Wireless Access: SSID: HHonors PW:Hilton16

Transcription

1 Columbia, SC 30 October 2014

2 Wireless Access: SSID: HHonors PW:Hilton16

3 Welcome. Here today from ARIN Susan Hamlin, Director, Communications and Member Services Andy Newton, Chief Engineer John Sweeting, Advisory Council Chair Jon Worley, Principal Technical Analyst

4 Today s Agenda Welcome and Getting Started ARIN: Mission, Role, and Services IPv4 Inventory, Depletion Projections, Countdown Plan Securing Internet Infrastructure I: DNSSEC IPv4 Waiting List and Transfers LUNCH - 12:00 PM - 1:00 PM Breakout Rooms I & II IPv6 Addresses Automating Interactions with ARIN Other Items of Interest BREAK 2:20 2:30 PM Securing Internet Infrastructure II: RPKI - Andy Newton Current Number Resource Policy Discussions and How to Participate Q&A / Open Microphone Session Optional Ask ARIN - Opportunity for a one-on-one conversation with ARIN staff

5 Let s Get Started! Self introductions Name Organization

6 ARIN: Mission, Role and Services Susan Hamlin Director, Communications and Member Services

7 ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach."

8 ARIN s Service Region ARIN s region includes many (20) Caribbean and North Atlantic islands, Canada and the United States and outlying areas.

9 Regional Internet Registries

10 Who Provisions IP Addresses & ASNs? ICANN IANA RIR ISP/LIR Top level technical coordination of the Internet (Names, Numbers, Root Servers) Manage global unallocated IP address pool Allocate number resources to RIRs Manage regional unallocated IP address pool Allocate number resources to ISPs/LIRs Assign number resources to End-users Manage local IP address pool for use by customers and for infrastructure Allocate number resources to ISPs Assign number resources to End-users

11 ARIN Structure: Not- for- profit Fee for services, not number resources 100% community funded Membership organiza?on (private and public sector, civil society) Member- elected Board of Trustees Community regulated Internet number resource policies developed by the Community Open and transparent

12 ARIN Support Organization

13 ARIN Board of Trustees Paul Andersen, Vice Chair and Treasurer Vinton G. Cerf, Chair John Curran, President and CEO Timothy Denton, Secretary Aaron Hughes Bill Sandiford Bill Woodcock 13

14 ARIN Advisory Council Dan Alexander, Vice Chair Cathy Aronson Kevin Blumberg Bill Darte Owen DeLong Andrew Dul David Farmer Scott Leibrand Tina Morris Milton Mueller Heather Schiller Robert Seastrom John Springer John Sweeting, Chair 14

15 ARIN Services Number Resources Organization Policy Development IP address allocation & assignment ASN assignment Directory services Whois -RWS WhoWas IRR Reverse DNS DNSSEC Resource Certification (RPKI) Community Software Repository Information dissemination Websites Educational materials IPv6 Wiki Social media Meetings Elections Outreach IPv6 Internet Governance Maintain discussion lists Conduct public policy meetings and public policy consultations Publish policy documents

16

17 Information on Joining in the Internet Governance Discussion Visit ARIN s webpage: Ways to Participate in Internet Governance

18 ARIN Community Input 14 March 2014 the US government announced desire to transi?on oversight of the Internet Assigned Numbers Authority (IANA) func?ons contract from the Na?onal Telecommunica?ons and Informa?on Administra?on (NTIA) to the global mul?stakeholder community. Coordina?on Group formed to facilitate the transi?on process input from the Number Resource Organiza?on, Address Suppor?ng Organiza?on, ISOC, IETF, IAB All RIRs will engage their respec?ve communi?es ARIN 34 in Bal?more on agenda and a ly consulta?on via on the issue New mailing list created: iana- transi?on@arin.net Currently ARIN is seeking volunteers to join the Consolidated RIR IANA Stewardship Proposal (CRISP) team h"p://teamarin.net/educa1on/internet- governance/iana- globaliza1on/

19 Participate in ARIN Contribute your Opinions and Ideas: Public Policy Mailing List IPv6 Wiki Attend Public Policy and Members Meetings, Public Public Policy Consultations remote participation Outreach events Submit a suggestion Participate in community consultations Write a guest blog TeamARIN.net Members Vote in annual elections

20 ARIN Mailing Lists ARIN Announce: ARIN Discussion: (members only) ARIN Public Policy: ARIN Consultation: ARIN Issued: ARIN Technical Discussions: Suggestions:

21 Q&A

22 ARIN s IPv4 Inventory, Depletion Projections, and Countdown Plan Jon Worley Principal Technical Analyst

23 ARIN s IPv4 Inventory As of 27 Oct 2014, ARIN has 0.61 /8 equivalents of IPv4 addresses remaining IPv4 inventory published on ARIN s website: Updated 8PM ET

24 Prefix Length Breakdown

25 IPv4 Annual Burn Rate /8 Equivalents Issued

26 ARIN s IPv4 Free Pool /8 Equivalents in ARIN Free Pool

27 Linear Depletion Projection /8 Equivalents in ARIN Free Pool

28 Depletion Notes Could come at any time ARIN has issued 0.41 /8 equivalents in ~2 weeks before Policy requirement to only fill requests with one block will prevent large ISPS from depleting all of the small blocks

29 IPv4 Countdown Plan

30 IPv4 Countdown Plan Phase 4 Started at 1 /8 equivalent left All IPv4 requests team-reviewed and processed on a first in, first out basis Org has 60 days from approval to complete payment and RSA IPv4 hold period drops to 2 months

31 New IPv4 Policy Reduce All Minimum Allocation/ Assignment Units to /24 Will be implemented on 17 Sept 2014 /24 minimum allocation/assignment No longer a multi-homed requirement

32 Minimum Requirements for IPv4 - ISPs ISPs qualify for a /24 by having one /24 reassigned and efficiently used Allocations > /24 based on demonstrated utilization history and renumbering (if applicable) Allocation size not based on predicted customer base (see Slow Start policy NRPM ) 3 month supply per policy

33 IPv4 ISP Data Typically Requested Static: Mapping of static IPs/subnets to customer names and street addresses Dynamic: List of all dynamic pools with prefix/range assigned, area served (location), peak util % Internal Infrastructure: Mapping of internal subnets with description and # IPs used

34 Example

35 Other IPv4 ISP Data Requested Typically ask for: Customer justification data If necessary, may ask for: Customer contact information and proof of customer payments Proof of equipment lease/purchase

36 Minimum Requirements for IPv4 End Users /24 minimum assignment size Show 25% immediate utilization rate (within 30 days) and 50% projected one-year utilization rate If requesting additional assignment, must show that each previous assignment is 80% utilized

37 IPv4 End User Data Requested Subnet mapping for previous ARIN assignments Each subnet with description and # IPs currently used Planned subnet mapping for requested block Each subnet with description, # IPs used within 30 days, # IPs used within one year

38 Example

39 The Bottom Line ARIN has v4 space today, but can t guarantee future availability Plan appropriately to ensure continued growth of your network Waiting List Specified Recipient Transfers IPv6

40 Q&A

41 Securing Internet Infrastructure: Using DNSSEC with ARIN Online Andy Newton Chief Engineer

42 Why DNSSEC? What is it? Standard DNS (forward or reverse) responses are not secure Easy to spoof Notable malicious attacks DNSSEC attaches signatures Validates responses Can not spoof

43 Reverse DNS at ARIN ARIN issues blocks without any working DNS Registrant must establish delegations after registration Then employ DNSSEC if desired Just as susceptible as forward DNS if you do not use DNSSEC

44 Reverse DNS at ARIN Authority to manage reverse zones follows allocations Shared Authority model Multiple sub-allocation recipient entities may have authority over a particular zone

45 Changes completed to make DNSSEC work at ARIN Permit by-delegation management Sign in-addr.arpa. and ip6.arpa. delegations that ARIN manages Create entry method for DS Records ARIN Online RESTful interface Not available via templates

46 Changes completed to make DNSSEC work at ARIN Only key holders may create and submit Delegation Signer (DS) records

47 Reverse DNS in ARIN Online First identify the network that you want to put Reverse DNS nameservers on

48 Reverse DNS in ARIN Online then enter the Reverse DNS nameservers

49 DNSSEC in ARIN Online then apply DS record to apply to the delegation

50 Reverse DNS: Querying ARIN s Whois Query for the zone directly: whois> in-addr.arpa Name: in-addr.arpa. Updated: NameServer: AUTHNS2.DNVR.QWEST.NET NameServer: AUTHNS3.STTL.QWEST.NET NameServer: AUTHNS1.MPLS.QWEST.NET Ref:

51 DNSSEC in Zone Files ; File written on Mon Feb 24 17:00: ; dnssec_signzone version P1-RedHat P1.el5_ in-addr.arpa IN NS NS3.COVAD.COM IN NS NS4.COVAD.COM NSEC 1.74.in-addr.arpa. NS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. onk3gvacwj2j8+ear0pncqnzeqjm8h4w51ns D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c 8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY vwup9tq4ovbxvyusnxriz2mq55iimgdr3nat BLP5UClxUWkgvS/6poF+W/1H4QY= ) 1.74.in-addr.arpa IN NS NS3.COVAD.COM IN NS NS4.COVAD.COM NSEC in-addr.arpa. NS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1 mjams519ghxp2qonnkow6ib6mr5cnkylkl0h lu+ic4buh6dqm4hbjczcmxketwe0a6dmf+th sa+5ov7ezx5lcudvqvp6p0lftae= )

52 DNSSEC in Zone Files in-addr.arpa IN NS DNS1.ACTUSA.NET IN NS DNS2.ACTUSA.NET IN NS DNS3.ACTUSA.NET DS ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD 8056 ) DS ( 66E6D421894AFE2AF0B350BD8F4C54D2EBA5 DA72A615FE64BE8EF600C6534CEF ) RRSIG DS ( in-addr.arpa. n+apxbhuf+sbzqn4lmhzloi0c/hkasvo3q1y 6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l gfrmz9inf2ber435gmsa/nnjpvvww/mbrkxf Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK nhcy8uoboylole5whtk3xoux9+u= ) NSEC in-addr.arpa. NS DS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe

53 Use REG-RWS for Bulk Changes If you have a lot of changes, copy&paste over the Web will be tedious. Use REG-RWS. Or ARINcli (which is a REG-RWS client) Reads zone files

54 DNSSEC Validating Resolvers

55 Reverse DNS Management and DNSSEC in ARIN Online Available on ARIN s website

56 Q&A

57 ARIN s IPv4 Waiting List and the IPv4 Transfer Market Jon Worley Principal Technical Analyst

58 IPv4 Waiting List

59 How It Works If ARIN can t fill a justified request, option to specify smallest acceptable size If no block available between approved and smallest acceptable size, option to go on the waiting list May receive only one allocation every three months Only one request on the list at a time

60 Filling Waiting List Requests Oldest request filled first Example /19 is oldest request /16 returned to ARIN ARIN breaks up the /16 and issues the /19 Subject to re-verification Removed from list once a block is issued

61 IPv4 Churn IPv4 addresses go back into ARIN s free pool 4 ways Return = voluntary Revoke = for cause (usually nonpayment) Reclaimed = fraud or business dissolution IANA issued per global policy for post exhaustion IPv4 allocation mechanisms by IANA 3.54 /8s recovered since 2005 /8 equivalent returned to IANA in 2012 /11(May 2014) & /12 (Sept 2014) issued by IANA

62 Global Policy for Post Exhaustion IPv4 Allocation Mechanisms by the IANA RIRS may return IPv4 space of any prefix size to IANA IANA will issue this returned space in equal allocation sizes to the 5 RIRs twice per year Policy activated when first RIR reaches /9 in its IPv4 inventory (Lacnic in May 2014)

63 Burn Rate vs. Churn Rate # /24s issued # /24s received back

64 Reality Check At the rate at which IPv4 addresses were recovered in 2013, it would take 51 years to fill all of 2013 s approved requests

65 IPv4 Transfer Market

66 Types of Transfers Mergers and Acquisitions (8.2) Transfers to Specified Recipients (8.3) Inter-RIR transfers (8.4)

67 Transfers to Specified Recipients 12 month waiting period (anti-flip provision) Recipient must qualify to receive resources under current ARIN policy Recipient may receive up to a 24 month supply

68 Specified Recipient Transfer Notes 82 transfers completed (53,124 /24s)* Transactions typically arranged through IPv4 brokers *As of Jul 31, 2014

69 Inter-RIR Transfers From ARIN RIR must have reciprocal, compatible needs-based policies Currently: APNIC Under discussion in the RIPE NCC, LACNIC, & AFRINIC regions Org releasing resources must not have received IPv4 from ARIN within the past 12 months Recipient must meet other RIR s Inter-RIR transfer policy requirements

70 Inter-RIR Transfers To ARIN RIR must have reciprocal, compatible needs-based policies Currently: APNIC Recipient must qualify to receive resources under current policy Recipient may request up to a 24 month supply

71 Inter-RIR Transfer Notes 34 transfers completed (5,040 /24s total)* ARIN & APNIC for now Expectation is primarily ARIN to APNIC given the early exhaustion of IPv4 in the APNIC region *As of Jul 31, 2014

72 Specified Transfer Listing Service (STLS) 3 ways to participate Listers: have available IPv4 addresses Needers: looking for more IPv4 addresses Facilitators: available to help listers and needers find each other Major Uses Matchmaking Obtain preapproval for a transaction arranged outside STLS

73 Misconceptions About Specified Recipient Transfers IPv4 transactions will never be allowed Fact: Transfer of unused IPv4 started June 2009 It s a ploy to take my unused addresses back Fact: ARIN does not require the return of address space ARIN recognizes all IPv4 transactions Fact: Must meet policy requirements

74 Tips and Tricks Make sure you are applying under the correct transfer policy Involve ARIN as early as possible Make sure a contemplated specified transfer meets ARIN requirements before finalizing Make sure that all registration information is current and accurate Use ARIN s STLS to pre-qualify Provide detailed information to support 24 month need

75 IPv4 Transfer Market

76 Reality Check Reports say current asking prices are around $10/IPv4 address Prices will likely rise once ARIN s depletes its IPv4 pool (supply and demand) Supply not guaranteed; need willing participants Temporary measure; does not preclude need to transition to IPv6

77 Q&A

78 Lunch Break Take your valuables as the room will not be locked.

79 This Afternoon s Agenda IPv6 Addresses Automating Interactions with ARIN Other Items of Interest BREAK 2:20 2:30 PM Securing Internet Infrastructure II: RPKI - Andy Newton Current Number Resource Policy Discussions and How to Participate Q&A / Open Microphone Session Optional Ask ARIN - Opportunity for a one-on-one conversation with ARIN staff

80 Obtaining IPv6 Address Space Jon Worley Principal Technical Analyst Registration Services Department

81 Why Adopt IPv6? Global IPv4 pool is depleted ARIN s IPv4 free pool will be gone soon IPv4 Waiting list is uncertain and sure to be loooooooooooong IPv4 Transfer Market = $$$$$ How will you continue to grow your network? What other options do you have?

82 Qualifying for IPv6 - ISPs Have a previous v4 allocation from ARIN OR Intend to multi-home OR Provide a technical justification which details at least 50 assignments made within 5 years

83 IPv6 ISP Data Typically Requested If requesting more than a /32, a spreadsheet/text file with # of serving sites (PoPs, datacenters) # of customers served by largest serving site Block size to be assigned to each customer (/48 typical)

84 Qualifying for IPv6 End Users Have a v4 direct assignment OR Intend to multi-home OR Show how you will use 2000 IPv6 addresses or 200 IPv6 subnets within a year OR Technical justification as to why provider-assigned IPs are unsuitable

85 IPv6 End Users Data Requested List of sites in your network Site = distinct geographic location Street address for each Campus may count as multiple sites Technical justification showing how they re configured like geographically separate sites

86 ISP Members with IPv4 and IPv6 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 2010Q3 2011Q3 2012Q3 2013Q3 2014Q3 % IPv4 Only 75% 66% 62% 59% 58% % IPv4 and IPv6 25% 34% 38% 41% 42% *4,818 total members IPv4- only and IPv4+v6 ISPs

87 ARIN Resources IPv6 Info Center

88 Operational Guidance Deploy360/ bcop.nanog.org ipv6-knowledge-base-general-info

89 Q&A

90 Automating Your Interactions with ARIN Andy Newton Chief Engineer

91 Why Automate? Interact with ARIN faster Not dependent on ARIN s systems for user interface issues Build a customized system using standards-based technologies Improved accuracy Integrate multiple services

92 Why Automate (continued) We have a rich set of interfaces Focused on reliability and completeness Welcome to share your tools with the community at projects.arin.net

93 REST Service Summary ARIN s RESTful Web Services (RWS) Whois-RWS Provides public Whois data via REST Reg-RWS (or Registration-RWS) Allows ARIN customers to register and maintain data in a programmatic fashion Report Request/Retrieval Automation Permits request and download of various ARIN data (subject to AUP) RPKI using Reg-RWS

94 What is REST? Representational State Transfer As applied to web services defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data Resources are addressable in URLs Very popular protocol model Amazon S3, Yahoo & Google services,

95 The BIG Advantage of REST Easily understood Any modern programmer can incorporate it Can look like web pages Re-uses HTTP in a simple manner Many, many clients Other HTTP advantages This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr,

96 What does it look like? Who can use it? Where the data is. What type of data it is. The ID of the data. It is a standard URL. Anyone can use it. Go ahead, put it into your browser.

97 Where can more information on REST be found? RESTful Web Services O Reilly Media Leonard Richardson Sam Ruby

98 Whois-RWS Publicly accessible, just like traditional Whois Searches and lookups on IP addresses, AS numbers, POCs, Orgs, etc Very popular As of October 2014, constitutes 65% of our query load For more information:

99 Registration RWS (Reg-RWS) Programmatic way to interact with ARIN Intended to be used for automation Not meant to be used by humans Useful for ISPs that manage a large number of SWIP records Requires an investment of time to achieve those benefits

100 Reg-RWS Requires an API Key You generate one in ARIN Online on the Web Account page Permits you to register and manage your data (ORGs, POCs, NETs, ASes) But only your data More information

101 Anatomy of a RESTful request Uses a URL (just like you would type into your browser) Uses a request type, known as a method, of GET, PUT, POST or DELETE Usually requires a payload Adheres to a published structure Depends upon the type of data Depends upon the method Method, Payload, and XML schema info is found at RESTful Provisioning Downloads

102 Example Reassign Detailed Your automated system issues a PUT command to ARIN using the following URL: The payload contains the following data: <net xmlns="h"p:// > <version>4</version> <comment></comment> <registra1ondate></registra1ondate> <orghandle>hw- 1</orgHandle> <handle></handle> <netblocks> <netblock> <type>a</type> <descrip1on>reassigned</descrip1on> <startaddress> </startaddress> <endaddress> </endaddress> <cidrlength>24</cidrlength> </netblock> </netblocks> <parentnethandle>net </parentNetHandle> <netname>helloworld</netname> <originases></originases> <poclinks></poclinks> </net>

103 Example Reassign Detailed ARIN s web server returns the following to your automated system: <net xmlns="h"p:// > <version>4</version> <comment></comment> <registra1ondate>tue Jan 25 16:17:18 EST 2011</registra1onDate> <orghandle>hw- 1</orgHandle> <handle>net </handle> <netblocks> <netblock> <type>a</type> <descrip1on>reassigned</descrip1on> <startaddress> </startaddress> <endaddress> </endaddress> <cidrlength>24</cidrlength> </netblock> </netblocks> <parentnethandle>net </parentNetHandle> <netname>netname>helloworld</netname> <originases></originases> <poclinks></poclinks> </net>

104 Reg-RWS Has More Than Templates Only programmatic way to do IPv6 Reassign Simple Only programmatic way to manage Reverse DNS Only programmatic way to access your ARIN tickets

105 Reg-RWS adoption at ARIN In Million transactions processed 375K processed via Reg-RWS (34%) 371K processed via Template (34%) Remainder via ARIN Online In Million transactions processed 3.66M processed via Reg-RWS (78%) 488K processed via Template (10%) Remainder via ARIN online

106 Testing Your Reg-RWS Client We offer an Operational Test & Evaluation environment for Reg-RWS Your real data, but isolated Helps you develop against a real system without the worry that real data could get corrupted For more information:

107 Obtaining RESTful Assistance Pay attention to Method, Payload, and XML schema documents under RESTful Provisioning Downloads Or use ARIN Online s Ask ARIN feature Or use the arin-tech-discuss mailing list Make sure to subscribe Someone on the list will help you ASAP Archives on the web site Registration Services Help Desk telephone not a good fit Debugging these problems requires a detailed look at the URL, method, and payload being used

108 Report Request/Retrieval For customer-specific data, access is restricted by user Permits you to request and retrieve reports But only your data For public services, you must first sign an AUP or TOU (Bulk Whois, Registered ASNs, WhoWas) ARIN staff may review your need to access this data Requires an API Key

109 New Feature: RPKI thru Reg-RWS Delegated very complex Hosted easy but tedious if managing a large network through the UI Solution: Interface to sign ROAs using the RESTful API Ease of Hosted Programmatic way of managing a large number of ROAs

110 Whois-RWS and the Future Whois-RWS is ARIN s RESTful interface to Whois. RIPE also has a RESTful interface for Whois but it is not compatible IETF will hopefully be ratifying RDAP by the end of this year. Will be supported by all 5 RIRs and some domain registries.

111 Q&A

112 Other Items of Interest

113 Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN Andy Newton Chief Engineer

114 What is RPKI? Resource Public Key Infrastructure Attaches digital certificates to network resources AS Numbers IP Addresses Allows ISPs to associate the two Route Origin Authorizations (ROAs) Can follow the address allocation chain to the top

115 What does RPKI accomplish? Allows routers or other processes to validate route origins Simplifies validation authority information Trust Anchor Locator Distributes trusted information Through repositories

116 Resource Cert Validation Resource Allocation Hierarchy ICANN AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to originate a route for the prefix /24 ISP2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, ISP4 <isp4-ee-key-priv>

117 Resource Cert Validation Resource Allocation Hierarchy ICANN AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to originate a route for the prefix /24 ISP2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, 1. Did the matching private key ISP4 <isp4-ee-key-priv> sign this text?

118 Resource Cert Validation Resource Allocation Hierarchy ICANN AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to originate a route for the prefix /24 ISP2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, ISP4 <isp4-ee-key-priv> 2. Is this certificate valid?

119 Resource Cert Validation Resource Allocation Hierarchy ICANN AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to originate a route for the prefix /24 ISP2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, 3. Is there a valid certificate path from a ISP4 <isp4-ee-key-priv> Trust Anchor to this certificate?

120 What does RPKI Create? It creates a repository RFC 3779 (RPKI) Certificates ROAs CRLs Manifest records

121 Repository View./ba/03a5be-ddf a1f9-1ad3f2c39ee6/1:! total 40! -rw-r--r Jun ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa! -rw-r--r Jun ckxlcu94ums-qd4dookak0m2us0.cer! -rw-r--r Jun dsmerm6ujglwmmqtl2esy4xyuaa.crl! -rw-r--r Jun dsmerm6ujglwmmqtl2esy4xyuaa.mnf! -rw-r--r Jun nb0gdftwffkk4vwgln-12pdfte8.roa! A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest

122 Repository Use Pull down these files using a manifestvalidating mechanism Validate the ROAs contained in the repository Communicate with the router marking routes valid, invalid, unknown Up to ISP to use local policy on how to route

123 Possible Flow RPKI Web interface -> Repository Repository aggregator -> Validator Validated entries -> Route Checking Route checking results -> local routing decisions (based on local policy)

124 How you can use ARIN s RPKI System? Hosted Hosted using ARIN s RESTful service Delegated using Up/Down Protocol

125 Hosted RPKI Pros Easier to use ARIN managed Cons No current support for downstream customers to manage their own space (yet) Tedious through the UI if you have a large network We hold your private key

126 Hosted RPKI with RESTful Interace Pros Easier to use ARIN managed Programatic interface for large networks Cons No current support for downstream customers to manage their own space (yet) We hold your private key

127 Delegated RPKI with Up/Down Pros You keep your own private key Follows the IETF up/down protocol Cons Extremely hard to setup Need to operate your own RPKI environment

128 Hosted RPKI in ARIN Online

129 Hosted RPKI in ARIN Online

130 Hosted RPKI in ARIN Online

131 Hosted RPKI in ARIN Online

132 Hosted RPKI in ARIN Online SAMPLE- ORG

133 Hosted RPKI in ARIN Online SAMPLE- ORG

134 Hosted RPKI in ARIN Online

135 Your ROA request is automatically processed and the ROA is placed in ARIN s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.

136 Delegated with Up/Down

137 Delegated with Up/Down

138 Delegated with Up/Down

139 Delegated with Up/Down You have to do all the ROA creation Need to setup a CA Have a highly available repository Create a CPS

140 Updates within RPKI outside of ARIN The four other RIRs are in production with Hosted CA services ARIN and APNIC have delegated working for the public Major routing vendor support being tested Announcement of public domain routing code support

141 ARIN Status Hosted CA deployed 15 Sept 2012 Web Delegated CA deployed 16 Feb 2013 (now deprecated) Delegated using Up/Down protocol deployed 7 Sept 2013 RESTful interface deployed 1 Feb 2014

142 RPKI Usage Oct 2012 Apr 2013 Oct 2013 Apr 2014 RPAs Signed Certified Orgs ROAs Covered Resources Web Delegated Up/Down Delegated

143 Why is this important? Provides more credibility to identify resource holders Leads to better routing security

144 Q&A

145 ARIN s Policy Development Process Current Number Resource Policy Discussions and How to Participate John Sweeting Chair, ARIN Advisory Council

146 Policy Development Process (PDP) Flowchart Proposal Template Archive Petitions

147 Policy Development Principles Open Developed in open forum Public Policy Mailing List Public Policy Meetings / Consultations Anyone can participate Transparent All aspects documented and available on website Policy process, meetings, and policies Bottom-up Policies developed by the community Staff implements, but does not make policy

148 Who Plays a Role in the Policy Process? Community Submits proposals Participates in discussions and petitions Advisory Council (elected volunteers) Facilitates the policy process Develops policy that: enables fair and impartial resource administration is technically sound is supported by the Community Determines consensus based on community input

149 Roles ARIN Board of Trustees (elected volunteers) Provides corporate fiduciary oversight Ensures the policy process has been followed Adopts policies ARIN Staff Provides feedback to community Staff and legal assessments Policy experience reports Implements adopted policies

150 Basic Steps 1. Proposal from community member 2. AC works with author ensure it is clear and in scope 3. AC promotes proposal to Draft Policy for community discussion/feedback (PPML and possibly PPC/PPM) 4. AC recommends fully developed Draft Policy (fair, sound and supported by community) for adoption 5. Recommended Draft Policy must be presented at a face-to-face meeting (PPC/PPM) 6. If AC still recommends adoption, then Last Call, review of last call, and send to Board 7. Board reviews 8. Staff implements

151 Petitions Petitions available for: Delay by the AC Proposal to Draft Policy (after 60 days) Draft to Recommended Draft (after 90) Last Call (after 60) Board (after 60) Abandonment Rejection (proposals out of scope) Petitions begin with 5 day duration, needing support from 10 people from 10 different organizations (later stages require more people) Despite low bar, attempted petitions are rare

152 Number Resource Policy Manual ARIN s Policy Document Version (17 September 2014) 35th version Contains Change Logs HTML/PDF/txt

153 Policies in the NRPM ARIN Principles IPv4 Address Space IPv6 Address Space Autonomous System Numbers (ASNs) Directory Services (Whois) Reverse DNS (in-addr) Transfers Experimental Assignments Resource Review Policy

154 Current Draft Policies/Proposals Recommended Draft Policies ARIN : Resolve Conflict Between RSA and 8.2 Utilization Requirements Last call October

155 Current Draft Policies/Proposals Draft Policies 1. ARIN : Out of Region Use 2. ARIN : Remove 7.1 [Maintaining IN-ADDRs] 3. ARIN : Removing Needs Test from Small IPv4 Transfers 4. ARIN : Change Utilization Requirements from lastallocation to total-aggregate 5. ARIN : New MDN Allocation Based on Past Utilization Draft Policy Recently abandoned: ARIN : Allow Inter-RIR ASN Transfers ARIN : Section 4.10 Austerity Policy Update ARIN : Simplifying Minimum Allocations and Assignments ARIN : Transfer Policy Slow Start and Simplified Needs Verification

156 Recently Adopted Policy 1. ARIN : NRPM 4 (IPv4) Policy Cleanup 2. ARIN : Subsequent Allocations for New Multiple Discrete Networks 3. ARIN : Remove 7.2 Lame Delegations 4. ARIN : Anti-hijack Policy 5. ARIN : Reduce All Minimum Allocation/Assignment Units to /24

157 How Can You Get Involved? There are two ways to voice your opinion: Public Policy Mailing List Public Policy Consultations/Meetings In person or remotely ARIN meetings and PPCs at NANOG

158 Public Policy Mailing List (PPML) Open to anyone Easy to subscribe to Contains: ideas, proposals, draft policies, last calls, announcements of adoption and implementation, petitions, and more Archived RSS feed available

159 ARIN Meetings Two ARIN meetings a year Attend and participate in person or remotely Check the ARIN Participate/Meetings site a few weeks prior to meeting Look at the Proposals/Draft Policies on Agenda (what and when?) Get a copy of the Discussion Guide (summaries and text) Attend/log in and state your opinion Additional Public Policy Consultations Currently being held during NANOG meetings Potential for additional ones in different venues in the future

160 Advisory Council Meetings Teleconference meetings held monthly (currently the third Thursday of the month) AC meeting results Watch PPML for AC s decisions (once a month) Read AC meeting minutes Draft Policies good or bad ideas, for or against? Last Calls For or against?

161 References Policy Development Process Draft Policies and Proposals Number Resource Policy Manual

162 Q&A

163 Q&A / Open Mic Session

164 Apply now for ARIN 35 April 2015 in San Francisco

165 Fill out & submit the survey for your chance to win a $100 Amazon Gift Card!

166 Ask ARIN ARIN staff available for your questions one-on-one

167 167 Historical Timeline

168 168 Historical Timeline