NARALO Trip Assessment 4

ARIN47 was a meeting of the American Registry for Internet Numbers discussing policies regarding the assignment of IP addresses within ARIN region (which mostly overlap’s with ICANN’s NARALO region). During this meeting, proposals made to the ARIN community (with input of the advisory council) are discussed, and voted upon upon by members attending the sessions before being sent to the board for final resolution.

As a NARALO representative, my goals were to familiarize myself with ARIN operation, push for policies supporting Internet End-Users, help define and vote on policies regarding the deployment of IPv6, and help define paths regarding the transition of IPv4 to IPv6. In this role, I spoke on my positions regarding the difficulties deploying IPv6 in the real world, difficulties with end user and SoHo businesses in obtaining provider-independent address space, access to BGP, and other roadblocks regarding v6 allocation.

Additionally, I wanted extend awareness of ICANN and NARALO to those new to ARIN, the interdependence of IP address space, and DNS, provide understanding of the differences of IPv6 deployment vs. IPv4 deployment, and make new connections between the NARALO and ARIN communities.

ARIN43 was organized as a single track meeting with an initial newcomers orientation, followed by a review of RIR policies across the globe, IP usage statistics, and differences in policies between regions. This was followed up by a review of policies proposed to the ARIN Board (listed below) in which I provided as much input as possible, and closing with a summary on ARIN’s financial status and current state/projects. I attended all sessions and social events at ARIN43 aside from the Women’s Networking Forum. Throughout the conference, I was actively live-tweeting from the sessions under my handle @fossfirefighter with the hashtag #ARIN43.

The following policies were discussed over the two days, with my comments and notes following:

• Recommended Draft Policy ARIN-2018-2: Clarification to ISP Initial Allocation
• Recommended Draft Policy ARIN-2017-12: POC Notification & Validation Upon Reassignment or Reallocation
• Recommended Draft Policy ARIN 2018-5: Disallow Third-party Organization Record Creation
• Draft Policy ARIN-2018-6: Clarify Reassignment Requirements in 4.2.3.7.1
• Draft Policy ARIN-2019-1: Clarify Section 4 IPv4 Request Requirements
• Draft Policy ARIN-2019-3: Update 4.10 IPv6 Deployment Block
• Draft Policy ARIN-2019-4 Allow Inter-regional IPv6 Resource Transfers
• Draft Policy ARIN-2019-2: Waiting List Block Size Restriction
• Draft Policy ARIN-2019-6: Longer Hold Time Requirements for 4.1.8 Recipients
• Draft Policy ARIN-2019-7: Elimination of the Waiting List

Starting from the beginning, the following information was covered; these was procedural reports from various ARIN sponsors and community members and did not have panels for discussion. This is summarized from my notes and the ARIN transcripts:

Sponsor Updates

• C&W Business successfully deployed the first IPv6 commercial network in the Caribbean region with the help of ARIN

RIR Updates:

• AfriNIC
• Work towards simplification of ASN acquirement, IPv6 blocks, and streamlining deployment requirements
• APNIC
• Ongoing policy development of abuse mailbox validation
• Clarifying policies regarding IPv6 block acquisition
• Covered on Day 2
• Limits IPv4 allocation to a /23 or /24
• LACNIC
• ASN Merger Policies
• RIPE NCC
• Defining BGP hijacking as a RIPE policy violation

Advisory Committee On-Docket Items

• Clarification of policies regarding initial allocation of IP space to ISPs
• Point of contact notification and validation procedures
• Clarifying how ISPs can get additional IPv4 space in light of exhaustion
• Work towards cleaning up ARIN WHOIS information
• Note: WHOIS in this context is related to the database of who owns a given block of IP address space, and is not related to the DNS WHOIS database
• Policy regarding unmet requests greater than a /22

---

Policy Experience Report:

Provides feedback to the ARIN community on policies that may not be working as expected, identified gaps or inconsistencies, customer feedback, and ideas towards new policies. The ARIN community is tasked with deciding if a policy change is necessary, or if things should be listed in place. Questions asked are noted directly below:

Two policies were listed in the PER:

• 4.10 - Dedicated IPv4 Block to Facilitate IPv6 Deployment & 4.5. Multiple Discrete Networks
• Discussion on if multiple discrete networks (networks which have multiple AS numbers but one parent Org ID) should be treated independently or treated as one organization.
• Absent community input, [ARIN] staff would interpret 4.10 to allow one /24 per six months per MDN
• 6.5.8.1. [IPv6] Initial Assignment Criteria
• Policy written prior to IPv4 depletion
• Doesn’t explicitly address how to interpret the case where the organization can not qualify due to depletion
• Staff has interpreted to mean “have or qualify for an IPv4 block”

I did not have a direct opinion on either policy, but asked a clarifying question to better understand the current state of 4.10 address space. From the transcript:

“Michael Casadevall: Do we have current statistics on what is currently available in the 4.10 pool and projections towards exhaustion since that, I think, would influence the policy decisions?

John Sweeting:  Yeah, I'm going to give that in the RSD department update. I believe it's somewhere around 98 percent of that pool is still available.”

---

IETF Report

Cathy Aronson summarized current work in the IETF regarding IP space developments and discussion. She covered the following topics in brief:

• IPv6 Address Assign to End-SItes
• Simple Internet Protocol (first attempt to replace IPv4) marked Historic
• 464XLAT: Combination of stateful and stateless transition
• QUIC Observations
• QUIC is net internet protocol over UDP to help reduce latency; used heavily by Google, YouTube/etc. but is only faster if packets arrive in order.
• Work to measure how "unreliable" UDP actually is on packet ordering
• BGP blackholing
• Reaction of SLAAC to Renumbering Events
• IETF is trying new approach to build "Modern Router Arch"
• IPv6 extension headers
• KSK side meeting - dealing with the rollover of KSK2010, how often to rollover and how to smooth rollovers in the future.
• Futures BoF is dealing with key roll and removing KSK2010 and the fallout of how it was managed.
• A lot of places just turned of DNSSEC validation and measuring what actually broke.
• DHC - Dynamic Host Configuration
• Defining DHCP protocol extensions, and new options and standards mechanics
• Link State Routing
• DNSOP serve stale - method to serve stale records if upstream servers are dead/DDoSed increasing reliability
• Creation of NAME RR type similar to CNAME but only for A/AAAA records
• Decentralized Ids to use URI scheme to ID things such as blockchain
• OPSEC for IPv6 started in 2012 and close to publishing, and removing things aren't security such use of PI address space. Should be soon ready for last call.
• IPv6 ops:
• Develops guidelines for ops of a shared v4/v6 networks deploying v6 in v4-only members
• Working on ways to get routers to handle IPv6 deallocation, and IPv4 on IPv6 networks.
• Dealing with very large IPv6-only networks with edge translation within China so only one translation is necessary.
• DIscussion of pros/cons of v4/v6 transition services such as 464XLAT
• HOMENET work
• IPv6 Maintenance (6MAN)
• Global Routing Ops
• No documentation how to roll out BGP documentation, maybe create living document
• Using BGP blacklisting to migate DDoS attacks without massive access lists
• SUIT WG - What is it
• Defining standards for deploying and updating IoT devices and create protocol/models that can be easily be implemented
• QORP - Quantum Internet Research Group

During the open floor, I asked if there were any discussions on possibly using Class E address space to help provide new transition methods for IPv4<->IPv6. Transcript below:

“Michael Casadevall: This might be a slightly touchy subject, but has there been any discussions on possibly opening up the last remaining blocks of IPv4, the Class E space, for future transition five to ten years down the line?

Cathy Aronson:  No. Because -- well, there have been discussions. But the thing is that the amount of time it would buy us pitched against the amount of engineering and host changes it would take, it's just not worth it. I mean, that's basically --

Robert Seastrom:  What Cathy said, we discussed that even for private space 10 years ago, and it got no traction because too much effort.

John Curran:  Right. There's been at least two Internet drafts that talk about that that were discussed in the IETF, both of which were panned by that community. There have been drafts suggesting that to the IETF; both were panned in the IETF community.”

---

After the initial reports, the conference shifted to covering policy proposes in which I had the most input in. I’ll cover these in the order they were presented, and my votes for each item:

Recommended Draft Policy ARIN-2018-2: Clarification to ISP Initial Allocation

This policy provides clarification on how ISPs can obtain initial address space up to a /21, the size of their allocation, and guidelines for ISPs that already have blocks.

In effect, this policy would make it easier for new ISPs to get their IP space, as well as allowing them to automatically get at least a /24. It also clarified that ISPs receiving blocks via transfer would be treated the same as though it received a direct allocation from ARIN.

I voted in favor of this policy as it reduces the bar to entry for new entries into the market. Community votes were 108 present with 40 in favor, and 0 against.

---

Recommended Draft Policy: POC Notification and Validation Upon Reassignment or Reallocation

Summarized, this policy change is to require that any organization that receives a reassignment or reallocation must both be notified and validated before any such request will be processed by ARIN. The current situation allows for ISPs to assign blocks without validated point of contact information, and has lead to inaccurate or invalid information in WHOIS.

I spoke in favor of this policy:  “I want to speak in support of this policy because having up-to-date and accurate POC information is incredibly valuable when dealing with network DDoS attacks or bad traffic of determining who owns a block, who to contact and being able to help mitigate issues from point to point. So the Whois is incredibly valuable, and more accuracy goes a long way.”

I voted in favor of it, the vote total was total participants 113, in favor: 41 against: 1.

---

Recommended Draft Policy ARIN-2018-5: Disallow Third-party Organization Record Creation

Summarized, this policy change disallows third-parties to create point-of-contacts for organization that receive simple allocation blocks. Instead, each organization must have an authorized representative create the PoC via ARIN’s tools. The hope is to decrease the number of organization ids in the database, or organizations that have no awareness of holding ARIN resources.

I was tentatively supportive of this policy as having accurate WHOIS information is important in contacting networks generating bad traffic, but was concerned for those who operate as contractors or “third-party” helpdesks would have additional barriers to entry. I spoke at the mic to this effect:

“I'm tentatively supportive of this policy as written, but I have concerns for companies that manage other companies' properties. For example, it is not uncommon for one company to completely manage all aspects of another customer's networks IP allocations, so forth and so on.

And this would create a -- this currently can be an entirely transparent process since organization one can create and manage all the resources for organization two.

This would add some burden to that, and while it may be relatively straightforward to create an Org ID, it may adversely impact those that act as a middleware for clients, especially those that are grabbing a bunch of IP blocks and releasing them because of demand scaling up and down. So I have tentative -- I have concerns about this.”

Owen DeLong, member of the advisory council directly addressed my concerns as follows:

“Owen DeLong, independent contractor and member of the ARIN AC. Yeah, I've done a lot of the kind of contract work he's talking about. And I've got a lot of clients as well.

And we discussed this actually on the Mailing List. It was pointed out by ARIN staff that, as written, the policy would be implemented such that if you are able to create the Org ID with the proper documentation showing that the Org in question has authorized you to do that on their behalf, you're fine.

So you're going to need some form of documentation from your client that says, yeah, this guy's authorized to interact with ARIN on our behalf, but that should not be hard to obtain if you're legitimately operating with ARIN on their behalf.

So I think it's actually a solved problem. I don't think that there's a need for changes to the policy text or acrobatics to address it.”

---

ARIN-2018-6: Clarify reassignment requirements in 4.2.3.7.1

The policy in question intends to simplify requirements related to “simple” reassignment vs “complex” reassignment. As policy is currently written, it is unclear when a simple reassignment is sufficient and many transfers are doing complex reassignments when unnecessary. It was also raised  During the discussion phase of this proposal, a lengthy discussion followed on how this problem case deals with customers not capable of managing their own IP space.

I found the problem statement and that usecase to be invalid, and raise that concern during public discussions:

“Michael Casadevall: I dislike the proposal for several reasons. The first one is the example of the [havoc] system that requires a stack IP and only having customer name.

For someone to have a block of routable IP addresses, they need to be responsible for it. And the concept of the customer is not smart enough to manage it, I don't think that's a valid argument, because if you're going to have stack IP space, you need to be able to manage it, or have someone manage it for you on your behalf.

In addition, limiting the amount of information about transfers could both lead to abuse of people's hoarding IP blocks via shell games and other -- the lack of transparency is extremely concerning. Having more detailed information about how blocks are being assigned to individual customers is very important for dealing with tracking down DDoS, sources, botnets and other information.

So moving -- allowing simple transfer, simple reassignment for these sort of things removes clarity into how ISP networks are delegating their networks, and the detailed information should be the standard way to do it, in my personal opinion.

Paul Andersen:  I understand you're against the policy statement, clearly. Are you also against the problem itself being solved?

Michael Casadevall:  Personally, I'm not sure I see it as a problem. If anything, I would completely flip this policy on its head and require detailed information for all reallocations except for those that are being directly broadcast and routed by BGP, in which case that organization has the POC and is responsible for that network because they're doing the announcement on BGP.“

---

Draft Policy ARIN-2019-1: Clarify Section 4 IPv4 Request Requirements

In short, this policy dealt with fixing the minimum and maximum allocations of an IP allocation; specifically, raising the minimum to a /24, and reducing the max to a /21 for waiting list IP space. Allocations smaller than a /24 are unusual as they’re not BGP routable, and ARIN internally can’t handle these type of requests as of writing (a full /24 for is allocated even if a smaller block is requested).

I spoke up to at the mic stating that although smaller blocks are unusual, if a customer is fully aware of the consequences of using said block size, these requests should be allowed in light of IPv4 exhaustion as you can fit in multiple smaller blocks within a /24.

---

Economic Factors Affecting IPv6 Deployment

This was an open panel going into details about why IPv6 deployment is very slow as looked from an economic point of view. As described, NAT and RFC1918 drastically increased the longevity of IPv4, and many of the unique features of IPv6 such as SLAAC and IPSec were implemented one way or another in IPv4. As such, this helped reduce motivation for deploying IPv6. Things are also further complicated by the fact that one can’t simply just deploy IPv6; backwards compatibility with IPv4 remains essential.

I commented on my own experiences in trying to get customers onto IPv6, including difficulties in getting provider independent space, and BGP broadcast announcements.

---

Day 2

RPKI

RPKI (Reverse Public Key Infrastructure) BGP is designed as a method to verify routes and prevent hijacking via securing announcements through certificate management. All five RIRs run RPKI infrastructure (with the root key known as a TAL, similar to the root key KSK ICANN manages), although ARIN (due to US legal requirements) has a click through license to get it’s public key which has drastically reduced deployment in the region of RPKI deployment. It is an alternative to the BGPSEC proposal (which fully encrypts BGP traffic)

Current work is being done to try and lift these legal barriers and allow the ARIN CA to be automatically included with BGP software. Several ISPs such as AT&T and Google are now validating routes according to RPKI. Currently, Penn State has been contracted to determine how to improve the RPKI situation for ARIN.

I brought comments relating to liability caused by making the key difficult to access, and also compared the situation to browser CA stores and how they manage liability risk.

---

ARIN-2019-4: Allow Inter-regional IPv6 Resource Transfers

The first policy proposal of the day was discussing aligning IPv6 transfer policies to be in place with those of IPv4. As the rules are written, only RIPE NCC allows for out of region transfer of IPv6 blocks. An argument was also made for RPKI, due to the previously mentioned issues with deploying the ARIN key en-massWhile I was initially neutral on this proposal, the discussion swayed me towards a negative view.

Michael Casadevall:  Michael Casadevall, NARALO.  I'm currently neutral on this policy.  While I can see a valid use case for mergers and acquisitions of bringing all IPv6 under a single umbrella, I'm somewhat wondering about the need and logistical overhead, given that most

of the IPv4 transfers, especially across regions, is to deal with the fact that exhaustion and moving of v4 blocks -- the v4 blocks are very valued commodity while we have lots of v6 address space. So I'm looking at this and I'm trying to see if there's a real upside versus being able to consolidate because it means that then when you look at the blocks allocated to each RIR, you'll have IP addresses within those blocks that then exist in a different RIR, and it sort of muddles which IPs actually belong to which region.  And I worry of opening Pandora's box here.

Paul Andersen:  I know you're neutral on the policy, but do you have a view on the problem statement, whether it's a problem that should be solved?  

Michael Casadevall:  I'm currently neutral because I'm not hearing a strong use case.  I'm not against it, but I'm not for it either.

David Farmer:  So, hearing you, I think I hear you saying probably those other use cases are important if we're going to further consider this?  

Michael Casadevall:  If it's strongly important that v6 resources need to be transferred and those use cases are valid then I would support the policy as written.  I'm hesitant that the use cases are valid. I'm not sure that type of consolidation really is all that important. And you deal with the risk of basically carving up the / -- I don't remember the size of [R1] has and their allocation to /12 becomes very messy instead of having it in organized blocks that we currently have it in.

David Farmer:  Thank you.

Inter-regional transfer was only allowed for IPv4 in light of exhaustion. Furthermore, IPv4 doesn’t support route building so seperating out /48s to different internet point-of-presence would unbundle routes and bloat up the region table. Furthermore, allowing RIR transfers would allow for forum shopping for IP block space and gaming of the RIR policies which made me feel that allowing inter-region transfers was a very ugly can of worms to open. There may be worth an exception for an organization that is entirely leaving the region, but I could not support the policy as written.

---

4.18 Potential Policy Actions

ARIN 4.1.8 handles the waitlist of IPv4 blocks and allocations for new blocks (this is separate than 4.10 space used for the allocation of clients that are deploying IPv6 and need blocks to get started). The discussion was framed around weighing various pros/cons of various solutions. Among those described were the following:

• 4.1.8 space to be held in a replenishment pool for 4.4/4.10 (essential internet services/IPv6 transition space)
• Distribute 4.1.8 space with a one time issuance surcharge attached
• Make 4.1.8 space non-transferable, reduced incentitive for fraud applications with notion of profiting
• Longer holddown period for 4.1.8 space (the period of time a block must be held before it can be transferred)
• Currently must hold space for a year before transferring
• Policy proposal for two years is on the table
• Additional officer attestation at the time of being placed on waiting list
• Reduce max allocation six to /24 or /22.
• Serves the most applicants, max reduces fraud incentive. RIPE is discussing doing this.
• Prioritize NGO/not-for-profits
• Distribute 4.1.8 space via the transfer market

For my end, I advocated towards moving 4.1.8 space into 4.4/4.10, and then increasing 4.10 allocation space to push up pressure on organizations deploying IPv6.

---

ARIN-2019-2: Waiting List Block Size Restriction

Discussion on changing the size of the max allocation on the waitlist. Currently one can wait for any size block and be issued it if/when it becomes available; I favored reducing the issuance size with again putting pressure on deploying IPv6.

The remainder of the conference covered ARIN’s status and finances, and board elections. I did not actively participate in these sections.