Winnipeg 11 September 2014. Welcome. Here today from ARIN… Paul Andersen, ARIN Board of Trustees – Vice Chair and Treasurer Susan Hamlin, Director, Communications.

Presentation transcript:

Winnipeg 11 September 2014

Welcome. Here today from ARIN… Paul Andersen, ARIN Board of Trustees – Vice Chair and Treasurer Susan Hamlin, Director, Communications and Member Services Andy Newton, Chief Engineer Leslie Nobile, Director, Registration Services John Sweeting, Advisory Council Chair

Local speakers Ron Dallmeier, R&D Technologies Jacque Latour, CIRA Bill Reid, MBIX Sean Wallberg, ERTW

Today’s Agenda
1. Welcome and Getting Started
2. ARIN: Mission, Role, and Services
3. Obtaining IP Addresses: IPv4 Inventory, Countdown Plan
4. Automating Interactions with ARIN using REST
5. IPv4 Waiting List and Transfers
6. Using RPKI to Secure Routing
7. Lunch (12:00 to 1:00) upstairs in West Ballroom

Today’s Agenda – after lunch
1. Obtaining IPv6 Address Space
2. Current Number Resource Policy Discussions and How to Participate
3. IPv6 Tutorial
4. Break (3:00 – 3:15)
5. How to Add DNSSEC to your ARIN Records
6. Manitoba Internet Exchange Update
7. Q&A and Open Microphone
8. Beers and Peers

ARIN: Mission, Role and Services Paul Andersen Vice Chair and Treasurer ARIN Board of Trustees

“ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.”

ARIN’s Service Region ARIN’s region includes many (20) Caribbean and North Atlantic islands, Canada and the United States and outlying areas.

Regional Internet Registries

Who Provisions IP Addresses & ASNs? ICANN IANA Top level technical coordination of the Internet (Names, Numbers, Root Servers) Manage global unallocated IP address pool Allocate number resources to RIRs RIR Manage regional unallocated IP address pool Allocate number resources to ISPs/LIRs Assign number resources to End-users ISP/LIR Manage local IP address pool for use by customers and for infrastructure Allocate number resources to ISPs Assign number resources to End-users

ARIN Structure: Not-for-profit Fee for services, not number resources 100% community funded Membership organization (private and public sector, civil society) Member-elected Board of Trustees Community regulated…Internet number resource policies developed by the Community Open and transparent

ARIN Support Organization

ARIN Services
Number Resources: IP address allocation & assignment, ASN assignment, Directory services (Whois-RWS, WhoWas, IRR), Reverse DNS, DNSSEC, Resource Certification (RPKI), Community Software Repository
Organization: Information dissemination (Websites, Educational materials, IPv6 Wiki, Social media), Meetings, Elections, Outreach (IPv6, Internet Governance)
Policy Development: Maintain discussion lists, Conduct public policy meetings and public policy consultations, Publish policy documents

Information on Joining in the Internet Governance Discussion Visit ARIN’s webpage: Ways to Participate in Internet Governance

ARIN Community Input 14 March 2014 the US government announced desire to transition oversight of the Internet Assigned Numbers Authority (IANA) functions contract from the National Telecommunications and Information Administration (NTIA) to the global multistakeholder community. Coordination Group formed to facilitate the transition process – input from the Number Resource Organization, Address Supporting Organization, ISOC, IETF, IAB All RIRs will engage their respective communities ARIN 34 in Baltimore – on agenda and a likely consultation via on the issue

Participate in ARIN Contribute your Opinions and Ideas: Public Policy Mailing List IPv6 Wiki Attend Public Policy and Members Meetings, Public Policy Consultations – remote participation Outreach events Submit a suggestion Participate in community consultations Write a guest blog – TeamARIN.net Members – Vote in annual elections

ARIN Mailing Lists ARIN Consultation - Open to the general public. Used in conjunction with the ARIN Consultation and Suggestion Process (ACSP) to gather comments, this list is only open when there is a call for comments ARIN Issued - Read-only list open to the general public. Used by ARIN staff to provide a daily report of IPv4 and IPv6 addresses returned and IPv4 and IPv6 addresses issued directly by ARIN or address blocks returned to ARIN's free pool. ARIN Technical Discussions - Open to the general public. Provided for those interested in providing technical feedback to ARIN on experiences in the use or evaluation of current ARIN services and features in development. ARIN Announce: ARIN Discussion: (members ARIN Public Policy: ARIN Consultation: ARIN Issued: ARIN Technical Discussions: Suggestions:

ARIN’s IPv4 Inventory, Depletion Projections, and Countdown Plan Leslie Nobile Director, Registration Services

Updated 8PM ET IPv4 inventory published on ARIN’s website: ARIN’s IPv4 Inventory As of 2 Sept 2014, ARIN has 0.76 /8 equivalents of IPv4 addresses remaining

Prefix Length Breakdown

IPv4 Annual Burn Rate

ARIN’s IPv4 Free Pool

Linear Depletion Projection

“Run On The Bank” Projection

Which Projection is More Likely? Probably somewhere in the middle, but it only takes one unexpected very large request (e.g. /10) to change things completely Policy requirement to only fill requests with one block will prevent large ISPs from depleting all of the small blocks

IPv4 Countdown Plan

IPv4 Countdown Plan – Phase 4 Started at 1 /8 equivalent left All IPv4 requests team-reviewed and processed on a first in, first out basis Org has 60 days from approval to complete payment and RSA IPv4 hold period drops to 2 months

New IPv4 Policy – “Reduce All Minimum Allocation/Assignment Units to /24” Will be implemented on 17 Sept 2014 /24 minimum allocation/assignment No longer a multi-homed requirement

Minimum Requirements for IPv4 - ISPs ISPs qualify for a /24 by having one /24 reassigned and efficiently used Allocations > /24 based on demonstrated utilization history and renumbering (if applicable) Allocation size not based on predicted customer base (see Slow Start policy NRPM ) 3 month supply per policy

IPv4 ISP Data Typically Requested Static: Mapping of static IPs/subnets to customer names and street addresses Dynamic: List of all dynamic pools with prefix/range assigned, area served (location), peak util % Internal Infrastructure: Mapping of internal subnets with description and # IPs used

Example

Other IPv4 ISP Data Requested Typically ask for: – Customer justification data If necessary, may ask for: – Customer contact information and proof of customer payments – Proof of equipment lease/purchase

Minimum Requirements for IPv4 – End Users /24 minimum assignment size Show 25% immediate utilization rate (within 30 days) and 50% projected one-year utilization rate If requesting additional assignment, must show that each previous assignment is 80% utilized

IPv4 End User Data Requested Subnet mapping for previous ARIN assignments – Each subnet with description and # IPs currently used Planned subnet mapping for requested block – Each subnet with description, # IPs used within 30 days, # IPs used within one year

Example

The Bottom Line ARIN has v4 space today, but can’t guarantee future availability Plan appropriately to ensure continued growth of your network – Waiting List – Specified Recipient Transfers – IPv6

Automating Your Interactions with ARIN Andy Newton Chief Engineer

Why Automate? Interact with ARIN faster Not dependent on ARIN’s systems for user interface issues Build a customized system using standards-based technologies Improved accuracy Integrate multiple services

Why Automate (continued) We have a rich set of interfaces Focused on reliability and completeness Welcome to share your tools with the community at projects.arin.net

REST – Service Summary ARIN’s RESTful Web Services (RWS) – Whois-RWS Provides public Whois data via REST – Reg-RWS (or Registration-RWS) Allows ARIN customers to register and maintain data in a programmatic fashion – Report Request/Retrieval Automation Permits request and download of various ARIN data (subject to AUP) – RPKI using Reg-RWS

What is REST? Representational State Transfer As applied to web services – defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data – “Resources” are addressable in URLs Very popular protocol model – Amazon S3, Yahoo & Google services, …

The BIG Advantage of REST Easily understood – Any modern programmer can incorporate it – Can look like web pages Re-uses HTTP in a simple manner – Many, many clients – Other HTTP advantages This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …

What does it look like? Who can use it? Where the data is. What type of data it is. The ID of the data. It is a standard URL. Anyone can use it. Go ahead, put it into your browser.

Where can more information on REST be found? RESTful Web Services – O’Reilly Media – Leonard Richardson – Sam Ruby

Whois-RWS Publicly accessible, just like traditional Whois Searches and lookups on IP addresses, AS numbers, POCs, Orgs, etc… Very popular – As of September 2013, constitutes 65% of our query load For more information: –

Registration RWS (Reg-RWS) Programmatic way to interact with ARIN – Intended to be used for automation – Not meant to be used by humans Useful for ISPs that manage a large number of SWIP records Requires an investment of time to achieve those benefits

Reg-RWS Requires an API Key – You generate one in ARIN Online on the “Web Account” page Permits you to register and manage your data (ORGs, POCs, NETs, ASes) – But only your data More information –

Anatomy of a RESTful request Uses a URL (just like you would type into your browser) Uses a request type, known as a “method”, of GET, PUT, POST or DELETE Usually requires a payload – Adheres to a published structure – Depends upon the type of data – Depends upon the method Method, Payload, and XML schema info is found at “RESTful Provisioning Downloads”

Example – Reassign Detailed Your automated system issues a PUT command to ARIN using the following URL: The payload contains the following data: 4 HW-1 A Reassigned NET HELLOWORLD

Example – Reassign Detailed ARIN’s web server returns the following to your automated system: 4 Tue Jan 25 16:17:18 EST 2011 HW-1 NET A Reassigned NET netName>HELLOWORLD

Reg-RWS Has More Than Templates Only programmatic way to do IPv6 Reassign Simple Only programmatic way to manage Reverse DNS Only programmatic way to access your ARIN tickets

Reg-RWS adoption at ARIN – In 2012… 1.09 Million transactions processed – 375K processed via Reg-RWS (34%) – 371K processed via Template (34%) – Remainder via ARIN Online – In 2013… 4.72 Million transactions processed – 3.66M processed via Reg-RWS (78%) – 488K processed via Template (10%) – Remainder via ARIN online

Testing Your Reg-RWS Client We offer an Operational Test & Evaluation environment for Reg-RWS Your real data, but isolated – Helps you develop against a real system without the worry that real data could get corrupted For more information: –

Obtaining RESTful Assistance Pay attention to Method, Payload, and XML schema documents under “RESTful Provisioning Downloads” Or use ARIN Online’s Ask ARIN feature Or use the arin-tech-discuss mailing list – Make sure to subscribe – Someone on the list will help you ASAP – Archives on the web site Registration Services Help Desk telephone not a good fit – Debugging these problems requires a detailed look at the URL, method, and payload being used

Report Request/Retrieval For customer-specific data, access is restricted by user – Permits you to request and retrieve reports – But only your data For public services, you must first sign an AUP or TOU (Bulk Whois, Registered ASNs, WhoWas) – ARIN staff may review your need to access this data Requires an API Key

New Feature: RPKI thru Reg-RWS Delegated – very complex Hosted – easy but tedious if managing a large network through the UI Solution: Interface to sign ROAs using the RESTful API – Ease of Hosted – Programmatic way of managing a large number of ROAs

Whois-RWS and the Future Whois-RWS is ARIN’s RESTful interface to Whois. – RIPE also has a RESTful interface for Whois but it is not compatible IETF will hopefully be ratifying RDAP by the end of this year. – Will be supported by all 5 RIRs and some domain registries.

Leslie Nobile Director, Registration Services ARIN’s IPv4 Waiting List and the IPv4 Transfer Market

IPv4 Waiting List

How It Works If ARIN can’t fill a justified request, option to specify smallest acceptable size If no block available between approved and smallest acceptable size, option to go on the waiting list May receive only one allocation every three months Only one request on the list at a time

Filling Waiting List Requests Oldest request filled first – Example /19 is oldest request /16 returned to ARIN ARIN breaks up the /16 and issues the /19 Subject to re-verification Removed from list once a block is issued

IPv4 Churn IPv4 addresses go back into ARIN’s free pool 4 ways – Return = voluntary – Revoke = for cause (usually nonpayment) – Reclaimed = fraud or business dissolution – IANA issued – per global policy for “post exhaustion IPv4 allocation mechanisms by IANA” 3.54 /8s recovered since 2005 – /8 equivalent returned to IANA in 2012 /11(May 2014) & /12 (Sept 2014) issued by IANA

Global Policy for Post Exhaustion IPv4 Allocation Mechanisms by the IANA RIRs may return IPv4 space of any prefix size to IANA IANA will issue this returned space in equal allocation sizes to the 5 RIRs twice per year Policy activated when first RIR reaches /9 in its IPv4 inventory (LACNIC in May 2014)

Burn Rate vs. Churn Rate

Reality Check At the rate at which IPv4 addresses were recovered in 2013, it would take 51 years to fill all of 2013’s approved requests

IPv4 Transfer Market

Types of Transfers Mergers and Acquisitions (8.2) Transfers to Specified Recipients (8.3) Inter-RIR transfers (8.4)

Transfers to Specified Recipients 12 month waiting period (anti-flip provision) Recipient must qualify to receive resources under current ARIN policy Recipient may receive up to a 24 month supply

Specified Recipient Transfer Notes 82 transfers completed (53,124 /24s)* Transactions typically arranged through IPv4 brokers *As of Jul 31, 2014

Inter-RIR Transfers From ARIN RIR must have reciprocal, compatible needs-based policies Currently: APNIC – Under discussion in the RIPE NCC, LACNIC, & AFRINIC regions Org releasing resources must not have received IPv4 from ARIN within the past 12 months Recipient must meet other RIR’s Inter-RIR transfer policy requirements

Inter-RIR Transfers To ARIN RIR must have reciprocal, compatible needs-based policies – Currently: APNIC Recipient must qualify to receive resources under current policy Recipient may request up to a 24 month supply

Inter-RIR Transfer Notes 34 transfers completed (5,040 /24s total)* ARIN & APNIC for now Expectation is primarily ARIN to APNIC given the early exhaustion of IPv4 in the APNIC region *As of Jul 31, 2014

Specified Transfer Listing Service (STLS) 3 ways to participate – Listers: have available IPv4 addresses – Needers: looking for more IPv4 addresses – Facilitators: available to help listers and needers find each other Major Uses – Matchmaking – Obtain preapproval for a transaction arranged outside STLS

Misconceptions About Specified Recipient Transfers IPv4 transactions will never be allowed – Fact : Transfer of unused IPv4 started June 2009 It’s a ploy to take my unused addresses back – Fact : ARIN does not require the return of address space ARIN recognizes all IPv4 transactions – Fact : Must meet policy requirements

Tips and Tricks Make sure you are applying under the correct transfer policy Involve ARIN as early as possible – Make sure a contemplated specified transfer meets ARIN requirements before finalizing Make sure that all registration information is current and accurate Use ARIN’s STLS to pre-qualify Provide detailed information to support 24 month need

IPv4 Transfer Market

Reality Check Reports say current asking prices are around $10/IPv4 address Prices will likely rise once ARIN depletes its IPv4 pool (supply and demand) Supply not guaranteed; need willing participants Temporary measure; does not preclude need to transition to IPv6

Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN Andy Newton Chief Engineer

What is RPKI? Resource Public Key Infrastructure Attaches digital certificates to network resources – AS Numbers – IP Addresses Allows ISPs to associate the two – Route Origin Authorizations (ROAs) – Can follow the address allocation chain to the top

What does RPKI accomplish? Allows routers or other processes to validate route origins Simplifies validation authority information – Trust Anchor Locator Distributes trusted information – Through repositories

Resource Cert Validation [Diagram: Resource Allocation Hierarchy and Issued Certificates, from ICANN through AFRINIC, RIPE NCC, APNIC, ARIN and LACNIC down to LIR1, ISP2, ISP4 and other ISPs] Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4

Resource Cert Validation 1. Did the matching private key sign this text?

Resource Cert Validation 2. Is this certificate valid?

Resource Cert Validation 3. Is there a valid certificate path from a Trust Anchor to this certificate?

What does RPKI Create? It creates a repository – RFC 3779 (RPKI) Certificates – ROAs – CRLs – Manifest records

Repository View
./ba/03a5be-ddf a1f9-1ad3f2c39ee6/1:
total 40
-rw-r--r Jun ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
-rw-r--r Jun cKxLCU94umS-qD4DOOkAK0M2US0.cer
-rw-r--r Jun dSmerM6uJGLWMMQTl2esy4xyUAA.crl
-rw-r--r Jun dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
-rw-r--r Jun nB0gDFtWffKk4VWgln-12pdFtE8.roa
A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest

Repository Use Pull down these files using a manifest- validating mechanism Validate the ROAs contained in the repository Communicate with the router marking routes “valid”, “invalid”, “unknown” Up to ISP to use local policy on how to route

Possible Flow RPKI Web interface -> Repository Repository aggregator -> Validator Validated entries -> Route Checking Route checking results -> local routing decisions (based on local policy)
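The route-checking step of this flow, as an added example that is not part of the ARIN slides: it applies the RFC 6811 origin-validation rules to validated ROA entries and returns the three states the slide names. The ROA entries (documentation prefixes, private-use AS numbers) and the local policy table are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """Validated ROA payload: one (prefix, maxLength, origin AS) entry
    produced by a validator after the ROA's certificate chain checked out."""
    prefix: Network
    max_length: int
    asn: int


def make_vrp(prefix: str, asn: int, max_length: int = None) -> VRP:
    net = ipaddress.ip_network(prefix)
    # A ROA without maxLength authorizes only the exact prefix length.
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return VRP(net, ml, asn)


def validate_origin(route_prefix: str, origin_asn: int, vrps) -> str:
    """Classify one BGP announcement against the validated entries.

    "unknown" is the slide's name for what RFC 6811 calls NotFound.
    """
    route = ipaddress.ip_network(route_prefix)
    # A VRP covers the route when the route is equal to or more specific
    # than the VRP prefix (same address family).
    covering = [v for v in vrps
                if v.prefix.version == route.version
                and route.subnet_of(v.prefix)]
    if not covering:
        return "unknown"
    for v in covering:
        # AS0 in a ROA means "nobody may originate this"; it never matches.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    # Covered by at least one ROA, but none authorizes this origin/length.
    return "invalid"


# Constructed sample data: what a validator might hand to route checking.
SAMPLE_VRPS = [
    make_vrp("192.0.2.0/24", 65000),                    # exact /24 only
    make_vrp("2001:db8::/32", 65000, max_length=48),    # /32 down to /48
    make_vrp("203.0.113.0/24", 0),                      # AS0: do not route
]

# One possible local policy (an assumption, each operator chooses its own):
# prefer valid routes, keep unknown ones at lower preference, drop invalid.
LOCAL_POLICY = {
    "valid": ("accept", 200),
    "unknown": ("accept", 100),
    "invalid": ("reject", None),
}


def route_decision(route_prefix: str, origin_asn: int, vrps=SAMPLE_VRPS):
    """Return (state, action, local_pref) for one announcement."""
    state = validate_origin(route_prefix, origin_asn, vrps)
    action, local_pref = LOCAL_POLICY[state]
    return state, action, local_pref


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 65000),       # authorized origin
        ("192.0.2.0/24", 65001),       # wrong origin AS
        ("192.0.2.128/25", 65000),     # more specific than maxLength
        ("198.51.100.0/24", 65000),    # no ROA covers it
        ("2001:db8:1::/48", 65000),    # within maxLength
        ("203.0.113.0/24", 65000),     # covered only by an AS0 ROA
    ]
    for prefix, asn in announcements:
        print(prefix, f"AS{asn}", route_decision(prefix, asn))
```

The wrong-origin and too-specific cases both come back "invalid" rather than "unknown" because a ROA covers the address space; that distinction is what lets a drop-invalid policy stop a more-specific announcement for certified space.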

How can you use ARIN’s RPKI System? Hosted Hosted using ARIN’s RESTful service Delegated using Up/Down Protocol

Hosted RPKI Pros – Easier to use – ARIN managed Cons – No current support for downstream customers to manage their own space (yet) – Tedious through the UI if you have a large network – We hold your private key

Hosted RPKI with RESTful Interface Pros – Easier to use – ARIN managed – Programmatic interface for large networks Cons – No current support for downstream customers to manage their own space (yet) – We hold your private key

Delegated RPKI with Up/Down Pros – Same as web delegated – Follows the IETF up/down protocol Cons – Extremely hard to set up – Need to operate your own RPKI environment

Hosted RPKI in ARIN Online

Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.

Delegated with Up/Down

You have to do all the ROA creation Need to set up a CA Have a highly available repository Create a CPS

Updates within RPKI outside of ARIN The four other RIRs are in production with Hosted CA services ARIN and APNIC have delegated working for the public Major routing vendor support being tested Announcement of public domain routing code support

ARIN Status Hosted CA deployed 15 Sept 2012 Web Delegated CA deployed 16 Feb 2013 (now deprecated) Delegated using “Up/Down” protocol deployed 7 Sept 2013 RESTful interface deployed 1 Feb 2014

RPKI Usage Oct 2012 Apr 2013 Oct 2013 Apr 2014 RPAs Signed Certified Orgs ROAs Covered Resources Web Delegated 000 Up/Down Delegated 00

Why is this important? Provides more credibility to identify resource holders Leads to better routing security

Afternoon’s program Obtaining IPv6 Address Space Current Number Resource Policy Discussions and How to Participate IPv6 Tutorial 3:00 -3:15 break How to add DNSSEC to your ARIN Records Manitoba Internet Exchange Update Q&A/Open Microphone

Beers and Peers in the York Room Thank you CIRA!

Leslie Nobile Director, Registration Services Obtaining IPv6 Address Space

Why Adopt IPv6? Global IPv4 pool is depleted ARIN’s IPv4 free pool will be gone soon IPv4 Waiting list is uncertain and sure to be loooooooooooong IPv4 Transfer Market = $$$$$ How will you continue to grow your network? What other options do you have?

Qualifying for IPv6 - ISPs Have a previous v4 allocation from ARIN OR Intend to multi-home OR Provide a technical justification which details at least 50 assignments made within 5 years

IPv6 ISP Data Typically Requested If requesting more than a /32, a spreadsheet/text file with – # of serving sites (PoPs, datacenters) – # of customers served by largest serving site – Block size to be assigned to each customer (/48 typical)

Qualifying for IPv6 – End Users Have a v4 direct assignment OR Intend to multi-home OR Show how you will use 2000 IPv6 addresses or 200 IPv6 subnets within a year OR Technical justification as to why provider-assigned IPs are unsuitable

IPv6 End Users – Data Requested List of sites in your network – Site = distinct geographic location – Street address for each Campus may count as multiple sites – Technical justification showing how they’re configured like geographically separate sites

ISP Members with IPv4 and IPv6 *4,818 total members

ARIN Resources IPv6 Info Center

Operational Guidance Deploy360/ ipv6-knowledge-base-general-info bcop.NANOG.org

ARIN’s Policy Development Process Current Number Resource Policy Discussions and How to Participate John Sweeting Chair, ARIN Advisory Council

Policy Development Process (PDP) Flowchart Proposal Template Archive Petitions

Policy Development Principles Open – Developed in open forum Public Policy Mailing List Public Policy Meetings / Consultations – Anyone can participate Transparent – All aspects documented and available on website Policy process, meetings, and policies Bottom-up – Policies developed by the community – Staff implements, but does not make policy

Who Plays a Role in the Policy Process? Community – Submits proposals – Participates in discussions and petitions Advisory Council (elected volunteers) – Facilitates the policy process – Develops policy that: enables fair and impartial resource administration is technically sound is supported by the Community – Determines consensus based on community input

Roles… ARIN Board of Trustees (elected volunteers) – Provides corporate fiduciary oversight – Ensures the policy process has been followed – Adopts policies ARIN Staff – Provides feedback to community Staff and legal assessments Policy experience reports – Implements adopted policies

Basic Steps
1. Proposal from community member
2. AC works with author to ensure it is clear and in scope
3. AC promotes proposal to Draft Policy for community discussion/feedback (PPML and possibly PPC/PPM)
4. AC recommends fully developed Draft Policy (fair, sound and supported by community) for adoption
5. Recommended Draft Policy must be presented at a face-to-face meeting (PPC/PPM)
6. If AC still recommends adoption, then Last Call, review of last call, and send to Board
7. Board reviews
8. Staff implements

Petitions
Petitions available for:
– Delay by the AC
  Proposal to Draft Policy (after 60 days)
  Draft to Recommended Draft (after 90)
  Last Call (after 60)
  Board (after 60)
– Abandonment
– Rejection (proposals out of scope)
Petitions begin with a 5-day duration, needing support from 10 people from 10 different organizations (later stages require more people)
Despite the low bar, attempted petitions are rare

Number Resource Policy Manual ARIN’s Policy Document – Version (26 June 2014) – 34th version Contains Change Logs HTML/PDF/txt

Policies in the NRPM ARIN Principles IPv4 Address Space IPv6 Address Space Autonomous System Numbers (ASNs) Directory Services (Whois) Reverse DNS (in-addr) Transfers Experimental Assignments Resource Review Policy

Current Draft Policies/Proposals Recommended Draft Policies 1.ARIN : Resolve Conflict Between RSA and 8.2 Utilization Requirements

Current Draft Policies/Proposals
Draft Policies
1. ARIN : Out of Region Use
2. ARIN : Remove 7.1 [Maintaining IN-ADDRs]
3. ARIN : Removing Needs Test from Small IPv4 Transfers
4. ARIN : Allow Inter-RIR ASN Transfers
5. ARIN : Section 4.10 Austerity Policy Update
6. ARIN : Change Utilization Requirements from last-allocation to total-aggregate
7. ARIN : Simplifying Minimum Allocations and Assignments
8. ARIN : New MDN Allocation Based on Past Utilization Draft Policy
9. ARIN : Transfer Policy Slow Start and Simplified Needs Verification

Adopted Policy (to be implemented no later than 30 Sep 2014)
1. ARIN : NRPM 4 (IPv4) Policy Cleanup
2. ARIN : Subsequent Allocations for New Multiple Discrete Networks
3. ARIN : Remove 7.2 Lame Delegations
4. ARIN : Anti-hijack Policy
5. ARIN : Reduce All Minimum Allocation/Assignment Units to /24

How Can You Get Involved? There are two ways to voice your opinion: – Public Policy Mailing List – Public Policy Consultations/Meetings In person or remotely ARIN meetings and PPCs at NANOG

Public Policy Mailing List (PPML) Open to anyone Easy to subscribe to Contains: ideas, proposals, draft policies, last calls, announcements of adoption and implementation, petitions, and more… Archived RSS feed available

ARIN Meetings Two ARIN meetings a year – Attend and participate in person or remotely Check the ARIN Participate/Meetings site a few weeks prior to meeting Look at the Proposals/Draft Policies on Agenda (what and when?) Get a copy of the Discussion Guide (summaries and text) Attend/log in and state your opinion – Additional Public Policy Consultations Currently being held during NANOG meetings Potential for additional ones in different venues in the future

Advisory Council Meetings Teleconference meetings held monthly (currently the third Thursday of the month) AC meeting results – Watch PPML for AC’s decisions (once a month) – Read AC meeting minutes – Draft Policies – good or bad ideas, for or against? – Last Calls – For or against?

References Policy Development Process Draft Policies and Proposals Number Resource Policy Manual

IPv6 Tutorial

Securing Internet Infrastructure: Using DNSSEC with ARIN Online Andy Newton Chief Engineer

Why DNSSEC? What is it?
Standard DNS (forward or reverse) responses are not secure
– Easy to spoof
– Notable malicious attacks
DNSSEC attaches signatures
– Validates responses
– Cannot spoof

Reverse DNS at ARIN ARIN issues blocks without any working DNS – Registrant must establish delegations after registration – Then employ DNSSEC if desired Just as susceptible as forward DNS if you do not use DNSSEC

Reverse DNS at ARIN Authority to manage reverse zones follows allocations – “Shared Authority” model – Multiple sub-allocation recipient entities may have authority over a particular zone

Changes completed to make DNSSEC work at ARIN
Permit by-delegation management
Sign in-addr.arpa. and ip6.arpa. delegations that ARIN manages
Create entry method for DS Records
– ARIN Online
– RESTful interface
– Not available via templates

Changes completed to make DNSSEC work at ARIN Only key holders may create and submit Delegation Signer (DS) records

Reverse DNS in ARIN Online First identify the network that you want to put Reverse DNS nameservers on…

Reverse DNS in ARIN Online …then enter the Reverse DNS nameservers…

DNSSEC in ARIN Online …then apply the DS record to the delegation
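A pre-submission check for the DS step above, as an added example that is not part of the original slides or ARIN's code: it derives the DS fields (RFC 4034 key tag, SHA-256 digest) from a DNSKEY and confirms that the DS about to be entered matches the key the reverse zone publishes. The zone name (taken from the 192.0.2.0/24 documentation prefix), the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: a reverse zone for the documentation prefix and a
# placeholder 32-byte public key (not a real key) for algorithm 15 (Ed25519).
ZONE = "2.0.192.in-addr.arpa."
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 33))).decode()

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(zone: str, rdata: bytes) -> dict:
    """DS fields with digest type 2: SHA-256 over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def ds_matches(zone: str, ds: dict, rdata: bytes) -> bool:
    """True only if the DS to be submitted commits to this exact DNSKEY."""
    want = make_ds(zone, rdata)
    same_header = all(ds[k] == want[k] for k in ("key_tag", "algorithm", "digest_type"))
    return same_header and hmac.compare_digest(ds["digest"].upper(), want["digest"])

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 15, SAMPLE_PUBKEY_B64)  # 257 = zone key + SEP
    ds = make_ds(ZONE, rdata)
    print(f"{ZONE} IN DS {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest']}")
    print("DS matches published DNSKEY:", ds_matches(ZONE, ds, rdata))
```

A DS that does not match the zone's DNSKEY makes the delegation fail validation, so a check like this belongs before the record is submitted and again after each key rollover.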

Reverse DNS: Querying ARIN’s Whois Query for the zone directly: whois> in-addr.arpa Name: in-addr.arpa. Updated: NameServer: AUTHNS2.DNVR.QWEST.NET NameServer: AUTHNS3.STTL.QWEST.NET NameServer: AUTHNS1.MPLS.QWEST.NET Ref:

DNSSEC in Zone Files ; File written on Mon Feb 24 17:00: ; dnssec_signzone version P1-RedHat P1.el5_ in-addr.arpa IN NS NS3.COVAD.COM IN NS NS4.COVAD.COM NSEC 1.74.in-addr.arpa. NS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c 8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT BLP5UClxUWkgvS/6poF+W/1H4QY= ) 1.74.in-addr.arpa IN NS NS3.COVAD.COM IN NS NS4.COVAD.COM NSEC in-addr.arpa. NS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1 mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH sa+5OV7ezX5LCuDvQVp6p0LftAE= )

DNSSEC in Zone Files in-addr.arpa IN NS DNS1.ACTUSA.NET IN NS DNS2.ACTUSA.NET IN NS DNS3.ACTUSA.NET DS ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD 8056 ) DS ( 66E6D421894AFE2AF0B350BD8F4C54D2EBA5 DA72A615FE64BE8EF600C6534CEF ) RRSIG DS ( in-addr.arpa. n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y 6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK nhCY8UOBOYLOLE5Whtk3XOuX9+U= ) NSEC in-addr.arpa. NS DS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe …

Use REG-RWS for Bulk Changes
If you have a lot of changes, copying and pasting over the Web will be tedious.
– Use REG-RWS.
– Or ARINcli (which is a REG-RWS client)
  Reads zone files

DNSSEC Validating Resolvers

Reverse DNS Management and DNSSEC in ARIN Online Available on ARIN’s website

Apply now for ARIN 35 April 2015 in San Francisco

Beers and Peers in the York Room Thank you CIRA!