
Cheyenne, Wyoming 20 May 2014

Cheyenne, Wyoming 20 May 2014. Wireless Access: SSID: LACheyenneGuest PW: none. Welcome. Who is here today? Cathy Aronson, ARIN Advisory Council; Einar Bohlin, Senior Policy Analyst; Tim Christensen, Quality Assurance Manager; Jon Worley, Principal Technical Analyst.



  1. Cheyenne, Wyoming 20 May 2014
  2. Wireless Access: SSID: LACheyenneGuest PW: none
  3. Welcome. Who is here today? Cathy Aronson, ARIN Advisory Council Einar Bohlin, Senior Policy Analyst Tim Christensen, Quality Assurance Manager Jon Worley, Principal Technical Analyst
  4. Today’s Agenda Welcome and Getting Started ARIN: Our Mission, Role, and Services Obtaining IP Addresses I: IPv4 Inventory… Automating your Interactions with ARIN Obtaining IP Addresses II: IPv4 Wait List and Transfers Networking Lunch Current Number Resource Policy Discussions and How to Participate Securing Internet Infrastructure I: DNSSEC Number Resource Policies and Procedures Securing Internet Infrastructure II: RPKI Obtaining IP Addresses III: IPv6 Q&A and Open Microphone
  5. Let’s Get Started! Self introductions Name Organization
  6. ARIN: Our Mission, Role and Services Einar Bohlin Sr. Policy Analyst
  7. “ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.”
  8. ARIN’s Service Region ARIN’s region includes many (20) Caribbean and North Atlantic islands, Canada and the United States and outlying areas.
  9. Regional Internet Registries
  10. Who Provisions IP Addresses & ASNs?
  11. Number Resource Provisioning
  12. ARIN Structure
  13. ARIN Support Organization
  14. ARIN Services
  15. Information on Joining in the Internet Governance Discussion https://www.arin.net/participate/governance/participate.html Visit ARIN’s webpage: Ways to Participate in Internet Governance
  16. Participate in ARIN Contribute your Opinions and Ideas: Public Policy Mailing List IPv6 Wiki Attend Public Policy and Members Meetings, Public Policy Consultations, outreach events Submit a suggestion Participate in community consultations Write a guest blog Members – Vote in annual elections
  17. ARIN Mailing Lists ARIN Consultation - arin-consult@arin.net Open to the general public. Used in conjunction with the ARIN Consultation and Suggestion Process (ACSP) to gather comments, this list is only open when there is a call for comments ARIN Issued - arin-issued@arin.net Read-only list open to the general public. Used by ARIN staff to provide a daily report of IPv4 and IPv6 addresses returned and IPv4 and IPv6 addresses issued directly by ARIN or address blocks returned to ARIN's free pool. ARIN Technical Discussions - arin-tech-discuss@arin.net Open to the general public. Provided for those interested in providing technical feedback to ARIN on experiences in the use or evaluation of current ARIN services and features in development. ARIN Mailing Lists ARIN Announce: arin-announce@arin.net ARIN Discussion: arin-discuss@arin.net (members only) ARIN Public Policy: arin-ppml@arin.net ARIN Consultation: arin-consult@arin.net ARIN Issued: arin-issued@arin.net ARIN Technical Discussions: arin-tech-discuss@arin.net Suggestions: arin-suggestions@arin.net http://www.arin.net/participate/mailing_lists/index.html
  18. Q&A
  19. Obtaining IP Addresses I: ARIN’s IPv4 Inventory, Depletion Projections, and Countdown Plan Jon Worley Senior Resource Analyst
  20. ARIN’s IPv4 Inventory As of 20 February 2014, ARIN has 1.39 /8 equivalents of IPv4 addresses remaining IPv4 inventory published on ARIN’s website: www.arin.net Updated daily @ 8PM ET
  21. Prefix Length Breakdown
  22. IPv4 Annual Burn Rate
  23. ARIN’s IPv4 Free Pool
  24. Linear Depletion Projection
  25. APNIC Depletion
  26. “Run On The Bank” Projection
  27. Which Projection is More Likely? Probably linear, but it only takes one unexpected very large request (e.g. /9) to change things completely Policy requirement to only fill requests with one block will prevent large ISPs from depleting all of the small blocks
  28. IPv4 Countdown Plan
  29. IPv4 Countdown Plan – Phase 3 /16 and larger requests team-reviewed in a first in, first out fashion 60 days to complete payment/RSA for IPv4 requests IPv4 hold period moves from 6 to 3 months
  30. IPv4 Countdown Plan – Phase 4 Begins at 1 /8 Equivalent Left All IPv4 requests team-reviewed and processed on a first in, first out basis IPv4 hold period drops to 2 months
  31. Qualifying for IPv4 - ISPs Multi-homed 2 /24s reassigned to you data to show 2 /24s efficiently used Single-homed 16 /24s reassigned to you data to show 16 /24s efficiently used Immediate need
  32. IPv4 ISP Data Typically Requested Mapping of static IPs/subnets to customer names and street addresses List of all dynamic pools with prefix/range assigned, area served, util % Mapping of internal subnets with description and # IPs used
  33. Other IPv4 ISP Data Requested Customer justification data Customer contact information and proof of customer payments Data must be verifiable
  34. 3 Month Supply Calculation NRPM: Justified need, not solely predicted growth Utilization rate of last allocation Immediate need for exceptional circumstances
  35. Qualifying for IPv4 – End Users Multi-homed 64 IP addresses used immediately 128 IP addresses used within one year Single-homed 1,024 IP addresses used immediately 2,048 IP addresses used within one year
  36. IPv4 End User Data Requested Subnet mapping showing each subnet to be created and for each subnet description of its purpose # IPs used within 30 days # IPs used within one year
  37. Hosting: ISP or End User? Dedicated servers, VPS, colocation = ISP SaaS, VPN, ASP = End User
  38. The Bottom Line An IPv4 request submitted today could be your last Plan appropriately to ensure continued growth of your network
  39. Q&A
  40. Automating Your Interactions with ARIN Tim Christensen ARIN Engineering
  41. Why Automate? Interact with ARIN faster Not dependent on ARIN’s systems for user interface issues Build a customized system using standards-based technologies Improved accuracy Integrate multiple services
  42. Why Automate (continued) We have a rich set of interfaces Focused on reliability and completeness Welcome to share your tools with the community at projects.arin.net
  43. REST – Service Summary ARIN’s RESTful Web Services (RWS) Whois-RWS Provides public Whois data via REST Reg-RWS (or Registration-RWS) Allows ARIN customers to register and maintain data in a programmatic fashion Report Request/Retrieval Automation Permits request and download of various ARIN data (subject to AUP) RPKI using Reg-RWS
  44. What is REST? Representational State Transfer As applied to web services defines a pattern of usage with HTTP to create, read, update, and delete (CRUD) data “Resources” are addressable in URLs Very popular protocol model Amazon S3, Yahoo & Google services, …
  45. The BIG Advantage of REST Easily understood Any modern programmer can incorporate it Can look like web pages Re-uses HTTP in a simple manner Many, many clients Other HTTP advantages This is why it is very, very popular with Google, Amazon, Yahoo, Twitter, Facebook, YouTube, Flickr, …
  46. What does it look like? Who can use it? Where the data is. What type of data it is. The ID of the data. http://whois.arin.net/rest/poc/KOSTE-ARIN It is a standard URL. Anyone can use it. Go ahead, put it into your browser.
  47. Where can more information on REST be found? RESTful Web Services O’Reilly Media Leonard Richardson Sam Ruby
  48. Whois-RWS Publicly accessible, just like traditional Whois Searches and lookups on IP addresses, AS numbers, POCs, Orgs, etc… Very popular As of September 2013, constitutes 65% of our query load For more information: http://www.arin.net/resources/whoisrws/index.html
  49. Registration RWS (Reg-RWS) Programmatic way to interact with ARIN Intended to be used for automation Not meant to be used by humans Useful for ISPs that manage a large number of SWIP records Requires an investment of time to achieve those benefits
  50. Reg-RWS Requires an API Key You generate one in ARIN Online on the “Web Account” page Permits you to register and manage your data (ORGs, POCs, NETs, ASes) But only your data More information http://www.arin.net/resources/restful-interfaces.html
  51. Anatomy of a RESTful request Uses a URL (just like you would type into your browser) Uses a request type, known as a “method”, of GET, PUT, POST or DELETE Usually requires a payload Adheres to a published structure Depends upon the type of data Depends upon the method Method, Payload, and XML schema info is found at “RESTful Provisioning Downloads”
  52. Example – Reassign Detailed Your automated system issues a PUT command to ARIN using the following URL: http://www.arin.net/rest/net/NET-10-129-0-0-1/reassign?apikey=API-1234-5678-9ABC-DEFG The payload contains the following data:

      ```xml
      <net xmlns="http://www.arin.net/regrws/core/v1">
        <version>4</version>
        <comment></comment>
        <registrationDate></registrationDate>
        <orgHandle>HW-1</orgHandle>
        <handle></handle>
        <netBlocks>
          <netBlock>
            <type>A</type>
            <description>Reassigned</description>
            <startAddress>10.129.0.0</startAddress>
            <endAddress>10.129.0.255</endAddress>
            <cidrLength>24</cidrLength>
          </netBlock>
        </netBlocks>
        <parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
        <netName>HELLOWORLD</netName>
        <originASes></originASes>
        <pocLinks></pocLinks>
      </net>
      ```
  53. Example – Reassign Detailed ARIN’s web server returns the following to your automated system:

      ```xml
      <net xmlns="http://www.arin.net/regrws/core/v1">
        <version>4</version>
        <comment></comment>
        <registrationDate>Tue Jan 25 16:17:18 EST 2011</registrationDate>
        <orgHandle>HW-1</orgHandle>
        <handle>NET-10-129-0-0-2</handle>
        <netBlocks>
          <netBlock>
            <type>A</type>
            <description>Reassigned</description>
            <startAddress>10.129.0.0</startAddress>
            <endAddress>10.129.0.255</endAddress>
            <cidrLength>24</cidrLength>
          </netBlock>
        </netBlocks>
        <parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
        <netName>HELLOWORLD</netName>
        <originASes></originASes>
        <pocLinks></pocLinks>
      </net>
      ```
  54. Reg-RWS Has More Than Templates Only programmatic way to do IPv6 Reassign Simple Only programmatic way to manage Reverse DNS Only programmatic way to access your ARIN tickets
  55. Reg-RWS adoption at ARIN In 2012… 1.09 Million transactions processed 375K processed via Reg-RWS (34%) 371K processed via Template (34%) Remainder via ARIN Online In 2013… 4.72 Million transactions processed 3.66M processed via Reg-RWS (78%) 488K processed via Template (10%) Remainder via ARIN online
  56. Testing Your Reg-RWS Client We offer an Operational Test & Evaluation environment for Reg-RWS Your real data, but isolated Helps you develop against a real system without the worry that real data could get corrupted For more information: http://www.arin.net/resources/ote.html
  57. Obtaining RESTful Assistance http://www.arin.net/resources/restful-interfaces.html Pay attention to Method, Payload, and XML schema documents under “RESTful Provisioning Downloads” Or use ARIN Online’s Ask ARIN feature Or use the arin-tech-discuss mailing list Make sure to subscribe Someone on the list will help you ASAP Archives on the web site Registration Services Help Desk telephone not a good fit Debugging these problems requires a detailed look at the URL, method, and payload being used
  58. Report Request/Retrieval For customer-specific data, access is restricted by user Permits you to request and retrieve reports But only your data For public services, you must first sign an AUP or TOU (Bulk Whois, Registered ASNs, WhoWas) ARIN staff may review your need to access this data Requires an API Key
  59. New Feature: RPKI thru Reg-RWS Delegated – very complex Hosted – easy but tedious if managing a large network through the UI Solution: Interface to sign ROAs using the RESTful API Ease of Hosted Programmatic way of managing a large number of ROAs
  60. Q&A
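
The reassign exchange on slides 52 and 53, as an added Python example that is not ARIN's code: it builds the `<net>` payload from a CIDR block, checks that the response echoes the same block before the new handle is trusted, and strips the API key from the URL before it is logged, since the key travels in the query string. Function names are assumptions; the element names, namespace and sample values come from the slides, the example covers the IPv4 case shown there, and no request is sent.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

NS = "http://www.arin.net/regrws/core/v1"  # namespace shown on slide 52
ET.register_namespace("", NS)

# Paths of the fields the response is expected to echo back unchanged.
ECHOED = {
    "orgHandle": "r:orgHandle",
    "parentNetHandle": "r:parentNetHandle",
    "netName": "r:netName",
    "startAddress": "r:netBlocks/r:netBlock/r:startAddress",
    "endAddress": "r:netBlocks/r:netBlock/r:endAddress",
    "cidrLength": "r:netBlocks/r:netBlock/r:cidrLength",
}


def build_reassign_payload(parent_handle, org_handle, net_name, cidr):
    """Return the <net> XML for a detailed reassignment of an IPv4 block."""
    # strict=True rejects input such as 10.129.0.1/24 (host bits set), so
    # startAddress/endAddress always agree with cidrLength.
    block = ipaddress.IPv4Network(cidr, strict=True)
    net = ET.Element(f"{{{NS}}}net")

    def add(parent, tag, text=""):
        child = ET.SubElement(parent, f"{{{NS}}}{tag}")
        child.text = text
        return child

    add(net, "version", "4")
    add(net, "comment")
    add(net, "registrationDate")
    add(net, "orgHandle", org_handle)
    add(net, "handle")
    nb = add(add(net, "netBlocks"), "netBlock")
    add(nb, "type", "A")
    add(nb, "description", "Reassigned")
    add(nb, "startAddress", str(block.network_address))
    add(nb, "endAddress", str(block.broadcast_address))
    add(nb, "cidrLength", str(block.prefixlen))
    add(net, "parentNetHandle", parent_handle)
    add(net, "netName", net_name)
    add(net, "originASes")
    add(net, "pocLinks")
    return ET.tostring(net, encoding="unicode")


def net_fields(xml_text):
    """Extract the handle and the echoed fields from a <net> document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}net":
        raise ValueError(f"unexpected root element {root.tag!r}")
    def get(path):
        return (root.findtext(path, default="", namespaces={"r": NS}) or "").strip()
    fields = {name: get(path) for name, path in ECHOED.items()}
    fields["handle"] = get("r:handle")
    return fields


def check_reassign_response(request_xml, response_xml):
    """Return the new net handle, or raise if the response does not match."""
    sent, got = net_fields(request_xml), net_fields(response_xml)
    for name in ECHOED:
        if sent[name] != got[name]:
            raise ValueError(f"{name}: sent {sent[name]!r}, got {got[name]!r}")
    if not got["handle"] or got["handle"] == got["parentNetHandle"]:
        raise ValueError("response carries no new net handle")
    return got["handle"]


def redact_api_key(url):
    """Replace the apikey query value so the URL is safe to write to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() == "apikey" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


# Response text as shown on slide 53.
SAMPLE_RESPONSE = """<net xmlns="http://www.arin.net/regrws/core/v1">
<version>4</version><comment></comment>
<registrationDate>Tue Jan 25 16:17:18 EST 2011</registrationDate>
<orgHandle>HW-1</orgHandle><handle>NET-10-129-0-0-2</handle>
<netBlocks><netBlock><type>A</type><description>Reassigned</description>
<startAddress>10.129.0.0</startAddress><endAddress>10.129.0.255</endAddress>
<cidrLength>24</cidrLength></netBlock></netBlocks>
<parentNetHandle>NET-10-129-0-0-1</parentNetHandle>
<netName>HELLOWORLD</netName><originASes></originASes><pocLinks></pocLinks>
</net>"""

if __name__ == "__main__":
    req = build_reassign_payload("NET-10-129-0-0-1", "HW-1", "HELLOWORLD",
                                 "10.129.0.0/24")
    print(redact_api_key("http://www.arin.net/rest/net/NET-10-129-0-0-1/"
                         "reassign?apikey=API-1234-5678-9ABC-DEFG"))
    print(check_reassign_response(req, SAMPLE_RESPONSE))
```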
  61. Obtaining IP Addresses II: ARIN’s IPv4 Waiting List and the IPv4 Transfer Market Jon Worley Senior Resource Analyst
  62. IPv4 Waiting List If ARIN can’t fill a justified request, option to specify smallest acceptable size If no block available between approved and smallest acceptable size, option to go on the waiting list May receive only one allocation every three months
  63. Filling Waiting List Requests Oldest request filled first (not best fit) If ARIN gets a /16 back and the oldest request is for a /24, we issue a /24 to that org
  64. IPv4 Churn IPv4 addresses go back into ARIN’s free pool 3 ways Return = voluntary Revoke = for cause (usually nonpayment) Reclaimed = fraud or business dissolution 3.54 /8s received back since 2005 /8 equivalent returned to IANA in 2012
  65. Burn Rate vs. Churn Rate
  66. Reality Check At the rate at which IPv4 addresses were reclaimed in 2013, it would take 51 years to fill all of 2013’s approved requests Waiting List is a lottery ticket, not a savings bond
  67. IPv4 Transfer Market
  68. Types of Transfers Mergers and Acquisitions (8.2) Transfers to Specified Recipients (8.3) Inter-RIR transfers (8.4)
  69. Transfers to Specified Recipients 12 month waiting period Recipient must qualify to receive resources under ARIN policy Recipient may receive up to a 24 month supply
  70. IPv4 Specified Recipient Transfers 59 transfers completed (46,700 /24s) Transactions typically arranged through IPv4 brokers
  71. Inter-RIR Transfers From ARIN RIR must have reciprocal, compatible needs-based Inter-RIR transfer policy Currently: APNIC Under discussion in the RIPE NCC, LACNIC, & AFRINIC regions Org releasing resources must not have received IPv4 from ARIN within the past 12 months Recipient must meet other RIR’s Inter-RIR transfer policy requirements
  72. Inter-RIR Transfers To ARIN RIR must have reciprocal, compatible needs-based Inter-RIR transfer policy Currently: APNIC Recipient must qualify to receive resources under current policy Recipient may request up to a 24 month supply
  73. Inter-RIR Transfer Notes 16 transfers completed (2,127 /24s total) ARIN & APNIC for now Expectation is primarily ARIN to APNIC given the early exhaustion of IPv4 in the APNIC region
  74. Specified Transfer Listing Service (STLS) 3 ways to participate Listers: have available IPv4 addresses Needers: looking for more IPv4 addresses Facilitators: available to help listers and needers find each other Major Uses Matchmaking Obtain preapproval for a transaction arranged outside STLS
  75. Misconceptions IPv4 transactions will never be allowed Transfer of unused IPv4 started June 2009 It’s a trap! This isn’t a sting operation ARIN recognizes all IPv4 transactions Must meet policy requirements
  76. Tips and Tricks Involve ARIN as early as possible Make sure a contemplated transfer meets ARIN requirements before finalizing Use ARIN’s STLS to pre-qualify ISPs must still show efficient use of all previous allocations and 80% of their most recent allocation
  77. Other Notes ISPs can receive 24 month supply via transfer vs 3 month supply from ARIN ARIN still has IPv4 addresses and will have a post-depletion waiting list IPv6 transition still required
  78. Reality Check, Part 2 Reports say current asking prices are around $10/IPv4 address More demand post-ARIN-depletion = higher prices Even if supply is available, can you afford to pay market price?
  79. Q&A
  80. Lunch Break Take your valuables as the room will not be locked.
  81. This Afternoon’s Agenda Current Number Resource Policy Discussions and How to Participate Securing Internet Infrastructure I: DNSSEC Number Resource Policies and Procedures Securing Internet Infrastructure II: RPKI Obtaining IP Addresses III: IPv6 Q&A and Open Microphone
  82. ARIN’s Policy Development Process Current Number Resource Policy Discussions and How to Participate Cathy Aronson ARIN Advisory Council
  83. Flowchart Proposal Template Archive Petitions Policy Development Process (PDP) http://www.arin.net/policy/pdp.html
  84. Policy Development Principles Open Developed in open forum Public Policy Mailing List Public Policy Meetings / Consultations Anyone can participate Transparent All aspects documented and available on website Policy process, meetings, and policies Bottom-up Policies developed by the community Staff implements, but does not make policy
  85. Who Plays a Role in the Policy Process? Community Submits proposals Participates in discussions and petitions Advisory Council (elected volunteers) Facilitates the policy process Develops policy that: enables fair and impartial resource administration is technically sound is supported by the Community Determines consensus based on community input
  86. Roles… ARIN Board of Trustees (elected volunteers) Provides corporate fiduciary oversight Ensures the policy process has been followed Adopts policies ARIN Staff Provides feedback to community Staff and legal assessments Policy experience reports Implements adopted policies
  87. Basic Steps Proposal from community member AC works with author to ensure it is clear and in scope AC promotes proposal to Draft Policy for community discussion/feedback (PPML and possibly PPC/PPM) AC recommends fully developed Draft Policy (fair, sound and supported by community) for adoption Recommended Draft Policy must be presented at a face-to-face meeting (PPC/PPM) If AC still recommends adoption, then Last Call, review of last call, and send to Board Board reviews Staff implements
  88. Petitions Petitions available for: Delay by the AC Proposal to Draft Policy (after 60 days) Draft to Recommended Draft (after 90) Last Call (after 60) Board (after 60) Abandonment Rejection (proposals out of scope) Petitions begin with 5 day duration, needing support from 10 people from 10 different organizations (later stages require more people) Despite low bar, attempted petitions are rare
  89. Number Resource Policy Manual Contains Change Logs HTML/PDF/txt http://www.arin.net/policy/nrpm.html ARIN’s Policy Document Version 2014.2 (21 January 2014) 33rd version
  90. Policies in the NRPM ARIN Principles IPv4 Address Space IPv6 Address Space Autonomous System Numbers (ASNs) Directory Services (Whois) Reverse DNS (in-addr) Transfers Experimental Assignments Resource Review Policy
  91. Current Draft Policies/Proposals Recommended Draft Policies ARIN-2013-8: Subsequent Allocations for New Multiple Discrete Networks ARIN-2014-5: Remove 7.2 Lame Delegations ARIN-2014-12: Anti-hijack Policy ARIN-2014-13: Reduce All Minimum Allocation/Assignment Units to /24 ARIN-2013-7: NRPM 4 (IPv4) Policy Cleanup (last call) https://www.arin.net/policy/proposals/
  92. Current Draft Policies/Proposals Draft Policies ARIN-2014-1: Out of Region Use ARIN-2014-2: Improving 8.4 Anti-Flip Language ARIN-2014-3: Remove 8.2 and 8.3 and 8.4 Minimum IPv4 Block Size Requirements ARIN-2014-6: Remove 7.1 [Maintaining IN-ADDRs] ARIN-2014-8: Alignment of 8.3 Needs Requirements to Reality of Business ARIN-2014-9: Resolve Conflict Between RSA and 8.2 Utilization Requirements ARIN-2014-11: Improved Registry Accuracy Proposal ARIN-2014-14: Removing Needs Test from Small IPv4 Transfers ARIN-2014-15: Allow Inter-RIR ASN Transfers ARIN-2014-16: Section 4.10 Austerity Policy Update ARIN-2014-17: Change Utilization Requirements from last-allocation to total-aggregate https://www.arin.net/policy/proposals/
  93. How Can You Get Involved? There are two ways to voice your opinion: Public Policy Mailing List Public Policy Consultations/Meetings In person or remotely ARIN meetings and PPCs at NANOG
  94. Public Policy Mailing List (PPML) Open to anyone Easy to subscribe to Contains: ideas, proposals, draft policies, last calls, announcements of adoption and implementation, petitions, and more… Archived RSS feed available https://www.arin.net/participate/mailing_lists/index.html
  95. ARIN Meetings Two ARIN meetings a year Attend and participate in person or remotely Check the ARIN Participate/Meetings site a few weeks prior to meeting Look at the Proposals/Draft Policies on Agenda (what and when?) Get a copy of the Discussion Guide (summaries and text) Attend/log in and state your opinion Additional consultations (PPCs) at all NANOG meetings AC meeting results Watch PPML for AC’s decisions (once a month) Read AC meeting minutes (if you have insomnia) Draft Policies – good or bad ideas, for or against? Last Calls – For or against?
  96. References Policy Development Process http://www.arin.net/policy/pdp.html Draft Policies and Proposals http://www.arin.net/policy/proposals/index.html Number Resource Policy Manual http://www.arin.net/policy/nrpm.html
  97. Q&A
  98. Securing Internet Infrastructure: Using DNSSEC with ARIN Online Tim Christensen ARIN Engineering
  99. Why DNSSEC? What is it? Standard DNS (forward or reverse) responses are not secure Easy to spoof Notable malicious attacks DNSSEC attaches signatures Validates responses Can not spoof
  100. Anatomy of a (forward) DNS attack
  101. Reverse DNS at ARIN ARIN issues blocks without any working DNS Registrant must establish delegations after registration Then employ DNSSEC if desired Just as susceptible as forward DNS if you do not use DNSSEC
  102. Reverse DNS at ARIN Authority to manage reverse zones follows allocations “Shared Authority” model Multiple sub-allocation recipient entities may have authority over a particular zone
  103. Changes completed to make DNSSEC work at ARIN Permit by-delegation management Sign in-addr.arpa. and ip6.arpa. delegations that ARIN manages Create entry method for DS Records ARIN Online RESTful interface Not available via templates
  104. Changes completed to make DNSSEC work at ARIN Only key holders may create and submit Delegation Signer (DS) records DNSSEC users need to have signed a registration services agreement with ARIN to use these services
  105. Reverse DNS in ARIN Online First identify the network that you want to put Reverse DNS nameservers on…
  106. Reverse DNS in ARIN Online …then enter the Reverse DNS nameservers…
  107. DNSSEC in ARIN Online …then apply DS record to apply to the delegation
  108. Reverse DNS: Querying ARIN’s Whois Query for the zone directly:

       ```
       whois> 81.147.204.in-addr.arpa
       Name: 81.147.204.in-addr.arpa.
       Updated: 2006-05-15
       NameServer: AUTHNS2.DNVR.QWEST.NET
       NameServer: AUTHNS3.STTL.QWEST.NET
       NameServer: AUTHNS1.MPLS.QWEST.NET
       Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.
       ```
  109. DNSSEC in Zone Files ; File written on Mon Feb 24 17:00:53 2014 ; dnssec_signzone version 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 0.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 1.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c 8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT BLP5UClxUWkgvS/6poF+W/1H4QY= ) 1.74.in-addr.arpa. 86400 IN NS NS3.COVAD.COM. 86400 IN NS NS4.COVAD.COM. 10800 NSEC 10.74.in-addr.arpa. NS RRSIG NSEC 10800 RRSIG NSEC 5 4 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1 mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH sa+5OV7ezX5LCuDvQVp6p0LftAE= )
  110. DNSSEC in Zone Files 0.121.74.in-addr.arpa. 86400 IN NS DNS1.ACTUSA.NET. 86400 IN NS DNS2.ACTUSA.NET. 86400 IN NS DNS3.ACTUSA.NET. 86400 DS 46693 5 1 ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD 8056 ) 86400 DS 46693 5 2 ( 66E6D421894AFE2AF0B350BD8F4C54D2EBA5 DA72A615FE64BE8EF600C6534CEF ) 86400 RRSIG DS 5 5 86400 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y 6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK nhCY8UOBOYLOLE5Whtk3XOuX9+U= ) 10800 NSEC 1.121.74.in-addr.arpa. NS DS RRSIG NSEC 10800 RRSIG NSEC 5 5 10800 20140306210053 ( 20140224210053 57974 74.in-addr.arpa. YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe …
  111. DNSSEC Validating Resolvers www.internetsociety.org/deploy360/dnssec/ www.isc.org/downloads/bind/dnssec/
  112. Reverse DNS Management and DNSSEC in ARIN Online Available on ARIN’s website http://www.arin.net/knowledge/dnssec/
  113. Q&A
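
A check to run before entering a DS record for a reverse zone (slides 104 to 110), as an added Python example that is not ARIN's code: it derives the key tag and DS digest from a DNSKEY per RFC 4034, compares them with the DS text about to be submitted, and tests an RRSIG validity window like the ones in the zone file on slide 109. Function names are assumptions and the DNSKEY is a constructed toy key; the owner name, DS text and timestamps used in the checks are taken from the slides.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types on slide 110
ZONE_KEY_FLAG = 0x0100                           # DNSKEY flags bit 7


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not applicable to algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type):
    """DS RDATA text: key tag, algorithm, digest type, digest(owner | RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def parse_ds(text):
    """Parse DS RDATA in zone-file form, tolerating ( ) and a split digest."""
    tok = text.replace("(", " ").replace(")", " ").split()
    return int(tok[0]), int(tok[1]), int(tok[2]), "".join(tok[3:]).upper()


def ds_problems(ds_text, owner, rdata):
    """Reasons why this DS would not point at the given DNSKEY ([] if none)."""
    tag, alg, dtype, digest = parse_ds(ds_text)
    if dtype not in DIGESTS:
        return [f"unsupported digest type {dtype}"]
    problems = []
    if not struct.unpack("!H", rdata[:2])[0] & ZONE_KEY_FLAG:
        problems.append("DNSKEY is not a zone key")
    if tag != key_tag(rdata):
        problems.append(f"key tag {tag} != {key_tag(rdata)}")
    if alg != rdata[3]:
        problems.append(f"algorithm {alg} != {rdata[3]}")
    expected = make_ds(owner, rdata, dtype).split()[3]
    if len(digest) != len(expected):
        problems.append(f"digest is {len(digest)} hex chars, expected {len(expected)}")
    elif digest != expected:
        problems.append("digest does not match DNSKEY")
    return problems


def rrsig_window_ok(inception, expiration, now):
    """True if `now` lies inside the RRSIG window (all YYYYMMDDHHMMSS, UTC)."""
    def ts(s):
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return ts(inception) <= ts(now) <= ts(expiration)


# Constructed toy key (flags 257, protocol 3, algorithm 5); not a real key.
SAMPLE_OWNER = "0.121.74.in-addr.arpa."
SAMPLE_RDATA = dnskey_rdata(
    257, 3, 5, base64.b64encode(bytes.fromhex("03010001abcdef01")).decode())
# DS text as shown on slide 110 (belongs to a key not shown on the page).
SLIDE_DS = "46693 5 1 ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD 8056 )"

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_RDATA, 2)
    print(ds, ds_problems(ds, SAMPLE_OWNER, SAMPLE_RDATA))
    print(ds_problems(SLIDE_DS, SAMPLE_OWNER, SAMPLE_RDATA))
    print(rrsig_window_ok("20140224210053", "20140306210053", "20140520000000"))
```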
  114. Number Resource Policies and Procedures Jon Worley Senior Resource Analyst
  115. New Fee Schedule Effective 1 July 2013 Fees continue to be based on cost recovery Goal to balance overall fees to better align fees with services provided
  116. New Fee Schedule – Initial Assignments/Allocations New categories XX-Small (v4 /22 and smaller, v6 /40) XX-Large (v4 more than /12, v6 more than /20) Lower initial assignment/allocation fees
  117. Examples /24 IPv4 and /48 IPv6 minimum assignments go down from $1,250 to $500 /22 minimum IPv4 allocation goes down from $1,250 to $500
  118. New Fee Schedule – End User Annual Maintenance $100 per ASN, IPv4, and IPv6 registration Registration = one AS number or network registration in Whois
  119. New Fee Schedule – IPv4 ISP Annual Renewal Based on aggregate holdings Roughly two thirds with lower annual fees and one third with higher annual fees Downgrades: generally ISPs with one or two blocks Upgrades: ISPs that have received lots of v4 over an extended time and/or have more than a /12 equivalent
  120. Some Examples ISP that got a /20 10 years ago and nothing since drops from $2,250 to $1,000 ISP that has been getting a /20 per year for 10 years increases from $2,250 to $4,000 ISP that has been getting a /14 per year for 10 years increases from $18,000 to $32,000
  121. New Fee Schedule – IPv6 ISP Annual Renewal Most nibble-aligned blocks in lower size brackets /36 now x-small (was small) /28 now medium (was large) /24 now large (was x-large) Almost all IPv4 ISPs can now get IPv6 without an additional annual fee
  122. New Fee Schedule – ASNs and Transfers ASNs: $550 Transfers: $500
  123. Current IPv4/IPv6 Policies
  124. Multiple Discrete Networks Applicable when you operate multiple autonomous networks If you don’t have a minimum block size free OR have used 50% overall and 50% of your last allocation, can get space for: existing networks that have efficiently used all previous allocations and 80% of their most recent allocation any new autonomous networks
  125. Residential Access ISPs Applicable to ISPs who reassign IPs to access infrastructure through which their residential customers connect Qualify by showing 80% assigned to hardware with a 50% utilization rate
  126. Reserved IPv4 Block for IPv6 Deployment /10 reserved to be issued to facilitate IPv6 deployment /24 maximum Can’t receive another block under this policy for six months
  127. IPv4 Micro-allocations /16 set aside for micro-allocations to public exchange points, core DNS operators, other RIRs, and IANA /23 maximum per new gTLD New gTLDs can’t receive space from the reserve
  128. IPv4 End User Renumbering Axed Policy that allowed /24s and /23s to end users also required renumbering of those blocks to get additional assignments Removed based in part on ARIN staff policy feedback
  129. Third Party Internet Access (TPIA) CRTC (Canadian FCC equivalent) mandates open access for cable systems Space considered used when assigned by incumbent operator to their equipment on behalf of the TPIA customer
  130. IPv6 Subsequent Allocations for Transitional Technologies Additional allocation for IPv4 -> IPv6 transitional technology (usually 6rd) /24 maximum allocation Allows a typical ISP to map a /56 to each of their existing IPv4 addresses in a 6rd deployment 8 allocations issued 2 /24s, 2 /28s, 4 /32s
  131. Q&A
  132. Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN Tim Christensen ARIN Engineering
  133. What is RPKI? Resource Public Key Infrastructure Attaches digital certificates to network resources AS Numbers IP Addresses Allows ISPs to associate the two Route Origin Authorizations (ROAs) Can follow the address allocation chain to the top
  134. What does RPKI accomplish? Allows routers or other processes to validate route origins Simplifies validation authority information Trust Anchor Locator Distributes trusted information Through repositories
  135. Resource Cert Validation Resource Allocation Hierarchy ICANN AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates LIR1 ISP2 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> ISP ISP ISP ISP4 ISP ISP ISP
  136. Resource Cert Validation Resource Allocation Hierarchy ICANN AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates LIR1 ISP2 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> ISP ISP ISP ISP4 ISP ISP ISP 1. Did the matching private key sign this text?
  137. Resource Cert Validation Resource Allocation Hierarchy ICANN AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates LIR1 ISP2 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> ISP ISP ISP ISP4 ISP ISP ISP 2. Is this certificate valid?
  138. Resource Cert Validation Resource Allocation Hierarchy ICANN AFRINIC RIPE NCC APNIC ARIN LACNIC Issued Certificates LIR1 ISP2 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> ISP ISP ISP ISP4 ISP ISP ISP 3. Is there a valid certificate path from a Trust Anchor to this certificate?
  139. What does RPKI Create? It creates a repository RFC 3779 (RPKI) Certificates ROAs CRLs Manifest records
  140. Repository View

       ```
       ./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1:
       total 40
       -rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa
       -rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer
       -rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl
       -rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf
       -rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa
       ```

       A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest
  141. Repository Use Pull down these files using a manifest-validating mechanism Validate the ROAs contained in the repository Communicate with the router marking routes “valid”, “invalid”, “unknown” Up to ISP to use local policy on how to route
  142. Possible Flow RPKI Web interface -> Repository Repository aggregator -> Validator Validated entries -> Route Checking Route checking results -> local routing decisions (based on local policy)
  143. How can you use ARIN’s RPKI System? Hosted; Hosted using ARIN’s RESTful service; Web Delegated (being deprecated); Delegated using Up/Down Protocol
  144. Hosted RPKI. Pros: Easier to use; ARIN managed. Cons: No current support for downstream customers to manage their own space (yet); Tedious through the UI if you have a large network; We hold your private key
  145. Hosted RPKI with RESTful Interface. Pros: Easier to use; ARIN managed; Programmatic interface for large networks. Cons: No current support for downstream customers to manage their own space (yet); We hold your private key
  146. Delegated RPKI with Up/Down. Pros: Same as web delegated; Follows the IETF up/down protocol. Cons: Extremely hard to set up; Need to operate your own RPKI environment
  147. Hosted RPKI in ARIN Online
  151. Hosted RPKI in ARIN Online SAMPLE-ORG
  154. Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.
  155. Delegated with Up/Down
  158. Delegated with Up/Down: You have to do all the ROA creation; Need to set up a CA; Have a highly available repository; Create a CPS
  159. Updates within RPKI outside of ARIN: The four other RIRs are in production with Hosted CA services; ARIN and APNIC have delegated working for the public; Major routing vendor support being tested; Announcement of public domain routing code support
  160. ARIN Status: Hosted CA deployed 15 Sept 2012; Web Delegated CA deployed 16 Feb 2013; Delegated using “Up/Down” protocol deployed 7 Sept 2013; RESTful interface deployed 1 Feb 2014
  161. Why is this important? Provides more credibility to identify resource holders; Leads to better routing security
  162. Q&A
  163. Obtaining IP Addresses III: IPv6 Adoption. Jon Worley, Senior Resource Analyst
  164. The Boiling Frog Parable
  165. Why Adopt IPv6? ARIN’s IPv4 free pool will be gone soon; IPv4 Waiting list = loooooooooooong; IPv4 Transfer Market = $$$$$
  166. Alternatives? Large Scale/Carrier-Grade NAT? Equipment costs; latency, application, geolocation, DMCA, etc. issues. Or: solve the problem the right way
  167. IPv6 has benefits, too: No more coming to ARIN multiple times a year; Deploy a subnet to a site once and you’re good; Improved aggregation
  168. Qualifying for IPv6 - ISPs: have a previous v4 allocation from ARIN; intend to multi-home; provide a technical justification which details at least 50 assignments made within 5 years
  169. IPv6 ISP Data Typically Requested: If requesting more than a /32, a spreadsheet/text file with # of serving sites (PoPs, datacenters) # of customers served by largest block size to be assigned (/48 typical)
  170. Qualifying for IPv6 – End Users: have a v4 direct assignment; intend to multi-home; 2000 IPv6 addresses or 200 IPv6 subnets used within a year; technical justification as to why provider-assigned IPs are unsuitable
  171. IPv6 End Users – Data Requested: List of sites in your network; site = distinct geographic location; street address for each; Campus may count as multiple sites; technical justification showing how they’re configured like geographically separate sites
  172. IPv4 vs IPv6 Subscribers Total of 4,468 ISP Subscriber Members
  173. The Solution to IPv4 Depletion: IPv6 must be adopted for continued internet growth; Now is the time to deploy IPv6
  174. Everyone needs an IPv6 Plan: Each organization must decide on a unique IPv6 deployment plan right for them; Timeline will vary; Investment level will vary
  175. Your IPv6 Check List: IPv6 address space; IPv6 connectivity (native or tunneled); Operating systems, software, and network management tool upgrades; Router, firewall, and other hardware upgrades; IT staff and customer service training
  176. ARIN Resources: www.GetIPv6.info; IPv6 Info Center: www.arin.net/knowledge/ipv6_info_center.html; www.TeamARIN.net
  177. Operational Guidance: www.InternetSociety.org/Deploy360/; www.NANOG.org/archives/; bcop.NANOG.org; www.hpc.mil/cms2/index.php/ipv6-knowledge-base-general-info
  178. Q&A
  179. Q&A / Open Mic Session
  180. Fill out & submit the survey for your chance to win a $100 Amazon Gift Card!
  181. Ask ARIN: ARIN staff available until 4:00 PM; Ask us your questions one-on-one