ARIN XII Public Policy Meeting Minutes, Day 2, 23 October 2003 [Archived]

Call to Order and Announcements

Presentation (Read-only): PDF

Ray Plzak opened the second day of the ARIN XII Public Policy Meeting at 09:00 CDT. Announcements included thanking Server Central for its meeting sponsorship and ANet for partially sponsoring Wednesday night’s social event.

ASO AC Election Results: Ray also announced Louis Lee as the winner of the election to fill the vacant seat on the ASO AC from the ARIN region. Louis Lee thanked the voters in attendance and gave a brief acceptance speech.

Policy Proposal 2003-12: IANA to RIR Allocation of IPv4 Address Space

Introduction: Einar Bohlin, ARIN Policy Analyst
Read-only Presentations: PDF

• Policy Proposal Introduced - September 12, 2003
• PPML Summary:
  • 2 posts
  • 2 different people
  • This is a global policy proposal to define the policies under which the IANA will allocate IPv4 address space to the Regional Internet Registries (RIR).
  • It has already appeared on the public policy agendas of the APNIC and RIPE NCC meetings. This policy proposal will also be discussed at the next LACNIC public policy meeting.
  • Following discussion in all four regions, the proposal and discussion results will be forwarded to the ICANN ASO Address Council for review and submittal to the ICANN Board, as it is considered a global policy proposal

Presenter: Ray Plzak
Read-only Presentations: PDF

Comments:

• Questions:

• Responses/Clarifications:

• Suggestions:

Polling of consensus:

Question : Approve of Policy 2003-12?
Yes? 42 No? 0

IANA to RIR Allocation of IPv6 Space Discussion

Presentation (Read-only): PDF
Presenter: Ray Plzak, ARIN CEO

Ray Plzak announced that this is not a formal policy proposal, but an informal discussion and information gathering session. This topic has been previously presented at both the APNIC meeting in Seoul and the RIPE NCC meeting in Amsterdam within the past few months and will be presented at the upcoming LACNIC meeting in Havana. When the language is agreed upon by all four RIRs, this will be a global policy proposal to be forwarded to the ASO Address Council then transmitted to the ICANN Board for adoption.

This policy is similar to the IPv4 proposal, especially in the discussion and determination of available space. The policy will use the HD ratio to determine the RIR utilization rate.

General Comments:

• People want to have sparse allocation by regions, so it may be better to go from /20 to /18 in sparse locations.

• How the RIRs make allocations to the ISPs has nothing to do with the allocation that they receive from the IANA.

• Yes, it does. If we want to do sparse locations, then we want to have a larger block from IANA.

• That could be a factor. So what would you suggest?

• Slightly larger block of address space received from IANA each time and then allowing RIRs to do sparse allocation. But I would like it to happen only if all RIRs do it, not just one region.

• To follow up, you think the allocation should be larger now or should be larger if and when an RIR has a plan for sparse allocation?

• If and when it has a plan for sparse allocations. If and when all RIRs agree to this plan. I think we need to wait before deciding on IPv6 policy with IANA and to decide whether we want to do a sparse allocation or not.

• In the current environment, there is a method of getting an IPv6 allocation on the current allocation plan. I guess what I’m wondering is, given the current plans of the registry, is this a good allocation size or would you still recommend changing it?

• We could do with a larger space so RIPE, for example, won’t have to go through and get an additional space.

• You would recommend doing a larger size now, A, so we wouldn’t get multiple requests from someone like RIPE, and, B, because it would facilitate if we ever do sparse allocations in the RIRs, we have a block big enough already.

• One of the things you should consider in thinking about the size of the block that the RIR gets is how often you think the RIR should be going back to IANA to conduct business. IANA has its own things it has to do as an agent managing IP address space. So from auditing capabilities, a shorter time might be better than several years.

• What were the criteria that you used to pick the /20? Was that based on the utilization that you’ve seen over some period of time in the past, was it based on projected allocations, or was it a random number?

• It’s probably a combination of all those, plus what I just said about trying to think about how often the RIR should go back to the IANA. The only real operational experience we have for a rapid allocation rate is what’s been happening in the RIPE NCC meeting. But again they’re allocating /32 for /29. If they changed their policy or if they went to a sparse allocation policy or something that may make a difference in how they would administer /20. The operational experience in the interim, we haven’t been doing it as fast as the RIPE NCC has, however, within the first six months of the year we did allocate more at a faster rate. It’s not to say as things change in the environment in our region that we could not begin to allocate even more space. Then, again, I can’t speak for the exact experience of what the rates are in the APNIC region, but we’re kind of at a crossroads of trying to determine what that should be. So it’s like when we did the v6 policy in terms of 200 customers, a number had to be selected. This /20 number has not been really raised in the other regions. There’s been thought it should be maybe /8. Some people think it should be /16. So I think that they could make a case for all of them. One of the things we did factor into this was a consideration of how often the RIR should touch the IANA so that there could be some kind of audit done.

• Once you set this number, how much effort would be required to change it if it turns out that the utilization rates go up more rapidly than you expected?

• What we’re talking about here is a minimum size, if you will, as a unit. So it’s just as RIPE now with the policy from the RIR to the ISP. There’s a minimum size, but you get more by the original maximum amount. So if the allocation size was set at /20 and my 18 month projection was for 2.5 of those, I should receive three.

• It would be continuous?

• In that case I would say yes, they should be continuous.

Policy Proposal 2003-11: Proposal and Scope of the WHOIS Directory

Introduction: Einar Bohlin, ARIN Policy Analyst
Read-only Presentations: PDF

• Policy Proposal Introduced - August 21, 2003
• PPML Summary:

  • 31 posts

  • 12 different people

  • “I’m happy with the way it works right now where issues are resolved directly with the actual users first, then if that doesn’t work the ISP gets involved.”

  • 3 month POC validation is too frequent, once a year is enough.

  • The direct allocation level must have POC info.

  • Contacting end users is worthless, they are not responsive.

  • When end users records are displayed, make it clearer who the parents are.

  • Verification of POC info is good, but it may not scale if all end user reassignments are included.

Presenter: Michael Dillon, Radianz, Inc.

Comments:

• Statements For and Against:

• Questions:

• Responses/Clarifications:

• Suggestions:

Policy Proposal 2003-16: POC Verification

Introduction: Einar Bohlin, ARIN Policy Analyst
Read-only Presentations: PDF

• Policy Proposal Introduced - August 11, 2003
• PPML Summary
  • 1 post
  • Would prefer a general statement, “ARIN staff shall make all reasonable efforts to contact and verify the POC…”
  • ARIN should make available a specific list of unverified or delinquent resources.

Presenter: Andrew Dul, proposal author

Comments:

• Statements For and Against:

• Questions:

• Responses/Clarifications:

• Suggestions** :**

Policy Proposal 2003-5: RWhois Server Use

Introduction: Einar Bohlin, ARIN Policy Analyst
Read-only Presentations: PDF

• Policy Proposal Introduced - March 6, 2003
• PPML Summary:

  • Presented at ARIN XI

  • Current version Introduced - September 22, 2003

  • There were no substantive comments on PPML.

Presenter: Mark Kosters, proposal author

Comments:

• Statements For and Against:

• Questions:

• Responses/Clarifications:

Polling of consensus:

Question : Approve of Policy 2003-5?
Yes? 24 No? 5

Hijacking Report

Presentation (Read-only): PDF
Presenter: Leslie Nobile, ARIN Director of Registration Services

Leslie made a presentation about the recent IP address space hijackings.

• Hijacking is defined by ARIN as “Individuals targeting mainly legacy IP address blocks to make unauthorized changes to registration records in WHOIS. The WHOIS data then inaccurately reflects this false information and gives the illusion that the individual now has some authority over the resource records. Affected resources include IP addresses as well as AS numbers.”

• Hijacking misleads network operators, compromises the WHOIS database, creates liability issues, increases staff workload, slows response times, and increases staffing and legal fees

• From April to October 2003, 110 cases were opened: 11 cases were found to have no evidence of hijacking, 84 cases were closed, and 15 cases are still pending

• ARIN’s actions:

• ARIN is not:

• To help ARIN combat hijackings, ensure all of your and your customers’ Org and resource records are updated and use stronger authentication when available

• Several possible actions for policies and procedures, database solutions, and legacy space were discussed

General Comments:

• Requiring tax ID and raised corporate seals is a wonderful idea for your customers who are incorporated. However, there are at least three, maybe two allocations in the database that I know of personally that are individuals that don’t have a corporate seal and aren’t particularly interested in providing a Social Security number to ARIN.

• I think this is a really good idea because it removes a lot of the arguments that we have right now between people who have legacy records and can’t see why they should have to worry about paying money long after they helped build the Internet versus the people who are getting IP addresses right now and paying money into the registries and working hard and have no idea why these old geezers should be allowed to freeload. Neither of these parties are in the wrong. They both exist. There’s no way around that. This is a way of removing any cross subsidy between, and I’m strongly in favor of it and I think you all should be too and I can argue with anybody that thinks otherwise on my own time.

• I also agree – it’s going to allow ARIN to lock down all the old records and basically allow any changes unless they want to play by new added rules. ARIN has to have some financial records to prove what kind of company it is. It’s going to solve quite a bit of problems trying to pin down whether it’s a valid company or not.

• I was talking about the transparency issue and the historical record, and I really think that would go a long way for its people being able to tell ISPs whether the information is to be taken at face value or not. Obviously if people were to look at the historical information on my personal blocks, you would see a few address changes, same person, you know, across multiple changes as the POC and assume that that would play the reason of the evolution of the corporation or individual. And I think that would be a huge step in the right direction. It could be a step we do retroactively. The question is do the data exist?

• I am concerned that legacy holders may have that particular snobbish attitude of we’re the old guys and we were here long before you, if we move them unilaterally to some legacy database, they might object to that as well. I would encourage ARIN to spend a little bit of their phone time talking with the legacy holder as opposed to just tracking down hijackers to invite them to join ARIN and to participate in the current process and inform them that one of the choices we have is that we expect to move you into this other thing that’s going to be relatively skim, pretty much static, and we’ll just leave you there until you decide you want to come out of your suspended animation and join the real world, and when you do, here we are. There ought to be a dialogue with the legacy holder before we move them.

• It strikes me that this conversation about moving legacy address space into legacy databases is sort of another variation of the previous discussions we’ve been having on verification of data in the WHOIS database. I don’t think it should be separated from that. I don’t see any difference between the address space that I acquired a few weeks ago from ARIN and a legacy block that has up to date contact information and whether that actual organization is a member of ARIN or not. If that contact information is up-to-date on that legacy block, it really isn’t a legacy any more. I think what we’re really talking about here is the set of address blocks that don’t have up-to-date contact information. We don’t know who they are, what they’re doing, where they live, et cetera.

• I think from a lot of people’s point of view, the difference is whether or not we’re paying fees to ARIN. Whether or not they are contractually obligated to ARIN and whether or not they have signed a contract acknowledging that they do not own the address space they have; that there are a lot of people who have address space that they received prior to joining ARIN under an informal agreement to book something like it being given to them. And there are a lot of people who do not want to sign a contract with ARIN acknowledging that that is not the case. And so this is the way of removing any financial burden of supporting those people from the regular ARIN membership.

• I believe that if ARIN is responsible for these addresses in any way, shape or form, keeping track of them or anything else, legacy or not, we should all have to play by the same rules. They should have to pay, they should have to keep track of all their stuff, and I could bet there’s many people that won’t agree with that.

• To me whether it’s in a separate database or whether it isn’t, I’m not so concerned about that. But I do think it provides a wonderful opportunity to try to contact legacy folks and say, “These issues are out there and frankly we’re not going to be able to protect you as well if you aren’t someone who we can authenticate in this process.” So I think it’s a great opportunity to go out and challenge those folks to be involved.

• As someone who holds blocks in both categories, I would be pretty upset if I got told that I suddenly had to start paying ARIN for that legacy block. Even though it wouldn’t affect me financially, ARIN doesn’t have any real authority to do that. There’s no real contract between me as the owner of that block and ARIN that allows them to suddenly tell me I’m going to start paying them for it or anything like that. And I think it would meet with some pretty strong legal challenges with a lot of other people in a similar situations. Hijacking is an issue. Hijacking is an issue that is taking a lot of ARIN staff time, and I don’t have a problem with that block being moved to a legacy registry and having the choice of paying fees to get it into the registry that I can update and that ARIN will spend time on. I think it’s perfectly reasonable for ARIN to move those into some place they don’t have to deal with.

• To clarify the options that were on one of Leslie’s slides:

RTMA Working Group

Working Group Chair and Moderator: Cathy Wittbrodt

• Asked attendees to think about the future of the RTMA working group and send comments to the RTMA mailing list

• Suggested disbandonment if there is nothing for the group to do

“Miscreants, Hijacking, and Bogons - Oh My!”

Presentation (Read-only): PDF
Presenter: Rob Thomas, Cisco/Team Cymru

Rob presented a discussion of a wide variety of network security issues. Security incidents have become a daily event for Internet Service Providers. Attacks on an ISP’s customers, attacks from an ISP’s customer, worms, BOTNETs, and attacks on the ISP’s infrastructure are increasing in frequency.

He went on to discuss bogons; a bogon prefix being a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPN or other tunnels) should never have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks.

In addition, he discussed the “miscreants” who are becoming increasingly sophisticated with their technology and methodology. Because spamming equates to big money, they will resort to almost anything to get what they need and want from the Internet and its users and operators.

Policy Proposal 2003-4: IPv6 Policy Changes

Introduction: Einar Bohlin, ARIN Policy Analyst
Read-only Presentations: PDF

• Policy Proposal Introduced - March 6, 2003
• PPML Summary:
  • Presented at ARIN XI
  • Current version of the proposal is the same text that was presented at ARIN XI
  • There were no substantive comments on PPML

Presenter: Thomas Narten, IPv6 Working Group Chair
Read-only Presentations: PDF

• Some follow-up discussion within AC

• Proposed the abandonment of the current proposal as a whole, but pursue parts of the policy proposal through global-v6 mailing list or within ARIN as appropriate

Comments:

• Statements For and Against:

• Questions:

• Responses/Clarifications:

• Suggestions** :**

Polling of Consensus:

Question: Should the ARIN AC continue work on proposal 2003-4?
Yes? 29 No? 3

Policy Proposal 2003-10: Apply the HD Ratio to All Future IPv4 Allocations

Introduction: Einar Bohlin, ARIN Policy Analyst
Read-only Presentations: PDF

• Policy Proposal Introduced – August 21, 2003
• PPML Summary
  • 9 posts
  • 5 different people
  • Won’t this waste more IP space?
  • This is complicated, why not just say 50%?
  • Terminology: Let’s get rid of the words “allocate” and “assign.” What is a “utilized net,” what does that mean?

Presenter: Michael Dillon, Radianz, Inc.

• HD ratio is a different way of setting a threshold rather than setting a fixed hard threshold of 80 percent.
• Areas changed by proposed policy:
  • When you apply for a new allocation you have to report on your entire address space and calculate the host density ratio
  • Includes host density ratio and picks a couple of numbers similar to the way
    the current policy has picked 80 percent as a magic number
  • In our current policy we don’t really tell people how to calculate utilization,
    this proposal requires that you calculate the HD ratio

Comments

• Statements For and Against:

• Questions:

• Responses/Clarifications:

• Suggestions:

Polling of Consensus:

Question: Should ARIN look at different thresholds for utilization for organizations with different amounts of address space?
Yes? 43 No? 19

Policy Proposal 2003-13: Six Month Supply of IP Addresses

Introduction: Einar Bohlin, ARIN Policy Analyst
Read-only Presentations: PDF

• Policy Proposal Introduced - September 12, 2003
• PPML Summary
  • 1 post
  • Good idea

Presenter: Michael Dillon, Radianz, Inc.

• This policy is meant to address the paperwork and planning overhead types of issues
• Companies will work on a slightly longer cycle once they are familiar with ARIN processes

Comments

• Statements For and Against:

• Questions:

• Responses/Clarifications:

Polling of Consensus:

Question: Support Policy 2003-13?
Yes? 79 No? 0

Policy Proposal 2003-14: Remove /13 Maximum Allocation

Introduction: Einar Bohlin, ARIN Policy Analyst
Read-only Presentations: PDF

• Public Policy Introduced - September 12, 2003.
• There were no comments posted to Public Policy Mailing List (PPML) regarding this proposal.

Presenter: Dan Alexander, Comcast Cable Communications

• Further described the intent of the policy
• Asked for confirmation from the staff of the other registries present about that lack of similar restrictions in their regions

Comments:

• Responses/Clarifications:

Polling of Consensus:

Question: Support Policy 2003-14?
Yes? 79 No? 0

Policy Proposal 2002-2: Experimental Internet Resource Allocations

Introduction: Einar Bohlin, ARIN Policy Analyst
Read-only Presentations: PDF

• Policy Proposal Introduced - September 22, 2002
• PPML Summary:
  • Presented at ARIN X
  • Revised version presented at ARIN XI
  • Current version is the same text that was presented at ARIN XI
  • There were no comments posted to Public Policy Mailing List (PPML) regarding this proposal since ARIN XI

Presenter: Suzanne Woolf, ARIN Advisory Council

• Raised three questions for discussion:
  • Do we need this proposal at all? RIPE NCC and APNIC have similar policy but does ARIN need it?
  • Discussion in Memphis included concerns from the IETF about liaison with IETF to vet experimental proposals. Is requiring an RFC a good way to do this?
  • Discussion in Memphis also suggested a need for inter-RIR cooperation in this proposal to observe any unforeseen global impacts of an experiment. Does the staff have suitable mechanisms for implementing this? Is this enabled or enhanced by the NRO’s coordination mechanisms?

Comments :

• Statements For and Against:

• Questions:

• Responses/Clarifications:

• Suggestions:

Polling of Consensus:

Question: Support Policy 2002-2?
Yes? 55 No? 1

Internet Resource Policy Evaluation Process (NEW)

Presentation (Read-only): PDF
Presenter: Scott Bradner, ARIN Board of Trustees

Scott presented the proposed revision to ARIN’s policy evaluation process. Highlights included:

• Existing process document in use since April 2000; ideas for updating document discussed at ARIN XI and discussion continued on PPML

• New process draft published on October 8, 2003

• Policy process now includes better checks and balances to meet goal of having an open and transparent process

• AC conducts initial review of suggested proposals, petition-based process to push policy proposals forward without Advisory Council support

• A second review by the AC after discussion at a Public Policy Meeting

General Comments:

• You did not mention anything about suspension of the policies.

• To remind folks, if new information reaches the Board after a policy has been adopted, the Board can suspend the new policy pending a discussion in a Public Policy Meeting.

• I think it was implicit but not explicitly stated in the very first line that if the AC thinks that two policies are much the same and need to be converged, you stated that the AC would try to work with the authors. But if they chose not to they could go forward separately at that point.

• They could go forward by petition.

• One other point was that you mentioned if a policy got to the Board and the Board rejected it, that they would have to express a reason for doing so. [Scott replied in the affirmative.] But you did not state that if the AC chooses not to forward something, that they didn’t need to express why they made that decision. Did you leave that out on purpose?

• No, that should be in there.

• My concern is that I would hope that we could clarify Option B. Where there’s a general consensus but we just need to make some minor wording changes, that rather than to kick it back so it has to come back to the Policy Proposal Meeting six months later, that we have a way to go ahead and push once they clarify this, that they can go ahead and do the last call for comments, and that’s not clear.

• Substantive changes require another cycle, editorial changes do not. There’s got to be a significant issue to kick it back for six months.

• I would like to say this is a big improvement [over the current process].

• You make provisions for combining proposals but you make no provision for deciding the pieces of a proposal don’t necessarily need to have their fate tied to each other, and I think it would be a good thing to split the proposal sometimes.

• That would be a good addition.

• I like this. Are “organizations” the correct filter to use? What about “members?”

• This is something that came out of the discussion last time that we want a low but real threshold to escape the AC’s embrace for the first time and a reasonable threshold the second time. This is a Public Policy Meeting so it’s not a member’s thing, so it can’t be members and it can’t just be five people from the same company as the proposer supporting it.

• Can you define what an organization is? [Scott affirmed that would be a good thing to include.]

Polling of Consensus:

Question: Support proposed Policy Evaluation Process?
Yes? 66 No? 0

Open Microphone

Moderator: Richard Jimmerson

Richard Jimmerson opened the Open Microphone session saying that if there’s anything to be discussed that is not on the public policy agenda, this is the time for those issues to be brought forth.

General Comments:

• Lea Roberts, Advisory Council member - I would like to request our chairman to get a little more direction for the AC on the IPv6 policy proposal [2003-4].

  • The following questions were asked by John Curran of the attendees

• Sarah Garfinkel - I think the problem with the last discussion was we had too many different pieces in this policy, so we couldn’t get any agreement and I guess now we’re trying to break it up. Maybe we should in the future have much smaller bits in different policies so we can get it through in a timely manner rather than having big arguments like this.

• John Curran - That appears to be good advice. Getting something through is easier if it only changes one thing at a time. The counterpoint is IPv6 is a fairly new playing field, and we have to lay down pretty much a set of rules at once, so the first time through is expected to be problematic.

• Owen DeLong - As I understand it, ARIN actually does, at some level, track contact reliability, for lack of a better term, in the existing WHOIS database. I understand the desire not to publish that at this current time due to the hijacking issues and such, but I would also like to encourage the ARIN staff to consider publishing it, as it would help a lot of us that are dealing with this stuff on the outside deal with some of the hijacking issues.

• Izumi Okutani - JPNIC - I would like to know what you all think about making an allocation to IPv6 closed networks. In Japan, this ISP provides its service to its customers, connections to its customers, but they would like to provide another service using IPv6 networks to those subscribers but it’s closed, so they use this ISP’s infrastructure in a closed IPv6 network, and they have over 1 million customers for this, so it’s not possible to assign individual and contiguous /48 to each customers, so they have requested for an allocation. And the current policy is quite ambiguous if such allocations can be accommodated to closed networks and I’m interested to know what you all think about this.

• Michael Dillon - When you say closed networks of these millions of subscribers, do any of them actually have their own networks? Is there a closed network of companies which have their own networks?

• Izumi Okutani - JPNIC - I think some do, but I think some can be home users.

• Michael Dillon - My company has a global IP network in 20 countries worldwide and those countries are the ones in which the global financial service industry is focused. We have roughly a thousand customers. All of those customers are companies and they all have their own networks. On these networks some of them use IP address networks because they’re obviously a private network. Some use unique registered IP addresses and our network interconnects them all. We don’t pair with anyone. It’s a closed private network for this group of companies to do various applications. But because our network isn’t a private network really in a sense of IP space because it’s shared by many companies, networks, we cannot use RFC 1918, we must use global unique IP addresses. That’s why I’m here, because we have a large allocation of addresses from ARIN for this purpose and this sounds similar to what Izumi has described.

• Michael Whisenant - I just wanted to mention that with the use of Level 2 VPN, you can indeed have separate networks on your network that are using the same RFC-1918 address space. You can do it on our network as well. So in the aspect of getting a closed network can have private networks it also can have public networks is one I want to point out for clarification. It’s not a requirement to have public IP address space on a public network.

• Leo Vegoda - RIPE NCC - We had the same problem with the IPv6 policy being ambiguous. I think definitely the text needs to be improved because it’s ambiguous at the moment. It’s not really a hundred percent clear what the policy is, so people need to decide what the policy is and then write that down.

• Thomas Narten - My recollection is this particular issue is something we did not consider in time. It does need to be discussed and dealt with.

• Cathy Wittbrodt - I personally believe that people should get to use public address space for this because it’s a huge barrier. But I was wondering if maybe we could take a straw poll of people who think this is a reasonable thing to get public address space for because we’ve been churning about it two days now. It’s really a problem for the consistency so maybe we can see what people think.

Closing Announcements

Ray Plzak thanked everyone for attending and encouraged all those present to complete the meeting survey available on ARIN’s website and reminded everyone that filling out the survey automatically entered them in a raffle. He again expressed thanks to the meeting sponsors: Server Central and ANet. Ray provided reminders about the Registration Services Help Desk and the ARIN Learning Center.

Meeting Adjournment

The meeting was adjourned at 17:36 CDT.

Sponsors