B R I N G I N G Y O U A N S W E R S

|MINNEAPOLIS, MN 1 MAY 2018

#AOTR

Here Today From ARINEddie Diego - Senior Resource Analyst

David Farmer - ARIN Advisory Council

Susan Hamlin – Senior Director, Communications & Member Services

Richard Jimmerson – Chief Information Officer

#AOTR

Housekeeping items

Wireless: Hyatt Meeting Space

Password: ARIN2018

Agenda review

Before We Get Started…

#AOTR

Welcome & Introductions9:30 - 9:45 AMARIN's Mission & Core Functions9:45 -10:15 AMARIN Technical Services10:15 -10:45 AM

BreakARIN Internet Number Resource Policy10:55 -11:30 AM IPv4 Services – Wait List, Transfers, and more11:30 -12:00 PMLunch12:00 - 1:00 PM

Morning Agenda

#AOTR

ARIN Security Services 1:00 - 1:30 PMARIN IPv6 Services1:30 - 2:15 PM

BreakCommunity Engagement with ARIN2:30 - 3:00 PMRegistration Services Department Update3:00 - 3:15 PMOpen Microphone and Wrap-up3:15 - 3:30 PM

Afternoon Agenda

#AOTR

Self Introductions•Name•Organization and type of business•Any questions you would like answered•Any topics not on the agenda you would like

presented

Let’s Get Started!

#AOTR

ARIN 101

Susan HamlinSenior Director, Communications and

Member Services

#AOTR

Why Are We Here?

ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.

#AOTR

ARIN’s Service Region

The ARIN Region includes many Caribbean and North Atlantic islands, Canada, the

United States and outlying areas.

#AOTR

IP Address and Autonomous System Number Provisioning Process

#AOTR

Many networks first encounter ARIN when they need an AS number for BGP

Others encounter ARIN when they want to get portable IP addresses to avoid renumbering

ARIN’s most fundamental function is registration of IP addresses and AS numbers to ensure global uniqueness

… and to operate directory services which allow the public to determine who those IP addresses and AS numbers are registered to

But it all starts with you…

#AOTR

Organizations served by ARIN37,000+

Organizations under contract with ARIN21,000+

ARIN member organizations5700+

Professional staff85+

Anyone with an interest in Internet number resource management in the ARIN region can be part of the ARIN community.

Who are you?

#AOTR

IP address allocations & assignments

ASN assignment

Transfers

Reverse DNS

Record Maintenance

ARIN Manages:

#AOTR

ARIN customer web portal

Security (DNSSEC, RPKI)

Whois-RWS

Whois and Registration Data Access Protocol (RDAP) directory servicesOperational Test & Evaluation (OT&E) Environment

ARIN Services

#AOTR

The community (that’s you!) decides what rules ARIN should apply when issuing IP addresses and AS numbers

ARIN staff are prohibited from setting policy

… but we do facilitate the policy development process (PDP) to enable the community to create & maintain policies

Fostering an open, transparent, fair, and bottom-up policy process is another key ARIN function

But who sets the rules?

#AOTR

15 Member Advisory Council elected by the membership

5 seats open each

year/election

Serves in an advisory

capacity to the Board on Internet number

resource policy and related

matters

Forwards consensus-

based policy proposals to the Board for ratification

Advisory Council

#AOTR

And who sets the fees?

Fees are set by ARIN’s Board of Trustees (BoT), who are elected by ARIN’s members

Members are primarily ISPs but can also include end users

The Board of Trustees is responsible for setting ARIN’s fee structure and providing overall guidance to ARIN’s operations and strategic plan

Conducting open and fair elections is a third key ARIN function

#AOTR

7 Member Board of Trustees

6 elected by the

membership plus

President & CEO – all

voting

2 seats open each

election/year

Ability to appoint an additional

voting member for

diversity

Authority over the scope,

mission, and establishes

the strategic direction and fiscal oversight

Board of Trustees

#AOTR

Manage efficient allocation of Internet number resources in the ARIN region

Educate the community about ongoing IPv6 adoption

Coordinate with other RIRs on registry processes and technology to maintain a globally consistent and useable registry system

Work cooperatively with network operator forums in the region as appropriate

Maintain, develop and enhance functionality of ARIN services as sought by users and supported by membership

2018 Strategic Plan:

https://www.arin.net/about_us/corp_docs/stratplan-2018-2019.pdf

#AOTR

Policy Development through Public Policy Meetings and

Consultations

Work closely with the technical community to ensure education,

empowerment, engagement

Collaborate with Caribbean organizations to maximize

inclusion

Outreach & Engagement

#AOTR

Educational Materials library

https://www.arin.net/knowledge

Instructional Video Libraryhttp://youtube.com/teamarin

In-person Training & Education•Speakers

bureau

Training and Education

#AOTR

Get6 - teamarin.net/get6/

Focus on getting public websites IPv6-enabled

Featuring Forward Thinkers who have done it already

Wiki list of IPv6 webhosters, DNS providers, trainers, & consultants -getipv6.info

IPv6 Outreach

#AOTR

Foster global working relationships

Be a key technical resource

Support cooperation and direct involvement alongside governments and international organizations

Global Engagement

#AOTR

What about the rest of the world?

Regional Internet Registry Structure:

Independent * Not-for-profit * Membership-basedCommunity driven

#AOTR

The Number Resource Organization

The NRO exists to protect the unallocated number resource pool, to promote and protect the bottom-up policy development process, and to act as a focal point for Internet community input into the RIR system.

https://www.nro.net/

#AOTR

Number Resource Organization Number Council (NRO NC) & Address Supporting Organization Advisory

Council (ASO AC)

15 member body/3 per

RIR

2 elected and one

appointed

Global policy

development process

Selects ICANN

Board seats 9 and 10

Gives advice to ICANN Board on number resource

allocation policy, in

conjunction with the RIRs

NRO NC/ ASO AC

#AOTR

Q&A

#AOTR

ARIN Technical Services

Richard JimmersonChief Information Officer

#AOTR

How Many Records Do We Manage?3,069,469 (57,764 Direct, 3,011,705 Indirect)Networks

25,920ASNs

606,584Reverse DNS Delegations

3,183,197 (733,927 Org IDs, 2,449,270 Customers)Organizations

725,975Points of Contact

133,717 Web Users:

7,744,862... For a grand total of

#AOTR

Major Technical Service Areas

Core Registry Functions (ARIN Online)• Resource Registration & Management• Whois• Reverse DNS• Internet Routing Registry

New Services• Web-based reassignment management (SWiP-EZ)• DNSSEC & RPKI• WhoWas• RDAP• RESTful Interfaces• Operational Test & Evaluation Environment (OT&E)

Technical Support

#AOTR

Core Registry Services – ARIN Online

Registering ASNs and IPv4/IPv6

blocks

Transferring ASNs and IPv4/IPv6

blocks

Managing org &

contact information

Managing reverse DNS

& RPKI

Bulk Whois and

WhoWas Reports

Invoices and Bill

Payment

All now available via ARIN Online

#AOTR

ARIN Online - Total Users

2,72712,799

29,831

49,52464,185

78,07492,866

107,627120,785

133,717

0

20,000

40,000

60,000

80,000

100,000

120,000

140,000

160,000

2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

#AOTR

Web-Based Reassignment Management

Manage customer reassignments (SWIPs) via ARIN Online

Comprehensive reassignment report

•Generates a spreadsheet of all reassignments made from your space along with holes (unassigned space)

Recommended for ISPs managing a small number of records

#AOTR

WhoWas

Spreadsheet with registration history for one ASN/IP address

Requested by the community

Common uses include

• Researching the history of an IPv4 block prior to entering into a transfer• Investigating possible unauthorized changes• Law enforcement

#AOTR

Registration Data Access Protocol (RDAP)

Can offer referral responses

If you ask ARIN for a record that’s held by another RIR, we point you to it

Provides standardized HTTP-based RESTful JSON responses

“Plays well with machines”

Designed by the IETF to replace Whois

Whois was designed for humans to read, not for machines to interact with

#AOTR

RDAP In ActionClient ARIN APNIC

45.65.1.1?

Ask ARIN

45.65.1.1?

Ask APNIC

Bootstrap Server

45.65.1.1?

JSON

#AOTR

Automating With REST Services

What is REST?

REpresentational State Transfer

Uses HTTP & URLs to create, read, update, and delete data

Widespread industry adoption

Easily understood

Any modern programmer can incorporate it

#AOTR

The BIG Advantage of REST

Allows you to automate your interactions with ARIN•Customer reassignment management•Reverse DNS management

Can use existing tools•ARINcli•6connect•https://github.com/arineng•http://projects.arin.net

Or, write your own!

#AOTR

What does REST look like?

http://whois.arin.net/rest/poc/KOSTE-ARIN

Where the data is.

What type of data it is.The ID of the data.

It’s a standard URL. Anyone can use it.Go ahead, put it into your browser.

#AOTR

Reg-RWS Transactions (cumulative)

408k596k 846k

1.0M

1.3M

1.5M1.7M

2.0M 2.2M2.4M

2.5M2.8M

40k320k 841k

3.5M

4.3M

4.7M5.0M

5.6M6.0M 6.2M

6.5M

7.1M

0

1,000,000

2,000,000

3,000,000

4,000,000

5,000,000

6,000,000

7,000,000

8,000,000

ARIN29 ARIN30 ARIN31 ARIN32 ARIN33 ARIN34 ARIN35 ARIN36 ARIN37 ARIN38 ARIN39 ARIN 40

#AOTR

For more information…

RESTful Web Services

O�Reilly Media

Leonard Richardson Sam Ruby

#AOTR

Operational Test & Evaluation (OT&E)

Lots of people test in production•Is not the best place to test•Things do get stuck – may impact others•Operational Test & Evaluation

Goodness of OT&E•Place to test code/processes•All services now under ote.arin.net except email•https://www.arin.net/resources/ote.html

#AOTR

Technical Support

Ask ARIN (inside ARIN Online)

Phone Help Desk•7AM – 7PM ET M-F•+1.703.227.0660

arin-tech-discuss mailing list•Make sure to subscribe•Archives contain useful information

#AOTR

In the works… a new design!

#AOTR

Q&A

#AOTR

ARIN Internet Number Resource Policy

…your participation matters

David FarmerARIN Advisory Council

#AOTR

ARIN’s Policy Development Process Video

#AOTR

What Are Internet Number Resource Policies?

ARIN applies policies to manage Internet number resources and certain directory/registration services

Policies are given effect through the application of business rules and operating procedures

#AOTR

The Number Resource Policy Manual (NRPM) is the collection of all ARIN policies, arranged by topic.

Topics include:

•Definitions•Directory Services•IPv4•IPv6•AS Numbers•Transfers

View the NRPM at:

•https://www.arin.net/policy/nrpm.html

What is the NRPM?

#AOTR

NRPM 4.3.1 - End-users

ARIN assigns blocks of IP addresses to end-users who

request address space for their internal use in running their own

networks, but not for sub-delegation of those addresses outside their organization. End-

users must meet the requirements described in these guidelines for justifying the assignment of an

address block.

Policy Example

#AOTR

Internet number resource policy must:

Enable fair and impartial number resource administration

Be technically sound (providing for uniqueness and usability of number resources)

Have support from the community

Policy Principles

#AOTR

Where do Policies Come From?

Proposals for policy change can come from anyone, and follow a basic email template:

Proposals go to policy@arin.net

#AOTR

Proposal – Someone sends a Proposal to policy@arin.netusing the approved template

The Advisory Council (AC) Chair assigns AC shepherds• Shepherds manage the Proposal, working closely with the author(s) and

encourage feedback• To be accepted as a Draft Policy, a proposal must contain a clear

problem statement and be within the scope of ARIN's mission

Draft Policy- Work in progress, discussed on the mailing list and at Public Policy Meetings and Consultations• Once a Draft Policy meets the Principles of Internet Number Resource

Policy, the AC may recommended it for adoption

Policy Development Process (PDP)

#AOTR

Recommended Draft Policy – More discussion and presentation at meeting(s). Does the community support turning this into policy?

Last Call

Board Review and Adoption

Staff Implementation (NRPM)

Policy Development Process (PDP)

#AOTR

The community may petition for or against several AC actions, including:

Against the rejection of a Proposal

Against the abandonment of a Draft Policy or Recommended Draft Policy

For the movement of a Proposal to Draft Policy status

For the movement of a Draft Policy to Recommended Draft Policy status

Movement of a Recommended Draft Policy to Last Call status

Petitions

#AOTR

Open• Developed in open forums• Anyone can participate

Transparent• All aspects documented and available on website

Bottom-up• Policies developed by the community• Staff implements, but does not make policy

Principles of the PDP

#AOTR

A single community member can propose a policy change, or spark an important discussion in support or opposition to a potential change.

Many significant policies have gone through the entire PDP with only a handful of voices speaking for or against them.

The Importance of Participation

#AOTR

Update to NPRM 3.6: Annual Whois POC Validation2017-3

Amend Community Networks2017-8Repeal of Immediate Need for IPv4 Address

Space (NRPM Section 4.2.1.6)2017-10Require New POC Validation Upon Reassignment2017-12

Remove ARIN Review Requirements for Large IPv4 Reassignments/ Reallocations2017-13

Last Call (Ends 7 May)

#AOTR

Allow Inter-regional ASN Transfers2018-1

Recommended Draft Policies

#AOTR

• Clarification to ISP Initial Allocation and Permit Renumbering2018-2:

• Clarification on IPv6 Sub-Assignments2018-3:

• Remove Reallocation Requirements for Residential Market Assignments2018-4:

Draft Policies Under Discussion

#AOTR

• Community review ended 23 March• Advanced to the Board off Trustees

23 April• Awaiting Board of Trustees review

Reallocation and Reassignment

Language Cleanup (formerly Draft Policy

ARIN-2017-11)

• Community review ended 19 April• Awaiting Advisory Council review

Correct References to RWhois (formerly

ARIN-prop-251)

Draft Policies Under Discussion

#AOTR

NRPM CleanupARIN-prop-255

Proposals Under Review

#AOTR

Your Voice Matters!

ARIN’s community is diverse, and the more participants

there are, the more balanced and

comprehensive ARIN policy can be!

#AOTR

Join the Public Policy Mailing List at http://lists.arin.net/mailman/listinfo/arin-ppml

Attend Public Policy Meetings

• October 2018 – Vancouver• Remote participation supported - attend from anywhere!

Attend Public Policy Consultations

• Held as needed during NANOG meetings in February and June• Remote participation supported

Get Involved!

#AOTR

ARIN doesn't create number policy, you do. It’s as easy as submitting a proposal.

Policy development includes assistance from the ARIN Advisory Council throughout the process.

Stay informed. Join the policy list and/or attend meetings (in person or remotely).

Takeaways

#AOTR

Policy Development Process (PDP)•http://www.arin.net/policy/pdp.html

Draft Policies and Proposals•http://www.arin.net/policy/proposals/index.html

Number Resource Policy Manual (NRPM)•http://www.arin.net/policy/nrpm.html

References

#AOTR

Q&A

#AOTR

IPv4 Services

Eddie DiegoSenior Resource Analyst

#AOTR

Overview

IPv4 Request Activity

Reserved IPv4 Space

IPv4 Waiting List

IPv4 Transfer Market

Specified Transfer Listing Service (STLS)

#AOTR

IPv4 Requests Since Depletion

0

50

100

150

200

250

300

350

400

450

Jul-15 Oct-15 Jan-16 Apr-16 Jul-16 Oct-16 Jan-17 Apr-17 Jul-17 Oct-17

#AOTR

IPv4 Waiting List

Requesters have the waiting list option• Initial /21 (ISP) or /24 (EU) with no justification• Larger blocks based on 24 month need• Requester may specify a smaller acceptable

size• One request per org on the list at a time

Oldest requests filled first

Requests met by transfer are removed

#AOTR

IPv4 Waiting List – Block Sources

IANA Redistribution (2x a year)•Down from /11 May 2014 to /20 September 2017

Returned IPv4 Blocks

Revoked IPv4 Blocks•Generally for nonpayment

Lengthy review process before reissue

#AOTR

Reissue Review Process

• RSD analyzes returned/revoked blocks• Unrouted blocks get priority over routed blocks• Need verification the return/revoke was done properly

• FSD confirms fees unpaid & notices sent

•Meeting held to confirm reissue• Legal review• 4 management team signatures required• 20-40 blocks reviewed in each meeting

• 328 blocks currently in the review process

#AOTR

IPv4 Waiting List Growth

0

50

100

150

200

250

300

350

400

450

Jun-15 Oct-15 Feb-16 Jun-16 Oct-16 Feb-17 Jun-17 Oct-17

#AOTR

IPv4 Waiting List Statistics

Of the 913 requests added:

503 (55%) have been filled•Last request filled waited ~8 months

212 (23%) dropped off•Most got IPv4 via the transfer market

198 (22%) still waiting•Oldest added 16 Aug 2016

#AOTR

Waiting Time

•Average 15 months wait•Longest wait: 24 months

Of the 503 completed

requests:

•Average 7 months before close•Longest wait: 21 months (filled

via transfer)

Of the 212 closed

requests:

#AOTR

IPv4 Critical Infrastructure Reserve

2 /16s reserved for: • Public exchange points• ICANN-sanctioned Core DNS

operators• RIRs• IANA

New gTLDs not eligible

15.4% used

#AOTR

Reserved IPv4 for IPv6 Deployment

..... stay tuned. J We’ll discuss this policy in the IPv6 presentation.

#AOTR

Mergers and Acquisitions (NRPM 8.2)• Traditional transfer

resulting from a merger, acquisition, or reorganization supported by legal documentation

Transfers to Specified Recipients (NRPM 8.3)• IPv4 market transfer from

one organization to another that it specifies, supported by justified need (within region)

Inter-RIR transfers to Specified Recipients (NRPM 8.4)• IPv4 market transfer from

one organization to another that it specifies, supported by justified need (between regions)

IPv4 Transfer Policies

#AOTR

Specified Recipient Transfer

Allows orgs with unused IPv4 resources to transfer them to orgs in need of IPv4 resources

Source

Must be current registrant, no disputes

Not have received addresses from ARIN for 12 months prior

Recipient

Demonstrate need for 24-month supply under

current ARIN policy

#AOTR

Specified Recipient Transfer Growth

0

50

100

150

200

250

Jul-15 Oct-15 Jan-16 Apr-16 Jul-16 Oct-16 Jan-17 Apr-17 Jul-17 Oct-17

#AOTR

Inter-RIR Transfers

RIR must have reciprocal, compatible needs-based policies• Currently APNIC and RIPE NCC

Transfers from ARIN• Source cannot have received IPv4 from ARIN 12 months prior to transfer • Must be current registrant, no disputes• Recipient meets destination RIR policies

Transfers to ARIN• Must demonstrate need for 24-month supply under current ARIN policy

#AOTR

Inter-RIR Transfers Completed

0

5

10

15

20

25

Jul-15 Oct-15 Jan-16 Apr-16 Jul-16 Oct-16 Jan-17 Apr-17 Jul-17 Oct-17

#AOTR

IPv4 Consumption

0

50000

100000

150000

200000

250000

300000

350000

400000

450000

Jun-14Nov-14

Apr-15Sep-15

Feb-16Jul-16

Dec-16May-17

Oct-17

Tota

l /24

s

Free Pool Transfer Market

#AOTR

IPv4 Workload

050

100150200250300350400450500

Jul-15Oct-15

Jan-16Apr-16 Jul-16

Oct-16Jan-17

Apr-17 Jul-17Oct-17

IPv4 Requests Market Transfer Requests

#AOTR

Transfer Pre-Approval

Optional free service to confirm your 24 month projected IPv4 need

Receive IPv4 addresses via multiple need-based transfers up to the pre-approved amount over the next 24 months

$300 fee to complete each transfer

• Now paid at the time transfer is submitted

#AOTR

Specified Transfer Listing Service (STLS)

Optional fee-based service to facilitate specified recipient and inter-RIR transfers

• Sources have IPv4 addresses verified as available• Recipients have a verified need for IPv4 addresses• Facilitators arrange transfers between parties

Approved participants can view detailed information for all other participants

Public summary available on ARIN’s website

• Available block sizes• # of source ORGs and approved block sizes• List of facilitators with contact information

#AOTR

TakeawaysIPv4 consumption still strong

If you need IPv4:•Get pre-approved & look at transfer market•Get an IPv6 block & use reserved IPv4 block for

IPv6 deployment policy•Wait List an option if you can defer need

IPv6 is the future

#AOTR

Q&A

#AOTR

LUNCH

Starting back at 1:00 PM

#AOTR

ARIN Security Services

Richard JimmersonChief Information Officer

#AOTR

Two-Factor AuthenticationAvailable for all ARIN Online accounts

In use today by 2,744 ARIN Online users

Strengthens the security of your account beyond standard password and challenge question recovery methods

Currently supported authenticators:

• Google Authenticator• Salesforce Authenticator• FreeOTP

• https://www.arin.net/features/twofactor.html

#AOTR

DNS Security (DNSSEC)

A DNS extension which authenticates responses •When you ask how to get to www.arin.net,

DNSSEC verifies the answer is from ARIN and not someone pretending to be us

Doesn’t ensure the answer is correct, just that it’s coming from the right place

#AOTR

Why is DNSSEC Important?

Standard DNS is not secure•Trivial to spoof (provide false responses)•... so an attacker can redirect people looking for

www.arin.net to his own site•... and then steal login information.

DNSSEC is (surprise) secure•An attacker can try to redirect traffic, but DNSSEC

will show it’s not a valid response

#AOTR

DNS Cache Poisoning

Attacker gives the nameserver a

“poisoned” (incorrect) response

to www.arin.net

If accepted, this nameserver will

direct people to the fake site, typically for

hours

... and any nameservers that trust the poisoned

one will also become poisoned.

#AOTR

Case Study: Kashpureff Attack

Eugene Kashpureff didn’t like Internic’s control of top level domains

In 1996, he used DNS cache poisoning to redirect Internic traffic to his own site

Kashpureff was eventually convicted of computer fraud

This attack could have been prevented with DNSSEC

#AOTR

Case Study: Kaminsky Flaw

2008: Dan Kaminsky discovered a fundamental flaw in the DNS protocol• 65,536 Transaction IDs in DNS makes it easy to guess the right

one & spoof

Updates to DNS software makes this flaw more difficult to exploit, but not impossible

These attacks can be prevented with DNSSEC

#AOTR

Case Study: Bradesco

Bradesco is a bank in Brazil

DNS cache poisoning attack resulted in 1% of the bank’s customers being redirected to a fake site•Getting login credentials for 1% of a large bank’s customers

could be disastrous

Networks not using DNSSEC are vulnerable to a similar attack

#AOTR

Other UsesProtect DKIM & SPF

• Without DNSSEC, an attacker can make use your email addresses for spam.

SSH Initial Host Key Exchange• Protect SSH Fingerprint (SSHFP) records.

PGP Key Distribution• Use _pka records to distribute PGP keys easily usable by GnuPG

DANE• Coming standard from the IETF to use DNS as a global public key

infrastructure.

#AOTR

DNSSEC Usage Statistics

ARIN 39

Number of Orgs with DNSSEC 139

Total Number of Delegations 620,412

DNSSEC Secured Zones 671

Percentage Secured 0.11 %

#AOTR

Using DNSSEC with ARIN

Remember: this is for reverse DNS, not forward DNS

Use your DNS server software to:

• Generate your key pair• Create DS records to upload to ARIN via ARIN Online

or Reg-RWS• Sign your DNS zones

#AOTR

DNSSEC Configuration

Ensure the required DNSKEY, RRSIG, NSEC, and DS records are published in your nameservers• Consult your zone file…..

ARIN provides only reverse DNSSEC

• Make sure to also secure your forward DNS through your domain registrar

#AOTR

How It WorksDNSSEC adds new resource records into your zone file.

These records are signed off-line.

Two types of public/private key pairs

•Zone Signing Key (ZSK) is used to sign records in the zone•Key Signing Key (KSK) signs the ZSK. Usually longer lived than the

ZSK.

#AOTR

Signed & Unsigned Zones0.43.199.in-addr.arpa. 10800 IN SOA ns1.arin.net. dns-ops.arin.net. 2016072520 10800 3600 604800 36000.43.199.in-addr.arpa. 10800 IN NS ns1.arin.net.0.43.199.in-addr.arpa. 10800 IN NS ns2.arin.net.0.43.199.in-addr.arpa. 10800 IN NS ns2.lacnic.net.0.43.199.in-addr.arpa. 10800 IN NS sec1.apnic.net.0.43.199.in-addr.arpa. 10800 IN NS sec1.authdns.ripe.net.1.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-1.arin.net.10.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-10.arin.net.

0.43.199.in-addr.arpa. 10800 IN SOA ns1.arin.net. dns-ops.arin.net. 2016072520 10800 3600 604800 36000.43.199.in-addr.arpa. 3600 IN RRSIG NSEC 5 5 3600 20170131143127 20170117133127 13093 0.43.199.in-addr.arpa. p33dgTSLyg/qoDuoN6XGRFUwfRdILdYQtJfl/i077aLZA/usJ0r3furj 3FikILZOodCWez0yiKYwKaUYlGiFgZyWSlDTrbMgnLBG162tQrby8wAQ Ke1mOYRBdSOT6swRzhJx6rRRSH4C0/3YpQqmKZsplQisyTdbykhy4N3h 38M=…0.43.199.in-addr.arpa. 10800 IN DNSKEY 256 3 5 AwEAAXCN3mUJUntP90L4F4oNxxlzKFos9FYD0wxTqxoWueBjFVAvS9vt FSAC7sV4yqKF3NbOOgk81Ep8n8BLZ3vvhnL8/y6Gf3K+d/yvK248ZWR6 +r+AAsV6icMEloQhaJzuam/eMrlj4kJ96lVjFvMEwdPNNSYzen30OfpC sswVvamh…0.43.199.in-addr.arpa. 3600 IN NSEC

1.0.43.199.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY0.43.199.in-addr.arpa. 10800 IN NS ns1.arin.net.…1.0.43.199.in-addr.arpa. 10800 IN PTR host-199-43-0-1.arin.net.…

A signed zone file will have RRSIG, NSEC, and

DNSKEY records.

#AOTR

New Record TypesRecords holding the public zone signing

key and key signing keyDNSKEYRecords holding the cryptographic signatures of the other DNS recordsRRSIG

Records cryptographically stitching the other records togetherNSEC

These point to your zone like an NS record (needed in the parent zone)DS

#AOTR

How Do I Know It’s Working?

Use a DNSSEC validating resolver.

Popular options include:•www.internetsociety.org/deploy360/dnssec/•www.isc.org/downloads/bind/dnssec/

106

#AOTR

TakeawaysIf you’re not using DNSSEC, you’re vulnerable to a DNS

cache poisoning attack

Plenty of readily available documentation regarding

implementation details

If we can help, contact us

#AOTR

Securing Core Internet Functions – RPKI

#AOTR

What is RPKI?

Resource Public Key Infrastructure

Cryptographically certifies network resources• AS Numbers• IP Addresses

Also certifies route announcements• Route Origin Authorizations (ROAs) allow you to

authorize your block to be routed

#AOTR

Why is RPKI Important?

Allows routers (or other processes) to validate routes as authorized

Provides stronger validation than existing technologies, such as:•Routing registries•LOAs•“Seems legit”

110

#AOTR

Case Study: YouTube

Pakistan Telecom was

ordered to block YouTube Naturally, they

originated their own route for YouTube’s

IP address block

YouTube’s traffic was temporarily diverted to

Pakistan

Could have been

prevented with widespread adoption of

RPKI

#AOTR

Case Study: Turk Telekom

Turkish President ordered censorship of Twitter

Turk Telekom’s DNS servers were configured to return false IP addresses• So people started using Google’s DNS (8.8.8.8)

Turk Telekom hijacked Google’s IP addresses in BGP

Could have been prevented with RPKI

#AOTR

Case Study: Bitcoin

Late 2013 & early 2014, Dell Secure Works noticed /24 announcements being hijacked•Amazon, OVH, Digital Ocean,

LeaseWeb, Alibaba networks routed to a small network in Canada

Data between Bitcoin miners and Bitcoin data pools intercepted•An estimated haul of $83,000

Could have been prevented with RPKI

#AOTR

RPKI Basics

All of ARIN’s RPKI data is publicly available in a repository

RFC 3779 certificates show who has each resource

ROAs show which AS numbers are authorized to announce blocks

CRLs show revoked records

Manifests list all data from each organization

#AOTR

Hierarchy of Resource Certificates

115

ICANN0.0.0.0/0

0::/0

ARIN128.0.0.0/8 192.0.0.0/8

Regional ISP128.177.0.0/16

Some Small ISP128.177.46.0/20

Other Small ISP192.78.12.0/24

LACNIC AFRINICRIPENCC APNIC

#AOTR

Route Origin Authorizations (ROAs)

116

ICANN0.0.0.0/0

0::/0

ARIN128.0.0.0/8 192.0.0.0/8

Regional ISP128.177.0.0/16

Some Small ISP128.177.46.0/20

Other Small ISP192.78.12.0/24

LACNIC AFRINICRIPENCC

APNIC

128.177.46.0/20AS53659

128.177.0.0/16AS17025 192.78.12.0/24

AS2000

#AOTR

Current Practices

117

ICANN0.0.0.0/0

0::/0

ARIN128.0.0.0/8 192.0.0.0/8

Regional ISP128.177.0.0/16

Some Small ISP128.177.46.0/20

Other Small ISP192.78.12.0/24

LACNIC AFRINICRIPENCC APNIC

128.177.0.0/16AS17025

192.78.12.0/24AS2000

128.177.46.0/20AS53659

#AOTR

Using ARIN’s RPKI Repository (Theory)

Ultimately, the ISP uses local policy on how to route to use this information.

Communicate with the router to mark routes:

Valid Invalid Unknown

Validate the ROAs contained in the repository

Pull down these files using a manifest-validating mechanism

118

#AOTR

Using ARIN’s RPKI Repository (Practice)

Get the RIPE NCC

RPKI Validator

119

#AOTR

Using ARIN’s RPKI Repository (Practice, continued)

Get the ARIN TAL•https://www.arin.net/resources/rpki/tal.html

Plug it in to your routing policy engine:•Directly to the router via RTR protocol•Using custom scripts and the REST API•As RPSL route objects

120

#AOTR

Putting Your Routes in the RPKI

Determine if you want to allow ARIN to host your Certificate Authority (CA), or if you want ARIN to delegate to your Certificate Authority.

Sign up with ARIN Online.

Create Resource Certificates and ROAs.

#AOTR

Hosted vs. Delegated RPKI

Hosted

•ARIN has done all of the heavy lifting for you

•Think “point click ship”•Available via web site

or RESTful interface

Delegated using Up/Down Protocol

•A whole lot more work•Might make sense for

very large networks

122

#AOTR

Hosted RPKI - ARIN Online

Pros

• Easy-to-use web interface

• ARIN-managed (buying/deploying HSMs, etc. is expensive and time consuming)

Cons

• Downstream customers can’t use RPKI

• Large networks would probably need to use the RESTful interface to avoid tedious management

• We hold your private key

123

#AOTR

Delegated RPKI with Up/Down

Pros

•Allows you to keep your private key

•Follows the IETF up/down protocol

•Allows downstream customers to use RPKI

Cons

•Extremely hard to set up

•Requires operating your own RPKI environment

•High cost of time and effort

124

#AOTR

Delegated with Up/DownYou have to do all the ROA creation

Need to set up a Certificate Authority

Have a highly available repository

Create a CPS

125

#AOTR

RPKI UsageOct2012

Apr2013 Oct 2013 Apr 2014 Oct 2014 Apr 2015 Oct 2015 Apr 2016 Oct 2016 Apr 2017

Certified Orgs 47 68 108 153 187 220 250 268 292

ROAs 19 60 106 162 239 308 338 370 414 470

Covered Resources 30 82 147 258 332 430 482 528 577 640

Up/Down Delegated 0 0 0 1 2 1 2 2

#AOTR

Takeaways

If you’re not using RPKI,

you’re vulnerable to

route hijacking

Plenty of readily available

documentation regarding

implementation details

If we can help, contact us

#AOTR

Q&A

#AOTR

IPv6 Services

Eddie DiegoSenior Resource Analyst

#AOTR

The Road To IPv6 Deployment

Why Move To IPv6 Now?

Obtaining IPv6 From ARIN

Dedicated IPv4 Block For IPv6 Deployment

IPv6 Address Plans

IPv6 Deployment Case Studies

IPv6 Resources

... and a few words about the current state of IPv6 adoption.

#AOTR

Why Move To IPv6 Now?

Being IPv4-only has costs

•Transfer market, latency, CGN boxes, NAT

Generally no additional cost for ISPs & fees recently lowered for end users

IPv6 gives you access to a reserved IPv4 block

•One IPv4 /24 per six month period

131

#AOTR

Requesting IPv6 - ISPs

•Have a previous v4 allocation from ARIN or predecessor registry

OR• Intend to IPv6 multi-home

OR•Provide a technical justification which details at least 50 assignments made within 5 years

132

#AOTR

IPv6 ISP Block Size

• Might be smaller, e.g. /56, for residential/48 typically assigned to customers

• Enough to number 65k+ customers/32 default generally sufficient

• # of serving sites (PoPs, datacenters)• # of customers at largest serving site• Block size to be assigned

Larger blocks based on:

133

#AOTR

Requesting IPv6 – End Users

Have a v4 assignment from ARINOR

Intend to IPv6 multi-home OR

2000 IPv6 addresses/200 IPv6 subnets usedOR

Have 13+ active sites within 12 monthsOR

Technical justification showing ISP-assigned IPs are unsuitable134

#AOTR

IPv6 End User Block Size

37

Number of Sites Block Size

1 /48

2-12 /44

13-192 /40

193-3,072 /36

3,073-49,152 /32

#AOTR

Reserved IPv4 for IPv6 Deployment

/10 reserved under policy in April 2009 214 /24s issued to date (98.7% remains available)

Must be used to facilitate IPv6 deploymentDual stacking key servers, NAT-PT/NAT464, etc.

Must have an IPv6 block

One per organization every six months/24 maximum size

136

#AOTR

Subnetting: IPv4 vs IPv6

• The IPv4 mindset: think in terms of IP addresses• “If a site has 50 devices, I give it a /26”

• The IPv4 mindset does not work for IPv6• Last 64 bits used for device autoconfiguration• ... and we have a ton of IPv6 addresses.

• The correct IPv6 mindset: think in terms of subnets, not addresses

#AOTR

IPv6 SubnettingNANOG BCOP:

• Each individual network segment gets a /64• A /64 can hold a near-infinite number of devices

• Subnet on nibble boundaries for DNS• /48, /44, /40, etc

• Addressing plans should be hierarchical, with each level using subnets of the same size• Each site gets a /48• Customers generally get a /48• PoPs/aggregation points sized based on largest

#AOTR

IPv4 Address Plan: End User

Enterprise Network

SJO Hub14 offices

/27 for each448 IPs

CHI Hub15 offices

/28 for each240 IPs

DAL Hub7 offices

/28 for each112 IPs

ASH Hub156 sites

/27 for each4,992 IPs

/23

/24 /24

/19

#AOTR

IPv6 Address Plan: End User

Enterprise Network

SJO Hub14 offices

/48 for each448 IPs

CHI Hub15 offices

/48 for each240 IPs

DAL Hub7 offices

/48 for each112 IPs

ASH Hub156 sites

/48 for each4,992 IPs

/40

/40 /40/40 (256 /48s)

#AOTR

IPv4 Address Plan: ISP

FTTH ISP Network

Chula Vista Hub952 home users

(1 IP each)5 biz customers

(/29-/24) = 1,952 IPs

EscondidoHub

214 home users

(1 IP each)= 214 IPs

OceansideHub

497 home users

(1 IP each)= 497 IPs

El Cajon Hub497 home users

(1 IP each) 4 biz customers

(/29-/24)= 997 IPs

/21

/24 /23

/22

#AOTR

IPv6 Address Plan: ISP

FTTH ISP Network

Chula Vista Hub

1,027 total users (home +

business) = 1,027 /48s

Escondido Hub

214 total users (home + business)= 214 /48s

Oceanside Hub

497 total users (home + business)= 497 /48s

El Cajon Hub

506 total users (home + business= 506 /48s

/36 (4,096 /48s)

/36 /36

/36

#AOTR

Anatomy Of An IPv6 Address

2001:0DB8:3007:000A:B9D3:284A:83E2:90DB

/32 from ARIN

Hub /360 = Chula Vista1 = Escondido2 = Oceanside3 = El Cajon4 = Future Hub... etc

Site /48001 = El Cajon Site 1002 = El Cajon Site 2....007 = El Cajon Site 7

Subnet /640001 = Subnet 10002 = Subnet 2....000A = Subnet 10

Device /128Autoconfiguredwith MAC Address

#AOTR

IPv6 Deployment Information

• ISOC’s Deploy360 program has 16 detailed case studies covering:• ISPs• Hosting providers• Enterprise businesses• Universities• Governments

•ARIN’s IPv6 Wiki, https://getipv6.info• DNS, tools, translation services, etc

#AOTR

IPv6 Info Centerwww.arin.net/knowledge/ipv6_info_center.html

41

www.GetIPv6.info

www.TeamARIN.net

ARIN IPv6 Resources

#AOTR

IPv6 Adoption

How far are we?Depends where you look...How

many networks have an

IPv6 block?

How many

networks are

routing IPv6?

How much

traffic is using IPv6?

#AOTR

% of Members with IPv6

147

34.10%

52.83% 52.87%

87.55%75.11%

0%

20%

40%

60%

80%

100%

AfriNIC APNIC ARIN LACNIC RIPE NCC

#AOTR

Customers with IPv4 & IPv6

148

2,467

2,420

449

RSP

6,432

1,780

295End Users

IPv4 Only IPv4 & IPv6 IPv6 Only

#AOTR

IPv6 Adoption by ISP Size

0%10%20%30%40%50%60%70%80%90%

100%

3X-Small(143)

2X-Small(778)

X-Small(1,656)

Small(1,252)

Medium(651)

Large(242)

X-Large(187)

2X-Large(37)

3X-Large(24)

4X-Large(7)

ISPs with IPv6 ISPs without IPv6

#AOTR

IPv6 Requests Since Depletion

150

0

20

40

60

80

100

120

Jul-15

Sep-1

5

Nov-1

5

Jan-1

6

Mar-16

May-1

6Jul-16

Sep-1

6

Nov-1

6

Jan-1

7

Mar-17

May-1

7Jul-17

Sep-1

7

Nov-1

7

#AOTR

Routing Table Growth

IPv4 – First 14 Years IPv6 – First 14 Years

#AOTR

Google’s IPv6 Traffic Growing

152

#AOTR

Facebook & Akamai

#AOTR

Discussion: IPv6 & You

Do you have an IPv6 block from ARIN? If so, how was the

process?

Have you deployed IPv6?

If not, do you plan to? Are there

blockers?If so, how is it

working? Any experience to share?

What can ARIN do to help you with IPv6

deployment?

#AOTR

Q&A

#AOTR

Community Engagement with ARIN

Susan HamlinSenior Director, Communications and Member Services

#AOTR

Ways to Engage

#AOTR

• ARIN Announce: arin-announce@arin.net

• ARIN Discussion: arin-discuss@arin.net (members only)

• ARIN Public Policy: arin-ppml@arin.net

• ARIN Consultation: arin-consult@arin.net

• ARIN Issued: arin-issued@arin.net

• ARIN Technical Discussions: arin-tech-discuss@arin.net

• Suggestions: arin-suggestions@arin.net

https://www.arin.net/participate/mailing_lists/index.html

ARIN Mailing Lists

#AOTR

Open Consultations:• Fee Schedule• Expanding the Size of the ARIN Board of

Trustees• Prioritizing open suggestions from the

community• Should we remove attachments from

mailing list• Join arin-consult and share your thoughts

You Can Participate!

• 2 -31 July Call for Nominations• 20 August Deadline to establish

Voting Contact• Each member organization (org id)

has one vote• 24 September Final slate of

candidates• 4-12 October Online voting

#AOTR

Feedback on New WebsiteVisit preview@arin.net by 4 May

Click on Feedback , upper right, to complete a short survey

Your comments are critical to helping us provide you a functional site

Goals:• Responsive• Intuitive• Informative

#AOTR

Q&A

#AOTR

Registration ServicesDepartment Update

Eddie DiegoSenior Resource Analyst

#AOTR

RSD Team

Senior DirectorJohn Sweeting

ManagersCathy ClementsLisa LiedelJon Worley

Resource AnalystsMisuk KwonDoreen MarraffaJames RicewickJonathan RobertsShawn Sullivan

Senior Resource AnalystsEddie DiegoMike Pappano

ParalegalSuzanne Rogers

#AOTR

• Staff assessments and implementation plansPolicy development & implementation

• Provide requirements, perform testing and feedbackSoftware development support

• ARIN On The Road, trade shows, presentationsOutreach

•Collect and provide monthly statistics to the Communication & Member Services Department•Respond to community requests for data, research, and statistics

Statistics & database analysis

RSD Support Functions

#AOTR

Registration Services Plan5,536 (15%)

End User15,893 (42%)

Legacy16,250 (43%)

37,679 Total Orgs Served

Organizations Served

#AOTR

Internet Routing Registry (IRR)

Used to publish routing information

Current IRR not integrated with registration database

(Whois)

Work beginning on a new IRR this year

#AOTR

IPv6 Outreach Campaign

#AOTR

2017 ASN Requests

0

50

100

150

200

250

Jan-17

Feb-17

Mar-17

Apr-17

May-17

Jun-17

Jul-17

Aug-17

Sep-17

Oct-17

Nov-17

Dec-17

#AOTR

2017 ASNs Issued

020406080

100120140160180200

Jan-17

Feb-17

Mar-17

Apr-17

May-17

Jun-17

Jul-1

7

Aug-17

Sep-17

Oct-17

Nov-17

Dec-17

4 Byte ASNs 2 Byte ASNs

#AOTR

Telephone Help Desk

Phones staffed 7 AM to 7 PM ET M-F

Average wait time: 17 seconds

Most common topics:• Point of contact validation• Ticket status• ARIN Online use• Transfer related questions

#AOTR

Open Mic Session

#AOTR

You make ARIN’s Internet number resource policy

Apply for IPv6 addresses and get started

Consider implementing DNSSEC & RPKI

ARIN serves you, our community

Share your opinions, reach out to us with questions and suggestions - engage

Today’s Takeaways:

#AOTR

https://www.arin.net/participate/meetings/fellowship.html

#AOTR

Fill out & submitthe survey for your chance to win a

$100 Amazon Gift Card!