Fairfield, NJ 10 September 2015. Wireless Access SSID: Password:

Presentation transcript:

Fairfield, NJ 10 September 2015

Wireless Access SSID: Password:

Welcome. Here today from ARIN… Dan Alexander, ARIN Advisory Council Einar Bohlin, Senior Policy Analyst Eddie Diego, Senior Resource Analyst Andy Newton, Chief Engineer Avneet Wadhwani, Senior Software Engineer

Morning Agenda 10: :45 ARIN: Mission, Services and Community Engagement; Einar Bohlin 10:45 - 11:20 Security Overlays on Core Internet Protocols – DNSSEC; Andy Newton 11: :00 Life After IPv4 Depletion: IPv4 Inventory, Waiting List and Transfers; Leslie Nobile 12:00 PM - 1:00 PM Lunch

Afternoon Agenda 1:00 - 1:30 Security Overlays on Core Internet Protocols - Resource Certification (RPKI); Avneet Wadhwani 1:30 - 2:00 Number Resource Policy Discussions and How to Participate; Dan Alexander 2:00 - 2:30 Automating Interactions with ARIN; Avneet Wadhwani 2:30 - 3:00 Moving to IPv6 - Getting IPv6 from ARIN/Current Uptake; Andy Newton and Eddie Diego 3:00 - 3:15 Q&A / Open Mic Session; Einar Bohlin

Let’s Get Started! Self introductions – Name – Organization

ARIN and the RIR System: Mission, Role and Services Einar Bohlin Policy Analyst, Communications and Member Services

What is an RIR? A Regional Internet Registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a particular region of the world. Number resources include IP addresses and autonomous system (AS) numbers.

Regional Internet Registries

RIR Structure Not-for-profit Membership Organization Community Regulated Fee for services, not number resources 100% community funded Open Broad-based - Private sector - Public sector - Civil society Community developed policies Member-elected executive board Open and transparent

Number Resource Organization The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input into the RIR system.

ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.

ARIN’s Service Region The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.

IP Address and Autonomous System Number Provisioning Process

Who is the ARIN community? Anyone with an interest in Internet number resource management in the ARIN region

The ARIN Community includes… 20,000+ customers 5,000+ members 60+ professional staff 7 member Board of Trustees elected by the membership 15 member Advisory Council elected by the membership 3 person Number Resource Organization Number Council elected by the ARIN Community

ARIN Board of Trustees Paul Andersen, Vice Chair and Treasurer Vinton G. Cerf, Chair John Curran, President and CEO Timothy Denton, Secretary Aaron Hughes Bill Sandiford Bill Woodcock

ARIN Advisory Council Dan Alexander, Chair Cathy Aronson Kevin Blumberg, Vice Chair Owen DeLong Andrew Dul David Farmer David Huberman Scott Leibrand Tina Morris Milton Mueller Leif Sawyer Heather Schiller Robert Seastrom John Springer Chris Tacit

ARIN Services and Products ARIN manages: IP address allocations & assignments ASN assignment Transfers Reverse DNS Directory service Whois Routing Information (Internet Routing Registry) WhoWas

ARIN Services and Products ARIN coordinates and administers: Policy Development Community meetings Discussion Publication Elections Information publication and dissemination and public relations Community outreach Education and training

ARIN Services and Products ARIN develops technologies for managing Internet number resources: ARIN Online Community Software Project Repository DNSSEC Resource Certification (RPKI) Whois-RWS Reg-RWS

Globalization of IANA Oversight On 14 March 2014, the US Government announced plans to transition oversight of the IANA functions contract to the global multistakeholder community Current IANA functions contract expires 30 September 2015

NTIA Conditions for Transition Proposal 1. Support and enhance the multi-stakeholder model 2. Maintain the security, stability, and resiliency of the “Internet DNS” 3. Meet the needs and expectation of the global customers and partners of the IANA services 4. Maintain the openness of the Internet

Current Status of IANA Stewardship Proposal Number Resources (RIR community) – CRISP Team: content/uploads/ICG-RFP-Number-Resource-Proposal.pdf - submitted 15 Jan 2015 – Draft Service Level Agreement (SLA) for the IANA Numbering Services – Open for public comment 1 May 2015 – 14 June 2015

IANA Stewardship Proposal – Victory Conditions A proposal submitted to NTIA by July 2015 which meets NTIA’s conditions and provides for transition of IANA stewardship to the global Internet community Community support of the ICG proposal, based on belief that the mechanisms provided for oversight and accountability are appropriate

IANA Stewardship – Potential Implications Successful transition of IANA Stewardship from the USG to the Internet community would be an important validation of the Internet’s multi-stakeholder governance model Inability to transition could raise concerns about the validity of the multi-stakeholder process and fuel discussion of the perceived need for intergovernmental mechanisms for Internet Governance

Join in Internet Governance Discussions Visit ARIN’s webpage: Ways to Participate in Internet Governance

Get 6 – Websites on IPv6

How to Participate in ARIN Attend Public Policy and Members Meetings & Public Policy Consultations – Remote participation available Apply for Meeting Fellowship Discuss policies on Public Policy Mailing List (ppml) Come to outreach events Subscribe to an ARIN mailing list

More Ways to Participate Give your opinion on community consultations Submit a suggestion Contribute to the IPv6 wiki Write a guest blog for TeamARIN.net Connect with us on social media Members – Vote in annual elections

ARIN Mailing Lists ARIN Consultation - Open to the general public. Used in conjunction with the ARIN Consultation and Suggestion Process (ACSP) to gather comments, this list is only open when there is a call for comments ARIN Issued - Read-only list open to the general public. Used by ARIN staff to provide a daily report of IPv4 and IPv6 addresses returned and IPv4 and IPv6 addresses issued directly by ARIN or address blocks returned to ARIN's free pool. ARIN Technical Discussions - Open to the general public. Provided for those interested in providing technical feedback to ARIN on experiences in the use or evaluation of current ARIN services and features in development. ARIN Announce: ARIN Discussion: (members ARIN Public Policy: ARIN Consultation: ARIN Issued: ARIN Technical Discussions: Suggestions:

ARIN on Social Media #ARIN35

Apply now for ARIN 37 April 2016 in Jamaica NEW: Includes attendance at NANOG

Q&A

Security Overlays on Core Internet Protocols – DNSSEC Avneet Wadhwani Software Engineer

Core Internet Protocols Two critical resources that are unsecured – Domain Name Servers – Routing Hard to tell if compromised – From the user point of view – From the ISP/Enterprise Focus on government funding

DNS

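How DNS Works [Diagram: the resolver sends an A question to a caching forwarder (recursive); the forwarder asks a root server and is referred to net (X.gtld-servers.net + glue), asks the gtld server and is referred to arin (ns1.arin.net + glue), asks the arin server, and adds the answer to its cache.]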

Why DNSSEC? What is it? Standard DNS (forward or reverse) responses are not secure – Easy to spoof – Notable malicious attacks DNSSEC attaches signatures – Validates responses – Can not spoof

Reverse DNS at ARIN ARIN issues blocks without any working DNS – Registrant must establish delegations after registration – Then employ DNSSEC if desired Just as susceptible as forward DNS if you do not use DNSSEC

Reverse DNS at ARIN Authority to manage reverse zones follows allocations – “Shared Authority” model – Multiple sub-allocation recipient entities may have authority over a particular zone

Changes completed to make DNSSEC work at ARIN Permit by-delegation management Sign in-addr.arpa. and ip6.arpa. delegations that ARIN manages Create entry method for DS Records – ARIN Online – RESTful interface – Not available via templates

Changes completed to make DNSSEC work at ARIN Only key holders may create and submit Delegation Signer (DS) records DNSSEC users need to have signed a registration services agreement with ARIN to use these services

Reverse DNS in ARIN Online First identify the network that you want to put Reverse DNS nameservers on…

Reverse DNS in ARIN Online …then enter the Reverse DNS nameservers…

DNSSEC in ARIN Online …then apply the DS record to the delegation
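An added example (not from the slides and not ARIN's code) of what a key holder prepares before the DS entry step above: it derives the reverse zone name for a prefix and computes the DS record from the zone's DNSKEY, following RFC 4034. The prefix 192.0.2.0/24 and the 32-byte Ed25519 key are constructed placeholders.

```python
"""Build the DS record for a reverse zone from its DNSKEY (RFC 4034)."""
import base64
import hashlib
import ipaddress
import struct
from typing import NamedTuple

# IANA DS digest type numbers mapped to hash constructors.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample input: a documentation prefix and a placeholder
# 32-byte Ed25519 (DNSSEC algorithm 15) public key. Not real registry data.
SAMPLE_PREFIX = "192.0.2.0/24"
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(1, 33))).decode()


class DS(NamedTuple):
    zone: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

    def text(self) -> str:
        """Presentation format, as it would appear in the parent zone."""
        return (f"{self.zone} IN DS {self.key_tag} {self.algorithm} "
                f"{self.digest_type} {self.digest}")


def reverse_zone(prefix: str) -> str:
    """Return the in-addr.arpa zone for an octet-aligned IPv4 prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 map to a single reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def wire_name(name: str) -> bytes:
    """Canonical wire form: lower-case, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (16 bits), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit ones-complement-style sum)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(zone: str, flags: int, protocol: int, algorithm: int,
            key_b64: str, digest_type: int = 2) -> DS:
    """DS digest = hash(owner name in wire form | DNSKEY RDATA)."""
    if not flags & 0x0100:
        raise ValueError("DNSKEY lacks the Zone Key flag; a DS must not reference it")
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if digest_type not in DIGESTS:
        raise ValueError(f"unsupported digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGESTS[digest_type](wire_name(zone) + rdata).hexdigest().upper()
    return DS(zone, key_tag(rdata), algorithm, digest_type, digest)


if __name__ == "__main__":
    zone = reverse_zone(SAMPLE_PREFIX)
    # Flags 257 = Zone Key + SEP, i.e. a key-signing key.
    print(make_ds(zone, 257, 3, 15, SAMPLE_KEY_B64).text())
```

The key tag, algorithm, digest type and digest in the output are the four fields a DS entry form asks for; a mismatch between them and the DNSKEY actually served by the child zone makes validating resolvers treat the delegation as bogus.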

Reverse DNS: Querying ARIN’s Whois Query for the zone directly: whois> in-addr.arpa Name: in-addr.arpa. Updated: NameServer: AUTHNS2.DNVR.QWEST.NET NameServer: AUTHNS3.STTL.QWEST.NET NameServer: AUTHNS1.MPLS.QWEST.NET Ref:

DNSSEC in Zone Files ; File written on Mon Feb 24 17:00: ; dnssec_signzone version P1-RedHat P1.el5_ in-addr.arpa IN NS NS3.COVAD.COM IN NS NS4.COVAD.COM NSEC 1.74.in-addr.arpa. NS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c 8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT BLP5UClxUWkgvS/6poF+W/1H4QY= ) 1.74.in-addr.arpa IN NS NS3.COVAD.COM IN NS NS4.COVAD.COM NSEC in-addr.arpa. NS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1 mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH sa+5OV7ezX5LCuDvQVp6p0LftAE= )

DNSSEC in Zone Files in-addr.arpa IN NS DNS1.ACTUSA.NET IN NS DNS2.ACTUSA.NET IN NS DNS3.ACTUSA.NET DS ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD 8056 ) DS ( 66E6D421894AFE2AF0B350BD8F4C54D2EBA5 DA72A615FE64BE8EF600C6534CEF ) RRSIG DS ( in-addr.arpa. n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y 6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK nhCY8UOBOYLOLE5Whtk3XOuX9+U= ) NSEC in-addr.arpa. NS DS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe …

DNSSEC Validating Resolvers

Reverse DNS Management and DNSSEC in ARIN Online Available on ARIN’s website

Q&A

Life After IPv4 Depletion Eddie Diego, Senior Resource Analyst

Overview ARIN’s IPv4 inventory Trends and Observations Ways to obtain IP addresses post IPv4 depletion – IPv4 – Transfers – IPv6

Check ARIN’s Available IPv4 Inventory ARIN’s IPv4 inventory published on ARIN’s website: Updated daily 12 am ET

Available IPv4 Inventory Today, only /24s remain to fill general IPv4 requests (104 as of 8/28) – Per policy, ARIN issues only contiguous prefixes (cannot issue multiple /24s to satisfy a request) Excludes space being held or reserved under policy *ARIN has issued ~1 /8 equivalent per year over the past several years

Other IPv4 Inventory Quarantined space (60 day hold) – ~19 /16 equivalents held in “quarantine” to clear filters (returned and revoked space) Reserved space (indefinite hold) – 64 /16s (1 /10) for NRPM 4.10 “Dedicated IPv4 block to facilitate IPv6 Deployment” – ~218 /24s remaining in the original /16 for NRPM 4.4 “Micro-allocation”. 2nd /16 recently added under new policy – ~8 /16 equivalents needing further research (reclaimed space that needs further chain of custody research)

Trends and Observations Surprisingly smooth transition to depletion – Very few complaints or escalations – Community seems to have general understanding of the situation ARIN put depletion plan and communications into place well in advance of the actual event – Most criticism directed at policy not allowing issuance of multiple prefixes More organizations opting to be placed on ARIN’s Wait List for Unmet Resources; 50+ organizations on the list

Post-IPv4 Depletion Options More efficient use of existing IPv4 resources IPv4 Wait List Specified Recipient and Inter-RIR Transfers Adopt IPv6

IPv4 Wait List If ARIN can’t fill your qualified request, you have the option to specify the smallest block size you’ll accept If available, your request will be filled and you’ll be unable to request additional addresses for 3 months If no block available between approved and smallest acceptable, you can be added to the IPv4 Wait List

How the IPv4 Wait List Works Oldest request filled first (based on approval date) – E.g. - if ARIN gets a /16 back and the oldest request is for a /24, we issue a /24 to that org One approved request per organization on the list at a time Limit of one allocation or assignment every 3 months

How Long Might You Wait? IPv4 space can become available periodically – Return = voluntary – Revoke = for cause (usually non-payment) 3.54 /8 equivalents returned/revoked since 2005 – IANA issued – per global policy for “post exhaustion IPv4 allocation mechanisms by IANA” » /11 (issued 5/14), /12 (issued 9/14) and /13 (issued 3/15) by IANA to each RIR Demand will be far greater than availability

Transfers of IPv4 Addresses Mergers and Acquisitions (NRPM 8.2) Transfers to Specified Recipients (NRPM 8.3) Inter-RIR transfers (NRPM 8.4)

Transfers to Specified Recipients (NRPM 8.3) Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources Source – Must be current registrant, no disputes – Not have received addresses from ARIN for 12 months prior – Ineligible for further addresses from ARIN for 12 months after Recipient – Must demonstrate need for 24-month supply under current ARIN policy

Inter-RIR Transfers (NRPM 8.4) RIR must have reciprocal, compatible needs-based policies – Currently APNIC, soon to be RIPE NCC Transfers from ARIN – Source cannot have received IPv4 from ARIN 12 months prior to transfer or receive IPv4 for 12 months after transfer – Must be current registrant, no disputes – Recipient meets destination RIR policies Transfers to ARIN – Must demonstrate need for 24-month supply under current ARIN policy

Pre-approval for Specified Recipient Transfers Pre-approval offered through ARIN online – Based on 24 month need (per policy) – Valid for 2 years (no need for re-verification) Must meet current ARIN policy Can use multiple transfers to fill need without being subject to re-verification

Specified Transfer Listing Service (STLS) Optional service intended to facilitate specified recipient and inter-RIR transfers All participants have access to each other's contact information – Listers: have available IPv4 addresses Resources must be covered under RSA/LRSA – Needers: looking for IPv4 addresses Must be pre-approved under ARIN policy to be listed – Facilitators: available to help listers and needers find each other Public summary provided – Lists number of available and needed IPv4 address blocks

Tips for Faster Transfer Processing Make sure that all registration information is current and accurate Request pre-approval for your 24 month need in advance of the transfer Provide detailed information to support 24 month need Apply under the correct transfer policy

Requesting IPv6 - ISPs Have a previous v4 allocation from ARIN or predecessor registry OR Intend to multi-home OR Provide a technical justification which details at least 50 assignments made within 5 years

Data ARIN Will Typically Ask For - ISPs If requesting more than a /32, a spreadsheet/text file with – # of serving sites (PoPs, datacenters) – # of customers served by largest serving site – Block size to be assigned to each customer (/48 typical)

Requesting IPv6 – End Users Have a v4 direct assignment from ARIN or predecessor registry OR Intend to multi-home OR Show how you will use 2000 IPv6 addresses or 200 IPv6 subnets within a year OR Technical justification as to why provider-assigned IPs are unsuitable

Data ARIN Will Typically Ask For – End users If requesting more than a /48, a spreadsheet/text file with – List of sites in your network Site = distinct geographic location Street address for each – Campus may count as multiple sites Technical justification showing how they’re configured like geographically separate sites

Summary ARIN will deplete its available IPv4 pool sometime this year No perfect solution – CGN = potential problems – Waiting list = uncertainty – Transfers = subject to market prices – IPv6 = transition effort Begin planning now

Security Overlays on Core Internet Protocols – RPKI Avneet Wadhwani Software Engineer

Core Internet Protocols Two critical resources that are unsecured – Domain Name Servers – Routing Hard to tell if compromised – From the user point of view – From the ISP/Enterprise Focus on government funding

Routing

Routing Architecture The Internet uses a two level routing hierarchy: – Interior Routing Protocols, used by each network to determine how to reach all destinations that lie within the network – Interior Routing protocols maintain the current topology of the network

Routing Architecture The Internet uses a two level routing hierarchy: – Exterior Routing Protocol, used to link each component network together into a single whole – Exterior protocols assume that each network is fully interconnected internally

Exterior Routing: BGP BGP is a large set of bilateral (1:1) routing sessions – A tells B all the destinations (prefixes) that A is capable of reaching – B tells A all the destinations that B is capable of reaching

What is RPKI? Resource Public Key Infrastructure Attaches digital certificates to network resources – AS Numbers – IP Addresses Allows ISPs to associate the two – Route Origin Authorizations (ROAs) – Can follow the address allocation chain to the top

What does RPKI accomplish? Allows routers or other processes to validate route origins Simplifies validation authority information – Trust Anchor Locator Distributes trusted information – Through repositories

Resource Cert Validation [Diagram: resource allocation hierarchy with issued certificates: ICANN; AFRINIC, RIPE NCC, APNIC, ARIN, LACNIC; LIR1, ISP2, ISP, ISP4.] Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4

Resource Cert Validation [Same diagram.] 1. Did the matching private key sign this text?

Resource Cert Validation [Same diagram.] 2. Is this certificate valid?

Resource Cert Validation [Same diagram.] 3. Is there a valid certificate path from a Trust Anchor to this certificate?

What does RPKI Create? It creates a repository – RFC 3779 (RPKI) Certificates – ROAs – CRLs – Manifest records

Repository View

./ba/03a5be-ddf a1f9-1ad3f2c39ee6/1:
total 40
-rw-r--r Jun ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
-rw-r--r Jun cKxLCU94umS-qD4DOOkAK0M2US0.cer
-rw-r--r Jun dSmerM6uJGLWMMQTl2esy4xyUAA.crl
-rw-r--r Jun dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
-rw-r--r Jun nB0gDFtWffKk4VWgln-12pdFtE8.roa

A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest

Repository Use Pull down these files using a manifest-validating mechanism Validate the ROAs contained in the repository Communicate with the router marking routes “valid”, “invalid”, “unknown” Up to ISP to use local policy on how to route

Possible Data Flow for Operations RPKI Web interface -> Repository Repository aggregator -> Validator Validated entries -> Route Checking Route checking results -> local routing decisions (based on local policy)
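An added example (not from the slides and not ARIN's code) of the "route checking" step in the flow above: it classifies a BGP announcement as valid, invalid or unknown against validated ROA entries, using the origin-validation rules of RFC 6811 (which calls "unknown" NotFound). The ROA entries, the documentation prefixes and the LOCAL_POLICY table are constructed assumptions; AS65000 is the ASN used on the slides.

```python
"""Route origin validation against validated ROA payloads (RFC 6811)."""
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed validator output: one "origin AS,prefix,maxLength" per line.
SAMPLE_VRPS = """
# origin,prefix,maxLength
AS65000,192.0.2.0/24,24
AS65000,2001:db8::/32,48
AS0,203.0.113.0/24,24
"""

# Hypothetical local policy; each operator chooses its own actions.
LOCAL_POLICY = {"valid": "accept-prefer", "unknown": "accept", "invalid": "reject"}


class VRP(NamedTuple):
    asn: int
    prefix: object  # ipaddress.IPv4Network or ipaddress.IPv6Network
    max_length: int


def parse_vrps(text: str) -> List[VRP]:
    """Parse validated ROA payloads, rejecting impossible maxLength values."""
    vrps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        asn, prefix, max_len = (field.strip() for field in line.split(","))
        net = ipaddress.ip_network(prefix, strict=True)
        max_len = int(max_len)
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"maxLength out of range: {line}")
        asn_num = int(asn[2:]) if asn.upper().startswith("AS") else int(asn)
        vrps.append(VRP(asn_num, net, max_len))
    return vrps


def validate(route: str, origin_asn: int, vrps: List[VRP]) -> Tuple[str, str]:
    """Return (state, reason) for one announcement."""
    net = ipaddress.ip_network(route, strict=True)
    # A VRP covers the route when the route lies inside the VRP prefix.
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "unknown", "no ROA covers this prefix"
    # AS0 in a ROA means "nobody may originate this", so it never matches.
    same_origin = [v for v in covering if v.asn == origin_asn and v.asn != 0]
    if any(net.prefixlen <= v.max_length for v in same_origin):
        return "valid", "origin and prefix length match a ROA"
    if same_origin:
        return "invalid", "more specific than the ROA maxLength"
    return "invalid", "origin AS not authorized by any covering ROA"


def decide(route: str, origin_asn: int, vrps: List[VRP]) -> str:
    """Apply the local policy table to the validation state."""
    state, _reason = validate(route, origin_asn, vrps)
    return LOCAL_POLICY[state]


if __name__ == "__main__":
    table = parse_vrps(SAMPLE_VRPS)
    for prefix, asn in [("192.0.2.0/24", 65000), ("192.0.2.0/24", 65001),
                        ("192.0.2.128/25", 65000), ("198.51.100.0/24", 65000),
                        ("2001:db8:1::/48", 65000), ("203.0.113.0/24", 65002)]:
        state, reason = validate(prefix, asn, table)
        print(f"{prefix:18} AS{asn}: {state:8} ({reason}) -> {LOCAL_POLICY[state]}")
```

The /25 case shows why maxLength matters: a ROA with maxLength equal to the prefix length makes a more-specific announcement invalid even when it comes from the authorized origin AS.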

How you can use ARIN’s RPKI System? Hosted Hosted using ARIN’s RESTful service Delegated using Up/Down Protocol

Hosted RPKI Pros – Easier to use – ARIN managed Cons – No current support for downstream customers to manage their own space (yet) – Tedious through the UI if you have a large network – We hold your private key

Hosted RPKI with RESTful Interface Pros – Easier to use – ARIN managed – Programmatic interface for large networks Cons – No current support for downstream customers to manage their own space (yet) – We hold your private key

Delegated RPKI with Up/Down Pros – You safeguard your own private key – Follows the IETF up/down protocol Cons – Extremely hard to set up – Need to operate your own RPKI environment – More later

Hosted RPKI in ARIN Online

Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.

Delegated with Up/Down

You have to do all the ROA creation Need to set up a CA Have a highly available repository Create a CPS

Q&A

ARIN’s Policy Development Process Current Number Resource Policy Discussions and How to Participate Dan Alexander ARIN Advisory Council

Number Resource Policy Manual ARIN’s Policy Document – Version (29 July 2015) – 39th version Change Logs HTML/PDF/txt

Policy Development Process (PDP) Process Flowchart Proposal Template

PDP Goals "open, transparent, and inclusive manner that allows anyone to participate in the process." "clear, technically sound and useful policies" "Policies, not Processes, Fees, or Services"

Basic Steps 1. Proposal from community member 2. AC works with author to ensure it is clear and in scope 3. AC promotes proposal to Draft Policy for community discussion/feedback (PPML and possibly PPC/PPM) 4. AC recommends fully developed Draft Policy (fair, sound and supported by community) for adoption 5. Recommended Draft Policy must be presented at a face-to-face meeting (PPC/PPM) 6. If AC still recommends adoption, then Last Call, review of last call, and send to Board 7. Board reviews 8. Staff implements

Current Draft Policies/Proposals Implemented recently ARIN : Change Utilization Requirements from last-allocation to total-aggregate ARIN : Remove Operational Reverse DNS Text ARIN : Modification to CI Pool Size per Section Under discussion ARIN : Modification to Criteria for IPv6 Initial End-User Assignments ARIN : Modify 8.4 (Inter-RIR Transfers to Specified Recipients) ARIN : Remove 30 day utilization requirement in end-user IPv4 policy ARIN : Modify 8.2 section to better reflect how ARIN handles reorganizations ARIN : Out of region use ARIN : Transfers and Multi-national Networks ARIN : Simplified requirements for demonstrated need for IPv4 transfers ARIN : Reassignment records for IPv4 End-Users

ARIN : Modification to CI Pool Size per Section 4.4 Increase the pool reserved for Critical Infrastructure (primarily Exchange Points) from a /16 to a /15 Discussion started on the policy list in October 2014 Presented at NANOG 63 in February 2015 Advanced to Recommended state in March Presented at ARIN 35 in April Last call was 27 April thru 11 May 2015 (continued on next slide)

ARIN continued AC reviewed last call, advanced proposal to the Board in May Board review in June – Ensured PDP had been followed – Ensured compliance with law and ARIN’s mission – Adopted Implemented by staff in July 474 /24s available in this pool of address space

How Can You Get Involved? There are two ways to voice your opinion: – Public Policy Mailing List – Public Policy Consultations/Meetings In person or remotely ARIN meetings and Public Policy Consultations at NANOG

Takeaways
Three things
1. ARIN doesn't make up the policy; ARIN implements community created/maintained policy.
2. A policy process exists; if you are unhappy with a policy, there is a way for you to try to change it.
3. If you want to participate, you know where you can voice your opinion ( , in person and remote).

References Policy Development Process Draft Policies and Proposals Number Resource Policy Manual

Q&A

Automating Your Interactions with ARIN Avneet Wadhwani Software Engineer

Why Automate? Interact with ARIN faster Not dependent on ARIN’s systems for user interface issues Build a customized system using standards-based technologies Improved accuracy Integrate multiple services

Why Automate (continued) We have a rich set of interfaces Focused on reliability and completeness Welcome to share your tools with the community at projects.arin.net

REST – Service Summary ARIN’s RESTful Web Services (RWS) – Whois-RWS Provides public Whois data via REST – Reg-RWS (or Registration-RWS) Allows ARIN customers to register and maintain data in a programmatic fashion – Report Request/Retrieval Automation Permits request and download of various ARIN data (subject to AUP) – RPKI using Reg-RWS

What is REST? Representational State Transfer As applied to web services – defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data – “Resources” are addressable in URLs Very popular protocol model – Amazon S3, Yahoo & Google services, …

The BIG Advantage of REST Easily understood – Any modern programmer can incorporate it – Can look like web pages Re-uses HTTP in a simple manner – Many, many clients – Other HTTP advantages This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …

What does it look like? Who can use it? Where the data is. What type of data it is. The ID of the data. It is a standard URL. Anyone can use it. Go ahead, put it into your browser.

Where can more information on REST be found? RESTful Web Services – O’Reilly Media – Leonard Richardson – Sam Ruby

Whois-RWS Publicly accessible, just like traditional Whois Searches and lookups on IP addresses, AS numbers, POCs, Orgs, etc… Very popular – As of October 2014, constitutes 65% of our query load For more information: –

Whois Queries Per Second

RDAP RDAP is a Whois alternative for querying resource registration data from Domain Name Registries (DNRs) and Regional Internet Registries (RIRs). IETF published the RDAP series of RFCs in Q1 of – ARIN has rolled out RDAP – Will be supported by all 5 RIRs and domain registries.

RDAP vs Whois-RWS Both are RESTful services Standardized format used between all RIRs for RDAP RDAP responses offer direct referrals to other RIRs, whereas Whois defines no queries or responses, and interaction with DNRs and RIRs can vary significantly

ARIN RDAP ARIN’s RDAP service (w/ bootstrap) – ARIN’s RDAP service (w/o bootstrap) – Command Line client called NicInfo –

RDAP IP Query wget { "rdapConformance" : [ "rdap_level_0" ], "notices" : [ { "title" : "Terms of Service", "description" : [ "By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use" ], "links" : [ { "value" : " "rel" : "about", "type" : "text/html", "href" : " } ] } ], "handle" : "NET ", "startAddress" : " ", "endAddress" : " ", "ipVersion" : "v4", "name" : "ISOTROPIC-NETWORKS", "parentHandle" : "NET “,...

Bootstrapped Response wget :02: Resolving rdap.arin.net (rdap.arin.net) , 2001:500:13::160 Connecting to rdap.arin.net (rdap.arin.net)| |: connected. HTTP request sent, awaiting response Moved Temporarily Location: [following] :02: Resolving rdap.db.ripe.net (rdap.db.ripe.net) , 2001:67c:2e8:22::c100:68e Connecting to rdap.db.ripe.net (rdap.db.ripe.net)| |: connected. HTTP request sent, awaiting response OK
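
The referral on the "Bootstrapped Response" slide, as an added example (not ARIN's code and not part of the original slides): a client that follows the redirect from rdap.arin.net to rdap.db.ripe.net by hand, accepts only HTTPS referrals to an allowlisted host, and checks that the returned network covers the queried address. The `/ip/` paths, the addresses, handle, name and the allowlist are constructed assumptions, and an in-memory table stands in for the network so the block runs offline.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Assumption: the only RDAP hosts this client accepts as referral targets.
ALLOWED_HOSTS = {"rdap.arin.net", "rdap.db.ripe.net"}

# Constructed replies standing in for the network: URL -> (status, headers, body).
# Hostnames are the two on the slide; addresses, handle and name are made up.
RIPE_BODY = json.dumps({
    "rdapConformance": ["rdap_level_0"], "handle": "EXAMPLE-NET-1",
    "startAddress": "192.0.2.0", "endAddress": "192.0.2.255",
    "ipVersion": "v4", "name": "EXAMPLE-NETWORK"})
FAKE_NET = {
    "https://rdap.arin.net/ip/192.0.2.10":
        (302, {"Location": "https://rdap.db.ripe.net/ip/192.0.2.10"}, ""),
    "https://rdap.db.ripe.net/ip/192.0.2.10": (200, {}, RIPE_BODY),
    "https://rdap.arin.net/ip/198.51.100.7":
        (302, {"Location": "http://rdap.example.invalid/ip/198.51.100.7"}, ""),
    "https://rdap.arin.net/ip/203.0.113.5": (200, {}, RIPE_BODY),  # wrong range
}

def validate(net, addr):
    """Reject a reply that is not RDAP or does not cover the queried address."""
    if "rdap_level_0" not in net.get("rdapConformance", []):
        raise ValueError("not an RDAP level 0 response")
    lo, hi = (ipaddress.ip_address(net[k]) for k in ("startAddress", "endAddress"))
    if {lo.version, hi.version} != {addr.version} or not lo <= addr <= hi:
        raise ValueError("response does not cover the queried address")

def rdap_lookup(ip, start_host="rdap.arin.net", max_hops=3):
    """Query one IP, follow referrals by hand, return (hosts visited, network)."""
    addr = ipaddress.ip_address(ip)
    url, hops = f"https://{start_host}/ip/{addr}", []
    for _ in range(max_hops + 1):
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            raise ValueError(f"refusing referral to {url}")
        hops.append(parts.hostname)
        status, headers, body = FAKE_NET[url]  # stand-in for a GET, redirects off
        if status in (301, 302, 303, 307, 308):
            url = headers["Location"]
            continue
        if status != 200:
            raise LookupError(f"{url} returned HTTP {status}")
        net = json.loads(body)
        validate(net, addr)
        return hops, net
    raise RuntimeError("too many referrals")
```

To use it against a live service, replace the `FAKE_NET[url]` lookup with an HTTP GET that has automatic redirect following turned off, so every hop passes through the scheme and host check.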

RDAP Statistics RDAP Released June 20, 2015 – 51K queries Entity queries: 173 Domain queries: 290 IP queries: Autnum queries: query/2 seconds

Registration RWS (Reg-RWS) Programmatic way to interact with ARIN – Intended to be used for automation – Not meant to be used by humans Useful for ISPs that manage a large number of SWIP records Requires an investment of time to achieve those benefits

Reg-RWS Requires an API Key – You generate one in ARIN Online on the “Web Account” page Permits you to register and manage your data (ORGs, POCs, NETs, ASes) – But only your data More information –

Anatomy of a RESTful request Uses a URL (just like you would type into your browser) Uses a request type, known as a “method”, of GET, PUT, POST or DELETE Usually requires a payload – Adheres to a published structure – Depends upon the type of data – Depends upon the method Method, Payload, and XML schema info is found at “RESTful Provisioning Downloads”

Example – Reassign Detailed Your automated system issues a PUT command to ARIN using the following URL: The payload contains the following data: 4 HW-1 A Reassigned NET HELLOWORLD

Example – Reassign Detailed ARIN’s web server returns the following to your automated system: 4 Tue Jan 25 16:17:18 EST 2011 HW-1 NET A Reassigned NET netName>HELLOWORLD

Reg-RWS Has More Than Templates Only programmatic way to do IPv6 Reassign Simple Only programmatic way to manage Reverse DNS Only programmatic way to access your ARIN tickets

Reg-RWS Adoption

Testing Your Reg-RWS Client We offer an Operational Test & Evaluation environment for Reg-RWS Your real data, but isolated – Helps you develop against a real system without the worry that real data could get corrupted For more information: –

Obtaining RESTful Assistance Pay attention to Method, Payload, and XML schema documents under “RESTful Provisioning Downloads” Or use ARIN Online’s Ask ARIN feature Or use the arin-tech-discuss mailing list – Make sure to subscribe – Someone on the list will help you ASAP – Archives on the web site Registration Services Help Desk telephone not a good fit – Debugging these problems requires a detailed look at the URL, method, and payload being used

Report Request/Retrieval For customer-specific data, access is restricted by user – Permits you to request and retrieve reports – But only your data For public services, you must first sign an AUP or TOU (Bulk Whois, Registered ASNs, WhoWas) – ARIN staff may review your need to access this data Requires an API Key

RPKI thru Reg-RWS Delegated – very complex Hosted – easy but tedious if managing a large network through the UI Solution: Interface to sign ROAs using the RESTful API – Ease of Hosted – Programmatic way of managing a large number of ROAs

Q&A

Fairfield, NJ 9/10/15

Moving to IPv6 Mark Kosters, Chief Technology Officer With some help from Geoff Huston

The Amazing Success of the Internet 2.92 billion users! 4.5 online hours per day per user! 5.5% of GDP for G-20 countries Time Just about anything about the Internet

Success-Disaster

The Original IPv6 Plan [Chart: IPv6 Deployment, IPv6 Transition – Dual Stack, IPv4 Pool Size and Size of the Internet plotted against Time]

The Revised IPv6 Plan [Chart: IPv6 Deployment, IPv6 Transition – Dual Stack, IPv4 Pool Size and Size of the Internet plotted against Date; 2004 marked]

Oops! We were meant to have completed the transition to IPv6 BEFORE we completely exhausted the supply channels of IPv4 addresses!

Today’s Plan [Chart: IPv6 Deployment, IPv4 Pool Size, Size of the Internet and IPv6 Transition plotted against Time; "Today" marked, with labels "?" and "0.8 %"]

Transition... The downside of an end-to-end architecture: – There is no backwards compatibility across protocol families – A V6-only host cannot communicate with a V4-only host We have been forced to undertake a Dual Stack transition: – Provision the entire network with both IPv4 AND IPv6 – In Dual Stack, hosts configure their applications to prefer IPv6 to IPv4 – When the traffic volumes of IPv4 dwindle to insignificant levels, then it’s possible to shut down support for IPv4

Dual Stack Transition... We did not appreciate the operational problems with this dual stack plan while it was just a paper exercise: The combination of an end host preference for IPv6 and a disconnected set of IPv6 “islands” created operational problems – Protocol “failover” from IPv6 to IPv4 takes between 19 and 108 seconds (depending on the operating system configuration) – This is unacceptably slow Attempting to “bridge” the islands with IPv6-in-IPv4 tunnels created a new collection of IPv6 path MTU Discovery operational problems – There are too many deployed network paths containing firewall filters that block all forms of ICMP, including ICMP6 Packet Too Big Attempts to use end-host IPv6 tunneling also present operational problems – Widespread use of protocol 41 (IP-in-IP) firewall filters – Path MTU problems

Dual Stack Transition Signal to the ISPs: – Deploy IPv6 and expose your users to operational problems with IPv6 connectivity Or – Delay IPv6 deployment and wait for these operational issues to be solved by someone else So we wait

And while we wait... The Internet continues its growth. And without an abundant supply of IPv4 addresses to support this level of growth, the industry is increasingly reliant on NATs: – Edge NATs are now the de facto choice for residential broadband services at the CPE – ISP NATs are now the de facto choice for 3G and 4G mobile IP services

What ARIN is hearing from the community Movement to IPv6 is slow – Progress is being made – ISPs carefully rolling out IPv6 Lots of ISPs purchasing CGN boxes There is a market for IP space – Rent by month – Purchase outright

Why is there little immediate need for IPv6? Some of the claims are either not true or overtaken by events – IPv6 gives you better security – IPv6 gives you better routing Some positive things – IPv6 allows for end-to-end networking to occur again – IPv6 has more address bits – It is cheaper per address

2003: Sprint T1 via Sprint Linux Router with Sangoma T1 Card OpenBSD firewall Linux-based WWW, DNS, FTP servers Segregated network, no dual stack (security concerns) A lot of PMTU issues A lot of routing issues Service did improve over the years

2004: Worldcom T1 via Worldcom in Equinix Cisco 2800 router OpenBSD firewall Linux-based ww6, DNS, FTP servers Segregated network, no dual stack (security concerns) A lot of PMTU Issues A lot of routing issues

2006: Equi6IX 100 Mbit/s Ethernet to Equi6IX Transit via OCCAID Cisco 2800 router OpenBSD firewall WWW, DNS, FTP, SMTP Segregated Network Some dual stack

2008: NTT / TiNet IPv Mbit/s to NTT / TiNet Cisco ASR 1000 Router Brocade Load Balancers - IPv6 support was Beta DNS, Whois, IRR, more later Dual stack

Past Meeting Networks IPv6 enabled since 2005 Tunnels to ARIN, others Testbed for transition technology NAT-PT (Cisco, OSS) CGN / NAT-lite IVI Training opportunity For staff & members

ARIN’s Current Challenges for Networking Dual-Stacked Internally – Challenges over time with our VPN (OpenVPN) One interface works with v6 One does not Middleware Boxes – Claims do not support reality (“we support IPv6”) Yes, but… – No 1-1 feature set – Limits ARIN’s ability to support new services like https support for Whois-RWS

So why make the move to IPv6? IPv4 will get more expensive Move to IPv6 will happen when cost is too high for IPv4 Don’t want to be caught with gear that will not support IPv6 before it is end-of-life Need to have some experience on IPv6

Call to Action for IPv6 ISPs should do it now Universities should be teaching and making IPv6 available Businesses should be asking for IPv6 support for gear and services they purchase – Want to be available to all on the Internet – If only IPv4 – may miss some IPv6 clientele Application developers need to integrate IPv6 support – “Preparing Applications for IPv6” – s_for_v6.pdf

Call to Action for IPv6 End user customers – May be behind CGN Impacts speed and services Don’t want to lose in those real-time games! (CoD gamers in particular) – Ask for IPv6 support Faster Better application support Fewer support calls for IPv4

What is ARIN doing about it? What we see with Transfers based on market reality What we see with IPv6 Allocations

Trends and Observations Comparing the past 12 months over the 12 months prior: – 9% increase in IPv4 requests (3641 > 3981) – 18% increase in transfer requests (500 > 648) – 2% increase in IPv6 requests (745 > 758) Now that we have run out of IPv4 (or very close to it) – Activity on the Wait List for redistributions from IANA – Anticipate a larger number of transfer requests

5,196 total members as of 31 July 2015 ISP Members with IPv4 and IPv6

IPv6 over time ARIN IPv6 Allocations and Assignments *As of 30 June

Get IPv6 from ARIN now! Most organizations with IPv4 can get IPv6 without increasing their annual ARIN fees

Learn More IPv6 Info Center

Operational Guidance Deploy360/ ipv6-knowledge-base-general-info bcop.NANOG.org

Q&A / Open Mic Session

Take Aways Apply for IPv6 addresses and get started. Subscribe to a mailing list Participate in ARIN 36 – in person or remotely Apply for a future meeting fellowship Think about implementing DNSSEC/Resource Certification Member organizations please vote Reach out through various channels with questions or suggestions

Apply now for ARIN 37 in Jamaica ml

Fill out & submit the survey for your chance to win a ????? !