ARIN 45 Public Policy Meeting, Day 1 Transcript - Tuesday, 16 June 2020 [Archived]


Here in the Vault, information is published in its final form and then not changed or updated. As a result, some content, specifically links to other pages and other references, may be out-of-date or no longer available.

Please Note: This transcript may contain errors due to errors in transcription or in formatting it for posting. Therefore, the material is presented only to assist you, and is not an authoritative representation of discussion at the meeting. If additional clarification and details are required, videos from our original webcast are available on our YouTube channel.

For an executive summary of this day of the meeting, read the meeting recap on the TeamARIN website.

Public Policy Meeting, Day 1 - Opening Announcements

Beverly Hicks: Good afternoon, everyone. It’s my pleasure to welcome you to ARIN 45. At this time I’d like to turn it over to Paul Andersen, Chair of the ARIN Board of Trustees.

Paul Andersen: Thanks, Bev. And welcome, everyone, to this unprecedented and historic meeting for ARIN. Obviously we’re all aware of why we’ve had to move this meeting from our planned meeting in April – when we hoped to see you all in Louisville – to virtual.

Before we get started, a little bit of background. This meeting obviously culminates a lot of efforts behind the scenes. Just to give the community a bit of background on our thoughts:

When it was clear we could no longer hold our in-person meeting, the Board worked in close consultation with the AC and staff, and we decided that holding a meeting in April at that time was not right – even though policy is important – but we felt many community members throughout the region were dealing with other more important things and we would push the policy process back a bit and hold this shortened virtual meeting.

In close consultation again with the AC and the staff, this meeting structure is obviously different that it is virtual and different in content and style. Specifically, we’ve just tried to – we’re just trying to hold a minimal meeting to allow us to move forward with items that are essential.

So, unfortunately, though, there will be less of some of the content that you looked forward to seeing, but we hope that you understand that part of that is just to keep our policy process moving and to allow you to move that process into your lives.

But we do look forward to feedback on this. And please bear with us. There may be the odd hiccup and all that. Of course we’ll have to rely on the underlying technology that we all work on, day and day.

Before we really kick it off, I’d like to thank the ARIN Communications team, specifically led by Hollis Kara and her entire team. I’d love to name them all, but I’m fearful I will forget some of them.

They have put countless, countless hours into trying to make this work and get ready for this under very short notice. So while normally in-person we’d hear all the applause, I’d like you all to give a little clap and thank them for all their efforts as we kick off this meeting.

So with that, let’s get ARIN 45 underway. Next slide, please.

First, we’ll do introductions here virtually in the house. We have all of our volunteers and community leaders.

Specifically from the Board, we have myself, who is the Board Chair; my Vice Chair, Bill Sandiford; our Treasurer, Nancy Carter; and our other Board members – Dan Alexander, Peter Harrison, Catherine Middleton; and of course, our CEO and President, John Curran. Also we have Steve Ryan, who acts as our corporate secretary.

Next slide, please. I believe now based on the over 100 people we have in the room that we have all of our AC here – Owen, Andrew, Kat, Alyssa, Tina, Anita, Amy, Joe, Kerrie, Leif, Robert, Chris, Alicia, Alison, and Chris Woodfield. These people put countless hours in to move the policy you see today.

Next slide, please. We also have the NRO Number Council. These people coordinate with other regions on global policy and other matters in the more global Internet scene – Kevin, Martin, and Louie. They are also present today.

So let’s get into the next – a little bit of how this meeting is going to work. Next slide, please.

So if you want to see how many participants we have, you can just hover over and you’ll see the number is in gray. Looks like we have about 97 attendees right now plus 13 of us who are behind the scenes right now running the meeting.

Next slide. Just a few rules and reminders that apply, even though this meeting is virtual. As your Board Chair, I will be acting as your Chair throughout this meeting or anyone who I designate. John Curran will be acting as the master of ceremonies to help move the agenda along.

It goes without saying that you need to continue to clearly let us know who you are and what your affiliation is regardless of whether you type that through – type in your question or comment, or if you decide to come on the audio.

And, again, ARIN requires all community participants to adhere to our Standards of Behavior. And there’s a link there on the screen in case you’re not familiar with them. I would ask all community members, new and old, to take a moment to review that.

Next slide, please. Okay. I’m going to go over just how the meeting will work from a technical standpoint and just quickly go over the agenda. Next slide, please.

So everybody has – I’m sure at some point in the last few months – been on a Zoom call. But for some of you this might be your first Zoom webinar. The client is the same but there are some different functionality that you should be aware of.

The first is that some of the controls that you’ve become used to will not be there. You can see from the bar that as a participant there’s less options for you available. Same thing – you will only be able to speak in the conference when you have been acknowledged by our moderator. So the first thing to say is that we do have a chat going on that is more familiar to all of you. You can click there right now and see and chat along.

That chat is provided for us to interact socially, raise technical issues, and communicate any issues.

Our only ask is that you please do not engage in the policy discussions there. That is not an official forum by which to engage and be put on the record.

Next slide. So if you want to send – use the chat, just click on chat. Click on – make sure you select all panelists and attendees. And you can then send a message and everybody who is here at the meeting will see it. And maybe we can, of course, overload the chat right now and everybody could just let us know where they’re coming in from today.

Next slide, please. So let’s get a little on to the how you’ll actually be able to interact with us. First, again, there’s the chat. And we’ll be moderating that based on our ARIN Standards and Behavior. Next slide, please.

Then we have our Q&A section. There will be two ways you can interact when the opportunity is for you to provide input. One will be to use the Q&A function, and one will be to actually turn your mic on and speak.

So, first, the Q&A. You can at any time during the presentation or during the opportunity click on the Q&A, type in your question. Again, please remember to note your affiliation and your name if you haven’t logged in or your name is not showing correctly.

Those questions will be queued by our moderators, who will then read them into the record for us and then they can be addressed in real time.

Next slide, please. The other way you can do is, if you wish to get into the more traditional microphone line, is to click raise hand. If you’ve raised your hand, and when the time comes for the microphones to open, our moderators will generally, in the order of which you’ve raised your hand, call on you.

You will then be presented with an opportunity to unmute yourself. So please look for that button. And at that point you will be live and be able to speak into the meeting.

If you decide you don’t want to speak, you can simply just lower your hand again. Next slide, please.

Just a bit of other housekeeping. So this is being streamed live on YouTube right now and will be recorded and posted. Do keep that in mind. A transcript is being made available in real time. And the slides are available online. And with that, I believe, next slide.

We are ready to go over – so, quick summary of the agenda. We’ll have Tina Morris come up and give a very brief docket overview. And effectively for the rest of today we’ll be dealing with ARIN policies – specifically before our break, 2019-1 and 2019-10. Next slide, please.

We’ll take a brief break and continue with the next two policies. And then we’ll have some – three very brief staff reports to give us an update on some things that they have been working on. Even though there have been some unprecedented times, staff continue and have actually had some very exciting product developments that they’d like to quickly share with you, including the Internet Registry – the Routing Registry, the IRR that just launched, RPKI update, and just the general one. And then we’ll be closing with ARIN open microphone.

If you do step away, you can keep an eye on the agenda and schedule. It’s linked there on the website. Next slide.

And with that, is there any quick questions before we get underway on how this is going and can I ask Bev and those who are watching the chat, do we look like we’re on board? I see John Curran is already looking to get in. John Curran, our President and CEO.

John Curran: Paul, I just wanted to say thank you for that wonderful opening and introduction. And we are, as you said, we’re very pleased to be able to have this meeting and hope that everyone enjoys the ability to participate even if we can’t do it in person.

And as soon as we’re sure there’s no questions, we’re going to move on to the first speaker, which will be Tina Morris doing the AC Docket Overview.

Beverly Hicks: There are no questions. You’re ready to continue.

John Curran: Tina, take it away.

Advisory Council Docket Overview

Tina Morris: Okay. Let’s see. Welcome. Thank you for coming to the ARIN 45 meeting. I want to say on behalf of the entire Advisory Council that we are really grateful for your participation here.

And the fact that this allows us to do the valuable policy work that we need to do. Next slide.

We have a really amazing Advisory Council right now. If you get a chance, please review everybody’s bios. We have such a diverse set of backgrounds. And we have everybody – not just in their day jobs – but in their volunteer in their historical job history, we really have a great, dedicated group of people that put so much time and effort and care so much about this community.

I really want to just take a minute to honor everybody. We have Kerrie Richards, Owen DeLong, Chris Tacit, Rob Seastrom, Kat Hunter, Chris Woodfield, Joe Provo, Leif Sawyer, Alicia Trotman, Alison Wood, Amy Potter, Andrew Dul, Anita Nikolich, and Alyssa Moore. And they just do a really fantastic job.

Next slide. Currently, since – policy activity since ARIN 44 – is we’ve sent six items to the Board of Trustees. The Board adopted them all on January 22nd, and they were implemented by staff on March 31st. There’s obviously always a slight delay while staff ramps up and gets prepared to implement a new policy.

Next slide. We’ve received 10 new proposals. Two are withdrawn by the author. This can happen for a number of reasons. In this particular case, one policy, when we were talking it out, it was covered by other work that was being done. And in the other case, it was more appropriate as a suggestion rather than a policy change.

Two of our policies, two of the 10 have also been classified as editorial changes. This happens when we’re cleaning up language but there’s no change in the function of the policy. We’re just making adjustments. There are six policies currently under discussion as draft and Recommended Draft Policies. Next slide.

Five Recommended Draft Policies are in the works. These are important to look at because these policies may go to Last Call and the Board after this meeting. This may be the last time you see these. So please pay extra attention to these policies as we discuss them. Make sure they meet the community needs and express your support or nonsupport. This is critical feedback for the Advisory Council.

Next slide. We have three draft policies. These are still works in progress. The language may change before they move forward or they may not move forward after this meeting. We absolutely still need input on these, but these will have to go to another meeting before an action can be taken.

Next slide. We also have an edit change, another editorial change, just the language change for the PPML – I’m sorry, for the NRPM. And we have three new proposals that are brand new and just starting to get work done on them. We will also discuss those. Next slide.

One other thing before we go into questions. I wanted to mention. We have implemented, as the Advisory Council we were talking at the beginning of this year and we decided a lot of things we were kind of waiting for, we’re hearing discussion about the PDP being difficult to understand, the NRPM maybe having some language inconsistencies, things like that that we knew where it could be better.

So we formed three working groups with the Advisory Council. One is focused on NRPM. One is the Policy Development Process. And another is reviewing the last three years of Policy Experience Reports. These groups are working with the community and with each other.

Each group has at least four members from the Advisory Council. And they are reviewing this. So in the case of like the NRPM, they are reviewing it, looking for things that are overly difficult or language that doesn’t make sense.

In the Policy Development Process, they’re reviewing that to make sure it’s fair, it makes sense, that we’re not making it overly burdensome for the community. And the policy experience report is an important one because that comes, those are reports from RSD that tell us what they’re seeing customers have problems with.

And we want to make sure that nothing was overlooked there that we could correct. So a lot of the policies that are coming forward now are from those three groups. If you have anything you want to contribute to these groups or input, they would love to hear from you.

And they are also sending updates out to PPML, as appropriate, looking for feedback. So please give feedback when possible.

And that’s all I have today. Any questions?

Beverly Hicks: At this point, I still don’t have any questions listed in the Q&A. And no hands raised.

Tina Morris: All right. Great. We can move on.

John Curran: Thank you, Tina. And we’ll move right on.

Our next speaker is going to be Kat Hunter doing Recommended Draft Policy 2019-1, Clarify Section 4 IPv4 Request Requirements. Go ahead, Kat.

Kat Hunter: This is ARIN-2019-1: Clarify Section 4 IPv4 Request Requirements. Next slide, please.

Myself and Amy Potter are the Advisory Council shepherds. This started out as a proposal last year, January 2019, was moved to Draft Policy the following month.

After the meeting in April, it was moved to – after the meeting in April it was moved to recommended in July of 2019. It was reverted back to draft because there was discussion in the meeting in Austin that we wanted to add some merger and acquisition language.

So we moved it back to draft so we could make the necessary changes within Section 8, and then moved it back to recommended status just last month, after a few staff and legal reviews.

This was presented twice last year, ARIN 43 and ARIN 44. And the latest version was May 18th, 2020.

Next slide. So Staff and Legal Review. Summary. Staff understanding. ARIN 2019-1 would restrict organizations that are involved in 8.2, 8.3 and 8.4 transfers from applying for IPv4 addresses from the ARIN waitlist for specific time periods. Specifically, it adds 36-month restriction for source organizations, and 90-day restrictions for 8.3 and 8.4 recipient organizations.

Additionally, it specifies that 8.3/8.4 recipient organizations and 8.2, 8.3, 8.4 source organizations will have any current ARIN Waitlist requests removed.

Next slide. Staff comments. The text is clear and understandable and can be implemented as written. All previous staff suggestions have been accounted for.

Next slide. Legal assessment. The policy as written creates no material legal issues. Resource impact: Minimal. Could be implemented within three months. The following would be needed in order to implement – staff training, updated guidelines and internal procedures, standard documentation updates.

Next slide. And now for the AC presentation.

Next slide. So there were two policy goals. These haven’t changed since the beginning. It’s to clarify the waiting period to only prohibit requests for IPv4 allocations under Section 4 of the NRPM and to also disallow organizations that have transferred space to other parties within the past 36 months from applying for additional IPv4 space under Section 4.

Next slide. So this is the current language. This actually hasn’t changed since the last meeting. There were some discussions during the last meeting that there needed to maybe be some language changes for – or not language changes but additions to the 8.2, 8.3 and 8.4 sections. So when people were looking up the merger and acquisition language, you didn’t have to jump around the NRPM to try to figure out where the relevant information was.

So I’m not going to read this but I will read the next slide, if I can get the next slide.

So the proposed new language for Section 4, again, this really hasn’t changed much. Multiple requests are not allowed: An organization currently on the waitlist must wait 90 days after receiving a distribution from the waitlist or IPv4 number resources as a recipient of any transfer before applying for additional space.

ARIN, at its sole discretion, may waive this requirement if the requester can document a change in circumstances since their last request that could not have been reasonably foreseen at the time of the original request, and which now justifies additional space.

Qualified requesters will also be advised of the availability of the transfer mechanism in Section 8.3 as an alternative mechanism to obtain IPv4 addresses. Restrictions apply for entities who have conducted recent resource transfers. These restrictions are specified in Section 8 for each relevant transfer category. That last sentence was added so that people would know to go to Section 8.

Next slide. So these are the – the extra text that was added to 8.2 and 8.3. So the proposed new language for those sections, add the following under 8.2, mergers, acquisitions and reorganizations: An organization which serves as the source of an 8.2 IPv4 transfer will not be allowed to apply for IPv4 address space under Section 4.1.8, ARIN Waitlist for a period of 36 months following said transfer unless the recipient organization remains a subsidiary, parent company, or under common ownership with the source organization.

So that covers Section 8.2. 8.3, add the following under 8.3 transfers between specified recipients within the ARIN region and under the conditions on the source of the transfer: The source entity – excuse me – the source entity will not be allowed to apply for IPv4 address space under Section 4.1.8 ARIN Waitlist for a period of 36 months following the transfer of IPv4 address resources to another party.

Under conditions on the recipient: If applicable, the recipient will be removed from the ARIN Waitlist and will not be allowed to reapply under section 4.1.8 ARIN Waitlist for a period of 90 days.

Next slide. Okay. So these were the additions to 8.4 and 8.6, for further clarity.

So add the following under 8.4, transfers between specified recipients within the ARIN region and under the conditions on the source of the transfer: The source entity will not be allowed to apply for IPv4 address space under Section 4.1.8 ARIN Waitlist for a period of 36 months following the transfer of IPv4 address resources to another party.

Under the conditions on the recipient: If applicable, the recipient will be removed from the ARIN Waitlist and will not be allowed to reapply under section 4.1.8 ARIN Waitlist for a period of 90 days.

So, there was also some discussion that how do we fit in the waitlist restrictions? And there really wasn’t a section for waitlist restrictions. So we ended up suggesting and submitted to PPML – and everyone seemed to be on board with this – to add Section 8.6, which would actually be waitlist restrictions. Any organization which is on the waitlist and submits a request to be the source of a transfer under any provision in Section 8 will be removed from the waitlist.

We also added this section so if there were any other waitlist restrictions, they could just be built into this section and it kind of could just get taken care of inside this policy.

Next slide. So points of interest. This proposal incorporates two related policy goals, which were stated in the beginning. I think during the very first ARIN meeting that this was presented at, it was approved by the community that it was a good idea to incorporate the goals.

There have been updates to Section 4 since the beginning of this work. But we have updated the policy to come in line with all of those changes since the changes were made.

There was significant community support to change the word “repeated” in the text as it was vague. And additionally there were concerns that a company may perform an M&A transfer to itself/parent company and the original proposed language would exclude those companies from being able to apply to the waitlist.

So, that was during the last meeting in Austin. We didn’t want people to get confused with what happens with the M&A transfers and how do we handle that. So right here this section is why we moved it back to Draft Policy, to rework the language, make sure that the AC wanted to remove it back to recommended, because there were too many other sections that were being touched. We didn’t want it to stay recommended without really going over it.

Before the last Staff and Legal Review, the Draft Policy did not include the removal of pending ARIN Waitlist requests for organizations that act as a source organization for 8.2, 8.3 and 8.4 transfers. And that was remedied, like I stated in the previous slide, with Section 8.6. So that covers that.

And the most recent staff and legal that I presented in the beginning is the resulting staff and legal after all of this had gone through.

Reception on PPML has actually been excellent. So next slide.

So, thank you. And that is all I have for 2019-1. If anybody has any questions or discussions.

Paul Andersen: Thank you, Kat. So the way this works, which is slightly different than our in-person meeting, is it will be going to the Q&A first. It’s been piped in. And then we’ll be looking for raised hands.

So, I believe we have our first Q&A that came in just literally as Kat finished. So, Beverly, who will be helping me throughout the next two days.

Beverly Hicks: We have a statement from Owen DeLong: I support this policy as written. It closes some unintended loopholes in previous language. These additional restrictions on the waitlist should help reduce its attractiveness as a target for fraud.

Paul Andersen: Thank you, Owen, for your comment. And just as a reminder, and I know there’s no place for it in the Q&A, just put your affiliation. I know we won’t have our traditional that way. So thank you for that. That’s the only Q&A we have now. Do we have any raised hands, Beverly?

Beverly Hicks: At the moment we have no raised hands. If anyone would like to raise their hand to speak, they can.

Paul Andersen: We’ll give the virtual queue about 20 seconds. Thank you, Owen, for affiliation, ARIN AC, just for the record. We’ll give about 20 seconds. If there’s no comments –

Beverly Hicks: We have an additional typed comment from Kevin Blumberg at The Wire: In support as written.

Paul Andersen: Thank you, Kevin. If you wish to speak on this proposal or comment on this proposal for the ARIN consideration, AC consideration, please now start typing Q&A or raise your hand so that you can be – I think we have a raised hand.

Beverly Hicks: We do have a raised hand. And so I’m going to unmute – actually I’m going to jump over real quick and let you know that we do have a typed answer that – Joe Provo from Google, ARIN AC, support as written.

Paul Andersen: Thank you. Okay. Let’s try the historic first interactive response.

Beverly Hicks: Great. Mercia, I’m going to allow you to talk. You should be able to speak now.

Paul Andersen: State your name and affiliation and your comment, please.

Mercia Arnold: Good morning. Can you hear me?

Paul Andersen: We can hear you.

Mercia Arnold: Oh, very good. Wonderful. I’ve typed it. The question is whether there’s any history on the number of instances where this policy has occurred or would have impacted prior to the policy change. I’m going to send it.

Paul Andersen: So I think if I heard it correctly, you’re asking how many times this policy – the issue is the policy experience report flag has occurred. I don’t know, John Curran or John Sweeting, if we have that data available handily. I’ll turn it over to either. John, you are muted. Could you repeat that?

John Curran: This is John. It’s hard for us to know. We don’t track how a policy would have been implemented before it’s implemented. So we don’t know whether people would have – how many people would have been deterred if this had already been adopted.

Paul Andersen: Did that answer your question? I’m sorry if I got your name wrong. Is it Mercia? You’re muted if you’re still there.

Okay. We’ll move on. Let’s go back to the Q&A.

Beverly Hicks: At this point, I have a statement from Adam Thompson at MERLIN: I’m satisfied there’s been enough oversight during this process. I’m okay with the proposal as written.

Paul Andersen: We’ll take that as support. Thank you.

Beverly Hicks: And from Celeste Anderson from Pacific Wave: I support this as written.

Paul Andersen: Thank you for that support. Is there anyone who would like to speak on this who might be opposed to it, who would like to give some feedback to the AC.

John Sweeting: Yeah, Paul, this is John Sweeting. I just want to say we don’t have numbers for that, but it was enough of an issue that staff felt it needed to be raised up as an issue for the AC to look at. And they felt it needed to be fixed, and this should be fixed.

Paul Andersen: Thank you. We’ll give another 15 seconds here just to allow people typing because unfortunately we can’t see whether you’re typing a question. And at that point we will close the queue.

Beverly Hicks: We have one additional – I’m going to butcher names today. Ross Tajvar of Atlantic Metro: Am I reading the policy correctly, that organizations are removed from the waitlist upon requesting a transfer even if the transfer is not approved?

Paul Andersen: Kat, do you want to address that for us?

Kat Hunter: I actually would need to look at that, believe it or not.

Paul Andersen: While you’re looking at that, I’ll take a queue here. There was a question about that there was no affiliation. Again, it was Mercia Arnold that gave the audio comment for the person that asked. Mercia, if you could just type your affiliation in the Q&A, we’d appreciate it, just for the record.

While we’re giving Kat a chance to look up on that, we’ll come back to that question from Ross. So why don’t we take Chris Woodfield’s comments, Bev.

Beverly Hicks: Chris Woodfield from ARIN AC, Twitter: Original author of this proposal, happy with the extensive edits and support as written.

Paul Andersen: Okay. Owen, can we unmute Owen DeLong, if possible? He would like to comment on this.

Beverly Hicks: Absolutely.

Paul Andersen: Owen, could you raise your hand, please? That makes it easier for us. There you go, Owen. Go ahead.

Beverly Hicks: Owen, you have your own control now.

Owen DeLong: Not to steal Kat’s thunder, but as I read the proposed policy, the person requesting a transfer out would be removed from the waitlist upon request of the transfer out, regardless of whether the transfer out was successful or not, because if you are offering to supply IPv4 addresses in a transfer, it is somewhat indicative that you have addresses you don’t need. And so it doesn’t make a lot of sense that you would be remaining on the waitlist needing additional addresses.

Paul Andersen: Okay. Kat, did you want to add anything – sorry, Kat and then John. Kat, did you want to add anything, although I’m pointing down like she’s there.

Kat Hunter: I agree.

Paul Andersen: John Curran wants to add something.

John Curran: I agree as well. And we’ll confirm the policy text is implemented that way. If it turns out it’s otherwise, we’ll bring it back to this group.

Paul Andersen: Just as a point of order – thank you, Mercia – Mercia Arnold is with TOG, Vice President of Risk Management. Thank you for your interaction and welcome.

I believe we’ve answered all our Q&A. Is there anyone else with their hands up? Please bear with us as we get used to this because we can’t see –

Beverly Hicks: It appears that we’re cleared.

Paul Andersen: I’ll give 10 more seconds. If we see nothing in 10 we’ll close and go to our poll. Hearing none, going last, going last. Seeing none, we’re closing the queue.

We thank Kat for her presentation. And at this point we are going to try our first poll. So typically if we were in an in-person we would do a show of raise the hands for those who are either in support or against. And as this is Recommended Draft Policy, we’ve always held a poll for that.

At this time we’re going to attempt to make use of Zoom’s poll functionality. In a few seconds hopefully a poll will hopefully pop up on your screen.

Beverly Hicks: I’m sorry, can you state the number of policy that we’re looking at to make sure we’re launching the right poll?

Paul Andersen: 2019-1.

Beverly Hicks: Thank you very much.

Paul Andersen: So the question is: Are you in favor or against, yes or no, of this policy advancing. And this feedback is used by the Advisory Council to make a determination on whether or not to forward it to the Board for approval.

So, if there’s no further input, we’re going to try this and ask you all to on the question. The question is on ARIN 2019-1, clarify Section 4 IPv4 Request Requirements. It asks you to answer on the poll. We’ll keep the poll open for 30 seconds to allow you to answer.

Beverly Hicks: Give us two more seconds.

Paul Andersen: I’ll just give the 30 just to be sure. We might type this up for future polls, but since it’s our first we’ll – Andrew Dul is asking for the bad jokes and the music. I’ve told the staff I would keep my jokes to a minimum.

John Curran: I can accommodate that if necessary.

Paul Andersen: Nobody wants to hear me sing.

Okay, last chance, last call. Please answer the poll. Let’s close the poll, please, now. And in a few seconds, Beverly, I’d ask you to give us the results of the poll indicating how many people are present at the meeting right now and how many people were in favor or against.

Beverly Hicks: Yes, at the close of this poll there were 108 attendees. 56 voted in favor and one voted against.

Paul Andersen: Thank you. That’s a very great participation rate. So that feedback will be provided to the Advisory Council for their consideration. And with that I’ll turn it back to John to introduce our next presenter.

John Sweeting: This is John Sweeting. You’ve had a couple of comments that there’s no poll on the web client, from Joe Provo and Louie Lee, particularly.

Paul Andersen: Okay. Let us take that under advisement. If you were unable to vote for any technical reason, I was going to make a decision on the fly here that could you just send a chat – don’t need to send it to all panelists and attendees, if you could just send it to all panelists, and we’ll try and accommodate that number and make an adjustment if possible. If required, we’ll repoll.

But thank you all. I should say thank for putting up with this – it’s very new for all of us on trying to accommodate what is normally an in-person process virtually. So I think that went very smoothly.

Beverly Hicks: Paul, I just wanted to add that for future polls we’ll leave it open a little longer because it seems that people may need a minute. But that on the web client, it opens in a separate window. And so you may have just missed that it was in a separate window.

Paul Andersen: Or your pop-up blocker blocked it.

John Curran: Or your pop-up blocker needs to be modified.

Paul Andersen: Can you rerun the last poll, Beverly?

Beverly Hicks: I can absolutely.

Paul Andersen: Can we pop it up – this is not anything, but if everyone can see if their pop-up blocker is maybe kicking in on the web client. Just give everybody a small chance. I apologize for this. Just trying to work through these little issues. This is just a test, as they would say.

If you’re on a web client, please try and see if you’ve got a pop-up blocker. Let us know if you may be seeing that window.

John Sweeting: This is John Sweeting. Alyssa Moore indicated it only works on desktops. So information out there for people that are trying to get in.

Paul Andersen: We also know, Kevin indicated it was a separate window on the web client. So if you’re not seeing it on your web client it’s probably your pop-up blocker.

Okay, so we can put that poll away. That was just a test. If you’re still having problems, please reach out to the all panelists. Don’t need to put it out to all attendees. And staff will try to help you out. Hand it over to John.

John Curran: We’ll move on. We’re just a touch ahead of schedule. But not a problem. We’ll keep going.

Our next policy is Recommended Draft Policy ARIN 2019-10. And Rob Seastrom is our presenter. Rob, go ahead.

Robert Seastrom: Thank you, John. As John just said, this is Recommended Draft Policy ARIN 2019-10: Inter-RIR M&A. It’s lagging a little bit there. Sorry.

So the history of this Policy Proposal, Kerrie Richards and I are the Advisory Council shepherds.

The proposal was submitted a year ago last April, on April 9th as Proposition 270. Became a Draft Policy on May 21, 2019. Recommended September 24, 2019 and presented at ARIN 44. The last version contains updates for clarity that came out of a working group and did some language smithing.

Staff and Legal Review: Staff understands the intent of the Recommended Draft Policy is to clarify handling M&A transfer between RIRs that have compatible transfer policies. The proposed change would not be a change from current practice but the policy change would make our implementation of the current policy clearer.

Staff comments: The updated text in 8.4 more accurately clarifies staff interpretation of how M&A transfers are processed. Staff suggests changing the second bullet under conditions on recipient of the transfer to read specified recipients within the ARIN region must meet the transfer requirements as defined in Section 8.5 to clarify that M&A recipients are outside the scope of 8.5 policies. The text is clear and understandable and can be implemented as written.

Legal assessment was that while ARIN staff has been handling these situations successfully, the proposed policy change would not materially increase ARIN’s legal risk and should be considered if consistent with the community’s intent for ARIN’s handling of these requests.

Resource impact is minimal. Could be implemented within three months. The following would be needed in order to implement: Staff training; updated guidelines and internal procedures; standard documentation updates.

All right. So the title slide for the AC deck, Inter-RIR M&A.

The problem statement is that when M&A activity takes place, it takes place without regard to where the business’ assets are domiciled or situated, and the surviving legal entity can be in another location. Could be on another continent. And it may serve everybody’s interests to have the servicing of the number resources be moved to a different RIR.

So here are some examples. What if a company has decided to discontinue service in the ARIN region? Shut down the offices, let the employees go, and no more customers in the ARIN region. But the number resources are redeployed elsewhere in this global footprint. So there’s ARIN domiciled, if you will, number resources that are currently being used worldwide.

Another example is if a global company has divested its assets in the ARIN region. Again, offices close network assets sold but some ARIN-issued resources are still in use outside of the ARIN region.

The policy statement – and I would like to draw particular attention, since they look the same – the particular change is the last sentence in Section 8.4 bullet point, conditions on source of the transfer. This restriction does not include 8.2 transfers, is changed to number resources received as a result of an 8.2 transfer out of scope for the purposes of this restriction. That’s the salient difference.

As I already read, staff and legal suggests changing the second bullet under conditions of recipient to transfer. We intend to take that as a piece of good feedback and add that before we send it to Last Call.

Any questions?

Paul Andersen: Any questions for Rob on this proposal? Please, again, either type Q&A or raise your hand and you can speak at our virtual mic.

Beverly Hicks: At the moment we don’t have any, but we’re waiting.

Paul Andersen: We’ll give it a few seconds. All right. We have our first.

Beverly Hicks: First, Owen DeLong, ARIN AC, Farsight Security: Support as written.

Paul Andersen: Thank you, Owen. Give it a few more seconds. It took everyone a minute or two to get warmed up on the first proposal.

Okay. We’re not seeing any questions or feedback. I’ll give it about – I’ve got to just keep doing that and that will obviously queue people. Go ahead.

Beverly Hicks: Celeste Anderson, Pacific Wave: If a company divests itself of all assets in an ARIN region, wouldn’t that imply that at least some of the numbering resources are no longer needed to support the ARIN region?

Paul Andersen: Sure. I’ll give that question to Rob in a second. Just reminder, Celeste, to give your affiliation and also type in the Q&A. Just have to remember.


Robert Seastrom: I’m looking to see if that request is still up there verbatim in one of the windows. And it seems to have disappeared.

Paul Andersen: I can give it to you. If a company divests itself of all assets in the ARIN region, wouldn’t that imply that at least some of the numbering resources are no longer needed to support ARIN region?

Robert Seastrom: So, yes. Let me – this is unfortunately not going backwards for me. I seem to not have control of the screen anymore. But if we were to –

Beverly Hicks: Sean, can you help him move back?

Robert Seastrom: And we’re not backing up – there we go. All right. Try this one more time.

So this slide here, where a company has decided to divest its assets in the ARIN region, bullet point two talks about network and number resources sold off. They may have been transferred along with the network assets. They may have been transferred along with the customer’s.

It’s assumed that resources would be deployed outside of the ARIN region as discussed in the previous slide – sold off, transferred with customers – that the addresses are unlikely in these scenarios to simply just not have a use anymore.

So I don’t know if that answers the question or not.

Paul Andersen: Celeste, if you will let us know maybe in the Q&A, if that answers your question. I see that the hand has been taken down.

Is there anyone else? We’ll give it another couple seconds here before we go to our poll.

Beverly Hicks: I have a hand.

Paul Andersen: Okay, we have a hand. Can we go to the hand? State your name and affiliation, please.

Beverly Hicks: Mercia, you should be able to speak now.

Paul Andersen: And if you could speak a little louder. Last time when you spoke it was a little hard to hear.

Beverly Hicks: She’s still on mute.

Mercia Arnold: Can you hear me now?

Paul Andersen: We can hear you now.

Mercia Arnold: Okay, let’s do this correctly. My name is Mercia Arnold. My affiliation is with the Obsidian Group, Incorporated, where I’m vice president of risk management and compliance. This question goes to the method that ARIN uses for providing geographically based identifiers for IPv4 resources. I’m new here, so I apologize.

Paul Andersen: Don’t apologize.

Mercia Arnold: …everything about it. In the process for providing the geographic identifiers that you use, are they assigned to the home base of the owner, or the location of the servers?

Paul Andersen: Rob?

Robert Seastrom: Do you want me to answer that, Paul, or do you want to hand that to John.

Paul Andersen: Yes, please. You first.

Robert Seastrom: Information in Whois is something that we’re always looking to have be more accurate. But the actual information that’s put in Whois is generally up to the registrant. And so you’ll see clusters of stuff if you do a heat map around the corporate headquarters of certain entities.

And geodata versus registration data, well, there are folks out there who say they have a value add for that. They have finer-grained, more correct, whatever, information about.

So I don’t know, maybe I’ll defer to John for a more correct answer for what is and isn’t in scope.

John Curran: Yes. R.S., I’m happy to answer that. So we don’t actually provide, per se, geographic identifiers. We provide IP number resources to parties requesting them and handle administration of existing blocks within the registry.

And the fact that a block is within the ARIN registry doesn’t mean necessarily it’s used within the ARIN region. We do have parties who are global, who happen to have their resources numbered at ARIN. And we also have parties that are located in the ARIN region who are using resources they’ve obtained from other RIRs.

So, these are not strictly geographic identifiers. It’s just a registry system that has five regions for convenience of administration.

Paul Andersen: We’re going to close the queues in 30 seconds. If your question has not popped up or your hand is not raised in 30 seconds, we’ll be cutting off there. Mercia, hopefully, sorry, that answers your question.

Is there anyone else that would like to raise a question? I see we have a Q&A.

Beverly Hicks: Yes. David Farmer, from the University of Minnesota: Does this policy allow transfer of IPv6 resources to another region in addition to IPv4?

Paul Andersen: Rob.

Robert Seastrom: It is not meant to change the way that ARIN currently executes that policy. It’s merely meant to make the current practice in the NRPM more clear.

And again I’m going to defer to John on the specifics.

Paul Andersen: John Curran.

John Curran: It’s actually an excellent question. As R.S. said, this doesn’t actually change the practice; what it reflects is something that we have to accommodate already, which is that realistically, companies reorganize, and we are in a situation where if a company reorganizes in such a way that its resources are outside the ARIN region, we might want to be able to update the registry to reflect that.

And it was not 100 percent clear whether policy allowed that. We do do it because we want accurate records. But what this policy does is not change the circumstances under which we operate, but makes it clear that there’s policy supporting it.

Again, we don’t stop someone from doing a merger and acquisition. They often come to us to want to update the records. It would be nice for us to be able to do so, even in the case where it may reflect an entity outside the region.

Paul Andersen: We have – the microphones, virtual microphones are now closed. We have one more question. Can we get the question, please?

Beverly Hicks: One more question from Mercia Arnold: Are the geographic-based identifiers for IPv4 and IPv6 addresses that are tied to the area the physical server, tied to the area of the physical servers?

Paul Anderson: John Curran, you want to address that?

Robert Seastrom: That question seems to be a repeat of her earlier question. I would be happy, if she were to reach out to me, I’d be happy to have an extended discussion with her about that in email.

Paul Andersen: Okay. Please reach out to the AC for that.

With that, I’d like to thank Rob Seastrom for the presentation. And we are going to go to our poll.

So, you know, a little dynamic. So we’re going to do the same thing as last time with a bit of an exception. If for some reason, due to technical reasons or otherwise you’re not able to use the native poll functionality in Zoom, we’re going to ask you to put your “yes or no” – please, a one-word answer – in the Q&A. So, we’re going to do our poll now on ARIN 2019-12 – sorry, I got ahead of myself – on ARIN 2019-10, Inter-RIR M&A.

I’d ask all those in favor of the proposal continuing to say “in favor” and all those against it advancing to click “against” either on the poll or in the Q&A. And we’ll leave the poll open for 30 seconds starting now.

Okay. Last call. And that closes our poll. And I would ask, when ready, Beverly, if you could give us the results on this proposal.

Beverly Hicks: At the close of the poll there were 108 attendees. Adding in two that we got in separate locations, we had 44 in favor and two against.

Paul Andersen: Okay. That feedback will be provided to the AC for their input. We have about 10 minutes until break, and while it’s normally not our process in an in-person meeting just to be sensitive to everyone’s time, I’m going to suggest we actually get into the next RDP proposal.

But we will do a hard stop. So if we have to stop in 10 minutes, if we’re not done, we will. And then we’ll resume on this proposal after break, John, if that works out.

Beverly Hicks: If you can hold for just a moment because we need to – I didn’t know we were doing that and –

John Curran: Slight change.

Paul Andersen: Oh, yes.

Beverly Hicks: You’ve thrown us all for a big loop. No, it’s fine.

Paul Andersen: I figured a 40-minute break would be too much. And if we come back early, people get dropped. I think we’ll just try to make use of the time. Even if we can just get the presentation done and we can leave the feedback until after the break, potentially.

John Curran: Is Joe ready for this as well?

Beverly Hicks: I’m promoting him now.

Paul Andersen: My apologies.

John Curran: You could sing, Paul.

Paul Andersen: Nobody wants that.

Beverly Hicks: On my end we’re ready.

Paul Andersen: Joe, I think the floor is yours. Thank you, everybody. And, Joe, take it away when you’re ready.

Joe Provo: Testing, testing.

Paul Andersen: We gotcha.

Joe Provo: All right, excellent. That whole change of role to panelist sometimes can throw somebody for a loop. Just had to reattach my audio devices and so forth.

Hello, everyone. As introduced, Joe Provo, I’m speaking for the ARIN AC. Myself and Chris Tacit are shepherds for this policy, ARIN 2019-12. Sort of okay that we accelerated this because it’s kind of a complementary policy to the previous one we just saw – the M&A Legal Jurisdiction Exclusion.

Next slide, please. My first time impersonating Mr. Curran in doing this intro.

This came about in – started in April of last year. So, it’s a little over a year old. The language was mostly accepted with a little wordsmithing when we got the Draft Policy.

It went to a meeting, got a lot more comments. There was a lot of activity on PPML, mostly focused on a few specifics of language and ensuring that it was not too narrowly scoped in terms of merger acquisition reorganization.

And the latest version, based on all feedback from parties involved, was cut in late January. Next slide, please.

And the Staff and Legal Review. ARIN staff understands this policy is to mean that the surviving entity of specifics will be permitted to continue holding any number resources issued by ARIN prior to said transfer regardless if they cease to have a real and substantial connection to the ARIN region. You’ll note this is complementary to the previous policy, as indicated.

Next slide, please. In addition, they will not qualify to receive any additional number resources from ARIN unless they once again establish a real and substantial connection with the region. Real and substantial connection would be decided in accordance with the ARIN NRPM.

Next slide, please. The staff comments were just clarifying that we’re sticking to the NRPM, that this is not providing any sort of – we’re not introducing a new loophole that is outside of the NRPM.

The staff would manage the resources, the same as any other resources, and just emphasizing that a new RSA would be needed to be signed by the surviving entity.

Next slide, please. The legal assessment was no material legal issues. There were no significant resource impact either. You’ll be familiar with this text, those who have been here before, because it’s pretty much what we see for a minimum-impact proposal.

Next slide, please. And then the shepherd presentation.

Go ahead to next slide, please. To revisit the problem statement. It is that a merger and acquisition activity sometimes results in a surviving legal entity that is not in the ARIN service region, but may prefer to continue the pre-existing relationship with ARIN.

Again, I said a couple times, it’s sort of complementary to the policy that R.S. just proposed where an organization in that scenario divests from the region and chose to transfer to another RIR. In this case, an organization is divesting from the region and wishes to maintain its relationship with ARIN.

So, imagine a case where a global company decided to discontinue service, shuttered its regional offices, laying off employees, canceling regional customers and repurpose network resources.

And Number Resources in the rest of the holding, let’s say it’s in Europe, and dissolves its US legal entity. In that case, this organization decided to continue its relationship with ARIN rather than transferring to RIPE. And the current policy requires the real and substantial test and this allows that legal jurisdiction exception.

So it is cited in the reviews as an infrequent corner case. That’s highlighted. I gave you one example verbally here. Further examples are cited within the policy text.

Next slide, please. And so the actual text of the policy statement has grown since it was originally put together because there were some certain concerns regarding the phrasing potentially excluding certain types of organizations.

So to be consistent, it is referring to Merger, Acquisitions and Reorganization activity, as that’s the text we use elsewhere in the NRPM. That that activity resulting in a survival entity outside of the region shall be permitted to continue holding any number resources directly or indirectly. And, sorry, allocated by ARIN prior to the Merger, Acquisition and Reorganization activity – becomes a bit wordy to say; my apologies for the pause there – but shall not qualify for any additional numbering resources directly or indirectly from ARIN unless and until it once again has a real and substantial connection with the ARIN region as required by the Number Resource Policy Manual.

A bit of a long way to say it, but the “directly or indirectly” was to address concerns people have regarding subdelegations. And the merger acquisition resource reorganization activity, as I indicated, is to be consistent with language elsewhere. And we are clarifying that this is not any sort of get out free – any sort of free pass to further resources, that this is totally about resources that were being held prior to the reorganization.

Next slide, please. And that’s where we are.

Paul Andersen: Perfect. So, Joe, this kind of works out timing-wise, because we’ve got about a minute and change until break. What we’re going to do is take our break. I’ll turn it over to John in a second to explain how that simply works.

However, the Q&A will remain open during the break. So if you do have feedback on this proposal, consider the virtual queue open. And that way you can take your time during the break after you’ve taken some time and we will address the Q&A section as soon as we come back. And you can also raise your hand during the break and we’ll get our queues all warmed up. So with that I’ll turn it over to John and we’ll go from there.

John Curran: Thank you, Paul. I’d like to, again, tell everyone thank you for participating. You can actually start your Q&A, as Paul noted, now. We’re going to resume with the discussion of the policy we just saw presented.

During the break, we won’t be here. There will just be this welcome screen up. But feel free to go get a refreshment, enjoy yourself, get out and stretch. And I look forward to seeing everyone back here 1:35 PM Eastern. Again, 1:35 PM Eastern time sharp. Thank you for participating in Virtual ARIN 45.

Paul Andersen: Thank you, everyone.

(Break taken.)

John Curran: Good afternoon and welcome back to our ARIN 45 virtual meeting. If everyone can get ready, we’d like to resume today’s program. When we left off, we had just had Joe Provo finish his policy presentation.

And we’re now going to move into the discussion phase. I’ll turn it over to our illustrious chair, Paul Andersen, who will moderate the discussion.

Paul Andersen: Illustrious, where? Oh, me, sorry.

John Curran: All yours, Paul.

Paul Andersen: Thank you to the people who lined up in Q&A. So we’ll open the microphones now.

John Curran: No audio yet.

Paul Andersen: No audio yet?

Beverly Hicks: No, you’re good. You’re good.

Paul Andersen: You never know, sometimes the airpods here sometimes die on the break. Let’s go to our first Q&A.

Beverly Hicks: I have David Farmer of University of Minnesota. Support as written.

Paul Andersen: Thank you, David. We’ll record that. Other people just request in Q&A or raise your hand, please.

Beverly Hicks: None at this time.

Paul Andersen: We will give 20 seconds, and then that will be where we close off.

Okay. Just give it another few seconds here. Let’s take the next Q&A and the microphones are closing in five seconds. Go ahead with the new question.

Beverly Hicks: Last one. Owen DeLong, Farsight Security, ARIN AC: Support as written.

Paul Andersen: Thank you, Owen. And with that, seeing no further hands raised or questions coming in, we will close this discussion and we will go to our poll. So I’ll ask our polls to get set up.

This will be on question ARIN 2019-12, M&A Legal Jurisdiction Exclusion, all those in favor of it advancing please indicate, or those against, please indicate either using the Zoom poll or in the Q&A. Give it another 20 seconds. Okay. Last call.

We’ll close the poll now and ask for the results whenever you’re ready, Beverly.

Beverly Hicks: At the close of the poll there were 106 attendees, and with additions from Q&A, we have 46 in favor and zero against.

Paul Andersen: Thank you. That feedback will be provided to the AC. And I’ll turn it over to John, to our next speaker.

Richard Jimmerson: And I’m being John right now as he’s doing a restart. This is Richard Jimmerson from ARIN staff.

Our next speaker on Recommended Draft Policy ARIN 2019-20 is Chris Woodfield. Chris, all to you.

Chris Woodfield: Hello, everybody. So this is the staff assessment for ARIN 2019-20, Harmonization of Maximum Allocation Requirements under Sections 4.1.8, ARIN Waitlist, and 4.2.2, initial allocation to ISPs. Yes, that is a mouthful.

Next slide, please. Advisory Council shepherds are myself and Andrew Dul. This was originally proposed in October of 2019. Promoted to Draft Policy in December and then again to Recommended Draft Policy in February, after PPML discussion.

This has not yet been presented to ARIN meeting. This is the first time being presented as well, but it is a Recommended Draft. So the latest version was – the latest revision of this was in December of last year.

Next slide, please. The summary of the staff understanding is that we are changing the initial allocation allowance from a /22 from a /21. And this is to harmonize the language with Section 4.1.8 that shows a /22 is the maximum allocation that can be received from the waitlist.

Next slide. Okay. Staff comments. ARIN staff understands the purpose of the policy as previously mentioned, which eliminates the contradiction. And this will effectively make the largest allocation that ARIN is authorized to distribute to a /22. Staff welcomes this clarification and will continue to allow up to a /22 as the maximum allocation distributed per policy.

Next slide. There are no material legal issues. And resource impact is minimal – training, updated guidelines, documentation.

And on to the AC presentation. I will not reread the title of the proposal. So the goal of this policy is to correct a discrepancy that identified – now, this discrepancy came in as a result of the 4.1.8 modifications that were made last year during the larger waitlist cleanup.

During that update, two things happened. First off, the maximum allocation from the 4.1.8 waitlist was changed to a /22, where previously there had been no maximum allocation there.

The other major change, and forgive me for not recalling exactly which section this was made in, but there was also a reference saying that all IPv4 allocations from here forward would be via the waitlist.

So given that the reference in 4.2.2 to initial allocations of a /21 created the conflict and required clarification.

Next slide, please. So here’s the current language of 4.2.2. All ISP organizations without direct assignments or allocations from ARIN qualify for an initial allocation up to a /21, subject to ARIN’s minimum allocation size.

Next slide, please. Very subtle update. All organizations without a direct assignment to allocations from ARIN qualify for an initial allocation of up to a /22, subject to ARIN’s minimum allocation size. So literally this is a one-character change to the NRPM.

Next slide, please. PPML feedback has been positive. I don’t believe there are any dissenting opinions on this on PPML. The community sees this largely as a no-op given the fact that all allocations are via 4.1.8. No concerns raised about negative impact from community members, and as seen before the Staff and Legal Review came back with no issues.

Next, please. So questions to ponder, as we discuss this: First off, it’s obvious that we now have language in the NRPM that says that all future v4 allocations will be via the waitlist.

If that is the case, is Section 4.2.2 still relevant? And if not, would the community still support a proposal, a future proposal to simply retire the section entirely as opposed to correcting it? So some points to ponder as we discuss this.

Next slide, please, which I believe is the questions slide.

Paul Andersen: Thank you, Chris. So the queues are now open. Just as a small point of note, please feel free to use the Q&A anytime during the presentation. You do not need to wait until I open. We simply will address them as they come.

Any feedback on this proposal? Either raise your hand or – we have a raised hand, I believe. I see Steve Ryan has raised his hand. Let’s go to Steve Ryan initially.

Beverly Hicks: He lowered his hand.

Paul Andersen: Okay, never mind. For those who don’t know, Steve Ryan is our General Counsel. When he raises his hand I have to make sure there’s not a burning issue that he needs to bring to my or your attention.

So let’s go to the other speaker.

Beverly Hicks: Okay. Kevin Blumberg, I am asking – I’m giving you permission to talk.

Kevin Blumberg: Good afternoon, it’s Kevin Blumberg from The Wire, Inc. Just a clarification, the /22 maximum allocation size on an initial ISP request is not the limit in the NRPM for an organization looking to request space through the transfer market. There are other policies that would allow for a larger allocation size. I just wanted to clarify that from the AC.

Chris Woodfield: Yes, that is understood. Thank you for that clarification.

Paul Andersen: Thank you, Kevin.

Kevin Blumberg: It was a question.

Chris Woodfield: Oh, okay. Yes, the answer to that question is yes. This only is relevant for allocations made from ARIN’s free pool, which in this case means the waiting list.

Kevin Blumberg: Thank you. I would support this as written.

Paul Andersen: Thank you, Kevin. Let’s go to our Q&A.

Beverly Hicks: Okay. I have David Farmer from University of Minnesota. Support as written.

Paul Andersen: Thank you, David.

Beverly Hicks: And I have Owen DeLong from Farsight Security, ARIN AC. Support as written.

I have Adam Thompson from MERLIN. Removing 4.2.2 could be premature. I’d rather have a dead section in there than try to recover old text if and when it might be needed again.

Chris Woodfield: May I comment?

Paul Andersen: Go ahead.

Chris Woodfield: That mindset is the reason why we haven’t modified this proposal to eliminate it all together. And the question was raised as a, would there be support for a future proposal to remove it after this proposal is adopted.

Paul Andersen: Okay. Thank you. Did we lose a question there, I thought?

Beverly Hicks: Yes, I was getting an affiliation and was going to get back to it, yes.

Paul Andersen: Sorry, go ahead.

Beverly Hicks: No problem. So I have Brian Jones, I’m sorry I don’t have an affiliation. Support as written.

Joe Provo, ARIN AC, Google. Support as written.

Paul Andersen: Flying in furiously now.

Beverly Hicks: Yes, Andrew Dul, ARIN AC, shepherd for this proposal. Note to Kevin Blumberg, I believe the initial allocation size for transfers is controlled by 8.5.4.

Paul Andersen: Thank you, Andrew. Keep going, sorry.

Beverly Hicks: Celeste Anderson, Pacific Wave. Support as written.

And Donnie Lewis, Obsidian Group, and I just lost your question. Here it is. Nope. I’m sorry, Mr. Lewis, can you retype your question? I’m sorry, it disappeared for a second.

John Curran: I can actually read the question, if you’d like.

Donnie Lewis asked: What is the formal definition of an ISP versus a service provider?

Beverly Hicks: Thank you, sir.

Paul Andersen: I think he means ISP versus end user from the ARIN perspective. I could be wrong, but I’ll let John talk to that.

John Curran: So, in the Number Resource Policy Manual, we have definitions that handle these cases. And to be clear, a service provider is an ISP, is what’s also called a Local Internet Registry. For us it’s all the same. If you primarily assign address space to users, we consider you a service provider, ISP or LIR. If you don’t, you’re an end user.

Paul Andersen: Okay. We’ll give it another 15 seconds for people who want to get in the queue in either way. If there isn’t we’ll go to our poll on this. And this will bring us to the end of the policy block for today.

That closes the queues. Thanks, Chris Woodfield, for the presentation. And we’ll now go to our last poll of the day.

So the same as before, on the issue of ARIN 2019 – oh, we have a late question. I’m going to allow it just because, you know, first day. So I’ll just, Rusty Bright asked, does this apply to end users or ISPs?

Chris, did you want to address that?

Chris Woodfield: Sorry – well, the 4.2.2 covers ISPs – initial allocation to ISPs, I believe.

Paul Andersen: It applies to ISPs.

Chris Woodfield: Right, yes, ISPs.

Paul Andersen: Okay. Thank you for that. I appreciate that. So we will now go back to our polling. My apologies to our poller.

On the question of Recommended Draft Policy ARIN 2019-20, Harmonization of Maximum Allocation Requirements under Section 4.1.8 and 4.2.2.

Please answer in the Zoom poll either in favor or against, or use the Q&A if you are unable. We’ll give it 30 seconds.

Okay. Last call. And that closes off our poll. And I’ll ask Beverly, when she’s ready, to address.

Beverly Hicks: At the close of the poll we had 111 attendees, which included 49 in favor and two against.

Paul Andersen: That feedback can be provided to the AC for their consideration. That closes off our policy block for this meeting.

We have a few staff reports today, and we’ll have some Board and community reports tomorrow. I’ll turn it over to John Sweeting to give the Internet Routing Registry Update.

Internet Routing Registry Update

John Sweeting: Can you hear me?

Paul Andersen: We can hear you, John.

John Curran: Yes, we can.

John Sweeting: All right, I kind of lost there – my controls came back. Thank you, Bev, for helping me out with that.

So, hello, everybody. I’m John Sweeting, Chief Customer Officer with ARIN. And I’m going to give you an update on our IRR deployment that actually happened six days ago, last Wednesday. And I do not have controls to move the slides.

John Curran: “Next slide” will – say it. You say it, they’ll move it.

John Sweeting: Next slide. So the Internet Routing Registry. Project Overview, we started this project back in second quarter of 2019. And the team’s been working diligently throughout that time.

There was community stakeholder involvement. We had at least three meetings that included the stakeholders providing us feedback and guidance on the requirements and the development as it went along.

It was deployed on 10 June, last week, last Wednesday. And there are now two processes for creating objects in the ARIN IRR. There’s the IRR email, which is using existing email template processor. And then there is the new IRR online using ARIN Online.

Next slide. So the update process, we have an IRR data migration that happened. And what that did, that created authorized validated data and NONAUTH, which is objects that we could not validate.

We have creation of new services for validated IRR entries within ARIN and also the integration of the IRR into ARIN online, with the development of a user interface in ARIN Online for creating and editing new IRR options.

Next slide. So during the migration, what happens is all existing objects were migrated into one of two datasets: ARIN, these are the objects validated as meeting ARIN’s requirements; and ARIN-NONAUTH, which are unvalidated objects. Some of the criteria used to validate objects as ARIN were they had to be – they have to be under an RSA, and they also had to be maintained by a maintainer that was associated with the Org ID.

So we’ve had a few issues with people that have had more than one Org ID, and they created a maintainer with one of their Org IDs, and then they created objects for all their Org IDs with that maintainer.

Those objects would not meet the criteria to be validated and put into the ARIN dataset. They would come up and be ARIN-NONAUTH during the migration.

Validation included the organization is authorized to create the record and also verify that it’s under an LRSA or RSA.

Next slide, please. So the migration process runs multiple times per day to move objects created or updated into the IRR-email to the new database. So it started out, I think the first day we were at once every 24 hours.

We had some input, feedback on that, and we changed it to once every four hours until recently, on Monday we changed it again to where it updates every 15 minutes. But due to some other processes, it takes about 30 minutes for you to see the updates once you submit them.

Validated objects will be moved to the ARIN dataset, and unvalidated object sets get moved to ARIN-NONAUTH during migration.

No new maintainers – so, this is an important one – no new maintainers are accepted in the IRR-email system. So any new users that come in and want to start entering objects into the ARIN Internet Routing Registry will have to do that through the ARIN Online process.

I’m going to read a couple of stats we have right now. We took a reading on this: Orgs that are using the IRR Online system, and this has just been out there six days – we have 168 organizations that are already using the ARIN Online IRR.

We had about 20 organizations that have transitioned from the IRR email to the IRR online. So that tells us that there’s about 148 to 150 brand new users using the IRR and creating their own objects.

A lot of those we’ve seen have been ISPs, most likely ISPs that were creating objects for their customers that had space directly from ARIN. Those ISPs have been asking their customers to go in and create those objects now so that they are no longer NONAUTH but they end up in the ARIN dataset.

And one more statistic. We have a total in the IRR online objects, 1,079, of which 70 percent are route, nine percent are route6, seven percent are aut-num, 10 percent as-set, five percent route-set.

Next slide, please. So the initial deployment for allocated IRR objects. Users can now create update and delete the following object types via ARIN Online. So we went with a limited object, a limited set of object types.

This was with input from stakeholders and other people in the community as well as internally, to make sure that we got – the first deployment would put out there and allow those object types most used in the online system, which is route, route6, aut-num, as-set and route-set. Another important point, the existing users can still continue using the IRR email interface. So anybody who had a maintainer prior to last Wednesday, June 10th, 2020, can continue to submit their templates to ARIN the same way they always have.

And even if they have – if they ended up with some of their objects being labeled as NONAUTH, the source for submitting all templates is always going to be ARIN. We didn’t want to change that. We had feedback that that should always stay the same so we didn’t break anybody’s automation.

It did cause a bit of confusion, especially since we weren’t updating things. The objects for over 24 hours, people got confused and were trying to delete an object and they submitted it to ARIN; they didn’t see anything. They submitted to ARIN-NONAUTH, they got an error.

But we realize that, hey, the submitting it to ARIN actually did work, and now we’re going to be doing that update to where you’ll see that within 30 minutes.

Only IRR objects created in ARIN Online can be edited in ARIN Online. So there’s a very important warning, when you go into ARIN online, if you’re an existing IRR email template user, if you go into ARIN Online and you attempt to create or delete an object, you’re going to get this big warning that comes up that you will have to accept that tells you, once you accept that, you will no longer be able to submit templates.

So if you want to start using ARIN online, you have to be very careful, and anybody you have as a routing POC, you need to make sure they understand what your intentions are.

We understand that the larger users really need an API, and that is our next big part of the IRR project is to make sure we have this API in place by the end of the year.

So we imagine a lot of the larger, heavier users will continue submitting the templates throughout the next six months. And hopefully once we get that API in place we can work with the community to make sure everybody can move over to the new system.

Next slide. So some important notes about the IRR, and I might have covered some of these already, which I have the first one. Existing users who continue using the IRR-email interface must only use the IRR-email interface. I’ve covered that pretty well, so we’ll move on to the next.

So when you’re submitting objects using the IRR-email interface, users must use ARIN as the source. Covered that. But once again ARIN as the source. Even if the object is tagged as ARIN-NONAUTH, the source for the template would be ARIN.

When the first IRR transaction is made via ARIN Online access to the IRR-email will be removed. We will have some tolerance for this. If this happens by mistake and it’s creating issues, as long as we’re notified, and as long as it’s not a month later or six months later, and there hasn’t been that many transactions completed online, we will work to help fix that for anyone that has mistakenly checked off on that big red warning sign that they get before they can actually create an object or delete an object through ARIN online.

Once again, we will be absolutely working with the community. We’re not here to cause pain. We’re here to make things work better.

And existing users, there’s the big warning message again. You’ve got to acknowledge the warning message before you’re allowed to continue in ARIN Online. Again, you’re going to get a big red warning. It’s going to say, hey, are you sure you want to do this. Then you have to take the effort to check that box before you can continue.

Next slide. So differences in service between the authenticated and NONAUTHenticated. So unauthenticated IRR objects can only be modified using email templates. No new maintainers will be added to the email template system.

So we also learned – I have that on the next slide; I won’t cover it here. Authenticated IRR objects, existing maintainers can continue to use email templates. ARIN Online can be used by existing maintainers and new maintainers, and both the authenticated and unauthenticated will be published via FTP and NRTM.

Next slide. So for the near Real-Time Mirroring, ARIN now offers two NRTM streams using existing systems. There’s the ARIN, which is the validated IRR data. And there is the ARIN-NONAUTH, which is the unvalidated IRR data. You have to be pulling both those streams.

Current users who were notified of the need to make configuration changes to pull from both of these streams to continue receiving all ARIN IRR data and the existing ARIN NRTM stream, the serial number had to be reset upon deployment. Everyone was advised of that. I don’t believe – we haven’t seen a lot of issues with that. So I believe we did a pretty good job of getting that out there.

Thanks to a lot of people, Job Snijders and a bunch of other people that are out there that helped us spread that word, to make sure everybody got the word. So all the organizations realized that they had to reseed as well and use the new serial numbers.

Next slide. For the FTP, ARIN offers two FTP sources – ARIN and ARIN-NONAUTH. Current FTP users needed to update their configurations to pull from both ARIN-NONAUTH and ARIN sources.

Next slide. Future IRR functionality. So, as I already pointed out, our next major development for the new IRR is the creation of an application programming interface to manage the IRR records, which will be deployed by the end of year 2020.

And IRR development as scheduled – we have a dedicated team that is going to continue to be dedicated. We already have made some tweaks based on input from the community, and we have some ACSPs that we’re working on and we also have a lot of suggestions from the team as well as from the stakeholders on things that we need to continue working on.

So if anybody – if you have noticed anything that you would like to see, please submit an ACSP, which is the suggestion program, ARIN suggestion program.

And next slide, please. I want to also say besides the suggestion program, you can also submit that through our feedback button as well as through our service issues button.

So, feedback. Here’s some of the things that happened. We had, why are my objects considered NONAUTH? And the big one was we had a little over 2,000 records that they weren’t covered by a Registration Services Agreement. And we found out through looking at it that some of it was because of what I said of one company, one large company or couple large companies having multiple organizations and having a maintainer or getting a maintainer under one Org ID and then using it for all their Org IDs, anything that that maintainer – any Org ID that that maintainer was not associated with would be considered NONAUTH.

The fix for that is to – the fix for that one is to get – to actually to come in and ask us for a maintainer ID. Depending on the size of the organization and everything we will work with you to fix that issue.

The issue with not having a Registration Services Agreement is to get a Registration Services Agreement. Once you get an RSA, once you sign an RSA, your objects will – you’ll be able to then create authenticated validated objects, but you will no longer – you won’t be able to delete the NONAUTH. But we’ll do that for you once you have created your validated objects and you can do an Ask ARIN ticket, submit an Ask ARIN ticket, and we’ll remove those NONAUTH objects out of the dataset.

So the other thing was the updates are not fast enough. So we’ve now corrected that and made changes to where changes will be visible approximately every 30 minutes. There’s a couple of 15-minute runs in there that make it to where it could end up being faster than 30 minutes but at the most it will be 30 minutes.

Next slide, please. All right. That’s what I have for the new IRR that has been deployed and I just want to do a shoutout to the team and the stakeholders and everybody else out there in the community that provided input, because I think we’re doing – we’ve done – we’re seeing great results from this already.

Paul Andersen: Thumbs up to the team. I know it’s been a long-time ask of several community members.

Throw it open to questions. I see two in our Q&A. Three now. Beverly?

Beverly Hicks: Yes. First question from Owen DeLong, Farsight Security, ARIN AC: Not wild about the one-way gate to ARIN Online. It’s a lot easier to code for email interface. But humans will likely want the ARIN Online interface having to make that decision one way on a per-Org basis is far from ideal.

John Curran: I’ll take that question, actually. So as people are aware – and as John just covered, it takes resources to do the development, to build a new IRR system, to do the API, which we’re now doing, and all these resources cost money.

Realistically, we’re gated at how fast we can do that and what capabilities we can put in.

Now, the services are serving a lot of legacy holders who are paying – in many cases a legacy holder who has no relationship with ARIN is paying nothing.

And, so, to the extent that we are still providing services, it would be good if we had more of the users of ARIN services actually with an RSA with ARIN because that would help speed things along.

Until then, we are gated. And so there’s a period of time now where there is no API and your access is entirely based on either using the old template system or using ARIN Online.

We will catch up. We’ll provide an API. And for folks who don’t want to have that disconnect, just wait; continue to use the templates. We’ll get you an API. As for whether the templates are going to be around forever, that’s a different matter.

Again, it’s a question of maintaining resources for a very old system for a lot of folks who right now aren’t ARIN customers.

Paul Andersen: Okay. Thank you, John. Looks like we have a few questions queueing up here. Go ahead, Beverly.

Beverly Hicks: I’m so sorry. Ross Tajvar from Atlantic Metro: Thanks for implementing this. I’m looking forward to the API. Why can we not edit objects imported from email? I had to delete and recreate all of my objects in order to edit them. Also, is there a plan to eventually retire the email system?

John Curran: I’ll take this one as well. It’s a very similar question. We have two distinct IRR systems right now – the prior legacy one, which we’ve covered in detail, and a brand new system running in parallel. So really there was no way to provide realistic translation between the two.

We’ve built a new system. And for folks who have moved over to it, that’s great. We’ll get you an API ASAP. But trying to import that back and make it compatible with the email templates would have been a lift that would have been far too much work compared to the path that we want to go for our systems going forward.

Beverly Hicks: Okay.

Paul Andersen: Next, please.

Beverly Hicks: Next question, Kevin Blumberg, The Wire: Please include a future roadmap and change log on the website. Very much look forward to the new IRR.

Paul Andersen: Thank you for that comment. Next.

Beverly Hicks: Anthony DeLaCruz, the updates in 15 and 30, is that both for NRTM and FTP?

Paul Andersen: He also says thanks to Jon Worley for catching up on some questions before lunch. John Sweeting, did you want to address that?

John Sweeting: I’d like to call on Mark Kosters, because I don’t want – there’s been a lot of discussions and a lot of changes since we deployed it. So I’d like Mark to answer that. I think he’s on and he can have it.

Paul Andersen: He should be. Mark, if you can unmute him.

Mark Kosters: I’d be happy to answer that question. So NRTM is available on all the public-facing nodes. You should be able to capture that for both ARIN, the sources for ARIN, and ARIN-NONAUTH. So they’re both available. And both will get updates within 30 minutes of the change that was made with the template-processing system.

The FTP dumps are made once a day. And this is customary to what the old system had done. So, the FTP dumps were made once a day, in the morning, and they continued to do so.

So that’s kind of where things stand at the moment.

Paul Andersen: Okay. Thank you for that. Why don’t we give – we have a raised hand. Why don’t we switch it up here.

Beverly Hicks: No problem. Andrew Dul, you should be able to talk now.

Andrew Dul: Okay. Here I am. So, thanks a lot for this. Andrew Dul, ARIN AC, 8 Continents Network. I’m looking forward to this. So this may be more of a help-desk question rather than a feature functionality question, but I figure other people are probably in the same situation, where you have both records that would exist under your own organization and records for which you’ve done proxy records for customers for that are outside of your organization.

Obviously for the outside-the-organization records, not to get authorized records for those they’d have to come through ARIN Online in the future.

But until that happens and given that there’s this one-way gate, if you wanted to, say, abandon those NONAUTH records and allow them to continue to exist for now but yet create AUTH records via ARIN Online, what’s the appropriate way to do so given the gate?

Paul Andersen: Would staff like to take that?

John Curran: That one I’m going to have to refer to Mark. Mark, is it possible for us to allow someone to start creating records which would be in the AUTH stream and somehow still have the prior ones being admitted in NONAUTH, the ones from the template system?

John Sweeting: Go ahead, Mark.

Mark Kosters: There’s two things, and I’ll let Sweeting talk more about this as well. One of the things that we did have is, we sort of anticipated this, Andrew, in terms of the sort of proxy registration. So we created this thing called a routing contact within ARIN Online. We did that earlier this past year.

And one of the things that allows you to do, as a routing contact for that Org you can then make changes directly once that record is actually created, once you’ve actually become a routing POC for that particular Org. And it will be in the authorized stream.

So for those who are in ARIN-NONAUTH, they are where they are, and they continue to be populated as they are right now. And that goes on without change.

Andrew Dul: If you go through the gate, you don’t lose the NONAUTH records.

Mark Kosters: So, when you go through the gate, you do not lose the NONAUTH records as such because they weren’t in the authorized stream anyhow. The only ones that go through the gate are the ones in the authorized screen.

So those are the records that you had previously put in that were matched, the maintainer matched your Org, your organization. And then we said, well, those resources match your organization, so, therefore, you’re authorized. And they can be used either as a template or, once you pass through the gate, then they’re used through the web interface.

John Sweeting: And I think the last part of that is, as I think I mentioned, the NONAUTH objects will stay there. They will be there until you open up an Ask ARIN ticket and ask us to remove it for you. We’ve tested this. We have seen that we’ve made an ARIN validated object and left it as NONAUTH.

And when you do the Whois on the – when you query the ARIN IRR both of those objects come up. They both show. You’ll have an ARIN, a source of ARIN and a source of ARIN-NONAUTH. Both objects will remain there, and they’ll be there until you ask us to remove the NONAUTH.

Paul Andersen: Andrew, does that address your issues?

Andrew Dul: Yeah, I think it sounds like the functionality is there for people to move forward in this way and keep – create AUTH records and let the NONAUTH records stay until other orgs, subservient orgs actually create the AUTH. Thank you. Great work, guys.

Paul Andersen: We’re a little long on the presentation from a time perspective. We’re a little ahead on the day, so it kind of works out. But we’ll close off here. So let’s close out the Q&A, but if you do want to get in line, either raise your hand or put a Q&A in. The queue will be closing magically in 30 seconds.

Go ahead, Beverly.

Beverly Hicks: I have a question from Charlie Liu: What was the relationship between ARIN, IRR, and RADb?

Paul Andersen: John Sweeting or John Curran?

John Curran: I’ll handle that. So, RADb is a separate service that Merit operates, the RADb project. They indicated that the RADb has been updated to reflect ARIN’s now two streams, so that folks using RADb should still see ARIN’s records as before.

So there’s no change, per se. They did have to make – there’s no change in the relationship. They did have to make a change for their mirrors.

And any other organization for that matter that has been mirroring IRR data from ARIN, obviously that data is now in two streams. If you’re mirroring our data you will have to make that update.

Paul Andersen: Next comment.

Beverly Hicks: David Farmer, University of Minnesota: Thank you. Well done. I eagerly await the additional features.

Paul Andersen: Thank you, David. Next.

Beverly Hicks: Owen DeLong, Farsight Security, ARIN AC: Why do the templates and ARIN Online have to be mutually exclusive?

Paul Andersen: Is the question –

John Curran: That one’s mine. Okay. So the template system is unmaintainable as was described in the IRR roadmap that was discussed with the community. And so we have a code base that literally is coming now on 10 years old – actually might be more than that, more than 10 years old.

So we need to create something with a modern engine behind it. The new IRR using IRRd4 which is a great platform to use. We need to configure that, though, so we built an interface to ARIN Online.

As for the template system, if there’s enough demand, we can rebuild an email template system. But most people have moved on to other things – RESTful interfaces and APIs. So it’s really up to the community on what sort of interface you want for the IRR.

We’ve heard a lot of demand for an API. We haven’t heard a lot of demand for an email template-serving system. But if that’s what the community wants, then that will also get added to the development here.

Paul Andersen: Maybe I’ll add a bit, John, just to add as well – this is just more general – that from a strategic point, we’ve certainly as a Board given direction that ARIN has to be very judicious with its resources. It is still a relatively small organization and has a wide range of services it has to cover.

So where there are services that are in high demand, as John said, we’re happy to deploy it. And at the same time, if other parties want to make use of the API and develop email template engines and such, that’s something that they’re free and open to do, and in fact happy to, they’re happy to even note it, I’m sure. We’re happy to encourage that kind of work.

Okay. The queue is being closed. Let’s go with our last one.

Beverly Hicks: Last question from Ken Beaty: Is an Org Registration Services Agreement from 2012 still valid for IRR or do we need to update it?

Paul Andersen: John Curran?

John Curran: It’s valid. As long as you’re under any RSA or LRSA then you receive access to new IRR services.

John Sweeting: Just a quick note on that. The only time we would ask you to update that would be if you came in to get new resources and you were at least two versions of the RSA back. Then you would be asked to update and sign a new RSA.

Paul Andersen: I’d like to move on to our next topic and see, Mark, if you can help move us along, since there seems to be a lot of questions and excitement on this. So, let’s go to the RPKI update and keep on rolling because we only have 37 minutes left.

RPKI Update

Mark Kosters: Okay, great. Let’s move on to the next slide.

So, I’m Mark Kosters. I head up Engineering. And one of the things I just want to say through this is I’m really excited about a lot of the effort that’s gone on within Engineering and that’s being seen by the community now.

And we’re seeing a lot of focus on route security, whether it be IRR work that John Sweeting has talked about or RPKI work which I’ll talk about now.

And a lot of this work is being done in really close participation and in conjunction with the other departments here at ARIN. We hear you. We want to make changes that benefit you, and we want to make the best solutions possible to make this happen.

So, let’s go on to the next slide, please. So what I’d like to talk about today is our current status, where we currently stand, our recent updates and our upcoming plans when it comes to RPKI.

Let’s go to the next slide. So, the community has been really focused on routing security. At the last two NANOG meetings there’s been multiple presentations made by John Curran or myself or John Sweeting on dealing with various things dealing with either the IRR or RPKI.

We’ve actually had a test run where people have actually been able to say, okay, I want to play with RPKI, but I don’t want to do things with the production system.

We actually had a workshop where we actually sat down with people and say, okay, here’s how you make RPKI work. And we did it in our OT&E environment and we called it a ROA-thon, and it was a great success.

People were able to use the systems, see how it worked, see how easy it was to actually create ROAs in there – it wasn’t so complicated – and actually move on.

So, there’s been just a lot of activity in this area. And there’s been a lot of focus. And I’m sure this will continue. And we’re seeing that in our stats.

Speaking of which, we’re seeing an uptick in delegated use. And that’s because they’re starting to become – various software providers are putting out code now that is actually making it much easier for people to use different ways of doing business than the ways that have been seen by, until recently – it’s been able to be used by you.

So there’s just a lot more things going on out there. There’s the five or six RPKI implementations out there now. There’s various vendors that have RPKI out there.

One of the things that came up at the most recent NANOG meeting is all the vendors who are supporting RPKI validation – and ISPs are actually using this, and putting it into practice.

So this is all spending time to see this work that’s gone on for us since 2012 actually coming to some fruition here.

So next slide, please. So here you can see our stats. And you can see that for over the period of time since October of 2012, we’ve had maybe 100 or so participants actually coming in per every six months. But that’s really jumped up recently.

And that’s because more people are starting to see that, hey, I really need to be involved with RPKI. I really need to start certifying my resources. And I need to create my route objects, or ROAs, in this case. And I need to make this all happen.

And one of the most notable things I’ll put down here – or note here – is all of a sudden we went from really one up/down delegated customer to eight. And that’s increased or will continue to increase because the software is much easier to use now than it was in the past.

So there’s just a lot of really positive things happening in our RPKI space. And we’re starting to see that through our statistics.

Next slide, please. So here are the things that we’ve done in response to the community. One of the things that we’ve done is we went from basically a repository generation – changes made to your ROAs from going once every six hours to every five minutes. So once you put in a ROA, it will be seen to the community through the repository within five minutes.

One of the questions that came up at a recent meeting where – John Curran actually mentioned this at NANOG, is, why five minutes? And five minutes is the time that we felt that was reasonable to put this information out. And it wasn’t too fast and it wasn’t too slow. So it just seems right. One of the other things we did is we added RRDP support as an alternative to rsync for repository retrieval.

So RRDP, what it basically is, is it’s really a way of getting the repository over the HTTP transport as opposed to using rsync. And one of the things this can do – if we wanted to go down and start making this more scalable, we can do so, and there’s a lot of vendors that understand HTTP. Not as many understand rsync as doing a third-party outsource service.

We also changed the default validity period for ROAs to 825 days. It used to be up to 10 years, which, after working with the system, it just seemed a bit too long. So we actually decreased it to 825 days.

The next thing that we’ve done is we’ve looked at delegated work. And based on some of the customer interactions we’ve had, it’s supporting a sort of provisioning enhancement that allows people to start playing with up/down protocol using RFC 8183, which is the out-of-band setup for up/down protocol.

What we had there previously was a pre-IETF specification, but we didn’t have a lot of customer demand. We only had one customer that was using it. And this allowed for people to start using more modern software based on the most recent RFC to use the new system.

One of the things that we did do is that we spent a lot of time looking at the various delegated software implementations to make sure that there was good interoperability.

We wanted to make sure that we didn’t break existing systems out there as we upgraded from the pre-IETF spec to the IETF spec 8183.

Accordingly, some of the community suggestions we’ve had – we added the capability to list and delete ROAs through the API (Reg-RWS), and that was added as ACSP 2018.16.

And the most recent thing that we’ve done is we’ve updated our TAL to include the HTTPS URI along the existing rsync URI. And what that allows people to do is that their validators can use the HTTPS transport across the entire spectrum. They don’t have to use rsync anymore. They can use HTTPS, which is more modern.

Next slide, please. Here are the things that we’re looking forward to doing in the future. So one of the things that we’re currently – that’s underway and will be out shortly, is that we’ve upgraded our IBM 4765s to 4767s, hardware security modules, HSMs. And the reason we’ve done this is that the 4765 has gone end-of-life and is no longer supported by IBM.

So we’re updating to their most recent model. And as part of that, one of the things we’re also doing, is we’re updating the interface between the HSM and RPKI applications that ARIN supports. And when we’re doing this, we’re removing some of the architectural limitations that we have with the old HSM.

So, for example, one of the things that we have an issue with in the current system: it’s the number of maximum CRL entries that we can have per organization. And this sort of architectural limitation that we did not think about or conceive at the time when we designed the system back in 2012. But we’re realizing that, hey, we need to remove this limitation, of which we’ve done when we moved to the 4767.

The other thing that we’ve done – I’m not sure how many of you have watched a DNS root key signing ceremony for DNSSEC – we do a very similar thing within ARIN regarding our key-signing ceremonies for RPKI.

We have a very structured way of actually updating our keys. It includes having an MC, a master of ceremonies. It includes having a witness. It includes having multiple key holders that each part holds a part of the key that unlocks the hardware security module.

We also have a systems administrator as part of the process. And if there’s any deviation to that script, it’s actually documented and stored for future events so it can be audited.

We’ve also had third-party people actually come in and witness this. Right now we’re in a very small facility. So it’s kind of hard to deal with. We also have COVID-19 going on right now, so we have to limit the participation with our key-signing ceremonies as they stand right now. But there’s – thankfully we don’t have to do them so often. But it’s something that we’ve been working on, reducing and making – simplifying.

Next thing that we’re doing is we’re doing some enhancements on notifying all the Tech and Routing contacts for automatic ROA renewals. We’re making some user interface improvements with ARIN Online. I’ve had multiple conversations with community members on our current state of affairs with ARIN Online and their wish to make things easier and less complicated. And also there’s the added work of synchronization between IRR and RPKI, both very similar systems. Why can’t we synchronize the data between the two? And that’s something that we’re looking to do.

And, so, next slide, please. So, with that, you’ve seen how things have grown. You’ve seen what we’ve done over the last six months and our future plans. So, are there any questions?

Paul Andersen: Any questions for Mark, knowing that we have a few minutes?

Melissa Goodwin: Yes, Paul, we have a question from John Kristoff with Are or can there can be publication point server access logs made available for research?

Paul Andersen: Mr. Kosters.

Mark Kosters: So, this is one of the things that we would like to be able to have a third-party consortium actually take care of, where we can ship them the logs and they can actually vet the researchers to make sure that this data is being used in appropriate ways. This is something that is an ongoing conversation, of which we need to – there has to be further work to get accomplished. But this is something we’d like to do, so that third-party researchers can see this. They can see who is actually pulling this down, who is actually using it for validation, et cetera. That’s a good question. Thank you very much, John.

Paul Andersen: So, Mark, in case John has desires to get involved in that conversation, should he email, or is there another contact he should be reaching out to?

Mark Kosters: Actually, John and I have been in conversation about this. So I kind of knew the question.

Paul Andersen: Just in case, but if somebody was interested in being involved, not just John, who should they reach out to?

Mark Kosters: They can certainly reach out to me or – info would probably be the best place to start. And it will be shunted to me at some point.

Paul Andersen: Okay. We’ll close the queues in about 30 seconds. Let’s go to our next question.

Melissa Goodwin: Excellent, we have a question from Ross Tajvar from Atlantic Metro: Can you elaborate on the synchronization between IRR and RPKI, and what would that look like?

Mark Kosters: This is something that – we have this community – we have these people that have been helping out John Sweeting and I with IRR, in terms of what are we going to do with IRR and how is all this going to look?

And one of the things they’d like to see is that ROAs actually trump things in the IRR, for example. Because ROAs have stronger sort of credibility—it’s a newer sort of system that the IETF is putting out, and that they would be able to trump it.

The other thing is synchronizing things. So route and route6 objects are very similar to ROAs. So, if we synchronize a ROA, maybe we want to do the same sort of thing with the route and route6 objects in RPKI.

Paul Andersen: Thank you. Next question or comment.

Melissa Goodwin: We have a comment from Anthony DeLaCruz: Much appreciate the work done so far. The tools in ARIN Online are very easy to use for RPKI.

Paul Andersen: Thank you. And our last comment goes to Kevin, looks like.

Melissa Goodwin: Yes, Kevin Blumberg with The Wire: Is there any real demand for up/down? Is that functionality slowing down other RPKI features?

Mark Kosters: That’s a really good question. So, up/down, until maybe about three, four months ago – the software for people who wanted to play in the delegated space and use up/down, it was fairly hard to use, the software that existed.

And the people who were playing in that space actually realized, boy, this is hard work. And actually, hosted is much easier. So we’re going to stop this delegated stuff and actually go to hosted, because it’s much easier to use the machinery that ARIN has created than for people to actually glue together the existing technology set at that point.

There’s new technology that’s coming out now that is making it much easier to use delegated RPKI. I’m not saying it’s perfect yet. But it’s something that’s coming out and people are starting to experiment with.

And we’re seeing that with the people, that the number of participants has gone–has really gone from one to eight. And really that one that was there previously was only half way there. Actually, they never really finished their RPKI implementation.

So it’s good to see that, because that’s very complicated machinery underneath and the developers on my team are very happy to see that their work is actually being used.

So we look forward to seeing more people playing with this. There’s some upcoming work that I’m sure the community – actually the community has already asked us to do – in support of delegated. So it’s all exciting stuff. We’re at the very sort of forefront of RPKI, but it’s great to see adoption by the community.

Paul Andersen: The queues are closed, although Owen is just making a comment. We’ll take Owen’s comment and then move on to the next presentation. Please, Beverly.

Melissa Goodwin: Owen DeLong with Farsight Security: IRR is RPSL specification of inter-AS relationships. ROAs are strictly a claim by a prefix owner that their prefix can legitimately use a particular AS as origin, whether the AS holder agrees or not. While these are both related to routing security, they do not contain identical data and neither is a true subset or superset of the other. As such, an override is an odd idea, in my humble opinion.

Mark Kosters: So, actually, I was very careful to talk about route and route6 objects as part of that response. There’s work in IETF that’s underway, and I encourage Owen to look at it. It’s called ASPA. And it actually describes how you put in adjacencies within RPKI.

So the work on dealing with – hey, who, do you peer with – is actually also being mirrored within RPKI as well. And this work is underway. It’s getting some traction. And we’ll see what actually comes out of the IETF. And we’ll go ahead and implement it, if the community so desires.

Paul Andersen: Okay. Thank you, Mark, for that presentation. We have to keep speeding on because we only have 20 minutes to get to our last two items.

So, Richard, as they say…

Mark Kosters: Thank you very much.

ARIN Update

Richard Jimmerson: Thanks, Mark and Paul. My name is Richard Jimmerson, I’m ARIN’s Chief Operating Officer. My apologies to the transcriptionist. It’s going to be my task to get us back on time. So I’ll be talking a little bit faster than I normally do.

Next slide, please. I’ve got about six content slides to give you the normal update that we would do at a meeting across several different presentations. We’ve condensed that down into a single presentation for you today.

First, pandemic operations. A lot of folks are curious about that and what we’ve been doing. In February, once we started hearing about the pandemic, staff provided, was given office guideline use. We started looking at CDC and WHO guidance.

We started giving flexibility to staff on business travel and cancellations. And that led us into March where we began preparations to do 100 percent remote work environment at ARIN. We informed staff that office use was optional in early March, and then we closed the office for general use on March 19th, and the staff went to a 100 percent virtual work environment. And we’ve been in that state since then.

All business-related travel for ARIN was canceled at that time until further noticed. That’s not been reopened yet.

April through today, we are fully functional in terms of registry operations. That continues without daily use of the ARIN office. However, we do have some mission critical in-person things that need to be done on a temporary periodic basis where people will make a quick visit to the office and inform of us of them doing that.

We have a limited reopening program that actually just started this week in line with the state of Virginia and what they are doing. And staff can actually apply if they agree to certain office-use requirements to be in the office on a more regular basis.

And a few of our staff members are actually doing that, are in the office today. But the majority of the ARIN staff remains in the remote-work environment and the company is operating per normal.

Next slide, please. We’ve had some leadership updates since October of last year when we last met. Some of them, because of retirements, and others because of leadership changes in the organization – just real briefly, John Sweeting and Lisa Liedel have been with the organization for some time now.

However we continue to increase the focus on the customer inside the organization. As such, John Sweeting was promoted to Chief Customer Officer to oversee the customer experience inside the organization.

With that, Lisa Liedel was promoted to Director of Registration Services, where she’s doing a great job of running the registration operation in terms of help-desk support to all of you.

Also we had a few people in the organization that were doing governmental affairs-type work. And we wanted to put that together inside of a single department. And we’ve done that now with the Government Affairs Department. And Anne-Rachel Inné is now ARIN’s Senior Vice President of the Government Affairs Department.

Susan Hamlin retired at the end of last year – we’ve had several retirements over the last years at ARIN – and Hollis Kara was promoted as the Director of Communications at ARIN. She’s doing a fine job running our communications for the organization.

We had two departures inside the organization. One was our Software Engineering Manager and one was our Operations Manager. Those roles have been filled by Garth Dubin in the Software Engineering Manager position. He has been a leader inside the organization in another department in the past. He’s doing a great job running our software efforts.

And we welcomed Reggie Forster to the organization. We’re very happy to have Reggie with us, who is now our Senior Operations Manager at ARIN, just starting here in the last month.

And we last had a Chief Financial Officer in the organization back in 2013. And it was time for us to add that role back into the organization. And we’re very fortunate to have Brian Kirk with us as our Chief Financial Officer as of the beginning of this year. And we do have Val Winkelman, who is our Director of Finance. She’s actually retiring the end of this year.

Lots of retirement words, but fortunately for ARIN our retirees have given us one to two years notice each time. So that’s great.

Next slide, please. Some organizational highlights. 2020 work plan has largely remained unchanged by the pandemic work environment. There are some smaller things that aren’t required. For instance, it’s harder for us to do an RPKI ceremony now and a few other things.

But work is running per normal inside the organization. Help desk remains available 7:00 AM to 7:00 PM. We’re still responding to all your tickets and requests and running the organization.

We’ve added a service issue reporting feature to the ARIN website. You’ve always been able to reach us through the feedback button and other ways, but some folks wanted to know, well, in off hours, if I just wanted to let you know about an issue I’m seeing with your services, how can I do that? We added this feature to the website and people are using that. And that’s continually monitored by ARIN staff, to get notified when somebody uses that feature.

We have the addition of a customer support chat to supplement the already existing telephone help desk task. If you’re logged in to ARIN Online you’ll see the ability to chat with Registration Services staff, and they’ve been doing that now for a couple of months. And it’s become very popular feature, alongside our telephone help services. So we’re glad to be able to add that service for you.

And you’re going to see some upcoming consultations here very shortly on possible closure of redundant or seldom-used services at ARIN.

I know this will interest a lot of you. I can’t give you a preview of what those things are, but there’s a consultation coming out here inside the next month where you’ll be able to see those things and comment on them as part of ARIN Consultation and Suggestion Process.

Next slide, please. Now, it’s important you know that we have an election this year, just like we do every year, for the ARIN Board of Trustees Advisory Council. And also we’ve taken nominations for the NRO NC. All the nominations closed on the 13th of June. So that just happened.

Now, the NomCom is going to be reviewing all the candidates, and if they choose, as the Nominations Committee – and we won’t know until they make that determination – they can open up a second nomination period that would be open from 20 July to 27 July. Now, if you’re going to vote in the election this year, it’s important that you be a member in good standing in order to vote.

And you have until September 7th to have that all in order, and that’s when we’ll be creating the eligible voter list inside the organization.

Now, the initial slate and call for petitions and statements of support, you’ll see that on 14 September go up on the website, where you can start adding your comments there. And the final slate is identified for the elections of the candidates on 12 October, just in case anyone came in through the petition process or otherwise.

The elections are open for you to vote as the membership on 22 October through 30 October. And we’ll be sending you plenty of reminders that you normally get. You might even get some telephone calls, like some of you have in the past from us, letting you know the elections are open. The results will be announced no later than 6 November for all of those open seats on our elected bodies.

If you want more information, you can go to our elections page on the website and you can find the information you need there.

Next slide, please. We do a Customer Satisfaction Survey about once every three years. We did one in 2014 and one in 2017. It has a big impact on the services we’re offering to you as a registry.

We’ve made changes to our services. We’ve added services. We’ve made decisions based on the feedback that you’ve given us during these surveys.

We’re doing this again. It’s very important to us. And we want to make sure that your voice is heard. So you’re going to see an announcement come out about a survey that will run from the 13th of July to the 31st of July. Please take some time to go in and take that survey.

There should be a short track and a long track that you can take in there so it can take anywhere from five minutes up to as many minutes as you want to spend on giving expanded answers if you choose to do that. So we’re looking forward to seeing you there in the survey.

The final results will be published with full transparency to the ARIN website. Our Board of Trustees has asked that when the report that we actually get from our third-party contractor that can touch the survey, they’ve asked that the community see that report directly as they provided it to us with no modifications by staff. And that will happen again this year.

And between time in the surveys, of course, we always have the feedback button. You can give us feedback on the website. And we’re constantly reading those piece of feedback. And we also do transaction surveys. And you can fill those transaction surveys out when you request services or transfers and let us know how we’re doing. We pay very close attention to those things, and we make modifications to the services throughout the year to make accommodations for that feedback.

Next slide, please. ARIN 46. You’re probably wondering, are we going to do an in-person meeting in October or do a virtual meeting in October.

Well, the current plan is for us to do an in-person meeting – 22-23 October in Seattle, Washington together with NANOG. It would be the two days following the close of the NANOG meeting, like you normally have in the month of October.

Today, we’re cautiously optimistic about holding an in-person ARIN 46 meeting as we monitor guidance from Washington state, Seattle and the CDC and the WHO. We expect to make a decision about the meeting by early July with notification to the community shortly after.

Really what’s happening is the staff is going to have a recommendation completely confirmed by the end of this month, the end of June. That’s going to be reviewed by the folks inside the organization and our Board that need to review that. We expect by early July that we’ll have some information available to the community about that.

Next slide, please. With that, that’s about 10 presentations condensed into six slides. Ready for questions.

Public Policy Meeting, Day 1 - Open Microphone

Paul Andersen: I thank you, Richard. I wonder, John, if we could just do double here and just do open microphone because we only have nine minutes left, but of course take any questions for Richard during that – and the only thing I’ll add –

John Curran: Makes perfect sense.

Paul Andersen: On the Seattle meeting, the other thing that will have to be taken into consideration, obviously, is what kind of restrictions people will be put back under if they have to return. So, for instance, those that have to cross borders and may be subject to a two-week quarantine may be a reason we might have to revisit.

But with that, we throw up – we are going to close sharp today. We do have another day tomorrow. But we will take eight minutes of questions from the community. Either raise a hand, please, or put your Q&A up.

I see one hand raised already and I don’t have my Q&A up. So, if there’s Q&A please go to that first.

Beverly Hicks: That’s okay. I’ll go to Ron da Silva first. You are unmuted.

Ron da Silva: Excellent. Can you hear me okay?

Paul Andersen: We can, yes.

Ron da Silva: Fabulous. My question is to Richard. First, commend you and the organization on – it sounds like operations continued to move well, didn’t miss a beat under the Virginia mandates motivated by COVID. So that’s good to hear.

And I’m kind of curious, culturally, if you’re seeing – have you increased productivity with the work from home? Is there sort of a cultural shift that’s being considered to change the way ARIN operates and responds to the experience over the last couple of months of having everybody working from home? What is sort of the thinking around that?

Richard Jimmerson: Thank you very much, Ron. That’s a great question. We’ve noticed quite a bit there. We’ve noticed that some things take longer in this environment, just like your companies have. But we’ve noticed some things are actually more efficient inside this environment. Our President and CEO, John Curran, has actually asked that the staff organization put together a report for the ARIN Board of Trustees to be reviewed in an upcoming strategic workshop that they have this summer.

And we’ll be giving them some input on what worked for us, what didn’t, and how that might actually change our operations going forward as an organization. So, we certainly are looking for that. Thank you for asking the question.

Paul Andersen: Ron, I know it’s a bit awkward just because of the way of the intro, can you just give us your affiliation as well because you’re obviously Ron da Silva.

Ron da Silva: Network Technologies Global, under my own badge.

Paul Andersen: Thank you, appreciate it. Okay. We have one Q&A I believe now.

Beverly Hicks: Sorry. I have a comment from Louie Lee, NRO NC, Google Fiber: I would like to encourage anyone who sees a gap in skills, backgrounds or experience on the Board, ARIN AC, NRO NC, to provide their comments to the NomCom.

Paul Andersen: I’ll take the first stab at this, but I’ll ask if Catherine’s mic can be unmuted in case she wants to add anything. Catherine Middleton, our newest Board member and also NomCom Board chair.

So, background, the Board does provide some guidance from its standpoint, but the community is always welcome to approach and email the Nomination Committee through its Chair. I don’t know, Catherine, if you wanted to add anything.

Catherine Middleton: No, I think you’ve covered it. Thanks, Paul.

Paul Andersen: Okay, thank you. Any other questions or comments? Give it a few seconds.

Beverly Hicks: I don’t have any further. We’re waiting.

John Curran: We have someone.

Paul Andersen: We have a hand raised.

Beverly Hicks: Yes. Mercia, please state your name and affiliation before speaking.

Mercia Arnold: Mercia Arnold, the Obsidian Group, Incorporated. I want to thank you for giving outreach for me to raise awareness about ARIN with my students at the University of the District of Columbia. And I wanted to commend you for your outreach of the academic community at the university level. Thank you.

Paul Andersen: Thank you for the kind words and feedback. We always appreciate it.

Any other comments, questions, darts, laurels, stump the Chair, stump the President?

Beverly Hicks: We’re clear.

Paul Andersen: I see we’re clear. We’ll give it another 10 seconds, otherwise…

Seeing none, I’d like to thank everyone for their participation. This has been obviously a bit of an experiment and new adventure for us. And my thanks to all the staff that pulled it off.

I’ll turn it over to John for any closing comments. Otherwise we’ll see you all tomorrow, hopefully.

Public Policy Meeting, Day 1 - Closing Announcements and Adjournment

John Curran: Thank you, Paul, for your able moderation. We’re going to end the meeting today and we’re on time, which is wonderful.

We’re going to resume tomorrow at noon Eastern time. So, day two of the meeting, more policy discussions, more presentations.

Tomorrow, again, same time, noon Eastern, and please be prompt. We look forward to seeing everyone. We hope you found this useful. And look forward to resuming the meeting tomorrow.

Paul Andersen: Thank you, all.

(Meeting recessed at 2:57 PM.)


Here in the Vault, information is published in its final form and then not changed or updated. As a result, some content, specifically links to other pages and other references, may be out-of-date or no longer available.