Roseau, Dominica, 18 June 2015

Wireless Access
• Network: Fort Young Hotel
• Password: P@radis3

Welcome. Here today from ARIN:
• Susan Hamlin, Director, Communications and Member Services
• Andrew Dul, ARIN Advisory Council
• Andy Newton, Chief Engineer
• Leslie Nobile, Senior Director of Global Registry Knowledge

Morning Agenda
10:15 - 10:45  ARIN: Mission, Services and Community Engagement; Susan Hamlin
10:45 - 11:20  Security Overlays on Core Internet Protocols – DNSSEC; Andy Newton
11:20 - 12:00  Life After IPv4 Depletion: IPv4 Inventory, Waiting List and Transfers; Leslie Nobile
12:00 - 1:00   Lunch

Afternoon Agenda
1:00 - 1:30  Security Overlays on Core Internet Protocols – Resource Certification (RPKI); Andy Newton
1:30 - 2:00  Number Resource Policy Discussions and How to Participate; Andrew Dul
2:00 - 2:30  Automating Interactions with ARIN; Andy Newton
2:30 - 3:00  Moving to IPv6 – Getting IPv6 from ARIN / Current Uptake; Andy Newton and Leslie Nobile
3:00 - 3:15  Q&A / Open Mic Session; Susan Hamlin

Let's Get Started!
• Self introductions
  – Name
  – Organization

ARIN and the RIR System: Mission, Role and Services
Susan Hamlin, Director, Communications and Member Services

What is an RIR?
A Regional Internet Registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a particular region of the world. Internet number resources include IP addresses and autonomous system (AS) numbers.
Regional Internet Registries

RIR Structure
Not-for-profit
• Fee for services, not number resources
• 100% community funded
Membership Organization
• Open
• Broad-based
  – Private sector
  – Public sector
  – Civil society
Community Regulated
• Community developed policies
• Member-elected executive board
• Open and transparent

Number Resource Organization
The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input into the RIR system.

ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.

ARIN's Service Region
The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.

IP Address and Autonomous System Number Provisioning Process

Who is the ARIN community?
Anyone with an interest in Internet number resource management in the ARIN region

The ARIN Community includes…
• 20,000+ customers
• 5,000+ members
• 60+ professional staff
• 7 member Board of Trustees
  – elected by the membership
• 15 member Advisory Council
  – elected by the membership
• 3 person Number Resource Organization Number Council
  – elected by the ARIN Community

ARIN Board of Trustees
• Paul Andersen, Vice Chair and Treasurer
• Vinton G. Cerf, Chair
• John Curran, President and CEO
• Timothy Denton, Secretary
• Aaron Hughes
• Bill Sandiford
• Bill Woodcock

ARIN Advisory Council
• Dan Alexander, Chair
• Cathy Aronson
• Kevin Blumberg, Vice Chair
• Owen DeLong
• Andrew Dul
• David Farmer
• David Huberman
• Scott Leibrand
• Tina Morris
• Milton Mueller
• Leif Sawyer
• Heather Schiller
• Robert Seastrom
• John Springer
• Chris Tacit

ARIN Services and Products
ARIN Manages:
• IP address allocations & assignments
• ASN assignment
• Transfers
• Reverse DNS
• Record Maintenance
• Directory service
  – Whois
  – Routing Information (Internet Routing Registry)
  – WhoWas

ARIN Services and Products
ARIN coordinates and administers:
• Policy Development
  – Community meetings
  – Discussion
  – Publication
• Elections
• Information publication and dissemination and public relations
• Community outreach
• Education and training

ARIN Services and Products
ARIN develops technologies for managing Internet number resources:
• ARIN Online
• Community Software Project Repository
• DNSSEC
• Resource Certification (RPKI)
• Whois-RWS
• Reg-RWS

Globalization of IANA Oversight
On 14 March 2014, the US Government announced plans to transition oversight of the IANA functions contract to the global multistakeholder community
Current IANA functions contract expires 30 September 2015

NTIA Conditions for Transition Proposal
1. Support and enhance the multistakeholder model
2. Maintain the security, stability, and resiliency of the Internet DNS
3. Meet the needs and expectation of the global customers and partners of the IANA services
4. Maintain the openness of the Internet

Current Status of IANA Stewardship Proposal
Number Resources (RIR community)
– CRISP Team proposal, submitted 15 Jan 2015: https://www.nro.net/wp-content/uploads/ICG-RFP-Number-Resource-Proposal.pdf
– Draft Service Level Agreement (SLA) for the IANA Numbering Services, open for public comment 1 May 2015 – 14 June 2015: https://www.nro.net/news/call-for-comments-for-a-draft-sla-for-the-iana-numbering-services

IANA Stewardship Proposal – Victory Conditions
• A proposal submitted to NTIA by July 2015 which meets NTIA's conditions and provides for transition of IANA stewardship to the global Internet community
• Community support of the ICG proposal, based on belief that the mechanisms provided for oversight and accountability are appropriate

IANA Stewardship – Potential Implications
• Successful transition of IANA Stewardship from the USG to the Internet community would be an important validation of the Internet's multi-stakeholder governance model
• Inability to transition could raise concerns about the validity of the multi-stakeholder process and fuel discussion of the perceived need for intergovernmental mechanisms for Internet Governance

Join in Internet Governance Discussions
Visit ARIN's webpage: Ways to Participate in Internet Governance
https://www.arin.net/participate/governance/participate.html

Get 6 – Websites on IPv6
http://teamarin.net/infographic/

How to Participate in ARIN
• Attend Public Policy and Members Meetings & Public Policy Consultations
  – Remote participation available
• Apply for Meeting Fellowship
• Discuss policies on Public Policy Mailing List (ppml)
• Come to outreach events
• Subscribe to an ARIN mailing list

More Ways to Participate
• Give your opinion on community consultations
• Submit a suggestion
• Contribute to the IPv6 wiki
• Write a guest blog for TeamARIN.net
• Connect with us on social media
• Members – Vote in annual elections

ARIN Mailing Lists
ARIN Announce: arin-announce@arin.net
ARIN Discussion:
arin-discuss@arin.net (members only)
ARIN Public Policy: arin-ppml@arin.net
ARIN Consultation: arin-consult@arin.net
ARIN Issued: arin-issued@arin.net
ARIN Technical Discussions: arin-tech-discuss@arin.net
Suggestions: arin-suggestions@arin.net
http://www.arin.net/participate/mailing_lists/index.html

ARIN on Social Media
www.TeamARIN.net
www.facebook.com/TeamARIN
@TeamARIN #ARIN35
www.gplus.to/TeamARIN
www.linkedin.com/company/ARIN
www.youtube.com/TeamARIN

Apply now for ARIN 36
October 2015 in Montreal
https://www.arin.net/participate/meetings/fellowship.html
NEW: Includes attendance at NANOG

Q&A

Security Overlays on Core Internet Protocols – DNSSEC
Andy Newton, Chief Engineer

Core Internet Protocols
• Two critical resources that are unsecured
  – Domain Name Servers
  – Routing
• Hard to tell if compromised
  – From the user point of view
  – From the ISP/Enterprise
• Focus on government funding

DNS

How DNS Works
Question: www.arin.net A
1. The resolver asks the caching forwarder (recursive): www.arin.net A ?
2. The caching forwarder asks a root-server: www.arin.net A ?  Answer: ask the net server @ X.gtld-servers.net (+ glue)
3. The caching forwarder asks the gtld-server: www.arin.net A ?  Answer: ask the arin server @ ns1.arin.net (+ glue)
4. The caching forwarder asks the arin-server: www.arin.net A ?  Answer: 192.168.5.10
5. The caching forwarder adds the answer to its cache and returns it to the resolver: www.arin.net A 192.168.5.10

Why DNSSEC? What is it?
• Standard DNS (forward or reverse) responses are not secure
  – Easy to spoof
  – Notable malicious attacks
• DNSSEC attaches signatures
  – Validating resolvers check the signatures before accepting a response
  – A spoofed or altered response fails validation (DNSSEC provides authenticity and integrity, not confidentiality)

Reverse DNS at ARIN
• ARIN issues blocks without any working DNS
  – Registrant must establish delegations after registration
  – Then employ DNSSEC if desired
• Just as susceptible as forward DNS if you do not use DNSSEC

Reverse DNS at ARIN
• Authority to manage reverse zones follows allocations
  – "Shared Authority" model
  – Multiple sub-allocation recipient entities may have authority over a particular zone

Changes completed to make DNSSEC work at ARIN
• Permit by-delegation management
• Sign in-addr.arpa. and ip6.arpa. delegations that ARIN manages
• Create entry method for DS Records
  – ARIN Online
  – RESTful interface
  – Not available via templates

Changes completed to make DNSSEC work at ARIN
• Only key holders may create and submit Delegation Signer (DS) records
• DNSSEC users need to have signed a registration services agreement with ARIN to use these services

Reverse DNS in ARIN Online
First identify the network that you want to put Reverse DNS nameservers on…
…then enter the Reverse DNS nameservers…

DNSSEC in ARIN Online
…then apply the DS record to the delegation

Reverse DNS: Querying ARIN's Whois
Query for the zone directly:

whois> 81.147.204.in-addr.arpa
Name:        81.147.204.in-addr.arpa.
Updated:     2006-05-15
NameServer:  AUTHNS2.DNVR.QWEST.NET
NameServer:  AUTHNS3.STTL.QWEST.NET
NameServer:  AUTHNS1.MPLS.QWEST.NET
Ref:         http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.

DNSSEC in Zone Files
; File written on Mon Feb 24 17:00:53 2014
; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
0.74.in-addr.arpa.      86400   IN NS   NS3.COVAD.COM.
                        86400   IN NS   NS4.COVAD.COM.
                        10800   NSEC    1.74.in-addr.arpa. NS RRSIG NSEC
                        10800   RRSIG   NSEC 5 4 10800 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS
                                        D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c
                                        8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY
                                        vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT
                                        BLP5UClxUWkgvS/6poF+W/1H4QY= )
1.74.in-addr.arpa.      86400   IN NS   NS3.COVAD.COM.
                        86400   IN NS   NS4.COVAD.COM.
                        10800   NSEC    10.74.in-addr.arpa. NS RRSIG NSEC
                        10800   RRSIG   NSEC 5 4 10800 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV
                                        VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1
                                        mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h
                                        lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH
                                        sa+5OV7ezX5LCuDvQVp6p0LftAE= )

DNSSEC in Zone Files
0.121.74.in-addr.arpa.  86400   IN NS   DNS1.ACTUSA.NET.
                        86400   IN NS   DNS2.ACTUSA.NET.
                        86400   IN NS   DNS3.ACTUSA.NET.
                        86400   DS      46693 5 1 (
                                        AEEDA98EE493DFF5F3F33208ECB0FA4186BD
                                        8056 )
                        86400   DS      46693 5 2 (
                                        66E6D421894AFE2AF0B350BD8F4C54D2EBA5
                                        DA72A615FE64BE8EF600C6534CEF )
                        86400   RRSIG   DS 5 5 86400 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y
                                        6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l
                                        gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf
                                        Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK
                                        nhCY8UOBOYLOLE5Whtk3XOuX9+U= )
                        10800   NSEC    1.121.74.in-addr.arpa. NS DS RRSIG NSEC
                        10800   RRSIG   NSEC 5 5 10800 20140306210053 (
                                        20140224210053 57974 74.in-addr.arpa.
                                        YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe
                                        …

DNSSEC Validating Resolvers
• www.internetsociety.org/deploy360/dnssec/
• www.isc.org/downloads/bind/dnssec/

Reverse DNS Management and DNSSEC in ARIN Online
• Available on ARIN's website: http://www.arin.net/knowledge/dnssec/

Q&A

Life After IPv4 Depletion
• Jon Worley – Analyst

Life After IPv4 Depletion
Leslie Nobile, Senior Director Global Registry Knowledge

Overview
• ARIN's current IPv4 inventory
• Trends and observations
• Ways to obtain IP addresses post IPv4 depletion
  – IPv4
  – Transfers
  – IPv6

Check on ARIN's IPv4 Inventory
ARIN's IPv4 inventory published on ARIN's website: www.arin.net
Updated daily at 12 am ET

Current IPv4 Inventory
Available inventory: .12 /8 equivalent
• Space available to fill general IPv4 requests
• Excludes space held/reserved
• Over the past few years, ARIN has issued approximately 1 /8 equivalent per year

Current IPv4 Prefix Inventory (as of 17 June 2015)
Block Size (CIDR)   Number of Blocks Available
/12                 1
/13                 1
/15                 1
/16                 1
/18                 1
/21                 2
/22                 3
/23                 118
/24                 461

Other IPv4 Inventory
• Quarantined space (60 day hold)
  – ~19 /16 equivalents held in "quarantine" to clear filters (returned and revoked space)
• Reserved space
  – 64 /16s (1 /10) for NRPM 4.10 "Dedicated IPv4 block to facilitate IPv6 Deployment"
  – 218 /24s remaining in the /16 for NRPM 4.4 "Micro-allocation"
  – ~8 /16 equivalents needing further research (reclaimed space that needs further chain of custody research)

IPv4 Reality Check
• Larger block sizes (/8, /9, /10) unavailable
• Blocks larger than /16 will be unavailable in the near future
• Soon after that, only /24s will remain
• Eventually, only blocks reserved for specific policies will remain in ARIN's inventory

Post-IPv4 Depletion Options
• More efficient use of existing IPv4 resources
• IPv4 Wait List
• Specified Recipient and Inter-RIR Transfers
• Adopt IPv6

IPv4 Wait List
• If ARIN can't fill your qualified request, you have the option to specify the smallest block size you'll accept
• If available, your request will be filled and you'll be unable to request additional addresses for 3 months
• If no block is available between the approved size and the smallest acceptable size, you can be added to the IPv4 Wait List

How the IPv4 Wait List Works
• Oldest request filled first (based on approval date)
  – E.g. if ARIN gets a /16 back and the oldest request is for a /24, we issue a /24 to that org
• One approved request per organization on the list at a time
• Limit of one allocation or assignment every 3 months

How long will I have to wait?
• Space becomes available in several ways
  – Return = voluntary
  – Revoke = for cause (usually non-payment)
  – IANA issued – per global policy for "post exhaustion IPv4 allocation mechanisms by IANA"
• 3.54 total /8s returned/revoked since 2005
• /11 (issued 5/14), /12 (issued 9/14) and /13 (issued 3/15) by IANA to each RIR
• Demand will be far greater than availability

Transfers of IPv4 Addresses
• Mergers and Acquisitions (NRPM 8.2)
• Transfers to Specified Recipients (NRPM 8.3)
• Inter-RIR transfers (NRPM 8.4)

Transfers to Specified Recipients
• Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources
• Source
  – Must be current registrant, no disputes
  – Not have received addresses from ARIN for 12 months prior
  – Ineligible for further addresses from ARIN for 12 months after
• Recipient
  – Must demonstrate need for 24-month supply under current ARIN policy

Inter-RIR Transfers (NRPM 8.4)
• RIR must have reciprocal, compatible needs-based policies
  – Currently APNIC, soon to be RIPE NCC
• Transfers from ARIN
  – Source cannot have received IPv4 from ARIN 12 months prior to transfer or receive IPv4 for 12 months after transfer
  – Must be current registrant, no disputes
  – Recipient meets destination RIR policies
• Transfers to ARIN
  – Must demonstrate need for 24-month supply under current ARIN policy

Pre-approval for Specified Recipient Transfers
• Pre-approval based on 24 month need
• Valid for 2 years
• Can use multiple transfers to fill need without being subject to re-verification

Specified Transfer Listing Service (STLS)
• Optional service intended to facilitate specified recipient and inter-RIR transfers
• All participants have access to each others' contact information
  – Listers: have available IPv4 addresses
    • Resources must be covered under RSA/LRSA
  – Needers: looking for IPv4 addresses
    • Must be pre-approved under ARIN policy to be listed
  – Facilitators: available to help listers and needers find each other
• Public summary provided
  – Lists number of available and needed IPv4 address blocks

Tips for Faster Transfer Processing
• Make sure that all registration information is current and accurate
• Request pre-approval for your 24 month need
• Apply under the correct transfer policy
• Provide detailed information to support 24 month need

Summary
• ARIN will deplete its available IPv4 pool sometime this year
• No perfect solution
  – CGN = potential problems
  – Waiting list = uncertainty
  – Transfers = subject to market prices
  – IPv6 = transition effort
• Begin planning now

LUNCH
Take your valuables as the room will not be locked.

Security Overlays on Core Internet Protocols – RPKI
Andy Newton, Chief Engineer

Core Internet Protocols
• Two critical resources that are unsecured
  – Domain Name Servers
  – Routing
• Hard to tell if compromised
  – From the user point of view
  – From the ISP/Enterprise
• Focus on government funding

Routing

Routing Architecture
• The Internet uses a two level routing hierarchy:
  – Interior Routing Protocols, used by each network to determine how to reach all destinations that lie within the network
  – Interior Routing protocols maintain the current topology of the network

Routing Architecture
• The Internet uses a two level routing hierarchy:
  – Exterior Routing Protocol, used to link each component network together into a single whole
  – Exterior protocols assume that each network is fully interconnected internally

Exterior Routing: BGP
• BGP is a large set of bilateral (1:1) routing sessions
  – A tells B all the destinations (prefixes) that A is capable of reaching
  – B tells A all the destinations that B is capable of reaching
[Diagram: routers A and B exchanging the prefixes 10.0.0.0/24, 10.1.0.0/16, 10.2.0.0/18 and 192.2.200.0/24]

What is RPKI?
• Resource Public Key Infrastructure
• Attaches digital certificates to network resources
  – AS Numbers
  – IP Addresses
• Allows ISPs to associate the two
  – Route Origin Authorizations (ROAs)
  – Can follow the address allocation chain to the top

What does RPKI accomplish?
• Allows routers or other processes to validate route origins
• Simplifies validation authority information
  – Trust Anchor Locator
• Distributes trusted information
  – Through repositories

Resource Cert Validation
[Diagram: Resource Allocation Hierarchy. ICANN; the RIRs AFRINIC, RIPE NCC, APNIC, ARIN and LACNIC; below them LIR1, ISP2, ISP4 and other ISPs, each with an issued certificate.]
Route Origination Authority:
  "ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24"
  Attachment: <isp4-ee-cert>
  Signed, ISP4 <isp4-ee-key-priv>
A relying party checks, in order:
1. Did the matching private key sign this text?
2. Is this certificate valid?
3. Is there a valid certificate path from a Trust Anchor to this certificate?

What does RPKI Create?
• It creates a repository
  – RFC 3779 (RPKI) Certificates
  – ROAs
  – CRLs
  – Manifest records

Repository View
./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:
total 40
-rw-r--r--  1 143  143  1543 Jun 26  2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
-rw-r--r--  1 143  143  1403 Jun 26  2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer
-rw-r--r--  1 143  143   485 Jun 26  2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl
-rw-r--r--  1 143  143  1882 Jun 26  2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
-rw-r--r--  1 143  143  1542 Jun 26  2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa
A repository directory containing an RFC 3779 certificate, two ROAs, a CRL, and a manifest

Repository Use
• Pull down these files using a manifest-validating mechanism
• Validate the ROAs contained in the repository
• Communicate with the router, marking routes "valid", "invalid", "unknown"
• Up to ISP to use local policy on how to route

Possible Data Flow for Operations
• RPKI Web interface -> Repository
• Repository aggregator -> Validator
• Validated entries -> Route Checking
• Route checking results -> local routing decisions (based on local policy)

How can you use ARIN's RPKI System?
• Hosted
• Hosted using ARIN's RESTful service
• Delegated using Up/Down Protocol

Hosted RPKI
• Pros
  – Easier to use
  – ARIN managed
• Cons
  – No current support for downstream customers to manage their own space (yet)
  – Tedious through the UI if you have a large network
  – We hold your private key

Hosted RPKI with RESTful Interface
• Pros
  – Easier to use
  – ARIN managed
  – Programmatic interface for large networks
• Cons
  – No current support for downstream customers to manage their own space (yet)
  – We hold your private key

Delegated RPKI with Up/Down
• Pros
  – You safeguard your own private key
  – Follows the IETF up/down protocol
• Cons
  – Extremely hard to set up
  – Need to operate your own RPKI environment
  – More later

Hosted RPKI in ARIN Online
[Screenshots: the ROA request workflow in ARIN Online for SAMPLE-ORG]
Your ROA request is automatically processed and the ROA is placed in ARIN's repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.

Delegated with Up/Down
• You have to do all the ROA creation
• Need to set up a CA
• Have a highly available repository
• Create a CPS

Q&A

ARIN's Policy Development Process
Current Number Resource Policy Discussions and How to Participate
Andrew Dul, ARIN Advisory Council

IP Number Policy Changes
If it doesn't fit, it can be changed

Number Resource Policy Manual
ARIN's Policy Document
– Version 2015.1 (24 February 2015)
– 37th version
Change Logs
HTML/PDF/txt
http://www.arin.net/policy/nrpm.html

Policy Development Process (PDP)
Process Flowchart
Proposal Template
http://www.arin.net/policy/pdp.html

PDP Goals
• "open, transparent, and inclusive manner that allows anyone to participate in the process."
• "clear, technically sound and useful policies"
• "Policies, not Processes, Fees, or Services"

Basic Steps
1. Proposal from community member
2. AC works with author to ensure it is clear and in scope
3. AC promotes proposal to Draft Policy for community discussion/feedback (PPML and possibly PPC/PPM)
4. AC recommends fully developed Draft Policy (fair, sound and supported by community) for adoption
5. Recommended Draft Policy must be presented at a face-to-face meeting (PPC/PPM)
6. If AC still recommends adoption, then Last Call, review of last call, and send to Board
7. Board reviews
8. Staff implements

Current Draft Policies/Proposals
To be implemented in June:
• ARIN-2014-17: Change Utilization Requirements from last-allocation to total-aggregate
Sent to the Board for ratification:
• Recommended Policy ARIN-2014-6: Remove Operational Reverse DNS Text
• Recommended Draft Policy ARIN-2014-21: Modification to CI Pool Size per Section 4.4
Under discussion:
• ARIN-2015-1: Modification to Criteria for IPv6 Initial End-User Assignments
• ARIN-2015-2: Modify 8.4 (Inter-RIR Transfers to Specified Recipients)
• ARIN-2015-3: Remove 30 day utilization requirement in end-user IPv4 policy
• ARIN-2015-4: Modify 8.2 section to better reflect how ARIN handles reorganizations
And 3 new proposals.
https://www.arin.net/policy/proposals/

Recommended Draft Policy ARIN-2014-17: Change Utilization Requirements from last-allocation to total-aggregate
• Changes IPv4 utilization requirement from 80% of last allocation to 50% overall and at least 50% of last allocation (easier for smaller ISPs to come back for more space)
• Discussed on PPML beginning in May 2014
• Presented at ARIN 34 (October 2014)
• Revised in November 2014 and advanced to Recommended Draft Policy
• Presented at NANOG 63
• Last call was 24 February through 10 March 2015

ARIN-2014-17 continued
• AC reviewed last call, advanced to Board
• Board review
  – Ensured PDP had been followed
  – Ensured compliance with law and ARIN's mission
  – Adopted 2014-17
• Staff announced "will be implemented no later than 26 June 2015"

How Can You Get Involved?
There are two ways to voice your opinion:
– Public Policy Mailing List
– Public Policy Consultations/Meetings
  • In person or remotely
  • ARIN meetings and Public Policy Consultations at NANOG

Takeaways
Three things
1. ARIN doesn't make up the policy; ARIN implements community created/maintained policy.
2. A policy process exists; if you are unhappy with a policy, there is a way for you to try to change it.
3. If you want to participate, you know where you can voice your opinion (email, in person and remote).

References
Policy Development Process: http://www.arin.net/policy/pdp.html
Draft Policies and Proposals: http://www.arin.net/policy/proposals/index.html
Number Resource Policy Manual: http://www.arin.net/policy/nrpm.html

Q&A

Automating Your Interactions with ARIN
Andy Newton, Chief Engineer

Why Automate?
• Interact with ARIN faster
• Not dependent on ARIN's systems for user interface issues
• Build a customized system using standards-based technologies
• Improved accuracy
• Integrate multiple services

Why Automate (continued)
• We have a rich set of interfaces
• Focused on reliability and completeness
• Welcome to share your tools with the community at projects.arin.net

REST – Service Summary
• ARIN's RESTful Web Services (RWS)
  – Whois-RWS
    • Provides public Whois data via REST
  – Reg-RWS (or Registration-RWS)
    • Allows ARIN customers to register and maintain data in a programmatic fashion
  – Report Request/Retrieval Automation
    • Permits request and download of various ARIN data (subject to AUP)
  – RPKI using Reg-RWS

What is REST?
• Representational State Transfer
• As applied to web services
  – defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data
  – "Resources" are addressable in URLs
• Very popular protocol model
  – Amazon S3, Yahoo & Google services, …

The BIG Advantage of REST
• Easily understood
  – Any modern programmer can incorporate it
  – Can look like web pages
• Re-uses HTTP in a simple manner
  – Many, many clients
  – Other HTTP advantages
• This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …

What does it look like?
[Annotated example URL, with callouts: Who can use it? / Where the data is. / What type of data it is. / The ID of the data.]
It is a standard URL. Anyone can use it. Go ahead, put it into your browser.

Where can more information on REST be found?
• RESTful Web Services – O'Reilly Media – Leonard Richardson, Sam Ruby

Whois-RWS
• Publicly accessible, just like traditional Whois
• Searches and lookups on IP addresses, AS numbers, POCs, Orgs, etc…
• Very popular
  – As of October 2014, constitutes 65% of our query load
• For more information:
  – http://www.arin.net/resources/whoisrws/index.html

[Chart: Whois Queries Per Second, July 2001 through March 2015, vertical axis 0 to 4000; RESTful queries plotted against Port 43 queries]

Registration RWS (Reg-RWS)
• Programmatic way to interact with ARIN
  – Intended to be used for automation
  – Not meant to be used by humans
• Useful for ISPs that manage a large number of SWIP records
• Requires an investment of time to achieve those benefits

Reg-RWS
• Requires an API Key
  – You generate one in ARIN Online on the "Web Account" page
• Permits you to register and manage your data (ORGs, POCs, NETs, ASes)
  – But only your data
• More information
  – http://www.arin.net/resources/restful-interfaces.html

Anatomy of a RESTful request
• Uses a URL (just like you would type into your browser)
• Uses a request type, known as a "method", of GET, PUT, POST or DELETE
• Usually requires a payload
  – Adheres to a published structure
  – Depends upon the type of data
  – Depends upon the method
• Method, Payload, and XML schema info is found at "RESTful Provisioning Downloads"

Example – Reassign Detailed
• Your automated system issues a PUT command to ARIN using the following URL:
http://www.arin.net/rest/net/NET-10-129-0-0-1/reassign?apikey=API-1234-5678-9ABC-DEFG
The payload contains the following data:
<net xmlns="http://www.arin.net/regrws/core/v1">
  <version>4</version>
  <comment></comment>
  <registrationDate></registrationDate>
  <orgHandle>HW-1</orgHandle>
  <handle></handle>
  <netBlocks>
    <netBlock>
      <type>A</type>
      <description>Reassigned</description>
      <startAddress>10.129.0.0</startAddress>
      <endAddress>10.129.0.255</endAddress>
      <cidrLength>24</cidrLength>
    </netBlock>
  </netBlocks>
  <parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
  <netName>HELLOWORLD</netName>
  <originASes></originASes>
  <pocLinks></pocLinks>
</net>

Example – Reassign Detailed
ARIN's web server returns the following to your automated system:
<net xmlns="http://www.arin.net/regrws/core/v1">
  <version>4</version>
  <comment></comment>
  <registrationDate>Tue Jan 25 16:17:18 EST 2011</registrationDate>
  <orgHandle>HW-1</orgHandle>
  <handle>NET-10-129-0-0-2</handle>
  <netBlocks>
    <netBlock>
      <type>A</type>
      <description>Reassigned</description>
      <startAddress>10.129.0.0</startAddress>
      <endAddress>10.129.0.255</endAddress>
      <cidrLength>24</cidrLength>
    </netBlock>
  </netBlocks>
  <parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
  <netName>HELLOWORLD</netName>
  <originASes></originASes>
  <pocLinks></pocLinks>
</net>

Reg-RWS Has More Than Templates
• Only programmatic way to do IPv6 Reassign Simple
• Only programmatic way to manage Reverse DNS
• Only programmatic way to access your ARIN tickets

Reg-RWS Adoption
[Chart: Template vs REST counts, ARIN 29 through ARIN 35; vertical axis 0 to 6,000,000]
Meeting    Template    REST
ARIN 29    408,383     40,374
ARIN 30    595,858     320,197
ARIN 31    846,943     841,105
ARIN 32    1,066,0…    3,524,1…
ARIN 33    1,311,4…    4,296,7…
ARIN 34    1,498,2…    4,715,2…
ARIN 35    1,749,3…    5,034,7…
(the trailing digits of the later values are cut off in the source)

Testing Your Reg-RWS Client
• We offer an Operational Test & Evaluation environment for Reg-RWS
• Your real data, but isolated
  – Helps you develop against a real system without the worry that real data could get corrupted
• For more information:
  – http://www.arin.net/resources/ote.html

Obtaining RESTful Assistance
• http://www.arin.net/resources/restful-interfaces.html
• Pay attention to Method, Payload, and XML schema documents under "RESTful Provisioning Downloads"
• Or use ARIN Online's Ask ARIN feature
• Or use the arin-tech-discuss mailing list
  – Make sure to subscribe
  – Someone on the list will help you ASAP
  – Archives on the web site
• Registration Services Help Desk telephone not a good fit
  – Debugging these problems requires a detailed look at the URL, method, and payload being used

Report Request/Retrieval
• For customer-specific data, access is restricted by user
  – Permits you to request and retrieve reports
  – But only your data
• For public services, you must first sign an AUP or TOU (Bulk Whois, Registered ASNs, WhoWas)
  – ARIN staff may review your need to access this data
• Requires an API Key

RPKI thru Reg-RWS
• Delegated – very complex
• Hosted – easy but tedious if managing a large network through the UI
• Solution: Interface to sign ROAs using the RESTful API
  – Ease of Hosted
  – Programmatic way of managing a large number of ROAs

Whois-RWS and the Future
• Whois-RWS is ARIN's RESTful interface to Whois.
  – RIPE also has a RESTful interface for Whois but it is not compatible
• Wanted to make a directory service compatible through the IETF
• IETF published the RDAP series of RFCs in Q1 of 2015.
  – ARIN will have RDAP rolled out June 20
  – Will be supported by all 5 RIRs and domain registries.

RDAP Clients
• ARIN has a client available, Nicinfo, at http://projects.arin.net
  – Or "gem install nicinfo" for Linux/Mac users
  – Other clients coming soon

Q&A

Moving to IPv6
Andy Newton, Chief Engineer
Leslie Nobile, Senior Director Global Registry Knowledge
With some help from Geoff Huston

The Amazing Success of the Internet
• 2.92 billion users!
• 4.5 online hours per day per user!
• 5.5% of GDP for G-20 countries Just about anything about the Internet 145 Time Success-Disaster 146 The Original IPv6 Plan - 1995 Size of the Internet IPv6 Deployment IPv6 Transition – Dual Stack IPv4 Pool Size Time 147 The Revised IPv6 Plan - 2005 IPv4 Pool Size Size of the Internet IPv6 Transition – Dual Stack IPv6 Deployment 2004 148 2006 2008 Date 2010 2012 Oops! We were meant to have completed the transition to IPv6 BEFORE we completely exhausted the supply channels of IPv4 addresses! 149 Today’s Plan IPv4 Pool Size Today Size of the Internet ? IPv6 Transition IPv6 Deployment 0.8% 150 Time Transition... The downside of an end-to-end architecture: – There is no backwards compatibility across protocol families – A V6-only host cannot communicate with a V4-only host We have been forced to undertake a Dual Stack transition: – Provision the entire network with both IPv4 AND IPv6 – In Dual Stack, hosts configure the hosts’ applications to prefer IPv6 to IPv4 – When the traffic volumes of IPv4 dwindle to insignificant levels, then it’s possible to shut down support for IPv4 151 Dual Stack Transition ... 
We did not appreciate the operational problems with this dual stack plan while it was just a paper exercise: • The combination of an end host preference for IPv6 and a disconnected set of IPv6 “islands” created operational problems – Protocol “failover” from IPv6 to IPv4 takes between 19 and 108 seconds (depending on the operating system configuration) – This is unacceptably slow • Attempting to “bridge” the islands with IPv6-in-IPv4 tunnels created a new collection of IPv6 path MTU Discovery operational problems – There are too many deployed network paths containing firewall filters that block all forms of ICMP, including ICMP6 Packet Too Big • Attempts to use end-host IPv6 tunneling also presents operational problems – Widespread use of protocol 41 (IP-in-IP) firewall filters – Path MTU problems 152 Dual Stack Transition Signal to the ISPs: – Deploy IPv6 and expose your users to operational problems with IPv6 connectivity Or – Delay IPv6 deployment and wait for these operational issues to be solved by someone else So we wait... 153 And while we wait... The Internet continues its growth. • And without an abundant supply of IPv4 addresses to support this level of growth, the industry is increasingly reliant on NATs: – Edge NATs are now the de facto choice for residential broadband services at the CPE – ISP NATs are now the de facto choice for 3G and 4G mobile IP services 154 155 What ARIN is hearing from the community • Movement to IPv6 is slow – Progress is being made – ISPs carefully rolling out IPv6 • Lots of ISPs purchasing CGN boxes • There is a market for IP space – Rent by month – Purchase outright 155 Why is there little immediate need for IPv6? 
• Some of the claims are either not true or taken over by events – IPv6 gives you better security – IPv6 gives you better routing • Some positive things 156 – IPv6 allows for end-to-end networking to occur again – IPv6 has more address bits – It is cheaper per address 157 2003: Sprint • T1 via Sprint • Linux Router with Sangoma T1 Card • OpenBSD firewall • Linux-based WWW, DNS, FTP servers • Segregated network, no dual stack (security concerns) • A lot of PMTU issues • A lot of routing issues • Service did improve over the years 158 2004: Worldcom • T1 via Worldcom in Equinix • Cisco 2800 router • OpenBSD firewall • Linux-based ww6, DNS, FTP servers • Segregated network, no dual stack (security concerns) • A lot of PMTU Issues • A lot of routing issues 159 2006: Equi6IX • 100 Mbit/s Ethernet to Equi6IX • Transit via OCCAID • Cisco 2800 router • OpenBSD firewall • WWW, DNS, FTP, SMTP • Segregated Network • Some dual stack 160 2008: NTT / TiNet IPv6 • 1000 Mbit/s to NTT / TiNet • Cisco ASR 1000 Router • Brocade Load Balancers - IPv6 support was Beta • DNS, Whois, IRR, more later • Dual stack 161 Past Meeting Networks • IPv6 enabled since 2005 • Tunnels to ARIN, others • Testbed for transition techology • NAT-PT (Cisco, OSS) • CGN / NAT-lite • IVI • Training opportunity • For staff & members ARIN’s Current Challenges for Networking • Dual-Stacked Internally – Challenges over time with our VPN (OpenVPN) • One interface works with v6 • One does not • Middleware Boxes – Claims do not support reality (“we support IPv6”) Yes, but… – No 1-1 feature set – Limits ARIN’s ability to support new services like https support for Whois-RWS 162 So why do the move to IPv6? 
• IPv4 will get more expensive • Move to IPv6 will happen when cost is too high for IPv4 • Don’t want to be caught with gear that will not support IPv6 before it is end-of-life • Need to have some experience on IPv6 163 Call to Action for IPv6 • ISPs should do it now • Universities should be teaching and making IPv6 available • Businesses should be asking for IPv6 support for gear and services they purchase – Want to be available to all on the Internet – If only IPv4 – may miss some IPv6 clientele • Application developers need to integrate IPv6 support 164 Call to Action for IPv6 • End users – May be behind CGN • Impacts speed and services • Don’t want to lose in those real-time games! (CoD gamers in particular) – Ask for IPv6 support • Faster • Better application support • Less support calls for IPv4 165 What is ARIN doing about it? • What we see with Transfers based on market reality • What we see with IPv6 Allocations 166 Trends and Observations • Comparing the past 12 months over the 12 months prior: – 18% increase in IPv4 requests – 5% increase in Transfer requests – 8% decrease in IPv6 requests 167 Qualifying for IPv6 – a few definitions • Allocate – Intention to assign/allocate to others • Assign – Resting spot for that IP space • ISPs – ones who allocate to other ISPs or assign to end-users • End Users –assigned to themselves 168 For ISPs, qualifying for IPv6 is easy! • Have a previous v4 allocation from ARIN OR • Intend to multi-home OR • Provide a technical justification which details at least 50 assignments made within 5 years 169 For end-users, qualifying for IPv6 is also easy! 
• Have a v4 direct assignment OR • Intend to multi-home OR • Show how you will use 2000 IPv6 addresses or 200 IPv6 subnets within a year OR • Technical justification as to why provider-assigned IPs are unsuitable 170 171 ISP Members with IPv4 and IPv6 4,960 ISP members as of 13 February 2015 172 Regional ISP IPv6 Adoption IPv6 over time ARIN IPv6 Allocations and Assignments 173 Get IPv6 from ARIN now! Most organizations with IPv4 can IPv6 without increasing their annual ARIN fees 174 Learn More www.GetIPv6.info IPv6 Info Center www.arin.net/knowledge/ipv6_info_center.html www.TeamARIN.net 175 Operational Guidance www.InternetSociety.org/ Deploy360/ www.NANOG.org/archives/ bcop.NANOG.org www.hpc.mil/cms2/index.php/ ipv6-knowledge-base-general-info 176 Useful Links and Contacts • Hostmaster – answers questions about policy, IPv4 & IPv6, ASNs, Transfers, etc – Email: hostmaster@arin.net – Phone: 703 227-0660 • Geoff Huston’s article on IPv4 & IPv6 – http://www.potaroo.net/ispcol/201506/ipv6.html Useful Links and Contacts • ARIN links: Statistics/IPv4,IPv6 & Transfers/General Education/CIDR chart – https://www.arin.net/knowledge/statistics/index. html – https://www.arin.net/resources/index.html – https://www.arin.net/knowledge/general.html – https://www.arin.net/knowledge/cidr.pdf – https://www.arin.net/fees/index.html Q&A / Open Mic Session Take Aways • Apply for IPv4 addresses tonight! Call the RSD helpdesk with questions. • Subscribe to at least one mailing list • Apply for a meeting fellowship • Think about implementing DNSSEC/Resource Certification • Member organizations please vote • Reach out though various channels with questions or suggestions Apply now for ARIN 36 in Montréal https://www.arin.net/participate/meetings/fellowship.ht ml Fill out & submit the survey for your chance to win a Portable Battery Pack!
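Returning to the Reg-RWS Reassign Detailed exchange shown earlier in the Automating Interactions material: an automated system should not record the returned net handle until it has checked the response against what it asked for. The following Python example is added here and is not ARIN's code or any ARIN-provided client; it uses only the standard library. The namespace string, element names and sample values come from the payloads on the slides, while the sample document itself, the org/parent handle comparisons, and the rule of rejecting a netBlock whose startAddress, endAddress and cidrLength disagree are assumptions about what a careful client should verify. The HTTP request (method, URL, API key) is not shown; that is what the RESTful Provisioning Downloads referenced above document.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Reg-RWS core namespace, taken from the xmlns on the page's <net> payloads.
NS = {"r": "http://www.arin.net/regrws/core/v1"}

# Constructed sample: the Reassign Detailed response shown in the slides.
SAMPLE_RESPONSE = """\
<net xmlns="http://www.arin.net/regrws/core/v1">
  <version>4</version>
  <comment></comment>
  <registrationDate>Tue Jan 25 16:17:18 EST 2011</registrationDate>
  <orgHandle>HW-1</orgHandle>
  <handle>NET-10-129-0-0-2</handle>
  <netBlocks>
    <netBlock>
      <type>A</type>
      <description>Reassigned</description>
      <startAddress>10.129.0.0</startAddress>
      <endAddress>10.129.0.255</endAddress>
      <cidrLength>24</cidrLength>
    </netBlock>
  </netBlocks>
  <parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
  <netName>HELLOWORLD</netName>
  <originASes></originASes>
  <pocLinks></pocLinks>
</net>
"""


def _text(elem, tag):
    """Text of a namespaced child element, or '' when absent or empty."""
    child = elem.find(f"r:{tag}", NS)
    return (child.text or "").strip() if child is not None else ""


def parse_net(xml_text):
    """Parse a Reg-RWS <net> document into a plain dict (namespace-aware)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}net" % NS["r"]:
        raise ValueError(f"expected a Reg-RWS <net> element, got {root.tag!r}")
    blocks = [
        {
            "type": _text(nb, "type"),
            "description": _text(nb, "description"),
            "start": _text(nb, "startAddress"),
            "end": _text(nb, "endAddress"),
            "cidr": _text(nb, "cidrLength"),
        }
        for nb in root.findall("r:netBlocks/r:netBlock", NS)
    ]
    return {
        "handle": _text(root, "handle"),
        "org_handle": _text(root, "orgHandle"),
        "parent": _text(root, "parentNetHandle"),
        "net_name": _text(root, "netName"),
        "blocks": blocks,
    }


def check_reassignment(net, expected_org, expected_parent):
    """Return a list of problems; an empty list means the response matches the request.
    The checks below are this example's assumptions, not a Reg-RWS rule."""
    problems = []
    if not net["handle"]:
        problems.append("no net handle assigned")  # the request carried an empty <handle>
    if net["org_handle"] != expected_org:
        problems.append(f"orgHandle {net['org_handle']!r} != {expected_org!r}")
    if net["parent"] != expected_parent:
        problems.append(f"parentNetHandle {net['parent']!r} != {expected_parent!r}")
    if not net["blocks"]:
        problems.append("no netBlock in response")
    for b in net["blocks"]:
        try:
            start = ipaddress.ip_address(b["start"])
            end = ipaddress.ip_address(b["end"])
            # strict=True rejects a startAddress with host bits set for the given cidrLength
            network = ipaddress.ip_network(f"{start}/{b['cidr']}", strict=True)
        except ValueError as exc:
            problems.append(f"malformed netBlock: {exc}")
            continue
        if end != network.broadcast_address:
            problems.append(f"endAddress {end} does not close {network}")
    return problems


if __name__ == "__main__":
    net = parse_net(SAMPLE_RESPONSE)
    print(net["handle"], check_reassignment(net, "HW-1", "NET-10-129-0-0-1"))
```

Feed the body of the HTTP response to `parse_net()` and store the handle only when `check_reassignment()` returns an empty list; when it does not, keep the raw payload together with the URL and method used, since, as the slides note, that is exactly what debugging a Reg-RWS problem requires.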
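The 19 to 108 second IPv6-to-IPv4 "failover" cited in the Dual Stack Transition slides is an operating-system default that an application does not have to inherit. The following Python example is added here and is not from the slides or from ARIN; it shows the mitigation applications use: order getaddrinfo() results IPv6-first but interleaved with IPv4, bound every connect attempt with a short timeout, and fall back at once when the IPv6 path is a black hole. The 0.25 s timeout, the sequential attempt loop, and the sample addresses from the documentation prefixes (2001:db8::10 and 192.0.2.10) are constructed assumptions; Happy Eyeballs as specified in RFC 6555 races the two families in parallel rather than one after the other, which this simplified version does not.

```python
import itertools
import socket
import time

# Per-attempt connect timeout in seconds. Assumption for this example: a short,
# application-level bound instead of the 19-108 s OS-level failover the slides cite.
ATTEMPT_TIMEOUT = 0.25


def order_candidates(addrinfos):
    """Order getaddrinfo()-style tuples: prefer IPv6, but interleave with IPv4 so a
    single dead family never monopolises the attempt list."""
    v6 = [(fam, sa) for fam, _, _, _, sa in addrinfos if fam == socket.AF_INET6]
    v4 = [(fam, sa) for fam, _, _, _, sa in addrinfos if fam == socket.AF_INET]
    ordered = []
    for pair in itertools.zip_longest(v6, v4):
        ordered.extend(p for p in pair if p is not None)
    return ordered


def tcp_connect(family, sockaddr, timeout):
    """Real connector: one bounded TCP connect attempt; raises OSError on failure."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    sock.settimeout(None)
    return sock


def connect_with_fallback(candidates, connector=tcp_connect, timeout=ATTEMPT_TIMEOUT):
    """Try candidates in order; return (sock, family, attempts), where attempts is a
    list of (family name, address, succeeded, seconds) suitable for logging."""
    attempts = []
    for family, sockaddr in candidates:
        started = time.monotonic()
        try:
            sock = connector(family, sockaddr, timeout)
        except OSError:
            attempts.append((family.name, sockaddr[0], False, round(time.monotonic() - started, 3)))
            continue
        attempts.append((family.name, sockaddr[0], True, round(time.monotonic() - started, 3)))
        return sock, family, attempts
    raise OSError(f"all {len(candidates)} candidates failed: {attempts}")


def connect(host, port, **kw):
    """Resolve and connect: IPv6 preferred, quick fallback to IPv4."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return connect_with_fallback(order_candidates(infos), **kw)


# Constructed sample: a dual-stack host whose IPv6 path is an unreachable "island".
SAMPLE_ADDRINFOS = [
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", 443, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 443)),
]


def simulate_v6_island():
    """Offline demonstration: a fake connector times out on every IPv6 attempt and
    succeeds on IPv4. Returns (family name that connected, attempts log)."""
    def fake_connector(family, sockaddr, timeout):
        if family == socket.AF_INET6:
            raise socket.timeout("simulated black-holed IPv6 path")
        return ("fake-socket", sockaddr)

    _, family, attempts = connect_with_fallback(
        order_candidates(SAMPLE_ADDRINFOS), connector=fake_connector)
    return family.name, attempts


if __name__ == "__main__":
    print(simulate_v6_island())
```

The attempts log is the operationally useful part: a fleet-wide count of IPv6 attempts that fail and then succeed over IPv4 is the signal that one of the "islands" or a protocol 41 / ICMPv6 filter described above sits in the path, and it is much cheaper to collect than user complaints about a 108 second hang.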