ARIN XI Public Policy Meeting Minutes, Day 2, 8 April 2003 [Archived]

Call to Order and Announcements

Presentation (Read-only): PDF

Ray Plzak opened the second day of the ARIN XI Public Policy meeting at 9:00 AM (CDT). Announcements included thanking Comcast for sponsoring the previous night’s social event and a reminder to fill out the ARIN XI Survey form. Ray acknowledged Paul Twomey, President and CEO of ICANN, as being present and welcomed him to the meeting.

Policy Proposal 2002-2: Experimental Resource Policy Discussion

Presentation (Read-only): PDF
Presenter: Suzanne Woolf

Suzanne Woolf, as a member of the ARIN AC standing in for the policy author, presented this policy proposal. Highlights included:

• Allows for controlled, documented release of addresses for experimental purposes

• APNIC and RIPE have similar policies

• Constraints: experimental uses only, not to be used commercially

• Originally introduced last year, revised this year. Changes are clarifications. The author believes this version addresses issues raised on the mailing list and the previous Public Policy meeting. Has consensus support, next step is Last Call

General Comments:

• Thomas Narten requested clarification of “formalization of long-standing policy of IANA” language. Suzanne replied that the mechanism for experimental allocation had been through IANA, but she thinks it’s more appropriate for a Registry to handle. Thomas questioned where the space came from. He also questioned if it was appropriate for Registries to take on this role for experimental purposes. A comment was made from the floor that the policy proposal wasn’t clear about what is considered experimental.

• Barbara Roseman asked for clarification of what was passed in APNIC and RIPE. Leo Vegoda of RIPE NCC replied that this proposal came to the Rhodes RIPE meeting, and after the meeting it was published as a draft. It was then incorporated into policy documents. RIPE NCC has received two requests and made two v4 assignments under this policy. Gerard Ross of APNIC stated that the policy was approved in December of last year and is now an active policy.

• Randy Bush remarked that operational experiments are not of interest, but engineering experiments are. Randy stated that he understood Thomas’ point that some experiments don’t need to be on the Internet, but there are some that need to be. And for those that do, a lack of clarification of the roles of the RIRs and IANA lead to confusion on this issue, RIR shopping, and short-circuiting of IETF processes. This can be solved by more coordination and communication between RIRs and IETF. John asked if Randy thought we needed this policy, and Randy replied that while the issue needs to be addressed, this was not the policy to do it.

• Bill Manning commented that he had concerns about a lot of the experimental stuff coming out of the other RIRs can impact ARIN’s community, and that we need much better coordination, such as historically existed under IANA experimental allocations. John Curran asked if this policy was insufficient in what it states needs to be published, and Bill replied that yes, but we need to adopt something quickly and work with the other RIRs to create a global experimental policy.

• Leslie Daigle said that there should be an ARIN policy that’s very carefully worded, so that there’s adequate ability to distinguish between operational and technical experiments.

• Alec Peterson asked for examples of allocations that would benefit from this policy and that it would be helpful to hear about historical experiments and how they were handled. Randy Bush offered Multicast Log Experiment as an example, where they tested allowing ISPs to use their AS Number 223/8 to sub-allocate. The experiment was to be conducted for one year, and had a quick run through the IETF before those of us conducting the experiment went to IANA and got space allocated for one year. As one of the people involved in the experiment, we would have been perfectly happy dealing with some coordinated RIR setup, but would not want to have to shop around at RIRs for space.

• Alec Peterson commented that some experiments could need as much as a /8 and this would be unfeasible under the RIRs Experimental Allocation policy. Randy Bush replied that there are experiments of varying size, /32s can be just as weird as a /8. RIRs should be able to make a large allocation for experimental purposes. Bill Manning added that Net 39 was picked as a specific size to test supernetting for CIDR. Alec remarked that both of those experiments were specifically related to address space and suggested that some constraints may be needed on the type of experiments this policy applies to.

• Thomas Narten said that the default size is the minimum. These sizes should be the minimum that the experiments needed. Having two different groups (RIRs and IANA) allocating experimental space depending on size is needlessly complicated. The current policy has a number of problems.

• Alec Peterson observed that it would be helpful to hear how this policy was helpful in other regions. Leo Vegoda replied that the one assignment he clearly remembered was for a BGP beacon experiment, that was something the RIPE NCC’s new project department was doing with another group. Randy Bush remarked that this example was an operational experiment where RIPE allocated space to itself. Leslie Daigle asked if information about this experiment was published anywhere on the RIPE NCC site. Leo replied that it wasn’t yet, and added that RIPE NCC had always been flexible about the one-year time limit on allocations.

• Randy Bush suggested that there should be a small group of people from each of the registries, IANA, and IETF that could draft some global policy on this issue. John Curran asked if Randy was saying that the RIRs should create a design group for this policy and Randy replied that yes, that was correct.

Polling of Consensus:

Q1: Does ARIN need to work on this concept with a coordinated effort among the other RIRs and IANA?
Yes? 14 No? 1

Database Working Group

Presentation (Read-only): PDF
Working Group Chair and Moderator: Ginny Listman

Ginny Listman, ARIN Director of Engineering and Chair of the Database Working Group, provided an agenda of the issues that would be discussed involving the DBWG.

Lame Delegation Status Report

Presentation (Read-only): PDF
Presenter** : Ed Lewis**

Ed Lewis, ARIN Research Engineer, presented an update on how ARIN is handling lame delegations. Highlights included:

• This issue has been discussed the last two sessions

• It’s a 4-phase process: test, attempt contact, evaluate, then remove delegation from the DNS. It’s noted in the record this was a lame delegation

• Lame Delegation Test is outlined: Query for SOA record of zone, in response look for: no authoritative answer (AA) bit set, AA bit set, but an empty answer section; AA bit set, but answer is not an SOA record.

• What is not flagged: no IP address for name server and no answer from server. Ed showed the results of a recent test on zones checked, flagged for lameness, and percentage of servers.

• Notification results were shown for telephone and e-mail

• Help Desk actions were posted

• There is a website with this information: http://www.arin.net/knowledge/lame_delegations.html .

• Next steps: continue notification as per Policy 2002-1, update database, continue testing for lameness, identify engineering issues with testing, identify implementation issues, and share experience with other registries.

RWhois Design Team Report

Presentation (Read-only): PDF
Moderator: Ginny Listman

Highlights included:

• Scope of team is to recommend an alternative to sending reassign templates to hostmaster

• Possible problems include format for comments, difficulty in parsing information, finding contact for ISP-maintained RWhois servers, and RWhois servers are often not operational 24x7 or up-to-date and often have restricted access.

• Suggested changes include creating a new attribute for both/either Net or Org registration records or establishing a new RWhois POC type

General Comments:

• Michael Dillon stated that RWhois should be declared obsolete and that this is a temporary fix

• Mark Kosters said that this discussion will help the design now. Mark said the problem is not how the data is labeled, but what is actually put in the database.

• A comment from the floor about creating new records to do this. Ginny Listman responded that the RWhois server is an attribute of the network. Owen DeLong added that he thought the way to do this with database consistency is that RWhois is an attribute of the network record and the RWhois record would contain pointers to POC info.

• Mark Kosters stated that there were two options: keep as it is now or restructure the “right” way. Ginny said along the same topic, the question is where the data should be.

Polling of Consensus:

Q1: Does the current method of RWhois notation in the comment field suffice?
Yes? 2

Q2: Should ARIN store this information in more structured manner?
Yes? 28

Discussion about where the information should be stored will be tabled as a matter for ARIN staff.

CRISP: Common Registry Information Service Protocol

Presentation (Read-only): PDF
Presenter** : Leslie Daigle**

Leslie Daigle gave a presentation offering a technology update on what is going on elsewhere and cited the overlap in CRISP effort and problems identified by RIRs with RWhois. Highlights included:

• Cross Registry Information Service Protocol is being developed by the IETF Applications Area Working Group

• Goal is a better WHOIS access protocol for domain registries and possibly RIRs

• While the data contained in the different registries isn’t the same, they all have common base requirements

• Requirements draft near completion, two protocol solutions submitted: LDAP-WHOIS and IRIS (XML-based)

General Comments:

• Mark Kosters asked why this is better than RWhois. Leslie replied that the CRISP proposal provides standardized access control across servers.

• William Leibzon asked for a description of the problems that were encountered running LDAP at Verisign. Mark Kosters replied that it would be difficult to sum up the whole process, but one of the primary problems was the continuation of queries. There are some issues with it, but it can be discussed offline.

ERX Status Report

Presentation (Read-only): PDF
Presenter** : Ginny Listman**

Ginny Listman, ARIN Director or Engineering and DBWG Chair, gave a presentation on the Early Registration Transfer Project (ERX). She explained how it was determined which RIR managed in-addr name services for different /8s, explaining it was determined by identifying the majority and minority holders of space in the /8. Ginny also provided a timeline of what has been completed and what is yet to do.

There were no questions.

Proposed WHOIS Display Changes

Presentation (Read-only): PDF
Moderator: Ginny Listman

Ginny Listman, ARIN Director or Engineering and DBWG Chair, gave a presentation on proposed changes to the display of WHOIS. Highlights included:

• Problem Statement addressed simple reassignment registrations that do not have POC information

• Solutions under consideration include educating community to conduct subsequent query, add default POCs to simple reassignments, or simple reassignments could be removed from the information WHOIS displays.

• Each approach has advantages and disadvantages, so we would like to ask if ARIN should make a modification in the way simple reassignments are displayed in WHOIS. If so, how?

General Comments:

• Michael Dillon suggested that users should be able to specify what information appears in WHOIS results. Ginny Listman asked who Michael thought should decide what information is made public. Michael replied that ARIN staff could make the first cut. Ginny commented that it depended on what WHOIS is used for: network operations or tracking abuse. Michael answered that it is irrelevant what WHOIS is used for. Determination of what should be made public should be based on NDAs, legalities, and other issues about what is public. John Curran said that the question is what information we can provide and what is useful in the format of the display.

• Dave Barger remarked that this is already taken care of. He said that he just looked up his own block and it has limited info. If you add a full display flag, you get all the POC info. Ginny stated that this was something ARIN staff had talked about internally and that we don’t know all the WHOIS users, and we don’t know what will break when two network records are returned. Dave replied that there are workarounds for everything. It would be easy from an application standpoint to parse through data. Ginny commented that ARIN doesn’t want to change the length of time it takes WHOIS to respond. Dave said that if someone wants a simple query, they can get the small amount of data and if they want more they can add a full output display flag. Ginny agreed that was true, but that it was difficult to pass this information along through education to the entire WHOIS user base.

• Einar Bohlin suggested that there should be one line of output that explains how to get more information. He added that ISPs use WHOIS to confirm utilization for multi-homing customers.

• Scott Whipple said that from his own experience his company pushed parent POCs down to simple reassignments. Simple reassignments are only useful to determine if someone already has a block from someone else. We should just push POCs down to simple reassignments. Ginny responded that while this would increase the size of the database, ARIN could do incremental updates to ease the load.

• Owen DeLong said that ARIN should use database reference techniques to add data to display, rather than to record. Ginny replied that ARIN’s WHOIS was currently receiving 80 million queries per month, and that queries with server-side real time processing added significant overhead. The performance is less impacted if data is added on the back end. Owen replied that was acceptable.

• Mark Kosters remarked that he thought this should be up to ARIN. John Curran said that the question is whether or not you have the information there, ARIN will figure out implementation.

• William Leibzon commented that we already have a way of getting information. The easiest way to do this is to add a line of instruction in output. Do you really get a lot of questions about records without POC information? Ginny replied that ARIN was trying to take care of this in the most efficient way for the most organizations and people. William stated that if the full output is a negligible impact, then perhaps display full output as default for simple reassignments. Tim Christensen replied that for the display of simple reassignments, the method is irrelevant. Does the community want to see the full display for simple reassignments?

• Owen DeLong said that he would like to see one consistent set of data, no matter what type of delegation it is.

• John Curran stated that if we want to solve this problem and we don’t put the upstream in, we default to education option. The real question is, do we put the POCs in for simple reassignment queries?

• Mark Kosters asked if this has a policy implication. John Curran asked him to clarify what he meant in terms of policy. Mark answered that there needs to be a policy to define this so that people can reference it as a standard. John said that he guessed that the question is what needs to be in a policy document. Policies require a higher standard to change. To change WHOIS output, we would need to go through the whole policy process. Mark commented that at some point there will be privacy requirements that require legal review, Leslie touched on this with CRISP. A policy will need to be done to do this. John replied that we have had discussions about this, but this issue is separate and shouldn’t be policy.

Polling of Consensus:

Q1: Do we display the upstream POCs for simple reassignments?
Yes? 26 ? No? 11

Notify Process

Presentation (Read-only): PDF
Moderator: Ginny Listman

Ginny Listman made a presentation on a notification process for changes in data. Highlights included:

• This would provide a measure of accountability

• Implement use of notification for changes to data would mean new POC type for ASN, NET, and ORG records, and a new process for POCs

• Would require minor modifications to templates, ARIN database, registration software, and the WHOIS software. Also would have to be an education effort to the community

• Could be implemented in 30 days

• Questions to answer: Do we need all three POC types? Should ARIN Display Notify POCs in WHOIS?

General Comments:

• William Leibzon stated that he didn’t see a reason for this. John Curran asked if William would use the Notify POCs if they were in place, and William answered that yes, he would.

• Michael Dillon commented that looking toward the future, LDAP could be used for this and it would take 30 days and could make changes in hours. Mark Kosters replied that it would take longer than 30 days to setup.

• William Leibzon said that he didn’t think we are quite ready to talk about education. He doesn’t think Notify POCs are necessary now. We shouldn’t do this as there are still outstanding issues.

• Owen DeLong asked what this change would get him that he doesn’t already have. Ginny replied it was mainly intended to inform people when their record was changed. Owen replied that he would support failure notifications to the existing contacts, but not new POCs.

• Comment from the floor in favor of tagging of responses. John Curran asked if the person found what this proposal did useful, but perhaps not this solution, and the attendee said yes.

Polling of Consensus:

Q1: Would anyone make use of these?
Yes? 6

General comments continued:

• Mark Kosters said that RIPE has some maintainer properties that did this and the name registries have addressed this. This needs to be more fully fleshed out, looking at security concepts and made simpler. My proposal is that we go back and look at Maintainer and Guardian. Ginny Listman responded that this was intended as a quick fix, as other approaches would require significant database changes.

• Dave Barger commented that he thought there needs to be an easier way to make changes to POCs. He gave an example of a problem at his organization and said what they ended up doing was to setup an additional admin POC.

• Owen DeLong stated that he thought it was a very good idea to notify both

• Lee Howard said that his biggest worry was that his info would be changed or deleted without notification.

Authentication

Presentation (Read-only): PDF
Moderator: Tim Christensen

Tim Christensen gave a presentation on methods of authentication ARIN was looking at implementing, providing a process overview, and a roadmap for what ARIN has planned so far in this area. Highlights included:

• Mail-from authentication is inadequate

• Stewardship principles dictate that ARIN move away from loose security

• Identifying what processes benefit from stronger authentication

• The community has asked for a spectrum of authentication choices: Password, PGP, X.509. We are not going to force everyone into one choice.

• We intend to prohibit a POC from using “mail-from” when another selection is made

• Other RIRs’ implementations were reviewed

• Volunteers are needed for beta testing

General Comments:

• Alec Peterson asked if the format of the messages will be S/MIME? Tim Christensen replied that yes they would be. Alec then asked if the revocation of certificates could be handled quickly, and Tim replied that yes, that was an issue that was considered. Alec asked if ARIN would have its own x.509 so it can encrypt on its side, and Tim answered that yes it would. Alec then asked about multiple methods of authentication, i.e. a password inside an x.509 encrypted file? Tim replied that was good input and would be looked at.

• Jim Cutler asked about a certificate revocation list. In particular, publishing a list to address using the same certificate for all RIRs. Tim responded that ARIN certificates are planned to only authenticate ARIN business. However, the RIRs have talked about in the future addressing the certificate authentication jointly.

• William Leibzon asked if there would be any mail server support for STARTLS. Tim replied that was not the case at the moment.

• Mark Kosters said speaking as a member, if you are sending public data, why would you need to encrypt? David Conrad replied that it might be done to avoid traffic analysis hacks. John Curran asked everyone to focus the discussion on authentication.

• William Leibzon remarked that this is not the only way for authentication. Tim agreed and said the presentation said as much. William said he would like to have PGP implemented first.

• Mark Kosters offered as a recommendation that things should be kept as simple as possible for members, as this is a complex issue. Specific recommendations - better ways to send in CSRs that are more “Windows Happy.”

• Owen DeLong asked if it was planned for certificates to be used as authentication for website submissions of template information. Tim replied that this was an ongoing separate project.

DBWG Closing Announcements

Presentation (Read-only): PDF
Presenter: Ginny Listman

Ginny Listman made a closing announcement that specifics will be sent to dbwg@arin.net and that more POCs are needed on ORG records. Downstreams will be required to have POCs effective May 1, 2003 and more details on that will be sent to the DBWG. Finally, she invited everyone to check out the new web-based templates.

Key Signing Key Management

Presentation (Read-only): PDF
Presenter: Johan Ihren

Johan Ihren gave a presentation on the issue of DNSSEC and the possibility of the RIRs signing keys. Highlights included:

• If the RIRs get involved then this has an impact on RIR resources and RIR membership

• The question here is “whether,” not the technical details of exactly “how”

• DNSSEC is based upon the concept of a “chain of trust,” with a node in the DNS hierarchy that distributes trusted keys called a “security apex." This is the role that might be appropriate for the RIRs.

• This is quite similar to how PGP works: You sign someone else’s PGP key to help others identify him since they trust you, but that does not involve taking responsibility for what the key is used for.

• A mechanism of distribution of trusted keys for root is needed

• RIRs already have a relation with a large fraction of the resolver population and are already working on securing this relationship, and it seems to be a very good match for the requirements. It is unclear if there is a good alternative.

General Comments:

• Comment from the floor that it might not be good for ARIN to specifically solve the problem, but would be good to sign the keys.

• Question from the floor that if there are several roots not in the same region, should ARIN sign those as well?

• Comment from the floor that ARIN shouldn’t authenticate the identity of anyone it doesn’t do business with. Rather than help the presenter solve his problems, ARIN can sign the identity of ARIN members, and that would indirectly help this process. Johan replied that due to infrastructure issues, an Authenticator can’t choose to sign some keys, but not others.

• Jim Cutler asked if Johan preferred a collegial model of trust, rather than hierarchical. Johan replied that no, he is suggesting widening the area of trust, but there is still a hierarchy. The more signers you have, the higher the level of trust. These are third-party identifiers signing keys, and are not involved in the rest of the process.

• Mark Kosters remarked that being a certifying authority is outside what ARIN does and that we need to look at if this is something ARIN should be doing. John Curran replied that it is recognized that this is outside the area of what ARIN does, but the Articles of Incorporation allow us to do this within the bounds of improving the Internet, etc. There is also a liability issue. Mark stated that it is appealing that the RIRs are a trusted entity, but from a cynical point of view, where is DNSSEC going and when is it going to be implemented? Is this something we need to do now or can we wait? It needs to be looked at against ARIN’s mission. ARIN should get involved, but not perhaps at this point.

• John Curran asked Johan about the liability issue. Johan replied that the issue in terms of liability is key signing error. In PGP, very few think about the liability of signing.

• Mark Kosters stated that this is the kind of thing that looks great in a very small environment, but in this case the environment is much bigger. What are the implications, especially if ARIN makes a mistake? Michael Dillon said that he would like to echo what Mark said, and add the issue of cost. Would ARIN be asked to do a lot of these activities? Johan replied that no, only half a dozen or so a month. Michael then said that he misunderstood the scale of this. Johan stated that he didn’t think we should look at creating new Internet organizations. Michael agreed, but said there was still an issue of cost.

• Dave Conrad said that ARIN should make a statement of support for the concept and then look at ways to implement

• John Curran asked Johan what the impact would be of ARIN not doing this. Johan replied that they would like to see as many appropriate organizations as possible do this, not just RIRs.

Policy Proposal 2003-9: WHOIS Acceptable Use

Author and Presenter: William Leibzon

William Leibzon presented this proposal and explained the problems it attempted to address.

General Comments:

• John Curran asked William if the acceptable use policy cited in clause 1 was the same as what the bulk WHOIS AUP currently is. William replied that yes it was, though there are a couple of words about applying it to queries. William said this reflects what he understand ARIN does as an operational issue. John asked if clause 2 of the policy changes the output of WHOIS. William replied that he was not trying to change the display of WHOIS, this is just a policy proposal that would apply to WHOIS queries of any type. This shouldn’t be a big change for ARIN to implement. John asked under clause 3, do bulk WHOIS requesters have to come back and accept the AUP each time? William answered that was true only if they don’t get the data through the Internet (i.e. if they requested a CD).

• Andrew Dul asked do we want to break this into two policies, or do we want just one policy? Andrew said he was leaning to leaving the Bulk WHOIS policy as is, and just adding an AUP to online WHOIS queries.

• Michael Dillon stated that this could be better written, but he liked the idea.

• Lee Howard asked what actions could be taken in regard to enforcement. William replied that we cannot enforce it for companies that are using the data illegally, but we could enforce it for marketing practices. If ARIN knows that someone is violating it, they can stop queries, but that language is not in the document.

• Owen DeLong voiced support for a single WHOIS policy. He stated that he would like to change requirements to once every six months to resubmit policy, instead of every month. To be effective there should be one policy.

• Question from the floor about whether the language for the WHOIS output would be on every query or just a link. William responded that he would leave that up to ARIN staff to decide.

• Alec Peterson stated that there is no authentication in the WHOIS protocol. The idea behind the Bulk WHOIS policy is that instead of people doing frequent queries, they can download bulk WHOIS. William stated that he did not think ARIN should deny frequent queries.

• Nurani Nimpuno, of APNIC, offered that when you query the APNIC database, there is a statement about downloading the Bulk WHOIS AUP.

• Comment from the floor that if the text is in each query, it is likely the text would roll off the screen, while if it is a link, do you think people are going to read it? Do the other RIRs have a port 43 AUP? Nurani replied that APNIC and RIPE NCC do.

• John Curran stated that there appears to be consensus that ARIN should be doing something in this area, the AC should work with the author to come up with a better proposal.

Polling of Consensus:

Q1: Should the ARIN AC work on a single unified WHOIS acceptable use policy?
Yes? 37 No? 0

Policy Proposal 2003-5: RWhois Server Use Requirements

Presentation (Read-only): PDF
Author and Presenter: Mark Kosters

Mark Kosters presented this policy proposal. Highlights included:

• Basis of proposal is to allow for location administration of reassignment info, open to RIR staff to examine reassignment info, open to general public to query for reassignment info

• Requirements are for the server to be up 24/7, access to reassignment information would be for RIR auditing and the general public

• Allowances would be made for privacy protections and query spamming

• Data must be up-to-date

General Comments:

• Michael Dillon commented that LDAP is what we should be doing. It is a waste of time for ARIN members to do anything with RWhois. As an option, companies should be able to run an LDAP server for information currently in RWhois servers. Requirements outlined in policy could apply to any future service.

• Question from the floor about what percentage of ARIN membership uses RWhois vs. SWIP. Richard Jimmerson replied that at first estimation, it would be less than 10-percent.

• Question from the floor about if this is a proposal saying “if you use RWhois” or “You must use RWhois.” Mark replied that this policy is only for those who chose to use RWhois, and it is not required.

• Question from the floor about what the result is if the entity does not continue to meet requirements. Mark replied that he wasn’t sure and asked for suggestions.

• Comment from the floor that if we have policies, we need to at least think and address enforcement. Stop the use of RWhois and use one of the other methods of reassignment.

• Owen DeLong stated that he thought the policy was a really good idea and it had his full support.

• Sarah Garfinkel said that having worked before with RWhois, it is a nightmare to use the software. The people who have RWhois working successfully may not be able to handle the requirements for privacy and opening it to public. Mark replied that there is a minimum number of data elements needed by ARIN. Mark added that it is no different from issuing a SWIP and has very simple guidelines. Sarah suggested that it be recommended instead of required.

• Alec Peterson stated in that replying to the characterization of RWhois being creaky, it may be true, but if someone is using RWhois, it should be populated with the data that ARIN requires.

• William Leibzon suggested that the word “RWhois” be replaced with wording that could apply to the future. Something like “Protocols to be used for reassignment information and include other operation information.”

• Tim Christensen, as a point of information, said that 517 organizations use RWhois, and only 100 have entered referrals, and half of those are not active.

• Comment from the floor that in a couple of places where RWhois is used, it is because they didn’t want to make the data public. It is used to make data available to ARIN, but protect other information.

• Alex McKenzie stated that clause 7 would be okay as long as it doesn’t have to be updated for cable applications because we run those reports monthly.

• Sean Crandall stated that as someone running RWhois, he did not have any problem with this proposal.

Polling of Consensus:

Q1: Should ARIN implement an RWhois requirements policy?
Yes? 23 No? 1

Policy Proposal 2002-3: Micro-Assignments

Presentation (Read-only): PDF
Presenter** : Bill Darte**

Bill Darte, as a member of the ARIN AC standing in for the policy author, presented this policy proposal. There were 3 previous proposals which all dealt with receiving smaller allocations than stated in the current policy. 2002-3 received significant support, the author of 2002-7 was asked to collaborate with the authors of 2002–3, and 2002-9 was abandoned for lack of support. Authors were invited to take input from the meeting and re-work the proposals. This proposal states in order to allow people to both conserve address space and reap the benefits of multi-homing, the minimum size assignment for those who do multi-home should be made smaller. The current policy proposal process suggests the ARIN AC will take this proposal and do something with it. To provide the AC with the best information, Bill asked for input from the members.

General Comments:

• Alex McKenzie stated that he was 100-percent in favor of the proposal. On the business side, he said he had customers ask for address space for multi-homing that they could announce. We say no because it violates ARIN policies, but not everyone does. Alex said that in some cases no one is announcing the larger aggregate. If we announce the aggregate, they will have no choice which upstream to use so that they aren’t dependent on upstream. He stated that his concern was that his company was denying the requests under ARIN policies, but that he knew of at least two cases where this is going on. John Curran said that there weren’t a lot of policies regarding announcing address space and that ARIN policies may not prohibit this.

• Bill Woodcock announced that he supported the slow and gradual increase of prefix links and that he thought we should do a /21 for multi-homing and then see how it goes and then maybe increase it to a /22. He said he weakly supported as stated, but would strongly support it if it specified a /21.

• Barbara Roseman asked how many people who get a /20 come back and request the other /20 to get a /19. I’m curious because the reason we moved from /19 was that no one was coming back for the other /19. Are we really creating a situation that would increase the routing table. If people are not utilizing /20s then we should think about something smaller. Richard Jimmerson replied that he didn’t have the exact number, but that it would be provided to the AC for their discussions on the issue. Barbara said that if we are truly concerned about aggregation, this is a bad policy, but if it we aren’t, than the bit boundary doesn’t matter.

• Owen DeLong said that he was in general support of the policy proposal.

• William Leibzon commented that in general he was in favor of micro-allocation policies. Multi-homing space has become a problem only a short time ago when large numbers of ISPs folded. I supported /22 last time, and support that now. Fully in support as stated.

• Leo Vegoda from RIPE stated that in regards to utilization of /20s in its region, they’ve allocated over 500 /20s in the last couple of years, and that 148 contiguous /20s have been issued.

• Ron da Silva said that if the upstream filters egress traffic when the connection with the upstream is down, he loses reachability to his upstream’s other customers.

• Comment from the floor that suggested an expanded definition to mean also application of networks, not direct multiple connections but connections to networks that have direct connection to multiple connections. Bill Woodcock replied that he believed this was a misunderstanding of multi-homing, as it means connections to multiple ASs, not physical transit.

• Alec Peterson remarked that the ARIN AC came up with a specific multi-homing policy and it states that if you are multi-homed, and you have officially utilized a /21, you can receive a /20.

• Richard Jimmerson stated, as a point of information, that it appeared that for more than half of the /20s issued for multi-homing, the requesting organization has not come back to request additional address space.

Polling of Consensus:

Q1: Should the ARIN AC be working on this policy?
Yes? 15 No? 4

Policy Proposal 2002-5: Amnesty

Author and Presenter: Bill Woodcock

Bill Woodcock presented this policy proposal and gave some background on its support at previous meetings and an overview of changes made in light of the feedback received. Highlights included:

• Received near unanimous report in last meeting, but was filibustered on mailing list

• Lost single most important word – smaller in “they shall be allowed to receive a smaller block, /24 or shorter”

• Sentence added in pointlessly, normal transfer does not need to be stated, already covered by policy

General Comments:

• Jere Cassidy stated that working for an an organization with dozens of maintainer IDs, what I would like to propose is that the block that is returned could be assigned to an organization’s other maintainer IDs. Bill Woodcock responded that ARIN staff could do this and he didn’t think it needed to be codified in policy. Jere said there have been problems in the past with this, and Scott Bradner commented in such cases, people should let Ray Plzak know about it so that it can be dealt with.

• Dave Barger posed a hypothetical situation where if someone suddenly discovered they have /8 they want to return, could they receive a /13 no questions asked if they return it? Bill Woodcock responded that yes that would be the case, and that some reclamation is better than none.

• Sarah Garfinkel asked whether the organization that returns the address space can specify the block they receive in return. Bill Woodcock stated that the original version of the policy stated that they could. Sarah then asked about who decides the size block they get in return, and Bill answered that it would be the person returning it who decided.

• Owen DeLong commented that he thought this is a great policy, and it should have been implemented. In response to Dave Barger, this is not condoning bad behavior, it is rewarding those who are realizing that they have space they shouldn’t have.

• William Leibzon said that the two points he had made on PPML have not been addressed. Bill Woodcock responded that they can request a /24 if they need it. William said that was not the issue he was referring to, he meant the schedule of fees for those getting smaller than a /20. Bill asked if William meant that no one would ever go for anything smaller than a /20, and if they did, would they still be charged? John Curran asked if William wanted this policy in addition to a fee schedule, and William responded in the affirmative.

• Barbara Roseman asked if Bill could discuss the status of this policy in the other regions. Bill Woodcock said that this is not a policy yet taken up in the other regions, but if it passes here he will be introducing it in the other regions.

Polling of Consensus:

Q1: How many people believe the AC should work on a policy for Amnesty requests as stated in this proposal?
Yes? 25 No? 0

Policy Proposal 2002-6: Aggregation

Author and Presenter** : Bill Woodcock**

Bill Woodcock presented this policy proposal and gave some background on its support at previous meetings. Highlights included:

• Received near unanimous report at last meeting, but was filibustered on mailing list

• Takes APNIC policy and brings it forward for inclusion in ARIN

General Comments:

• John Curran asked as a point of information, in regard to ARIN’s current practices, is this a practice already? Richard Jimmerson responded that he didn’t believe it was a standard practice, but that ARIN has done it in the past. Leslie Nobile added that there have not been many requests for this, but it has happened. John stated this policy would clarify situations that happen from time to time.

• Barbara Roseman asked that since we now have the multiple maintainer policy, would it be a problem getting addresses as one organization with multiple maintainers? Bill responded that such a situation would be exactly the right case for this. This policy would give the ARIN staff the latitude to address this while staying within policy constraints.

• James Cutler commented that his company was going through this on their networks, and that this policy is short, to the point, and codifies practice, so he likes the policy.

• Bill Manning stated that he was bothered about this policy and the former policy. ARIN ought to consider if the minimum allocations size is something that may apply here. I support the policy as written, but with consideration of minimum allocation size requirements.

• Question from the floor about what happens when there are three parties to an aggregation request, i.e. one wants space for aggregation and another wants to give space back. Bill responded that the policy would give staff the latitude to deal with those on a case by case basis.

• Sarah Garfinkel said she doesn’t support policy without a requirement for justification, and that she is worried about abuse in terms of organizations getting more space than they need. John Curran replied that this policy doesn’t address assessment of utilization.

• Nurani Nimpuno, of APNIC, stated that there has been no abuse of this policy in the APNIC region.

• Comment from the floor that this proposal and the previous ones have problems with abuse, in regards to blocks returned that are listed on blacklists and similar problems.

• Owen DeLong stated that routing aggregation is a good goal to have, but that we should consider an upper boundary on it. Maybe a /20 or /21 as the limit. Alec Peterson asked what about a percentage ceiling to prohibit situations where a /17 and a /24 could get you a /16. Owen replied that he thought wasting space might be an issue with a percentage limit, and that a limit of /20 or /21 would be good. He said he supported the policy anyway, but it would be better with limit. John Curran stated that an issue that might have to be dealt with is what is a reasonable trade-off?

• William Leibzon commented that he felt we should not let every organization go ahead with this, meaning that ARIN should have the right to refuse these requests if they felt they needed to. Bill Woodcock said that to summarize the discussion so far: the policy should include a limit of a /20 or /21, requests should be reviewed if result would be more than 33% gain over what was previously allocated, and that ARIN staff should be able to use its discretion in all cases.

• Comment from the floor that voiced support of the policy as written, but that it would be more fair if everyone paid their fair share.

Polling of Consensus:

Q1: Should the ARIN AC be directed to work on a proposal for aggregation requests as outlined here?
Yes? 29 No? 1

ICANN Reform

Moderator: Ray Plzak
Presenters: Paul Twomey, Lyman Chapin

Paul Twomey, President and CEO of ICANN, expressed thanks for letting him be here. He then talked about the changes that have been going on in ICANN and where he believes its future direction lies. Highlights included:

• ICANN going from being internally focused to externally focused, dealing with such issues as internationalized domain names

• Working to achieve balance between global and local concerns

• New “ICANN 2.0” is a forum for discussion, not a solution to problems

• Final point - the big issues coming are the globalization of the Internet, especially in developing countries. ICANN has duties to both technical and geographic constituencies.

Lyman Chapin, ICANN Board Member, then spoke some more on issues that will effect the address community. Highlights included:

• Reform process is coming to a close, ICANN will be moving on to fulfill its mission. The missing piece is no longer cosmic philosophical issues, but rather boils down to completing three documents: the ASO Memorandum of Understanding, a document describing the duties of IANA, and a set of documents which are contracts with the RIRs

• These issues are being worked out between ICANN’s President and the Boards of the RIRs

• You can look forward to “ICANN 2.0” emerging from Montreal meeting

Ray Plzak spoke about ICANN reform from ARIN’s perspective. He said that from an ARIN perspective, we have had intense discussions, but we are coming to closure on many items and issues, putting concise words and thoughts on paper. The boards of the RIRs have been working together on these issues holding several teleconferences with those involved. We have been having very frank discussions, and posted documents on our respective websites asking for comments and we’re still open to comments. I suspect we have a bit of intense work to do to get everything ready by the Montreal meeting. Feel free to accost any of the ARIN Board members or ICANN guests with comments you may have.

General Comments:

• Bill Manning said that with internationalized labels there are some scripts or encodings that change what people think of as letters and numbers. Will the reverse map match between RIRs? Lyman replied that he didn’t think so. Mark Kosters answered that he didn’t think it mattered and was irrelevant.

Open Microphone

Moderator: Richard Jimmerson

General Comments:

• Michael Dillon stated the last three policy proposals had all been presented before, and this second time around have received support due to additional work on the language. We should remember this when it comes to PPML discussions.

• Dave Barger said that he had a couple of questions in regards to his policy proposal. To begin with, how many people believe ISPs have a responsibility to protect recipients of address space customer privacy when requested? Michael Dillon asked under what conditions should information be made public and what info should be made public? Dave responded that the whole point here is his customers asked why ARIN needs this information. Comment from the floor asking who decides what networks are anonymous? I have corporate customers who would like to be anonymous. Michael replied that ISPs should decide what information is out there, but that they have to accept the responsibility of that decision. Dave Barger commented that not swipping information is not the point, ISPs have a responsibility to show utilization. The network operator has the responsibility to maintain the customer information, and we seem to be saying that ARIN has responsibility for maintaining information.

• Owen DeLong said that the information should be out there, but only if the ISP is willing to list itself as the POC. He also wants to be able to see what organization actually holds the blocks for determining network operation and abuse issues.

• Alex McKenzie commented that Canadian law forbids the publication of private residence data, but if someone is running a business out of their house, that restriction no longer applies.

• William Leibzon said that it was still an issue if the only thing we see is the block is assigned, the customer name is enough. The only reason someone looks up a block is for operation issues, and without a name, the information is of less value.

• Sarah Garfinkel asked about the corporate right to privacy. Dave Barger replied that his company did have corporate customers that were worried about physical security. Comment from the floor that corporate addresses are a matter of public record, and there are other areas that companies like to keep private and that includes customer names. Alex McKenzie added that he too has had corporate customers that are worried about security and in those instances, his company maintains the name of the corporate customer on the record, but the physical address is his company’s. Dave replied that they have done the same thing for their customers.

• Comment from the floor that it may be important for the information to be shown if that customer has in-addrs.

• John Curran asked that in regards to a show of hands, we can’t have it done randomly. Dave Barger replied that the information he has received from this discussion was ample for him to continue to look at this issue.

• Lee Howard noted that someone commented on how good the proposals were compared to what was here before and asked if people thought that due more to the public editing or the AC editing? Barbara Roseman replied that she wasn’t sure you could separate those two.

• Jim Cutler commented on how he enjoyed the food, network connectivity and sponsors and asked who was responsible for the organization of the meeting. Ray Plzak identified Susan Hamlin as the Director of Member Services, as well as the rest of the Member Services staff, as those directly responsible and asked the rest of the ARIN staff to stand and personally thanked them for their work on the meeting.

• Owen DeLong said that getting back to the refinement of proposals he believes that the AC working with people up front will help, but if not, perhaps a day could be added to the meeting and have multiple BOFs for discussion of policies. It seems helpful to get people together face to face, so this might be necessary. Jim Cutler said that sounded like a working group. Owen replied that it could be, and that it doesn’t matter what people call it. Alec Peterson responded that the Advisory Council had been looking at this and knows the procedure needs to change. He added that contacting the AC will be the main way to propose policy, so that the AC can address some things before it becomes a proposal. Along with other changes, this will lead to better proposals from the start.

Closing Announcements

Ray Plzak thanked everyone for attending and encouraged all those present to complete the meeting survey which he stated was now available on the website. He again expressed thanks to the meeting sponsors: NASA and Comcast. Ray again provided reminders about the Registration Services Help Desk and the ARIN Learning Center.

Meeting Adjournment

The meeting was adjourned at 5:06 PM (CDT)

Sponsor