BRINGING YOU ANSWERS SASKATOON, SK 14 SEPTEMBER 2017

Transcription

1 BRINGING YOU ANSWERS SASKATOON, SK 14 SEPTEMBER 2017

2 Here Today From ARIN Eddie Diego, Senior Resource Analyst Susan Hamlin, Director Communications and Member Services Alyssa Moore, ARIN Advisory Council Andy Newton, Chief Engineer Bill Sandiford, ARIN Board of Trustees Jon Worley, Technical Services Manager (Registration Services)

3 Let s Get Started! Housekeeping items Self introductions: One question you would like answered today? Wireless: Connect to Guest Tek, Password: River

4 9:30-9:45 AM Welcome and Introductions 9:45-10:15 AM ARIN Mission and Services 10:15-10:45 AM ARIN Technical Services Break Morning Agenda 10:55 11:30 AM ARIN Internet Number Resource Policy 11:30 Noon DNSSEC Noon - 1:00 PM Lunch

5 1:00-1:50 PM Life After IPv4 1:50-2:20 PM Resource Certification (RPKI) Break Afternoon Agenda 2:30-3:15 PM Everything You Ever Wanted To Know About IPv6 3:15 3:30 PM Saskatoon s IXP 3:45 4:00 PM Open Mic and Wrap Up pocket presentation: Whois Accuracy

6 ARIN and the RIR System: Mission, Role and Services Bill Sandiford ARIN Board of Trustees

7 What do the RIRs do? Manage the distribution of IP addresses and Autonomous System numbers (ASNs) Provide reverse DNS and a public Whois database Support Internet infrastructure through technical coordination

8 Regional Internet Registries

9 ARIN s Service Region The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.

10 The RIRs are Independent Not-for-profit Fee for services, not number resources 100% community funded Membership-based Internet service providers (ISPs), telecommunication organizations and large corporations Community Regulated Community developed policies Member-elected governing boards Open and transparent

11 Distribution of IP Addresses

12 ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.

13 The ARIN Community includes 37,000+ organizations served 20,000+ customers paying fees for services 5,600+ members 80+ professional staff and anyone with an interest in Internet number resource management in the ARIN region.

14 Community-based Leadership ARIN is governed by individuals who are elected by our membership. Board of Trustees: 6 elected, 3 year terms Advisory Council: 15 elected, 3 year terms Number Resource Organization Number Council 2 elected, 3 year terms; 1 member appointed by the ARIN Board

15 Board of Trustees 8 Member Board of Trustees 6 elected by the membership 1 (optionally) appointed by the BoT President and CEO also a member all voting 2 seats open each election/year Ability to appoint an additional voting member for diversity Maintains authority over the scope, mission, and establishes the strategic direction and fiscal oversight

16 Advisory Council 15 Member Advisory Council Elected by the membership 5 seats open each year/election Serves in an advisory capacity to the Board on Internet number resource policy and related matters Forwards consensus-based policy proposals to the Board for ratification

17 NRO NC/ ASO AC Number Resource Organization Number Council (NRO NC) Address Supporting Organization Advisory Council (ASO AC) 15 member body/3 per RIR 2 elected and one appointed Global policy development process Selects ICANN Board seats 9 and 10 Provides advice to the ICANN Board on number resource allocation policy, in conjunction with the RIRs

18 Strategic Planning ARIN performs its mission according to a Strategic Plan. Updated annually, this plan drives the creation of organizational objectives and the internal work plan. ARIN s Strategic Plan And Objectives:

19 2017 Organizational Objectives Maintain accountability to membership Perform audits (security, registration services) Make Board aware of community needs for services Participate in global discussions to maintain the community-based multi-stakeholder policy development model Conduct two ARIN Public Policy and Member meetings Maintain a strong outreach in the Caribbean

20 2017 Organizational Objectives Support law enforcement efforts consistent with ARIN s mission Support community discussions on global routing table management Continue IPv4/IPv6 transition awareness campaign Continue to review and enhance online services, including making significant user interface improvements per user feedback and customer survey

21 ARIN Manages: IP address allocations & assignments ASN assignment Transfers Reverse DNS Record Maintenance Directory services Whois, Whowas...

22 ARIN Services ARIN Online (customer web portal) Security (DNSSEC, RPKI) Community Software Project Repository Whois-RWS Whois and Registration Data Access Protocol (RDAP) directory services Operational Test & Evaluation (OT&E) Environment

23 Training and Education Educational Materials library Instructional Video Library In-person Training/Education ARIN on the Road ARIN + NANOG on the Road Other fora upon request

24 Outreach & Community Engagement Policy Development through Public Policy Meetings and Consultations Work closely with the technical community to ensure education, empowerment, engagement Collaborate with Caribbean organizations to maximize inclusion

25 Global Community Engagement Foster working relationships on a global scale Be a key technical resource Support cooperation and direct involvement alongside governments and international organizations

26 IPv6 Outreach Get6 - teamarin.net/get6/ Focus on getting public websites IPv6-enabled Featuring Forward Thinkers who have done it already Wiki list of IPv6 webhosters, DNS providers, trainers, & consultants - getipv6.info

27 ARIN Mailing Lists ARIN Announce: ARIN Discussion: (members only) ARIN Public Policy: ARIN Consultation: ARIN Issued: ARIN Technical Discussions: Suggestions:

28 You Can Participate! Subscribe to an ARIN mailing list Attend a Public Policy and Members Meetings (remote participation available) Voice your opinion - ARIN s Consultation and Suggestion Process Volunteer Committees of the Board: Fellowship Selection, Nomination, Mailing List Acceptable Use Policy and serves as a Meeting Mentor Write a guest blog for TeamARIN.net Members Vote in annual elections

29 Questions & Discussion

30 ARIN Technical Services Andy Newton Chief Engineer

31 How Many Records Do We Manage? Networks Direct Indirect ASNs Reverse DNS Delegations Organizations Org IDs Customers Points of Contact Web Users... for a grand total of?

32 Networks: 3,069,469 Direct: 57,764 Indirect: 3,011,705 ASNs: 25,920 Almost 8 Million! Reverse DNS Delegations: 606,584 Organizations: 3,183,197 Org IDs: 733,927 Customers: 2,449,270 Points of Contact: 725,975 Web Users: 121, for a grand total of 7,732,279

33 Major Technical Service Areas Core Registry Functions (ARIN Online) Resource Registration & Management Whois Reverse DNS New Services Web-based reassignment management (SWiP-EZ) DNSSEC & RPKI WhoWas RDAP RESTful Interfaces Operational Test & Evaluation Environment (OT&E) Technical Support

34 Core Registry Services ARIN Online Registering ASNs and IPv4/IPv6 blocks Including reassignments and reallocations Transferring ASNs and IPv4/IPv6 blocks Managing org & contact information Managing reverse DNS & RPKI Bulk Whois and WhoWas Reports Invoices and Bill Payment All now available via ARIN Online

35 ARIN Online - Total Users 140, , , , ,000 92,866 80,000 60,000 49,524 64,185 78,074 40,000 20, ,831 12,799 2,

36 ARIN Online Usage Frequency # Users 90,000 80,000 70,000 60,000 50,000 40,000 30,000 20,000 10, ,607 Occasional (0-5 Logins) 23,438 Regular (6-25 Logins) 10,921 Active ( Logins) One user logged in 1,319,292 times! 1,533 Very Active (> 100 Logins)

37 Web-Based Reassignment Management Manage customer reassignments (SWIPs) via ARIN Online Comprehensive reassignment report Generates a spreadsheet of all reassignments made from your space along with holes (unassigned space) Recommended for ISPs managing a small number of records

38 DNSSEC & RPKI Security for core Internet protocols Stay tuned for details...

39 WhoWas Spreadsheet with registration history for one ASN/IP address Requested by the community Common uses include Researching the history of an IPv4 block prior to entering into a transfer Investigating possible unauthorized changes Law enforcement

40 Registration Data Access Protocol (RDAP) Designed by the IETF to replace Whois Whois was designed for humans to read, not for machines to interact with Provides standardized HTTP-based RESTful JSON responses Plays well with machines Can offer referral responses If you ask ARIN for a record that s held by another RIR, we point you to it

41 RDAP In Action Client Bootstrap Server ARIN APNIC ? Ask ARIN ? Ask APNIC ? JSON

42 Automating With REST Services Reg-RWS Reassignments (SWiP) Reports DNS / RPKI Management Whois RDAP Whois-RWS

43 What is REST? REpresentational State Transfer Uses HTTP & URLs to create, read, update, and delete data Widespread industry adoption Easily understood Any modern programmer can incorporate it

44 The BIG Advantage of REST Allows you to automate your interactions with ARIN Customer reassignment management Reverse DNS management Can use existing tools ARINcli 6connect Or, write your own!

45 What does REST look like? Where the data is. What type of data it is. The ID of the data. It s a standard URL. Anyone can use it. Go ahead, put it into your browser. We dare you.

46 Reg-RWS Transactions (cumulative restful/templates) 7,000,000 6,000,000 5,000,000 4,000, M 1.0M 4.3M 1.3M 4.7M 1.5M 5.0M 1.7M 5.6M 2.0M 6.0M 6.2M 2.2M 2.4M 6.5M 2.5M 3,000,000 2,000,000 1,000, k 40k 596k 320k 846k 841k 0

47 For more information RESTful Web Services O Reilly Media Leonard Richardson Sam Ruby

48 Operational Test & Evaluation (OT&E) Lots of people test in production Is not the best place to test Things do get stuck may impact others Operational Test & Evaluation Goodness of OT&E Place to test code/processes All services now under ote.arin.net except Need to register to participate

49 Ask ARIN Technical Support Phone Help Desk 7AM 7PM ET M-F support via arin-tech-discuss mailing list Make sure to subscribe Archives contain useful information

50 In the works a new design!

51 Q&A

52 ARIN Internet Number Resource Policy your participation matters Alyssa Moore ARIN Advisory Council

53 ARIN s Policy Development Process Video

54 What Do Internet Number Resource Policies Do? ARIN applies policies to the management of Internet number resources and certain directory and registry services. Policies are given effect through the application of business rules and operating procedures

55 What is the NRPM? The Number Resource Policy Manual (NRPM) is the collection of all ARIN policies, arranged by topic. Topics include: Definitions Directory Services IPv4 IPv6 AS Numbers Transfers View the NRPM at:

56 Policy Example NRPM End-users ARIN assigns blocks of IP addresses to end-users who request address space for their internal use in running their own networks, but not for sub-delegation of those addresses outside their organization. End-users must meet the requirements described in these guidelines for justifying the assignment of an address block.

57 Policy Principles Internet number resource policy must: Enable fair and impartial number resource administration Be technically sound (providing for uniqueness and usability of number resources) Have support from the community

58 Where do Policies Come From? Proposals for policy change can come from anyone, and follow a basic template: Proposals go to policy@arin.net

59 Policy Development Process (PDP) 1) Proposal Someone sends a Proposal to policy@arin.net using the approved template 2) The Advisory Council (AC) Chair assigns AC shepherds Shepherds manage the Proposal, working closely with the author(s) and encourage feedback To be accepted as a Draft Policy, a proposal must contain a clear problem statement and be within the scope of ARIN's mission 3) Draft Policy- Work in progress, discussed on the mailing list and at Public Policy Meetings and Consultations Once a Draft Policy meets the Principles of Internet Number Resource Policy, the AC may recommended it for adoption

60 Policy Development Process (PDP) continued 4) Recommended Draft Policy More discussion and presentation at meeting(s). Does the community support turning this into policy? 5) Last call 6) Board Review and Adoption 7) Staff Implementation (NRPM)

61 Petitions The community may petition for or against several AC actions, including: Against the rejection of a Proposal Against the abandonment of a Draft Policy or Recommended Draft Policy For the movement of a Proposal to Draft Policy status For the movement of a Draft Policy to Recommended Draft Policy status Movement of a Recommended Draft Policy to Last Call status

62 Principles of the PDP Open Developed in open forums Anyone can participate Transparent All aspects documented and available on website Bottom-up Policies developed by the community Staff implements, but does not make policy

63 The Importance of Participation A single community member can propose a policy change, or spark an important discussion in support or opposition to a potential change. Many significant policies have gone through the entire PDP with only a handful of voices speaking for or against them.

64 Example: ARIN Purpose: reduce the minimum allocation/assignment size to /24 for all networks, whether end-user or ISP, and whether single or multi-homed. Discussion was extensive; many voices spoke up about how a minimum of /24 would help the community pre- and post- depletion, and PPML saw an extended last call. How Many Community Members Did it Take to Bring ARIN to Fruition?

65 Twenty-six! Out of 1,850+ PPML subscribers: Ten total contributors PPC at NANOG 61 Show of Hands Total attendees/remote participants: 49 In favor: 16 Against: 0 Board ratified in August 2014 Staff implemented one month later

66 Recently Adopted Policies ARIN : Alternative simplified criteria for justifying small IPv4 transfers Allows orgs to double holdings up to a /16 with 80% prior utilization. ARIN : Streamline Merger & Acquisition Transfers Removes additional needs test for combined resources of acquiring/acquired orgs

67 Draft Policies Under Discussion ARIN : Update to NPRM 3.6: Annual Whois POC Validation ARIN : Remove Reciprocity Requirement for Inter-RIR Transfers ARIN : Improved IPv6 Registration Requirements ARIN : Improve Reciprocity Requirement for Inter-RIR Transfers ARIN : Amend the Definition of Community Network

68 Takeaways ARIN doesn't create number policy, you do, and it s as easy as submitting a Proposal. Policy development includes assistance from the Advisory Council throughout the process. Stay informed. Join the policy list and/or attend meetings (in person or remotely).

69 References Policy Development Process (PDP) Draft Policies and Proposals Number Resource Policy Manual (NRPM)

70 Q&A

71 Securing Core Internet Functions - DNSSEC Andy Newton Chief Engineer

72 What is DNSSEC? A DNS extension which authenticates responses When you ask how to get to DNSSEC verifies the answer is from ARIN and not someone pretending to be us Doesn t ensure the answer is correct, just that it s coming from the right place

73 Why is DNSSEC Important? Standard DNS is not secure Trivial to spoof (provide false responses)... so an attacker can redirect people looking for to his own site... and then steal login information. DNSSEC is (surprise) secure An attacker can try to redirect traffic, but DNSSEC will show it s not a valid response

74 DNS Cache Poisoning Attacker gives the nameserver a poisoned (incorrect) response to If accepted, this nameserver will direct people to the fake site, typically for hours... and any nameservers that trust the poisoned one will also become poisoned.

75 Case Study: Kashpureff Attack Eugene Kashpureff didn t like Internic s control of top level domains In 1996, he used DNS cache poisoning to redirect Internic traffic to his own site Kashpureff was eventually convicted of computer fraud This attack could have been prevented with DNSSEC

76 Case Study: Kaminsky Flaw 2008: Dan Kaminsky discovered a fundamental flaw in the DNS protocol 65,536 Transaction IDs in DNS makes it easy to guess the right one & spoof Updates to DNS software makes this flaw more difficult to exploit, but not impossible These attacks can be prevented with DNSSEC

77 Case Study: Bradesco Bradesco is a bank in Brazil DNS cache poisoning attack resulted in 1% of the bank s customers being redirected to a fake site Getting login credentials for 1% of a large bank s customers could be disastrous Networks not using DNSSEC are vulnerable to a similar attack

78 Other Uses 1. Protect DKIM & SPF Without DNSSEC, an attacker can make use your addresses for spam. 2. SSH Initial Host Key Exchange Protect SSH Fingerprint (SSHFP) records. 3. PGP Key Distribution Use _pka records to distribute PGP keys easily usable by GnuPG 4. DANE Coming standard from the IETF to use DNS as a global public key infrastructure.

79 DNSSEC Usage Statistics ARIN 39 Number of Orgs with DNSSEC 139 Total Number of Delegations 620,412 DNSSEC Secured Zones 671 Percentage Secured 0.11 %

80 Using DNSSEC with ARIN Remember: this is for reverse DNS, not forward DNS Use your DNS server software to: Generate your key pair Create DS records to upload to ARIN via ARIN Online or Reg-RWS Sign your DNS zones

81 DNSSEC Configuration Ensure the required DNSKEY, RRSIG, NSEC, and DS records are published in your nameservers Consult your zone file.. ARIN provides only reverse DNSSEC Make sure to also secure your forward DNS through your domain registrar

82 How It Works DNSSEC adds new resource records into your zone file. These records are signed off-line. Two types of public/private key pairs Zone Signing Key (ZSK) is used to sign records in the zone Key Signing Key (KSK) signs the ZSK. Usually longer lived than the ZSK.

83 Signed & Unsigned Zones in-addr.arpa IN SOA ns1.arin.net. dns-ops.arin.net in-addr.arpa IN NS ns1.arin.net in-addr.arpa IN NS ns2.arin.net in-addr.arpa IN NS ns2.lacnic.net in-addr.arpa IN NS sec1.apnic.net in-addr.arpa IN NS sec1.authdns.ripe.net in-addr.arpa IN PTR host arin.net in-addr.arpa IN PTR host arin.net in-addr.arpa IN SOA ns1.arin.net. dns-ops.arin.net in-addr.arpa IN RRSIG NSEC in-addr.arpa. p33dgtslyg/qoduon6xgrfuwfrdildyqtjfl/i077alza/usj0r3furj 3FikILZOodCWez0yiKYwKaUYlGiFgZyWSlDTrbMgnLBG162tQrby8wAQ Ke1mOYRBdSOT6swRzhJx6rRRSH4C0/3YpQqmKZsplQisyTdbykhy4N3h 38M= in-addr.arpa IN DNSKEY AwEAAXCN3mUJUntP90L4F4oNxxlzKFos9FYD0wxTqxoWueBjFVAvS9vt FSAC7sV4yqKF3NbOOgk81Ep8n8BLZ3vvhnL8/y6Gf3K+d/yvK248ZWR6 +r+aasv6icmeloqhajzuam/emrlj4kj96lvjfvmewdpnnsyzen30ofpc sswvvamh in-addr.arpa IN NSEC in-addr.arpa. NS SOA RRSIG NSEC DNSKEY in-addr.arpa IN NS ns1.arin.net in-addr.arpa IN PTR host arin.net. A signed zone file will have RRSIG, NSEC, and DNSKEY records.

84 New Record Types DNSKEY records holding the public zone signing key and key signing key RRSIG records holding the cryptographic signatures of the other DNS records NSEC records cryptographically stitching the other records together DS these point to your zone like an NS record (needed in the parent zone)

85 How Do I Know It s Working? Use a DNSSEC validating resolver. Popular options include:

86 Takeaways If you re not using DNSSEC, you re vulnerable to a DNS cache poisoning attack Plenty of readily available documentation regarding implementation details If we can help, contact us

87 Q&A

88 LUNCH Starting back at 1:00 PM

89 Life After IPv4 Depletion Jon Worley Technical Services Manager

90 Overview IPv4 Request Activity Reserved IPv4 Space IPv4 Waiting List IPv4 Transfer Market Specified Transfer Listing Service (STLS)

91 IPv4 Requests Since Depletion Jul-15 Aug-15 Sep-15 Oct-15 Nov-15 Dec-15 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 Aug-16 Sep-16 Oct-16 Nov-16 Dec-16 Jan-17 Feb-17 Mar-17 Apr-17 May-17 Jun-17 Jul-17 Aug-17

92 IPv4 Waiting List Requesters have the waiting list option Initial /21 (ISP) or /24 (EU) with no justification Larger blocks based on 24 month need Requester may specify a smaller acceptable size One request per org on the list at a time Oldest requests filled first Requests met by transfer are removed

93 IPv4 Waiting List Block Sources IANA Redistribution (2x a year) Down from /11 May 2014 to /19 March 2017 Returned IPv4 Blocks Revoked IPv4 Blocks Generally for nonpayment Lengthy review process before reissue

94 Reissue Review Process RSD analyzes returned/revoked blocks Unrouted blocks get priority over routed blocks Need verification the return/revoke was done properly FSD confirms fees unpaid & notices sent Meeting held to confirm reissue Legal review 4 management team signatures required blocks reviewed in each meeting 328 blocks currently in the review process

95 IPv4 Waiting List Growth

96 IPv4 Waiting List Statistics Of the 799 requests added: 342 (43%) have been filled Last request filled waited ~13 months 187 (23%) dropped off Most got IPv4 via the transfer market 270 (38%) still waiting Oldest added 9 Aug 2015

97 Waiting Time Of the 342 completed requests: Average 15 months wait Longest wait: 24 months Of the 187 closed requests: Average 7 months before close Longest wait: 21 months (filled via transfer)

98 IPv4 Critical Infrastructure Reserve 2 /16s reserved for: Public exchange points ICANN-sanctioned Core DNS operators RIRs IANA New gtlds not eligible 13.1% used

99 Reserved IPv4 for IPv6 Deployment... stay tuned. J We ll discuss this policy in the IPv6 presentation.

100 IPv4 Transfer Policies Mergers and Acquisitions (NRPM 8.2) Traditional transfer resulting from a merger, acquisition, or reorganization supported by legal documentation Transfers to Specified Recipients (NRPM 8.3) IPv4 market transfer from one organization to another that it specifies, supported by justified need (within region) Inter-RIR transfers to Specified Recipients (NRPM 8.4) IPv4 market transfer from one organization to another that it specifies, supported by justified need (between regions)

101 Specified Recipient Transfer Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources Source Must be current registrant, no disputes Not have received addresses from ARIN for 12 months prior Recipient Demonstrate need for 24-month supply under current ARIN policy

102 Specified Recipient Transfer Growth Jul-15 Aug-15 Sep-15 Oct-15 Nov-15 Dec-15 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 Aug-16 Sep-16 Oct-16 Nov-16 Dec-16 Jan-17 Feb-17 Mar-17 Apr-17 May-17 Jun-17 Jul-17 Aug-17

103 Inter-RIR Transfers RIR must have reciprocal, compatible needs-based policies Currently APNIC and RIPE NCC Transfers from ARIN Source cannot have received IPv4 from ARIN 12 months prior to transfer Must be current registrant, no disputes Recipient meets destination RIR policies Transfers to ARIN Must demonstrate need for 24-month supply under current ARIN policy

104 Inter-RIR Transfers Completed Jul-15 Aug-15 Sep-15 Oct-15 Nov-15 Dec-15 Jan-16 Feb-16 Mar-16 Apr-16 May-16 Jun-16 Jul-16 Aug-16 Sep-16 Oct-16 Nov-16 Dec-16 Jan-17 Feb-17 Mar-17 Apr-17 May-17 Jun-17 Jul-17 Aug-17

105 No Drop In IPv4 Consumption Total /24s Free Pool Transfer Market

106 Minimal Drop in IPv4 Workload IPv4 Requests Need-Based Transfer Requests

107 Transfer Pre-Approval Optional free service to confirm your 24 month projected IPv4 need Receive IPv4 addresses via multiple need-based transfers up to the pre-approved amount over the next 24 months $300 fee to complete each transfer Now paid at the time transfer is submitted

108 Specified Transfer Listing Service (STLS) Optional fee-based service to facilitate specified recipient and inter-rir transfers Sources have IPv4 addresses verified as available Recipients have a verified need for IPv4 addresses Facilitators arrange transfers between parties Approved participants can view detailed information for all other participants Public summary available on ARIN s website Available block sizes # of source ORGs and approved block sizes List of facilitators with contact information

109 Takeaways IPv4 consumption still strong If you need IPv4: Get pre-approved & look at transfer market Get an IPv6 block & use reserved IPv4 block for IPv6 deployment policy Wait List an option if you can defer need IPv6 is the future

110 Q&A

111 Securing Core Internet Functions RPKI Andy Newton Chief Engineer

112 Routing A Primer

113 Routing Architecture The Internet uses a two level routing hierarchy: Interior Routing Protocols, used by each network to determine how to reach all destinations that line within the network Interior Routing protocols maintain the current topology of the network

114 Routing Architecture The Internet uses a two level routing hierarchy: Exterior Routing Protocol, used to link each component network together into a single whole Exterior protocols assume that each network is fully interconnected internally

115 Exterior Routing: BGP BGP is a large set of bilateral (1:1) routing sessions A tells B all the destinations (prefixes) that A is capable of reaching B tells A all the destinations that B is capable of reaching / / /18 A B /24

116 What is RPKI? Resource Public Key Infrastructure Cryptographically certifies network resources AS Numbers IP Addresses Also certifies route announcements Route Origin Authorizations (ROAs) allow you to authorize your block to be routed

117 Why is RPKI Important? Allows routers (or other processes) to validate routes as authorized Provides stronger validation than existing technologies, such as: Routing registries LOAs Seems legit 117

118 Case Study: YouTube Pakistan Telecom was ordered to block YouTube Naturally, they originated their own route for YouTube s IP address block YouTube s traffic was temporarily diverted to Pakistan Could have been prevented with widespread adoption of RPKI

119 Case Study: Turk Telekom Turkish President ordered censorship of Twitter Turk Telekom s DNS servers were configured to return false IP addresses So people started using Google s DNS ( ) Turk Telekom hijacked Google s IP addresses in BGP Could have been prevented with RPKI

120 Case Study: Bitcoin Late 2013 & early 2014, Dell Secure Works noticed /24 announcements being hijacked Amazon, OVH, Digital Ocean, LeaseWeb, Alibaba networks routed to a small network in Canada Data between Bitcoin miners and Bitcoin data pools intercepted An estimated haul of $83,000 Could have been prevented with RPKI

121 RPKI Basics All of ARIN s RPKI data is publicly available in a repository RFC 3779 certificates show who has each resource ROAs show which AS numbers are authorized to announce blocks CRLs show revoked records Manifests list all data from each organization

122 Hierarchy of Resource Certificates ICANN /0 0::/0 ARIN / /8 LACNIC AFRINIC RIPE NCC APNIC Regional ISP /16 Other Small ISP /24 Some Small ISP /20 122

123 Route Origin Authorizations (ROAs) ICANN /0 0::/0 ARIN / /8 LACNIC AFRINIC RIPE NCC APNIC Regional ISP /16 Other Small ISP / /16 AS /24 AS2000 Some Small ISP / /20 AS

124 Current Practices ICANN /0 0::/0 ARIN / /8 LACNIC AFRINIC RIPE NCC APNIC Regional ISP /16 Some Small ISP / / / AS AS53659 Other Small ISP / /24 AS

125 Using ARIN s RPKI Repository (Theory) 1. Pull down these files using a manifest-validating mechanism 2. Validate the ROAs contained in the repository 3. Communicate with the router to mark routes: Valid Invalid unknown Ultimately, the ISP uses local policy on how to 125 route to use this information.

126 Using ARIN s RPKI Repository (Practice) 1.Get the RIPE NCC RPKI Validator 126

127 Using ARIN s RPKI Repository (Practice, continued) 2.Get the ARIN TAL 3.Plug it in to your routing policy engine: Directly to the router via RTR protocol Using custom scripts and the REST API As RPSL route objects 127

128 Putting Your Routes in the RPKI 1.Determine if you want to allow ARIN to host your Certificate Authority (CA), or if you want ARIN to delegate to your Certificate Authority. 2.Sign up with ARIN Online. 3.Create Resource Certificates and ROAs.

129 Hosted vs. Delegated RPKI Hosted ARIN has done all of the heavy lifting for you Think point click ship Available via web site or RESTful interface Delegated using Up/Down Protocol A whole lot more work Might make sense for very large networks 129

130 Hosted RPKI - ARIN Online Pros Easy-to-use web interface ARIN-managed (buying/deploying HSMs, etc. is expensive and time consuming) Cons Downstream customers can t use RPKI Large networks would probably need to use the RESTful interface to avoid tedious management 130 We hold your private key

131 Delegated RPKI with Up/Down Pros Allows you to keep your private key Follows the IETF up/down protocol Allows downstream customers to use RPKI Cons Extremely hard to set up Requires operating your own RPKI environment High cost of time and effort 131

132 Delegated with Up/Down You have to do all the ROA creation Need to set up a Certificate Authority Have a highly available repository Create a CPS 132

133 RPKI Usage Oct 2012 Apr 2013 Oct 2013 Apr 2014 Oct 2014 Apr 2015 Oct 2015 Apr 2016 Oct 2016 Apr 2017 Certified Orgs ROAs Covered Resources Up/Down Delegated

134 RPKI vs The Routing Table: Globally

135 RPKI vs The Routing Table: RIPE

136 RPKI vs The Routing Table: APNIC

137 RPKI vs The Routing Table: AFRINIC

138 RPKI vs The Routing Table: LACNIC

139 RPKI vs The Routing Table: ARIN

140 Takeaways If you re not using RPKI, you re vulnerable to route hijacking Plenty of readily available documentation regarding implementation details If we can help, contact us

141 Q&A

142 Everything You Always Wanted To Know About IPv6 Jon Worley Technical Services Manager

143 The Road To IPv6 Deployment Why Move To IPv6 Now? Obtaining IPv6 From ARIN Dedicated IPv4 Block For IPv6 Deployment IPv6 Address Plans IPv6 Deployment Case Studies IPv6 Resources... and a few words about the current state of IPv6 adoption.

144 Why Move To IPv6 Now? Being IPv4-only has costs Transfer market, latency, CGN boxes, NAT Generally no additional cost for ISPs & fees recently lowered for end users IPv6 gives you access to a reserved IPv4 block One IPv4 /24 per six month period 1 4 4

145 Requesting IPv6 - ISPs Have a previous v4 allocation from ARIN or predecessor registry OR Intend to IPv6 multi-home OR Provide a technical justification which details at least 50 assignments made within 5 years 145

146 IPv6 ISP Block Size /48 typically assigned to customers Might be smaller, e.g. /56, for residential /32 default generally sufficient Enough to number 65k+ customers Larger blocks based on: # of serving sites (PoPs, datacenters) # of customers at largest serving site Block size to be assigned 146

147 Requesting IPv6 End Users Have a v4 assignment from ARIN OR Intend to IPv6 multi-home OR 2000 IPv6 addresses/200 IPv6 subnets used OR Have 13+ active sites within 12 months OR Technical justification showing ISP-assigned IPs are unsuitable 147

148 IPv6 End User Block Size Number of Sites Block Size 1 / / / ,072 /36 3,073-49,152 /32 37

149 Reserved IPv4 for IPv6 Deployment /10 reserved under policy in April /24s issued to date (99.6% remains available) Must be used to facilitate IPv6 deployment Dual stacking key servers, NAT-PT/NAT464, etc. Must have an IPv6 block One per organization every six months /24 maximum size

150 Subnetting: IPv4 vs IPv6 The IPv4 mindset: think in terms of IP addresses If a site has 50 devices, I give it a /26 The IPv4 mindset does not work for IPv6 Last 64 bits used for device autoconfiguration... and we have a ton of IPv6 addresses. The correct IPv6 mindset: think in terms of subnets, not addresses

151 IPv6 Subnetting NANOG BCOP Each individual network segment gets a /64 A /64 can hold a near-infinite number of devices Subnet on nibble boundaries for DNS /48, /44, /40, etc Addressing plans should be hierarchical, with each level using subnets of the same size Each site gets a /48 Customers generally get a /48 PoPs/aggregation points sized based on largest

152 IPv4 Address Plan: End User /23 Enterprise Network /19 /24 /24 SJO Hub 14 offices /27 for each 448 IPs CHI Hub 15 offices /28 for each 240 IPs DAL Hub 7 offices /28 for each 112 IPs ASH Hub 156 sites /27 for each 4,992 IPs

153 IPv6 Address Plan: End User /40 Enterprise Network /40 /40 /40 (256 /48s) SJO Hub 14 offices /48 for each 448 IPs CHI Hub 15 offices /48 for each 240 IPs DAL Hub 7 offices /48 for each 112 IPs ASH Hub 156 sites /48 for each 4,992 IPs

154 IPv4 Address Plan: ISP /21 FTTH ISP Network /24 /23 /22 Saskatoon Hub 952 home users (1 IP each) 5 biz customers (/29-/24) = 1,952 IPs Prince Albert Hub 214 home users (1 IP each) = 214 IPs Moose Jaw Hub 497 home users (1 IP each) = 497 IPs Regina Hub 497 home users (1 IP each) 4 biz customers (/29-/24) = 997 IPs

155 IPv6 Address Plan: ISP Saskatoon Hub 1,027 total users (home + business) = 1,027 /48s /36 (4,096 /48s) /36 Prince Albert Hub 214 total users (home + business) = 214 /48s FTTH ISP Network /36 /36 Moose Jaw Hub 497 total users (home + business) = 497 /48s Regina Hub 506 total users (home + business = 506 /48s

156 Anatomy Of An IPv6 Address 2001:0DB8:3007:000A:B9D3:284A:83E2:90DB /32 from ARIN Hub /36 0 = Saskatoon 1 = Pr. Albert 2 = Moose Jaw 3 = Regina 4 = Future Hub... etc Site / = Regina Site = Regina Site = Regina Site 7 Subnet / = Subnet = Subnet A = Subnet 10 Device /128 Autoconfigured with MAC Address

157 IPv6 Deployment Information ISOC s Deploy360 program has 16 detailed case studies covering: ISPs Hosting providers Enterprise businesses Universities Governments ARIN s IPv6 Wiki DNS, tools, translation services, etc

158 IPv6 Info Center

159 How Far Are We In IPv6 Adoption? Depends where you look... How many networks have an IPv6 block? How many networks are routing IPv6? How much traffic is using IPv6?

160 Percentage of Members with IPv6 100% 80% 60% 40% 20% 34.10% 52.83% 52.87% 87.55% 75.11% 0% AfriNIC APNIC ARIN LACNIC RIPE NCC 160

161 Customers with IPv4 & IPv6 RSP End Users ,467 1,780 2,420 6, IPv4 Only IPv4 & IPv6 IPv6 Only

162 IPv6 Adoption by ISP Size 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 3X-Small (143) 2X-Small (778) X-Small (1,656) Small (1,252) Medium (651) Large (242) X-Large (187) 2X-Large (37) 3X-Large (24) 4X-Large (7) ISPs with IPv6 ISPs without IPv6

163 IPv6 Requests Since Depletion

164 Routing Table Growth IPv4 First 14 Years IPv6 First 14 Years

165 Google s IPv6 Traffic Growing 165

166 Facebook & Akamai

167 Discussion: IPv6 & You Do you have an IPv6 block from ARIN? If so, how was the process? Have you deployed IPv6? If not, do you plan to? Are there blockers? If so, how is it working? Any experience to share? What can ARIN do to help you with IPv6 deployment?

168 Q&A

169 Q&A / Open Mic Session

170 Today s Takeaways: You make ARIN s Internet number resource policy Apply for IPv6 addresses and get started Consider implementing DNSSEC & RPKI Reach out to us with questions and suggestions - engage

171

172 Fill out & submit the survey for your chance to win a $100 Amazon Gift Card!

173 WHOIS Accuracy Eddie Diego Senior Resource Analyst

174 What is Accurate Whois Data? Comprehensive All required data is registered and complete Correct Data has been verified by staff as being accurate Current Data has been confirmed to be up to date or recently updated

175 Why Is It Important? Internet operability and stability Contact other network operators to resolve issues Public safety Law enforcement can identify the responsible party for a subpoena Protection from number resource hijacking Hijackers often target stale or inaccurate data

176 Current Verification Process Policy Annual POC validation & requirement to publish reassignment Information Business Practice All new orgs must be active/in good standing Verify active/in good standing every 12 months Service/resource requests accepted only from registered contacts Registration Services Agreement (RSA) Must comply with all policies Must provide and maintain accurate registration information in Whois

177 POC Validation Stats 743,839 total POCs in ARIN s database 177,742 are validated* 243,192 are unvalidated 322,905 are orphaned** *Validated POC has either responded to ARIN s annual POC validation or updated their POC record within the past 12 months **Orphaned POC not associated with any number resources

178 Direct/Indirect POC Validation Stats 50,881 * total direct POCs 28,555 validated (56%) 22,326 unvalidated (44%) 692,958 ** total indirect POCs 149,187 validated (22%) 220,866 unvalidated (32%) * ** 322,905 orphaned (46%) Recieved resources from ARIN or Predecessor Customer reassignments received from an upstream ISP

179 ARIN Issued vs Legacy Stats 27,645 total ARIN-issued v4 nets 25,648 (93%) have at least one validated POC 1,997 (7%) have no validated POC 24,974 total legacy nets 11,773 (47%) have at least one validated POC 13,201 (53%) have no validated POC

180 IPv4 Depletion & Data Accuracy ISPs required to publish customer assignments in Whois Required in order to get more IP addresses Since IPv4 is unavailable and IPv6 initial allocations are very large, ISPs may not continue to provide accurate customer data New approaches may be needed to ensure data accuracy Have staff confirm accuracy more frequently Contact orgs with no valid contact More outreach on the importance of accurate data

181 Takeaways Accurate Whois data is vital to the Internet Inaccurate data delays fixing operational/abuse issues We have a lot of inaccurate records today IPv4 depletion could make the problem worse We need community feedback Priorities are set based on what you tell us is important

182 Q&A