Bringing You Answers
Minneapolis, MN | 1 May 2018
#AOTR
Here Today From ARIN
• Eddie Diego – Senior Resource Analyst
• David Farmer – ARIN Advisory Council
• Susan Hamlin – Senior Director, Communications & Member Services
• Richard Jimmerson – Chief Information Officer
Before We Get Started…
Housekeeping items:
• Wireless: Hyatt Meeting Space
• Password: ARIN2018
• Agenda review
Morning Agenda
• 9:30 - 9:45 AM: Welcome & Introductions
• 9:45 - 10:15 AM: ARIN's Mission & Core Functions
• 10:15 - 10:45 AM: ARIN Technical Services
• Break
• 10:55 - 11:30 AM: ARIN Internet Number Resource Policy
• 11:30 - 12:00 PM: IPv4 Services – Wait List, Transfers, and more
• 12:00 - 1:00 PM: Lunch
Afternoon Agenda
• 1:00 - 1:30 PM: ARIN Security Services
• 1:30 - 2:15 PM: ARIN IPv6 Services
• Break
• 2:30 - 3:00 PM: Community Engagement with ARIN
• 3:00 - 3:15 PM: Registration Services Department Update
• 3:15 - 3:30 PM: Open Microphone and Wrap-up
Let’s Get Started!
Self Introductions
• Name
• Organization and type of business
• Any questions you would like answered
• Any topics not on the agenda you would like presented
ARIN 101
Susan Hamlin, Senior Director, Communications and Member Services
Why Are We Here?
ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.
ARIN’s Service Region
The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the United States and outlying areas.
IP Address and Autonomous System Number Provisioning Process
• Many networks first encounter ARIN when they need an AS number for BGP
• Others encounter ARIN when they want to get portable IP addresses to avoid renumbering
• ARIN’s most fundamental function is registration of IP addresses and AS numbers to ensure global uniqueness
• … and to operate directory services which allow the public to determine who those IP addresses and AS numbers are registered to
But it all starts with you…
Who are you?
• Organizations served by ARIN: 37,000+
• Organizations under contract with ARIN: 21,000+
• ARIN member organizations: 5,700+
• Professional staff: 85+
Anyone with an interest in Internet number resource management in the ARIN region can be part of the ARIN community.
ARIN Manages:
• IP address allocations & assignments
• ASN assignment
• Transfers
• Reverse DNS
• Record Maintenance
ARIN Services
• ARIN customer web portal
• Security (DNSSEC, RPKI)
• Whois-RWS
• Whois and Registration Data Access Protocol (RDAP) directory services
• Operational Test & Evaluation (OT&E) Environment
But who sets the rules?
• The community (that’s you!) decides what rules ARIN should apply when issuing IP addresses and AS numbers
• ARIN staff are prohibited from setting policy
• … but we do facilitate the policy development process (PDP) to enable the community to create & maintain policies
• Fostering an open, transparent, fair, and bottom-up policy process is another key ARIN function
Advisory Council
• 15-member Advisory Council elected by the membership
• 5 seats open each year/election
• Serves in an advisory capacity to the Board on Internet number resource policy and related matters
• Forwards consensus-based policy proposals to the Board for ratification
And who sets the fees?
• Fees are set by ARIN’s Board of Trustees (BoT), who are elected by ARIN’s members
• Members are primarily ISPs but can also include end users
• The Board of Trustees is responsible for setting ARIN’s fee structure and providing overall guidance to ARIN’s operations and strategic plan
• Conducting open and fair elections is a third key ARIN function
Board of Trustees
• 7-member Board of Trustees
• 6 elected by the membership plus President & CEO – all voting
• 2 seats open each election/year
• Ability to appoint an additional voting member for diversity
• Authority over the scope and mission; establishes the strategic direction and fiscal oversight
2018 Strategic Plan:
• Manage efficient allocation of Internet number resources in the ARIN region
• Educate the community about ongoing IPv6 adoption
• Coordinate with other RIRs on registry processes and technology to maintain a globally consistent and usable registry system
• Work cooperatively with network operator forums in the region as appropriate
• Maintain, develop and enhance functionality of ARIN services as sought by users and supported by membership
https://www.arin.net/about_us/corp_docs/stratplan-2018-2019.pdf
Outreach & Engagement
• Policy Development through Public Policy Meetings and Consultations
• Work closely with the technical community to ensure education, empowerment, engagement
• Collaborate with Caribbean organizations to maximize inclusion
Training and Education
• Educational Materials library: https://www.arin.net/knowledge
• Instructional Video Library: http://youtube.com/teamarin
• In-person Training & Education
  • Speakers bureau
IPv6 Outreach
• Get6 - teamarin.net/get6/
  • Focus on getting public websites IPv6-enabled
  • Featuring Forward Thinkers who have done it already
• Wiki list of IPv6 webhosters, DNS providers, trainers, & consultants - getipv6.info
Global Engagement
• Foster global working relationships
• Be a key technical resource
• Support cooperation and direct involvement alongside governments and international organizations
What about the rest of the world?
Regional Internet Registry Structure:
Independent * Not-for-profit * Membership-based * Community driven
The Number Resource Organization
The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input into the RIR system.
https://www.nro.net/
NRO NC / ASO AC
Number Resource Organization Number Council (NRO NC) & Address Supporting Organization Advisory Council (ASO AC)
• 15-member body, 3 per RIR
  • 2 elected and one appointed
• Global policy development process
• Selects ICANN Board seats 9 and 10
• Gives advice to ICANN Board on number resource allocation policy, in conjunction with the RIRs
Q&A
ARIN Technical Services
Richard Jimmerson, Chief Information Officer
How Many Records Do We Manage?
Networks: 3,069,469 (57,764 Direct, 3,011,705 Indirect)
ASNs: 25,920
Reverse DNS Delegations: 606,584
Organizations: 3,183,197 (733,927 Org IDs, 2,449,270 Customers)
Points of Contact: 725,975
Web Users: 133,717
... for a grand total of 7,744,862
Major Technical Service Areas
Core Registry Functions (ARIN Online)
• Resource Registration & Management
• Whois
• Reverse DNS
• Internet Routing Registry
New Services
• Web-based reassignment management (SWiP-EZ)
• DNSSEC & RPKI
• WhoWas
• RDAP
• RESTful Interfaces
• Operational Test & Evaluation Environment (OT&E)
Technical Support
Core Registry Services – ARIN Online
• Registering ASNs and IPv4/IPv6 blocks
• Transferring ASNs and IPv4/IPv6 blocks
• Managing org & contact information
• Managing reverse DNS & RPKI
• Bulk Whois and WhoWas Reports
• Invoices and Bill Payment
All now available via ARIN Online
ARIN Online - Total Users (chart; data labels by year)
Year   Users
2008   2,727
2009   12,799
2010   29,831
2011   49,524
2012   64,185
2013   78,074
2014   92,866
2015   107,627
2016   120,785
2017   133,717
Web-Based Reassignment Management
• Manage customer reassignments (SWIPs) via ARIN Online
• Comprehensive reassignment report
  • Generates a spreadsheet of all reassignments made from your space along with holes (unassigned space)
• Recommended for ISPs managing a small number of records
WhoWas
• Spreadsheet with registration history for one ASN/IP address
• Requested by the community
• Common uses include
  • Researching the history of an IPv4 block prior to entering into a transfer
  • Investigating possible unauthorized changes
  • Law enforcement
Registration Data Access Protocol (RDAP)
• Can offer referral responses
  • If you ask ARIN for a record that’s held by another RIR, we point you to it
• Provides standardized HTTP-based RESTful JSON responses
  • “Plays well with machines”
• Designed by the IETF to replace Whois
  • Whois was designed for humans to read, not for machines to interact with
RDAP In Action (diagram: a client looking up 45.65.1.1)
1. Client asks the Bootstrap Server: 45.65.1.1? Answer: Ask ARIN
2. Client asks ARIN: 45.65.1.1? Answer: Ask APNIC (referral)
3. Client asks APNIC: 45.65.1.1? Answer: JSON record
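The referral flow on the slide, as an added example that is not ARIN's code: a client resolves 45.65.1.1 by longest-prefix match against a bootstrap registry in the RFC 7484 shape, then follows the HTTP redirect that RFC 7480 lets a server return when the record belongs to another RIR. The bootstrap entries, server URLs and responses below are constructed stand-ins so the code runs offline; they do not reflect the live registries.

```python
import ipaddress
import json

# Constructed excerpt in the shape of the IANA RDAP bootstrap file for IPv4
# (RFC 7484): each service is [list of CIDR prefixes, list of base URLs].
# The prefix-to-server assignments are made up for this demonstration.
BOOTSTRAP_IPV4 = json.loads("""
{
  "version": "1.0",
  "services": [
    [["45.0.0.0/8"],    ["https://rdap.arin.net/registry/"]],
    [["199.43.0.0/24"], ["https://rdap.arin.net/registry/"]],
    [["203.0.0.0/8"],   ["https://rdap.apnic.net/"]]
  ]
}
""")

# Constructed responses standing in for the live servers: (status, payload).
# A 302 whose payload is a Location URL is the "Ask APNIC" referral on the slide.
FAKE_SERVERS = {
    "https://rdap.arin.net/registry/ip/45.65.1.1":
        (302, "https://rdap.apnic.net/ip/45.65.1.1"),
    "https://rdap.apnic.net/ip/45.65.1.1":
        (200, {"objectClassName": "ip network",
               "handle": "EXAMPLE-NET",          # constructed handle
               "startAddress": "45.65.0.0",
               "endAddress": "45.65.255.255"}),
}


def bootstrap_lookup(ip, registry=BOOTSTRAP_IPV4):
    """Return the base URL of the longest bootstrap prefix containing ip,
    or None when no service covers it."""
    addr = ipaddress.ip_address(ip)
    best_net, best_url = None, None
    for prefixes, urls in registry["services"]:
        for cidr in prefixes:
            net = ipaddress.ip_network(cidr)
            if addr.version != net.version or addr not in net:
                continue
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_url = net, urls[0]
    return best_url


def fetch(url, servers=FAKE_SERVERS):
    """Stand-in for an HTTP GET against the constructed servers; unknown URLs answer 404."""
    return servers.get(url, (404, None))


def rdap_ip_query(ip, max_hops=5, registry=BOOTSTRAP_IPV4, servers=FAKE_SERVERS):
    """Resolve an /ip/ query via bootstrap and follow 3xx referrals, at most
    max_hops times. Returns (json_object, list_of_urls_visited)."""
    base = bootstrap_lookup(ip, registry)
    if base is None:
        raise LookupError(f"no bootstrap service for {ip}")
    url = base + "ip/" + ip
    visited = []
    for _ in range(max_hops):
        visited.append(url)
        status, payload = fetch(url, servers)
        if status == 200:
            return payload, visited
        if status in (301, 302, 303, 307, 308) and payload:
            if payload in visited:              # referral loop guard
                raise LookupError(f"referral loop at {payload}")
            url = payload
            continue
        raise LookupError(f"{url} answered HTTP {status}")
    raise LookupError(f"gave up after {max_hops} referrals for {ip}")


if __name__ == "__main__":
    record, path = rdap_ip_query("45.65.1.1")
    print(" -> ".join(path))
    print(json.dumps(record, indent=2))
```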
Automating With REST Services
What is REST?
REpresentational State Transfer
Uses HTTP & URLs to create, read, update, and delete data
Widespread industry adoption
Easily understood
Any modern programmer can incorporate it
The BIG Advantage of REST
• Allows you to automate your interactions with ARIN
  • Customer reassignment management
  • Reverse DNS management
• Can use existing tools
  • ARINcli
  • 6connect
  • https://github.com/arineng
  • http://projects.arin.net
• Or, write your own!
What does REST look like?
http://whois.arin.net/rest/poc/KOSTE-ARIN
• whois.arin.net – where the data is
• poc – what type of data it is
• KOSTE-ARIN – the ID of the data
It’s a standard URL. Anyone can use it. Go ahead, put it into your browser.
Reg-RWS Transactions (cumulative) [chart: two series plotted from ARIN 29 through ARIN 40; the data labels run 408k, 596k, 846k, 1.0M, 1.3M, 1.5M, 1.7M, 2.0M, 2.2M, 2.4M, 2.5M, 2.8M for one series and 40k, 320k, 841k, 3.5M, 4.3M, 4.7M, 5.0M, 5.6M, 6.0M, 6.2M, 6.5M, 7.1M for the other]
For more information…
RESTful Web Services, Leonard Richardson and Sam Ruby, O’Reilly Media
Operational Test & Evaluation (OT&E)
• Lots of people test in production
  • Is not the best place to test
  • Things do get stuck – may impact others
  • Operational Test & Evaluation
• Goodness of OT&E
  • Place to test code/processes
  • All services now under ote.arin.net except email
  • https://www.arin.net/resources/ote.html
Technical Support
• Ask ARIN (inside ARIN Online)
• Phone Help Desk
  • 7AM – 7PM ET M-F
  • +1.703.227.0660
• arin-tech-discuss mailing list
  • Make sure to subscribe
  • Archives contain useful information
In the works… a new design!
Q&A
ARIN Internet Number Resource Policy
…your participation matters
David Farmer, ARIN Advisory Council
ARIN’s Policy Development Process Video
What Are Internet Number Resource Policies?
ARIN applies policies to manage Internet number resources and certain directory/registration services
Policies are given effect through the application of business rules and operating procedures
What is the NRPM?
The Number Resource Policy Manual (NRPM) is the collection of all ARIN policies, arranged by topic.
Topics include:
• Definitions
• Directory Services
• IPv4
• IPv6
• AS Numbers
• Transfers
View the NRPM at:
• https://www.arin.net/policy/nrpm.html
Policy Example
NRPM 4.3.1 - End-users
ARIN assigns blocks of IP addresses to end-users who request address space for their internal use in running their own networks, but not for sub-delegation of those addresses outside their organization. End-users must meet the requirements described in these guidelines for justifying the assignment of an address block.
Policy Principles
Internet number resource policy must:
• Enable fair and impartial number resource administration
• Be technically sound (providing for uniqueness and usability of number resources)
• Have support from the community
Where do Policies Come From?
Proposals for policy change can come from anyone, and follow a basic email template:
Proposals go to [email protected]
Policy Development Process (PDP)
Proposal – Someone sends a Proposal to [email protected] using the approved template
• The Advisory Council (AC) Chair assigns AC shepherds
  • Shepherds manage the Proposal, working closely with the author(s), and encourage feedback
  • To be accepted as a Draft Policy, a proposal must contain a clear problem statement and be within the scope of ARIN's mission
Draft Policy – Work in progress, discussed on the mailing list and at Public Policy Meetings and Consultations
• Once a Draft Policy meets the Principles of Internet Number Resource Policy, the AC may recommend it for adoption
Policy Development Process (PDP)
• Recommended Draft Policy – More discussion and presentation at meeting(s). Does the community support turning this into policy?
• Last Call
• Board Review and Adoption
• Staff Implementation (NRPM)
Petitions
The community may petition for or against several AC actions, including:
• Against the rejection of a Proposal
• Against the abandonment of a Draft Policy or Recommended Draft Policy
• For the movement of a Proposal to Draft Policy status
• For the movement of a Draft Policy to Recommended Draft Policy status
• For the movement of a Recommended Draft Policy to Last Call status
Principles of the PDP
• Open
  • Developed in open forums
  • Anyone can participate
• Transparent
  • All aspects documented and available on website
• Bottom-up
  • Policies developed by the community
  • Staff implements, but does not make policy
The Importance of Participation
• A single community member can propose a policy change, or spark an important discussion in support of or opposition to a potential change.
• Many significant policies have gone through the entire PDP with only a handful of voices speaking for or against them.
Last Call (Ends 7 May)
• 2017-3: Update to NRPM 3.6: Annual Whois POC Validation
• 2017-8: Amend Community Networks
• 2017-10: Repeal of Immediate Need for IPv4 Address Space (NRPM Section 4.2.1.6)
• 2017-12: Require New POC Validation Upon Reassignment
• 2017-13: Remove ARIN Review Requirements for Large IPv4 Reassignments/Reallocations
Recommended Draft Policies
• 2018-1: Allow Inter-regional ASN Transfers
Draft Policies Under Discussion
• 2018-2: Clarification to ISP Initial Allocation and Permit Renumbering
• 2018-3: Clarification on IPv6 Sub-Assignments
• 2018-4: Remove Reallocation Requirements for Residential Market Assignments
Draft Policies Under Discussion
Reallocation and Reassignment Language Cleanup (formerly Draft Policy ARIN-2017-11)
• Community review ended 23 March
• Advanced to the Board of Trustees 23 April
• Awaiting Board of Trustees review
Correct References to RWhois (formerly ARIN-prop-251)
• Community review ended 19 April
• Awaiting Advisory Council review
Proposals Under Review
• ARIN-prop-255: NRPM Cleanup
Your Voice Matters!
ARIN’s community is diverse, and the more participants there are, the more balanced and comprehensive ARIN policy can be!
Get Involved!
• Join the Public Policy Mailing List at http://lists.arin.net/mailman/listinfo/arin-ppml
• Attend Public Policy Meetings
  • October 2018 – Vancouver
  • Remote participation supported - attend from anywhere!
• Attend Public Policy Consultations
  • Held as needed during NANOG meetings in February and June
  • Remote participation supported
Takeaways
• ARIN doesn't create number policy, you do. It’s as easy as submitting a proposal.
• Policy development includes assistance from the ARIN Advisory Council throughout the process.
• Stay informed. Join the policy list and/or attend meetings (in person or remotely).
References
• Policy Development Process (PDP): http://www.arin.net/policy/pdp.html
• Draft Policies and Proposals: http://www.arin.net/policy/proposals/index.html
• Number Resource Policy Manual (NRPM): http://www.arin.net/policy/nrpm.html
Q&A
IPv4 Services
Eddie Diego, Senior Resource Analyst
Overview
IPv4 Request Activity
Reserved IPv4 Space
IPv4 Waiting List
IPv4 Transfer Market
Specified Transfer Listing Service (STLS)
IPv4 Requests Since Depletion [chart: monthly request counts, Jul 2015 through Oct 2017; y-axis 0 to 450]
IPv4 Waiting List
• Requesters have the waiting list option
  • Initial /21 (ISP) or /24 (EU) with no justification
  • Larger blocks based on 24 month need
  • Requester may specify a smaller acceptable size
  • One request per org on the list at a time
• Oldest requests filled first
• Requests met by transfer are removed
IPv4 Waiting List – Block Sources
• IANA Redistribution (2x a year)
  • Down from /11 May 2014 to /20 September 2017
• Returned IPv4 Blocks
• Revoked IPv4 Blocks
  • Generally for nonpayment
• Lengthy review process before reissue
Reissue Review Process
• RSD analyzes returned/revoked blocks
  • Unrouted blocks get priority over routed blocks
  • Need verification the return/revoke was done properly
• FSD confirms fees unpaid & notices sent
• Meeting held to confirm reissue
  • Legal review
  • 4 management team signatures required
  • 20-40 blocks reviewed in each meeting
• 328 blocks currently in the review process
IPv4 Waiting List Growth [chart: requests on the waiting list, Jun 2015 through Oct 2017; y-axis 0 to 450]
IPv4 Waiting List Statistics
Of the 913 requests added:
• 503 (55%) have been filled
  • Last request filled waited ~8 months
• 212 (23%) dropped off
  • Most got IPv4 via the transfer market
• 198 (22%) still waiting
  • Oldest added 16 Aug 2016
Waiting Time
Of the 503 completed requests:
• Average 15 months wait
• Longest wait: 24 months
Of the 212 closed requests:
• Average 7 months before close
• Longest wait: 21 months (filled via transfer)
IPv4 Critical Infrastructure Reserve
• 2 /16s reserved for:
  • Public exchange points
  • ICANN-sanctioned Core DNS operators
  • RIRs
  • IANA
• New gTLDs not eligible
• 15.4% used
Reserved IPv4 for IPv6 Deployment
… stay tuned. We’ll discuss this policy in the IPv6 presentation.
IPv4 Transfer Policies
• Mergers and Acquisitions (NRPM 8.2)
  • Traditional transfer resulting from a merger, acquisition, or reorganization supported by legal documentation
• Transfers to Specified Recipients (NRPM 8.3)
  • IPv4 market transfer from one organization to another that it specifies, supported by justified need (within region)
• Inter-RIR transfers to Specified Recipients (NRPM 8.4)
  • IPv4 market transfer from one organization to another that it specifies, supported by justified need (between regions)
Specified Recipient Transfer
Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources
Source
• Must be current registrant, no disputes
• Not have received addresses from ARIN for 12 months prior
Recipient
• Demonstrate need for 24-month supply under current ARIN policy
Specified Recipient Transfer Growth [chart: transfers per period, Jul 2015 through Oct 2017; y-axis 0 to 250]
Inter-RIR Transfers
• RIR must have reciprocal, compatible needs-based policies
  • Currently APNIC and RIPE NCC
• Transfers from ARIN
  • Source cannot have received IPv4 from ARIN 12 months prior to transfer
  • Must be current registrant, no disputes
  • Recipient meets destination RIR policies
• Transfers to ARIN
  • Must demonstrate need for 24-month supply under current ARIN policy
Inter-RIR Transfers Completed [chart: transfers per period, Jul 2015 through Oct 2017; y-axis 0 to 25]
IPv4 Consumption [chart: total /24s issued from the Free Pool and via the Transfer Market, Jun 2014 through Oct 2017; y-axis 0 to 450,000]
IPv4 Workload [chart: IPv4 Requests and Market Transfer Requests, Jul 2015 through Oct 2017; y-axis 0 to 500]
Transfer Pre-Approval
• Optional free service to confirm your 24 month projected IPv4 need
• Receive IPv4 addresses via multiple need-based transfers up to the pre-approved amount over the next 24 months
• $300 fee to complete each transfer
  • Now paid at the time transfer is submitted
Specified Transfer Listing Service (STLS)
• Optional fee-based service to facilitate specified recipient and inter-RIR transfers
  • Sources have IPv4 addresses verified as available
  • Recipients have a verified need for IPv4 addresses
  • Facilitators arrange transfers between parties
• Approved participants can view detailed information for all other participants
• Public summary available on ARIN’s website
  • Available block sizes
  • # of source ORGs and approved block sizes
  • List of facilitators with contact information
Takeaways
• IPv4 consumption still strong
• If you need IPv4:
  • Get pre-approved & look at transfer market
  • Get an IPv6 block & use reserved IPv4 block for IPv6 deployment policy
  • Wait List an option if you can defer need
• IPv6 is the future
Q&A
LUNCH
Starting back at 1:00 PM
ARIN Security Services
Richard Jimmerson, Chief Information Officer
Two-Factor Authentication
• Available for all ARIN Online accounts
• In use today by 2,744 ARIN Online users
• Strengthens the security of your account beyond standard password and challenge question recovery methods
• Currently supported authenticators:
  • Google Authenticator
  • Salesforce Authenticator
  • FreeOTP
• https://www.arin.net/features/twofactor.html
DNS Security (DNSSEC)
• A DNS extension which authenticates responses
  • When you ask how to get to www.arin.net, DNSSEC verifies the answer is from ARIN and not someone pretending to be us
• Doesn’t ensure the answer is correct, just that it’s coming from the right place
Why is DNSSEC Important?
• Standard DNS is not secure
  • Trivial to spoof (provide false responses)
  • ... so an attacker can redirect people looking for www.arin.net to his own site
  • ... and then steal login information.
• DNSSEC is (surprise) secure
  • An attacker can try to redirect traffic, but DNSSEC will show it’s not a valid response
DNS Cache Poisoning
• Attacker gives the nameserver a “poisoned” (incorrect) response to www.arin.net
• If accepted, this nameserver will direct people to the fake site, typically for hours
• ... and any nameservers that trust the poisoned one will also become poisoned.
Case Study: Kashpureff Attack
• Eugene Kashpureff didn’t like Internic’s control of top level domains
• In 1996, he used DNS cache poisoning to redirect Internic traffic to his own site
• Kashpureff was eventually convicted of computer fraud
• This attack could have been prevented with DNSSEC
Case Study: Kaminsky Flaw
• 2008: Dan Kaminsky discovered a fundamental flaw in the DNS protocol
  • 65,536 Transaction IDs in DNS makes it easy to guess the right one & spoof
• Updates to DNS software make this flaw more difficult to exploit, but not impossible
• These attacks can be prevented with DNSSEC
Case Study: Bradesco
• Bradesco is a bank in Brazil
• DNS cache poisoning attack resulted in 1% of the bank’s customers being redirected to a fake site
  • Getting login credentials for 1% of a large bank’s customers could be disastrous
• Networks not using DNSSEC are vulnerable to a similar attack
Other Uses
• Protect DKIM & SPF
  • Without DNSSEC, an attacker can make use of your email addresses for spam.
• SSH Initial Host Key Exchange
  • Protect SSH Fingerprint (SSHFP) records.
• PGP Key Distribution
  • Use _pka records to distribute PGP keys easily usable by GnuPG
• DANE
  • Coming standard from the IETF to use DNS as a global public key infrastructure.
DNSSEC Usage Statistics (as of ARIN 39)
Number of Orgs with DNSSEC: 139
Total Number of Delegations: 620,412
DNSSEC Secured Zones: 671
Percentage Secured: 0.11%
Using DNSSEC with ARIN
• Remember: this is for reverse DNS, not forward DNS
• Use your DNS server software to:
  • Generate your key pair
  • Create DS records to upload to ARIN via ARIN Online or Reg-RWS
  • Sign your DNS zones
DNSSEC Configuration
• Ensure the required DNSKEY, RRSIG, NSEC, and DS records are published in your nameservers
  • Consult your zone file…
• ARIN provides only reverse DNSSEC
  • Make sure to also secure your forward DNS through your domain registrar
How It Works
• DNSSEC adds new resource records into your zone file.
• These records are signed off-line.
• Two types of public/private key pairs
  • Zone Signing Key (ZSK) is used to sign records in the zone
  •  Key Signing Key (KSK) signs the ZSK. Usually longer lived than the ZSK.
Signed & Unsigned Zones
Unsigned zone:
  0.43.199.in-addr.arpa. 10800 IN SOA ns1.arin.net. dns-ops.arin.net. 2016072520 10800 3600 604800 3600
  0.43.199.in-addr.arpa. 10800 IN NS ns1.arin.net.
  0.43.199.in-addr.arpa. 10800 IN NS ns2.arin.net.
  0.43.199.in-addr.arpa. 10800 IN NS ns2.lacnic.net.
  0.43.199.in-addr.arpa. 10800 IN NS sec1.apnic.net.
  0.43.199.in-addr.arpa. 10800 IN NS sec1.authdns.ripe.net.
  1.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-1.arin.net.
  10.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-10.arin.net.
Signed zone:
  0.43.199.in-addr.arpa. 10800 IN SOA ns1.arin.net. dns-ops.arin.net. 2016072520 10800 3600 604800 3600
  0.43.199.in-addr.arpa. 3600 IN RRSIG NSEC 5 5 3600 20170131143127 20170117133127 13093 0.43.199.in-addr.arpa. p33dgTSLyg/qoDuoN6XGRFUwfRdILdYQtJfl/i077aLZA/usJ0r3furj 3FikILZOodCWez0yiKYwKaUYlGiFgZyWSlDTrbMgnLBG162tQrby8wAQ Ke1mOYRBdSOT6swRzhJx6rRRSH4C0/3YpQqmKZsplQisyTdbykhy4N3h 38M=
  …
  0.43.199.in-addr.arpa. 10800 IN DNSKEY 256 3 5 AwEAAXCN3mUJUntP90L4F4oNxxlzKFos9FYD0wxTqxoWueBjFVAvS9vt FSAC7sV4yqKF3NbOOgk81Ep8n8BLZ3vvhnL8/y6Gf3K+d/yvK248ZWR6 +r+AAsV6icMEloQhaJzuam/eMrlj4kJ96lVjFvMEwdPNNSYzen30OfpC sswVvamh
  …
  0.43.199.in-addr.arpa. 3600 IN NSEC 1.0.43.199.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
  0.43.199.in-addr.arpa. 10800 IN NS ns1.arin.net.
  …
  1.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-1.arin.net.
  …
A signed zone file will have RRSIG, NSEC, and DNSKEY records.
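An added example, not part of the presentation: a small audit over zone text in the presentation format the slide shows. It reports whether a zone carries DNSSEC records, counts ZSKs (flags 256) and KSKs (flags 257), lists RRsets with no covering RRSIG, and flags signatures whose validity window does not contain a given time, which is the usual reason a once-working signed zone turns bogus. The zone text is constructed after the slide's 0.43.199.in-addr.arpa. example with placeholder key and signature data.

```python
# Constructed zone excerpts modelled on the slide's 0.43.199.in-addr.arpa.
# example. Base64 fields are placeholders, not real keys or signatures.
UNSIGNED_ZONE = """
0.43.199.in-addr.arpa. 10800 IN SOA ns1.arin.net. dns-ops.arin.net. 2016072520 10800 3600 604800 3600
0.43.199.in-addr.arpa. 10800 IN NS ns1.arin.net.
0.43.199.in-addr.arpa. 10800 IN NS ns2.arin.net.
1.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-1.arin.net.
"""

# RRSIG tail: expiration inception keytag signer signature (signature is a placeholder)
SIG = "20170131143127 20170117133127 13093 0.43.199.in-addr.arpa. PLACEHOLDER=="
SIGNED_ZONE = f"""
0.43.199.in-addr.arpa. 10800 IN SOA ns1.arin.net. dns-ops.arin.net. 2016072520 10800 3600 604800 3600
0.43.199.in-addr.arpa. 10800 IN RRSIG SOA 5 5 10800 {SIG}
0.43.199.in-addr.arpa. 10800 IN NS ns1.arin.net.
0.43.199.in-addr.arpa. 10800 IN NS ns2.arin.net.
0.43.199.in-addr.arpa. 10800 IN RRSIG NS 5 5 10800 {SIG}
0.43.199.in-addr.arpa. 10800 IN DNSKEY 256 3 5 PLACEHOLDERZSK==
0.43.199.in-addr.arpa. 10800 IN DNSKEY 257 3 5 PLACEHOLDERKSK==
0.43.199.in-addr.arpa. 10800 IN RRSIG DNSKEY 5 5 10800 {SIG}
0.43.199.in-addr.arpa. 3600 IN NSEC 1.0.43.199.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
0.43.199.in-addr.arpa. 3600 IN RRSIG NSEC 5 5 3600 {SIG}
1.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-1.arin.net.
1.0.43.199.in-addr.arpa. 10800 IN RRSIG PTR 5 5 10800 {SIG}
1.0.43.199.in-addr.arpa. 3600 IN NSEC 0.43.199.in-addr.arpa. PTR RRSIG NSEC
1.0.43.199.in-addr.arpa. 3600 IN RRSIG NSEC 5 5 3600 {SIG}
"""

DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "DNSKEY", "DS"}


def parse_zone(text):
    """Parse one-record-per-line presentation format into
    (owner, ttl, type, rdata_tokens); blank, comment and '...' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line == "...":
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        records.append((owner, int(ttl), rtype, rdata))
    return records


def audit_zone(text, now="20170120000000"):
    """Check a zone's DNSSEC material as of `now` (YYYYMMDDHHMMSS, UTC).
    Timestamps are fixed-width digit strings, so string comparison orders them."""
    records = parse_zone(text)
    rrsets = {(o, t) for o, _, t, _ in records if t != "RRSIG"}
    covered, expired, not_yet_valid = set(), [], []
    keys = {"ZSK": 0, "KSK": 0}
    for owner, _, rtype, rdata in records:
        if rtype == "RRSIG":
            # RRSIG rdata: type_covered alg labels orig_ttl expiration inception keytag signer sig
            type_covered, expiration, inception = rdata[0], rdata[4], rdata[5]
            covered.add((owner, type_covered))
            if now > expiration:
                expired.append((owner, type_covered))
            elif now < inception:
                not_yet_valid.append((owner, type_covered))
        elif rtype == "DNSKEY":
            # flags field: 257 has the Secure Entry Point bit set (KSK), 256 is a ZSK
            keys["KSK" if rdata[0] == "257" else "ZSK"] += 1
    return {
        "has_dnssec_records": any(t in DNSSEC_TYPES for _, t in rrsets) or bool(covered),
        "keys": keys,
        "unsigned_rrsets": sorted(rrsets - covered),
        "expired_signatures": expired,
        "not_yet_valid_signatures": not_yet_valid,
    }


if __name__ == "__main__":
    for label, zone in (("unsigned", UNSIGNED_ZONE), ("signed", SIGNED_ZONE)):
        print(label, audit_zone(zone))
    print("signed zone checked after expiry:",
          audit_zone(SIGNED_ZONE, now="20170301000000")["expired_signatures"])
```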
New Record Types
• DNSKEY – Records holding the public zone signing key and key signing key
• RRSIG – Records holding the cryptographic signatures of the other DNS records
• NSEC – Records cryptographically stitching the other records together
• DS – These point to your zone like an NS record (needed in the parent zone)
How Do I Know It’s Working?
• Use a DNSSEC validating resolver.
• Popular options include:
  • www.internetsociety.org/deploy360/dnssec/
  • www.isc.org/downloads/bind/dnssec/
Takeaways
• If you’re not using DNSSEC, you’re vulnerable to a DNS cache poisoning attack
• Plenty of readily available documentation regarding implementation details
• If we can help, contact us
Securing Core Internet Functions – RPKI
What is RPKI?
• Resource Public Key Infrastructure
• Cryptographically certifies network resources
  • AS Numbers
  • IP Addresses
• Also certifies route announcements
  • Route Origin Authorizations (ROAs) allow you to authorize your block to be routed
Why is RPKI Important?
• Allows routers (or other processes) to validate routes as authorized
• Provides stronger validation than existing technologies, such as:
  • Routing registries
  • LOAs
  • “Seems legit”
Case Study: YouTube
• Pakistan Telecom was ordered to block YouTube
• Naturally, they originated their own route for YouTube’s IP address block
• YouTube’s traffic was temporarily diverted to Pakistan
• Could have been prevented with widespread adoption of RPKI
Case Study: Turk Telekom
• Turkish President ordered censorship of Twitter
• Turk Telekom’s DNS servers were configured to return false IP addresses
  • So people started using Google’s DNS (8.8.8.8)
• Turk Telekom hijacked Google’s IP addresses in BGP
• Could have been prevented with RPKI
Case Study: Bitcoin
• Late 2013 & early 2014, Dell Secure Works noticed /24 announcements being hijacked
  • Amazon, OVH, Digital Ocean, LeaseWeb, Alibaba networks routed to a small network in Canada
• Data between Bitcoin miners and Bitcoin data pools intercepted
  • An estimated haul of $83,000
• Could have been prevented with RPKI
RPKI Basics
• All of ARIN’s RPKI data is publicly available in a repository
• RFC 3779 certificates show who has each resource
• ROAs show which AS numbers are authorized to announce blocks
• CRLs show revoked records
• Manifests list all data from each organization
Hierarchy of Resource Certificates (diagram)
ICANN: 0.0.0.0/0, 0::/0
  ARIN: 128.0.0.0/8, 192.0.0.0/8
    Regional ISP: 128.177.0.0/16
      Some Small ISP: 128.177.46.0/20
    Other Small ISP: 192.78.12.0/24
  LACNIC, AFRINIC, RIPE NCC, APNIC (sibling RIRs under ICANN)
Route Origin Authorizations (ROAs) (diagram: the same certificate hierarchy with a ROA attached to each holder)
ICANN: 0.0.0.0/0, 0::/0
  ARIN: 128.0.0.0/8, 192.0.0.0/8
    Regional ISP: 128.177.0.0/16 – ROA 128.177.0.0/16 AS17025
      Some Small ISP: 128.177.46.0/20 – ROA 128.177.46.0/20 AS53659
    Other Small ISP: 192.78.12.0/24 – ROA 192.78.12.0/24 AS2000
  LACNIC, AFRINIC, RIPE NCC, APNIC
Current Practices (diagram: the same hierarchy and ROAs as the previous slide)
ICANN: 0.0.0.0/0, 0::/0
  ARIN: 128.0.0.0/8, 192.0.0.0/8
    Regional ISP: 128.177.0.0/16 – ROA 128.177.0.0/16 AS17025
      Some Small ISP: 128.177.46.0/20 – ROA 128.177.46.0/20 AS53659
    Other Small ISP: 192.78.12.0/24 – ROA 192.78.12.0/24 AS2000
  LACNIC, AFRINIC, RIPE NCC, APNIC
Using ARIN’s RPKI Repository (Theory)
1. Pull down these files using a manifest-validating mechanism
2. Validate the ROAs contained in the repository
3. Communicate with the router to mark routes: Valid, Invalid, Unknown
4. Ultimately, the ISP uses local policy on how to route using this information.
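The Valid / Invalid / Unknown marking described above, as an added example that is not ARIN's or any validator's code: RFC 6811 route origin validation over the ROAs drawn in the slide's hierarchy, followed by a simple local policy. The slide shows no maxLength values, so each ROA's maxLength is assumed equal to its prefix length; note that the slide's 128.177.46.0/20 has host bits set and normalises to 128.177.32.0/20.

```python
import ipaddress

# ROAs from the slide's example hierarchy: (prefix, maxLength, origin AS).
# maxLength is an assumption (equal to the prefix length, the conservative
# choice); the slide does not show it.
SLIDE_ROAS = [
    ("128.177.0.0/16", 16, 17025),   # Regional ISP
    ("128.177.46.0/20", 20, 53659),  # Some Small ISP (normalises to 128.177.32.0/20)
    ("192.78.12.0/24", 24, 2000),    # Other Small ISP
]


def validate_origin(prefix, origin_as, roas=SLIDE_ROAS):
    """RFC 6811 route origin validation.
    Valid:   a covering ROA has the same origin AS and the route is no more
             specific than that ROA's maxLength.
    Invalid: at least one ROA covers the route but none makes it Valid.
    Unknown: no ROA covers the route at all (RFC 6811 calls this NotFound)."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_as and route.prefixlen <= max_len:
            return "Valid"
    return "Invalid" if covered else "Unknown"


def apply_local_policy(announcements, roas=SLIDE_ROAS, accept_unknown=True):
    """Mark each (prefix, origin_as) and apply one common local policy:
    reject Invalid, prefer Valid (local-pref 200) over Unknown (100).
    Returns a list of (prefix, origin_as, state, local_pref_or_None)."""
    decisions = []
    for prefix, origin_as in announcements:
        state = validate_origin(prefix, origin_as, roas)
        if state == "Valid":
            pref = 200
        elif state == "Unknown" and accept_unknown:
            pref = 100
        else:
            pref = None  # dropped by policy
        decisions.append((prefix, origin_as, state, pref))
    return decisions


if __name__ == "__main__":
    # Constructed announcements: the slide's legitimate origins plus a
    # wrong-origin and a too-specific announcement.
    sample = [("128.177.0.0/16", 17025), ("128.177.32.0/20", 53659),
              ("128.177.32.0/20", 17025), ("192.78.12.0/24", 64496),
              ("192.78.12.0/25", 2000), ("203.0.113.0/24", 2000)]
    for prefix, asn, state, pref in apply_local_policy(sample):
        print(f"{prefix:18} AS{asn:<6} {state:8} local-pref={pref}")
```

The third sample shows the maxLength subtlety: AS17025 holds a ROA for the /16, but its /20 announcement is more specific than that ROA's maxLength and is covered by another holder's ROA, so it is Invalid.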
Using ARIN’s RPKI Repository (Practice)
• Get the RIPE NCC RPKI Validator
Using ARIN’s RPKI Repository (Practice, continued)
• Get the ARIN TAL
  • https://www.arin.net/resources/rpki/tal.html
• Plug it in to your routing policy engine:
  • Directly to the router via RTR protocol
  • Using custom scripts and the REST API
  • As RPSL route objects
Putting Your Routes in the RPKI
1. Determine if you want to allow ARIN to host your Certificate Authority (CA), or if you want ARIN to delegate to your Certificate Authority.
2. Sign up with ARIN Online.
3. Create Resource Certificates and ROAs.
Hosted vs. Delegated RPKI
Hosted
• ARIN has done all of the heavy lifting for you
• Think “point click ship”
• Available via web site or RESTful interface
Delegated using Up/Down Protocol
• A whole lot more work
• Might make sense for very large networks
Hosted RPKI - ARIN Online
Pros
• Easy-to-use web interface
• ARIN-managed (buying/deploying HSMs, etc. is expensive and time consuming)
Cons
• Downstream customers can’t use RPKI
• Large networks would probably need to use the RESTful interface to avoid tedious management
• We hold your private key
Delegated RPKI with Up/Down
Pros
• Allows you to keep your private key
• Follows the IETF up/down protocol
• Allows downstream customers to use RPKI
Cons
• Extremely hard to set up
• Requires operating your own RPKI environment
• High cost of time and effort
Delegated with Up/Down
• You have to do all the ROA creation
• Need to set up a Certificate Authority
• Have a highly available repository
• Create a CPS
RPKI Usage
Columns: Oct 2012, Apr 2013, Oct 2013, Apr 2014, Oct 2014, Apr 2015, Oct 2015, Apr 2016, Oct 2016, Apr 2017 (rows as extracted; some rows carry fewer values than columns)
Certified Orgs: 47 68 108 153 187 220 250 268 292
ROAs: 19 60 106 162 239 308 338 370 414 470
Covered Resources: 30 82 147 258 332 430 482 528 577 640
Up/Down Delegated: 0 0 0 1 2 1 2 2
Takeaways
• If you’re not using RPKI, you’re vulnerable to route hijacking
• Plenty of readily available documentation regarding implementation details
• If we can help, contact us
Q&A
IPv6 Services
Eddie Diego, Senior Resource Analyst
The Road To IPv6 Deployment
• Why Move To IPv6 Now?
• Obtaining IPv6 From ARIN
• Dedicated IPv4 Block For IPv6 Deployment
• IPv6 Address Plans
• IPv6 Deployment Case Studies
• IPv6 Resources
... and a few words about the current state of IPv6 adoption.
Why Move To IPv6 Now?
• Being IPv4-only has costs
  • Transfer market, latency, CGN boxes, NAT
• Generally no additional cost for ISPs & fees recently lowered for end users
• IPv6 gives you access to a reserved IPv4 block
  • One IPv4 /24 per six month period
Requesting IPv6 - ISPs
• Have a previous v4 allocation from ARIN or predecessor registry
OR
• Intend to IPv6 multi-home
OR
• Provide a technical justification which details at least 50 assignments made within 5 years
IPv6 ISP Block Size
• /48 typically assigned to customers
  • Might be smaller, e.g. /56, for residential
• /32 default generally sufficient
  • Enough to number 65k+ customers
• Larger blocks based on:
  • # of serving sites (PoPs, datacenters)
  • # of customers at largest serving site
  • Block size to be assigned
Requesting IPv6 – End Users
• Have a v4 assignment from ARIN
OR
• Intend to IPv6 multi-home
OR
• 2000 IPv6 addresses/200 IPv6 subnets used
OR
• Have 13+ active sites within 12 months
OR
• Technical justification showing ISP-assigned IPs are unsuitable
IPv6 End User Block Size
Number of Sites    Block Size
1                  /48
2-12               /44
13-192             /40
193-3,072          /36
3,073-49,152       /32
Reserved IPv4 for IPv6 Deployment
• /10 reserved under policy in April 2009; 214 /24s issued to date (98.7% remains available)
• Must be used to facilitate IPv6 deployment: dual-stacking key servers, NAT-PT/NAT464, etc.
• Must already have an IPv6 block
• One block per organization every six months, /24 maximum size

Subnetting: IPv4 vs IPv6
• The IPv4 mindset: think in terms of IP addresses ("If a site has 50 devices, I give it a /26")
• The IPv4 mindset does not work for IPv6: the last 64 bits are used for device autoconfiguration, and we have a ton of IPv6 addresses
• The correct IPv6 mindset: think in terms of subnets, not addresses

IPv6 Subnetting (NANOG BCOP)
• Each individual network segment gets a /64; a /64 can hold a near-infinite number of devices
• Subnet on nibble boundaries for DNS: /48, /44, /40, etc.
• Addressing plans should be hierarchical, with each level using subnets of the same size
  • Each site gets a /48
  • Customers generally get a /48
  • PoPs/aggregation points are sized based on the largest one

IPv4 Address Plan: End User (enterprise network)

Hub    Offices/sites    Per office    Addresses    Hub block
SJO    14               /27           448          /23
CHI    15               /28           240          /24
DAL    7                /28           112          /24
ASH    156              /27           4,992        /19

IPv6 Address Plan: End User (enterprise network)

Hub    Offices/sites    Per site    Hub block
SJO    14               /48         /40
CHI    15               /48         /40
DAL    7                /48         /40
ASH    156              /48         /40 (256 /48s)

IPv4 Address Plan: ISP (FTTH ISP network)

Hub            Home users (1 IP each)    Business customers (/29-/24)    Addresses    Hub block
Chula Vista    952                       5                               1,952        /21
Escondido      214                       -                               214          /24
Oceanside      497                       -                               497          /23
El Cajon       497                       4                               997          /22

IPv6 Address Plan: ISP (FTTH ISP network)

Hub            Total users (home + business)    Per customer    Hub block
Chula Vista    1,027                            /48             /36 (4,096 /48s)
Escondido      214                              /48             /36
Oceanside      497                              /48             /36
El Cajon       506                              /48             /36

Anatomy Of An IPv6 Address
2001:0DB8:3007:000A:B9D3:284A:83E2:90DB

• /32 from ARIN: 2001:0DB8
• Hub /36 (next nibble): 0 = Chula Vista, 1 = Escondido, 2 = Oceanside, 3 = El Cajon, 4 = future hub, etc.
• Site /48 (next three nibbles): 001 = El Cajon Site 1, 002 = El Cajon Site 2, ... 007 = El Cajon Site 7
• Subnet /64 (next four nibbles): 0001 = Subnet 1, 0002 = Subnet 2, ... 000A = Subnet 10
• Device /128 (last 64 bits): interface identifier, autoconfigured from the MAC address in this example; RFC 7217 stable or RFC 8981 temporary identifiers avoid exposing the MAC to remote hosts

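The end-user block-size table, the ISP sizing rules, the NANOG BCOP nibble-boundary guidance and the address anatomy above are all one procedure: pick nibble-aligned block sizes top-down, then compose and decompose addresses field by field. The following is an added example, not ARIN's code or any ARIN tool. The 75% fill rule it uses is an assumption chosen because it reproduces every row of the end-user table on this page and the ISP plan's /36-per-hub result; the field layout (/32 ISP, /36 hub, /48 site, /64 subnet) is the one from the anatomy slide, and the sample values are the slide's own.

```python
"""Nibble-aligned IPv6 address planning in the style of the NANOG BCOP.

Added example, not ARIN code. The 75% fill rule is an assumption that
reproduces the end-user block-size table on this page; the /32-/36-/48-/64
field layout matches the "Anatomy of an IPv6 Address" slide.
"""
import ipaddress


def end_user_block_size(num_sites: int, fill: float = 0.75) -> int:
    """Prefix length for an end-user org that gives every site a /48.

    Assumed rule: one site gets a /48; otherwise take the smallest
    nibble-aligned block in which the sites use at most `fill` of its /48s
    (2-12 -> /44, 13-192 -> /40, 193-3,072 -> /36, 3,073-49,152 -> /32, ...).
    """
    if num_sites < 1:
        raise ValueError("need at least one site")
    if num_sites == 1:
        return 48
    prefixlen = 44
    while num_sites > fill * (1 << (48 - prefixlen)):
        prefixlen -= 4
        if prefixlen < 0:
            raise ValueError("too many sites for any IPv6 block")
    return prefixlen


def isp_block_size(num_hubs: int, customers_at_largest_hub: int,
                   customer_prefixlen: int = 48, fill: float = 0.75):
    """Return (per_hub_prefixlen, isp_prefixlen) for a hierarchical ISP plan.

    Every hub gets the same size, chosen so the largest hub fills at most
    `fill` of its customer blocks (BCOP: size on the largest aggregation
    point). The ISP block is nibble-aligned and never smaller than the /32
    default on this page.
    """
    hub_len = customer_prefixlen
    while customers_at_largest_hub > fill * (1 << (customer_prefixlen - hub_len)):
        hub_len -= 4
    isp_len = hub_len
    while num_hubs > (1 << (hub_len - isp_len)):
        isp_len -= 4
    return hub_len, min(isp_len, 32)


def plan_address(isp_block: str, hub: int, site: int, subnet: int, iid: int,
                 hub_len: int = 36, site_len: int = 48, subnet_len: int = 64) -> str:
    """Compose an address from hub / site / subnet indices and an interface ID.

    Each index must fit the width of its field, so a plan with 16 hubs
    cannot silently spill into the site bits.
    """
    net = ipaddress.ip_network(isp_block, strict=True)
    if net.version != 6:
        raise ValueError("IPv6 block required")
    value = int(net.network_address)
    fields = ((hub, net.prefixlen, hub_len), (site, hub_len, site_len),
              (subnet, site_len, subnet_len), (iid, subnet_len, 128))
    for index, start, end in fields:
        width = end - start
        if width <= 0 or not 0 <= index < (1 << width):
            raise ValueError(f"index {index} does not fit in a {width}-bit field")
        value |= index << (128 - end)
    return str(ipaddress.IPv6Address(value))


def locate(address: str, isp_block: str, hub_len: int = 36,
           site_len: int = 48, subnet_len: int = 64) -> dict:
    """Inverse of plan_address: map an address back to hub/site/subnet/iid.

    Useful when triaging logs or flow data: the hub and site fields tell
    you which aggregation point a source address belongs to.
    """
    net = ipaddress.ip_network(isp_block, strict=True)
    addr = ipaddress.IPv6Address(address)
    if addr not in net:
        raise ValueError("address is outside the ISP block")
    value = int(addr)

    def field(start: int, end: int) -> int:
        return (value >> (128 - end)) & ((1 << (end - start)) - 1)

    return {"hub": field(net.prefixlen, hub_len), "site": field(hub_len, site_len),
            "subnet": field(site_len, subnet_len), "iid": field(subnet_len, 128)}


if __name__ == "__main__":
    # Values from the slide: hub 3 (El Cajon), site 7, subnet 10, EUI-64 style IID.
    addr = plan_address("2001:db8::/32", 3, 7, 10, 0xB9D3284A83E290DB)
    print(addr, locate(addr, "2001:db8::/32"))
    print("4 hubs, 1,027 customers at the largest:", isp_block_size(4, 1027))
```

Running it prints the slide's address in compressed form and confirms the slide's plan (a /36 per hub inside a /32). The functions generalize beyond the table: 49,153 sites resolves to a /28, and twenty /36 hubs push the ISP block to a /28, which is the kind of arithmetic to do before filing a request for more than the default.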
IPv6 Deployment Information
• ISOC's Deploy360 program has 16 detailed case studies covering ISPs, hosting providers, enterprise businesses, universities and governments
• ARIN's IPv6 Wiki, https://getipv6.info: DNS, tools, translation services, etc.

ARIN IPv6 Resources
• IPv6 Info Center: www.arin.net/knowledge/ipv6_info_center.html
• www.GetIPv6.info
• www.TeamARIN.net

IPv6 Adoption
How far are we? Depends where you look...
• How many networks have an IPv6 block?
• How many networks are routing IPv6?
• How much traffic is using IPv6?

% of Members with IPv6
(Figure: bar chart by RIR. AfriNIC 34.10%, APNIC 52.83%, ARIN 52.87%; the remaining two bars, LACNIC and RIPE NCC, read 87.55% and 75.11%, but their pairing is not recoverable from the extracted chart.)

Customers with IPv4 & IPv6

Category     IPv4 only    IPv4 & IPv6    IPv6 only
RSP          2,467        2,420          449
End Users    6,432        1,780          295

IPv6 Adoption by ISP Size
(Figure: stacked bars of ISPs with IPv6 vs. without, per fee category, with the number of ISPs in each: 3X-Small (143), 2X-Small (778), X-Small (1,656), Small (1,252), Medium (651), Large (242), X-Large (187), 2X-Large (37), 3X-Large (24), 4X-Large (7). The percentages themselves are not recoverable from the extracted chart.)

IPv6 Requests Since Depletion
(Figure: monthly count of IPv6 requests, Jul 2015 through Nov 2017, on a 0 to 120 scale.)

Routing Table Growth
(Figure: two panels, "IPv4 – First 14 Years" and "IPv6 – First 14 Years".)

Google's IPv6 Traffic Growing
(Figure: Google IPv6 traffic share over time.)

Facebook & Akamai
(Figure: Facebook and Akamai IPv6 traffic statistics.)

Discussion: IPv6 & You
• Do you have an IPv6 block from ARIN? If so, how was the process?
• Have you deployed IPv6?
  • If not, do you plan to? Are there blockers?
  • If so, how is it working? Any experience to share?
• What can ARIN do to help you with IPv6 deployment?

Q&A

Community Engagement with ARIN
Susan Hamlin, Senior Director, Communications and Member Services

Ways to Engage

ARIN Mailing Lists
• ARIN Announce: [email protected]
• ARIN Discussion: [email protected] (members only)
• ARIN Public Policy: [email protected]
• ARIN Consultation: [email protected]
• ARIN Issued: [email protected]
• ARIN Technical Discussions: [email protected]
• Suggestions: [email protected]
https://www.arin.net/participate/mailing_lists/index.html

You Can Participate!

Open Consultations:
• Fee Schedule
• Expanding the Size of the ARIN Board of Trustees
• Prioritizing open suggestions from the community
• Should we remove attachments from mailing lists
• Join arin-consult and share your thoughts

2018 Elections:
• 2-31 July: Call for Nominations
• 20 August: Deadline to establish Voting Contact (each member organization, i.e. each Org ID, has one vote)
• 24 September: Final slate of candidates
• 4-12 October: Online voting

Feedback on New Website
• Visit [email protected] by 4 May
• Click on Feedback, upper right, to complete a short survey
• Your comments are critical to helping us provide you a functional site
• Goals: responsive, intuitive, informative

Q&A

Registration Services Department Update
Eddie Diego, Senior Resource Analyst

RSD Team
• Senior Director: John Sweeting
• Managers: Cathy Clements, Lisa Liedel, Jon Worley
• Senior Resource Analysts: Eddie Diego, Mike Pappano
• Resource Analysts: Misuk Kwon, Doreen Marraffa, James Ricewick, Jonathan Roberts, Shawn Sullivan
• Paralegal: Suzanne Rogers

RSD Support Functions
• Policy development & implementation: staff assessments and implementation plans
• Software development support: provide requirements, perform testing and give feedback
• Outreach: ARIN On The Road, trade shows, presentations
• Statistics & database analysis: collect and provide monthly statistics to the Communications & Member Services Department; respond to community requests for data, research, and statistics

Organizations Served (37,679 total)
• Registration Services Plan (RSP): 5,536 (15%)
• End User: 15,893 (42%)
• Legacy: 16,250 (43%)

Internet Routing Registry (IRR)
• Used to publish routing information (route and aut-num objects that others build filters from)
• The current IRR is not integrated with the registration database (Whois), so IRR objects are not checked against the registered holder of the resources
• Work is beginning on a new IRR this year

IPv6 Outreach Campaign
(Figure: campaign graphic.)

2017 ASN Requests
(Figure: monthly count of ASN requests, Jan 2017 through Dec 2017, on a 0 to 250 scale.)

2017 ASNs Issued
(Figure: monthly count of ASNs issued, Jan 2017 through Dec 2017, on a 0 to 200 scale, split into 4-byte ASNs and 2-byte ASNs.)

Telephone Help Desk
• Phones staffed 7 AM to 7 PM ET, Monday through Friday
• Average wait time: 17 seconds
• Most common topics: point of contact validation, ticket status, ARIN Online use, transfer-related questions

Open Mic Session

Today's Takeaways:
• You make ARIN's Internet number resource policy
• Apply for IPv6 addresses and get started
• Consider implementing DNSSEC & RPKI
• ARIN serves you, our community
• Share your opinions, reach out to us with questions and suggestions - engage

ARIN Fellowship Program: https://www.arin.net/participate/meetings/fellowship.html

Fill out & submitthe survey for your chance to win a
$100 Amazon Gift Card!