hello, my name is Harlan Stenn, and I work at Network Time Foundation, and I’m the project lead of the NTP Project.

We were fortunate this year to get an ARIN Community Grant to help us with a significant issue we have.

We need to get markdown integration for the new AutoGen to give us single-point servicing for our documentation needs that producers mark down as an output format. So this is my interim report for this effort.

We’ve had – the NTP Project has been around for over four decades, and we started off in the early ’80s with a bunch of README files.

In the ’90s, we added an HTML directory, and in 2009, we started – we added AutoGen generated man pages to the output of everything.

The problem we’ve got is that the documentation exists in different groups. We’ll call them silos for now. And it’s very difficult to keep similar documentation consistent across silos.

So in 2021, we decided to migrate from WordPress and wiki-based Web pages to Hugo, which produces a static output and has a minimal attack vector on it.

So unbelievable, starting over again.

In 2021, we decided to pivot from Foswiki and WordPress as significant providers for our Web content to Hugo, which produces static web pages. It just saves us a lot of time and effort and resources online. And we didn’t have to spend – dedicate people to doing frequent security patching of things like WordPress.

So our legacy WordPress and Wiki sites required a lot of CPU and memory. They have a high attack surface, that is for WordPress, and we have a lot of maintenance overhead for them. By switching to Hugo, we got static content.

So it was very lightweight, including resources that the public needs to see. It has a small attack surface, and it’s markdown-native.

So we’ve got a single content source for things. So we’ve already centralized all of our documentation needs for the codebase with new AutoGen, which gives us output for all of our documents and man pages and file formats and the rest of it, and it can produce these in both man and doc and texi HTML pages.

The trick is to make this work with our new Hugo website, we have a manual conversion bottleneck to convert those outputs into Markdown. And it takes a lot of time and effort, and it’s error prone also.

So with the Community Grant, we were able to add Markdown to the AutoGen output format, which means we can now automate the entire documentation change from our master source instance producing outputs in all the formats we need that’s automatically maintained.

And it lets all of our release documentation live seamlessly on the website. We’ve finished the phase 1 of our effort. So we have all the translation scripts mapped.

We know what markup tags we need to translate. And we’ve identified the test case we’re going to use. But they’re not really test cases because we’re actually using them. And we know how we have to update the AutoGen build system. From this point, we’re going to finish implementing our translators to and from Markdown. And as we do this, we’ll be identifying areas in our documentation that need further attention.

And we’re on track for a successful delivery before the ARIN Community Grant contract window closes.

This has been really good for us because it paves the way for us to completely upgrade the NTP and other NTF project documentation. And let’s just say I am not happy with the quality or quantity of the NTP Project documentation, and this is going to give us a much easier path to completely upgrade that and to be a benefit to everybody who uses it. I wanted to thank ARIN for the Community Grant that supports this.

And that’s how to reach us. Thank you.

IPv6 Test Pod

James Harr: Welcome, everyone. My name is James Harr, and this is a presentation about the IPv6 Test Pod Project that was funded by the ARIN Community Grant.

And I’ve been in network architecture for a good chunk of my life, did network engineering, and now I am in the automation and orchestration space at Internet2.

So a quick blurb about Internet2, we are a research and education backbone. We have a series of optical and packet backbone sites around the U.S.

We connect research and educational institutions. We also peer with other national research and education networks around the world, providing network services to our constituents, stitching together the research community.

We also have a trust and identity division that works for federated single sign-on services across R&E. And then also we do eduroam, which is a federated Wi-Fi service. So members at one university can log into Wi-Fi on another and it just roams. You don’t really have to think about it. We are a nonprofit member-run organization, so it kind of influences sort of how we help the community out.

So in this talk, I’m going to cover a little bit about the current state of IPv6, what’s been happening. I’m going to talk a little bit about IPv6-only networks, the technology behind it.

We’re going to take a look at the IPv6 Pod Project, which is the ARIN-funded portion of this project. And then the current project status, where we’re at today and where we think we’ll be going.

So on to the state of IPv6.

So this is our second year of doing the IPv6 Pod Grant with ARIN funded through the Community Grant Program.

And this time two years ago, you know, I pointed to an arrow on the IPv6 adoption of the Google IPv6 stats, which is sort of in the world I work in,

it’s sort of the gold standard for how much IPv6 is actually being deployed over to client sites and how much traffic is IPv6 on the Internet. And since then, we’ve gone up a healthy, you know, five percent. So this is one of those things where I think IPv6 started out with a lot of fanfare.

Then there wasn’t really a whole lot going on. I think a good chunk of the world just kind of moved on to using NAT and other technologies, and I think IPv6 has made strides, and I think it’s been one of those things where it’s going to slowly come up to be the dominant protocol here fairly shortly.

And I think a lot of people don’t really realize that that has been happening over the last five years. If you went back to before the COVID pandemic, you can see it’s even down in the 25 to 30 percent usage. So it’s really, you know, in the last few years, adoption’s really seen a big increase.

Similarly, if we look at just the BGP advertisements, that has gone up as well. So we’re seeing good growth in that area.

And if people have been around for a while, they remember when the IPv4 BGP table hit 250,000. So, you know, it’s kind of good to see IPv6 hit these levels of adoption.

So in terms of IPv6 activities, you know, the standard has been ratified for quite some time now.

There’s been a lot of background effort going on, but I think there’s some important key milestones that we’ve either hit or we’re going to hit very soon.

So one of the technologies we’ll be talking about a little bit later is the CLAT, which is a client translator used in 464XLAT.

Two big developments have been happening. Microsoft is committed to expanding the CLAT support in Windows. The private preview for Windows CLAT, I believe, is mostly concluded, but I think we would expect to see the CLAT coming up in a Windows 11 release.

Prior versions of Windows are unlikely to get it, but again, we’re looking towards, you know, the future of operating system support.

Similarly, Linux has a CLAT built into it now. It has not been released. But that’s going to signal some strong support for IPv6-only or mostly networks. So there’s also been a lot of activity in the IETF around standards. There’s a lot of – as people have adopted IPv6, there’s a lot of corner cases that have been identified and as well as like just general best practice operations, some unknowns that were not defined in previous standards. And there’s been a lot of activity in the IETF, in the IPv6 ops, in the IPv6 management areas to sort of like clarify that behavior.

And, you know, as small as these things might seem, I think there’s a lot of – a lot of vendors turn to these RFCs to really identify how should we implement this behavior. So I think while these might seem sort of like why would I care about them, these are very important advancements that I think will help sort of clear the field to make it easier to deploy IPv6.

So moving past the recent events, we’re going to talk a little bit about the technology behind IPv6-mostly networks.

So, you know, eventually we want to get to IPv6-only. But the path there, it’s not something that you can just turn IPv4 off and have most networks operate. So that’s where – but I think, you know, the thing to remember is that dual stack was never the end game. Nobody likes to run two protocols. It adds complexity. It kind of – it adds confusion when you’re troubleshooting. It adds complexity having to do both things.

So I think single stack IPv6 is the ultimate target. But it ends up being a simpler mechanism to sort of – it ends up being simpler to run operating networks that way. But we can’t just go there from here. We can’t just turn off IPv4 and be there.

So we have to have a way to effectively allow IPv6-only hosts to access the IPv4 Internet. And there’s a couple of different patterns to do that. This has been around for quite a long time. It’s NAT64 and DNS64.

I’ll be fairly brief with it, but the short version is that the DNS resolver, when it sees a request for – when it sees a request for a AAAA record for a zone that, you know, maybe that doesn’t have a quad A record, an IPv6 address, it’ll actually synthesize one in a specific prefix.

And below is an example, 64:ff9b, and it embeds that IPv4 address in there, and it synthesizes a response back to the client. The client connects to that address, and then at some point, that traffic will hit a NAT64 appliance and then be able to access the IPv4-only server. This has been around for a while.

There are a number of drawbacks, namely that sometimes there’s hard-coded IPv4 addresses.

Sometimes an application literally will not ever attempt to connect to a IPv6 address. It may try to connect to IPv4-only address family. So that’s something to consider.

But I think there’s a much better solution today that covers a lot more use cases. And as fancy as the name sounds, 464XLAT is pretty simple. It’s been deployed in LTE and 5G networks for quite some time now.

And there’s a lot of the recent efforts have been to bring that to sort of the LAN and Wi-Fi side. So one of the big technologies in 464XLAT is a CLAT on the client device.

And what it does is it presents what looks like an IPv4 interface, and you can actually even, you know, ping a IPv4 literal.

Well, what happens is the CLAT will handle sort of translation, embedding that IPv4 address inside an IPv6 packet, send it over the IPv6-only network and ends up at a NAT64 appliance. It can be the same appliance as in the previous diagram, and allows that user to connect to an IPv4-only server.

Now, why is this different? Why does it matter? Again, the application actually thinks it is connecting to an IPv4 address. It’s not. I mean, it effectively kind of is, but it transits over an IPv6-only network without the client application ever knowing. And so I think that’s a really important pattern that’s going to be useful in enterprise and campus networks. Another technology is this thing called IPv6-mostly. It’s an RFC that defines DHCP version 4, Option 108. And what this does is it says, if you understand this field, turn off your IPv4 stack. And the important part is, hosts that do not understand this field, they will ignore it and continue to use IPv4. So what I think this allows a network operator to do is set up a network.

You still have to configure dual stack, but what you can do and you still will want to configure CLAT in NAT64 in the network. But what you can also do is enable DHCPv4 Option 108 to say if you understand this, you can turn off IPv4 now. So the host that will support CLAT and Option 108 turn off IPv4 and anything that doesn’t understand those two things will continue to operate as dual stacks. So it allows you to gracefully turn off IPv4 to clients as the support is added in devices and operating systems.

So where is support today? The support today is actually pretty good. Any device that has LTE on it. So most mobile devices support it fairly natively.

Some of the older versions, like if you have an Android phone that hasn’t received updates, it may not support it, but anything modern should.

Windows has supported it on LTE interfaces only, and that feature is coming to Windows 11. I don’t have a date for it. They have not publicly released it, but it’s going to be – Microsoft is committed to it and it’s going to be on its way. Linux has options on the way as well.

Network Manager 1.58, the release date of which is to be determined, is going to have that. I’ve actually personally tested out the feature. It works well. There’s a few corner cases they need to clean up, but the feature is coming.

And in FreeBSD and OpenBSD, it’s supported in their packet filter, but you need to configure it yourself. At least that’s the most current information I have on that. Feel free to correct me if I’m wrong.

So that brings us to the IPv6 Pod Project.

So I listed out a whole bunch of technologies that can make IPv6-only or mostly networks possible. But if you’re a network engineer or developer, getting access to these things can be, you know, getting a lab environment set up can be kind of a hassle.

First, you need to understand all the options. Second, you may need to get access to IPv6, which you may not have at home or at work, or the plan to deploy IPv6 may be, it may not have started yet or it may not have been deployed.

And sometimes, you know, instead of having a long, drawn out critical path through these projects, sometimes you may want to sort of get your application ready before the network is ready to run IPv6-mostly. So on top of it, you need to get all these technologies set up and configured.

And not every vendor supports every option right at the moment, especially on lower end hardware. Like if you’re looking at consumer devices, they may not support PREF64, they may not offer a NAT64 option. They may not know how to configure DHCP Option 108.

And then you need to set up multiple test environments because your organization may choose to use a different combination of technologies. So and on top of that, you need to actually accomplish your day job. So that’s where the IPv6 Test Pod project comes in. It is a preconfigured device that we ship out for free to participants who apply.

And it has several different networks configured on a Wi-Fi SSID and wired ports that they can plug in and test applications on.

If they don’t have access to IPv6, it will actually tunnel through an Internet to tunnel server to get them native IPv4 addressing. And so like I said, you know, users will typically receive this device, plug it in. It’ll turn on.

They’ll get about seven SSIDs that they can connect to and a sheet where they can use the QR code to test things on. And it should just work for them. That’s the intention.

And there’s no need to really have a deep understanding and make the choices about how these technologies are configured.

So we wanted to make this for a – we wanted to make this accessible for a number of different people. So these are kind of the three that we had targeted. It’s a software developer who wants to test things. They may not have networking experience. They may not exactly know which pieces they need to configure and they may not want to dig through RFCs. They may not have time.

Similarly, IT support may have – may hear about an IPv6 project in their organization and they may want to deploy IPv6, but they may want to test their applications, you know, for IPv6 compatibility so they can talk to the vendor, make it work or work with the IT, the application hosting team to make sure it works.

Or you may be a network engineer who’s been asked to do research on IPv6 and you need a test environment or demonstration environment sort of to get going with this.

So I think the power on this is that it’s a good demonstrator, especially for network engineers, to say, here’s a different environment. You didn’t need to configure anything. It allows you to do a few tests and sort of get your bearings with some of these technologies. So over the last six months, including all the way back to when this project started in 2023, since then, we’ve actually helped out with the Windows CLAT testing.

We’ve helped out with the network manager CLAT testing as well, including clarifying some behavior, working with, you know, citing RFCs saying this doesn’t quite look right.

We’ve also helped the HPN-SSH project, which is a high-performance networking fork of SSH, OpenSSH, to implement Happy Eyeballs support. And that project’s hope is eventually that Happy Eyeball support will work its way back into the OpenSSH implementation.

The pods have also made an appearance at the 2025 Internet Measurement Conference, providing IPv6-mostly networking to some of the participants that wanted to try it out.

And so in the timeline, we’ve distributed over 65 appliances and we have 20 lined up for April. And we have some of the – we have a little over, sorry, a little under half the grant money left for this year to purchase and deliver IPv6 test pods. So beyond the grant timeline, Internet2 is committed to supporting the IPv6 tunnel as long as it is possible, as long as we can keep these devices maintained and people are using the service.

We’re also committed to redistributing these. If there is someone who has used an IPv6 pod who is no longer using it, we can repurpose that hardware, send it out to someone else to help them get bootstrapped into it. And so that’s our current project.

We’re pretty proud of where it’s gone and very thankful to be able to do it. So now when we look at ways to participate. The most obvious is you can go to IPv6-pod.info, submit an application for a test pod.

We also have a mailing list that’s also linked to on the website or you can contact me directly.

So I’m interested in anybody who is willing to test software, show it off, demonstrate it, and basically advance IPv6 deployment anywhere in the US region.

Today, we’re only able to ship to the United States. So unfortunately, we can’t ship to Canada. We’ve worked with some people to get – if people are able to purchase their own hardware, sometimes we’re able to get configuration to them. But for the time being, we’re only able to ship these devices to the U.S.

So I’d like to take a little moment to thank all the project participants, ARIN, and all the staff at ARIN for helping make this possible. The grant’s been very, very useful.

I think it’s really helped the project along. And my hope is that we can make a very positive impact on the world of networking.

Thank you.

From Raw To Ready: Visualizing RDAP with RegCtl

Matt Griswold: Hey, everyone. I’m coming to you live from my hotel room in Panama City, where GPF is just winding down for the day.

Instead of being poolside with a drink that would likely have an umbrella in it, I’m here giving you an ARIN Grant update. That’s my level of dedication here, or it could just be poor planning, I guess.

I’ve prepared a short deck to go over and give an update. As some of you recall, a couple years ago we had a grant from ARIN to normalize RDAP data.

We came back again with a nice way to make a GUI on it so it’s easier to use.

A little bit about 20C, we’ve got several open-source projects, a suite of automation software. We’ve done a lot of work with IXs, the Python RDAP client, and we just started a new IAX initiative called OpenPipes. So all the links are in there. If people want to look at them later, I don’t want to go too much into that.

The problem that we’re addressing here with RDAP data, it’s quite inconsistent. In fact, at the initial stages of it, each RIR implemented things a little bit differently.

So we spent a lot of time tracking this down like years and years ago. It’s really difficult for humans to read. It’s kind of got convoluted schemas. And like we said, it’s fragmented across multiple sources.

So the RIRs just do the Internet Registry data, but there’s also domain names, and other things like that.

So we try to bring it all together in one place. Lots of people have had problems with this.

So there was a fair amount of interest with this to begin with, and we wanted to make it easier to explore and understand.

So a couple of years ago, we did reg control. It did the consistent data structure. It normalized things to kind of what I would consider a more modern schema.

It supports all the RDAP types, so ASNs, prefixes, domains, and organizations. But until now, it was only command-line.

So as you could see when you went through it before, without typing in a query, it just says not found. If you typed in a query, you’d just get a JSON dump.

So like it was pretty cool, but it really requires another project for people to be able to use it easily. So with this grant, we delivered a brand new UI on it. We can search by ASN, prefix, domain. Has normalized views.

We’re just starting to add more features, tie in different data sources. As also in here, for example, it now will link in PeeringDB when you put in the ASN and things like that.

And then it also does a lot of contextual explanations for RDAP fields and hopefully makes RDAP very easy for people to use and kind of explore without quite the learning curve.

It’s open source, it’s publicly accessible, we’ll be running a public mirror of this. Probably anycasted across multiple locations. And then anybody that wants to use Internet data should be able to use it.

Currently, it’s live and functional. We have the basic functionality there. Everything seems to work. We encourage people to try it out, find bugs, add features. The source code isn’t quite released yet. We just need to do a little bit of cleanup. But I think by the time this even comes out, it should be released.

And then another ancillary goal we have is to make it really easy for people to like add things in and make refinements and things. So definitely you can check it out now. As you can see, if you go to the link, it actually shows a GUI.

And then I think with that, I will do a quick demo. And definitely we always want feedback. So please reach out, give us ideas, ask for changes, anything that you’d like.

So here it is. If I type in my ASN – it’s going to be a very short demo – you can see it pops up.

This is all the normalized data that we have. So this is what we did at the last grant. It’s just displayed in an easy-to-use manner.

PeeringDB link. I think we’ll probably want to do, like, maybe BGP tool links, RIPE stat. Like hopefully we’ll get some users that give us feedback on what to do there. It shows the different records.

We do a lot of caching on this as well, so if there’s any RIR issues, it’ll get laps on from that. And then, of course, it still shows the raw RDAP data. Everything is totally API-driven.

So this is all the open API specs. Please feel free to poke around and let us know. Thank you.

Ashley Perks: All right. That was great.

We had three really interesting projects for 2025. (Applause.)

Again, the Community Grants Program applications are open now until June.

If you have any questions for any of our grant presenters, they had their information on their slides. Or you can email grants@ARIN.net, and we will get you connected.

Next up, we have Nate Davis, ARIN’s Senior Government Affairs Analyst, to give us an update on Internet governance for 2025 and 2026. (Applause.)

Internet Governance 2025-2026

Nate Davis: Thank you, Ashley.

Good morning, everybody, and greetings to those joining us virtually.

I’m Nate Davis, ARIN’s Senior Government Affairs Analyst working within the Government Affairs Department, and I’ll be presenting today on some of ARIN’s Internet governance activities since the last meeting, last spring meeting last year, and also be taking a brief look forward at future activities as well.

All right. Starting with some background first. The Government Affairs Department engages with governments, intergovernmental organizations, and industry in three primary areas.

We advocate for the Internet Number Registry System and multistakeholder approach to Internet technical coordination. We also promote a global, open, stable, and secure Internet. And lastly, we conduct outreach and support to our members, governments, and industry throughout the ARIN region.

We execute these activities across a variety of fora, for which I’ll highlight in a moment, as well as informal engagements with governments, industries, and other interested parties.

While our activities with these organizations and governments within the ARIN region, the team also liaise with governments and organizations outside of the ARIN region that have shared values, as it’s useful in some forums that we have both in-region and out-of-region support across the areas in which we engage.

These activities keep us busy. Our three-member team is led by Einar Bohlin, who is our Vice President of Government Affairs and is currently at the Organization of American States’ CITEL meeting this week, in preparation for Plenipot, the ITU Plenipot meeting at the end of the year. Also on the team, who will be presenting shortly after me, is Bevil Wooding, who is here and will speak in a few moments. Bevil serves as our Director of Caribbean Activities.

So for background, particularly for those who aren’t aware of some of our engagements, I’ll take some time to discuss here where we do engage, starting first with the Internet Governance Forum, which is the global multistakeholder platform convened by the United Nations to facilitate discussions on digital Public Policy and the use of the Internet. The IGF has no decision-making authority, but, rather, fosters open dialogue where all interested parties have a voice and can participate.

Last year’s IGF was held at the end of June in Lillestrøm, Norway. This year it will be held in December with the location being finalized at this time.

Regionally, we also participate in the Caribbean IGF and also Canadian IGF, the latter of which our Board Chair, Nancy Carter, represents ARIN on that forum, the Canadian Internet Government Forum.

The World Summit on Information Society, WSIS review, recently known as WSIS+20, was conducting their 20-year review, and it was held in July in Geneva, Switzerland. The review process assesses the global progress and inclusion of digital evolution and outlines the actions for the future.

The last three of these forums are where really the government affairs team spends a substantial amount of time.

As I mentioned, Einar is at the OAS CITEL meeting, and that’s the telecommunications and information and communications technology advisory body to the Organization of American States. And it’s one of the telecommunications organizations that feeds into the ITU, the International Telecommunications Union’s processes. CITEL also includes 34 member states, 11 of which are part of the ARIN region.

The Caribbean Telecommunications Union is also a recognized regional telecommunications organization that feeds into the ITU processes. With 20 member states, 15 of those member states are ARIN region countries.

Lastly, the International Telecommunications Union is a UN-recognized agency for telecommunications and information and communication technologies known as ICTs.

There are three sectors: ITU-T, which is telecommunications standards sector; ITU-D, which is the development sector; and ITU-R. ARIN is an associate member, not a member state, of ITU-T and ITU-D.

So ITU-T is responsible for standards, for telecommunications standards. ITU-D is responsible for implementing those standards for developing telecommunications across the globe.

ARIN participates actively in a number of ITU study groups, attempting to ensure that the ITU and the study groups stay within their remit. We keep the RIR system and ARIN well known to those study groups, and we also remind them about the IETF if they want to try to dabble into Internet protocol standards.

The ITU-D is responsible for fostering policies and cooperation and training among member states for ICT development, particularly in developing nations, in an effort to reduce the digital divide and promote connectivity.

ARIN participates in two ITU-D study groups, where we advocate policies and programs to help to reduce that digital divide and encourage Internet development.

So since I last reported a year ago, we’ve had some favorable outcomes in our efforts. And one thing to note is some of our efforts are not immediate. These are long-term commitments that we make on behalf of the ARIN community to produce results that sometimes takes years to do that.

So starting first, the WSIS+20 year review, I’d like to mention that there were two cofacilitators assigned to the review process – His Excellency Ektela Lokaale from Kenya and Her Excellence Ms. Suela Janina from Albania, who did an outstanding job in listening and considering all input from the process during the IGF 2025 meeting, but also the WSIS review meeting, including multiple consultations and informal meetings. They just did an amazing job.

Furthermore, there was a designated and formal multistakeholder sounding Board which was comprised of 11 members, four of which came from the technical community, and they worked closely with that sounding Board.

Ultimately the final outcome document continued to recognize and mention the technical community as key stakeholders in this entire Internet governance process, which was a concern going into it, because the role of the technical community prior to this was being marginalized.

And then lastly, it’s worth noting that the IGF is now a permanent function of the United Nations.

The next item, which I also mentioned last spring, was within the ITU-T Study Group 13. There was a recommendation that originated back in 2021 that was in its final last call for several years, was successfully abandoned.

Following a multi-year effort by ARIN, this recommendation proposed using digital ledger technology to distribute, manage, and administer not only domain names but also Internet number resources.

Using DLT was really not the issue at hand, if that was what the community wanted. However, it was not evident that there was any community consultation or involvement in this proposed standard.

The standard was in last call and it was abandoned, and that’s an extremely rare event at the ITU level. And we are very pleased with the outcome of that.

We also received notice at the end of last year that ARIN’s contributions from 2023 were recognized in ITU-D, the ITU-D 2022 to 2025 final study period report, specifically ARIN’s Fellowship Program as well as our IPv6 case blogs, which are available online at ARIN’s websites, were noted in the report.

If you note, a lot of this ITU activity is all in four-year study periods. So there’s sort of a long – it’s a long-time commitment in those four years to actually do work and see the results of that.

So we were glad to finally see some results from our efforts in 2023. I missed that slide. So that’s some of the notes from the slide I just made.

And then in November, at the ITU’s World Telecommunications Development Conference, Resolution 63, which has to do with IPv6 implementation, resulted in a reasonable and workable outcome, in that it recognized the role of the RIRs and the deployment of IPv6 and encouraged deploying IPv6 services such as email services – such as web services and email, I guess in the manner of baby steps in deploying IPv6 among member states.

So these two items, the web services and the email, are interesting in that they were highlighted and oddly consistent with an RFC you might have heard of, 5211, from 2008, which was authored by our own John Curran. So somehow some of that text made it into the resolution.

Also for those interested, any of our contributions that we make in written form to the ITU or CITEL processes, we publish those on ARIN’s website under our Internet governance section for transparency.

At the end of this year, we have the ITU Plenipot coming up. It’s taking place in November. It is a three-week marathon of a meeting which takes place every four years.

It’s the ITU’s highest policy-making forum where leadership elections are held, the Strategic Plan for the ITU is approved, and it outlines objectives for the next four years. Approval of the financial plan also takes place.

In preparation, ARIN has been and will continue to be involved with a number of preparatory meetings with governments and industry. And ARIN region governments are engaging – and the ARIN GAD team is engaging in what seems to be an overabundance of T-sector and D-sector meetings leading up to that event.

So it’s a busy year for us and our team, meeting with governments and industry and so forth in an effort to formulate what our positions are on some of these resolutions that will be considered at Plenipot.

Lastly, I want to mention, one of the programs that ARIN participates in is the ITU’s Partner2Connect program, which mobilizes resource commitments to provide meaningful connectivity particularly to underserved areas. ARIN makes a financial pledge consistent with our existing programs that align with the Partner2Connect program’s goals.

Here, some of the funds we pledge to the ITU for ARIN’s programs. And these are not dollars we contribute specifically to the ITU. This is recognition of dollars that we already spend with existing programs.

So some of these programs include our Fellowship Program, our Grant Program, our Caribbean outreach and so forth. And it’s just a matter that we get recognized for some of those efforts at the ITU level.

We wanted to raise the visibility to the community in the event that you ever see our engagement with this program because we have been asked by the ITU to sort of, I guess, advertise some of the things that we do through the ITU with regards to our program. But I think it’s important that the community understands what we’re doing there before we do that.

So that concludes my presentation, and I welcome any questions or comments.

Ashley Perks: I think we are clear online. Do we have any in the room?

(No response.)

I think you’re good, Nate. Oh, you’ve got one more.

Jasmine Cha: It took me a while to get here. Jasmine Cha, a Canada-based ARIN Fellow. You mentioned that the IGF is a space where all interested parties have a voice in that the technical community’s role was at risk of being marginalized.

So now that the IGF is becoming a more permanent structure, do you have any insight into what’s being done to make sure participation and influence there doesn’t end up concentrated among the same well-resourced groups?

Nate Davis: You know, that’s a great question. So this marginalization actually started with the Global Digital Compact coming out of the United Nations. And there was concern that the technical community was going to be merged into other interested parties, if you will.

So there was considerable effort to get that known during the WSIS process during IGF. And that, as part of the WSIS output document and the WSIS+20 review, it was mentioned a number of times the importance of the multistakeholder community and also identification of the technical community.

So I think we’re okay for the next 10-year review cycle. But it’s important that during that 10-year review, or that 10-year period coming forward, that we stay visible, that we’re known to governments, we’re known to industry, and we advocate for the RIR system. And I think that will be helpful in not having to address the problem again. Does that answer your question?

Jasmine Cha: Yes.

Nate Davis: Thank you. Any other online?

Ashley Perks: You’re good.

Nate Davis: Thank you. (Applause.)

Ashley Perks: All right. Next up, we have Bevil Wooding. Let me move him over. Bevil Wooding, our Director of Caribbean Affairs, to talk about our Caribbean collaboration over the last year. Bevil? He’s working on it. It’s a long way from the Caribbean.

(Laughter.) (Applause.)

Caribbean Collaboration 2025-2026

Bevil Wooding: Good morning, everyone. Let me get my timer going. All right.

So a lot has happened – my name is Bevil Wooding, Director of Caribbean Affairs inside of the Government Affairs Department at ARIN – and a lot has happened since our last update, both in the Caribbean but also across the world.

And some of those developments have had a very direct bearing on the nature of our engagement, and you’ll see reflected in the report that I want to share with you this morning. So let’s get straight in.

So we have evolving outreach. This is what we’ll be covering, looking at some of the engagement milestones, and then tracking some of the trends that will be shaping our way forward.

The thing that I want to really bring across to you this morning is the fact that a lot of what we are reading, hearing, and discussing in the news in terms of the geopolitical activities, increasing sense of conflict and crisis, is actually changing the dialogue around the network in the context of the Caribbean.

And there is a renewed attention to just how resilient are the networks, just how independent or sovereign is the data. And those kinds of discussions are taking place both within the private sector and the public sector.

As a result, we’ve had to evolve our own position in terms of ARIN’s presentation of itself as an organization, the work that we’re doing with our partners, like Nate said – the Caribbean Telecommunications Union; CaribNOG community, the technical community; and some of the private sector organizations – that have been with us over the last several years supporting the work that we do within the context of the Caribbean.

What it has meant in practical terms is that we also had to make some more direct decisions about who are we talking to and how are we talking to them.

So you’ve seen the expanded reach that the attention, which up to this point or historically has been to governments and to the technical community, is now diversifying to direct and tailored outreach to regulatory organizations, more sustained outreach to justice-sector organizations – law enforcement agencies, Attorneys General’s offices, and the like –and turn toward the education sector, where we feel very much a need to start dealing specifically with the next generation and getting that next generation of network operators and practitioners to consider themselves and their role in the landscape more than just having a professional vocation, but actually as having a responsibility to steward the growth, development, stability, security, and maturity of the networks.

And so that has meant, in a very practical sense, it has meant having to change the messaging around who is ARIN, what does it do, why is it here, and why does it matter?

That framing takes the focus on resilience and network autonomy, and puts it alongside a responsibility and stewardship platform. And that has proven to be very effective over the past year in terms of engaging new audiences without losing them with some of the technical detail.

And it has also shaped our current focus, which is to convert the visibility that we now have, the respect that we now have, and the regard that we now have, into participation in the Policy Development Process and participation in supporting and advocating for some of the policy changes at a governmental level, even, and a regulatory level necessary to continue to improve the state of affairs.

So that’s the backdrop for the presentation. Massive tectonic shifts taking place on the global stage, having massive tectonic implications for the nature of our engagement within the Caribbean region.

And some of the milestones over the past year reflect this shifting focus or this shifting strategic emphasis. And you can see a number of activities not just targeted to the technical community through CaribNOG, but we were present at the CTU’s ICT Week, which was an event with a difference for the Caribbean Telecommunications Union. They too are facing some of these same pressures, and they too have to evolve the position in which the CTU sits within the regional context.

So we participated in that event, engaged with the regulators, the private-sector organizations – some of the major global technology players were there as well. And that meeting allowed us to shift our point of contact with a very important group that we had not, up to this point, engaged with. That is the Organization of Caribbean Utility Regulators, OOCUR. And that has resulted in our participation in the OOCUR meeting, which is taking place next week in Jamaica, to raise some of the issues around network resilience in front of utilities regulators.

Last year also saw the launch of our diplomatic forum. We had two very successful outings, one in New York City, with the Caribbean consulates in New York, and then the other was in November with the diplomatic representatives for the Caribbean region in Washington, D.C. And both meetings allowed us to essentially explain who we were and what we’re doing to those who are operating in the capitals out in North America.

The interesting thing about that outreach is not only did we share about ARIN, but we were also able to have them take messages back home about the need to ensure that the work that we’re doing in the region is more deliberately recognized and supported. And that has been very effective as a forum, and we hope to continue it this year, 2026, and beyond.

Coming down to the end of last year, 2025, we had the fourth Connected Caribbean Summit. And this would have been the largest and I think the most impactful of these events.

ARIN has been supporting CCS from its inception back in 2019 in Saint Kitts and Nevis. And at each event, we see this simple but very important reality.

The conversations about shifting the Internet and the technology and the networks within the context of small islands and small states really rests upon persons who don’t always have a technical background. So translating what we are doing and why we’re doing it into language that they can understand, when they are among their peers, has become one of the most effective ways for us to get the “who we are, what do we do” message across.

This year’s CCS saw the participation of the CARICOM secretary-general. That’s the regional body responsible for managing the Caribbean community, at least the English-speaking Caribbean community. The secretary-general presented at that meeting, spoke about the need to ensure that the digital future was secured by appropriate policy.

We had a former head of the Caribbean’s version of the Supreme Court in the US, also addressing on the role of the justice sector inside of the shifting issues that surround the Internet’s growth and development. We also had a police commissioner and attorney general speaking at that meeting.

And it also allowed us an opportunity to bring the youth into the conversation to hear these big issues and translate it into career decisions and career choices.

Michael Abejuela sat on that panel and shared his own journey to his current state and status in a way that was extremely relatable. – I believe the NextGen Forum gives us the opportunity to really connect now with the next generation – not just in terms of what they can do on the network, but who they can become as contributors to society.

So when you look at the milestones, you see the impact of the work reflected both on the technical side, on the policy side, but on the social and national development relevance platform as well.

And that rolled over into 2026, with two very important meetings. One was the Caribbean Datacenter Association gathering. This is a very recent body. This has come out of the work that we have been supporting in terms of proliferating Internet Exchange Points. And so the Caribbean Datacenter Association now is mobilizing to get more attention placed on the need to bring data into the Caribbean and support the development of content.

And we’re moving toward an official MoU with that association. We have now participated in a number of their events, and looking forward to doing that even more going forward.

And then, of course, we had CaribNOG last week in Kingston, Jamaica – and, again, a CaribNOG with a difference. This was the first CaribNOG meeting – Mark Kosters was with me at that meeting – where the meeting concluded with over 55 persons signing on to join the CaribNOG community, which is a massive boost in terms of attention from the networking or technical constituency within the region.

So CaribNOG is doing well. ARIN at CaribNOG is doing well. We typically have at least a half day, sometimes a full day. This one was a half-day session that Mark did. And these give the technical community a chance to see what we’re doing with RPKI and IPv6 deployment. But more than that, they allow the community to see where we fit inside of this technical universe that is the global Internet community.

So CaribNOG concluded with a note on the next meeting which will be held in Curaçao, and we’ll be moving forward to strengthening some of the CaribNOG governance systems coming out of that.

So that’s the spread of our work over the last year.

I just want to close with some trends that we are noting that I think are going to shape the activities that we will be engaging in moving forward.

So the hot topics. Digital resilience is taking a fresh turn and a new wind. Hurricanes Beryl (in 2024) and Melissa last year did a number on several Caribbean countries that has entirely shifted the conversation around the need for greater network autonomy.

And that has brought renewed attention to issues as simple as IPv6 deployment, getting Autonomous System Numbers, looking to move networks out of their traditional home inside of commercial ISPs and building out stronger corporate networks and government networks.

That is one of the major points of prioritization coming out of the last year. More people are listening to what we have been saying for the past decade. More people have an interest and the investment dollars to back it to move their networks into where they need to be.

Digital sovereignty is also a recurring theme that is taking increased attention. Cybersecurity is always something there as a constant baseline and regulation. Regulatory harmonization is also coming up a bit contentious, but it is something that the region seems to recognize as necessary to treat better with this Internet thing.

And then, of course, AI is in every conversation. You can’t escape it anywhere, in any country, at any point, at any time.

So these topics are shaping our agenda for the coming year. And it’s also allowing us to reframe presentations and narratives around IPv6, ASNs, and routing security in a more relevant way to these audiences.

We continue to keep an eye on the activities around the world and their impact on the region. But the hope is that with the focus that is being placed on the Internet, on Internet security and on Internet resilience, that ARIN will have a much greater opportunity to engage more audiences as we go forward. Thank you. (Applause.)

Ashley Perks: If we have any questions for Bevil here in the room, I do have a statement from online.

Hollis Kara: I have a statement from Rodney Taylor of the Caribbean Telecommunications Union. He submitted: The Caribbean Telecommunications Union wants to express appreciation to ARIN for its continued support over the years, particularly to the Caribbean Internet Governance Forum and our engagement with the ITU in international policy forums such as WTDC and the ITU plenipotentiary conference.

Bevil Wooding: Excellent. Rodney Taylor, as many of you know, is secretary-general of the CTU and is one of our long-standing partners. And we’ll continue to be working very closely with them as we prepare for a Plenipot, which Nate spoke about, supporting their meetings and supporting the organization generally in its efforts to continue to champion Internet development in the Caribbean.

Zulqar Nayen: I’m Zulqar Nayen, first-time Fellow and also a founding member of the Internet Society Ontario Chapter.

So there was this presentation from Brad an hour ago. There was this slide that stuck with me. I saw that the Caribbean areas are actually leading in the RPKI adoption rankings, which was really interesting because from your presentation I can see why, because a lot of the community outreach, you’ve been connecting with the governments and everything.

But I was like, it seemed kind of counterintuitive because in Canada and US, I assume the operators would have bigger impact in RPKI adoption.

I’m wondering, is there any playbook you are following that, you know, small communities in Ontario, Canada, where I’m from, we could use?

Bevil Wooding: This is something that John Sweeting, Brad, and I have been talking about. The playbook is one that can be applied anywhere, and that is treating the environment as an ecosystem. So decisions around RPKI adoption aren’t merely technical decisions.

Often the conversations take place within the technical community. But if you expand it and ensure that it is translated into ways that businesspeople can make decisions, governments can see it as important, and at the same time educate or empower the technical community to know what to do, then you have this triangulation of intent that allows for adoption to move forward.

Zulqar Nayen: Thank you.

Altie Jackson: Altie Jackson, ARIN Fellow. I must say thank you, Bevil. You’ve been doing some good work in the Caribbean. We have come across a few events together.

Now, in what you’re doing, what plans do you have? You have identified how the network – how the Caribbean’s involvement is going. What are the plans you have to bring more involvement, to bring more education, to bring more knowledge of the entire Internet policies of ARIN to the Caribbean?

Bevil Wooding: Good question. Thanks. The answer is a lot. That’s the short answer.

The more detailed answer would be the deliberate focus on specific stakeholder groups. So we can’t do what we do without our partner organizations within the region. So CaribNOG is one of the vehicles through which our technical engagement takes place. And the plan over the short term is to essentially ramp up or intensify our work with the Caribbean community.

And you’ll have seen that reflected in the Jamaica meeting, which is the start of this new engagement thrust. You’d have also seen us moving, and I think I made a reference to the deliberate outreach to educational institutions.

We’re going after the community colleges through the next-gen program. We are targeting some of the universities that have an interest in training technical persons outside of the curriculum.

Now, of course, what this means for us is we have to promote the ARIN Academy. We have to look at development of courses that can be deployed on the ground, not just through our meetings, but that can be given to those who want to champion it into the community level. And that’s something that we are very, very keenly exploring in terms of how will that work out, who will these champions be, and what resources will they get.

But the multipronged approach is the approach that we are going after.

Kevin Blumberg: Kevin Blumberg, The Wire. So as long as incumbent carriers view RPKI as a cost without benefits that they cannot download the expense of deployment to their own customers, there will be a low uptake. And that’s where that last 30, 40, 50 percent is going to be.

I’ve heard this time and time again in the Canadian sector, and I suspect that the carriers and the regulators are no different in the Caribbean.

That being said, what I’m about to say is the complete opposite, which is regulation kills these ecosystems. The issue is – over-regulation, I should say, kills it. And it’s great to see some of the things that are being worked on here, especially the digital sovereignty and resilience and working together, islands working together is critical to that.

But I cannot emphasize enough that over-reliance on regulation is why a lot of the things don’t come to the region. Internet exchange points start and die because of regulation.

It is really hard to get away from the financial benefit of having that regulation – and it’s been going on for many years, but you can’t kickstart a lot of these things.

Hopefully the resilience and the – more importantly, the sovereignty that they’re now doing gives the governments and the stakeholders in those regions a new, fresh look at how they can do this because it’s a partnership, as you said, it’s an ecosystem.

Bevil Wooding: Yeah, I just would have responded to Kevin, just add some nuance to what he said – I agree with you entirely in terms regulation, certainly ill-conceived regulation being an impediment to the kind of development that we’re advocating for.

What we have found in the Caribbean, and this has played itself out from the days of the early IXP adoption exercises, is that without the regulator as a champion, as an umpire and as a mediator, nothing gets done.

And so, when I make reference to our relationship with the regulators or our work with the regulators, the output is not regulation. The output is regulatory pressure in a positive way to get things moving.

And we have seen this, and I can give the examples, over the years, the first IXP in Grenada was actually housed in the regulator’s office. And that was the only place that the two incumbent providers felt was neutral enough for them to peer. Who would have thunk it? And there was no other case or precedent for that anywhere in the world.

And over the years we’ve seen that play itself out, where, if we can get the regulators on Board, they can bring the resistant parties to the table in a way that no amount of government pressure or private-sector shouting can do.

And that’s how we’ve been partnering with the regulators within the region, not to get regulation as an outcome, but to get that positive pressure that leads to transformation of the environment.

Kevin Blumberg: That’s awesome. Thank you.

Ashley Perks: All right, I think you’re clear, Bevil. Thank you. (Applause.)

Okay I know I’m between you and lunch, but I do have a few announcements before we go to lunch.

First of all, if you in-person attendees join us in Daisy, second floor, we have our table topics today for our Working Groups: The Policy Engagement Working Group to improve the policy engagement experience; the NRPM Working Group, which will talk about the future of ARIN IPv4 allocated space; and the Policy Experience Working Group to talk about Section 6, IPv6 allocations.

Qualified Facilitators, please grab your lunch downstairs in Daisy, and then you can bring it up to the Poplar Room on the third floor, beginning at 12:30, if you would like to meet.

And the Policy Block will start back at 1:30 PM. No mini bats allowed in the room, please, during that session.

(Laughter.)

We will be moving Data Accuracy in the ARIN Registry; that will move to after the Policy Block.

Other than that, enjoy your lunch. We’ll see you back here at 1:30 PM.

If you are a virtual attendee, you can leave your Zoom open while we are gone, or you can just rejoin us at 1:30. Thanks.

(Lunch break from 12:16 PM to 1:30 PM.)

Hollis Kara: All right. We are on. Folks wandering back in, hopefully everybody is all loaded up on hot brown and derby pie and ready to talk some policy. Come on in the room, folks. We got some policy stuff to do. I don’t know what sound that was honestly — brought to you by caffeine. This is a Public Policy Members Meeting. I need members in the room so we can talk about policy. Get it? That’s how it works. That’s what the words mean. Come on, folks. It’s a policy party.

All right. Are we ready? I think we’re ready. All right. First up, he’s already over there – he’s not going to pull a Brad on me – Leif Sawyer, to lead off our first policy discussion of Draft Policy 2025-1. (Applause.)

Policy Block 1

Draft Policy ARIN-2025-1: Clarify ISP and LIR Definitions and References to Address Ambiguity in NRPM Text

Leif Sawyer: Thanks, Hollis. As she mentioned, I’m Leif Sawyer. My co-shepherd is Elizabeth Goodson. And this is clarifying ISP and LIR definitions and references to address ambiguity in the Number Resource Policy Manual text.

So this is going to be a lot of words. So I highly recommend you pull open your Discussion Guide online or the presentation slide deck from online if you want to have a deeper dive into the actual text.

But essentially what has happened over the past few meetings is we are trying to align the terms “LIR” and “ISP” throughout the NRPM. In common practice, ISP and LIR are essentially equivalent. ISP is a subset of LIR. So this proposal adds clarity to that by explicitly defining ISP and LIR to each other and then replacing ISP with LIR throughout the NRPM.

So continuing that Policy Statement, this is where you will start to see red changes throughout the text. That is what is being replaced. So here we’ve replaced ISP with LIR. And we are replacing the definition, a portion of the definition in red, replacing ISP with LIR in 2.15.

Then I have a note here that there’s an additional Draft Policy which does coincide with this, so we will have to align the two policies if those both move forward.

We’re adding the new definition for ISP. I’ll take a second here.

We’re replacing the first instance of ISP with LIR here – and more ISP with LIR and more and more, more. We’re not through with this Section 6 yet. We keep going. This is all just replacing ISP with LIR.

We have a new terminology statement here. This is where, in Section 6, we previously equated LIR and ISP. It was originally stated as this document, or as this section was brought in wholesale, that it applied to the whole document. But when it was inserted into the NRPM, that should have changed to “section” and it was not. So we’re just replacing wholesale at that point.

ISP with LIR here and here. Removing ISP where it no longer makes sense.

And so we’ve had quite a storied history. When first brought forth, this tried to combine LIR and ISP throughout the NRPM. That did not go over well with the community. So we moved toward ISP. That did not go over as well. So we moved to LIR, which seemed to have a broader community support. So that is what you are seeing here today.

Policy impact: changes this terminology across the majority of the NRPM and aligns the policy language used here in ARIN’s community with other RIRs.

It does require some changes to how ARIN staff educates people internally and externally. But it does not appear to substantively change the overall language aspect.

If it moves forward from here, it will go through a Staff and Legal Review, so I’ll be able to report on exactly what that means at a later date.

And community feedback, as you can see and as you heard me summarize earlier, the desire was to move away from the original text to LIR.

Also, PPML voiced significant support in using LIR as well from a small subset of the respondents that chose to respond, I should say.

And with some minor text feedback, feedback after the latest draft was in the positive.

So, really, this is a question for you: Do you support this policy as written?

Hollis Kara: With that, we’re going to open the microphones, and Nancy will come up on stage to help facilitate the discussion. If you have thoughts or feelings or opinions about 2025-1, please approach the microphone or start typing.

Nancy Carter: I’m going to stand beside the podium so people can see me instead of – if I’m behind, you can’t see me at all. So anything virtual, should I go on?

Hollis Kara: You can go ahead to the floor. I’ll let you know if anything comes in online.

Nancy Carter: Please go ahead.

Eric Landgraf: Eric Landgraf, Virginia Tech. With the exception of some slight textual corrections I sent to you on the policy mailing list, I support this policy as written.

Leif Sawyer: Great, thank you.

Roman Tatarnikov: Roman Tatarnikov, IntLos. That was actually one of the topics I really wanted to reply in PPML. And then, of course, almost a year later, I never did, so instead I’m standing in front of a microphone.

I support the policy as written, and I also want to emphasize that LIR is realistically the best term when the whole conversation on PPML started whether to use ISP or LIR.

The reason why I am emphasizing it, I just want to essentially say that it’s best not to go just for usability, but go for clarity and unification with the rest of the RIRs. This way, our whole environment is more unified and it’s easier for everyone. Thank you.

Nancy Carter: Thank you.

Leif Sawyer: Thank you.

Kevin Blumberg: Kevin Blumberg, The Wire. I support the policy but not as written. This is a draft. There’s some work still to do.

Leif Sawyer: Sure.

Kevin Blumberg: I do support the policy. When it came up as using the term “LIR” originally, I was concerned that the view of what LIR meant was going to expand the scope, but it doesn’t. And I think that’s been reiterated now enough times that’s no longer the case.

So, here’s some of the issues. 4.2.3.6, replace ISP with LIR between the customer and ISP in regards to BGP. An ISP is not the only one doing BGP, and we should be using LIR there. So that’s the first thing.

Please stop with the acronyms. IR, Internet registry, we’re shortening two words to make a document more difficult for somebody to have to read. So this is across the Board, and this will be for every shepherd, cut out the acronyms when they’re not needed, okay? Stop overusing acronyms. So that’s the second point.

The second thing is stop with the acronyms. Please stop with the acronyms. IR, Internet registry, we’re shortening two words to make a document more difficult for somebody to have to read. So this is across the Board, and this will be for every shepherd, cut out the acronyms when they’re not needed, okay? Stop overusing acronyms. So that’s the second point.

And the last point is this: Get rid of ISP completely. Either do it completely or don’t do it at all.

Leif Sawyer: Okay.

Kevin Blumberg: Okay? This is a half measure. And, in fact, when you have a section that says, “for the purposes of this document, an ISP is a subset of an LIR,” you are just adding in meaningless text.

I, as an Internet service provider don’t need my name, Internet service provider, in a document for me to get space from ARIN. If we’re going to go LIR, just do it. Pull the bandage, fix the text, and don’t do the half measure. Thank you.

Leif Sawyer: Thank you. So quick follow-up, would you support, then, just striking that bulleted section part out completely?

Kevin Blumberg: I believe that that bulleted section is meaningless. When you say I’m a subset of, but give no reason what the subset actually means, it is completely just writing for the sake of writing.

Leif Sawyer: Great. Thank you.

Nancy Carter: Thank you, Kevin.

John Stitt: John Stitt, Hopkinsville Electric System – EnergyNet. Originally I was more in favor of ISP, aligned with the people saying, we’ve never used LIR widely in the ARIN region. Since then, I’ve come more on the side of using LIR. I feel like it does add clarity and putting us more in line with the other regional registries.

Much like Kevin, I support the policy almost as it’s written. I think removing ISP completely is also worth doing.

Leif Sawyer: Great, thank you.

Hollis Kara: We have two comments online. Ashley, you want to take the first one, and I’ll take the second?

Ashley Perks: You got it. We’ve got Tom Bonar from TDS Telecom: As one of the IPAM specialists, it’s great to have the ISP/LIR conjoined to LIR. It simplifies the NRPM verbiage. I support it as written.

Hollis Kara: Okay. And also online, we have Matthew Cowen, former Fellow: I support the policy with the slight text changes suggested and discussed on the Public Policy Mailing List such as removing and revising “at the local level.” Thank you.

Leif Sawyer: Thank you.

Hollis Kara: That clears the online queue. Is there anything else in the room?

Nancy Carter: Going, going –

Hollis Kara: Count down. All right. Thank you, Leif. Thank you, Nancy. (Applause.)

All right. Moving right along, I’d like to invite Gerry George to come down to talk about 2025-3: Changing Section 9 Out of Region Use Minimum Criteria. Policy Block

Draft Policy ARIN-2025-3: Change Section 9 Out Of Region Use Minimum Criteria

Gerry George: Good afternoon. Hey, is everyone asleep? Good afternoon!

From the floor: Good afternoon.

Gerry George: Yay. Okay. So we’re looking at 2025-3: Change Section 9 Out of Region Use Minimum Criteria.

The shepherds are myself and Matthew Wilder, taking over from Doug, who is now Vice Chair.

Green button, okay.

So, essentially, in summary, this policy seeks to reduce the requirements for smaller organizations, primarily, who want to use ARIN resources outside of the ARIN space.

Currently, the requirement is that they need the minimum of a /22, and the policy seeks to reduce that to a /24.

There has been – sorry, I’ll get to that a little later.

So the requested change is to move from a /22 used in region to a /24. And the result is that there will be a lower threshold of justification for smaller organizations that are outside of the – that are within ARIN, to use those resources outside of the ARIN region.

Note that there is no change to IPv6 requirements. And there are also requirements that they also have an ASN present within the ARIN space.

And the history of this policy. It went through a Staff and Legal Review, and the staff gave an understanding. I will not read the full text. It has been posted on PPML for a while now.

Some of the key points I want to make based on the Staff and Legal Review is that it doesn’t apply to Section 4.4 or 4.10 space because they have their own restrictions in there.

Under this change, an organization still needs to demonstrate use of only one /24 within the ARIN region, so there are requirements in place. They also still have to show significant connection to the ARIN space. That also remains. And it does not modify the current Section 9 threshold for ASN and IPv6 usage, as I just mentioned.

In conjunction with Section 4.1.8, the ARIN Waitlist, there’s a concern that an organization could request an initial /22 under the waitlist and then simply divert those resources or use it so that they can access resources outside the ARIN region.

Staff appreciates that there will be a significant increase in the IPv4 waitlist requests and also there would be an expected increase, potentially, in the workload on ARIN staff.

Okay. No material legal issues in here. And the implementation required, just some staff training based on the public documentation and so on.

So the policy impact. Relatively straightforward. More organizations will be eligible
to use ARIN resources outside of the ARIN region, and the change in policy would significantly increase the volume of waiting list requests, which would lead to an increase in staff workload, staff ticket workload.

Community feedback. We’ve gotten a bit of community feedback. Generally, there is support for the policy. However, some concerns have been raised.

For example, let’s see, community – potential for abuse of the waitlist. Would companies now use the waitlist to access ARIN resources, because the threshold is now lower, and use that as a means to use those resources outside of the ARIN space?

Is the real and substantial contributions – or connection – sorry – real and substantial connection requirement that’s specified in Section 9, is that sufficient against abuse? But we know that ARIN does a fair amount of follow-up on that, and they do a very good job in ensuring that there is substantial and significant connection.

I think at the last ARIN, ARIN 56, John gave a very long presentation on how ARIN goes about ensuring that companies do actually have a real connection within the ARIN space and not just using shell companies to access resources.

More community feedback. Some persons raised the issue, as to terms of restrictions, whether you should require that more of those resources issued by ARIN be used within the ARIN space as opposed to outside the ARIN space, or have some other levels of limits put in.

The problem we saw with that, and as has been expressed, is that by ensuring, for example, that a company requires to use more of a greater volume, a greater percentage of the ARIN resources within ARIN – let’s say you have a company that has multiple companies across the world in different LIRs. It now puts a restriction on them that if they have, let’s say, three of the offices within the different LIR spaces or other offices within the LIR spaces, for them to request those resources, they would be forced to request more resources within ARIN space that they may not need just so that they can use those resources outside of the region.

So it forces inefficiencies that we don’t really want. Essentially, unintended consequences.

And here you see the restriction would force organizations with multiple large ARIN blocks used out of region to do some severe restructuring and would potentially force them to either join other RIRs or move all of their resources away from ARIN.

The last line, I like that the proposal policy has a very light touch. This is coming from PPML; this is not coming from me, okay?

So questions for the community: Are you in support of this policy, and should there be any additional issues that should be considered, any additional restrictions that should be considered to ensure there’s no abuse, to ensure that efficiency is in place?

So are you in support of this policy as written? Should the AC continue working on this policy as it is written?

Hollis Kara: All right. Thank you, Gerry. At this point, microphones are open. So please, if you have thoughts or feedback on this policy, if you’re here in the room, please approach the microphone. Online, please start typing.

We’ll go to the floor.

Nancy Carter: Go ahead, please.

Tom Fantacone: Tom Fantacone, IPTrading. I support the policy as written. The real-world case here is a small organization getting their IP addresses for the first time, they are learning about how to join ARIN. They have to sign a Registration Services Agreement. They have to learn the online rules and everything else.

And then they have a POP in Europe, they have a POP in Asia, and suddenly they have to join three RIRs. Or they have to register all their resources in RIPE because they have lower requirements on in-region use.

So I support it. I think it’s a step in the right direction. I think some of the feedback on the PPML included a suggestion that we eliminate the /24 requirement entirely. I’d like to see that too.

But this is a step in the right direction. So I’d like to start with this, and hopefully we can move to that in the future. As long as the organization has the real and substantial connection in the ARIN region, I think it’s fine.

Gerry George: I want to follow up to this. If there was consideration for removing the /24 requirement completely, how exactly then would the – because the /24 is the smallest for IPv4 – so what would then be the requirement, potentially?

Tom Fantacone: They would still have to do needs justification on the addresses used elsewhere. But they’re headquartered in the U.S., they want to be an ARIN member. They don’t want to be a RIPE member or whatever, even though they have POPs in those regions.

Gerry George: Okay, so the suggestion is potentially that they would not even necessarily have to use those resources within ARIN as long as they’re headquartered in the ARIN space?

Tom Fantacone: Correct. Even in the current policy, you can have a /22 in the ARIN region. You could have a /12 in other regions. So it’s not that big a jump from that to eliminating that /22 entirely.

Gerry George: Understood.

Kevin Blumberg: Kevin Blumberg, The Wire. I originally was going to say that I support it but with significant changes. And I’m going to change that to I don’t support because I actually don’t think this is fixable in this current policy.

So couple things. I would support this if Section 4 and Section 6 were completely excluded – sorry, Section 4 was excluded, allow IPv6, if Section 4 was excluded.

You could only do out-of-region if you went to the transfer market. Then I’d be okay. But unfortunately, there are too many loopholes that can be applied for abuse of this. And I know staff have said that the reserved pools are not touchable by this. That’s fine. I will assume that that is completely the case.

But the waitlist is absolutely part of this. And you can come up – and I’ve come up here with half a dozen ways, which I’m not going to repeat on the mic, of gaming the system to allow it.

So again – the second thing is, I find it quite humorous that IPv6 was not part of this policy. Making out-of-region IPv6 blocks and all of that easier because, well, a /44, if you’re a small multinational organization, is probably not enough for you, you need to do something bigger, whatever. We didn’t touch IPv6. This is a IPv4 land grab on the waitlist. So I don’t support it as that.

And lastly, this is, to me, also now a regional fairness. ARIN and community worked hard to come up with a soft landing with the 4.10 reserve space and even with our waitlist. Other regions intentionally chose not to do that. They wanted to hit a brick wall.

And now, what it’s asking is, hey, I don’t want to hit the brick wall, I’d like to actually come and take advantage of your pool that’s available to go swim in.

I don’t think this policy is a good idea.

Nancy Carter: Thank you.

Roman Tatarnikov: Roman Tatarnikov, IntLos. I do support the policy. While Kevin brought up a good point about IPv6, I think it’s a good step forward, the way the policy is going to be changed.

/24 is still within the ARIN region, so the LIRs still have to play by ARIN’s rules. And I understand that the biggest question for PPML was abuse of the waitlist. However, our waitlist is for IPv4. If we will withhold the policy just because of the question of the waitlist, it feels like IPv4 is holding back the old deployment – withholding all of our policy changes.

I think this might be a good way to use this as a push for everyone towards IPv6. Thank you.

Nancy Carter: Thanks for your feedback.

Navin Suvarna: Navin Suvarna, ARIN Fellow. Good presentation, Gerry.

Gerry George: Thank you.

Navin Suvarna: My question to you is if /24 would result in increased requests for out-of-region use, are we looking at incorporating additional guardrails to maintain a balance between in-region use and out-of-region use? Or do you believe that the real and substantial connection test is sufficient for now?

Gerry George: Well, right now, IPv4 is only available via the waitlist, and there are certain guardrails already in place for the waitlist. Plus, there’s a, I think, currently – is it 36-month timeframe? Or 24-month timeframe?

It varies, but there’s a time delay. So a company wanting to game the system would actually have to play the long game and be willing to wait an extended time to be able to get those resources.

Plus, the allocation of the resources from off of the waitlist are not guaranteed. So even if a company may ask for a /22, they may not necessarily receive a /22. They may receive something less.

So there are some limitations in being able to use the waitlist as a way to have an end run-around getting access to IPv4 resources.

Navin Suvarna: Gotcha, so it means that you have the runway to put in the due diligence before you allocate.

Gerry George: Yeah, and the due diligence is already there.

Nancy Carter: I’m going to move to the virtual queue.

Hollis Kara: Sure, do you want one or both?

Nancy Carter: Let’s take them both.

Hollis Kara: Okay, Ashley, you want to go?

Ashley Perks: Sure. I’ve got Matthew Cowen, former Fellow: I support this policy, and I feel it is a good step in the right direction for smaller organizations in the ARIN region. Please continue with this policy discussion.

And number two, Mustafa from Mustafa Tech LLC: I do not support this proposal. The current minimum allocation size of a /22 is already reasonable and serves as an appropriate threshold for demonstrating operational need.

Lowering the minimum to /24 is problematic, especially since /24 is already the minimum generally routable IPv4 block on the global Internet. Reducing the threshold to /24 could create more room for abuse, where organizations obtain only a minimal /24 primarily to maintain ARIN eligibility while using most of their IPv4 resources outside the ARIN region.

Nancy Carter: Great. Thanks to both of you for your feedback. Adair?

Adair Thaxton: Adair Thaxton, Internet2. I would support, with the addition of the IPv6 requirement, as we discussed earlier yesterday and as mentioned by my colleagues.

But I’ve only been involved with ARIN for two years, and some of these comments on the PPML really make me feel like a new person.

So I was wondering, I’m unclear on why an organization who needs space from LIRs that are not ARIN would have to request space from ARIN first. That was in one of the comments.

Gerry George: Organizations who need space from other RIRs? No, they’re requesting space from ARIN so that they can use outside of the ARIN region. They’re not requesting from the other RIRs. And they tend to want to keep dealing with just one RIR as opposed to dealing with all the different RIRs.

Does that clarify that question?

Adair Thaxton: Can you flip back to the comments?

Gerry George: Which one? There are three –

Adair Thaxton: Forward, please. That first one on that slide, and I think maybe the last one on the previous slide, perhaps. It just seemed like they have more needs outside of ARIN, but they would have to request space from ARIN in order to get it.

Gerry George: That’s under the current restriction of a /22.

You mentioned adding IPv6 to that. Can you clarify exactly – can you clarify – okay, before we go to that, let me let Doug –

Doug Camin: A point of clarity as the previous shepherd on this policy. I believe that bullet point was in reference to a request to change the policy about percentage usage of your allocation. And that bullet speaks to if we implemented the percentage usage, that would force that change, those changes. So that’s very specific to that.

Doug Camin, CCSI, ARIN AC chair.

Gerry George: Yes, there was a comment that said that there should be a requirement that they use at least 50 percent of their resources within the ARIN space. So that was a clarification.

The other question I was asking, you mentioned about adding IPv6 requirements to this policy. Can you expound on that?

Adair Thaxton: We discussed yesterday the proposal from LACNIC, I believe, to require that the requesting organizations be required to be utilizing IPv6.

Gerry George: Okay, gotcha.

Adair Thaxton: To request more IPv4 resources.

Gerry George: Gotcha.

Nancy Carter: Thanks, Adair.

Eddie Stauble: Eddie Stauble, IPTrading. I authored this policy, and I did so because I saw it as discriminatory against the little organizations who they have a /24 – we’ve run into this several times – they have a /24 in ARIN. And they need a block in APNIC or in RIPE, and they can’t demonstrate need, according to this policy.

If we change it to a /24, they can. They can keep all their resources in ARIN. What they have to do now is we typically – the most cost-effective thing for them to do is to get a legacy block, register it in RIPE. It doesn’t cost them anything. Typically that block comes from ARIN. So ARIN loses the block, and off it goes.

And they do it – they can continue to do it. It just seems kind of the hard way to do things.

I do think – I did not know when I submitted this proposal that they could use it to get a block from the waiting list. I don’t think that’s a good idea. Maybe that’s another policy proposal. But somebody else will have to do that one. So that’s basically why it’s there.

Nancy Carter: Thank you for your intervention.

Kevin Blumberg: Kevin Blumberg, The Wire. You know what? Might as well, as the author, if this was an 8.x and the waitlist was excluded, I think a lot of the problems would go away, a lot of the stress would go away.

And if that solved the problem, maybe that would be the solution to the concerns of the community versus the concerns of people wanting to do transfers.

So maybe, Gerry, that’s something you can follow up on, is if this was limited. I’m really worried about the unintended consequences of things like large existing organizations or smaller existing organizations being penalized or not penalized by this.

So, again, there’s a whole bunch of people on the waitlist who legitimately need it for in-region use. If they’re going to get penalized by this policy, then that’s not good for them either.

The last part, I don’t know what a “small multinational” is. I’m sorry, I’m trying to wrap my head around “small” and “multinational.” But I don’t think it matters if it’s an 8.x, like I said.

Eddie Stauble: The only difference between what we’re proposing and what is currently in place is that you’re talking a /24 instead of a /22. They can still abuse the waiting list today. They can still suck up ARIN resources as long as they have a /22 in region. You know, they can use out-of-region policy to justify a /8 if they want.

Doug Camin: Doug Camin, CCSI. I just want to correct the record. I was running away from the microphone and it didn’t catch – I’m the Vice Chair of the AC, not the Chair.

(Laughter.)

Hollis Kara: Thanks for that Doug. Nancy, I do have one more online.

Nancy Carter: Great.

Hollis Kara: It was a follow-up from Matthew Cowen, former Fellow, Caribbean based, who noted: I think there is a real misunderstanding of the difference in the size of organizations in the Caribbean and North America that needs to be taken into account when assessing this policy.

Nancy Carter: Thank you. Go ahead.

Mike Burns: Mike Burns, IPTrading. I just wanted to point out one or two other issues.

One is revenue to ARIN. If you force these people to go to another LIR and register the addresses there, you know, ARIN loses the revenue it would have if they stayed in ARIN.

And also there’s been some concern expressed this week about registry leakage and the amount of – or the disparities in inter-regional transfers, which may be causing some of ARIN’s addresses to leak into other regions. And this policy would sort of prevent that to some extent.

So I support the policy as written.

Hollis Kara: Thanks, Mike.

Gerry George: Thank you, all, very much for the contributions and interventions.

Hollis Kara: Nothing further. Thank you, both. (Applause.)

All right. Let’s move on ahead. I’d like to invite Bill Herrin up to discuss Draft Policy 2025-6.

Draft Policy ARIN-2025-6: Fix Formula in 6.5.2.1c

William Herrin: Okay. I am Bill Herrin, and I’m presenting Draft Policy 2025-6, which corrects a couple of math errors in the policy for IPv6 allocation to ISPs.

So Section 6.5.2.1 is the part of the policy manual which explains how to determine an ISP’s entitlement to IPv6 addresses, how many addresses they’re entitled to. Section (c) of that policy contains a fairly complicated math formula that has a couple of errors in it that were not caught. And this Draft Policy aims to correct them.

So here’s what that looks like. There are two key changes here. The first is the customer count is replaced with a logarithm of the customer count, a base-2 log. And the reason for that is that this formula is supposed to express a network mask, a CIDR network mask.

And the customer count is a raw number. It’s not a bit mask. So to convert from the customer count to a shift at the bit mask, we apply an algorithm – or a logarithm.

The second thing it does is it replaces a couple of instances of the word “assignment” with the word “allocation.” Assignment and allocation were used interchangeably in this policy. But when you wanted to find this back reference to the Provider Allocation Unit searching for the word “allocation,” you hit ctrl+F, and it wouldn’t come up with anything because the word actually used was “assignment.”

So in order to make that piece of the policy findable, this draft changes everything to “allocation.” And that’s all it does. It doesn’t change how the policy is supposed to work, it just makes these two corrections.

This policy was received from a member of the community last May. It was accepted by the Advisory Council as a Draft Policy and posted to the mailing list. This is the second ARIN meeting at which it has been presented.

For those of you who keep track, the original author of this Draft Policy has stayed involved and the words you find in the draft as written are all there with that author’s consent.

The next six slides are the Staff and Legal Review for this Draft Policy. I encourage you to look and read the whole thing from your information packets from the website. I’m only going to pull out the three key findings from the Staff and Legal Review. First, the Staff and Legal Review acknowledges the errors identified by this Draft Policy.

Second, it confirms that, as intended, the Draft Policy will not change anything about how ARIN actually allocates IPv6 addresses. It really just corrects these pinpoint errors in the policy text. It’s still consistent with how ARIN’s actually been allocating addresses all along.

Third, staff explains a hypothetical alternate approach of just stripping the formula from the policy manual entirely and indicates that doing it this way would also have no effect on how ARIN allocates IPv6 addresses. This claim is problematic, and I’ll return to that in a couple of slides.

Before I proceed, I just want to be clear that I am not an ARIN employee. You guys elected me. I’m working through you. Some of what is in this presentation will contradict the official ARIN views on the subject. I anticipate that when we reach the Open Mic, ARIN staff will rise and clarify those views. So I just ask you to keep that in mind during the presentation.

So as we do discuss the draft, I want to take a moment to explain how ARIN actually determines the ISP’s entitlement to IPv6 addresses during that initial allocation, what’s the actual process that ARIN uses. Part of that is documented in the Staff and Legal Review that we just looked at, which is that after ARIN determines the number of IP addresses needed by the ISP’s largest site, it then applies a 75 percent rule and a 4-bit nibble round-up rule.

What that means is that ARIN picks the longest prefix that can include all of the IP addresses needed by that ISP’s largest site while only consuming – while consuming no more than 75 percent of the IP addresses in that prefix. So that’s the 75 percent rule.

Then whatever that prefix is, it’s shortened to the nearest 4-bit nibble-boundary. And that provides the ISP’s entitlement to IPv6 addresses for that largest site.

With that number determined, ARIN applies this entitlement at the largest site to each of the ISP’s smaller sites as well, adds that all up, and then the 75 percent and 4-bit nibble round-up rule are applied a second time in order to determine the final prefix length to which the ISP is entitled on this initial IPv6 allocation.

What the staff assessment does not explain is how the number of IP addresses needed by the ISP’s largest site are determined. So you might expect that it’s like ARIN’s other allocation processes where they present a numbering plan for that site, but that’s not really what happens.

What you see on the screen is an excerpt from the instructions that ARIN provides to ISPs who are requesting IPv6 addresses. And this is the process that’s used for determining the prefix entitlement at their largest site.

It’s very simple. ISP – how many customers do you have at your largest site? Look it up in this chart, and here’s the block size, the prefix, that you’re entitled to for your largest site.

As you can see, the 75 percent rule and the nibble round-up rule have already been applied to the numbers in this chart. So once you have the prefix size that you’re entitled to at your largest site based on this chart, it’s then, simply, apply this number again to each of your other sites, add it up, apply the 75 percent and round-up rule again, and now you have your total entitlement to IPv6 addresses.

I want to draw your attention to two points, two notable things about this chart, which will become important later in the presentation. The first thing is /48. This chart was calculated based on the ISP’s number of customers and a /48 for each customer.

There aren’t any alternate charts in the instructions for other sizes. It’s just /48. And the instructions are pretty clear, it’s count your customers and pick the number from this chart. The second point – and I want to draw your attention to – is that this chart was derived from that formula that we just looked at.

That formula is the part of the policy manual which both authorizes and directs ARIN to take this customer count shortcut to determining the ISP’s entitlement instead of asking for some kind of comprehensive numbering plan.

So there isn’t anything else in the policy manual that justifies this sort of shortcut based on the customer count.

So that brings us back to the problematic claim. No, we can’t just delete the formula from the Policy Manual without an impact. To remove the formula from the policy manual, we would need to make some more extensive changes, some more thorough changes and powerful changes to the policy text.

Otherwise, we would essentially destroy the justification for that chart we just saw. That’s how ARIN allocates IPv6 addresses. So it would take more than just deleting the formula to avoid having an impact. So returning to the draft as it’s actually written, which is correcting the errors in the formula, not trying to delete it.

We got a bunch of feedback from the community about this policy. Most of the feedback looked like these first two statements. Basically, yeah, as written, the policy’s okay – I’m sorry. As written, the draft is okay, but this policy is confusing; we’d really like you to do more to simplify it and make it more accessible to folks reading it.

A few people said, no, just delete the formula. Although, in fairness, they said that before this information about just deleting the formula was presented.

One person stood up and actually said, hey, I prefer to have the formula in here; it helps me understand what all the words mean.

We also got feedback from the author of the original policy – that’s the one that’s in the manual now – reached consensus, was ratified by the Board a decade-plus ago, so the actual original policy.

The first thing he said is that in his view, yes, the proposed changes in the draft correct the policy so that it actually says what it was intended to say.

He also made some statements which were more remarkable. He claims that ARIN’s implementation of this policy is not correct. Specifically, that as written, the policy was intended to scale the ISP’s entitlement based on the number of IP addresses the ISP intended to assign to its customers. So if they intended to assign /48s, it was supposed to be one thing; and if they intended to assign /56s, it was supposed to be less.

So I investigated that claim, and the policy’s a fairly difficult read. There’s complex math. There are back references where the policy says, you know, do this, and then a later piece of the policy says, well, if this condition changes what we said back here – and then there’s active pieces of the policy that are in the wrong part of the Policy Manual.

Namely, it talks about this Provider Allocation Unit. Well, actively, what it means to be a Provider Allocation Unit should really be in Section 6, how you determine what that is should be in Section 6, and it’s not. It’s actually hiding down in Section 2, which is supposed to be simple definitions, not active policy constructs. So a fairly difficult read.

Long story short, I investigated, and I found words and phrases and numbers which do substantiate this claim. So that raises all kinds of issues, but there are only really two that are relevant to this particular Draft Policy.

The first is that the hypothetical alternate policy, where we just delete the formula from the Policy Manual, that would have the effect of wiping away this claim. This claim comes out of the Provider Allocation Unit concept which is a piece of that formula. So if we delete the formula, it also deletes this claim, which is impactful beyond what was identified in the staff assessment.

The second point worth noting on this claim is that both sides agree that this Draft Policy as it is actually written does not impact this claim. The author agrees that the changes are correct. Staff agrees that the changes would be correct and wouldn’t impact the way IP addresses are allocated.

So at least as far as the draft as it’s written, this claim doesn’t change anything. It just makes the policy say what it was trying to say in the first place and nothing more.

So next I’m going to open up the microphones to folks with comments about this. Afterwards, after the open mic, I will take a poll of support for the draft as it’s written.

I want to note that the Policy Experience Working Group has already heard and understood that there are more changes to the IPv6 policies than are contemplated in this draft, and this draft is not that work. It’s a simple pinpoint correction.

So the question to all of you is: As the Advisory Council works on broader changes to the IPv6 policies, really, do you want to make this minor fix or just let it fester?

And this draft proposes that – I’m sorry, this draft seeks your consent to fix it. With that –

Hollis Kara: All right. The microphones are open. I already see we have a queue formed in the room. I would encourage folks online to start typing.

Nancy Carter: Go ahead, Mr. Curran.

John Curran: John Curran, president and CEO.

You’ve made a couple of comments about staff assessment of the policy – John Curran, ARIN CEO.

You made a couple of comments about the staff assessment of the policy. Could you go back one slide. Two slides. Thank you.

Okay. Policy impact. I believe the staff assessment concurs there’s no change to how addresses are allocated by adopting this policy.

Is that your position as well, Mr. Herrin?

William Herrin: It is.

John Curran: Okay. Good. Could you go back? Now, the only question is why that’s the case, why is it the case that no change is the result of adopting this?

Could you go back to the Policy Statement? Okay. Go forward one.

So in Section 6.5.2.1c, there’s a sentence that begins the beginning of that section that lays out a policy, states the policy. Then the second half of that is this statement.

The second half begins, “The calculation can be summarized,” and it has another Policy Statement. Okay. There’s a Policy Statement about how to do an allocation, and then there’s a second half which says, “This calculation can be summarized.”

Are you in agreement that the calculation in 6.5.2.1c currently doesn’t match the text above?

William Herrin: In several ways, yes.

John Curran: Yes. Okay. But we made great progress. We know adopting this doesn’t change anything. And we know that there’s two Policy Statements, one in text and one that begins, “This calculation can be summarized,” and has a formula. Okay. And the formula. That’s the words, right, “this can be summarized”?

William Herrin: I think you’re characterizing this as – sounds to me like you’re characterizing this as two separate policies, two alternate approaches to –

John Curran: Two alternate phrasings of the policy.

William Herrin: I see it more as the second one clarifies and expands on the first one.

John Curran: Okay. So the reason that changing this won’t result in a change to how policy’s executed is because the first statement is a clearer statement and the second statement asserts to be a summary of the first one.

Okay. When there’s two Policy Statements, staff’s going to try to implement it in a way that is clear to the community. And so we always use the first half, not the formula.

If indeed you want the formula corrected to be applied the way you wish it to be applied, that’s perfectly fine. I think the community should say that.

But it’s not – as you’ve said, changing the formula alone doesn’t change anything.

If you really want the policy to be implemented the way you assert it should be, the way you believe or the original author might believe it should be –

William Herrin: The original author.

John Curran: – then you need to change the first text to begin, “You will obtain a Provider Allocation Unit using the following process, and then you will do the following steps.” And that’s not there. So staff is implementing 6.5.2.1c exactly as the sentence says at the beginning of that, and the paragraph that follows, which is, “This calculation can be summarized,” well, we’re not using the summary, we’re using the full policy text.

William Herrin: With respect, John, that’s not correct.

The sole source for that whole customer count shortcut is the formula. It’s not in the text at all. It’s not in that first paragraph at all.

John Curran: Oh, no, our training materials are a simplification. But if someone comes to us and says, “Here’s my Provider Allocation Unit, and I meet 6.5.2.1c,” we’ll issue according to what they say.

But for someone who comes to us who has no idea what the policy manual has, we do have to have training materials. Okay?

So all I’m saying is that if we adopt this, there’s no effective change. But I’m not sure it’s even necessary because it is two separate Policy Statements purporting to do the same thing.

I personally prefer one Policy Statement rather than two for the same thing. But if you want to fix the formula, it’s a step in the right direction.

If you want to change it to be what the original author asserts the intention was, then you need to change the first statement as well. Okay? Staff doesn’t care. We’ll do whatever the community does.

But as long as there’s a formula, if there’s a statement that says “this can be summarized,” and it follows the prior sentence, there’s nothing wrong with implementing the prior sentence because you’re asserting yourself in the policy text what follows is a summary of what’s before. Okay?

William Herrin: Well, fortunately, the draft as it’s written –

John Curran: Doesn’t change it either way.

William Herrin: – does not attempt to – does not attempt to align it with the claim.

John Sweeting: John Sweeting, Chief Experience Officer.

I just have a quick point to make, to let the folks in the community understand that over 95 percent of our IPv6 allocations are simple default allocations based on whether they have – whether they’re an ISP or end user and they already have IPv4 space.

Anybody that needs to differ from the default, they are then personally handled by staff analysts to help them go through and follow the policy in 6.5.2.1c wording to figure out what they need.

John is exactly right. The example you showed up there was an example in our training materials. But they get personalized help from an analyst if they have to go outside the defaults that they get by just asking for it.

William Herrin: And by defaults, you mean the /32 allocation that doesn’t require doing any of these calculations.

Adair Thaxton: Adair Thaxton, Internet2. So, first of all, I want to commend you on your first policy discussion, and you took a problem that seemed to be quite an easy one to solve and really did a lot of extra work to flesh it out. And you’ve explained it very thoroughly.

Whether or not they agree with you, you’ve done a lot of extra work. So good job.

So behind me, Mr. Blumberg is promising to go “Full Kevin.” And I am up here to go “Full Adair,” which is to say that I’m going to be a pedantic grammarian.

So on the screen, first of all, I’m not entirely certain why the replacement in the second line of the replacement text has “allocation” in red because that is not actually being replaced. It is correct in the top statement, the second statement, and in the Number Resource Policy Manual.

William Herrin: Sure. That was 100 percent me. The reason I flagged it in red is so you could see where the reference was coming from that then went back to Section 2.

Adair Thaxton: In the same section, it refers to “requesters” twice. That is a possessive, and there is no apostrophe indicating it as such. That exists in two locations and should be fixed.

While I was searching for more instances, I noticed that we have NRPM, Number Resource Policy Manual, Section 5 uses requestor, with an “o-r” instead of an “e-r,” at the end.

So while you’re replacing stuff – yeah. And I also – just on a personal level, I’m not sure that “summarized” and “logarithm” should be in the same sentence.

(Laughter.) (Applause.)

William Herrin: Before you leave, I just want to get your opinion, if you have one. Fix or let it fester?

Adair Thaxton: Fix the grammar. I’m going to go with Kevin for the math.

(Laughter.)

Kevin Blumberg: Kevin Blumberg, The Wire. Thank you, Adair.

I’m just going to run off a bunch of stuff because there’s been a lot of stuff. I know you had your three minutes at the mic, so just give me two.

The formula’s been broken close to 15 years. And that’s one thing. Okay. Staff have already come up and said they never use it. So now we’ve got dead policy.

You haven’t changed the draft. It didn’t reach consensus the last time, and you’re coming up and kicking the can again. Sorry. Doesn’t work that way.

We’re not dealing with anything unique here. Okay. People come to ARIN with their unique needs. If they don’t, they just get a /32 and there’s no problem there.

This math doesn’t math. We can prove that because the math was wrong for 15 years, and nobody mathed the math. Okay?

Next, who here has a college math degree and can handle logarithms?

(Show of hands.)

Kind of. Who would like to do logarithms? Who here would like to do logarithms? Who here would like to do inside-of-the-NRPM math? Okay. College-level math. And who would like us to expect that people coming to ARIN are doing logarithmic math?

Next, complexity creates confusion. Confusion never serves the community. I’ve already sort of gone on with that. And this is complex. You just spent 20 minutes explaining it. Every other policy, much shorter.

This is complex. I don’t – I’m going to say this very nicely – I don’t care about the author’s original intent. 15, 20 years have gone by. This is now 2026. You should be advocating for the community of today, not something that was written 15 years ago.

I want to talk about your advocacy in a moment, but please let me keep going.

When we adopt this, we will now need to then have a new policy on examples inside of it. This is not an implementation document. This is “how you get IP space” document.

So this is the big one. This is the first time in 17 years that I have been at the mic that staff have come to correct a shepherd in advance of the community. First time. Congratulations! You are advocating for this in a way that I have never seen a shepherd do, and I’m disappointed in it. I’m disappointed that the AC has not been able to actually address this with you.

We have gone no further ahead than the last time this policy went there. So you’re welcome to try to rebut whatever it is, but ultimately, this text needs to be removed completely from the NRPM. It is not being used. End of story.

This is not about let it fester. This is about the shepherd taking what the community is saying and actually changing this text to remove it, not to continue on a path of doing something that the community doesn’t want, which is logarithmic math that doesn’t math. Thank you.

William Herrin: Before you go, please. So, again, to be very clear, the AC has heard you on this. We are working on more substantive changes to the IPv6 policies to do exactly what you’re talking about: simplify it. I mean, we just had a table topic on it at lunch. It was discussed in the Policy Experience Working Group Report yesterday.

We hear you. This policy is just about as we are trying to do what you’re asking of us, as we are trying to do that.

Do you want to fix this or let it fester?

Kevin Blumberg: No, that’s not the question.

William Herrin: That’s my question.

Kevin Blumberg: That’s what you’ve used as a question. That is not the question. That is an advocacy.

My recommendation is either to abandon this and start over with a policy to remove it or to actually just put into this policy to remove it.

You have the ability. This is not a “we support” because it has not reached recommended by your compatriots on the Advisory Council. It is sitting as a draft for the shepherd to work on.

No changes have been made. The shepherd has continued to do this. I am saying that either abandon it – don’t tell me fester – abandon it or change it to remove this section. End of story. Thank you.

Nancy Carter: Thanks, Kevin.

Altie Jackson: Altie Jackson, ARIN Fellow. I do believe – I agree with Kevin – drop the math. If it’s been there for a whole long, and it took one person to realize that something is wrong, you can drop it. If it’s been working, drop it.

Nancy Carter: Thank you.

Kat Hunter: Kat Hunter, AC Chair. While we’re on the topic of speaking for the AC, I just want to remind all the shepherds that if anyone is going to speak for the AC, that it is the Chair, for a start.

Secondly, the AC has a variety of opinions on this as we’re continuing to work on this. I just wanted to remind everyone that it’s still a draft. We’re still working on it. It’s not recommended yet.

Nancy Carter: Thanks, Kat.

Tina Morris: Tina Morris, AWS, ARIN Board of Trustees and previous chair of the Advisory Council for many years.

I have a lot of opinions about how this is presented, and Kevin was nice enough to share many of them with you.

I just want to say, in my day job, with my AWS hat, customer hat on, I do not support. I am a customer that clearly wants you to drop this effort.

Fester is not in the policy development manual.

Nancy Carter: Thank you, Tina. Anything online, Hollis? Anybody else? (No response.)

Thank you very much.

Hollis Kara: We’re not quite done. We do have a poll on this that Bill had requested. So we’re going to run that now. I believe my poll counters are in position.

Bill, if you wanted to go to the question in the slides, that might be helpful.

William Herrin: It’s just the standard question you’ve seen.

Hollis Kara: But if you could advance to the slide, that would be helpful.

William Herrin: I did.

Hollis Kara: No, you’re not.

Nancy Carter: Move to the actual poll.

Hollis Kara: If you could please move forward with that.

I don’t know where the rest of the slide deck is. Oh, is that it? Sorry. There’s just a lot of words on it. I got confused. My bad. Hollis is being dumb. Maybe.

So the question is if the AC should continue to work on this policy or not.

William Herrin: The question is, do you support the Draft Policy?

Hollis Kara: Do you support the Draft Policy? Okay. So the question for the room is, do you support the Draft Policy?

And I guess we go to – Nancy, do you want to call for the show of hands?

Nancy Carter: Show of hands for anybody who supports the Draft Policy as written.

Do I have to call for the alternative?

Hollis Kara: I would say call for a show of hands for those not in support.

Nancy Carter: Show of hands for those not in support of the policy as written, please.

Put your hands up high and leave them there, please, so that the counters can get a sense of the room. Thanks. I’ll let you know when you can put your hand down.

Okay. We’re good. Thanks so much, everybody.

Hollis Kara: Just a moment and we’ll have the tally.

Michael will read when the tabulators are done tabulating. Yeah, guys, don’t tally with the tally. Good one, JC. Appreciate everyone’s patience.

Just so folks know, obviously – and it’s good to see our Policy Block is running long, we’re getting lots of engagement, that’s great, so what we’re going to do is continue with the next policy presentation, which should take us up to break time, and then afterward we’ll do our last two Policy Proposals immediately following the break at 3:30.

So if folks who are online want to adjust their plans, if they need to, they know that.

Michael Abejuela: Michael Abejuela, ARIN General Counsel. On the poll: Do you support Draft Policy ARIN 2025-6 as written?

We had 151 total participants, 86 in the room, 65 remote. We have 11 for. 42 against. Thank you.

Hollis Kara: Thank you very much.

William Herrin: Thank you very much.

Hollis Kara: Thank you, everyone. (Applause.)

Hollis Kara: Sorry. I got very confused by the polling slide. That was me. Whatever. We’ll figure it out later.

With that, I would like to invite up Lily Botsyoe to present on Policy 2025-7, which has lots of words and numbers in the title.

Draft Policy ARIN-2025-7: Make Policy in 6.5.8.2 Match the Examples

Lily Botsyoe: Hi, everyone. Hi, everyone, online and in person. I’m going to try to get through this quickly.

This is coming also from ARIN 56. So you’ve seen this before, and I would encourage you to come to the microphone and give your thoughts on it.

So my name is Lily. I’m co-shepherding this Draft Policy with Leif Sawyer. So what we’re trying to do is to make the policy in 6.5.8.2 match the examples.

This is another markup but not complex, I promise. And we want you to come to the microphone and speak. The idea is that we want to see where the community wants us to take this.

So we have a bit of a logical contradiction between the math rule and the example that’s stated in this problem statement. And what we’re looking to help clarify, especially with ambiguity for anybody who is looking at it, is when it comes to single-site organizations and multisite organizations.

So right now, as it’s reading as though the 75 percent threshold would suggest that even a single-site entity justifies a larger /44 block, which contradicts the example implication that the single site stays at a /48.

So what are we doing? Now, the Policy Statement from our last time was that we just do a restructure of the policy so that we have the single site not looking – the single-site /48 not looking like an exception but really to position it with the examples to show what implementation will look like.

So you can see here what the Policy Statement is like and how it’s going to change. We’re just moving around and adding on an initial statement that precedes what the example looks like, and you see it here in this new Policy Statement.

So we have that, and we list it out clearly so that people are able to see that the structure is reworked in a way that came from the community from ARIN 56, and you see that in the impact of this policy in a moment.

So where have we been? We have been at 56, with the proposal came in May. That was a Draft Policy – it became a Draft Policy in July and revised in February of this year. And all of that was sent on to the PPML as well.

So the impacts. And this is where I want us all to look clearly. So here what’s going to happen with the changes, it clearly defines that assignments larger than /48, such as a /44, 40, are only triggered once an organization justifies more than one site.

And then it also removes the loophole where the 75 percent rule accidentally qualified a single-site organization for a /44, forcing the policy to align with the intended /48 baseline.

So like I mentioned, it is making – from the community feedback, what we did was that – after 56, we sent it to the mailing list. There was not much engagement on the mailing list, but we hope we can have some engagement here in person. So please do come to the microphone.

The previous feedback said that we reworked this so that we have the single-site organization receiving a /48 and then the 75 percent formula applies to the multi-site organization.

When we do that, it would position it as part of what has been implemented rather than framing it as an exception. When I say framing it, framing the /48 as an exception.

So we have two questions for you, and we want you to come to the microphone to say whether you support it as written or if you have any additional changes before moving this policy to recommended status, if you think we should do so.

So please come to the microphone, and we hope to hear from many of you, even online also. Thank you.

Hollis Kara: All right, thank you, Lily. You heard the lady. We need feedback. So please approach the microphone. If you’re online, start typing.

And, Nancy, thank you for coming back to help moderate.

Altie Jackson: Altie Jackson, ARIN Fellow. In reviewing this, I do support this, don’t see any major changes, just bringing clarity to what’s happening. So I do support it.

Nancy Carter: Thank you.

Eric Landgraf: Eric Landgraf, Virginia Tech. I believe the current policy or Draft Policy language was what I proposed on the Mailing List. I support that as written because it takes a more holistic view of 6.5.8.2, which is easier to read than the other IPv6 policy we were just discussing, but it’s still not intuitive to go through. So I support the policy as written.

Nancy Carter: Thank you.

Brian Jones: Brian Jones, Virginia Tech, ARIN AC. I support the policy as written. I think we should consider “allocation” instead of “assignment.”

Lily Botsyoe: Thank you.

Kevin Blumberg: Kevin Blumberg, The Wire. I support the policy. But it’s in draft, so I’m going to make a suggestion.

Lily Botsyoe: Right.

Kevin Blumberg: This is all good. I remember the original policy, and it came out – why did the original policy come out? Because ARIN had a complicated fee schedule that made it so this type of policy was required to allow organizations to fit within certain boundaries of the fee schedule.

Now, staff will very correctly tell you that the fee schedule and the NRPM should never be co- – they’re not co-joined. They shouldn’t be. But for the last 20 years, we’ve done that anyway.

We’ve tried to commingle policy because of the fee schedule, and it’s like pulling and pushing.

We don’t need this complexity anymore. We don’t need /48, /44, /40. It really should be, come to ARIN and anything smaller than a /36 or a /40, here you go; we’re not going to ask you why.

We should just actually just remove out this complexity, and it would serve the same purpose and make it so much easier for everybody at this point. So just a suggestion, if that is something that you have an appetite for, I would actually suggest simplifying it.

The last part is, IPv6, when you’re deploying it, should be thinking about a decade from now, five years from now, and we keep thinking of IPv6 with the same scarcity model, one site, /48.

Where are you going to be five years from now? Are you going to be one site? Even if you’re in one building, you may not be in one site. So I think the whole premise here is still the old guard scarcity concept. And I think there’s a great opportunity to simplify this down. Thank you.

Lily Botsyoe: Thank you.

Nancy Carter: Thank you, Kevin. Can we go to the online?

Hollis Kara: We certainly can. I have two comments online. First, Matthew Cowen, former Fellow: I support this policy as written.

Second, Mustafa from Mustafa Tech LLC: I support this policy as written.

Nancy Carter: Thank you. Anybody else? Going, going, gone. (Applause.)

Thank you very much.

Hollis Kara: All right. I don’t have the break slide queued up, but I will assure you it is 2:55. We’re going to go ahead and take our break rather than start the next policy discussion.

We will take a half hour, come back at 3:30. We will do 2025-8 and 2026-1, and we will explain what’s going to happen with the rest of the agenda once we get past those. I need to have a little bit of conference while you guys are out there eating whatever delicious snacks they’ve brought up.

So we will see folks back in at 3:30. Thank you.

(Break from 2:55 PM to 3:30 PM.)

Hollis Kara: We’re going to give the folks in the room a chance to get to their places. While they’re doing that, let me explain how we’re gonna run through the end of the day today.

First of all, I would like to thank my RIR colleagues, Tony Smith from APNIC, Carlos Martinez from LACNIC, Alastair Strachan from RIPE NCC, and Arthur Carindal from AFRINIC for submitting video updates.

Due to our lively policy discussion, we are actually going to just be posting those online. They will be available on ARIN’s YouTube channel and linked to the meeting report.

You’ll probably see those show up tomorrow. It’s just going to take us a minute to get those posted. But you’ll be able to review those, and I do encourage you to take advantage of the opportunity to view those updates.

For the remainder of the day, we’re going to finish out our Policy Block, and then have our Data Accuracy presentation with Joe Westover. And then if there’s time before we run out of clock, we will have the CXO Update before Open Microphone. But that is a little bit flexible depending on how we’re running with our discussions.

So with all of that being clarified and everybody’s up to speed and ready to get rolling, I’d like to welcome E. Marie Brierley. This is her first meeting as an AC member, and she’s going to be presenting 2025-8. So please, let’s give her a welcome. (Applause.)

Policy Block 2

Draft Policy ARIN-2025-8: Reserve 4.10 Space for In-Region Use

E. Marie Brierley: So I’ve been promised that presenting policy on your first AC meeting is not actually a hazing ritual, but okay.

(Laughter.)

So my name is E. Marie Brierley. Kaitlyn Pellak was actually the shepherd. I’m the co-shepherd. And she can’t be with us today in person. She is online, however.

And I want to say up front that I have told Kevin Blumberg, The Wire, that my presentation will be three minutes, so we need to hit that.

I would venture out and say that this would be straightforward. But, quite frankly, I just don’t want to curse myself like that.

Okay. So this policy is about conforming language to a long-term operational practice. So we’d like to change the language to specify that these addresses can be used within the ARIN service area.

My understanding is there was quite a bit of positive feedback originally when this was brought to the last meeting, and then there was some feedback on the PPML so that we wanted to bring this back to the community with the knowledge of the PPML feedback and ensure that the community is still supportive or not.

At this point, I don’t believe there’s any – it’s passed Staff and Legal Review with no material alterations or impacts.

This is something that just conforms the NRPM language to existing ARIN operational practice. It’s just to codify in the NRPM what’s already happening. It’s presumed to be used only in the ARIN region, and that’s how the staff has been allocating.

So here we go with the feedback. Like I mentioned, originally it was positive feedback, and then there was some feedback on the PPML. So I’d like to invite you all to come to the mic and either obviously support or add some additional feedback.

And I think the PPML feedback was just that it was just a little too strict. So I’d like to get the community feedback one way or the other.

And here’s a use case where someone thought that someone with an ARIN IPv6 allocation globally should also be able to use 4.10 allocation to provide NAT64 for their global IPv6 allocation.

So the questions for you are, should the language be adopted as is? Is it too strict? Should we ask if the language should say “only in the ARIN region”?

Hollis Kara: All right. So we’ve got a series of questions for community consideration. And Nancy is on her way up to help moderate. This will be the time to approach the microphones if you have feedback on this policy proposal or to start typing if you are with us online.

Kat Hunter: Kat Hunter, AC chair. Just to clarify for the room for the new people, because it wasn’t mentioned, the 4.10 space is the transition space for IPv4 to IPv6. So if anybody is wondering what that 4.10 space is, that’s what it’s used for.

Nancy Carter: Thanks for the clarification, Kat.

Chris Woodfield: Chris Woodfield, Woodfield.tech, ARIN AC. Normally, I would say not use the word “only” because that forecloses any Anycast use case where a space might be used both in the ARIN region and outside the ARIN region.

IPv6 transition space, if used for the purposes it’s intended for, off the top of my head, I’m not thinking of any use cases where Anycast would be useful in that, but there might be. So I would not agree with adding the word “only.” I’m sure other people can think of exactly those kinds of use cases, but I support the current language as written.

Kevin Blumberg: Kevin Blumberg, The Wire. I support the policy. To Chris there, it is only used in the ARIN region. It’s just Schrodinger’s cat. It happens to also be in other regions but you don’t know that it’s in other regions.

I think “only” is actually the right – yeah, I think “only” is actually the right terminology or it creates edge cases that are worse. So for the Anycast scenario, I think it’s okay.

So history lesson, because I think that’s really important with this policy, 4.10 is a soft-landing policy for the ARIN region. That’s essentially what it is. And what soft landing means is we didn’t want everybody hitting a brick wall when IPv4 ran out. We had this little block, and then the community decided that you needed to tie it to IPv6. So that’s what we got.

The most important feedback from that era, when we came up with this policy was, this wasn’t a one-size-fits-all. This was not meant to solve everybody’s problems. And most importantly, this was not meant to support your business plans long term.

This was just a small uplift to help you get there, and once you were there, to do more. So, yes, I absolutely support this because I think this is a restrictive policy. It was meant to be restrictive. It was meant to be for in-region, all of those things. Yes, absolutely.

I will take it one step further. Please keep in mind that I think that the 4.10 policy is actually being utilized, again, in a way that was never really intended by people who think that it is a continual grab, they can go back and back and back and back, and their business that ARIN has got the IPv4 space for them through this policy.

So I think at some point, the policy, I think, for 4.10 is going to have to tighten up more. Maybe it will be instructional. But I think that people’s expectations – because I heard this last week at an ISP convention – people’s expectations of 4.10, I think, are unrealistic for what the community can actually give them from the soft landing space.

Thank you.

Nancy Carter: Thank you. John.

Hollis Kara: We have one online comment after John.

John Sweeting: John Sweeting, Chief Experience Officer with ARIN.

So just to Kevin’s point, 4.10, there was a lot of noted abuse in the very early days of giving out, like, before COVID and during COVID, but that has been greatly tightened up.

Hardly anybody gets a second bite at that apple unless they can verify that they meet the policy of 80 percent of the /24 being used for deployment of IPv6.

So what was once true is no longer true. However, it does take a lot of resources to enforce that.

Nancy Carter: Thanks for that, John.

Hollis Kara: Okay. And online, I have Scott Morizot, IRS, saying that: I support the Draft Policy as written.

Nancy Carter: Anybody else?

Hollis Kara: Thank you. (Applause.)

If I could get another round of applause for E. Marie for surviving her “not hazing.” (Applause.)

I would like to welcome up Alison Wood to present Draft Policy 2026-1: Taking IP to Other Planets.

Draft Policy ARIN-2026-1: Taking IP To Other Planets (TIPTOP)

Alison Wood: Good afternoon, everyone. Today I’m presenting, arguably, the coolest policy that you’re going to hear about today. You could even say that it’s out of this world.

This is Draft Policy 2026-1, also known as TIPTOP, Taking IP to Other Planets.

At a high level, this policy is trying to get ahead of a problem that hasn’t fully hit us yet, but it’s coming.

So bear with me as I present this policy. I have a lot of notes up here, so I’ll be referring to my notes quite a bit. But this is new to many of us. This policy just came in a few weeks ago. When I share the Staff and Legal, you’ll see that there is still work that needs to be done on this policy.

All right. Oh, and Brian is my co-shepherd on this one.

Okay. So right now, space networks are being built somewhat independently. So we have NASA. We have the European Space Agency. We have commercial contractors. And they’re just using whatever IP space that they already have or that they’re obtaining from their RIR.

That works fine when those networks are isolated. But as they start interconnecting, you lose routing aggregation and you could end up with fragmented routing. The key issue is that space networks aren’t shaped like the Internet on Earth. I’m looking for Kevin on this one.

All right. So outer-space networks are inherently not like networks on Earth. Instead of being densely interconnected, they’re going to be clustered around things like the Moon, the Lagrange points and eventually even possibly Mars. And they have relatively limited links with inherent latency between all of those different regions.

So what TIPTOP is proposing is pretty straightforward. Conceptually, it will assign IP address space in a way that matches the physical topology or, in other words, will use hierarchical addressing aligned to celestial regions. These are all kind of new terms.

So assigning them to a celestial region, so routing can stay aggregated, especially as those networks grow. We’ll talk about that a little bit more. So while the technical side – especially for me as a network architect – technical side’s fairly intuitive, the policy side is a little bit more complicated.

So specifically, we’re trying to figure out if ARIN is the right place for this. Should we be coordinating globally with IANA and the other RIRs? But, keeping in mind, with this policy just coming in, we have to start somewhere.

So as we go through this policy, I’d encourage you to think about both sides, the technical benefits and the coordination challenges that come with implementing this.

So the last thing on this slide that I wanted to talk about is that we’re introducing a new concept called Extra-Terrestrial Networks, or ETNs. So these aren’t LEO networks, they’re not GeoNetworks. They’re beyond that.

So we’re going to start with the IPv4 sections that we’re adding to the NRPM. So for IPv4, this policy creates a new section for Extra-Terrestrial Networks, and that allows ARIN to either use a dedicated pool or specific allocation guidelines. Organizations, they have to show real operational need beyond Earth’s orbit, and eligibility would be for government research and commercial operators.

The key piece is using address space from contiguous blocks aligned to those celestial regions. Remember I said that before. We want to keep those celestial regions, like the Moon or Mars, to support the routing aggregation.

And while standard utilization rules apply, we have to have some flexibility for inherent deep-space latency. Next slide, please.

So for IPv6, this policy establishes that IPv6 is the preferred protocol. Joe Provo, if you’re listening, I did get your feedback on that.

So IPv6 is a preferred protocol for Extra-Terrestrial Networks. It sets a minimum allocation of a /48 to allow for hierarchical subneting. It’s very important across celestial environments. It also encourages aggregation prefixes with a planetary system that has a single route back to Earth. Again, we’re trying to eliminate very large and incongruous routing tables.

It uses sparse allocation to leave room for future growth without fragmenting that address space. Next slide, please.

All right, everyone, this is not going to happen in isolation. This work is being developed alongside the IETF TIPTOP Working Group, which is looking at both the addressing side and the architecture side.

So what you’re seeing here is the policy side trying to align with the technical side. And that alignment is going to be critical as this moves through the PDP. Again, this is a baby policy. We just got it.

All right. Okay. So in the beginning of this presentation, I talked a little bit about the Staff and Legal. So staff’s read on this policy is pretty much aligned with the intent of the policy. That’s fantastic.

They see it as establishing a framework within the Number Resource Policy Manual for allocating IP address space to Extra-Terrestrial Networks with a focus on routing scalability through hierarchical addressing. It’s very important. Next slide, please.

Staff breaks this down into three main pieces. First, creating a dedicated allocation pool, or guidelines for space-based networks; second, defining what an Extra-Terrestrial Network is and who qualifies to get ETN space; and third is putting allocation practices in place that support aggregation, specifically aligned to celestial regions.

All right. This is really about correcting what’s already starting to happen. So keeping those routing tables congruent. Right now, agencies are using existing address space with no coordination.

That works now in the short term. But long term, this could create fragmentation when these networks interconnect.Remember, we do have incredible latency. It’s outer space, it’s physics. So the policy is trying to get ahead of that before it becomes a bigger problem.

Staff confirms that this does fall within ARIN’s Policy Development Process since it amends the NRPM. But, this is important, it raises questions about clarity, implementability and whether this fits with ARIN’s role.

So this is one of the most important takeaways from this review. The policy assumes – the policy as written assumes that dedicated address space already exists for this purpose.

But that hasn’t been established yet. So staff is basically saying this only works if your prerequisites are met, which they have not been met yet. So without the dedicated space, we can’t achieve any aggregation.

So this is where it’s actually bigger than just ARIN. Staff points out that the IETF and IANA would need to define and allocate the address space first. So that, again, has not been done yet. Next slide.

And we also need to coordinate with the other RIRs to see how this would be managed.

All right. So the Staff Review states that it’s not clear whether ARIN acting as the registry for space-based networks fits within its current mission.

So for that to happen, we would have to have Board approval, we would have to have community support, and we’d have to have some sort of agreement with the other RIRs. So this is not a technical problem as much as it’s a governance problem.

So staff outlined four major conditions that would need to be true for this policy to work. The IETF determines that there is dedicated space that’s needed for this. IANA would then have to allocate that space. ARIN would have to agree to host that space. And the other RIRs would have to agree that this would be ARIN’s role.

So right now, the policy as written assumes that these are already in place. This is an area that needs refinement. And as the shepherd, this is something that I am working on.

So is this implementable as written? The answer is no. Go ahead and go to the next slide. Thank you.

All right. So staff has stated that there’s much more work that’s needed especially around all those dependencies and prerequisites. And we are aware and working on it. And again, this is a very, very young policy.

All right. So Legal also reviewed this policy. Immediately they flagged three main things. Jurisdiction. Space doesn’t map clearly and cleanly to existing regions.

We also, of course, as I mentioned before, would have to coordinate with other RIRs, and Legal is very concerned about the source of the address space. And overall, Legal felt that we needed cleaner definitions and alignment with ARIN’s policies.

So again, this is reinforcing that while we do have some technical things to work out, we have a lot of governance issues that we need to worry about.

So Staff and Legal kind of in a nutshell are saying that there’s complexity in coordination authority and the prerequisites, which, again, as the shepherd – and Brian as my co-shepherd – we are working on it.

So moving forward, the discussion really needs to focus on those areas.

All right. Policy impact. At a high level, this policy has no impact on current terrestrial networks. What it does do is establish a framework for Extra-Terrestrial Networking, and it would help avoid inconsistent ad hoc addressing as space networks do develop.

By encouraging topology-aligned addressing, it aims to improve aggregation and reduce the risk of future routing-table growth as these networks do interconnect.

It also promotes coordination across the RIRs, since space could certainly become multinational. And while the near-term demand of this is very small, right, currently there isn’t a lot of, or really any, demand for this. But it is really important that we set a precedent and we get ahead of any problems before they arise.

All right. Community feedback. Community feedback has been a mix of support and some important questions.

There’s a general agreement that ad hoc addressing in outer space could become a problem and that some form of guidance would be helpful.

And at the same time, there are concerns about scope, specifically whether this should be handled globally rather than just by ARIN alone. So there are also questions about coordination authority and how this would even fit in the existing RIR network. Perhaps this should be an RIR on its own.

In closing, this policy is not creating an Extra-Terrestrial Network today. It’s defining the conditional framework under which the community could operate when the global, technical, and governance prerequisites have been met.

We are at a point where networking is no longer confined to the surface of the Earth. Whether it’s satellites or deep space, the Internet will continue to expand outward. And it is our responsibility to create, aggregate, and steward addressing in a way that preserves global coordination, scalability, and interoperability as
that expansion continues.

And I would like to say, this is one small step forward for mankind and one giant leap for Internet coordination.

Now for your questions.

Hollis Kara: Thank you, Alison. Microphones are open. If folks want to approach. Nancy is on her way up.

We had an early submitter get a question in online. If we want to do that one first. Ashley, do you want to read it?

Ashley Perks: Alan Rowley from Citizens Support. I think this is not ARIN, RIPE, or dot, dot, dot. This seems to be a new registry dealing with IANA as space is unlimited. ARIN region is in general North America and has no jurisdiction on the Moon, Mars, or other stars eventually. Idea may be needed, but needs a registry of space first.

Alison Wood: Can I respond to that?

Hollis Kara: You can do whatever you want.

Alison Wood: I very much appreciate that comment. I do believe we need to start somewhere. And if we just continue to push this off, we won’t have that framework in place.

Whether it belongs in ARIN or any other RIR remains to be seen. But if we could come together to help to begin to build that framework, we will be able to prevent some of the problems that could arise in the future.

John Curran: I’d like to respond to that. John Curran, CEO of ARIN. The prior comment’s quite apt, actually.

The right way to do this would be to have an RIR – region is kind of a weird word; Internet number registry – that would serve the community that’s going to be composed of those networks.

And there’s a reason for this. This is because, amongst other things, it would allow those networks to establish their governance structure, establish funding, determine the right services. I can think of many, many reasons why a separate number registry for this is the right thing.

In fact, on an IETF mailing list, I might have actually wrote that in the TIPTOP Working Group. Because it’s not something ARIN has to do. It’s actually something that the Board may say that ARIN shouldn’t do even. So let’s be clear.

Having said that, people familiar with the history of the registry system will know that some of the regions like AFRINIC and LACNIC were part of the ARIN region at one point.

The ARIN region was ROW, Rest of World. At the point in time when the Internet number registries within the early ’90s, RIPE got formed and got organized and was getting draws from the Internet central registry, a group that was operating under – a separate group but operating under Jon Postel’s supervision as the IANA. And then APNIC got formed and it was getting draws, but it was still getting it from the central Internet number registry.

At one point, the US government funded a group called the Intra-NIC team at Network Solutions to run that Internet number registry – again, still under Jon Postel as the IANA. And then in 1997, when ARIN was formed, the National Science Foundation, which had that cooperative agreement, directed that that function all be moved to ARIN. This is before ICANN.

So in 1998, ARIN was the number registry, and that included everything that was not RIPE or APNIC was in the ARIN registry. And we made all allocations, if it wasn’t RIPE or APNIC. And when APNIC needed a new block, they came to ARIN and got the additional block – again, all under the auspices of the IANA.

And to this day, even though we now have five RIRs, you’ll find things like Antarctica is in ARIN’s region. And I’ve stared at the North America map, and no matter how long I look, I can’t reconcile Antarctica being in North America. But it’s there; it’s on the list of our region.

For that reason, because of a historic role we’ve served, if it turns out that there was an address block assigned for this purpose, and if all the RIRs got together and said, we don’t care who does it, and ARIN’s willing to, and if the Board of Trustees said we’re willing to, because that’s a prerequisite to saying that ARIN’s willing to do this, it’s conceivable we could serve this role.

You’ll hear, I’m not strongly advocating for it. I’m also not saying we can’t do it. It very much is, if there’s address space and if the other RIRs think someone has to do it, it might as well be ARIN, and if the Board of Trustees says it might as well be ARIN, and if you make a policy, then we thread all the loops and we get there.

I will say one of the assumptions in the Staff and Legal response that does need to be clarified, we sort of said, we think this policy calls for a dedicated address block. But that’s actually not clear in policy.

If it is, at all, the intention that this thing go through without a dedicated address block and that ARIN should instead make a pool out of ARIN’s current IPv6 resources, that would need to be explicit, because as it is, we would – if this was passed, we would normally hold it.

It’s not clear one way or another, and I would ask, if it’s definitely a dedicated address block that has to be for that purpose, coming from the IANA for that purpose, make that explicit. If it’s “get it done however you can get it done,” make that clear so we know what it is under what conditions you’re passing it.

But in terms of whether or not this is in ARIN’s scope, it’s not in our present scope. It’s not inconceivable it could be if the community wants us to do it and someone has to do it and the Board wants us to do it. It does align with one of the historic things we’ve done. Clear? Clear. Okay, I’m going to sit down.

Nancy Carter: Thank you, John. Go ahead, Adair, please.

Adair Thaxton: Adair Thaxton, Internet2. Pursuant to a discussion yesterday at lunch, Kat – sorry. So John finished by saying it’s not inconceivable. But in this case, I believe he’s quoting the wrong movie.

(Laughter.)

Well, the discussion on the PPML has proceeded at ludicrous speed. Before we go plaid and start combing the IPv4 space, I don’t want to go over your helmet or anything –

(Laughter.)

– I don’t think this is ARIN’s purview. I think this is more likely something that should be handled by IANA or IETF before we start printing TIPTOP, the T-shirt; TIPTOP, the coloring book; TIPTOP, the lunchbox.

So I encourage this to undergo some more thought. I hope to see it back in ARIN 2026-1-2, the search for more money.

(Laughter.)

And I will conclude by saying Hail, Skroob.

Nancy Carter: Thank you.

Altie Jackson: Altie Jackson, ARIN Fellow. I like the initiative and the fact that the business is being proactive by somebody suggesting this and it’s pushing through.

But I do believe that IANA should be the person developing this framework and interacting with all RIRs, so they can develop a policy to do this and then allocate the space so it can work, and then do the technical framework of how it was set up before ARIN can push through a policy on this.

So there should be a larger framework and everything up and running, and then we can have – ARIN can now push through this as a policy.

Alison Wood: Perfect, thank you.

Nancy Carter: Thanks. Can we go to online?

Hollis Kara: We sure can. Ashley, do you want to take one, or shall I?

Ashley Perks: I’ll go ahead. Matthew Cowen, former Fellow: I do not support this policy as written. Outer space is not North America. This is a planetary-wide issue to be discussed at the relevant level. Also, to me, this is more operational than policy for the foreseeable future.

Hollis Kara: Do you want the second online?

Nancy Carter: Sure, let’s go.

Hollis Kara: Okay. I’ll take this one. Andrew Gallo, The George Washington University:

I agree that starting early is a good idea. I don’t think any existing RIR should handle this alone. There should be a separate RIR. Even if management of space number resources starts with an existing registry, it should be kept separate and discrete with the anticipation that it will be separate in the future. More than a preference for IPv6-first, would suggest IPv6-only.

Alison Wood: Okay. That’s wonderful. And I greatly appreciate that feedback. As we’ve been kind of mulling through the proposal, we had been requested to include both IPv4 and IPv6, and respected the author’s wishes on that.

Nancy Carter: We can go back to in-person queue, please.

James Lord: James Lord, ARIN Fellow. I’m largely in agreement with the overall community sentiment here about this probably not being something that ARIN alone should handle. But I appreciate the forward-thinking on this, trying to lay out the framework for it.

Although I do think it should be its own RIR with probably collaboration from maybe representatives of the different regions to kind of decide exactly how this should go in the future, even though there may not be a need for it now, there’s going to be a need in the future.

Alison Wood: Fantastic. Thank you.

Nancy Carter: Thank you.

William Herrin: Bill Herrin, speaking for myself. Talking about risks to discuss, there’s a hidden assumption in this TIPTOP architecture that the links between planets are going to converge into a single organization, similar to what we had back in the day with the NSFNET.

And ultimately that was not at all what happened on the Internet. And by the time there are enough IP addresses being used in outer-space scenarios, it’s not obvious that that’s going to be what happens in outer space either.

And the moment you have multiple organizations running these cross-planetary networks, that aggregation no longer works in the routing protocols. So that’s a risk worth considering.

Alison Wood: Excellent. Thank you. The technical side is certainly something that is relevant to the policy side in this case.

Roman Tatarnikov: Roman Tatarnikov, IntLos. This might be the most interesting Policy Proposal this year, especially – I’m pretty sure there’s still a line behind me.

Alison Wood: There is.

Roman Tatarnikov: While I do feel that there’s a need for a separate RIR, I do also want to start somewhere. So I think creating a separate RIR is going to be a more cumbersome process. It’s going to take a while.

But as a stopgap, doing this proposal here, ARIN being responsible for the space, is probably the best way to go and probably the best way to start.

Plus, mostly, I love the idea of saying, hey, my RIR didn’t just give IPv6 to a bunch of penguins in Antarctica, we also did to space.

Alison Wood: I love that. John Curran, did you hear that part? Yeah, awesome.

Roman Tatarnikov: What I also – I still need to catch up on the PPML, but what I also remember from the discussion was the need for IPv4. And this is something I want to bring up.

One of the proposals that there is a need for IPv4 because some objects are too far away, and the speed to reach those objects is going to be so low that IPv6 is essentially going to take eternity. So I’m not sure exactly how IPv4 would solve it, because now we’re going to be in a situation where, are we putting IPv6 into IPv4 tunneling? I remember there was something like this proposed on the mailing list, or something else.

IPv4 is an old protocol. Let it die peacefully. Instead, if there’s an issue with these distant objects and we want to make sure we can reach them, great, let’s use labeling. I’m not talking about MPLS. I’m talking about VLANs, essentially – one VLAN per planet, per tunnel to the planet. And then put IPv6 into it.

We can even create a new protocol. Call it IPv5 2.0 or something like that. That’s all the comments that I had. I still need to catch up on PPML, and I’m looking forward to more development of this policy. Thank you.

Alison Wood: Thank you. That was amazing technical information. I just encourage you to join the mailing list, the IETF Working Group Mailing List for TIPTOP. And you may be able to contribute those ideas there.

Kevin Blumberg: Kevin Blumberg, The Wire. I closed my laptop. I had, like, 48 points of why this was such a bad idea. Not even the Schwartz is going to save this one, I’m sorry.

Okay. Nice punch line. Here it goes. This has to be abandoned. Not just reworked, not continued on. It needs to be abandoned. It needs to be abandoned because it is setting a dangerous precedent.

We already had this precedent occur when we did the CGNAT space, the 100 dot. We got ahead of ourselves. We got ahead of ourselves. The IETF came in and very politely said, not your purview.

Staff have come in and have said, hey, this is a problem. Lots of problems. This hasn’t reached draft consensus. This hasn’t reached consensus within IETF. This is a shot to the moon of an idea that one group of people has within the IETF, and they need to get their ducks in a row, okay, first.

Once that’s done, great, we’ll figure it out from there. But we’re so far from that. So what we have is forum shopping. We continue down the path of working this thing, all we’re doing is angering a sister organization in the iSTAR world. We are angering them because we are touching their purview of policy. Okay? Please be very careful.

Nancy Carter: We can’t read that from here.

Kevin Blumberg: Not saying it. It’s an HR violation.

The last part, there’s a lot of commingling of ideas that I think are misguided. The first is latency has nothing to do with IP numbering policy. If latency is an issue, then maybe the IETF can come up with IPv2, lightweight IP addressing that is a much shorter number to deal with that.

But there’s a lot of commingling – what? Yeah. There’s a lot of commingling going on. But more importantly, it just needs to be abandoned. I’m sorry. Thank you.

Alison Wood: Thank you, Kevin.

Nancy Carter: Thanks for your feedback.

Henrik Van Tassell: Henrik Van Tassell, ARIN Fellow. I’m at risk of being a part of a collective broken record. I’d like to say, first of all, I agree with the general sentiment of creating another RIR. I’d also like to draw kind of difference between networks like, say, Starlink that do have hardware in space but they’re operated by people on Earth and serving people on Earth, whereas there’s a different thing with regard to networks operating, like, on moons or on other planets.

To kind of lead into that, or, well, with regard to those networks like Starlink, that, I think, falls under the purview of ARIN and RIPE and other RIRs because they’re operated by people within some region on Earth and serving people in some region on Earth. But with networks on other planets, that would be a whole other society with their own rules and their own technical requirements.

And also, as some other people have mentioned, is IPv4 even necessary here? Because networks – these networks on the Moon or Mars or any other thing don’t exist yet.

So if there are problems with that sort of thing, there’s not some legacy concern that we have to take into account because there is no legacy hardware that exists. So those are problems that could be – those are engineering problems that could be solved before those networks actually even need to be deployed.

Alison Wood: That’s a fantastic point. Thank you so much.

Eric Landgraf: Eric Landgraf, Virginia Tech. To basically say that more, who cares about Section 4? There is no pool in the IPv4 space we can reserve. What are we going to use, class E? There’s nothing. It’s gone.

So I think that section should be completely stripped out even if we were to even consider going forward with this policy. And we should strongly predicate that this depends on IANA reserving a block for these deep-space networks that is outside of 2000::/3.

It would be a completely different pool dedicated to this application if we were to do it at
all. And, of course, we have to deal with Section 9 of, is outer space our region?

I am worried also for the IPv4 stuff. There’s a serious risk of running into the uniqueness guarantees in ICP-2. So, yeah, IPv4 just has to be stripped out of this, or ICP-2 is going to have to be reevaluated, and we haven’t finished rewriting it yet.

And also I want to ask, is ARIN actually the most equitable or most efficient place for this registration to live if it needs to live in an existing RIR? And that’s something that I think is going to come to the ASO or ICANN-y things.

John Curran: John Curran, CEO of ARIN. “Is ARIN the most efficient place dot, dot, dot” – I’m not sure I even listened to the end of that sentence. Probably not, regardless of what that sentence is. There’s nothing to say that we are necessarily the right place to do this.

However, a member of the community submitted a Policy Proposal, and so you folks get to consider whether this gets refined, revised, whatever. As I said, the Board has not even said if this is in scope
or not.

And I can’t – even if the IETF makes an allocation for IPv6 and puts it in a special pool and says, oh, this is general purpose space for a particular region and it should be administered by an RIR, even if all those steps happen, there still needs to be effectively a policy that gets it to an Internet number registry to issue. And that’s a global function with all the RIRs.

So, like I said, the Board needs to say it’s worth doing. The other RIRs and probably their communities in some form need to concur. We would be a possible way of doing this. Efficient? The right place? There’s also the idea that this is a policy to issue numbers according to a specific network architecture.

I’m not sure the networks affected by that are in the room. And that has all sorts of implications. So when you say efficient, I would say there’s no representation that this is the most efficient place to do it.

Eric Landgraf: Okay. I just want people who might be in support of this policy to consider, should ARIN be doing this at all?

I think we should drop the policy on the floor and run away with it, or run away from it. But those are some technical concerns, if we move forward.

Nancy Carter: Thank you, Eric.

Alison Wood: Thanks for your feedback on that. Please remember this is a Draft Policy. It’s nowhere near recommended. It’s just a few weeks old. So we have a long ways to go before any of that would even potentially happen.

Nancy Carter: Evghenii, go ahead.

Evghenii Kosatii: Evghenii Kosatii, Addrex. It seems this is forcing space agencies to do the right thing, and it’s complete opposite of self-governance.

This is also a really good test for ICP-2. It seems that this is already covered by the DTN plus Bundle Protocol, and it doesn’t require the IP. But things like IPv6 could be used here.

And it also seems that Vint Cerf has already solved this problem sometime long ago. And there’s zero chance that multiple deep-space agencies will share traffic links and routing. Thank you.

Nancy Carter: Thank you.

Alison Wood: Thank you.

Nancy Carter: We have one more online, so we’ll go to that.

Hollis Kara: We do. Ashley?

Ashley Perks: Justin Gehrke, speaking for myself: Perhaps it’s oversimplification, but why can’t NASA, SpaceX, or whichever other organization that goes into space utilize their already-allotted IP space for their extraterrestrial activities?

Alison Wood: Yep, that’s a great question. We are, more or less, trying to get ahead of something even further out into outer space, where we would potentially have celestial regions on planets, the Moon, the Lagrange points. And so there is no allocated IP address space in those situations today.

Nancy Carter: Go ahead.

Gerry George: Gerry George, DigiSolv and ARIN AC. I think this would have significant impact for the Policy Experience Working Group and the adequacy of PPML. So, Matt, be on notice because how are we going to make allowance for members of the community who are extraterrestrial bodies?

Alison Wood: That’s a great point. Thank you.

Adair Thaxton: Adair Thaxton, Internet2. I have one more. So I would like to commend Nancy, in solidarity with Alison, changing to her fancy high heels.

Nancy Carter: Thank you, appreciate that. Thanks for noticing.

Alison Wood: We need a photo later.

Nancy Carter: Yes, we do.

Adair Thaxton: It makes the two of you look like proper Druish princesses.

Nancy Carter: Thank you, Adair.

Kevin Blumberg: Kevin Blumberg, The Wire. Where are my heels? No.

So a couple things have been brought up. I just want to add one thing, and I think it’s important.
John, you brought up at the very beginning about the region scenario and the community support. And all of these are in the ICP-2 and the new RIR governance document. What does it take to be a new RIR is all there. And the first thing and the most important thing is community support.

The reality is, I don’t know if anybody in this room is from the spacefaring community. Now, that’s not to say we can just ignore it, but ultimately, we need organizations that are spacefaring to be here, actually talking about what they need from an addressing, if it’s any different than anything. If they say we’re fine with out-of-region use policy that’s in the ARIN NRPM today, great.

The other thing, there seems to be a misguided concept that number policy can solve technical problems.

I don’t understand – and it was just brought up – I don’t understand how forcing aggregation is possible, because that is assuming that one industry, one organization will be responsible for
a specific celestial body. That is misguided at best. There’s going to be lots of people in a celestial body. Is the RIR going to have a space router there to handle the aggregation?

Again, we’re commingling and avoiding – we’re commingling and avoiding a lot of the issues. We’re trying to put into the NRPM something that is really more a technical or a business or governmental or whatever. We can definitely look at it from a governance, from an ICP-2 perspective down the road, but I don’t think we’re anywhere near that. Thank you.

Alison Wood: Thanks, Kevin. Just a quick reminder again, this policy is maybe a month old. So I love the suggestion of involving the parties that would be affected by this, and I will certainly put that kind of on my work queue to be able to gather information from them.

Kevin Blumberg: No, no, please, I want to be very clear. My direction was abandon. Take everything that I said –

Alison Wood: Understood.

Kevin Blumberg: – but please don’t commingle the things that I’m saying. This actually has to be abandoned. It is out of scope.

Alison Wood: Thanks, Kevin.

Nancy Carter: Anything else online?

Hollis Kara: Nothing else online.

Nancy Carter: Going, going, gone. Thank you very much for all of your feedback. That was great.

Alison Wood: Thanks, everyone. I super appreciate it. (Applause.)

Nancy Carter: Where’s the photographer?

Alison Wood: If our photographer could take a quick picture of these shoes, they’re killing us.

Hollis Kara: If you could do that. And then if, Alison, when you go off stage, and, John, if you could come up, I think we’re going to move straight to Open Mic because we’ve been running a little bit long.

Everybody’s getting their pictures. Aww, smile. Aren’t they cute? So cute. All right, Christina brought the good camera this time.

Nancy, we’ll let you change your shoes. Okay. John, if you want to head up, I think we’re going to go to Open Mic next. Yes, after Nancy changes her shoes.

You can stay. If you’re up for it, you can stay up here. Otherwise, I was going to let you change your shoes. I’m trying to be nice. That’s what I get for trying to be nice, y’all. I want you to take a note. All right. It is now Open Microphone, so comments, questions, thoughts, feelings, opinions, anything else for the day, welcome to come to the mic.

Open Microphone

Dan Robinson: Dan Robinson, with Bedrock Fiber Group and VoIPster Communications. I was here yesterday with a gentleman in a wheelchair, and he wanted me to give you all this information. So I’m going to read it to you as he wrote it:

“Hello. My name is Andrew Mitchell. I am the resident and network engineer of VoIPster Communications and Bedrock Fiber Group IX here in Louisville, Kentucky.

“First, I would like to thank all of you for being able to take part in person in the last half of yesterday’s meeting and the Louisville Slugger mixer. It will, for me, go down as one of the honors of my professional career. I have never before been able to interact with so many peers in the industry that I love and originally got involved in as a means to offset my physical liabilities.”

For you that don’t know, Andrew has cerebral palsy, which is something that happens at birth. He’s been in a wheelchair for his whole life.

“I think all of us have an obligation to leave this wonderful industry in a better position than we found it for the next generation. While ARIN has only a responsibility to North America, we professionals work in an industry that is worldwide. So I believe we have an obligation to do what we can to make the world a better place.

“In my professional career, I have worked in many major cities. I have seen early adoptions of technology and seen those that you’ve had to drag and pull into it, kicking and screaming.

“Many years ago, I was hit by a car while crossing a road in my wheelchair. That hit-and-run driver changed my life forever and is the reason I come to you today, the proud owner of two businesses.

“When I first opened my company in Louisville, it was not long before I found what was missing in this particular market. Routing was terrible and most of the ISPs and WISPs in that area could not keep up.

“I created Bedrock Fiber Group IX and brought connections from MICE, KCIX, SIX – three of the largest nonprofit IXs in the US at the moment – to one central location in Louisville. In doing so, our customers have gotten to have reliable routing and lower latency than they were able to get before. At the moment, we are for-profit, but only until our investment has been recouped.

“I listened to much of the conversation about IPv6” – and this is something that’s dear to his heart – “I think it is important for all network operators to adopt, offer, and utilize IPv6. “Psychologists say it is human nature to fear things that we do not understand. Let’s be honest – many of us can calculate an IPv4 CIDR in our heads. I do not know of anyone who can do that with IPv6.

“Business psychologists say it is a businessperson’s nature to fear things they do not understand that would negatively affect their bottom line, even in the short term. The truth is, if you will not advance, you are left behind.

“ARIN is a nonprofit, and I know what I am about to suggest takes money for allocation. But if ARIN could put together a team of IPv6-knowledgeable individuals, then reach out to several different industries – including a school, a hospital, a retail chain, one local government, one state government, et cetera – and then agree to aid their staff in the implementation and deployment of IPv6 with the understanding that the ARIN communication team can record and use this event to make educational videos to share with the community and the public at large, I think that would go a long way to eliminate the fear of what is not understood.

“I would personally love to start a council that is a helping hand for anything related to the industry, be it IPv6, RIR, best security practices, or just provide resources to youth that might be interested in beginning a career in the industry that I love.

“I think having mentors like I had was the key in my personal development.

“Thank you for listening. These are just some of my thoughts. For those of you interested in discussing anything further, I will make sure that the ARIN staff has my email address and phone number.

“Thank you for your time.” (Applause.)

Kevin Blumberg: Kevin Blumberg, The Wire. Bingo. Seventeen years I’ve been doing this. Adair, thank you. All those that have come to the mic, thank you. The mic doesn’t bite. Okay. And as long as it’s not personal, the mic is a wonderful tool. I hope that more of you come up to the mic. There’s nothing stupid about answering something. There’s nothing stupid about asking.

We all need this. Okay. It’s really important, and I’m not going to be around much longer in terms of in this community at this mic. I am one of the longest. I think, Lee, you may be a little longer than me.

But a lot of us are now gone. We’ve gone off to different paths, different things, and the community, to be strong, needs more people coming up to the mic and just asking questions. That’s okay. It doesn’t have to be a statement. It can just be a question. And I think it’s really important.

So I will give my one last. My one last is I would like to arrange a couple sessions through this year for anybody who is interested in coming up to the mic so that we can do some history lessons and some of the cool things that you can ask and help people be able to come to the mic who may otherwise feel a little skittish about doing so.

So if ARIN is interested in having a couple of Zoom sessions on it, I am happy, and I would like some of the Fellows who have been here for many years to also come join me in offering our support in having other people come up to the mic. Thank you. (Applause.)

Tina Morris: Tina Morris, AWS, ARIN Board. I was going to pile on to that. I am somebody that didn’t go to the mic for probably my first six to eight years of participating. Now you can’t get rid of me. So it does work.

But I was going to say, more than Zoom sessions – maybe that’s a good start, but hearing your own voice on a microphone is scary the first time. So I know you guys build all this out on the Sunday before. Maybe open it up for people to get up on the stage, feel what the spotlight is like, hear their voice on a microphone, do all that before so it’s a little less scary.

Henrik Van Tassell: Henrik Van Tassell, Fellow. The first thing I’d like to say, it’s been a very long day, a lot of long discussions. So first thing is to leave you all with a joke.

An IPv4 address walks into a bar and says, “Bartender, get me a CIDR, I am exhausted.” I did steal that one from the Internet. I have no idea if it’s a common one, but I’ve never heard it before. But I’ve also never had an actual network engineering job, so I just play with the old switches in my rack in my garage.

With regard to the approachability of the Open Mic, I would like to say that, personally, it really helps if you make a lot of really bad YouTube videos as a kid to get comfortable with seeing yourself and hearing your voice, but I also do very much respect people who have – I have respect still for people who are otherwise afraid of coming up to the microphone and who make that step to do it for the first time.

This also has been a great experience as a first-time Fellow. So thank you. (Applause.)

John Curran: Thank you for that. I do think we need to do more to make people feel comfortable coming to the mic, prior speaker, and your comment as well.

The other thing I wanted to say is that IP address block that walked into the bar and was exhausted, he did get served, he got served a CIDR.

Nancy Carter: Who is winning?

Adair Thaxton: Adair Thaxton, Internet2. I thought we were too classy for CIDR jokes, John.

(Laughter.)

Kevin Blumberg: Kevin Blumberg, The Wire. No, I’m not going to make a joke. One of the things we discussed during our break was something called an omnibus.

And I want to now quote back, oh, 12, 15 years ago, wonderful man named Jason Schiller, who said, “I’ve been run over by the omnibus.” Because he came up with a beautiful, long policy to make a whole bunch of changes and nobody could agree because there were too many things and too many people had too many interests at the time.

One of the problems that I see with policy today is there’s lots of – and I will be direct – meaningless chatter on policy that doesn’t need changing, but we change it anyway because it gives us something to do. And I think that right now what we’re ready for is actually omnibus policies.

I think the community is ready for an entire Section 4 cleanup in one fell swoop, very similar to what was done with the RIR Governance Document. Start fresh. Start over. Do it right and done.

This is not for staff. This is for the community. We need an omnibus for [Section] 4, for [Section] 6, even for [Section] 8, whatever it may be. Do one section at a time, because, unfortunately, we are just – we’ve got a really big pot of soup, which is Section 4, and we keep stirring the same pot around. We need to do a new pot of soup, is really what it comes down to.

John Curran: So you say omnibus, and having lived through all this, I have to admit, the fate of some of the omnibus policy changes were entertaining, I guess, if you were watching from the outside and painful if you were near them.

Might I suggest you don’t need another omnibus, but what you do need is maybe some section-wide policy simplification proposals, someone take a section of NRPM and say: I don’t want to rewrite the whole thing, but I want to simplify this section and come up with something that has less words and more clarity.

I would not call it an omnibus because those tend to touch everything, and I think some of this can be done in a piece-by-piece portion. But if you want to do an omnibus, I won’t slow you down. You have been run over by a few yourself.

Kevin Blumberg: The term “omnibus” is an evil term, and, yes, we don’t want that.

Where this is coming from is what happened today with the LIR/ISP discussion, where we touched four things but realized that there were 42 things.

Then again, it happened with the IPv6 discussion, where we really could have simplified it and fixed it, but instead we’re moving a couple of deck chairs, as they liked to say in the old days.

The simplification, yes, but it needs to be a simplification where we’re compacting down rather than simplifying one part and leaving 18 parts that are the same thing in it. So, yes, I guess fundamentally I’m agreeing with you, but I think it’s a little bit more than the way you’re sort of describing it.

John Curran: It’s also true that if you simplify some of the sections, then the drag on something big, like the LIR change or other things, if you’ve simplified a whole bunch, then you can do cleanup a lot easier. So just –

Kevin Blumberg: Correct.

John Curran: So for people who don’t know who that is – he comes to the mic now and then – that’s Kevin Blumberg. If you want to get involved in his simplification omnibus program, find him.

Nancy Carter: Can we go to the online comment, please, Hollis?

Hollis Kara: We certainly can. Ashley, do you want to take this one or me?

Ashley Perks: I’ve got it. This is from Mark Brown, AT&T: A question for management team. I think a policy should be put in place to ensure AC and Board member term has a limit. Having one person on AC and Board for six or seven does not allow for fresh knowledge and ideas always flowing into the business of ARIN. A limit of three terms is good.

John Curran: We have a limit on Board member terms. After three consecutive terms you have to take two years off, right?

Nancy Carter: Correct.

John Curran: Your third term, you’ve stepped down and it’s a two-year status before you can run again. Regarding AC. I don’t recall if there’s a term limit. I’ll have to look.

John Sweeting: There is not.

Nancy Carter: There is not.

John Curran: But that can certainly be something – the Board is here and listening. They put the Board term limit in. They can hear the community. If you folks have strong feelings one way or another about an AC term limit, find someone with the Trustee badge and inform them accordingly. But point heard.

Nancy Carter: John?

John Sweeting: John Sweeting, Chief Experience Officer at ARIN. I just want to point out, like, we have a great Fellowship Program. And I hope the community has noticed over the last few years, more and more and more of the Fellows get up to the microphones.

That’s not just a coincidence. It’s the hard work of our Fellow program coordinator, Amanda. (Applause.)

The fact that the Fellows get – they participate in four virtual sessions leading up to every meeting. They get to share their ideas. They get educated on the policies and everything. They come in well informed. I’ve been blown away by the comments from our Fellows on the policy today at this meeting. I just wanted to acknowledge the Fellows and, of course, Amanda. (Applause.)

Leif Sawyer: Leif Sawyer, ARIN Advisory Council, former Chair, former Vice Chair.

We don’t have, as noted, term limits. However, the prior Chairs and current Chairs have all, somehow, decided on their own that they would term themselves out so that new people could have the opportunity to become a Vice Chair or a Chair.

We haven’t done that for standing members. But if you look at the number of years that the average AC member has been on, it is less than six. Two terms. Or three terms – no, two terms. So I did a policy – I did a report on this four years, five years ago. So if you’re interested in looking at those statistics, the number of years of knowledge lost per year, it’s in the history.

John Curran: Thank you.

Nancy Carter: Thanks, Leif.

Alyssa Quinn: Alyssa Quinn. I’m on the NRO NC, and I’m a stay-at-home mom. And it’s my first time back in over three years, and I want to echo the comments on the Fellowship Program. The quality of Fellows here is really good. And some great comments at the mic. So whatever you’ve been doing differently there is working. It’s great.

And then second, to just tack on to what Leif was saying about term limits. I don’t think there’s any issue with the AC. There’s been so much turnover. So many new faces, so many faces that I didn’t see three years ago. So that is certainly functioning as it should in bringing new faces and new talent.

That maybe wasn’t the case five or six years ago, but it certainly is the case now. And also happy to hear about the two-year breather for the Board. I think that’s great. Thanks.

Nancy Carter: Thanks, Alyssa.

Lee Howard: Lee Howard, ARIN Board of Trustees and retiree. I wanted to acknowledge the gentleman who read us that letter and the person who wrote that letter. I found it extremely moving. I really appreciate that.

And the kinds of requests for development that you’re asking for – I’m not speaking on behalf of the Board, obviously, I haven’t had a chance to talk to the Board yet – some of those things are a little bit outside of what ARIN typically does, but ARIN does have a potential role as a convener, and we do have a lot of expertise in the community, and I look forward to talking with you more and hearing more, thinking more about how we can support and help.

One thought that immediately occurred to me is that there is a community in Louisville of networking people, whether in the industries that you mentioned or specifically in network operating capacities, and I don’t know if there’s a Louisville NOG, Network Operators Group, but just getting people together to just share their best practices and their lessons learned is something that there are support organizations – NANOG is supporting local Network Operators Groups getting started up, and so there was already some people here who can probably bootstrap that. Of course he’s already done some of that.

So that’s excellent. I look forward to seeing more of that kind of growth.

John Curran: Excellent.

Nancy Carter: Thank you, Lee.

John Curran: Thank you, Lee. (Applause.)

Nancy Carter: We have a comment online?

Hollis Kara: We do. Mathias Robles, High School of Navigator Academy of Leadership Davenport: I’m curious about the Policy Implementation and Experience Report presentation, specifically what was in the last slide about possible options to encourage IPv6 adoption, and I would like to say that I agreed with those proposals.

Nancy Carter: Great. Thank you.

John Curran: I will speak a little out of turn and say this is now the fourth time I’ve heard it in two days, including a number of trustees.

ARIN has a difficult situation because we want to make sure we support you. If you need ASNs, you need ASNs; you need IPv4, you need IPv4; you need IPv6 – and while we’ve encouraged people to make use of IPv6 and move to IPv6, we also want to be calibrated with the community regarding how much advocacy we do there.

I will tell you, in the last two weeks, I’ve heard more calls that ARIN needs to do more advocacy than I have in many, many years past. So it’s possible that maybe it was the magic of Google stats hitting 50 percent so now we’re on the other side of the hill, or it could just be some of the great – we had a great keynote presentation, but in any case, we are hearing a lot more people saying we should get more involved in advocacy.

I will tell you now, if you think we shouldn’t, definitely tell a trustee that soon. Okay?

Kevin Blumberg: Kevin Blumberg, The Wire. Okay. Couple things, quickly. Just first, term limits for the ARIN Advisory Council: Yes and no. So I looked – there’s a lot of people – it’s a pretty good mix, actually. It refreshes itself. That’s great.

But there are some people that have been on there more than a decade, and maybe for their own sanity, having a policy that helps them with the decision is a good thing.

But what you lose, which is the key part here, is you lose a historical understanding.

So maybe what would be helpful is, just like you have an appointed position in the NRO NC, you appoint somebody to act ex officio to the Advisory Council to help them with some of the history, that isn’t elected, that is just there to act as a, you know, a community member rather than staff doing it. That’s so –

John Curran: Interesting thought.

Kevin Blumberg: It’s just a thought for the Board, but I do think that sometimes you have to help people. It’s sane to do that. Right.

Next, you and I just got into a little tit-for-tat the last time in regards to the Policy Block, John Sweeting and yourself.

I did a little bit of digging. 12 1/2 minutes. The last 10 years. 10 years, the average policy has been 12 1/2 minutes. Every single meeting, for the last 10 years, it has worked out to 12 1/2 minutes. So ultimately, ARIN does give whatever time. We saw that with the policy earlier, but it’s boxed.

I’m suggesting that you unbox it a little bit more and work with both, because you control the scheduling and they control – try to work with it – but there is math that is showing that there is a boxing that’s going on.

And the discussions that we had today, while they weren’t cut off, thankfully – I appreciate that, you were really great – in the past I’ve been told: Mics are closed, we’ve got to move on. I don’t want to hear that again. That’s all.

John Curran: The point is well taken. I will say that, for scheduling purposes, we don’t like scheduling less time than is necessary like today because it takes presentations and either sets them aside or pushes them. So it does seem as though we need more room there. And so we’ll schedule accordingly.

Kevin Blumberg: Thank you. And have a great rest of the day, everybody. I’m not going to keep you from anything else.

Nancy Carter: Thank you, Kevin. Tina?

Tina Morris: Tina Morris, AWS, ARIN Board. Seems to be my role today to comment on Kevin’s stuff. So I’m just going to come up and I’ll go through it sequentially.

For one, term limits, yes, Leif, you are correct. We don’t typically need them. But I think having a forced break every decade for every role we do is a very reasonable thing. It allows for new people to come in. It lets us as volunteers realize that we might be tired and we need a break.

But it’s not a brain drain. I look around this room, and off the top of my head, I see about 10 former AC members. All of us are available to the AC, and maybe that’s what we need to do. We need to have, like, “Dial a Gray Beard”, you know?

(Laughter.)

Invite us to an AC meeting if you want the history. Why not? Why can’t we do it that way? We don’t have to lose that talent, and we don’t have to have an ex-person on there all the time for that. We’re available. We don’t need to go away.

But I do think term limits are healthy. It helps us frame our minds around growing new people. I know it’s completely changed the way the Board talks about our terms. I think term limits for everything. I’d love to see them for the NRO. I’d love to see them for the AC. If we never need to implement them, fine, no harm.

John Curran: Understood. And the term limit is a cumulative year served. It’s not a permanent ban. It’s a pause. If you feel passionate, you can come back.

Tina Morris: I think that’s a really important thing because we don’t want to make it a ban. I never want that. I just want you to take a break every decade.

John Curran: Right.

Dan Robinson: Dan Robinson with VoIPster Communications. I’d like to thank you all for what you said. But one of the reasons that Andrew brought that up is that – I’ve been involved in the computer community here since 1991, and I will tell you that one of the biggest problems we have had in this community is the good old boys. It gets to be a real problem because, just as someone said many years ago, would we elect a president in a wheelchair now?

Andrew is in a wheelchair, and he gets overlooked because he’s in a wheelchair. And I’ve never met anybody who has the intelligence and the abilities that he has. I have never seen him ever not be able to solve a network issue, no matter how intense it was.

And one of the problems we run into here is that it’s all about presentation and how you look, who you are, and who you know. That’s why his thing is that if we had someone like ARIN or some other group who had some authority, who would be able to coalesce people in the understanding, hey, we think this is what you need to do because. And not because it’s convenient, but it’s because it’s the future. And that’s his big thing with IPv6.

So that’s what I wanted to point out. Thank you.

John Curran: Thank you. Thank you very much.

Mike Burns: Mike Burns, IPTrading. I’d like to voice support for AC term limits.

And I have a rather mundane request involving the search capabilities for the PPML archives. I find them very difficult to search globally, and I use Google for that. And I wonder if there’s any provision to be made to search all the archives for keywords or something. Maybe it exists, I don’t know.

John Curran: In theory, you can use the search on the ARIN webpage to do qualified searches. I will say I’ve had mixed results myself and often gone to Google or something else to go parse them.

If there’s a cost involved in engines that are better for searching in terms of licensing and installation and maintenance and all, we can do it. I’ve had the debate back and forth on how much to invest in the search.

If you say you want really great golden search, then we can spec it out. It does add a little cost to the organization is all.

Mike Burns: I’d settle for silver search. And my second question, do you use a robots.TXT file to prevent Google searching at all?

John Curran: No.

Mike Burns: Thank you.

John Curran: No. Let me confirm. Mark or someone? John? Can you double-check the robots file? I don’t think we have a robot.TXT that prohibits – I see Mark coming. Thank you, Mark.

Mark Kosters: Mark Kosters, CTO. We do have a robots.TXT on the RDP servers.

John Curran: For the RDP servers.

Mark Kosters: Yeah, because we were getting hit pretty hard.

John Curran: Right, okay. But not for the web server?

Mark Kosters: But at the web server itself, no.

John Curran: Okay. Thank you.

(unintelligible question from the room)

Mark Kosters: At the robots.TXT? So the robots.TXT is basically something that robots try to honor so that they don’t crawl your website.

John Curran: “Try” is a very important word there. Yes – wait. You left, Kevin.

Kevin Blumberg: Yes. Mike, thank you. Kevin Blumberg, The Wire. Mike, we use a lot of AI tools to find the information, but I’d actually now take it back to John on this one.

You are far better off having a baby LLM –that is, we can search NRPM, than letting the LLMs invent and hallucinate stuff. So this is a great example of, if you don’t have the tool, we’re going to use the wrong tools.

So, yes, you can use – they find all of it, but they invent stuff. A baby LLM that’s literally there to heuristically find things is probably very inexpensive and maybe –

John Curran: Right, that’s true. There is now other options other than the commercial search engines.

Kevin Blumberg: Right.

John Curran: Yeah, good point. We will explore.

Nancy Carter: Anything online?

Hollis Kara: Nothing online.

John Curran: Going once, going twice. Thank you for having us.

Nancy Carter: Thank you very much. (Applause.)

Closing Announcements

Hollis Kara: All right. We’re going to wrap this up because I know we’ve run a little bit longer than anticipated. Clearly y’all really did not want to hear about data accuracy today. Don’t worry, we’ll make you hear it tomorrow.

Thank you very much for being here. Thank you very much for all of the lively dialogue.

Thank you to our Network Sponsor, Spectrum.

Round of applause, please. (Applause.)

Our Platinum Sponsor, AWS. (Applause.)

Our Silver Sponsor, IPXO. (Applause.)

And our espresso bar host, Verisign. (Applause.)

Give us about 45 minutes and we’ll have that daily recap blog up for you. There’s a lot to process. Actually, maybe give us an hour, if I’m being honest.

And then please note that we will be circulating the link to the meeting survey. Probably, I think, it will go out in your email tomorrow. But we will really want to hear from you on how we’ve done this meeting, things we can improve in the future.

And by completing that, you’ll have the option to be entered in a drawing for a Nintendo Switch 2 console.

Tomorrow will be our last day. Please join us for breakfast. Note, we will not be down on the second floor in the Daisy room tomorrow. We will be up on 25 in Waterford, where we had the Welcome Reception. So we’ll have a nice view of the city to close things out. Meeting will begin here at 9:00 AM.

And with that, I hope everyone has a restful or fun evening, whichever you prefer. Thank you. (Applause.)

(Meeting adjourned at 4:55 PM.)

ARIN 57 Public Policy and Members Meeting, Day 2 Transcript - Tuesday, 21 April 2026

On this page

Opening and Announcements

Engineering Update

Information Security Update

Routing Security Update

Community Grant Reports

Markdown Integration for GNU AutoGen

IPv6 Test Pod

From Raw To Ready: Visualizing RDAP with RegCtl

Internet Governance 2025-2026

Caribbean Collaboration 2025-2026

Policy Block 1

Draft Policy ARIN-2025-1: Clarify ISP and LIR Definitions and References to Address Ambiguity in NRPM Text

Draft Policy ARIN-2025-3: Change Section 9 Out Of Region Use Minimum Criteria

Draft Policy ARIN-2025-6: Fix Formula in 6.5.2.1c

Draft Policy ARIN-2025-7: Make Policy in 6.5.8.2 Match the Examples

Policy Block 2

Draft Policy ARIN-2025-8: Reserve 4.10 Space for In-Region Use

Draft Policy ARIN-2026-1: Taking IP To Other Planets (TIPTOP)

Open Microphone

Closing Announcements

Related