Edmonton 3 May 2016. Welcome. Here today from ARIN… Paul Andersen, ARIN Board of Trustees Eddie Diego, Senior Resource Analyst Wendy Leedy, Member Engagement.


1 Edmonton 3 May 2016

2 Welcome. Here today from ARIN… Paul Andersen, ARIN Board of Trustees Eddie Diego, Senior Resource Analyst Wendy Leedy, Member Engagement Coordinator Mark Kosters, Chief Technology Officer John Springer, ARIN Advisory Council

3 Agenda
10:00 AM Welcome and Getting Started
10:15 AM ARIN: Mission, Role and Services; Paul Andersen
10:45 AM Security Overlays on Core Internet Protocols – DNSSEC; Mark Kosters
11:20 AM Life After IPv4 Depletion; Eddie Diego
Noon Networking Lunch
1:00 PM ARIN Services and Tools; Mark Kosters
1:30 PM Policy Development Process; John Springer
2:00 PM Security Overlays on Core Internet Protocols – Resource Certification (RPKI); Mark Kosters
2:30 PM Moving to IPv6; Eddie Diego
3:00 PM Q&A / Open Mic Session

4 Let’s Get Started! Self introductions – Name – Organization – I would like to learn more about “___________.”

5 ARIN and the RIR System: Mission, Role and Services Paul Andersen ARIN Board of Trustees

6 What is an RIR? A Regional Internet Registry (RIR) manages the allocation and registration of Internet number resources* in a particular region of the world. * Internet number resources include IP addresses and autonomous system (AS) numbers.

7 Regional Internet Registries

8 RIR Structure
Not-for-profit: Fee for services, not number resources; 100% community funded
Membership Organization: Open; Broad-based (Private sector, Public sector, Civil society)
Community Regulated: Community developed policies; Member-elected executive board; Open and transparent

9 IP Address and Autonomous System Number Provisioning Process

10 Number Resource Organization The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input into the RIR system.

11 ARIN’s Mission ARIN, a nonprofit member-based organization, supports the operation of the Internet by: – managing Internet number resources throughout its service region; – coordinating the development of policies by the community for the management of Internet Protocol number resources; and – advancing the Internet through informational outreach.

12 ARIN’s Service Region The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.

13 Who is the ARIN “community”? Anyone with an interest in Internet number resource management in the ARIN region

14 The ARIN Community includes… 5,300+ members 20,000+ customers 80 professional staff 7 member Board of Trustees elected by the membership 15 member Advisory Council elected by the membership 3 person NRO Number Council elected by the ARIN Community

15 ARIN Organizational Chart

16 ARIN Board of Trustees: Paul Andersen, Vice Chair; Vinton G. Cerf, Chair; John Curran, President and CEO; Timothy Denton, Secretary; Aaron Hughes; Bill Sandiford, Treasurer; Bill Woodcock

17 ARIN Advisory Council (primary facilitator of policy process): Dan Alexander, Chair; Cathy Aronson; Kevin Blumberg, Vice Chair; Owen DeLong; Andrew Dul; David Farmer; David Huberman; Scott Leibrand; Tina Morris; Milton Mueller; Amy Potter; Leif Sawyer; Robert Seastrom; John Springer; Chris Tacit

18 NRO Number Council 15 member body – 3 representatives from each RIR From ARIN: – Jason Schiller – Louie Lee – John Sweeting Fulfills role of the ICANN Address Supporting Organization Address Council – Global policy and ICANN Board Seats

19 2016 Operational Focus IPv4 to IPv6 Transition Awareness – Targeting ISPs and Content Providers Continued enhancements to ARIN Online – User interface improvements based on user feedback Focus on community suggested high impact software development projects Continued participation in Internet Governance forums Participation in IANA stewardship transition discussions Customer service improvements based on feedback and repeat customer satisfaction survey

20 ARIN Services and Products ARIN manages: Number Resources IP address allocations & assignments ASN assignment Transfers Reverse DNS Directory services Whois Routing Information (Internet Routing Registry [IRR]) WhoWas

21 ARIN Services and Products ARIN coordinates and administers: Policy Development Community meetings Discussion Publication Elections Information publication and dissemination and public relations Community outreach Education and training

22 ARIN Services and Products ARIN develops technologies for managing Internet number resources: ARIN Online DNS Security (DNSSEC) Resource Public Key Infrastructure (RPKI) Whois-RWS Provisioning and Maintenance of Registration Records (Reg-RWS) Registry Data Access Protocol (RDAP) Community Software Project Repository

23

24 Globalization of IANA Oversight March 2014 - US Government announced plans to transition oversight of IANA functions contract to global multistakeholder community March 2016 - ICANN submitted combined proposal from Domain Name, Number Resources and Protocol Parameters communities to US Government September 2016 - current IANA contract expires Successful transition of IANA Stewardship to the Internet community would be an important validation of the Internet’s multi-stakeholder governance model

25 Get 6 – Websites on IPv6 http://teamarin.net/infographic/ IPv6 Wiki

26 How to Participate in ARIN Attend Public Policy and Members Meetings & Public Policy Consultations – Remote participation available Apply for Meeting Fellowship Discuss policies on Public Policy Mailing List (ppml) Come to outreach events Subscribe to an ARIN mailing list

27 More Ways to Participate Give your opinion on community consultations Submit a suggestion Contribute to the IPv6 wiki Write a guest blog for TeamARIN.net Connect with us on social media Members – Vote in annual elections

28 Q&A

29 Security Overlays on Core Internet Protocols – DNSSEC Mark Kosters CTO

30 Core Internet Protocols Two critical resources that are unsecured – Domain Name Servers – Routing Hard to tell if compromised – From the user point of view – From the ISP/Enterprise

31 DNS

32 How DNS Works
Resolver to caching forwarder (recursive): Question: www.arin.net A
Caching forwarder to root-server: www.arin.net A ? Answer: Ask net server @ X.gtld-servers.net (+ glue)
Caching forwarder to gtld-server: www.arin.net A ? Answer: Ask arin server @ ns1.arin.net (+ glue)
Caching forwarder to arin-server: www.arin.net A ? Answer: 192.168.5.10
Caching forwarder: Add to cache

33 Why DNSSEC? What is it? Standard DNS (forward or reverse) responses are not secure – Easy to spoof – Notable malicious attacks DNSSEC attaches signatures – Validates responses – Can not spoof

34 Reverse DNS at ARIN ARIN issues blocks without any working DNS – Registrant must establish delegations after registration – Then employ DNSSEC if desired Just as susceptible as forward DNS if you do not use DNSSEC

35 Reverse DNS at ARIN Authority to manage reverse zones follows allocations – “Shared Authority” model – Multiple sub-allocation recipient entities may have authority over a particular zone

36 Changes completed to make DNSSEC work at ARIN Permit by-delegation management Sign in-addr.arpa. and ip6.arpa. delegations that ARIN manages Create entry method for DS Records – ARIN Online – RESTful interface – Not available via templates

37 Changes completed to make DNSSEC work at ARIN Key holders create and submit Delegation Signer (DS) records after securing their zones locally DNSSEC users need to have signed a registration services agreement with ARIN to use these services

38 Reverse DNS in ARIN Online First identify the network that you want to put Reverse DNS nameservers on…

39 Reverse DNS in ARIN Online …then enter the Reverse DNS nameservers…

40 DNSSEC in ARIN Online …then apply DS record to apply to the delegation

41 Reverse DNS: Querying ARIN’s Whois
Query for the zone directly:
    Whois> whois -h whois.arin.net 136.136.192.in-addr.arpa
    Name: 252.149.192.in-addr.arpa.
    Updated: 2014-08-20
    NameServer: SEC1.APNIC.NET
    NameServer: NS1.ARIN.NET
    NameServer: NS2.LACNIC.NET
    NameServer: SEC1.AUTHDNS.RIPE.NET
    NameServer: NS2.ARIN.NET
    KeyTag: 18508 Algorithm: 5 DigestType: 1 Digest: 84A741F15E878A088F3884EBE1F0E56EA8599295
    KeyTag: 18508 Algorithm: 5 DigestType: 2 Digest: A9B8659C7795166863DE6FEC47808B58ED0CC6ADB0AA5E25B8F46FE87D3D7CBA
    Ref: https://whois.arin.net/rest/rdns/252.149.192.in-addr.arpa.

42 DNSSEC in Zone Files
    ; File written on Mon Feb 24 17:00:53 2014
    ; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
    0.74.in-addr.arpa.  86400 IN NS NS3.COVAD.COM.
                        86400 IN NS NS4.COVAD.COM.
                        10800 NSEC 1.74.in-addr.arpa. NS RRSIG NSEC
                        10800 RRSIG NSEC 5 4 10800 20140306210053 (
                              20140224210053 57974 74.in-addr.arpa.
                              oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS
                              D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c
                              8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY
                              vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT
                              BLP5UClxUWkgvS/6poF+W/1H4QY= )
    1.74.in-addr.arpa.  86400 IN NS NS3.COVAD.COM.
                        86400 IN NS NS4.COVAD.COM.
                        10800 NSEC 10.74.in-addr.arpa. NS RRSIG NSEC
                        10800 RRSIG NSEC 5 4 10800 20140306210053 (
                              20140224210053 57974 74.in-addr.arpa.
                              DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV
                              VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1
                              mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h
                              lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH
                              sa+5OV7ezX5LCuDvQVp6p0LftAE= )

43 DNSSEC in Zone Files
    0.121.74.in-addr.arpa. 86400 IN NS DNS1.ACTUSA.NET.
                        86400 IN NS DNS2.ACTUSA.NET.
                        86400 IN NS DNS3.ACTUSA.NET.
                        86400 DS 46693 5 1 (
                              AEEDA98EE493DFF5F3F33208ECB0FA4186BD
                              8056 )
                        86400 DS 46693 5 2 (
                              66E6D421894AFE2AF0B350BD8F4C54D2EBA5
                              DA72A615FE64BE8EF600C6534CEF )
                        86400 RRSIG DS 5 5 86400 20140306210053 (
                              20140224210053 57974 74.in-addr.arpa.
                              n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y
                              6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l
                              gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf
                              Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK
                              nhCY8UOBOYLOLE5Whtk3XOuX9+U= )
                        10800 NSEC 1.121.74.in-addr.arpa. NS DS RRSIG NSEC
                        10800 RRSIG NSEC 5 5 10800 20140306210053 (
                              20140224210053 57974 74.in-addr.arpa.
                              YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe …
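
Added example (not from the ARIN slides): how a key holder derives the DS record that is submitted for a reverse zone, and how to check that a published DS still matches the zone's DNSKEY, following RFC 4034. The key material below is constructed for illustration and is not the key behind the DS records shown on the slides; the function names are this example's own.

```python
import hashlib
import struct

# DS digest types that appear on the slides: 1 = SHA-1, 2 = SHA-256.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (does not apply to the obsolete algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, dnskey, digest_type):
    """Return (key_tag, algorithm, digest_type, hex_digest) for one DNSKEY.

    The digest covers the owner name in wire form followed by the DNSKEY RDATA.
    """
    flags, protocol, algorithm, public_key = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    hasher = DIGESTS[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(ds, owner, dnskeys):
    """True if the DS held by the parent matches a DNSKEY the child publishes."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False
    wanted = (tag, algorithm, digest_type, digest.replace(" ", "").upper())
    return any(make_ds(owner, key, digest_type) == wanted for key in dnskeys)


if __name__ == "__main__":
    zone = "0.121.74.in-addr.arpa."
    # Constructed keys: flags 257 (KSK), protocol 3, algorithm 5 as on the slides.
    ksk = (257, 3, 5, bytes(range(1, 65)))
    replacement_ksk = (257, 3, 5, bytes(range(2, 66)))
    for digest_type in (1, 2):
        print(zone, "DS", *make_ds(zone, ksk, digest_type))
    submitted = make_ds(zone, ksk, 2)
    print("matches current key:", ds_matches(submitted, zone, [ksk]))
    # A key change without a new DS leaves the delegation failing validation.
    print("matches after key change:", ds_matches(submitted, zone, [replacement_ksk]))
```

A DS that no longer matches any DNSKEY in the child zone makes validating resolvers treat the delegation as bogus, so the DS should be updated before the old key is withdrawn.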

44 What Is DNSSEC? Why Use It? Standard DNS (forward or reverse) responses are not secure – Easy to spoof – Notable malicious attacks DNSSEC attaches signatures – Validates responses – Can not spoof

47 Setting up DNSSEC at ARIN Create entry method for DS Records – ARIN Online – RESTful interface – Not available via templates Only key holders may create and submit Delegation Signer (DS) records

51 Reverse DNS: Querying ARIN’s Whois
Query for the zone directly:
    whois> 81.147.204.in-addr.arpa
    Name: 81.147.204.in-addr.arpa.
    Updated: 2006-05-15
    NameServer: AUTHNS2.DNVR.QWEST.NET
    NameServer: AUTHNS3.STTL.QWEST.NET
    NameServer: AUTHNS1.MPLS.QWEST.NET
    Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.

54 DNSSEC Validating Resolvers www.internetsociety.org/deploy360/dnssec/ www.isc.org/downloads/bind/dnssec/

55 Reverse DNS Management and DNSSEC in ARIN Online Available on ARIN’s website http://www.arin.net/knowledge/dnssec/

56 DNSSEC Statistics
ARIN 37
Number of Orgs with DNSSEC: 134
Total Number of Delegations: 593,946
DNSSEC Secured Zones: 619
Percentage Secured: 0.1 %

57 Q&A

58 Life After IPv4 Depletion Jon Worley –Analyst Eddie Diego Senior Resource Analyst

59 Overview IPv4 depletion recap Post-depletion observations Post-depletion IPv4 options – IPv4 Waiting List – IPv4 Transfers – Dedicated IPv4 block to facilitate IPv6 deployment

60 IPv4 Address Space in ARIN Free Pool /8s

61 IPv4 Depletion Recap June 2015: IPv4 requests reach peak volume – 414 total requests – A mad rush for the last IPv4 blocks July 1st, 2015: First unmet IPv4 request – An org qualified for a block size that was no longer available – Within a few weeks, only single /24s remained in the free pool September 24th, 2015: Full IPv4 depletion – No IPv4 blocks available other than those reserved for specific policies – Significant drop in monthly # of IPv4 requests

62 IPv4 Requests – Past Year [Chart; markers show when the waiting list was initiated and when IPv4 depletion occurred]

63 Reserved IPv4 Space /10 reserved to facilitate IPv6 deployment 2 /16s reserved for critical Internet infrastructure – Public exchange points – Core DNS service providers (excluding new gTLDs) – Regional Internet Registries – IANA

64 Post-IPv4 Depletion Observations IPv4 demand remains strong Lots of questions/confusion from customers – Not all aware we’ve reached full IPv4 depletion – Education needed on post-depletion options Keeping registration info current is essential – Increase in # of blocks targeted for hijacking – Blocks with bad org/contact info, especially legacy ones, are the biggest target

65 Post-IPv4 Depletion Options IPv4 Waiting List IPv4 Transfer Market Dedicated IPv4 block to facilitate IPv6 deployment Adopt IPv6

66 IPv4 Waiting List Policy enacted first time ARIN did not have a contiguous block of addresses of sufficient size to fulfill a qualified request – Must qualify under current ARIN policy and request to be added to the list – Maximum approved size determined by ARIN – Minimum acceptable size specified by requester – One request per org on the list at a time – Limit of one allocation or assignment every 3 months Waiting List published on ARIN’s web site – Approximately /12 needed to fill all pending requests https://www.arin.net/resources/request/waiting_list.html

67 IPv4 Waiting List Growth [Chart; markers show when the waiting list was initiated and when IPv4 depletion occurred]

68 Sources of IPv4 for the Waiting List Returned to ARIN or revoked for non-payment – In both cases, lengthy review required to confirm space is eligible for reissue Redistributed by IANA per global policy for “post exhaustion IPv4 allocation mechanisms by IANA” – /11 (5/2014), /12 (9/2014), /13 (issued 3/2015), /14 (9/2015), /15 (3/2016) issued by IANA to each RIR

69 How Long Might You Wait? 364 tickets added since wait list started 33 wait list requests filled – 19 filled with IANA /14 equivalent issued in 9/2015 – 13 filled with blocks previously held for organizations deciding whether to go on the waiting list – 1 filled with space that had been revoked 33 filled via 8.3 transfer and removed from list (as required per policy) Demand is far greater than availability

70 Transfers of IPv4 Addresses 3 ARIN Transfer Policies Available: – Mergers and Acquisitions (NRPM 8.2) Traditional transfer based on change in business structure, including company reorganizations, supported by legal documentation – Transfers to Specified Recipients (NRPM 8.3) IPv4 market transfer based on financial transaction, supported by justified need (within region) – Inter-RIR transfers to Specified Recipients (NRPM 8.4) IPv4 market transfer based on financial transaction, supported by justified need (outside region)

71 Transfers to Specified Recipients (NRPM 8.3) Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources Source – Must be current registrant, no disputes – Not have received addresses from ARIN for 12 months prior Recipient – Must demonstrate need for 24-month supply under current ARIN policy

72 8.3 Transfers Completed [Chart; markers show when the waiting list was initiated and when IPv4 depletion occurred]

73 Inter-RIR Transfers (NRPM 8.4) RIR must have reciprocal, compatible needs-based policies – Currently APNIC and RIPE NCC Transfers from ARIN – Source cannot have received IPv4 from ARIN 12 months prior to transfer – Must be current registrant, no disputes – Recipient meets destination RIR policies Transfers to ARIN – Must demonstrate need for 24-month supply under current ARIN policy

74 Inter-RIR Transfers Completed [Chart; markers show when the waiting list was initiated and when IPv4 depletion occurred]

75 Documentation Required for IPv4 Source Verification current registrant is active and in good standing within the ARIN region – If there was a merger or acquisition, an M&A transfer may be required before you can release your IPv4 addresses Notarized officer acknowledgement Additional items may be needed

76 IPv4 Recipient Documentation – Utilization data for ARIN-issued IPv4 space – Data to support 24 month projected need Historical IPv4 utilization rate New services/markets to be deployed Customer growth projections – Signed officer attestation certifying data is accurate

77 Useful Transfer Information ARIN cannot provide detailed information about your source/recipient partner’s status – Can provide general status (e.g. “we’re waiting on them to provide additional info”) – If you need details on what’s required, ask your source/recipient partner If you’re on the IPv4 waiting list, you’ll be removed if/when you receive IPv4 addresses via transfer

78 IPv4 Transfer Stats Transfers to Specified Recipients (8.3) – 505 prefixes transferred, ranging from /24s to /10 – 23 ASNs Inter-RIR Transfers (8.4) – 215 prefixes transferred, ranging from /24s to /13s: 197 ARIN to APNIC; 12 ARIN to RIPE NCC; 5 APNIC to ARIN; 1 RIPE NCC to ARIN https://www.arin.net/knowledge/statistics/transfers.html

79 Pre-Approval for Recipients Optional free service to confirm your 24 month projected need for IPv4 addresses – Same documentation requirements as transfers Used to receive IPv4 addresses via specified or Inter-RIR transfers up to the pre-approved amount – Eliminates the need to re-justify need on each transfer – Good for 24 months from the pre-approval date

80 Specified Transfer Listing Service (STLS) Optional fee-based service to facilitate specified recipient and inter-RIR transfers – Sources have IPv4 addresses verified as available – Recipients have a verified need for IPv4 addresses – Facilitators arrange transfers between parties Approved participants can view detailed information for all other participants Public summary available on ARIN’s website – Available block sizes – # of needers and approved block sizes – List of facilitators with contact information

81 Tips for Faster Transfer Processing Ensure all registration information is current – If not, we can help you get it up to date Request pre-approval – Ensures you can bid confidently – Turns transfers into a point-click-ship exercise Provide detailed information to support 24-month need when submitting transfer/pre-approval

82 Reserved IPv4 Block for IPv6 Deployment Requirements Used to facilitate IPv6 deployment (dual stacking, IPv4->IPv6 translation, etc) Need cannot be met from your existing ARIN IPv4 space Have an IPv6 block registered One /24 per organization every six months

83 Help! What Should I Do? Small networks can get a /24 once per six months for IPv6 transition – Cost likely to be lower than the transfer market – Reserved block likely to last several years – Can also have a request on the waiting list Larger networks can get pre-approved for 24 month need and seek IPv4 on the transfer market – Waiting list probably not a realistic option unless you can delay your IPv4 needs indefinitely All networks should begin IPv6 adoption

84

85 LUNCH Take your valuables as the room will not be locked.

86 ARIN Technical Services Mark Kosters CTO

87 Major Services ARIN Online Email (including templates) Directory Services – Whois – Whois-RWS – Registration Data Access Protocol (RDAP) Domain Name System (DNS) – Reverse DNS – DNS Security (DNSSEC) Internet Routing Registry (IRR) Resource Public Key Infrastructure (RPKI) Operational Test & Evaluation environment (OT&E)

88 Terms Resources – IP Addresses (Networks) – Autonomous System Numbers (ASNs) Organization – The legal entity holding resources – Shows up in Whois/RDAP Points of Contact – Associated with Organizations – Show up in Whois/RDAP – Tech, Admin, NOC, Abuse SWIP – “Shared Whois Project” – Registration of reassigned or reallocated networks in the ARIN registry

89 ARIN Online (www.arin.net)

90 What Can I Do in ARIN Online? Resource management (IPs/ASNs) – Requests and Transfers – Technical services (Reverse DNS/RPKI) Record management (POCs/Org IDs) Downloadable reports – Associations/reassignments/bulk Whois/WhoWas Billing & Payments Voting (Board, AC, NRO NC)

91 ARIN Online Usage 110290 accounts activated since inception through Q1 of 2016 [Chart: Number of Accounts Activated, through Q1 of 2016]

92 Active Usage of ARIN Online Logins from inception through Q1 of 2016 One user logged in 1,205,887 times! [Chart: # of Users vs. Times logged in]

93 Linking? Way of managing resources put into place before ARIN Online was unveiled A good set of videos at – https://www.youtube.com/user/teamarin – Teaches you how to: Create an ARIN Online account Create and manage POCs and Org IDs Request transfers

94 Ask ARIN and Message Center Ask ARIN A way to ask ARIN staff a question on the web Message Center – Tracks ticketed requests – Ticketed requests are things like resource requests and correspondence, RPKI notifications, reports

95 Reports Associations Report – POCs linked to your ARIN Online account, including roles served by these POCs for any associated Organization (Admin, Tech, Abuse, etc.) – Organization associated with your ARIN Online account – Network records (NETs) and Autonomous System Number records (ASNs) associated with your linked POCs, directly or via an associated Organization

96 Reports (Cont) User Reassignment Report – Reassignments/reallocations associated with your ARIN Online account via associated Organization – ”Holes" in all Network records (NETs) associated with your ARIN Online account, where no reassignment or reallocation has been made Whowas – History of a resource Bulk Whois – Directory services information placed in files Reports are ticketed and delivered into your Message Center

97 Billing Pay bills Calculate fees View current and past-due invoices

98 REST Services Reg-RWS – SWiP – Reports – Manage DNS / RPKI Whois – RDAP (the new Whois) – Whois-RWS

99 What is REST? Representational State Transfer As applied to web services – defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data – “Resources” are addressable in URLs Very popular protocol model – Amazon S3, Yahoo & Google services, …

100 The BIG Advantage of REST Easily understood – Any modern programmer can incorporate it – Can look like web pages Re-uses HTTP in a simple manner – Many, many clients – Other HTTP advantages This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …

101 What does it look like? Who can use it? Where the data is. What type of data it is. The ID of the data. It is a standard URL. Anyone can use it. Go ahead, put it into your browser.

102 Where can more information on REST be found? RESTful Web Services – O’Reilly Media – Leonard Richardson – Sam Ruby

103 Email/Templates Before ARIN Online, only way of communicating with ARIN Now only – Reassignment information – Inter-RIR Transfers – Email Questions Lots of Spam

104 Reg-RWS Transactions (cumulative)

105 Directory Services Whois – Resource Information as per RFC812 RDAP (the new Whois) – Resource Information as per RFCs 7480-7484 Whois-RWS – RESTful Implementation of ARIN Whois – XML-based, proprietary

106 Registration Data Access Protocol (RDAP) Long, fancy, official-sounding name for a simple idea: – All the RIRs will now have a common query interface – Also will be used by many domain registries

107 Bootstrapping (RFC 7484) IANA will publish a set of JSON files containing IP Address, Autonomous System Number, and Domain Name allocations with URLs to authoritative servers. – Clients will be able to pre-determine where to initiate queries.

108 Bootstrapping In the Real World [Diagram: Client, Bootstrap Server (JSON), ARIN, APNIC. The client's query "45.65.1.1?" to the bootstrap server is answered "Ask ARIN"; the same query to ARIN is answered "Ask APNIC".]
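
Added example (not from the ARIN slides): a client-side lookup against a bootstrap document in the RFC 7484 layout, choosing the longest matching prefix and building the RDAP `ip/` query URL. Both bootstrap documents, their prefix assignments and the `*.example` server URLs are constructed for illustration; the coarse one reproduces the slide's case where the client is first sent to ARIN.

```python
import ipaddress
import json

# Constructed bootstrap data in the RFC 7484 layout: each service entry is
# [[prefixes...], [base URLs...]]. Prefixes and URLs are illustrative only.
COARSE = json.loads("""
{"version": "1.0",
 "publication": "2016-05-03T00:00:00Z",
 "services": [
   [["45.0.0.0/8"], ["https://rdap.arin.example/"]]
 ]}
""")

DETAILED = json.loads("""
{"version": "1.0",
 "publication": "2016-05-03T00:00:00Z",
 "services": [
   [["45.0.0.0/8"], ["https://rdap.arin.example/"]],
   [["45.64.0.0/10"], ["http://rdap.apnic.example/", "https://rdap.apnic.example"]]
 ]}
""")


def find_base_urls(address, bootstrap):
    """Return the base URLs of the entry with the longest prefix covering address."""
    ip = ipaddress.ip_address(address)
    best_len, best_urls = -1, []
    for prefixes, urls in bootstrap["services"]:
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if net.version != ip.version:
                continue
            if ip in net and net.prefixlen > best_len:
                best_len, best_urls = net.prefixlen, urls
    return best_urls


def rdap_query_url(address, bootstrap):
    """Build the RDAP query URL for an IP address, or None if nothing matches."""
    urls = find_base_urls(address, bootstrap)
    if not urls:
        return None
    # Prefer an HTTPS base URL when the entry lists several.
    https = [u for u in urls if u.lower().startswith("https://")]
    base = (https or urls)[0]
    return base.rstrip("/") + "/ip/" + str(ipaddress.ip_address(address))


if __name__ == "__main__":
    # Coarse data sends the client to ARIN, which then has to redirect it.
    print(rdap_query_url("45.65.1.1", COARSE))
    # A more specific entry lets the client start at the authoritative server.
    print(rdap_query_url("45.65.1.1", DETAILED))
    print(rdap_query_url("198.51.100.1", DETAILED))
```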

109 DNS Provide Reverse DNS delegation management for IPv4 and IPv6 This includes DNSSEC More Detail later

110 IRR Provides coarse routing information for routing filters Processed through templates sent via email Has a Whois interface using RPSL (RFC 2622) ARIN will be upgrading this service starting Q3 of 2016 Documented at – https://www.arin.net/resources/routing/

111 OT&E (Operational Test & Evaluation) Lots of people test in production – Is not the best place to test – Things do get stuck – may impact others – Operational Test & Evaluation Goodness of OT&E – Place to test code – Place to test process – All services now under ote.arin.net except email – Need to register to participate – https://www.arin.net/resources/ote.html

112 RPKI We will talk about this in detail later

113 Feedback Users can notify us of Internet Number Resource Fraud and Whois Inaccuracy Can provide feedback on the application via the feedback button Suggestions through “ARIN Consultation and Suggestion Process” (ACSP)

114 Tools Lots of APIs You can build your own tools Some have shared their tools with others Repository for these tools – https://github.com/arineng – http://projects.arin.net

115 Q&A

116 ARIN’s Policy Development Process John Springer ARIN Advisory Council

117 Overview Basic steps Major policy changes (examples) A current proposal How to get involved

118 Policy Development Process (PDP) Steps
1) Proposal – Someone in the community thinks a policy can be improved and documents
2) Draft Policy – Discussion on the list and possibly at meeting(s) – Is there really a problem? Is this a good solution?
3) Recommended Draft Policy – More discussion and presentation at meeting(s). Does community support turning this into policy?
4) Last call
5) Board Review
6) Staff Implementation (NRPM)
If you submit a proposal, you can participate further, or let the ARIN process “shepherd” it through the steps

119 Past Policy Changes: IPv6 Policy Circa 2001: Initial IPv6 policy aligned with IPv4 at that time, conservation was important, small amounts issued for short periods, hierarchical distribution from upstreams, and, no end user policy at all 2003-2016 Dozens of proposals to improve IPv6 policy Changes included: Minimum allocation size increased (/35 to /32), larger allocations from IANA, policy for end users, community networks (mesh networks), assignment sizes from ISPs to customers (/56s), larger amounts for ISPs and easier criteria, larger amounts for end users and easier criteria, bit boundary assignments and allocations, etc.

120 Past Policy Changes: Transfers 1997 thru 2007: Policy for Mergers and Acquisitions existed, everything else should go back to ARIN 2007 thru 2016: Many proposals to improve transfers. Changes included: Allow needs-based transfers of unused or underutilized address space between organizations via ARIN, increase supply period from one year to two, allow ASN transfers, allow Inter-RIR transfers, etc. Still seeing proposals to make transfers easier, there are some who are trying to reduce the needs requirement, some want ARIN to simply record the transfers.

121 Policy Currently Under Discussion ARIN-2015-5: Out of Region Use Would allow an organization to receive Internet number resources from ARIN for use out of region as long as the applicant is currently using at least the equivalent of a /22 of IPv4 space, /44 of IPv6, or 1 ASN within the ARIN service region. Earlier Abandoned Proposals ARIN-2014-1: Out of Region Use ARIN-2013-6: Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors ARIN-2011-13: IPv4 Number Resources for Use Within Region (continued on next slide)

122 2015-5 continued ARIN-2015-5 presented at ARIN 36 in Oct 2015 AC found draft to be fair, technically sound and supported and promoted to recommended state (late Oct 2015) Presented as Recommended Draft Policy at NANOG 66 Last Call was 24 February thru 9 March 2016 Next steps: – Review of last call comments – Board Review – Implementation by Staff

123 How Can You Get Involved? Two ways to learn and be heard
1. Public Policy Mailing List
2. Public Policy Consultations/Meetings: ARIN meetings (April and October); ARIN Public Policy Consultations at NANOG (twice a year, usually February and June); Remote participation supported

124 Takeaways
1) ARIN doesn't make up number policy, you do.
2) Well documented policy development process includes assistance from ARIN AC and staff throughout the process.
3) Stay informed. Join the policy list and/or attend meetings (in person or remotely).

125 References Policy Development Process (PDP) http://www.arin.net/policy/pdp.html Draft Policies and Proposals http://www.arin.net/policy/proposals/index.html Number Resource Policy Manual (NRPM) http://www.arin.net/policy/nrpm.html

126 Q&A

127 Security Overlays on Core Internet Protocols – RPKI Mark Kosters CTO

128 Core Internet Protocols Two critical resources that are unsecured – Domain Name Servers – Routing Hard to tell if compromised – From the user point of view – From the ISP/Enterprise 128

129 Routing 129

130 Routing Architecture The Internet uses a two level routing hierarchy: – Interior Routing Protocols, used by each network to determine how to reach all destinations that line within the network – Interior Routing protocols maintain the current topology of the network 130

131 Routing Architecture The Internet uses a two level routing hierarchy: – Exterior Routing Protocol, used to link each component network together into a single whole – Exterior protocols assume that each network is fully interconnected internally 131

132 Exterior Routing: BGP BGP is a large set of bilateral (1:1) routing sessions – A tells B all the destinations (prefixes) that A is capable of reaching – B tells A all the destinations that B is capable of reaching [Diagram: peers A and B, with prefixes 10.0.0.0/24, 10.1.0.0/16, 10.2.0.0/18 and 192.2.200.0/24]

133 What is RPKI? Resource Public Key Infrastructure Attaches digital certificates to network resources – AS Numbers – IP Addresses Allows ISPs to associate the two – Route Origin Authorizations (ROAs) – Can follow the address allocation chain to the top

134 What does RPKI accomplish? Allows routers or other processes to validate route origins Simplifies validation authority information – Trust Anchor Locator Distributes trusted information – Through repositories 134

135 Hierarchy of Resource Certificates 135

136 Route Origin Attestations 128.177.46.0/20 AS53659 128.177.0.0/16 AS17025 192.78.12.0/24 AS2000 136

137 Current Practices 128.177.0.0/16 AS17025 192.78.12.0/24 AS2000 128.177.46.0/20 AS53659 137

138 What does RPKI Create? It creates a repository – RFC 3779 (RPKI) Certificates – ROAs – CRLs – Manifest records 138

139 Relationships [Diagram: Parent Key, Parent Cert, Parent Manifest, Certificate, Key; arrows labelled "Signs" and "Points to (has URI for)"]

140 Repository View
    ./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:
    total 40
    -rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
    -rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer
    -rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl
    -rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
    -rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa
A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest

141 Repository Use Pull down these files using a manifest- validating mechanism Validate the ROAs contained in the repository Communicate with the router marking routes “valid”, “invalid”, “unknown” Up to ISP to use local policy on how to route 141

142 Possible Data Flow for Operations RPKI Web interface -> Repository Repository aggregator -> Validator Validated entries -> Route Checking Route checking results -> local routing decisions (based on local policy) 142
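The route-checking step from the two slides above, as an added example that is not part of the ARIN presentation: validated ROA entries are matched against announcements, each route is marked "valid", "invalid" or "unknown", and a local policy decides what to do with it. The max_length values, the local-preference numbers and the announcements are assumptions constructed for illustration.

```python
import ipaddress

# Constructed validated ROA payloads (prefix, max_length, origin ASN). The prefix/AS
# pairs are taken from the ROA slide; the max_length values are assumptions.
VRPS = [
    ("128.177.0.0/16", 20, 17025),
    ("192.78.12.0/24", 24, 2000),
]

# Assumed local policy: LOCAL_PREF per validation state, None means reject.
LOCAL_POLICY = {"valid": 200, "unknown": 100, "invalid": None}


def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Classify one announcement as 'valid', 'invalid' or 'unknown'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in vrps:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA is relevant only if its prefix covers the announced prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the authorized origin AS and a length within max_length.
        if roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but no match: invalid. No covering ROA at all: unknown.
    return "invalid" if covered else "unknown"


def route_decisions(announcements, policy=LOCAL_POLICY):
    """Apply local policy to (prefix, origin_asn) pairs; returns a list of
    (prefix, origin_asn, state, local_pref_or_None)."""
    out = []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn)
        out.append((prefix, asn, state, policy[state]))
    return out


# Constructed announcements, as a router might receive them from a peer.
ANNOUNCEMENTS = [
    ("128.177.0.0/16", 17025),   # exact match
    ("128.177.16.0/24", 17025),  # right origin, more specific than max_length
    ("128.177.32.0/20", 64500),  # covered prefix, wrong origin AS
    ("203.0.113.0/24", 64501),   # no covering ROA
]

if __name__ == "__main__":
    for row in route_decisions(ANNOUNCEMENTS):
        print(row)
```

Treating "unknown" as acceptable with a lower preference reflects that most address space has no ROA yet; rejecting only "invalid" is one possible local policy, not the only one.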

143 How can you use ARIN’s RPKI System? Hosted – create ROAs through ARIN Online – create ROAs using ARIN’s RESTful service Delegated using Up/Down Protocol

144 Hosted RPKI - ARIN Online Pros – Easy to pick up and use – ARIN managed Cons – No current support for downstream customers to manage their own space – Tedious through the UI if you have a large network – We hold your private key

145 Hosted RPKI - RESTful Interface Pros – Programmatic interface for large networks – ARIN managed Cons – No current support for downstream customers to manage their own space – We hold your private key

146 Delegated RPKI with Up/Down Pros – You safeguard your own private key – Follows the IETF up/down protocol Cons – Extremely hard to set up – Need to operate your own RPKI environment

147 Hosted RPKI in ARIN Online 147

148 Hosted RPKI in ARIN Online 148

149 Hosted RPKI in ARIN Online 149

150 Hosted RPKI in ARIN Online 150

151 Hosted RPKI in ARIN Online SAMPLE-ORG 151

152 Hosted RPKI in ARIN Online SAMPLE-ORG 152

153 Hosted RPKI in ARIN Online 153

154 Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators. 154

155 Delegated with Up/Down 155

156 Delegated with Up/Down 156

157 Delegated with Up/Down 157

158 Delegated with Up/Down You have to do all the ROA creation Need to set up a Certificate Authority Have a highly available repository Create a CPS

159 RPKI Statistics Oct 2012 Apr 2013 Oct 2013 Apr 2014 Oct 2014 Apr 2015 Oct 2015 Apr 2016 Certified Orgs 4768108153187220250 ROAs 1960106162239308338370 Covered Resources 3082147258332430482528 Up/Down Delegated 000121 159

160 Q&A

161 IPv6 Adoption: Where Are We Now? Mark Kosters CTO Eddie Diego Senior Resource Analyst

162 The Amazing Success of the Internet 2.92 billion users! 4.5 online hours per day per user! 5.5% of GDP for G-20 countries [Chart: "Just about anything about the Internet" plotted against time]

163 The Original IPv6 Plan - 1995 [Chart against time: Size of the Internet, IPv4 Pool Size, IPv6 Deployment, IPv6 Transition – Dual Stack]

164 The Revised IPv6 Plan - 2005 [Chart against date, 2004 to 2012: Size of the Internet, IPv4 Pool Size, IPv6 Deployment, IPv6 Transition – Dual Stack]

165 Oops! We were meant to have completed the transition to IPv6 BEFORE we completely exhausted the supply channels of IPv4 addresses! 165

166 Today’s IPv6 Plan [Chart against time: Size of the Internet, IPv4 Pool Size, IPv6 Deployment, IPv6 Transition; markers: "Today", "?", "0.8 %"]

167 Transition... The downside of an end-to-end architecture: – There is no backwards compatibility across protocol families – A V6-only host cannot communicate with a V4-only host We have been forced to undertake a Dual Stack transition: – Provision the entire network with both IPv4 AND IPv6 – In Dual Stack, hosts configure the hosts’ applications to prefer IPv6 to IPv4 – When the traffic volumes of IPv4 dwindle to insignificant levels, then it’s possible to shut down support for IPv4 167

168 Dual Stack Transition... We did not appreciate the operational problems with this dual stack plan while it was just a paper exercise: The combination of an end host preference for IPv6 and a disconnected set of IPv6 “islands” created operational problems – Protocol “failover” from IPv6 to IPv4 takes between 19 and 108 seconds (depending on the operating system configuration) – This is unacceptably slow Attempting to “bridge” the islands with IPv6-in-IPv4 tunnels created a new collection of IPv6 path MTU Discovery operational problems – There are too many deployed network paths containing firewall filters that block all forms of ICMP, including ICMP6 Packet Too Big Attempts to use end-host IPv6 tunneling also presents operational problems – Widespread use of protocol 41 (IP-in-IP) firewall filters – Path MTU problems 168

169 Dual Stack Transition Signal to the ISPs: – Deploy IPv6 and expose your users to operational problems with IPv6 connectivity Or – Delay IPv6 deployment and wait for these operational issues to be solved by someone else So we wait...

170 And while we wait... The Internet continues its growth. And without an abundant supply of IPv4 addresses to support this level of growth, the industry is increasingly reliant on NATs: – Edge NATs are now the de facto choice for residential broadband services at the CPE – ISP NATs are now the de facto choice for 3G and 4G mobile IP services 170

171 What is ARIN Hearing from the Community About IPv6? Movement to IPv6 is slow, but progress being made – ISPs slowly rolling out IPv6 – Steady increase in IPv6 traffic – Increase in IPv6 requests – IPv6 entertainment offerings may be a driver Still high demand for IPv4 – Many ISPs purchasing CGN boxes – More turning to the IPv4 market Rent by month Purchasing space outright (costs will increase) 171

172 What will be the tipping point? CGN’s running V4 – Cost per IP will rise based on… – Cost of device and support Why does Gamers have a need for speed User base that supports V6 Social Effect 172

173 ARIN’s Network We eat our own dogfood Every new service must have v6 Evolution on v6 to a robust infrastructure Have had challenges getting robustness 173

174 2003: Sprint T1 via Sprint Linux Router with Sangoma T1 Card OpenBSD firewall Linux-based WWW, DNS, FTP servers Segregated network, no dual stack (security concerns) A lot of PMTU issues A lot of routing issues Service did improve over the years 174

175 2008: NTT / TiNet IPv6 1000 Mbit/s to NTT / TiNet Cisco ASR 1000 Router Brocade Load Balancers - IPv6 support was Beta DNS, Whois, IRR, more later Dual stack 175

176 Past Meeting Networks IPv6 enabled since 2005 Tunnels to ARIN, others Testbed for transition technology NAT-PT (Cisco, OSS) CGN / NAT-lite IVI Training opportunity For staff & members

177 ARIN’s Current Challenges for Networking Dual-Stacked Internally – Challenges over time with our VPN (OpenVPN) One interface works with v6 One does not Middleware Boxes – Claims do not support reality (“we support IPv6”) Yes, but… – No 1-1 feature set – Limits ARIN’s ability to support new services like https support for Whois-RWS 177

178 However, there is some good news for the future...

179 Google’s IPv6 Traffic Growing > 25% of US customers connected to Google via IPv6 - up from 10% one year ago today & growing rapidly 179

180 Facebook Over 10% of the world uses Facebook over IPv6 [Chart: 1% on 6/6/2012; over 10% in 2015]

181 Global IPv6 Status Percentage of Members with IPv6 181

182 IPv6 Blocks Issued Over Time ARIN IPv6 Allocations and Assignments 182

183 ARIN ISP Members with IPv4 and IPv6 5,268 total members as of 31 January 2016 183

184 IPv6 Requests – Past Year [Chart annotations: waiting list initiated; IPv4 depletion]

185 Why Move to IPv6 Now? Being IPv4-only has costs – Transfer market, latency, CGN boxes, NAT Many operational issues solved by early adopters If not IPv6, then what? 185

186 Requesting IPv6 - ISPs Have a previous v4 allocation from ARIN or predecessor registry OR Intend to IPv6 multi-home OR Provide a technical justification which details at least 50 assignments made within 5 years 186

187 Data ARIN Will Typically Ask For - ISPs If requesting more than a /32, a spreadsheet/text file with – # of serving sites (PoPs, datacenters) – # of customers served by largest serving site – Block size to be assigned to each customer (/48 typical) 187

188 Requesting IPv6 – End Users Have a v4 assignment from ARIN or predecessor registry OR Intend to IPv6 multi-home OR Use 2000 IPv6 addresses or 200 IPv6 subnets within a year OR Have a contiguous network that has a minimum of 13 active sites within 12 months OR Technical justification as to why provider-assigned IPs are unsuitable 188

189 Data ARIN Will Typically Ask For - End Users If requesting more than a /48, a spreadsheet/text file with – List of sites in your network Site = distinct geographic location Street address for each – Campus may count as multiple sites Technical justification showing how they’re configured like geographically separate sites

190 Your IPv6 Checklist – Get your IPv6 address space – Set up IPv6 connectivity (native or tunneled) – Configure your operating systems, software, and network management tools – Upgrade your router, firewall, and other hardware – Get your IT staff training – Enable IPv6 on your website

191 Talk to Your ISP About IPv6 Services You want access to the entire Internet! – ISPs must connect customers via IPv4 only, IPv4-IPv6, and IPv6 only – They must plan for IPv4-IPv6 transition services Many transition technologies available Research options and make architectural decisions 191

192 Dual-stack Your Network – IPv6 not backwards compatible with IPv4 – Both will run simultaneously for years 192

193 Make Your Servers Reachable Over IPv6 – Mail, Web, Applications – Operating systems, software, and network management tools 193

194 Audit Your Equipment and Software – Are your devices and applications IPv6 ready? 194

195 Encourage Vendors to Support IPv6 – If not already, when will IPv6 support be part of their product cycle? 195

196 Get IPv6 Training for Staff – Free resources available 196

197 Enable IPv6 on Your Website 197

198 Steps To Get Your Website IPv6-Enabled TeamARIN.net/get6 198

199 Operational Guidance www.NANOG.org/archives/ http://nabcop.org/index.php/Main_Page http://www.internetsociety.org/deploy360/ Internet Governance Forum – Enabling Environment for IPv6 Adoption http://www.intgovforum.org/cms/best-practice-forums/2015-bpf-outs

200 IPv6 Info Center www.arin.net/knowledge/ipv6_info_center.html www.GetIPv6.info www.TeamARIN.net

201 Q&A / Open Mic Session

202 Take Aways Apply for IPv6 addresses and get started. Subscribe to an ARIN mailing list Participate in ARIN 38 – in person or remotely Apply for a future meeting fellowship Think about implementing DNSSEC/Resource Certification Member organizations please update your Voting Contact – linked to an ARIN Web User account Reach out through various channels with questions or suggestions

203 ARIN Mailing Lists
ARIN Consultation - arin-consult@arin.net Open to the general public. Used in conjunction with the ARIN Consultation and Suggestion Process (ACSP) to gather comments, this list is only open when there is a call for comments
ARIN Issued - arin-issued@arin.net Read-only list open to the general public. Used by ARIN staff to provide a daily report of IPv4 and IPv6 addresses returned and IPv4 and IPv6 addresses issued directly by ARIN or address blocks returned to ARIN's free pool.
ARIN Technical Discussions - arin-tech-discuss@arin.net Open to the general public. Provided for those interested in providing technical feedback to ARIN on experiences in the use or evaluation of current ARIN services and features in development.
http://www.arin.net/participate/mailing_lists/index.html
ARIN Announce: arin-announce@arin.net
ARIN Discussion: arin-discuss@arin.net (members only)
ARIN Public Policy: arin-ppml@arin.net
ARIN Consultation: arin-consult@arin.net
ARIN Issued: arin-issued@arin.net
ARIN Technical Discussions: arin-tech-discuss@arin.net
Suggestions: arin-suggestions@arin.net

204 ARIN on Social Media www.TeamARIN.net www.facebook.com/TeamARIN @TeamARIN www.gplus.to/TeamARIN www.linkedin.com/company/ARIN www.youtube.com/TeamARIN

205 https://www.arin.net/participate/meetings/fellowship.html

206 Fill out & submit the survey for your chance to win a $100 Amazon Gift Card!

