ARIN XV Public Policy Meeting Minutes, Day 3, 20 April 2005
Call to Order and Announcements
Speaker: Ray Plzak, ARIN President and CEO
Ray Plzak opened the third day of the Public Policy Meeting and made announcements. Ray offered information on the Terminal Room, the Registration Services Help Desk, and the ARIN XV meeting survey. He also thanked the ARIN XV sponsors: Native6, Smart City, and NTT Communications.
At the beginning of the day there were approximately 100 people in attendance.
John Curran, as Chairman of the Board, moderated discussions throughout the day.
[ARIN offered the opportunity for remote participation throughout the meeting. Comments from remote participants were read aloud at the meeting and are integrated into these meeting minutes.]
Internet Number Resource Status Report
Speaker: Leslie Nobile, ARIN Director of Registration Services
Leslie Nobile presented a joint RIR report on the current status of all IPv4, IPv6, and Autonomous System number resources as of March 31, 2005. This report is updated several times per year by the NRO and provides up-to-date statistics on rates of IPv4, IPv6, and AS number consumption. She stated that this is the first time the NRO has integrated AFRINIC statistics into the report.
Question: Is it fair to characterize the current trends as being analogous to the trends from, say, 1998 to 2001? It looks like we're approaching the same kind of curve as we were then. It appears that this will be a big year in both IPv4 and IPv6.
Leslie responded that ARIN does not usually make predictions, but that ARIN is seeing the same trends, especially in its own region, and other regions have growth starting to go up again.
IPv6 Round Table
Speakers: Lea Roberts, Thomas Narten, David Conrad, Geoff Huston, and John Curran
Three segments of the panel discussion were: (1) use of the HD-Ratio and the /48 default allocation size to an end-site; (2) reservations; and (3) the ITU proposal for national IPv6 registries.
David Conrad presented slides prepared by Geoff Huston that explained current IPv6 policy and calculated the effects of a higher HD-Ratio. Increasing the HD-Ratio from 0.8 to 0.94 gains about three more bits. Moving away from /48 allocations and dropping them to a /56 will recover another 8 bits.
Lea Roberts began a discussion on the /48 default allocation size, as taken from RFC 3177. She suggested a /56 allocation and perhaps even a /60. Bill Darte then offered some historical observations on IPv4 address allocations and stated that in St. Louis many of the largest organizations are not interested in IPv6 addressing yet because there is not an immediate need to move away from IPv4.
John Curran stated that ARIN will allocate address space according to the policies adopted by the membership and that the responsibility of making that space available and handling its stewardship is an awesome responsibility. At the end of the day, it is up to the members to decide what should be done and up to the Board to verify that the policy process the members approve of followed the Internet Resource Policy Evaluation Process thoroughly and completely.
Thomas Narten presented a brief overview of the allocation process and stated that if you want to preserve aggregation over the long haul, the RIRs need to maintain some sort of reserve. The goal is for subsequent assignments to be adjacent so a single aggregate covers old and subsequent allocations. Reservations can be explicit, implicit, or dynamic. At some point you have to make a decision about chopping up the space and eating into the reserve, or holding the reserve for some amount of time in the future in anticipation of additional growth. If you don't hold sufficient room for growth, you're going to get address space fragmentation. One of the goals for IPv6 is to get much better aggregation than we got out of IPv4. The time frame I think we actually want to consider is on the order of 10 years or perhaps longer, as opposed to 18 months to 3 years. If you look at the current proposal we've been talking about, like the policy that was approved or read yesterday, 2004-8 mentions reservations, but the details about how big a reservation, the time frame, and so forth are completely unspecified at this point. I would assert there is a need to develop consensus recommendations that all the RIRs are comfortable with in terms of what the impact will be long-term, like IPv6, and achieve the shared goal of preserving long-term aggregation.
The final topic was the ITU proposal for national IPv6 registries. Geoff Huston's presentation included possible issues with the ITU plan. Issues include the possibility of 200 different policy regimes and policy confusion; inability to align to regional and global business models; no visible relationship to known routing capabilities; creation of competition regimes based on policy dilution; elimination of common interest in one network; compromise of any hope to enhance routing integrity and security; and creation of further churn in perceptions of stability and viability of IPv6.
NRO Activities Report
Speaker: Ray Plzak, ARIN President and CEO
Ray Plzak gave a presentation on the Number Resource Organization. Some highlights include:
- AFRINIC, upon its final recognition by ICANN, is now a full member of the NRO. Axel Pawlik, as current chair of the NRO, and AFRINIC will sign a joinder to the NRO MoU at the AFRINIC-2 meeting in Maputo, Mozambique, April 26-27, 2005.
- Ray noted that all of the RIRs have contributed money, staff, and other resources to help AFRINIC get started.
- The registries that previously allocated resources in Africa will complete transfer activities and other formal documentation indicating transfer of registration and accounting records at the AFRINIC-2 meeting in Maputo, Mozambique, April 26-27, 2005.
- The executive council officers rotate on an annual basis. This year, Axel Pawlik is the chair; Paul Wilson, last year's chair, is a member; Raúl Echeberría is the Secretary; and Ray Plzak is the Treasurer. AFRINIC is not taking on many NRO duties this year.
- LACNIC is the Secretariat this year, which means that Adriana Rivera is the Communications Coordination Group Chair and Fredrico Neuevez is the Engineering Coordination Group Chair.
- The Communications Coordination Group is working on the NRO website, information items, press releases, and other documents, and is working on a strategy and plan to continue these efforts.
- The Engineering Coordination Group is working on developing several services, including joint WHOIS and CRISP.
ICANN Activities Report
Speaker: Doug Barton, IANA General Manager
Doug Barton gave a presentation on ICANN and IANA activities.
- ICANN, in general, and specifically as part of the IANA function, is trying to improve the performance and the timeliness with which it fulfills requests from stakeholders.
- IPv6 unicast requests take longer because there is currently no global IPv6 allocation policy. IANA has been working with the RIRs and other interested members of the community to determine the best strategy for allocating IPv6 and how the operational aspect of the arrangement between IANA and the RIRs should interoperate with the yet-to-be-determined global allocation policy. In the meantime, IANA has established a framework under which it can move forward with IPv6 allocations on a case-by-case basis until a global policy is adopted.
- IANA usually achieves a one-day turnaround on AS Number allocation requests because it's a simple allocation process, though it took 2 days for an ARIN ASN request in February.
- IANA has hired Barbara Roseman as its Operations Manager.
- IANA has implemented a request tracking system and is working on an integrated project management system.
- The ICANN Strategic Plan has received extensive public comment, including input from the NRO and the ASO AC. ICANN will refine the Plan as it goes along, and Doug thanked the community for its input.
- IPv4 global allocations policy has been approved by the ICANN Board and is now fully in effect.
Number Council (ASO AC) Activities Report
Speaker: Sanford George, NRO NC and ASO AC Member
Sandy George began his presentation by explaining that the NRO Number Council now fulfills the role of the ASO Address Council. He also explained the new election and appointment process to the NRO Number Council and identified ARIN's current representatives as well as the representatives from the other RIRs.
- Two physical meetings this year will take place in Maputo, Mozambique during AFRINIC-2 and Vancouver, BC, Canada, during ICANN.
- Discussed and submitted comments to ICANN on its Strategic Plan.
- Discussed the status of the IPv4 global allocation policy, which ICANN approved on April 8, 2005.
- Discussed AFRINIC's recognition as an RIR and planned a formal welcome for representatives of the AFRINIC region to join the Council.
- On April 6, ICANN put out a call for public comment on proposed review procedures for ASO policy proposals. The call is open until April 28, 2005.
- ICANN adopted the bylaws regarding the new MoU on April 8, 2005.
- The next ICANN meeting will be held in Luxembourg City, Luxembourg, July 11-15, 2005.
Speaker: Ray Plzak, ARIN President and CEO
Ray Plzak presented the first AFRINIC update after its final recognition as the fifth Regional Internet Registry on behalf of Adiel Akplogan, AFRINIC's CEO.
- Completed the transfer of member information, registration information, and billing transfers.
- 4 employees so far, with a fifth on the way.
- 10 new members since February. Seven have paid their bills already. They've made 15 allocations. Given the size of AFRINIC, these are significant numbers.
- AFRINIC is the first continent-wide organization in Africa to deal with the Internet, so it is causing significant activities in the political arena.
- AFRINIC is involved in the World Summit on the Information Society (WSIS) discussions.
- Two public policy meetings planned for this year; next week in Maputo, Mozambique, and then in November in Cairo, Egypt.
- Developed training materials in English and French.
- Launched new website at http://www.afrinic.net.
- Billing information is being merged into an AFRINIC database from three different RIRs with three different sets of banking and accounting laws. The newly hired Chief Financial Officer and the billing departments of all the RIRs are working to make the transition as smooth as possible. AFRINIC will be doing credit card payments by the end of April. AFRINIC is also looking to integrate their billing and registration services databases.
- Currently developing a policy and procedure for bulk data access.
- Ongoing discussions to use a single routing registry for allocation in the AFRINIC region.
- Three current policy discussions: experimental and temporary allocations; IPv4 assignments to end users; and Autonomous Systems number assignment. A fourth policy discussion is the global IANA to RIR IPv6 policy.
Speaker: German Valdez, Policy Liaison
German Valdez presented the LACNIC report on behalf of Raúl Echeberría, LACNIC's CEO.
- Training session in 7 countries, with more than 300 participants, covering more than 80% of LACNIC's membership. More training planned, to focus on IPv6.
- Promoting IPv6 in the region, to include changes to the IPv6 policy, fee waivers, research funding, training, and working with the IPv6 Task Force in Latin America.
- New policy: IPv4 Minimum allocation size. Implemented. (/21 new minimum allocation for ISP.)
- Sponsoring small research technology projects through a program called FRIDA.
- New policy development process in place.
- Will deploy F-root service in Latin America, beginning in Caracas, Venezuela, in May 2005.
- Open Policy Forum Chair – Christian O'Flaherty (IMPSAT)
- Topics under discussion:
  - IRR services for LACNIC
  - IPv6 policy IANA - RIR
  - Recovering resources
- Resource Recovery: 316 ASN holders with whom LACNIC did not have contact. A direct contact campaign was held during 2004 to update information and collect fees. Also a campaign to contact all members to inform them of elections and meetings, encourage updated information, promote mailing lists, and solicit input on LACNIC's services. 32% of the members participated in the election for board members.
- Involvement in WSIS, WGIG, regional forums, and local governments.
- Next meeting will be held in Lima, Peru, June 27-30, 2005.
Speaker: Paul Wilson, APNIC Director General
Paul Wilson presented an update on APNIC activities.
- IPv4 allocations have been accelerating. APNIC made a single /8 allocation to an ISP in Japan.
- IPv6 allocations still fairly slow, which has to do with the per-address fee issue that applies to ISPs in NIR areas to include Japan and China, where there are some very significant candidates for large IPv6 allocations. APNIC has recently adjusted those fees in the case of allocations of IPv6 address space to IPv4 infrastructure, and we expect that there will be some uptake of all these allocations as a result.
- Soon-to-be deployed ISP support website that provides online resources to help ISPs, particularly those in developing countries, with access to useful information about various technical aspects of operating ISPs. It will be a wiki-type model, which seeks contributions from the community.
- Adding VOIP access to the help desk.
- Developing a resource certification in line with RFC 3779, support of secure BGP.
- Extended training activities, including or soon to include DNS, a routing workshop, IPv6, spam, and security.
- APNIC board member visits to government representatives about certain aspects of their domestic policies, including Korea, where there was legislation which requires ISPs in Korea to receive their space from KRNIC, the national agency. The NIR structure is not, and is unlikely ever to be, a monopoly situation for the NIR service provision in the country. ISPs in any particular country have a choice to join APNIC directly or receive their address space through the NIR.
- Direct support of deployment now of 10 root server areas around APNIC's region in collaboration with mostly F and, also, I, K, and M. And we're working actively this year on five or six more of them around the region.
- Implemented three policies; one in last call.
- Surveying membership on how IPv4 address space is being managed and how it might be managed better with the introduction of HD-Ratio-based utilization.
- Next meeting will be in Hanoi, Vietnam, September 6-9, 2005.
RIPE NCC Report
Speaker: Axel Pawlik, RIPE NCC Managing Director
Axel Pawlik presented a report on activities in the RIPE NCC region. His report included updates on policy, registration services, membership, training, and RIR coordination.
- Finalizing a documented policy development process.
- Policy discussions include IPv6 and utilizing the HD-Ratio in IPv4 address allocations.
- Document to be published soon on WHOIS: what's in the database, what should come in, what shouldn't go in, what should go out, etc.
- Revised our course materials for the LIR training. Working with AFRINIC on computer-based training.
- Made database infrastructure changes. Engineers are busy fixing old systems, including resource management systems.
- Holding regional meetings. Next one to be held in Kazan in June 2005.
- New initiative on the roundtable on Internet management governance or coordination. RIPE NCC invited governments to come for a short workshop to get some verification on some issues. About 30 came in March for a small, but useful meeting. Next meeting to be held in conjunction with ICANN.
- RIPE 50 will be held in Stockholm, Sweden, May 2-6, 2005.
Moderator: John Curran, Chairman of the Board
- During brief comments on Tuesday the issues raised were in regards to a problem with bogon filters by somebody from Shaw and separately regarding problems with blocklists and the possible relation of that to bogons by a person from SBC. I'd like to address some of the concerns raised and provide clarification of the problems, some of which are specific to the companies mentioned. Before I begin I would like to first apologize for the length of my text as there are a number of separate issues here that have to be explained.
First of all regarding bogons it is certainly true that those who get allocations from new /8 blocks experience some problems with connectivity. This is largely due to static bogon filters that some ISPs use, and it did not help that Cisco was for some time selling routers that came with a security auto-configuration feature with a static filter of unassigned IANA /8 blocks that were known at the time the router was made. These routers do not have an auto-update feature for this filter and unfortunately the majority of them are used at the ISP edge by smaller companies that do not have an IT department dedicated to Internet engineering that could regularly update the bogon filter. The situation is now better as the IANA unallocated filter has been removed from the default security configuration of the newly sold Cisco routers, and those that have the old static filter, as well as ISPs that similarly use a static bogon filter, are being identified by efforts such as the one ARIN is going to participate in when testing connectivity of its new 73/8 block. If other ISPs here would like to help, I would encourage you to check with your T1 and similar customers and especially ask if they had either set up a bogon filter on their own or used the autosecure command on a Cisco router bought within the last 18 months, and if so help make sure that the bogon filter is removed or kept updated.
Another bogon-related issue for ISPs is making sure that the IP block being announced in BGP correctly matches the size of the IP block allocation listed in ARIN whois. If it's not, then those users on the part of the IP block that has no whois allocation data may see themselves blocked by a bogon filter. As an example, currently Shaw Communications is announcing in BGP network 220.127.116.11/13, whereas the corresponding IP block in ARIN whois is 18.104.22.168 to 22.214.171.124, which means almost 1/2 of the announced block is bogon. This also causes the entire block announced in BGP to appear as an active bogon in some monitoring systems such as the ones run by completewhois.com or seen in the weekly cidr-report. I'm sure in this case, as in many others, this was not intentional and simply an oversight or miscommunication to the network engineering team as to the expected size of the ARIN allocation, and improved internal company communication and double-checking would help to avoid problems like this.
Moving on to the comments made by the gentleman from SBC who noted that individual IPs are sometimes reported as being blocked by a bogon filter. It should certainly be noted that the number of users who are doing bogon filtering on individual computers or with a specific service such as mail has increased 100 times or more in the last 12 months (at least based on logs at the completewhois DNS-based bogon service, and that does not account for all those who download the entire bogon list on a regular basis with ftp, rsync or http), but all such bogon data is kept accurate and updated daily and there were no serious errors with the data in at least a year, so except for a few cases such as the one mentioned with Shaw, the users should not see their individual IPs blocked by a bogon filter. Instead what is happening is that many end-users who use bogon filtering may also be using a number of other blocklists, especially for mail filtering. Some users would then get confused as to exactly which of the blocklists was responsible for the inability to communicate and may blame the bogon filter when it is almost certainly not the problem. This may be the result of either human error or a technical problem; for example openrbl.org, which some use to determine if an IP is on any blocklist (and if so which one), has a problem with their algorithm as they use string comparison instead of numerical and this results in errors in about 5% of what they report as a match. For this and similar reasons any reports of an IP being on any blocklist should always be double-checked by ISP staff by using dig or a similar utility to document and verify exactly which blocklist is a problem.
Further I remember that the gentleman from SBC mentioned that they ran into problems with delisting of the IPs from some blocklists and he complained that somebody was asking them $2000 for it. I find this highly unlikely and while I don't pretend to have a list of every blocklist ever used or know all their policies, all the major ones I'm aware of do not operate in this way and are maintained based on donations or support of those who use the blocklist. None of those I know ever ask for money for delisting with the exception of SORBS (and I don't support their policy in this regard) that does ask for $50 (but not $2000!) to be donated to a charity and that is only to get the case expedited as otherwise listings there would still be removed, it may just take longer. So the issue is not likely to be money if an ISP block or IP is listed, but the time it may take for ISP techs to get in touch with the blocklist operator and answer their questions (usually to make certain the reported abuse has been dealt with).
Next it was also noted by the gentleman representing SBC that while abuse only came from one or two specific IPs (often due to viruses or a user computer becoming a zombie controlled by a spammer) larger ISP blocks are ending up in the blocklist. Again I don't pretend to know the policy of every blocklist, but I do know that many if not the majority do lookups in ARIN whois to try to determine the size of the block to be listed. And while some blocklists would only limit to individual IPs, it's often enough that abuse comes from several nearby IPs and usually the problem is several computers on the same LAN (easier for a virus to spread, and if more than one computer is vulnerable it's likely that the same organization may have a security problem and other computers that are vulnerable too) and as such the preventative measure has been to expand the listing to the entire IP block as listed in the end-user assignment.
In the case of SBC, this may have caused some additional problems. In particular for the last 18 months SBC has been listing in whois large blocks (such as /22) as "Residential Customer / Private Address". While I originally thought myself the listing should be for just one customer (as per my reading of the 2003-3 policy), after further research, I came to believe that the majority of such /22s are combined listings for many individual residential DSL customers with actual user assignments varying from /32 to /26 and that SBC is choosing to consolidate it all into one reassignment. Blocklist operators may also be confused by this and believe that it really is one reassignment and not multiple SBC customers.
As my interpretation of 2003-3 is different than the use by SBC described above, I would like to see ARIN staff provide their position as to whether consolidation of multiple reassignment records into one very large one and listing it all as "Private Customer" is in accordance with the policy. In either case it does seem that this use is causing misunderstanding as to the size of the exact block assigned by SBC to a customer and this may well be part of the reason for larger SBC blocks getting listed.
I hope in the above remarks I clarified some of the issues in regards to bogons and blocklisting. If you do have more comments on these subjects, please raise them further on ppml or another appropriate mail list.
- Lee Howard requested that the remote participant send his comments to the Public Policy Mailing List.
- Dave Wodelet thanked William for his comments and stated that he wanted to see that sort of discussion. If we have a problem in some aspects of advertising a block larger than we actually have, he wasn't aware of it and will certainly look into fixing it. Not sure why that results in the lower half not being advertised. We can check into that, but I certainly appreciate his response and hope we can use some of those things to resolve the issue. From the ad hoc investigation we did, I don't think the problem was with the bogon list out there. From what I can see, they seem to be updated on a regular basis as soon as they are allocated a block. Again, if anyone has any other information, please, let us in or send us that list and we can look at it.
- Dave Barger addressed William's statement about the apparent practice of putting WHOIS entries out there with /22s marked as private customers. I believe we had a situation a number of months ago where we had a SWIP error. We had a couple of blocks that got stuck out there; we found them, and we fixed them, and that fixed the problem. SWIPping is not a perfect science and sometimes mistakes are made. As most of you probably know, I was the one who was pushing a lot of the private customer policy over the last year and a half or so. ARIN has a policy related to what can be done with residential customer information, and we, along with I'm sure everybody else in this room, abides by that policy. And I guess on the black list and things like that, there are so many black lists out there; there are a lot of different policies to go through to remove blocks through these people that operate the black lists. In fact, there are so many out there that I'm sure others' experiences are different from ours. But what I said the other day was just based on those black lists we run across, and there's a lot of them out there with some rather strange policy.
John Curran reminded Dave to respond to William's posted comments to PPML.
- Paul Vixie stated that he created the first black hole list, and the lawyers at the time advised him against calling it a black list, and now he sees why. The problem with black hole lists, as John Gilmore warned at the time, was that this was the beginning of the end. Every organism that has an infection will either die or develop an immune system. Since nothing else was going to stop the abuse that happened -- and you can blame me for setting the example creating the technology standards others are following -- but I want to say it's in our power to make these black hole lists go away.
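The two verifications raised in the remote participant's comments, as an added example that is not part of the minutes or of any tool named in them: checking that a BGP announcement is fully covered by the whois allocation, and matching an address against a listed range numerically rather than as text before confirming with dig. All addresses and the zone `bl.example.org` are constructed placeholders, and the string comparison illustrates the class of error only, not any service's actual code.

```python
import ipaddress


def uncovered_by_whois(announced, alloc_first, alloc_last):
    """Return the parts of a BGP-announced prefix that lie outside the
    whois allocation range, i.e. the space a registry-derived bogon
    filter would still treat as unallocated."""
    net = ipaddress.ip_network(announced, strict=True)
    allocated = ipaddress.summarize_address_range(
        ipaddress.ip_address(alloc_first), ipaddress.ip_address(alloc_last))
    remaining = [net]
    for block in allocated:
        kept = []
        for part in remaining:
            if not part.overlaps(block):
                kept.append(part)            # untouched by this block
            elif part.subnet_of(block):
                continue                     # fully registered, drop it
            else:                            # block lies strictly inside part
                kept.extend(part.address_exclude(block))
        remaining = kept
    return sorted(remaining)


def in_range_numeric(ip, first, last):
    """Correct membership test: compare addresses as integers."""
    addr = ipaddress.ip_address
    return addr(first) <= addr(ip) <= addr(last)


def in_range_string(ip, first, last):
    """Deliberately wrong: lexicographic comparison of dotted quads,
    which orders '10.20.x' between '10.1.x' and '10.3.x'."""
    return first <= ip <= last


def dnsbl_query_name(ip, zone):
    """Name to look up (for example with dig) to confirm a listing:
    the IPv4 octets reversed, followed by the blocklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    # Constructed case: a /13 is announced but only its lower /14 is in whois.
    gap = uncovered_by_whois("10.8.0.0/13", "10.8.0.0", "10.11.255.255")
    print("announced but not in whois:", [str(n) for n in gap])

    # Constructed listing covering 10.1.0.0 - 10.3.255.255.
    first, last = "10.1.0.0", "10.3.255.255"
    for ip in ("10.2.7.9", "10.20.0.1"):
        print(ip,
              "string match:", in_range_string(ip, first, last),
              "numeric match:", in_range_numeric(ip, first, last))

    # Hypothetical blocklist zone; the resulting name is what staff would
    # query to document which list actually returns an answer.
    print(dnsbl_query_name("192.0.2.99", "bl.example.org"))
```
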
Closing Announcements and Meeting Adjournment
Speaker: Ray Plzak, ARIN President and CEO
Ray Plzak made closing announcements and adjourned the Public Policy Meeting at 12:30 PM EDT.