ARIN 43 Members Meeting Transcript - Wednesday, 10 April 2019 [Archived]

Please Note: This transcript may contain errors due to errors in transcription or in formatting it for posting. Therefore, the material is presented only to assist you, and is not an authoritative representation of discussion at the meeting. If additional clarification and details are required, videos from our original webcast are available on our YouTube channel.

For an executive summary of this day of the meeting, read the daily digest on the TeamARIN website.

Members Meeting - Opening Announcements

John Curran: Good morning. If people will come in and be seated, we’ll get started. Welcome to our third day at ARIN 43. This is our ARIN Members Meeting.

We’re done with our policies. We’re now going to hear from the organization and how it’s doing.

A couple of announcements first. Thanks to our sponsors, C&W Business and Google.

(Applause.)

I’d also like to thank our meeting sponsors, Platinum Sponsor Addrex and Silver Sponsor IPv4Mall.

(Applause.)

It’s the sponsors that make it possible for us to meet and find locations like this.

Okay. We’re not going to have a lot of discussions, but we will have an Open Microphone. And if you approach the microphones during the Open Mic, please do so courteously.

Today’s agenda, we’ll have departmental updates. We’re going to have Communications and Member Services, Engineering, Registration Services, Financial Services, our HR and Administration Department.

We’ll have a report from the ARIN AC. We’ll have a Financial Report. We’ll have the Board of Trustees Report. We’ll have an Open Microphone. And then we’ll close the meeting.

Okay. Help Desk, still available out there. Wonderful. The last chance really, today and tomorrow. If you have a question, go to the Help Desk.

Don’t forget your meeting survey. We improve the meeting based on your feedback. Big issues, small issues, suggestions, complaints – fill out the meeting survey. We’d love to have the feedback.

And after ARIN 43, we’re going to be – after this meeting ends, we’re going to have CaribNOG, which will be going on actually this afternoon, Thursday and Friday. And we have an ARIN in the Caribbean CTU Public Policy group meeting taking place.

And at the head table – Dan, Peter, Tina and Vice Chair Bill Sandiford.

With no further delay, we’ll move into the reports. And the first department report I have is Susan Hamlin, who will come up and give the department update for Communications and Member Services.

Department Update: Communications and Member Services

Susan Hamlin: Good morning, everyone. It’s always a pleasure to chat with you and talk about what ARIN’s doing in the communications and outreach area.

I’m going to cover our ongoing responsibilities and talk about some new initiatives that are underway. And first a picture. I wouldn’t normally put a photo of us because all of CMSD usually attends these meetings.

But a few new things and we’re missing one of our team members here with us. So just a shout-out to Sean Hopkins in the back row, middle. He’s ARIN’s Policy Analyst and couldn’t travel with us today for the meeting. But he’s enjoying the remote participation experience this week. And he’s given us a thumbs up, so that’s good.

And in the photo to my right, for those who have not met Beverly Hicks, Beverly is our new Training Program Coordinator. And thanks to those of you who sat at the table topic lunch the last two days and chatted with Beverly about your training needs.

And then Tommy Baldwin, to Beverly’s right, is our new Graphics and Digital Media Designer. And he’s with us, too.

So what does Communications and Member Services Department do? Obviously putting on the ARIN Public Policy Members Meeting. This is one of our major responsibilities. And we do that in collaboration with all of the ARIN departments.

It does take a village. Our Engineering department, who is responsible for the webcasts, does the network at the meeting.

We have folks from Registration Services at the Help Desk. We have folks from our financial area on the Registration Desk. So it’s really a whole Team ARIN effort.

But in addition to that, we are responsible for the ARIN content – the content on the website, content on announcements that go out, content in printed materials, and really any of those needs.

We also, within the department, facilitate the Fellowship Program, the Membership Engagement Program. We facilitate elections, the policy process, and we run ARIN’s social media and PR efforts.

So just a minute while we’re looking at this list, I just wanted to call out elections. It’s never too early to start thinking about your participation, if you’re a representative from an ARIN member organization.

And that would be an organization that has a direct allocation of resources from ARIN or an assignment of resources from ARIN and you’ve opted in to membership.

So it’s good to be looking within ARIN Online to see if you have a properly registered Voting Contact. And the registration process will open this summer when we open nominations.

You’ve heard a lot about the new website and hopefully you’ve all experienced it. This was a major effort within ARIN, a collaborative effort across many departments.

And I know Mark will be talking a little bit later about the engineering aspect and all that went into that. But on the communications side, we’re responsible for the content. And there was a lot of work involved in getting that content organized, migrating the content. We created a vault to put in a lot of static pages.

And I want to thank those of you in the community who took part in our type of user testing.

Many of you did the card sort to help us find a navigation that was intuitive to you. So thank you for your participation. And I hope that we will continue to hear from you if there are things that aren’t working for you, things you particularly like. There is a feedback button on the top of every page of the website.

We continue to move forward with our IPv6 case studies. And here’s a list of all of the organizations who have published a case study with us.

If your name is missing on that list, please see Jennifer or myself after the meeting, or contact us at blog@arin.net. We’re continuing to look for people who would like to share their implementation experiences. It’s a great learning tool. And if you haven’t read any of these case studies, I would suggest you take a look on the TeamARIN site.

Now to talk about a few new initiatives. The first is the ARIN Leadership Development Program. This is something the Board of Trustees have been talking about, looking for a way to provide community members who might have an interest in one day running for an elected position at ARIN, some additional information about ARIN.

So we have put together part one, which is going to be a four-module webinar series covering in greater depth than you hear about here at meetings or here on the website ARIN’s operations, our services and how we determine what work we do, and then the roles and responsibilities of all three of our elected bodies – the Board, Advisory Council and NRO Number Council.

So we’re in sort of final preparation stages of this content, and you should be seeing a call to sign up to participate in these webinars sometime probably in early May. The goal is to present these series of four webinars before nominations open.

And then another new initiative. In the 2019 organizational objectives for ARIN, there were three – or at least three new initiatives. One deals with the grant program. And it says “to facilitate Internet advancement efforts in the ARIN region via refreshed ARIN community grant program.”

So this program has been approved by the Board. They’ve dedicated some financial resources to it. We are putting on final touches of the program description and getting set up.

But sometime later this spring, you’ll be hearing more about the grant program and looking at projects that align with ARIN’s mission, so Internet technical improvements, registry processes, informational outreach.

So another not new initiative but maybe formalized initiative, in the 2019 organizational plan it says “ARIN is to develop and promote ARIN training library by making training an integral part of ARIN’s programs and services.”

So this is the first time it’s been formalized. ARIN has been conducting education outreach in many platforms and areas for over a decade. But now we have a mandate to develop a formalized training program.

So step one is finding Beverly and bringing her on board. And she’s busy talking to people, learning our resources that are available within ARIN now, externally, and would be putting together a program talking about the various types of training.

And some of the sample topics here, IPv6. You all have been asking for IPv6 training for a long time. We had a survey the end of last year. It asked for your feedback. We’re compiling that now.

We have had a video library of how to use various aspects within ARIN Online. With the new website, the UI changed for many of those programs. So we’re now in the process of prioritizing which of those videos to redo first. And we’ll be doing that.

There are other important topics – Whois, data accuracy, Leslie’s interested in law enforcement training. So we are combining all of that now and Beverly’s going to have her hands full.

And then another new item on the organizational plan is to “increase ARIN membership through outreach to industry associations via programs with measurable results.”

So, again, ARIN has been speaking at various industry meetings for decades and more recently we’ve been focusing on what would be our value added to these organizational annual meetings per se.

So we have been successful in reaching out within the WISP community asking about bringing an ARIN Registration Services Help Desk to their meeting. They’re members of these associations. Some of them are ARIN members. Some of them have resources from an upstream, do not yet have IPv6 and could be getting that from ARIN.

So we are successfully exploring and reaching out to associations where we might be of value to their meeting.

So I put this on here. If any of you participate in an association in your region or nationally and think that ARIN could add value by bringing a Registration Services Help Desk there and being on the agenda, please reach out to either me directly or send a note to info or contact John. We’re looking for the places where we can be of most help.

And now because it’s Wednesday morning, I have a little exercise with you all. And I want to talk about engagement with ARIN. So I’m going to ask a few questions and please either raise your hand or stand up if you’re cold and you need to get your circulation going.

Raise your hand if you are subscribed to the ARIN-announce Mailing List. Nobody’s counting, just honor system.

Raise your hand if you subscribe to the Public Policy Mailing List. That’s even better.

Raise your hand if you read ARIN Bits quarterly. Raise your hand if you know what ARIN Bits is. We have a little work to do there.

Raise your hand if you read the announcements on the home page of www.arin.net.

Raise your hand if you read the blog post now on the home page of ARIN.net. Raise your hand if you knew there were blog posts at the bottom of the home page of ARIN.net. Got a little more work to do.

Raise your hand if you bookmark your login to get to your ARIN account and bypass the home page. Okay.

Raise your hand if you’re a Voting Contact for your organization. Keep your hand raised if you voted last year.

(Laughter.)

Awesome.

And then raise your hand if you volunteered to serve on a committee or write a guest blog. Okay. Pretty good.

And last but not least, raise your hand if you knew that my alma mater won the 2019 NCAA Men’s Basketball Championship.

(Laughter.)

I’m ignoring that, that’s fine. There’s always next year for Texas.

So last thing I want to talk about is feedback. We really are here to serve your needs. We move forward with a prescribed list of programs and tasks. But none of it matters if it’s not giving you what you need.

So feedback is very important to us. The top of the page of every website page there’s a feedback button. Let us know if there’s something that doesn’t make sense to you content-wise, it’s missing, you think it could be better organized. We’ll look at that and take action.

We have an ARIN suggestion process for things other than policy-related. If there’s something, a new program you would like ARIN to explore, an enhancement of something we’re doing, this suggestion process is formalized. We are committed to taking action on it. Your suggestion will appear on the website unless you ask us not to put your name on it. And you can track our conversations and dialogue internally, and we will be reporting back on that.

We have open Mailing Lists that cover just about everything. We conduct surveys from time to time. We’re looking for remote website testers.

And also your interaction with staff here at meetings, at other outreach events and the Board, Advisory Council, NRO NC is valuable and we take all that feedback. And the feedback that John gets is dispersed appropriately amongst the staff.

We do listen and we do try to be accountable to your needs.

And then we have the Ask ARIN through ARIN Online. And we have several generic Mailing Lists, info@ARIN, members@ARIN, blog@ARIN – plenty of ways to reach us.

Lastly, a look at our upcoming Public Policy and Members Meetings.

So we will be in Austin, Texas in the fall. And this is a list going down to future years of venues we have contracted. The two in bold, April 2021 and April 2022 – so several people this week have asked me how do you decide where you’re going to have a Public Policy and Members Meeting.

Really for the April meetings, it’s about a network sponsor. We need someone to step up to provide the bandwidth to build out our own wireless network at the venue that will accommodate you all and our webcast.

So it’s a collaborative process of identifying potential network sponsors with the location with the venue that has enough space. So currently we are looking for a network sponsor for April 2021. We’d like to get started in that process.

So if you have an interest or want to volunteer a competitor of yours to be a network sponsor, send us a note to meetings@arin.net and we’ll follow up. We’d be most appreciative.

And then upcoming meetings, we have mid-May, two ARIN customer lunches scheduled, one in Providence, Rhode Island and one in Boston. We have our next ARIN on the Road in Montréal at the end of May. And we will be scheduling additional outreach events for the remainder of the year.

So that’s all I have. Happy to take any questions.

John Curran: Any questions for Susan?

(No response.)

Thank you, Susan.

(Applause.)

Next up I’d like to have the engineering report. Mark Kosters will come on up and give it.

Department Update: Engineering

Mark Kosters: Thanks, John. All right. So let’s get started with this.

So, first of all, I want to break out – I don’t have a picture of the staff. The last time we did this, it was a real controversy within Engineering. And the guys whose car that we all congregated with, he sold it. He no longer has the car and he takes the bus to work every day.

So we were trying – we were thinking about getting a bus in front of us, but they kept on moving.

(Laughter.)

That was a dad joke, okay. All right. So let’s go through our staff summary here.

We have five engineers and a manager for operations. And Information Systems and Security, we have three engineers and a manager.

I want to point out something about Information Systems and Security and a few of you have noticed this. And that is, we’re very much interested in you safeguarding your own accounts. We have two-factor authentication that you can use for ARIN Online, right?

And, sadly, only 3 percent of our community is using two-factor authentication. I would encourage those who don’t have two-factor authentication to turn it on.

You could say, oh, that’s cool. Well, what about ARIN staff? So ARIN staff comes to these meetings. And they also have to use two-factor authentication to get into our infrastructure.

So we have a VPN. And we use Duo as a way of authenticating ourselves to get into our network.

And also, and this is something that Pete and his team put together, and the other thing is all the boxes are centrally managed. And they take a close eye over, not only boxes back in the office, but also in remote locations and here in Barbados.

So let’s keep on going. Development, there’s nine engineers and a manager – a web experience expert, user interface designer, that you’ve seen the results of their work with ARIN Online, software integration – and they’re the ones that do the testing. We have five engineers and a manager. Project management, we have Deb in the back there and her sidekick, Sherrie. And of course me.

Okay, so our main focus areas since the last meeting, website improvements. Okay, so you’ve heard a lot about this. You’re going to continue to hear a little bit about it, at least the rest of this meeting, is because it was a really big effort within ARIN to make this happen.

ARIN Online is now 100 percent on angular technology. It actually uses RESTful calls on the backside to actually do the work. Before it was using JSF, which is older framework, and we still have a lot of older frameworks on the backside we’ll talk about that in the technical debt.

But that is one area that we have actually modernized. We have an outstanding area that is not currently in the new framework, and that’s web Whois. Web Whois is not really a part of ARIN Online as far as we’re concerned. It’s on separate boxes on our public-facing sites, of which we have three of them. And that is the Whois search.

So for those who like the old way of doing business, there’s where you can go and feel happy.

We have a lot of technical debt to deal with. For example, our ARIN Online infrastructure is running on CentOS 6. And we still have some CentOS 5 boxes in our infrastructure. We did get rid of our CentOS 4 boxes. And it’s been recycled, not shot.

Okay. Whois performance. We are still having instances of crawling. There’s a huge botnet and they continually sort of cross at /32 at a time. I don’t understand why. They can hit us at a /24 and do just as well.

And we’re getting lots of traffic from specific countries, which is very interesting; social network providers, which is also interesting; and cloud providers.

And that is the majority of our traffic. And a majority of that is automated. It’s not something that a human can’t type that fast physically to do the queries that we’re seeing.

ACSPs, with ARIN Online, we actually knocked out three ACSPs. You can see that on the list. We completed version one of the user interface.

So there’s some nits that we have to fix. There’s some iterations that we’re going through and have gone through. We’ve had a number of releases since our big bang release and we continue to work on that. And CMSD of course has content responsibility.

RDAP conformance. The community has noticed that the various regional registries have slightly different sort of behaviors with RDAP. And we’re working on actually consolidating that so that they all work the same.

And this is IETF format, so the search and results are a little bit different than what you expect and do things a little bit differently.

So you can see that we’ve had a couple things that we’ve added in to make it more conformant with IETF specs.

So a couple of words about the website. One is thank you very much for your participation. So we had our user experience and our user interface designer here. We’ve had those persons also at various ARIN on the Road events as well as NANOG and – wearing white coats and the whole nine yards, trying to get test drives and user feedback, which actually it was very helpful in putting the website together.

One of the things I’ll mention is that every page within ARIN Online has been extensively overhauled. It’s been designed and reviewed by the UI/UX team and every page has, like I said, new technology behind it.

It is using RESTful services as a calls on the backside to get the data from our database to input it back on the page.

So we also created a new framework for CMSD so that they don’t have to worry about making sure that the pages are formatted correctly in the sense that, okay, does it look right?

We’re doing that ourselves and it’s designed and tested to be conformant with the web accessibility guidelines as well as with mobile browsers. So it’s very responsive. And again this is a culmination of a multiyear cross-department collaboration.

So other accomplishments. Well, we got some technical debt completed. But sadly part of that was actually the result of an outage.

So we had a DNSSEC outage. And sadly it was something that we knew that we had to monitor but we just never had the cycles to put it together.

So we’ve – since then, have fixed those shortcomings. And we do have one outstanding thing in that we have this bump in the wire DNSSEC signer that we have.

The box is – it needs a little bit of work and we actually needed to get it up to snuff. And one of the things, some technical debt that we need to take care of, is still continuing – it continues to work but we have a lot of hacks in place to make sure it does work.

We have automated build systems with Ansible. We used to use Puppet. We’re using Ansible now. There’s still a little bit of Puppet in our infrastructure that we’re trying to distinguish.

We modernized our virtualization. We use virtualization extensively within ARIN. And some of our public-facing services are also virtualized. And the managers underneath that, we’ve kept on upgrading them so they don’t go behind as well.

And we’ve put in lots and lots of Whois performance improvements to deal with the added influx that we’ve had.

So let’s go through some of the stats. So you can see here that there’s a – basically we’re fairly even in terms of the number of accounts activated every year. It’s less than 10,000, but close to 10,000. And of course we’re just starting 2019. So it’s too early to tell what 2019 will have.

So active usage within ARIN Online. You can see there’s a lot of users that do the one-and-done sort of thing. And a few do – are in the two to five range, log in two to five times.

But what’s truly amazing is those people that log in 16 or more times. And there’s a good number of those, especially at the higher realm that have automated that ability to log in, because again there’s no way they could have typed that fast.

So there’s definitely some automation that’s going on with the user interface as well.

Here’s our provisioning transactions. One of the things, I’m not sure how well you can see it, but the lower bar that you can see going through in each of the ARIN meetings is those people that submit templates for reassignments and so on. And the higher bar is those people that use the RESTful service for the same activity.

And this is something that we really encouraged you who do still use templates to move away from, because much like we said before about security, we consider security important. Using templates for sending in reassignment information is not as secure as it could be. And the RESTful service is certainly a better foundation to use going forward.

DNSSEC, we had 11 new organizations at the last meeting that are using DNSSEC. They’ve actually put in 222 additional secured zones, which is great. And we’re getting up to a certain, a little bit higher percentage of our users actually using DNSSEC.

Here’s an interesting slide. And if you look at it you say, well, okay, I see a lot of numbers going across the page. I apologize if some of this is kind of small in the back of the room.

But what I’ll highlight is just one thing, and that is that the number of ROAs that has increased over the last six months is basically quadrupled.

So we went from a little over a thousand to 4,500 ROAs within our infrastructure. Those have covered almost 6,000 networks. So RPKI is actually starting to take off within the ARIN region. I’m excited about that. So I’m glad to see that there’s a lot of work going on.

There’s one misnomer. And I’ve said this before and I’ll say this now again, is that the up-down delegated portion, there’s two steps of the process. That person actually went through the first time and – for the first step saying, hey, I want to do RPKI up-down. And the second part is you actually had to present a certificate to us saying here are the resources I have that ARIN will sign over for delegated.

They actually never did the second step. So that’s really a half. It’s not really a one. We actually have, over the course of using RPKI services, we’ve actually only had one true up-down customer. And that person actually pulled out because – or that organization pulled out because it was hard for them at that point in time.

Here you can see our Whois and Whois-RWS queries. You can see that it’s starting to crawl up again. The last time we had a spike was in 2010, which was crazy.

But one of the things that I’ll note now is in 2010 they were very simple queries that we can answer. The queries that we’re seeing now are quite expensive and actually is causing a bit of a load on our servers.

RDAP, which is the lighter color below, has seen less traffic but again it has peaks as well. Whois and Whois-RWS and RDAP queries over a v6, you can see we’re still running about 3 to 4 percent over v6 as a cumulative versus v4.

Here’s our RDAP sort of breakout in terms of how many people are using v6 versus v4. V4 is the predominant winner.

IRR, the list of maintainers continues to go up. The route and Route6 objects continue to go up. And inetnum and inet6num objects, which normally aren’t really part of the IRR, but are survey accoutrement are there as well and they continue to grow, too.

Here’s a breakout of the number of people who participate in the IRR. And what’s interesting here is you have a lot of people at the very low end, almost 2,000, they have one to four objects in here. But the number of organizations here that have a huge number has increased. There’s one organization that has almost 20,000 objects within their IRR.

So, what are we working through Q3 this year? IRR. We’re in the design stages now and we’ll start development work in Q3.

Stateless, ARIN Online, one of the things we want to get rid of is the pesky timeouts. As you go to many sites, if you just leave your terminal open, it will timeout on you eventually.

And there’s been complaints about our timeouts because they’re server side. We’re now going to go to a client side timeout. And that will allow you to stay on for a much longer period of time – not infinite, but longer period of time.

We have RPKI HSM upgrade. And what this is is a high security module that we’re using. It is end of lifed and we need to upgrade it. So there is some RPKI work that we have to do in Q3 of this year.

And of course some improvements, incremental improvements that we want to make to the website.

We have a technical backlog. We’re still using Java 7 and JBoss. Now they’ve been subsumed and been replaced. These are running on CentOS 6 boxes which are older too.

We need to make sure that they don’t become incredibly ancient. They’re starting to get to the midlife crisis stage. We want to get beyond that if we can.

We continue to work on Ansible and replace, or actually upgrade our bump-in-the-wire DNSSEC signer.

One of the other things that we’re doing is – and this is something I really wanted to do – is put GSLB, Global Service Load Balancing within our infrastructure. Right now we’re reliant on round-robin DNS.

So when you connect to, for example, Whois you’ll get presented three records or three records back, of which you will go to probably the first one on the list. And – which is fine. It’s old 1990s technology. And it gets you to where you need to go. But we like to be able to load balance in a more granular fashion by using GSLB.

And we’re also working on a cutover to our disaster site. We have our servers out there but we don’t have all the glue that needs to be done to make sure everything works together, such as monitoring.

And those are the things that we are working on for the next couple of months or next six months, rather.

Coordination work for the original registries. We’re working out the differences, as I mentioned, about RDAP, and extended statistic file formats. It’s amazing, even though you have a standard, people still find a way to deviate from that standard. And we’re trying to make sure we’re coalesced across that way.

We have Internet Technology Health Indicators, and we’re working on coordinated reporting between the regional registries. This is essentially an ICANN initiative that we’re putting together, along with Registration Services.

And we have some work going on in RPKI, putting some – and asking for some protocol enhancements to be put into place to make RPKI more robust.

Essentially this is operator feedback going into the IETF and saying, you know, you did okay with the standard, but we could really do a better job.

For example, one of the areas is there’s this thing called a repository, which has all your RPKI elements in it. To pull that down, use this protocol called rsync.

And rsync, it’s a fine protocol, but there’s much better ones that could be used out there that actually allow you to push out the data to more locations using a cloud provider, for example, so that people can have more availability to pull down this content, which means that you have to change the protocol underneath to make that happen. And that’s something that we are looking forward to actually do.

Okay. With that, I think I’m done.

John Curran: Questions for Mark? Microphones are open.

Andrew Dul: Andrew Dul, speaking for myself. Are you seeing any instances of the ARIN Online accounts attempting, people attempting to hijack the accounts, especially older accounts?

Mark Kosters: That’s really a question more for John.

Andrew Dul: Okay, he can answer the question then in the presentation.

John Curran: Front mic, go ahead.

Michael Casadevall: Michael Casadevall, NARALO. Roughly speaking, have you seen, has there been any attempts to try and look at reverse DNS data and tell how accurate it actually is versus people that, like, just stuff their 8 pointer records in there?

Mark Kosters: I don’t think we’ve ever done any validity testing on how people are using the reverse.

Michael Casadevall: Okay.

John Curran: Any other questions for Mark? Thank you, Mark.

(Applause.)

John Sweeting, come on up and you get to do the Registration Services presentation.

Department Update: Registration Services

John Sweeting: Good morning, everyone, John Sweeting, ARIN Registration Services.

I’m going to give you a quick update on what we’ve been doing in RSD over the last few months, since our last meeting.

The overview, I’m going to, of course, talk about the current staff, past year ticket review, waitlist status, reserved pool and IPv6 status update.

So the current RSD team, there’s 12 of us. The newest member is Christy Le. Lisa is the manager of the team. Everybody reports to her except for Cathy and Jon Worley; the three of them report to me. The people here this week helping you guys and supporting this meeting is Misuk and Mike, who you’ve hopefully stopped and talked to at the Help Desk, and also Cathy, who is splitting her time between keeping me in check here in the meeting and watching over the Help Desk.

So, organizations served by ARIN. A total of 38,220 organizations, of which 41.55 percent are legacy, which means they have no agreement, no signed agreements with us. There’s 15,882 of those. Non-members, 16,361. And then members, just shy of 6,000.

Decided to show a little – how our processing times are coming along. I’m happy with some of them, not so happy with others. We’re going to be working to streamline this.

As you can see, ASN requests have come down quite a bit. Org creates have remained about the same, but that’s a pretty good time for that.

Org recoveries have gotten a little bit more. That doesn’t bother me in the least because that just means that we’re really looking into that and we’re making sure that whoever is trying to recover that Org is the right person, right organization.

These next two, the end user v6 and ISP v6, there’s – to me I feel we could do better. So we’re going to look at what we can do to do better.

A lot of it, though, is really getting the replies back from the customers on – we have to see their addressing plans. There’s an attestation that has to come back from the “signed by an officer” and there’s things that take a little bit of time. But we’re going to look into all of that and figure out how we can streamline this and make it a better process for everyone.

So IPv4 RSA coverage in /24s, that would include legacy RSA as well. We’re up to 59 percent of our resources are covered by agreement.

As you’ll see here that continuously goes up. The transfer market has a lot to do with that. And we’ll continue to – I believe the line will continue to go up. It doesn’t go up fast, but it’s going up, and that’s good.

Waiting list growth. There’s no bump yet since we did do our Q1 distribution on time. For the process what we normally do is we have a meeting each quarter with – like five or six directors come in, and we go through everything to make sure that if they were revoked, that the process was followed, that all the mailings and phone calls and emails, everything that – all the contact that was supposed to be made was made.

If they were returned, we make sure that there’s an officer acknowledgment that the organization really wants to return it. And then there’s just some that we just have to go through and, like, over the years they’ve been revoked or returned. But they’re still being routed and we do cleanup work with that, reaching out, contacting the networks that are routing them. It’s just a lot of work.

So we’re very, very careful before we reissue any space. We’re going to – I’ll wait until I get to this slide.

So as everybody knows, Waiting List distribution has been suspend as of 7 February 2019. The staff is continuing to process and approve requests and added people to the list. Internal processes are continuing.

So we’re going to continue to have our quarterly meeting. We’re going to continue to approve space to be – that will be eligible to be reissued. But, of course, we won’t issue that until or if and when the suspension is resolved.

But we’re absolutely going to be prepared to do that immediately upon getting the word from the Board that we can resume the distribution.

Here’s a report, I think Owen has asked for this, and we’re now reporting on this at every meeting – the IPv4 Reserve Pool Update. The 4.4 is your critical infrastructure, and 4.10 is IPv6 deployment.

As you can see, there’s still a lot of space there in those reserve pools for the people that require it and can qualify for it.

IPv6 profile. RSP is the Registration Services Plan, which is the RSA – we call it RSP because end users can apply to be under the RSP and have their resources converted to direct allocations, and they become members and they pay a fee to have that done.

As I mentioned, I think when I was given the NRO statistics, IPv6-only, we do have 560 organizations, which is 9.5 percent of our organizations. But that doesn’t mean that those organizations only have IPv6.

A lot of them have IPv4 that was reassigned or reallocated from their upstreams. But for IPv6 they decided to come in and get their own.

In 2018, we – Lisa instituted a program within RSD where each of our staff analysts publish a blog. They get to select from a list of topics.

We are taking suggestions now for topics. We’ve done a few already this year. Jon Worley has posted one for our time at CanWISP a couple weeks ago, and there’s a few others that are done. So it’s a professional development and a lot of other things, the reason we have our staff doing these blogs for you.

And they’re really the ones – they’re the ones that talk to you. So they’re the ones who know what you’re asking; they know what your interest is. So that’s one thing we’re doing.

We have a telephone Help Desk. Phone staffed 7 AM to 7 PM, Eastern Time, Monday to Friday. Average wait time is 17 seconds. I understand that 17 seconds is normally due to the announcement you have to listen to. The phone gets picked up pretty quickly after that.

And the most common topics are Point of Contact validation, ticket status, ARIN Online use, and transfer-related questions.

I also wanted to inform the community at this meeting that we have initiated a pilot 24/7 help line. We have a few volunteer organizations. It’s for support of the technical services – RPKI, DNSSEC, reverse DNS problems.

We’ve initiated that. We have a few organizations in this pilot program that we’re using as a proof of concept. And our goal is to have it tweaked and ready to roll out to the full community later this year.

So if anybody’s interested in that, grab me anytime you see me walking around the meeting or you can email me, call me, whatever.

I also wanted to mention there’s a new slide that I’ll have in the fall. We have – part of when the new website was deployed, also there was a feature that we’ve been waiting on in RSD, and that was customer or RSD-initiated tickets for the customer.

So I’ll be reporting on stats on that at the next meeting. But right now, since March 2, there’s been roughly 12. Six of them were for 8.2s, four of them were for 8.3s and two of them for IPv4 requests.

And basically what it is is, when you call into the Help Desk you need to have a ticket and initiate it, and if you’re not really sure of how to do that staff will walk through that.

And we used to have to walk you through screen by screen and explain everything to you, which we still do. But instead of you having to do all the work, we do all the work and generate the ticket. That ticket then goes to the customer for approval back to us so we can then take action on it.

We don’t generate the ticket and take action on it. It has to be approved by that POC that’s in there requesting that ticket to be generated.

So it’s a very good enhancement. And I think it’s going to help a lot of people out there in the community.

So with that, Andrew, what was your question?

John Curran: Any questions for John?

Andrew Dul: The question is about ARIN Online accounts. I saw that Mark’s slide says that you continue to grow the number of accounts, which also means you continue to grow probably, likely, dominant accounts, people not coming in regularly.

My question is whether you see any systematic attempts to hijack ARIN Online accounts at this point.

John Sweeting: We’ve not seen any systematic attacks. In order to recover an account they have to call in and do – there’s the challenge questions and stuff. And then if they can’t answer that, there’s other things that we can do to verify who they are.

But as far as anybody saying that somebody has hijacked their account and used it for anything, we haven’t had any complaints like that.

Andrew Dul: You don’t see users trying to use known username/password databases against it?

John Sweeting: The closest I think we come to it is we get people that go out and find dormant domain names, and they re-register them. Then they send an email in through hostmaster or such and use that email domain name. But as far as –

Andrew Dul: Sounds like you guys aren’t target, so that’s good – so far.

John Sweeting: I think there may have been one or two where they tried to send us an email saying they were the web user and they didn’t have any other proof of it and we don’t take just that. There has to be something else.

Kevin Blumberg: Kevin Blumberg, The Wire. Yesterday somebody asked about two-factor authentication related to ARIN Online. And it had me thinking, it would definitely be very beneficial that an Org can say the only users that can touch this are ones that have been authorized through two-factor authentication as a hard lock at the beginning.

And if five people have it and one person doesn’t, that one person is going to be the one they go through.

But having that master lock at the top to say this Org must be done through two-factor authentication, that would be a wonderful feature to add.

John Sweeting: I think Mark’s going to reply to you on that one because we’ve started a story on that.

Mark Kosters: So the suggestion is noted. It’s something that we’ll be putting in the backlog to actually implement.

Steve Wallace: I think it’s actually remarkable –

John Sweeting: Name and affiliation, please. I know who you are –

Steve Wallace: Sorry, Steve Wallace, Indiana University. I think it’s remarkable it hasn’t been a target via phishing attacks like the DNS registries. And I would assume it either is or – and it’s not being detected or it will be, you have assets that are worth a lot in trade via paperwork.

I don’t think you’ll get them physically. So I would encourage you to think about enhancing things like authentication as well as your ability to detect patterns of behavior.

And I’m speaking from a community where this has been happening, things like phishing, accounts of staff members at universities and then redirecting just part of the direct deposit. Those are things that universities now have to deal with and have changed their behaviors to mitigate the risk.

John Sweeting: The vector we’ve seen is they will actually create their own ARIN web account and they will try to do POC recoveries or Org recoveries to get tied to that.

But as far as – we have not noticed or seen people trying to actually hijack web account users’ accounts.

Leif Sawyer: Leif Sawyer, GCI, ARIN AC. Is there any move to add U2F or FIDO2 authentication for multifactor, so you can use hard tokens?

John Sweeting: That would be a Mark or Deb – I don’t know if there’s any stories on that.

Mark Kosters: No. So, we use OTP as the protocol. So you can have a token that has a provider that uses OTP, we’re all set. I don’t know if anyone does. But that’s interesting.

So usually with a hard token providers you also have to – there’s usually some sort of back end that’s associated with it too. Anyways, we can talk about this a little bit more offline.

John Curran: Leif, if you have a particular support for hard token you need that doesn’t support OTP, then ARIN Suggestion process, please.

John Sweeting: Okay. Thank you.

John Curran: Thank you, John.

(Applause.)

Next up we’re going to have Val come up and give the Financial Services Department Update.

Department Update: Financial Services

Val Winkelman: Good morning. I’m Val Winkelman, Director of the Financial Services Department. And ARIN’s Financial Services Department is responsible for accounts receivable, accounts payable, budgeting, general accounting and Financial Reporting.

The Finance Department staff consists of Tammy Rowe, who is our Accounts Receivable Manager, and Tammy has four staff members who report to her. They are Tanya Gomez, Amy Sanchez, Amaris Wang and Lindsay Norman. The average tenure of the FSD staff is 13 years.

Tammy’s group is responsible for billing, applying cash receipts, collecting on accounts, registration service agreements and the billing Help Desk.

And Tanya has been here since Saturday working on the Registration Services desk along with Sarah Ba and others back in the office holding down the fort.

The Financial Services Help Desk is open from 9:00 AM to 5:00 PM, Monday through Friday except holidays. There are four staff members that answer the phones and those are the four members under Tammy Rowe.

And FSD received over 3,700 calls in 2018. And the top questions were: Can I pay with a credit card over the phone; how do I update my billing Point of Contact; and can you email a copy of my invoice?

They always receive hundreds of email requests also. And we don’t have a ticketing system so we’re not sure how many. But for each of these questions, the FSD staff encourages the caller to create an account on ARIN Online, and that’s where they can manage their own account and find answers to their questions.

ARIN adopted a new fee schedule July 1 of last year. And the 2018 financial audit has been completed, and we’re now focused on completing the IRS Form 990. And I’d like to congratulate the FSD team that it was a very good audit.

The new fee schedule was adopted July 1st of last year. The new fee schedule increased fees by end users for each IPv4 address block, IPv6 address block and Autonomous System Numbers from 100 per object to 150 per object.

Legacy resource holders pay the same amount as the – lost my place. The legacy resource holders pay the same annual registration maintenance fees as end-user organizations. However, there’s an annual limit on total maintenance fees applicable to legacy resource holders.

As of July 1, 2018, the annual limit on total maintenance fees for legacy resource holders was set to $125, regardless of the number of legacy resources held or versions of their legacy resource agreement.

The annual registration fee for ARIN transfer facilitators was increased from 100 to 1,000 in order to cover rising costs associated with these services. You can find out more about ARIN’s fees on the ARIN website under fee and billing information.

There were some updates to our accounting system for this fee change and ARIN also redesigned our customer invoice. It was brought to our attention that we put all the information to contact us on the email that went with the invoice but not on the invoice and that a lot of times the invoice is passed on without the email. So we added detailed information on how to contact FSD along with our working hours and we added links so the organization would help to research – resources that they’re being billed for on the invoice.

ARIN receives four types of payments – checks, credit cards, ACH and wires. As you can see, the dollar amount of the checks we receive still exceeds the credit cards on a transaction basis even though we’re receiving more credit card payments.

But I did a second slide showing that the electronic payments are slowly replacing the corporate check as a payment method.

And this slide shows that revenues holding steady with the bulk of our revenue coming from the Registration Services plans followed by the paying-per-resource-maintenance invoices.

Any questions?

John Curran: Any questions for Val?

(No response.)

Thank you, Val.

(Applause.)

Next up I’ll have Erin come up and give the HR and Admin Report.

Department Update: Human Resources and Administration

Erin Alligood: Good morning, everyone. I’m Erin Alligood. I’m the Director of HR and Administration at ARIN.

As you see here, I have an outline of the myriad of responsibilities that our team handles. You can see here that we have a wide range of responsibilities. It keeps us quite busy. We wear a lot of different hats within the HR and admin team. And I’ll be touching on several of these topics throughout my presentation today.

So, how do we tackle this wide variety of work? We have a really great team and we have a very tenured team. First, Thérèse Simcox has been our executive assistant for almost 18 years. Thérèse supports our Board of Trustees, our Advisory Council, our ASO AC and our executive team for travel and administrative support.

Next we have Sarah Ba, who has been our administrative coordinator for almost five years.

Sarah secures our employee travel. She acts as an HR administrator in terms of benefits and she also acts as our facilities coordinator.

Denise Alston has been our receptionist for almost five years as well. Denise does a wonderful job greeting our visitors, distributing our mail and keeps the front part of our office running.

So this next slide shows an outline of our accomplishments over the last year. As you might remember, Nate Davis, our previous Chief Operating Officer, and Cathy Handley, our previous Executive Director of Government Affairs and Public Policy, both retired at the end of 2018.

Both of these positions were filled in advance for cross-training purposes by Richard Jimmerson and Anne-Rachel Inné respectively.

Both transitions have been successful and Richard and Anne-Rachel are both actively working in their new roles. And I think Nate and Cathy are likely enjoying their long-overdue retirement. Good for them. I’m jealous.

Another item we tackled in 2018 was our Employee Salary Survey. This is a great opportunity for ARIN to examine our overall employee compensation structure and ensure that our staff is compensated both within the range of our demographics and their specific roles at ARIN.

As you can imagine, the Washington D.C. metro area job market is quite competitive. And this exercise is extremely beneficial for ARIN with regards to maintaining our excellent employee tenure that I think a lot of the other departments touched on already.

And it also creates – excuse me, I lost my place as well – it also ensures that our overall compensation package is competitive when compared to the market.

Also, in 2018, we converted payroll platforms with our current provider, Paychex. Our old system was really suboptimal with regards to processing payroll and also employee timesheet entry.

So our new system is much more user friendly, much more robust. And my favorite part is that it’s reduced our payroll processing time significantly. I’m not spending nearly as much time as I was processing payroll.

We also conducted a series of management and leadership training in 2018. This was due to the results of an Employee Engagement Survey that was associated with the Washington Post “Top Workplaces” listing.

As you might remember, ARIN was listed at No. 14 in the 2017 listing in the Washington Post. The data from the Employee Engagement Survey was quite favorable because we made the list. But there were some areas noted for improvement, which sparked the need for us to enhance our management training at ARIN.

As a result, we secured an outside consulting firm, who helped us address the themes within the Employee Engagement Survey. This included a management 101 training session for both our directors and our managers. And we conducted a very detailed leadership assessment that was shared amongst that same group.

This assessment has already served as a great tool for our team and has and will continue to further enhance our interactions company-wide.

I was also pleased to assist the Advisory Council in securing public speaking training when they met in January of this year. And from what I understand it was very well received from the AC.

We actually used the same vendor from the management training that I just spoke about. And we may in fact consider doing this for our employees at some point in the near future.

So now I’m going to go over some recent projects that are currently in progress. As I mentioned in the last report that I gave at the previous – two ARIN meetings ago, the trustees of our 401(k) plan recently conducted a full review of our plan.

And just for your information, our plan trustees are Richard Jimmerson, Val Winkelman and myself.

As a result of this review, we issued a request for proposal, or an RFP, for a new 401(k) vendor who does administration, compliance and record-keeping for ARIN’s 401(k) plan.

Over the last six months we worked really diligently to research and interview various 401(k) vendors. And I’m pleased to announce that ARIN has selected Principal Life Insurance Company for our 401(k) needs going forward. Principal is a well-known and trusted 401(k) provider that’s been in the financial industry for over 100 years. So, not only will we have access to their tremendous investment portfolio, their website platform is also much more interactive and has a lot of security features that we didn’t have with our previous vendors such as two-factor authentication.

This transition will take place in July of this year. And we’re looking forward to a successful transition for both our employees and their retirement needs.

So you might have seen in my very first slide with our responsibilities, we manage the facility for ARIN or our office space, which is kind of unusual for the HR and Admin team to manage. And it’s kind of an ongoing joke that whenever we come to the ARIN meeting that something breaks.

So I can report two things happened while we were here, of course, because Sarah and I are both here at the meeting. And unfortunately, it’s kind of the joys of homeownership.

And when we were at the October meeting, we had a pipe leak in our kitchen and it caused damage to our floor as well as some drywall. We haven’t gotten it fixed yet because it’s actually covered by insurance, which is great news. So we’ll be getting that repaired over the next month. So never a dull moment, just like owning a home.

I’m going to move into some employee statistics, which is always kind of a fun slide to go through.

Fully staffed, ARIN is at 78 employees. And as I mentioned earlier we do have quite a remarkable employee tenure that was pointed out earlier by some of the other directors.

Our average tenure is over eight years. Last year it was seven years. So it’s improving every year. And I usually show a graphic that you see here on the right that highlights the remarkable employee tenure that we do have.

And as you can see, I actually had to add a category for 20-plus years because we do have two employees who have been with ARIN for 21 years. So that’s quite an accomplishment.

And then if you add up those numbers from the five to 20 years, over half of ARIN’s staff have been with ARIN for five years or more.

But then at the same time, we’ve been able to be successful in drawing new talent to the organization in that zero- to five-year category.

So what’s next for our team? As we move into 2019 and 2020, as I mentioned earlier, we conducted our salary survey in 2018, and we typically like to do the salary survey every other year. So our next engagement will be planned for 2020.

Then we will continue the work related to the 401(k) transition that I mentioned earlier and that will be completed in July.

And then we have in our plans later for this year to evaluate our travel needs and potentially research a new travel agency. We’re still in the very beginning phases of this process, but we think it’s a good time to evaluate whether or not we want to make a switch or not and then analyze maybe how to cut some costs and things like that.

Next, we will be revisiting our current Value Statements that are tied to our employee performance reviews or discussions. Back in 2014, we created these value statements as a company initiative where our employees actually participated in the process of developing the Value Statements.

Since it’s been a few years since they were originally developed, we’re going to sit down and probably go through those as a company and make any changes and adjustments and then tie them back to our performance discussions.

Last, we have some training initiatives planned for 2019 and into 2020. This will include a continuation of the management project that I was talking about earlier, the management training series, as well as conducting company-wide harassment prevention training at some point soon.

And then we’re also going to do some relevant training related to our intranet site called Confluence. We just did an update with the site and I’ll be working with engineering on doing some training. Hopefully we’ll bring someone in and update our employees on that tool.

And, of course, we’re looking forward to another successful year. Anybody have any questions?

(No response.)

Thank you.

John Curran: Thank you.

(Applause.)

We are slightly ahead of schedule. And we’re going to take advantage of that if Tina is ready. Not to put you on the spot. If you’re ready. Okay, come on up.

ARIN Advisory Council Report

Tina Morris: Good morning, everybody. I wanted to take a moment to acknowledge our Advisory Council. These are all volunteers, and they put so much time and effort, energy, passion into their work. It’s really wonderful to have such a great group helping to get the policy work done for the community. And they always need more input from you.

(Applause.)

The Advisory Council works with proposal authors to ensure they have a valid problem statement. And they move it – once it moves to our docket, once it meets within scope of the ARIN Policy Development Process, the Advisory Council takes on docket and gathers input for the Draft Policy.

If there’s support in the community and the language works for where we think it’s in the best possible state, it becomes a Recommended Draft Policy, if it’s fair and impartial, technically sound, supported by the community.

Eventually, after it goes to meeting as a Recommended Draft Policy, we initiate Last Call, assuming it’s still supported, of course. And then recommend – if there’s still no reasons to prevent this from becoming a policy it’s recommended to the Board of Trustees for adoption.

Since ARIN 42, we have recommended five policies to the Board for adoption, all implemented 7 March.

Since ARIN 42, we’ve had several proposals, and in fact during this meeting we received another seven proposals. So our docket is quite full and we’re working through all of them. I hope to have shepherd assignments to all of those by the end of next week.

We appreciate the work and we continue to think policy is actually going to go away at some point and it just doesn’t stop. But it’s interesting.

Draft Policy traffic, as you can see, 2019 is on track to be a very busy year. We’re only in April. We don’t have any adopted policies or abandoned policies as of today. So that column is empty for 2019.

Any questions?

John Curran: No questions for Tina?

(No response.)

Thank you, Tina.

(Applause.)

Speeding through the morning, next up is the Treasurer’s report. I’m going to keep going. Nancy, come on up.

ARIN Financial Report

Nancy Carter: Good morning.

All: Good morning.

Nancy Carter: This is the beginning of my second year both as Trustee and as Treasurer. So I’ve learned a lot in the past year.

When I ran for the Board, I promised you that I would use my not-for-profit financial governance and legal experience to support ARIN’s mission, and I’ve done my utmost to deliver on that promise during year one.

I’ve been helped enormously by ARIN staff and by my colleagues on the Board of Trustees. I’m excited to be here to present the ARIN Treasurer’s Report. And as usual, I know that is the reason you’re here.

(Laughter.)

I’m going to tell you a bit about the work that the Finance Committee has undertaken since we last met, after which I’ll review the 2018 financial results, provide highlights of the investment portfolio, and then look at the 2019 budget.

The Finance Committee continues to monitor the investment portfolio for compliance with the investment policy and make any adjustments that are required in consultation with our investment consultants.

At the end of March, the portfolio balance was about $25.6 million.

The Finance Committee approved fee schedule changes for implementation last year as you all know. In addition to implementing those fee changes, financial services redesigned invoices to better support our ARIN customers.

ARIN staff worked diligently in collaboration with the Finance Committee to develop the 2019-2020 budget, which was then approved by the Board. The Finance Committee met often during the fourth quarter, and I would like to acknowledge the significant efforts that Val and her team put into compiling that budget. Thank you, Val. Where is Val? Thanks.

The 2018 audited results have been approved by the Audit Committee and have been presented to the Board. ARIN has an annual financial audit performed by an independent outside firm to fulfill the Board’s fiduciary responsibility to this community.

The 2018 audited financial statements have been posted to the new ARIN website. And I encourage you to review them.

Finally, staff have begun work on the IRS 990 form, as Val mentioned earlier, and that will be presented to the Finance Committee for review and approval soon.

The 2018 financial results are in front of you. Registration revenue came in slightly over budget. However, our investment income was much lower than anticipated.

We experienced a loss of $1.4 million rather than the budgeted investment income of $1.4 million due to the December market correction that happened in both the US and Canada.

The Finance Committee has asked ARIN’s investment consultants for a detailed review of our investment policy, and we will meet with them next month to determine whether we need to make any revisions to our policies.

ARIN, like many of us, experienced a dramatic change in its portfolio balances in December of 2018. To put December into context, it was the most severe correction late in the year since the early 1930s.

Stock valuations in the US went from being fully valued to maybe overvalued in early December, to being undervalued or even a bargain by end of December. This impacted ARIN.

On the expense side, our expenses for the year came in $1.7 million under budget. And I will highlight some of the significant variances in the next two slides.

Rather than a budgeted $2.9 million decrease in net assets for 2018, we experienced a $3.9 million decrease in our net assets.

You can see the salaries and benefits are under budget. This occurred in a number of areas – fringe benefits uptake, training and capitalized fringe benefits.

Software and equipment support is $66,000 or 10 percent under budget, and this is attributed mainly to lower-than-expected software support costs.

Professional fees came in 15 percent under budget.

Some of the 2018 budgeted expenses have been delayed to 2019.

General office expense is $237,000 under budget due to some of our service costs being lower than expected and due also to a change in our accounting treatment for investment fees.

Legal fees are over budget by 21 percent due to some litigation expenses incurred late in the year. Some of those will or may be recoverable.

Members Meeting expense is under budget for the year due to some nonrepeatable cost efficiencies that were achieved in 2018.

Travel expense was $180,000 under budget for the year due to reduction in cost that we experienced and in some cases a reduction in the budgeted number of travelers.

ICANN expense is computed by the RIR’s treasurer annually and was lower than anticipated for 2018.

The NRO budgeted expense is also estimated based on our previous experiences, and the actual expense was 34 percent less than we had estimated.

ARIN’s investment portfolio is allocated into three distinct funds, each with different investment objectives. The Long-Term Reserve Fund was by far the largest component at $19.9 million at December 31. The Legal Defense Fund was $2.2 million at the end of the fiscal year. And the Operating Reserve Fund had a balance of $1.6 million at the end of the year.

The chart in front of you illustrates the investment portfolio balances over the past five years. You’ll note the December market correction and then the subsequent recovery that we have experienced in the first quarter of 2019.

And now for the 2019 budget. I’ll note that we have projected revenues of $21.9 million and we have budgeted expenses of $22.7 million, which would leave us with an expected 800,000 draw on our net assets for 2019.

Some budgeted expenses that I’ll draw your attention to are: Salaries and employee benefits, where we project a decrease in personnel costs due to some attrition; software and equipment support will increase over 2018 actuals, as will professional fees because we will undertake activities or projects that were originally planned for 2018.

The general office budget is increased due to the costs resulting from a rising trend of customer credit card payments. We expect routine legal fees will be less than those we experienced in 2018.

We will have ongoing litigation expenses which are unbudgeted and some of which may be recovered.

On this last slide, members meetings budgeted expenses show an increase from 2018 due mainly to the increased costs of our 2019 locations.

And finally ICANN and NRO expenses are increased to reflect our current best estimates of 2019 assessments.

Any questions?

John Curran: Any questions on the Treasurer’s Report?

(No response.)

Thank you, Nancy.

(Applause.)

ARIN Board of Trustees Report

Paul Andersen: We’ve got eight minutes because I actually don’t have a very long report. The problem with being last is that everyone before has done such a great job giving updates.

So on behalf of the Board thank you to the entire staff, of course, and community for making this yet another great policy meeting.

On some brief high-level updates about what the Board has been up to is, of course, first, we welcomed Peter Harrison, who was elected in January. So, he’s joined the Board, along with Regenie Fräser, who had been acting as an observer last year, and now have begun their term.

We have, in the first part of this year, really just been looking at how we can evolve the Board into a much more strategic role. We’ve been looking at our – first, our own internal processes to see which items really need to sit at our level at the Board and which ones are better either dealt with by staff or other members of the community, which is why you’ll see programs like – so, for instance, the Fellowship Program that you all know and love, actually this is its last meeting.

Don’t worry, that’s because a greater and better new Fellowship Program will be coming in the future months.

And that will be a program not necessarily Board committee anymore, but it will be in conjunction with the staff, the Advisory Council, as we look – what is the Fellowship Program hoping to accomplish? What measurable goal will let us know that we’re getting success out of that program. We’ve had great success so far, but how can we enhance it even further?

The same thing with the grant program which we’ve just finalized as of this meeting – coming soon, the training programs which you’ve heard of through Susan.

And that’s just something we’re looking – we’re just looking at all the programs to see that we have today, which ones are working well and that we need to put more energy in, which ones have maybe lived their time and they’re not performing as well anymore, or have served their purpose and make sure that we can continue to invest in more and exciting programs.

The other thing I’ll just leave you is what really now will take up the bulk of our year, before you see us next time, is our strategic planning process.

We had a bit of a kickoff meeting here in Barbados towards, what is normally in August, our multiday strategy session, where we help as a Board, with management, create the strategic plan that will basically try and answer the question: How do we see ourselves in the coming years?

And that’s while a very intense process between the staff and the Board, it’s not one that’s just confined to us.

So, please, if you have ideas or suggestions of things that the Board should be looking at in this kind of strategy process, grab somebody at this table while you’re still here or drop an email and give your thoughts.

We really do look for that input. It’s very valuable, and we’ll be looking to see what topics we want to challenge in the coming years.

And that’s really – I’ll double-check my notes – all that I want to hit. So with that, if there are any questions, I would just defer directly to Open Microphone.

Our last Open Microphone and point before our break. Don’t rush all at once.

Open Microphone

John Curran: Microphones are open for Open Microphone. Anything you might have. Anything that wasn’t covered in the prior days.

Paul Andersen: Stump the Chair. Stump the staff. Stump the CEO. Name that tune. I can name that tune in three notes.

Far microphone. If you want, come up here after; it’s blinding up here. Far microphone over there. I’ll start with there and then go across.

Mike Arbrouet: My name is Mike Arbrouet, first-time Fellow, from Pensacola, Florida. I just want to say thank you to ARIN to have me here as a first-time Fellow. Last year I ran as an outsider for council, and it was Louie Lee and Louie Lee’s hat over there.

I did not win. But I learned quite a lot. And I came back as a Fellow, and it was an eye-opener to all the good things that are going on with ARIN.

And hopefully in the near future, as I learn about how the inside work of ARIN, I’ll run again and maybe I’ll win.

I just want to say thank to the ARIN staff, especially Wendy Leedy. I don’t know if she’s around. She did tremendous work.

(Applause.)

And communicating with us all the details about coming to Barbados. And I can tell you what, because of the information we received our stay here has been quite an experience. We enjoyed it so much, so thank you.

And I have one comment for ARIN and the ARIN Board of Directors. Yesterday there was a report about RPKI. And I’m part of the InfoSec community, you can say that.

And one thing I think is lacking with ARIN and the ARIN meetings is having engagement with the InfoSec community. I don’t know if you guys have that or not.

So I would highly encourage that engagement. And we’re an open community as far as information security. And it would be tremendous to have an ARIN Help Desk or somebody – let me put it this way, ARIN InfoSec ambassador to meetings like Defcon – and I go to all these meetings, and I’ll tell you what, I’ll be one of the volunteers to carry that hat for ARIN.

So that’s one thing I’m seeing that’s lacking. Conversation like RPKI can have tremendous support from the InfoSec community. So I highly encourage you guys to think about that and work on that.

Paul Andersen: That’s a great suggestion. We’ve done a lot of outreach in the past, especially on v6 adoption. Maybe there is some conferences.

Those are some great suggestions although we’ll have to get the disposable laptops ready for Defcon.

(Laughter.)

John Curran: I’ve spoken at Defcon. I’ve been at Black Hat. We do InfoSec; we’ve had an engineering team there as well. Come up to me, tell us what conferences you want us at.

Paul Andersen: Those are great suggestions to ones we can attend.

Do you have another question?

Mike Arbrouet: No, that’s it. Thank you.

Paul Andersen: Thank you very much.

Middle mic.

Richard Hamilton: Good morning, everyone. My name is Richard Hamilton, a first-time member. Fellow. And I’m representing Digicel.

I want to also say thanks for the opportunity to be here. It’s a wonderful opportunity, for the first time on the inside looking at how these policies are actually administered.

Usually we’re on the outside making the requests but not necessarily seeing how the policies are taken care of.

I have just two comments that I’d like to share. And one as it relates to the IPv4 shortage and the monetization situation.

I personally don’t believe ARIN should venture into that area, trying to monetize from the shortage, being a nonprofit organization.

I think we should more likely be on the forefront, trying to defend those agencies that legitimately seeking the shortage – shortages and protecting those entities from those who are hoarding the info or the resource and trying to monetize it –

Paul Andersen: Are you talking about the resources that come back into ARIN and then reallocated, or are you talking about addresses that have already been allocated?

Richard Hamilton: Resources that have been allocated. And the area I’m looking at is where persons who want to make money from it, they may join the waitlist or they may come in as a new company, requesting the resource and then try to sell it after a couple of years.

I personally believe we should have a class that protects this shortage at this time, to say, if you come in and you get this resource at this point, then you can’t sell it back. Eventually you’ll have to put it back if you don’t use it. And that will protect those who are legitimately seeking this shortage – shortages at the moment.

Paul Andersen: So you’re advocating for the waitlist policy, restrictions on transfers and the ability –

Richard Hamilton: Exactly, at this point.

Paul Andersen: That can be passed on to the AC. Thank you.

Richard Hamilton: And as it relates to RPKI, I am really – I really like the fact that we’re pushing in that direction. And I also believe that if we have the agreement where entities sign to say, okay, ARIN does not take responsibility where the servers are not available, and you should protect yourself now using the far back routing, persons just agree to that. And the most we could do is have something on the website which constantly, maybe, inform or update – send updates to people to say, we’re still not responsible and you’re responsible for protecting yourself when the servers are offline.

Because as you mentioned yesterday, John, there’s no way we can implement it and then shut it down to say, we’re testing. That’s just not a feasible approach.

Those are my two bits. Thank you very much for having me here. It’s a wonderful opportunity.

Paul Andersen: Thank you for having us and thank you for the feedback. Far microphone.

Cathrona Samuel: Good morning. Cathrona Samuel, Antigua Public Utilities Authority, returning Fellow. I’d also like to commend ARIN on the Fellowship Program. I would have been a Fellow for the first time at ARIN 41, and I remember coming in with a very vague understanding of issues, such as the importance of the deployment of IPv6, and leaving with much more insight and much more understanding.

And I really see that a lot of time and effort has gone into planning this experience for us as Fellows and ensuring that we’re exposed to as much as possible.

I was very happy to hear that you will be revisiting the Fellowship Program. And I’m really confident that what is coming out after that will be more insightful and more engaging. And I just really want to recommend, as a two-time Fellow, that it would be really good to see more opportunities that we can continue to become involved with ARIN – maybe mapping our development track so that in another capacity we can function and contribute, and perhaps even extending the mentorship program so that your interaction with your mentor goes beyond the week that you are present.

But it has been a very meaningful experience, and I have learned a lot and grown a lot. So continue to do a good work in that area.

Paul Andersen: Thank you and thank you for the kind feedback on the program. The staff do an excellent job of executing on the Fellowship Program. I think we’re now into – is it 15 years almost now? – it’s been a long time in kind of its existence, lots of tweaks.

And, again, no one to fear, even though we are kind of discarding that program, the real goal is so we can see how can we, especially to improve the meeting as a whole, not just the attendees but also the content, how could we relook at Fellowship and make it, take it to the next level.

So if you have feedback, I know there’s post surveys for the Fellows, please get what really worked and you found valuable in there because that will be instrumental. Staff are right now doing that initial development of that new program.

Back to the far microphone.

Frank Hoonhout: I’m Frank Hoonhout, state of Oregon, second-time Fellow.

Paul Andersen: Could you get closer there, sir, so that I can hear you? Thank you.

Frank Hoonhout: I’m a little tall here. Frank Hoonhout, state of Oregon, second time Fellow. I’d like to give a shoutout to Wendy. She’s been awesome with this Fellowship Program.

(Applause.)

My first-time orientation with ARIN was with ARIN 10, and since then I’ve seen this organization really grow. And I really appreciate the top-up mentality of this organization for the policy development.

And I would like to thank you again for being a second-time Fellow.

Paul Andersen: Thank you.

(Applause.)

Thank you for the comment. Middle microphone, please.

Michael Casadevall: Michael Casadevall, NARALO. I have three comments.

So the first one is, has there been any discussion or looking at open sourcing parts of the back-end infrastructure? It would actually be very useful to be able to simulate an RIR for certain types of capture-the-flag and testing purposes, as well as being able to involve the community in helping bug fixing, security fixing and so forth and so on.

Paul Andersen: So, my quick – and I’ll ask John – thinking is no, because that’s not been certainly a strategic direction with limited resources, but –

John Curran: So, you said “handing off outsourcing parts of the infrastructure?”

Michael Casadevall: No, no, simulating parts of the infrastructure.

John Curran: No, we have not. But what we’re looking at is we’re looking at a number of – with this new website and new development approach – it does open up ARIN to different approaches to use other tools for reach, not just our own facilities but, for example, content delivery.

Some of the website now is capable of being served from multiple points to be resilient from DDoS and similar, as opposed to us having to do our own DDoS mitigation for our own sites.

So we’re looking at a different strategic direction for that.

Michael Casadevall: Okay, my second question is for someone who is more interested in becoming involved with helping vet policy and so forth, what is the best way to – this is based off discussion I had at one of the lunch days – what’s the best step way forward to move towards becoming a second shepherd or getting more involved with policy development?

Paul Andersen: Oh, if only we had something –

John Curran: So, you’ve got three things you can do.

First, make sure, if you’re interested in policy, you’re on the Public Policy Mailing List, and paying attention and responding there.

Second thing, we’re launching a mentor development program which will help ramp you up if you want to have a leadership role, such as the ARIN AC and the ARIN Board.

Third, when the election comes, run for the ARIN AC. Got it?

Michael Casadevall: Okay, and I can’t remember my third one, so I’ll come back.

Paul Andersen: I’ll just add, we’re going to close the microphone – the queue in one minute. You now should approach the microphone if you want to speak.

We’re going to the far back microphone.

r. LeVere Harper: Hi, r. LeVere Harper, Mondo Media, ISOC BB. I just want to say two things. Thanks for this opportunity to acquire the knowledge about ARIN and for choosing Barbados. Thank you very much.

And this one goes to John Sweeting about beta testing program. So if I could get – I’ll be e-mailing you as soon as possible, probably as early as next week to find out more information on that because that sounds very interesting, about beta testing as it relates to this forum.

Thanks again for coming to Barbados.

Paul Andersen: Thank you. If you are not presently getting out of your seat or starting to type on remote participation, the microphones are now closed. Please now let’s just flush out and we’re going to go over there.

Janeel King: Good morning, everyone. My name is Janeel King, and I am from the Internet Society Barbados Chapter. This is my first time here and I am having a blast.

(Laughter.)

I’m standing up here because I consider myself a novice. There’s a lot I do not understand, but I was embraced by the ARIN members. And I’d like to take this opportunity to thank some of them who stood out in that embrace.

I’d like to apologize for John because I can’t remember your surname –

Paul Andersen: Curran.

Janeel King: But you’re over there.

Paul Andersen: Oh, Sweeting. Too many Johns.

Janeel King: Right, John. But I’ll go on. I’d like to also thank Tanya Gomez and Sarah Ba at the front desk. They were really awesome.

I’d like to also thank Hollis Kara, Wendy Leedy, Peter Harrison, Regenie Fräser and Alicia, who was a former member of the Internet Society Barbados Chapter.

(Laughter.)

I know, I know, I know. So I’d like to thank those persons for their love and appreciation.

I’m looking forward to applying for Fellowship. I was told last year to apply by a certain point. But now I came today – I understand now, so I’ll be applying. So, one love, everybody, and thank you for having me.

Paul Andersen: Thank you for the comment and kind words.

(Applause.)

Front microphone. Remote participant I believe.

Kerrie Richards: From Jason Schiller, comment to the Board of Trustees Report. “Please keep working expeditiously to remove barriers to RPKI adoption. Please keep working to work down the CSP IT acts. Please keep working to get us useful IRR that is tightly coupled with Whois and address allocation and assignment revocation and ARIN Online.

Raise my fees if that’s what it takes or needed to keep making progress.

Channeling my former coworker, Michael Joseph, I lament the lack of a service document. This work is important.”

Paul Andersen: So, obviously the Board itself, and you probably would not want us writing the RPKI software or doing the legal review, that’s just trouble. But certainly we try and help the CEO, the present CEO do that kind of optimization.

Certainly RPKI specifically, and there was a lot of stuff, Jason, you had on that list, many of them that we have a strong focus on, but certainly I can assure that RPKI and the issues that have been raised in the community are front and center.

It’s pretty much been a topic at every Board meeting this year, and I suspect will be at every Board meeting going forward. I don’t know John if you wanted to add on to any of that.

No? Okay. But, yes, thank you, Jason, for the comments. And, yes, also I lament the lack of service document.

I’ve forgotten where I am, so I’m going to go over there.

Owen DeLong: Owen DeLong, ARIN AC. I want to go back to the lady that commented on a continuing relationship between mentor and Fellow.

I can’t speak for the other Fellows. There’s no official provision at this time. I think it’s a great idea. Certainly any of my Fellows are welcome to contact me and keep in touch after. Some of them have. Some of them haven’t.

In one case I’ve known him long before he was my Fellow. So it’s all good. I think that’s to be encouraged. I encourage other mentors to encourage their Fellows to do so.

Paul Andersen: Thank you. Front microphone.

Robert Seastrom: Rob Seastrom. I’ve mentioned this informally, but I’d like to make this request formal. I believe it would be constructive to have our first Open Microphone session when the meeting is not well over two-thirds of the way done.

It’s really good for bringing things up for hallway track discussions.

Our first open mic is Tuesday night. I would really appreciate one on Monday and possibly even earlier in the day than end of the day.

Paul Andersen: We can certainly look for that for October, although that is, of course, a shortened meeting. Thank you for that.

David Farmer: David Farmer, University of Minnesota, ARIN AC. Plus one to the services document, please.

And then to note there isn’t a good way to simulate a IRR, but there’s the OT&E environment or the test environment that ARIN has. So if you want to play with an IRR environment, there’s something you can play with.

Paul Andersen: Okay, thank you for that.

The last comment, sir, goes to you.

Rudi Daniel: Rudi Daniel. I’m a Fellow and I’m from the region, Saint Vincent and the Grenadines, which is kind of the next door island.

First of all, I want to shout out David Farmer as my mentor. He’s been great. I’ve just been keeping an eye on him. It’s great.

(Laughter.)

My first Fellowship was at – the first time we went to San Antonio. So how long ago was that? I can’t remember.

Paul Andersen: I don’t want to think about how long ago it was, is the problem. Let’s call it last year just to be safe.

Rudi Daniel: I was kind of missing for a few years and then came back. It’s really great to see the improvements. There have been massive improvements in the ARIN infrastructure and the people who have been contributing to ARIN also.

And it’s great to have had the opportunity to facilitate some of the region’s finer persons who have now joined ARIN, both on the AC – on both committees in fact. So, it’s been great to contribute in that way.

I’ve noticed that you’re going to reprogram the Fellowship and I think that’s a good thing. I’ve also noticed that that also has been happening at ICANN. They’ve sort of reformatted the whole sort of Fellowship Program, which I think is – I think it’s very necessary because the expectation of Fellows just ramps up as we move along.

And the Fellows that I’ve been with this time around have been just fabulous. I’ve enjoyed being with them and I want to give them a little clap.

(Applause.)

That’s about it. Thank you very much.

(Applause.)

Paul Andersen: Thank you. So that closes Open Microphone. Before I get shoved off stage, I do want to take – say a few thank yous, of course.

First, thank you to the staff that pulls this off. I think people don’t realize how much effort goes in because it’s such a well-oiled machine now, especially when you get to some of these locales and such like that, where there’s a lot of coordination to get equipment here, get everything set up and make sure everything happens on time and changes.

So, special thanks to the entire ARIN staff that have pulled off, once again, a very successful meeting.

(Applause.)

And my special thanks to the scribe of this meeting, because not only did they have to put up with my fast talking, they’ve had to put up with me coughing into the microphone every two seconds. So, I look forward to the transcript on that one.

(Laughter.)

Just a reminder, again, just even though it’s April, October comes fast, and we are getting into the process very, very soon of looking for people in that leadership.

While we do have a leadership program, if you have been thinking of whether or not you might want to run for the Advisory Council or for the Board, please feel free to reach out to any of us on that, if you have questions about what’s involved, either here at the meeting or offline.

And I do encourage you all to consider, if there’s a way that you think you can contribute, to put in. This community only works with you, the volunteers in this community. And my thanks to all the volunteers again for making this one of the easier jobs at the organization.

So thank you very much. And with that we’ll see you in Austin.

(Applause.)

Members Meeting - Closing Announcements and Adjournment

John Curran: Okay, with that, it’s my honor to close the meeting. And we’ll do that most expeditiously.

One last time, let’s thank our network and webcast sponsor, C&W Business and Google. Thank you.

(Applause.)

And our meeting sponsors, Addrex and IPv4Mall.

(Applause.)

Okay, last chance, I’m going to remind you for the meeting survey. If you have an idea on how we can make this a better process, please fill it out. If you have thoughts or suggestions on what we should be doing differently, let us know.

Thank you for being a part of ARIN 43. We’re going to have ARIN in the Caribbean and ARIN on the Road going on. ARIN in the Caribbean is later this week. ARIN on the Road will happen in cities throughout the country between now and then.

And I will see you at ARIN 44 in Austin, Texas, taking place at the end of October. Thank you.

Make way for CaribNOG 17. They’re going to take this room, so we need to move out. Thank you, everyone.

(Applause.)

See you in Austin.

(Meeting adjourned at 10:45 AM)

Network Sponsor

Webcast Sponsor