ARIN 54 Public Policy and Members Meeting, Day 2 Transcript - Friday, 25 October 2024
Opening and Announcements
Hollis Kara: Welcome, everybody, to day two of ARIN 54 in Toronto. Waiting for a few people to file into the room and we will get started. I’ll give them maybe a minute.
Okay. Folks, we’re going to get going.
First of all, if I could get a big thank you for all of our elected volunteers, the ARIN Board of Trustees, Advisory Council, and Number Resource Organization Number Council. Round of applause. Thank you for all you do.
(Applause.)
Remember, elections are open right now. If you are a Voting Contact for a General Member Organization, please log into your ARIN Online account and cast your ballot before November 1.
Couple quick reminders. In case you weren’t here yesterday or just forgot what things in the bottom of your menu mean. Chat is for chat. That is informal and off the record.
If you have a question or a comment that you’d like to be read into the room as a virtual participant, please either raise your hand. We’ll unmute you and you can ask your question yourself or you can drop it in Q&A, if you want to type it. But also remember to provide your name and affiliation so we can get that for the record.
Virtual Help Desk is currently open if you’re having any issues getting situated on the Zoom. We’ve got a real person there in that room that can help you out.
And if Zoom disconnects, same drill as yesterday. Try connecting again. Maybe it’s you. If it’s me, click over to the live stream. You can watch us there. We’ll keep you updated when Zoom becomes available.
If Zoom and the live stream are gone, I’m having a worse day than you are, keep an eye on email, we’ll let you know when you can rejoin.
Those in the room, you are welcome to hop onto Zoom and can talk to virtual participants in the chat. If you choose to do so, make sure you’re disconnected from audio.
Reminders once again, when we open discussion periods in the session today, please come to the mic. The producers on the riser and folks here on stage will help manage the flow of discussion to allow virtual participants to be woven into the conversation.
Please do try to speak slowly, perhaps a tad more slowly than I am speaking now. You can see me slowing down as I say that.
Then also be sure to give your name and affiliation at the opening of your comment.
Recording in progress. Wi-Fi is available.
Hopefully you all found it by now. If you have any issues connecting or need the password, please check at the registration desk. Someone there can help you out.
All the slides are available for this morning online already. We are live streaming, and there’s a live transcript. All of these things are available on the Meeting Materials page.
You can also access the presentation directly on the agenda page of the meeting website.
This morning, we’ve got some interesting reports this morning. We’re going to kick it off with an update from the Number Resource Organization Executive Council. And then we’ll have an update from IANA on the work that is happening inside that space, followed by an update from the Address Supporting Organization Advisory Council.
We will then also go into an Information Security Update from ARIN’s own CISO Christian Johnson. Then we’ll take a break.
Coming back and rounding out the day with an Engineering Update, Routing Security Update, and an update on ARIN services. It’s a CXS Update, but it’s our services report card. And then we’ll have an Open Microphone to round out the day.
With that, also remember and appreciate everybody’s adherence to Standards of Behavior and making sure ARIN is a safe and welcoming place for all attendees.
Same rules apply today. Let’s keep our conversations on topic and working toward consensus and community understanding.
All right. Talked about that. I don’t know – hi, Wade. Everybody wave to Wade. Hi. Very glad to have our ombudsman here, ombudsperson. If you have a question or an issue, please find Wade. He’ll be happy to help you out or he’ll find you in chat because he’s a chatty guy.
I’d like to thank our Network Sponsor Rogers. If I could get a round of applause.
(Applause.)
Our Webcast Sponsor, Google. More applause.
(Applause.)
You guys are good at this game. Our Platinum Sponsor Kalorama IPv4 Brokers and Advisors. Please don’t forget to take your goodies. They brought them all the way from the D.C. area and they don’t want to pack them up and take them home. Take one for you and your friend.
Our Silver Sponsor, IPv4.Global by Hilco Streambank.
(Applause.)
And our Exhibitor Sponsor, IPXO.
(Applause.)
We rely on our sponsors to be able to support these meetings, and we appreciate all they do to help us make sure that we can conduct these for you.
With that, I will stop talking and bring back John Curran, who is going to be giving the Number Resource Organization Executive Council Update.
He’s smiling already. He’s even not on the screen yet. There we go.
Number Resource Organization Executive Council (NRO EC) Update
John Curran: Good morning. I’m John Curran, President and CEO of ARIN. Welcome back to our ARIN meeting. It’s my privilege to give the Number Resource Organization Executive Council Update.
So let me start right in. This is something we give at all the RIR meetings. Let’s get some slides up there. Lovely. Okay.
So let me start right in. Next slide. What is the NRO? The NRO is the Number Resource Organization. It was founded in 2003. More than two decades old. It’s the mechanism by which we take joint action.
So, in other words, if you have to deal with the Internet number registry system and you need to do something jointly with all the RIRs, you can go to the NRO and work with us, and we’re a coordination mechanism for the RIRs for joint activities.
We did an addendum in July of 2020 to update the MoU, and the addendum included specific commitments to not violate uniqueness and take effective measures to promote the Internet number registry system, to publish entries in the Internet number registry system globally to enable timely global Internet operations, and to cooperate together in the provision of consistent, effective global Internet number registry system. More than 20 years old, we decided to update and make sure it’s clear what our purpose was and how we work together.
Now, to give you an idea of the scope – next slide – of the NRO, we did a review of our Strategic Plan, and we wanted to make sure that we had a purpose for this organization.
The purpose is very clear. It’s to coordinate and support the joint activities of the RIRs to provide and promote the joint Internet number registry and to be the leader in number resource management, collectively, to enable an open, stable and secure Internet.
And so there’s a lot of activities in there that people don’t realize. Well, the RIRs each individually do their share. There’s a huge amount of coordination in the Internet ecosystem that takes place between the RIRs and other entities, and a lot of that happens through the NRO. In addition, the NRO itself has some projects, which I’ll talk about, to help coordinate activities between the RIRs.
Next slide. So how do we make decisions? We have an Executive Committee, which is made up of appointments, generally the Executive Director or CEO of each of the RIRs.
So right now it’s Oscar, myself, Hans Petter, Jia Rong, and TBD for AFRINIC. We have a permanent secretary which helps coordinate and keeps things moving forward, and that’s German and Laureana. They both provide support for the NRO activity.
Note that very shortly there will be changeover, and we’ll end up with Oscar stepping down. We’ll end up with Ernesto coming aboard as the Executive Committee. We’ll also change the Chair of the NRO EC, and that will be Hans Petter coming on next month.
Next slide. The NRO prepared a Strategic Plan, and we looked at the activities that we do. We realized that there’s actually some activities that aren’t just coordination among the RIRs. They actually require our joint project. They actually require the RIRs to work together on one project plan, not five coordinated project plans.
We actually undertake starting joint programs among the RIRs. RPKI was the first one. So we have an RPKI joint project between the RIRs, which I’ll talk about more later.
We do intend to actually do one on RIR security and one on government engagement. This is the first time we’ve ever done a single program and assigned resources from each of us to a single program and a single project plan. We wanted to see how RPKI would go before we enhanced it by doing additional projects.
Next slide. You might have heard of it if you attended some of the RIR meetings. The NRO RPKI program to provide more consistent and uniformly secure, resilient RPKI services.
This is pretty important because, as I said, there’s a lot of different moving parts to RPKI. When you’re an entity that works with multiple RIRs, right now there’s not a high level of consistency in terms of the services, the interface, even just the specification of the service.
So we’re trying to do that through a single, more common definition between the RIRs. Also improved transparency. We use different things like different timers on things like manifests, and we have different ideas about synchronization. If you’re an operator and you have to deal with multiple RIRs, this can be a little confusing.
We’re trying to look and say why is this different? Does it have to be? Are there best practices that should be deployed across all RIRs?
That project just started out, and we’re in the assessment phase. We’ve actually already had some good progress. But looking at the different RPKI services among the RIRs, trying to come up with commonality, trying to come up with a more consistent interface, and I think this has been a really good project.
Sofia is the Program Manager, hired by the NRO to handle the joint program, and she’s been doing a great job going out. If you attended NANOG, you’ve probably seen it, RIPE, APNIC, she’s given updates at each of the RIRs about some of the specifics of some of the progress the RPKI programs made.
Now I want to talk a little bit more about more coordination we do. Next slide. We do a lot of coordination with other programs, and we do that through the NRO Coordination Groups.
Each of our various pieces of our organizations work with their counterparts at other RIRs. If we have to do joint communications, we have to respond jointly to a legal activity, an MoU or some other coordination activity, there’s a Coordination Group made up, and that’s an informal function that allows us just to make sure that when we have to do something, that we have a reasonable level of coordination.
Each RIR is responsible for its own actions in these areas, but you want to understand what the other RIRs are doing, what their timing is, so on and so forth. And this has worked out very well.
I want to go on and talk about finances, how we pay for all of this. Next slide. There we go. We have a couple of expenses. One is keeping the Secretariat running. And now our Program Managers, paying for the various meetings. There’s certain meetings that we do where we send, for example, the ASO AC. And so each of those were an expense that’s all joint.
We also have various support for things like Internet governance activities around the world and support for RIRs, AFRINIC support, for example.
Those general operations are $939,000 right now in 2024. Then we also have a significant contribution we make every year to ICANN. It’s $823,000. We’ve been making it since ICANN’s inception every year. We’ve recently clarified after the IANA stewardship transition that this is made up of IANA services of $650,000 and a voluntary contribution to ICANN’s overall activities of $173,000.
Those two are the two line items that represent the NRO’s expenses, the $939,000 and the $823,000. We also have a Stability Fund that’s not an expense but it’s a set of pledges each RIR has done that is on standby if an RIR were to have an untoward event and they needed to actually have to tap the resources of each other. We all pledged a certain amount.
The joint pledge is about $2.6 million of joint support available to help stabilize if there were to be an issue and we need to expend very quickly to make sure the Internet number registry system wasn’t impacted.
When you look at the numbers we spend every year, the $939,000 and $823,000, they have to be divided out among the other RIRs. Next slide. That’s based on Registration Services revenue. We look at the size of each RIR in terms of their Registration Services revenue. Each RIR commits to a prorated portion of the NRO expenses based on that.
So the formula basically for 2022 was about 32 percent for ARIN and about 36 percent for RIPE. LACNIC with 12. APNIC with about 21. In terms of ongoing development, you see that we didn’t have expenses for AFRINIC that year.
Next slide. For people who are aware of what’s going on, AFRINIC had a governance situation occur where they had an election that was deemed invalid. It led to a situation where they couldn’t seat a formal Board of Directors. Without that, they had some challenges recovering from that. Eventually, various positions timed out, including the CEO and the Chair, and so AFRINIC actually ended up without a governing process.
This has gone back and forth for a while and we’ve been doing everything we can with support. We’ve provided on-site legal support. We worked closely with ICANN, which is also working with them, and we’ve helped the staff make sure that they’re available, make sure the staff has resources it needs, knows that despite having not a valid leadership function that they can ask any of us for support or assistance.
We’ve also been doing quite a bit of outreach, making sure people know even though it was going through a challenging time, that all the RIRs were available for resources, available for support, to make sure that AFRINIC continued to provide Registry Services, and we were providing resources to AFRINIC if AFRINIC needed funding for travel or something, there’s times where we would step in and support them.
The good news here is that we have – recently there’s been clarification of an order that was issued. The order was to appoint an official receiver in Mauritius to basically step in and, for a brief period of time, do the necessary work to hold elections. And that’s what they really need. They need elections in order to establish a governing board.
The official receiver of the court has been reinstated with a directive to do very prompt elections in AFRINIC. We’re encouraging the AFRINIC community to help make that happen and participate so it can get a new governing structure in place, and hopefully this will close the chapter of this governance issue that we faced.
So a very good thing in terms of at least having a timeline and a process by which AFRINIC will be able to restore its governance.
I want to move on and talk about some of the other activities we’re doing. So next slide. One of the big things is that we realize that we have a document for the criteria that an RIR should meet to be recognized. That’s called ICP-2.
It is the process for recognition of an RIR. We never really flushed that out with implementation procedures, how an RIR is recognized or de-recognized if it doesn’t meet the criteria.
We actually asked the ASO AC to help with that task. We did a set of implementation procedures and asked the ASO AC, the elected community body of the NRO, to review those. Those are actually in final form, and they’re in discussion between us and ICANN to get those adopted.
Then we realized ICP-2 is a very dated document, back to 2001. There’s been a lot of learning since then. We actually told the ASO AC, while we need implementation procedures for us to use the current ICP-2, it would be good if they would do a community-based process to update ICP-2 and provide clearer guidelines, better accountability to the community.
So you heard a little bit about that, and that’s an activity that again the ASO AC, the Address Supporting Organization Advisory Council, is busy working on with the community in a process throughout all of the RIRs.
That global consultation is actually out and underway, and we’ll put the URL up there. But you can go to NRO.net and you’ll find a page about it.
I ask anyone who is interested in how the RIRs are governed, what the criteria are, to get involved, read that, provide comments. There’s an open consultation period right now on the ICP-2.
We’ll move on to more routine things we’re doing. It’s important for the RIR system to have clear information about how the registration is running. We do global Internet number stats, statistics that are published. The NRO coordinates collection of that in publication so you can see the global stats on IPv4, IPv6, and ASNs.
We also do a Comparative Policy Update. This was briefly mentioned yesterday in our meeting where there’s a process by which the staff works with the policy teams in each of the RIRs to put a single table together that explains each RIR’s policies in various areas.
For example, for the issuance of address space or transfers of address space, and you can go online and see a Comparative Policy overview at the NRO of each RIR and a brief summary of its policies in various areas and see how they compare between the RIRs. This is sometimes helpful to get an idea of what the differences are at a high level between each RIR and the policy areas.
Next slide. The other thing we do is the IANA Review Committee. So we have ICANN through its affiliate PTI providing IANA services. Those IANA services, when we need a block of ASNs to be issued to one of the RIRs or we need a new block of IPv6, we go to the IANA.
We use the global policies that are developed by all five RIRs, a common policy that gets ratified. The IANA follows those global policies. Looks at the RIR request, validates it, and issues it.
We don’t have a lot of requests. We probably do a handful of requests, two or three every quarter, if that. But when those are done, they’re handled by IANA as part of the services we contract with ICANN, which in turn subcontracts to the PTI.
We have a Review Committee that looks at this and makes sure the performance of the IANA in handling those requests meet what the Service Level Agreement we have between the RIRs and ICANN calls for. I will say that’s never been a problem.
IANA PTI has done a remarkable job, and this committee confirms that each and every time. You can go online and see the IANA Number Services Review Report for February. It’s published online right there.
The Review Committee members. I’m not going to read them. We appoint members from each of the committees that help participate and handle the review process.
Next slide. IANA Empowered Community. One of the other things that the NRO does, within ICANN’s bylaws the NRO serves the function of an entity in the bylaws called the ASO, the Address Supporting Organization.
We’re the NRO. When we go into ICANN, we’re branded ASO, Address Supporting Organization. It’s just been the historical tendency.
In ICANN bylaws, at the IANA stewardship transition that occurred, when that occurred, the contract to ICANN for handling the number administration – names, numbers and protocols, handling that and with the US government – ended.
In that process, the community, in the process of the IANA stewardship planning process, the community decided that it might want to have some entity that could step in if there were an issue with ICANN governance.
The community that was formed is called the ICANN Empowered Community. The ICANN Empowered Community consists of five representatives. The ASO is one of the members of those.
We do things like confirm changes to the bylaws; confirm the appointment of board of directors; confirm operational and strategic plans; confirm budgets, and there’s procedures to make sure that when ICANN does such actions, that we’re notified as one of the five Empowered Community members and that we send that out to you to say, what is the right process followed?
Is ICANN following the processes that it declared it would use in the development of these decisions? Is there something inappropriate? Is there a reason for the community to step up and say we need to have a consultation about this and whether it was done in accordance with what we all expected.
So you’ll see every now and then we’re publishing announcements like ICANN has directed directors for appointment or ICANN has a new plan for ratification. These are all very routine. It’s very much a check-and-safety function, but the ASO is called to do it. So the NRO steps up in that role, and we run the ICANN Empowered Community function, one-fifth of that.
That actually concludes my presentation.
Next slide. I thank you for listening to my whirlwind tour of the Number Resource Organization and what we do. Of course I’ll open it up for questions.
Hollis Kara: Alright with that, microphones are open. If you have any questions for John about the NRO EC Report, whether you’re here in the room or online, now would be the time to get those submitted or approach the microphones. I’m going to give it just a moment.
John Curran: Sure.
Hollis Kara: Just in case. Okay, if we wait long enough.
Namra Naseer: Thank you so much for your presentation. I am Namra Naseer from Columbia University, also a Fellow.
My question to you is about the government engagement, when you speak about the strategy plan, if you could briefly talk about what does that look like and if there are any challenges that you face while working with them.
John Curran: It’s a great question. So as I said, the NRO has – historically we’ve coordinated activities between the RIRs through coordination groups.
That works very well. And it allows each RIR to do its own activity plan and strategy but to keep informed of the others. We realize that there’s some areas where we may want to have a more common interface and a more uniform strategy. So RPKI is the first such program we’ve kicked off, and it’s done very well.
We have not kicked off RIR cybersecurity as a joint program or government engagement because we’ve done our first joint program. We want to see how that works, what works well, what doesn’t.
So you’re talking about a program that we’re going to look at, after we look at – after we see how the RPKI has done and after we do RIR cybersecurity, we’ll look at government engagement.
The challenge in doing a joint government engagement program is that that requires that we have joint goals that we all agree to. In RPKI, even just building those requires a lot of understanding of where we all are and what we’re all trying to accomplish, find the commonality there.
I will have the same thing when we do the cybersecurity. When it comes to government and government engagement, I think there’s very easily some joint goals we’ll probably end up with, goals that involve making sure we have contact with each of the governments or economies in each region to make sure that we all know that every government knows how to engage with the Internet number registry system.
And that there’s lines of communication open with every government. That’s a pretty easy goal. It’s still a lot of work to do, and I don’t know because we haven’t yet set the goals for the program.
Now, beyond the goals, we’ll probably need to work on messages, and that’s even more challenging. So you’re asking about how we see this going on, a program that we haven’t launched and haven’t started goals or messaging for, it’s going to be a lot of work.
The RIR Boards need to actually come up with common messaging and a common engagement plan that we’re going to use, and right now I could not forecast what such messaging says or what that engagement plan is, but we still need to do the RIR RPKI program, let that get some momentum.
We need to do another joint program, the RIR cybersecurity one, and then we’ll look at whether we want to do a joint program for government engagement.
I expect you’re looking at activities that are 2026, 2027. So it’s a little premature to understand how it’s going to work. But certainly at least a joint approach to making sure we have consistent and uniform engagement, make sure every economy, every government knows where the RIR system is, and hopefully some common messaging as well.
Hollis Kara: All right. Thank you. Seeing no further questions, I think we’re done with this one, John.
(Applause.)
John Curran: Thank you all very much.
Hollis Kara: Don’t worry, he’s still listening.
Next up, let’s bring up Kim Davies, Vice President of IANA Services, to give us an update on what is happening at the Internet Assigned Numbers Authority.
Internet Assigned Numbers Authority (IANA) Update
Kim Davies: Good morning, everyone. My name is Kim Davies, as you just heard. And I lead a team of folks that you know of as IANA, but actually I work for PTI. I’ll explain what that difference is in my presentation today.
So first I’ll start with some updates on number resources, which is why we’re all here, in terms of what we do in the Number Resource space.
We manage the global pools of IPv4 addresses, IPv6 addresses, and Autonomous System Numbers. Predominantly, we do that by allocating them to the five Regional Internet Registries.
In terms of the status of our pools that are available for allocation, roughly 86 percent of the overall IPv4 address space is allocated for unicast use, that is to say, assigned to Regional Internet Registries for distribution.
IANA really doesn’t have a lot to do here. We allocated the last /8s in our unallocated pool all the way back in 2011. Subsequent to that, a policy was implemented called the Recovery Pool, where any small allocations that were returned to IANA were then subsequently assigned to RIRs based on a formula, essentially giving each RIR an equal slice of that pool, and it sort of spent down small assignments that IANA had in its inventory. Even that pool is now effectively exhausted.
We have three /24s left. There’s five RIRs. Since we can’t divide it any further, we just hold on to those. If someone would be so generous to return some IP addresses back to us, we might do a further allocation. But for now, I think that’s pretty much static and the way it’s going to be.
IPv6 is obviously a very different story. If we look at the /12s we allocate to RIRs under the current policy, we have something of the magnitude of 504 of those left in the space that’s allocated for unicast. That space can obviously grow as well. In terms of exhaustion, no risk there in the foreseeable future.
You heard a little bit about from John in the last presentation about accountability. And accountability is important to us, not just the IANA Review Committee that you heard a little bit about, but adhering to the SLAs that we have with the communities, making sure that we’re meeting our customers’ needs, and essentially being as transparent and open as possible and adapting our operations based on evolution in the industry.
So how do we do that? Well, in terms of SLA performance, we do a lot of reporting. You can find copious performance reports on our website at iana.org/performance. You will find we do post-transaction surveys, which is, every time we complete a request for one of our customers, we ask them how we did.
If there’s anything actionable in that response, we’ll do follow-up and work out what we could have done better, or if there was some kind of miscommunication, we will try to iron that out.
We used to do annual surveys of the community at large, and just to preview my very last slide in this presentation, I’ll be asking you to fill out such a survey.
The RIR community, in particular, it’s very hard for us to get a pulse on, to be honest with you, because we have very few touch points with this community. So it’s an opportunity for you to share your views with us on things we could be doing differently, how we’re doing. If you could fill that out at the end of the presentation, that would be very welcome.
Then we also have annual community reviews conducted by a variety of different community groups.
Now, in terms of updates, I wanted to share with you work that we’re doing on managing the DNS Trust Anchor. Formerly this was referred to as the Root Zone Key Signing Key. Quite a mouthful.
But essentially, if you want to do cryptographic verification using DNSSEC, you need to have the Root Zone Key Signing Key essentially programmed into your resolver software. It’s something we manage as part of our operations, and we do it in an unusual way.
Usually when it comes to managing private keys for cryptography, it’s all about secrecy. It’s all about private operations. It’s not something that’s particularly transparent.
The way we built our infrastructure does it quite differently. Whilst we obviously don’t share the public key itself, the way we administer the public key is through a series of very public, highly transparent events that we call key signing ceremonies. We invite security experts to participate. We stream it live on YouTube.
The basic idea is that if we show everything we’re doing and security experts can look at it and say, yes, you’ve done that well, that helps engender trust in the broader community that we’re doing things the right way.
Now, the operational update on that is that this key needs to be rotated every once in a while. As with all cryptographic keys, it’s good practice to not use the same key indefinitely. We’ve only ever changed it once. So DNSSEC started in the Root Zone in 2010. We changed it for the very first time in 2018. And now we’re looking to do it for a second time.
Now, changing the key is quite complex. Not from our side, but for the community because the community essentially needs to update all of its resolver software or its configuration to recognize that new key as a trusted entry point into the DNS.
We were planning to do this a little while ago but the pandemic happened, and then we had some other complications. But we’re now underway.
So for us, this is ideally a three-year process, which began this year. We generated the new key around April of this year. That key is now available for propagation, and essentially we now, in front of us, have a two-year propagation window.
The idea is that over the next two years, network operators, resolver operators, anyone that might have the set of trusted keys programmed or configured in their systems, should now be adopting this new key so that ideally, on October 11, 2026, when we roll over, nothing happens. That’s essentially what happened in 2018, and that’s something we’d like to repeat.
It’s available now for propagation as an XML file. This is one of the formal formats we distribute it in. It’s what most software vendors will use.
Probably not of immediate interest to this community. If you just use a fairly off-the-shelf configuration for your DNS software, as long as you keep your software up to date, it will probably get updated through that process. If you do, however, have manually configured DNS software, there’s actions you need to take.
There’s also an adoption process where DNS resolver software will notice the new key in the DNS itself. This is a technique called RFC 5011. That process will begin January 11, 2025. So around January, February of next year, software that learns about new keys in that way will start to do so, and it is a time to be wary of, to monitor networks, to monitor systems, to see if there’s any unusual effects from that.
Switching to a different topic. I wanted to briefly share a decision that ICANN took recently, which was to reserve .internal for private networks.
This is very similar in concept to RFC 1918 address space which has existed for a very long time. Essentially, this is a space in the DNS that network operators can use and have free rein over to configure as they see fit.
It’s not globally visible. It will be shared space. Every network operator can use it as they see fit. It’s different to .local, .alt, .home, .ARPA and possibly some other address spaces that serve similar but not quite the same purposes.
We are developing an Internet Draft hopefully to be published as an RFC that spells out in more detail exactly how to use this address space.
That’s it for the update portion of my update. The one thing we’ve heard at recent ARIN meetings where we’ve been present at is this community would like to hear a bit more about what IANA does more broadly.
IANA is a bit of an interesting organization because we service so many different communities and we kind of do it a bit in a silo.
This community is obviously very concerned about number resources. So the presentations we give here are focused on number resources. When we work with IETF on standards, we tend to focus on what they work on. When we talk to the DNS community, we focus on them. To take one of the unusual things we do, we manage a time zone database, how most smart devices know what time it is. We work with a very narrowly defined community on that, for example.
It’s probably good to step back and reflect on the broad expanse of what the IANA team does.
So let’s do that. Usually I like to do a level set and talk about, at a very fundamental level, the role of unique identifiers on the Internet, and I think one way to conceptualize unique identifiers, which is essentially what IANA is here to administer, is to think about just a very common activity that we do every day, which is going to a website. Just the simple act of typing in a URL and receiving a webpage back.
If we think about that interaction, typing in a URL, hitting enter, waiting for it to load, getting the images, getting the text back, underlying that transaction is all manner of interactions on the wire involving any number of different protocols that all need to work in a consistent, standardized way for that webpage to be successfully downloaded.
Making sure that all the identifiers used at each layer of the stack there are globally consistent and globally administered is really what IANA’s job is all about. In brief, these are just, at a very high level, some of the unique identifiers that we use in just that one transaction.
Obviously there’s the domain name of the website, it’s part of the URL. But if we look at a URL, there’s also the URI scheme. Usually it’s HTTP or HTTPS, but there’s dozens of other URI schemes.
I don’t need to tell this community that domain names get converted into the IP address. IP address is where ultimately the TCP connection, or these days the QUIC connection, is going to.
There’s the AS Number. Again, don’t need to explain that. But also when you get to the server, the endpoint with a particular IP address, how does it know that it’s performing a web connection as opposed to sending an email or something else? We do that through port numbers. We do that through service names.
When data starts coming back from the web server, how does it know that it’s an image or a video or a text or a PDF file or any number of other different kinds of encodings? You might think it’s the file extension, but it’s not.
There is an encoding called a Media Type, formerly known as a MIME Type, and that is how the nature of the content is understood by the recipient.
In the header of the transaction, all sorts of information is passed back and forth. Things like, I have a cached version of this webpage, is your version still the same or do I need a more recent version?
Requests about preferences on languages, for example. So based on the configuration of your browser, your browser might inform the web server, my priority is to read something in English. That’s conveyed in the header.
But alternatively, if you’ve configured it for Spanish and the web server has a Spanish version of the website, then Spanish version will be returned.
How does it designate, to use that example, the specific language that you’re requesting? There’s a series of tags that mark language encodings that again are maintained by IANA.
So here is just nine examples of unique identifiers that are triggered just by this one transaction. If we’re to go even deeper down the stack, just thinking about BGP. We maintain something like 60 identifier types for BGP.
So within BGP packets and the like, there’s all sorts of encodings that are used that need to be globally consistent.
So what do all these have in common? I think I’ve sort of shared the story. If any one of these identifiers, different parts of the world, thought they meant different things, the Internet simply wouldn’t interoperate in the way that we would expect.
It’s important that the Internet just works. It works everywhere, doesn’t matter what network you’re connected to, doesn’t matter what location you’re in. If I go to a webpage, I expect to get to the same destination and get the same content and view it in the same manner.
That’s fundamentally what IANA is about. It’s about making sure that all these allocations are made in a globally consistent way.
Now, IANA itself is something that really predates probably all of us here. Certainly predates ICANN. IANA is really a manifestation of a role that Jon Postel took on, one of the very first researchers there at the dawn of the Internet. He was, by all accounts, the person best at keeping records in that research team. With pen and paper, he started writing notes and capturing details of how the network was configured.
Over time, that all evolved into a more formalized role. In 1998, ICANN was established to be the home of IANA. Even before ICANN had a name, it was called The New IANA, but that’s really where ICANN was established, amongst other things, but to be a corporate home for IANA.
Even today, IANA really still, its mission traces back to Jon Postel, but we’re really doing the same kinds of things today. Noting that oversight is very different, Jon Postel used just his judgment for the most part. Now we have all sorts of global policies that govern how the work of IANA is conducted.
We divide IANA into three core functional areas, protocol parameters, number resources and domain names.
Protocol parameters really captures the bulk of what we do. These are those sort of internal identifiers used in individual protocols. Usually not seen by an end user. You don’t tend to see IP header flags, for example, in your interaction with, day-to-day interaction with your computer. It’s something that’s used for interoperability within protocols, just not seen by the end user.
Here we work very closely with standards developers, implementers and the like, and we work within the context of the IETF.
IETF is the predominant standards body for Internet protocols. Every document that the IETF produces has a mandatory section called IANA Considerations. This is the section where each document, each RFC, spells out the role of IANA as it pertains to that particular protocol. Specifies things like what registry requirements are, the registration policy, how IANA is to administer into the future once the standard is finalized.
Number resources, I won’t belabor it, I think we’re all very familiar with it. As I mentioned before, those three key identifier types, and our predominant role there is handling the unicast variants of those IP addresses, as well as Autonomous System Numbers to the Regional Internet Registries.
For the domain name system, our primary task is pretty clear. We administer the DNS Root Zone. The DNS Root Zone is the official record of what is a top-level domain. Here we’re talking about .com, .us and .ca and the like.
Much like with the RIRs – this is the whole domain name space. You don’t come directly to IANA to register a domain name. We maintain the highest level of hierarchy and delegate down the next level, who in turn delegate down to the next level and so forth.
So our tasks here involve including speaking with top-level domain administrators, both those existing and those who wish to be TLD operators. For existing TLD operators, it’s routine maintenance, keeping their nameservers up to date and points of contact and the like. Much like an RIR does for number resource allocations.
When it comes to creating new TLDs or transferring responsibility of a TLD, that’s different. We do due diligence. In the case of ccTLD, very extensive due diligence, all in accordance with what the global policies specify needs to happen.
Once we’re satisfied with a particular change, we work with partners, including the root server operators, to disseminate those updates to the Root Zone out into the world.
We do a few other things that are kind of related. For historical reasons, we operate .INT, intergovernmental treaty organizations, and we also operate a significant repository of IDN knowledge, internationalized domain names.
So for there, it’s important that policies around how language and scripts are allocated are coordinated, and that’s a role that we take.
I mentioned the key ceremonies already. Again, very important that we do these in a very open and transparent manner. It’s a very significant activity we do typically every three months.
So all up, I mean, that is just a very quick run-through of the scope of the IANA functions. Overall, there’s something like three and a half thousand registries we maintain of which, for the number resource community, we maintain three. That’s just to give you a sense of the size and scope of the registries.
That’s not to say that the transaction volume across all of them is uniform. Some registries haven’t been touched in 10 years. Some registries, we literally make hundreds of allocations every day. So there’s a big, wide gamut of different registrations there.
Now, this pie chart, this division between these three categories, is somewhat arbitrary, because technically all the identifiers are protocol parameters, even domain names, even IP addresses.
They’re just specialized forms of protocol parameters that have essentially hierarchical delegation as well as different global oversight. It’s really that global oversight that makes us divide it into these three categories.
Let’s talk about PTI. I work for a company called PTI. PTI was a company that was established in 2016 as a result of a transition of the IANA functions from being under U.S. government oversight, up until 2016, to having global multistakeholder oversight after then.
As part of that effort, the functions were actually taken out of ICANN operating directly and put into a new organization called Public Technical Identifiers, or PTI.
PTI hires the IANA staff, including myself. Now, it is closely related to ICANN. I don’t want to give you the sense that it’s a completely independent organization. ICANN provides 100 percent of PTI’s funding. ICANN is what’s called a sole member. And I suggest you think of it kind of like a subsidiary of ICANN. As we’re a nonprofit, you don’t have subsidiaries. So the correct legal term is affiliate. But we are closely tied to ICANN.
Why is that? It’s essentially to provide a lot of safeguards. The community has a lot of powers of oversight of PTI, so that should the IANA functions not be performed correctly, there are sort of mitigations and remediations available to it by virtue of it being a different legal entity.
I have a team of 20 people. I won’t go through all their names. But we have a very dedicated team, many of which are very well tenured. You probably recognize some of these names if you interact with us. So all credit to my team. It makes the job very enjoyable.
Let’s talk about ICANN. As I mentioned, PTI is very closely related to ICANN. ICANN is responsible, ultimately, for overseeing PTI’s performance of the IANA functions.
Again, as you heard earlier, different community groups contract with ICANN for performance of the IANA functions.
So there’s a contract between the five RIRs and ICANN on how IANA should be performed, and then ICANN oversees PTI to actually do the work.
My team of 20 do a lot of great work focused on core and operations, but we can’t do everything. We don’t have legal resources within our team. We don’t have HR personnel in my team. So we rely on joint resources that ICANN helps provide us on that front.
So kind of back-office support. ICANN is really helpful there, as well as engagement. ICANN community is spread far and wide around the world and we can’t be everywhere in person all at once. So we do use the resources of ICANN in terms of global engagement to help support our mission.
To sum up, our job is to be a record keeper. Probably a bit boring when you talk about it that way. But it’s an important record keeper. We’re here to keep records of allocations that are made just to make sure the Internet works, that it’s interoperable, that no one claims a port number that’s not theirs, that no one starts using a type code, a value code in a packet, in a header somewhere in a different way than what is expected.
Our job is ultimately to keep doing this in a way that maintains trust of the community. It’s a voluntary system. There’s no laws that say you have to follow IANA’s assignments. It only works because everyone looks to IANA as the authority.
For us to maintain our role in this ecosystem successfully, it means continuing to convince the world at large that we’re doing a good job, that there’s value in interoperability by having a single source of truth for a lot of these allocations. To that end, our job is to keep engaging with the community, make sure we’re doing the right thing, and where we have room for improvement or where there’s an opportunity to evolve in a different direction, that we heed that advice. We take it on board, and we adapt accordingly.
To that end, every five years we set a strategic plan. And we are now developing our 2025 to 2030 Strategic Plan. This will be put out for public comment, first draft of our strategic plan, very soon. Next month.
When that time comes, I would really encourage feedback on the strategic plan to help guide us on where the IANA should evolve in the next five years.
This is only our second dedicated strategic plan that PTI has ever had. We’re just wrapping up the last year of our first strategic plan. This is an important way of just calibrating with the community about where we want IANA to go into the future.
Then I mentioned this was coming. Here’s a QR code. The questions are designed to be filled in in less than five minutes. If you want to take a picture of that and provide feedback on the IANA functions, it would be very much appreciated.
It’s a very much reduced survey to what we have done in previous years because response rates aren’t great, to be honest with you. But any feedback you can provide will be very welcome to us there.
With that, thank you very much, and I’m happy to answer any questions.
Hollis Kara: Thank you so much, Kim. If there are any questions about this presentation, please approach the microphone or start typing.
Darren Kara: Good morning, Kim. Darren Kara, still currently unaffiliated. I want to commend you and your team on the expansion of the slide deck. I’ve seen things before. There were a number of things here that I hadn’t seen before, and the way you walked us through some of the transactions and the number of different protocols and unique identifiers that take place, we take it for granted these days.
We think it’s just IP-to-IP-based communication, but this definitely helps to point out why PTI and why there’s the IANA in order to make this happen. So commend on the expansion of the deck.
I do want to go back and have one question about the IPv4 pool that you still have three /24s, I think, which can’t be evenly distributed.
Under what circumstances would somebody go directly to IANA to return space rather than through their local RIR? I can think of maybe a couple, if you wanted to be equitable and return it to IANA, if you had a /16 or something like that.
But has this happened before? Is there an example? Thank you.
Kim Davies: So it has happened very rarely that pre the RIRs existing, when IANA did make direct allocations, a lot of those Class A, Class B kind of allocations that, my recollection is some were returned – this is many years ago.
You’re right, I mean, essentially all that address space is now managed directly with RIRs, and I would expect, if space is to be returned, it would probably go back to the sponsoring RIR today.
Hollis Kara: He’s here.
Kim Davies: I’m sure John has some perspective on that as well.
But, in essence, it’s not happened, in my memory, the last 10 years or longer. I wouldn’t necessarily expect it to happen again.
John Curran: I think Kim has it right.
It’s certainly theoretically possible an organization that received directly from the predecessor organization ARIN. ARIN took over from InterNIC, predecessors include GSI, NSI, SRI, and ISI, and Jon himself.
An organization that had a legacy assignment might, if it were to decide that it really needed to return it, could in theory return it – well, to one of the RIRs, to ARIN, likely, as we ended up with a lot of them, or directly to IANA in its current form as the PTI.
I don’t see a lot of returns coming into ARIN even now. We do have them occasionally. But they’re very rare and very small. So the odds of someone actually doing a direct IANA return, I expect, it’s rather a remote thing.
Hollis Kara: Thanks John. Come over here, go ahead.
Mohibul Mahmud: Mohibul Mahmud, Microsoft. Kim, thanks for the nice presentation and nice rundown on the IANA functions and how we evolved from Jon Postel’s notebook to keep track of unique identifier to the current state it is now.
You also mentioned about five years’ plan. So my question is related to that. How does IANA or PTI plan to use the community feedback to shape its goal for the next five years? And what are the ways it’s considering to make sure that it is more accountable to the community and to keep track with the changing needs of the community?
Kim Davies: Good question. So as staff, we have ideas of how IANA should evolve based on our day-to-day interaction with our customers.
This is a way of sort of validating what we think we should be focused on. So we’ll be presenting a draft strategic plan with what the staff and board of PTI think are the right focus areas. But the community feedback will be essential in either validating that or helping us identify blind spots where we’re not looking at the right things.
I think one thing we’ve been focused on the last five years, we still have much room to go in the next, is essentially automation.
Because we have so many diverse identifier types that we manage, we’ve done a lot of stuff quite manually. And I think that will always be true.
There’s a manual dimension to a lot of it because everything is so specific and unique to the protocol.
That said, a lot of our processes are a bit more manual than we would like. I mentioned before that we work a lot with the IETF, and the IETF has done great strides in automating their business workflows with systems, and it’s something we would like to do more of ourselves.
So using automation as a tool to not just make the customer experience easier and quicker, but then taking some of that clerical work off my team so our expert assessors spend less time doing paperwork and more time doing analysis, I think is a win-win for everyone and that’s something we’d like to focus on. That’s an example.
As to accountability, we have a pretty comprehensive accountability structure, but that doesn’t mean there isn’t room for improvement there.
I personally don’t see any big gaps in accountability that we have through all of our reporting, community reviews of our work.
But if there are areas to evolve that, improve that, we’re very willing to hear that feedback.
Mohibul Mahmud: Thank you.
Adair Thaxton: Adair Thaxton, Internet2.
You showed photos of people that you work with. That seems like an awfully small staff to deal with so many very exacting standards.
So just general curiosity, what’s the educational and employment background of the people that you work with? Is it a wide range of specialties, or how does that get done?
Kim Davies: That’s an excellent question. So we have a mixture of people. Myself and some of the team have come from the community. I have an ISP and DNS background, for example.
Some of the team members do come from community organizations that are pretty familiar with IANA when they come in. But that’s not common.
The truth is that most of our staff, when they start, don’t have any background in our industry, and it’s something we have to actually spend a lot of time training them up.
To be able to do expert analysis of RFC language takes several years of growth. I don’t have a good story to tell there.
I’m really gratified our team, once they are on board, tend to stay a long time because it’s a huge investment in training each of our staff because it is so specialized, and it is quite difficult.
So unfortunately, no magic bullet there. It is a challenge for us. Every time we have an opportunity for new hires, often a lot of work to find the right person.
Hollis Kara: Thank you. Going to wrap it up.
Robert Seastrom: Hi. Rob Seastrom, Capital One, ARIN Board of Trustees. An affiliation that I don’t usually give at the microphone is I also sign the DNSSEC root. I’m one of those people.
I’d like to zoom in on one thing you said. I don’t think you gave this slide deck at NANOG, but if you did, I apologize for not being there when you did.
RFC 5011, which is the roll forward automatic, believed to work, tested to work by your team, among others, has been tested in anger once in 2017.
So if you are in a position to influence people in your organization for what gets monitored both for does it validate and does it fail properly when it doesn’t validate, even though we aren’t using the new key yet when we pre-staged them, there’s a disturbance in the forest. If you’re in a position to influence what gets monitored in your organization, use this as a talking point in the discussion about, like, are we monitoring all the things that we ought to be monitoring.
Thank you.
Hollis Kara: Thank you, R.S. And thank you, Kim.
Kim Davies: Thank you.
(Applause.)
Hollis Kara: All right. Good stuff to think about.
More good stuff. Kevin is on his way up to update us on the ASO Address Council, and I suspect we’re going to hear more about ICP-2.
Address Supporting Organization Address Council Update
Kevin Blumberg: Good morning, everybody. So I usually start off with a small joke. I’ve been given 15 US minutes, a couple extra in Canadian dollars. Okay. We still need to wake up a little bit.
My name is Kevin Blumberg. I’m from the ARIN region. I’m one of the ASO AC members. I’ll do a little bit of an update on who we are, what we’re working on and, more specifically, on some of the work we’re doing with ICP-2.
So the ASO – and we’ll start with a very simple thing. You’re going to hear the word ASO and you’re going to hear the word NRO.
The ASO AC and the NRO NC for all intents and purposes are the same thing.
When I’m in the ICANN world, I’m the ASO AC. When I’m in the RIR world, I’m the NRO NC. It’s the same people. It’s the same functions, by and large. It’s just much easier, a lot of historical as John sort of mentioned earlier.
I’m going to use ASO AC during this talk. We’re 15 members normally. Three from each region. Two are elected. There’s an election going on right now. One is appointed. I’m the appointed person.
Each region has different terms, but the average is about three years for most of the positions.
Our role: We advise the ICANN Board.
That’s part of the MoU. We oversee Global Policy Development. Kim Davies just talked about that. The last Global Policy Development, 2011 for the ability to hand out smaller allocations from IANA to the RIRs.
We appoint two members to the ICANN Board of Directors. That’s two over a three-year period. So it’s sort of staggered a little bit. And we appoint one member to the ICANN NomCom.
We meet monthly. Over the past year we’ve actually met a little bit more than that. As well as we have face-to-face meetings. In 2024, that was twice. But generally, in the normal course of action, it would be once a year that we meet, usually at the first ICANN meeting.
So as you can see, here’s a list of all the current members, and we are missing four slots. Three are from AFRINIC, as the people that were there termed out and they weren’t able to replace them. We’re looking forward to when they’re able to serve with us again.
And the last is currently in the RIPE NCC. One of the members joined, I believe, the RIPE Board. That would be considered a conflict, so they stepped down, and the elections are going on, I believe, next week. So that position will be replaced.
Hervé Clement from the RIPE region is our Chair, and Ricardo Patara and Nicole Chan are Vice Chairs.
We are a global volunteer body. This is very important. You’ll see there’s a lot of regions but also a lot of procedures that go into this.
You can’t have two Vice Chairs from the same region. The Vice Chairs can’t be the same region as the Chair, et cetera. We define and mold the ASO AC to being as global and group-oriented as possible in how we work, how we operate, et cetera.
It is a wonderful group to be a part of.
That’s not something I usually say, but it is actually – everybody in this really tries the best that they’re able to. There are very big differences culturally in terms of how RIRs work, their own procedures, their own policies. And merging those into something that matches with everybody is not an easy task, and I’m really happy with the last seven years that I’ve been on the ASO AC and how that’s worked.
I want to take one pause here and thank two people. Nick Nugent, who is not in the room, but who has put in an unbelievable amount of time and energy into phenomenal penmanship towards the ICP-2.
It has shaved hundreds of hours off of the group’s work by having somebody like Nick able to help us.
And the second is Chris Quesada. His term ends at the end of this year. He’s not seeking reelection. I want to thank, and I want the community to thank, Chris for the years of service that he provided to everybody.
(Applause.)
We have a lot of things that we do, I talked about. We had a review a number of years ago. One of the key outputs from that review was open up things more up. We had a lot of closed – not intentional – wasn’t a big deal, but we had a lot of things that were closed. So we really tried to keep as many of the things open as we can.
Our face-to-face meeting, most of it is open to observers. I’ll talk about that in a second. Our mailing lists and our teleconferences. We routinely have observers, both from RIRs, from communities, individuals, coming onto those calls. You’re absolutely welcome to join them.
Things that would be closed would be an example of deliberations related to the ICANN Board appointments, things like that. But we try to keep most of the general work that we do open.
And now we’re going to get to ICP-2. John sort of talked about it a little earlier in that the NRO requested, sent a letter to the ASO AC asking us to do some work in this area.
The work was, we’d like you to review it.
We’d like you to go through it and come back with recommendations based on community feedback and based on everything that we’ve seen from the various stakeholders, because there’s a lot of stakeholders, obviously, as you can imagine.
So the last time that ICP-2 was touched was in 2001. That was when the document was created.
There were three RIRs at the time, RIPE, APNIC, and ARIN.
Since then, ICP-2 has been used by LACNIC and AFRINIC for their establishment. They used that process to establish those RIRs.
In the document, it said it would be reviewed. Every once in a while you should review this. The ASO, you helped write this document, you should review it.
The NRO felt it was well past. It was definitely time to do that. They gave us a long extension to allow us to do multiple iterations of coming back to the community in multiple steps through this process.
As I said, we’re on step two, which is the ICP-2. Our goal was to strengthen it through community feedback. Now, let’s look at the timelines a little bit and where we’re at.
So the main part to all of this was ICP-2 is a document about the formation of RIRs. It has terminology in it that is dated. While it doesn’t use the word “dialup,” there was a lot of terminology that was very common and practical in 2001 and needs updating.
If you saw from the policy sessions that we had yesterday, focusing on the text isn’t necessarily the right way to go because everybody gets very, very focused on very specific words in the text and not the meaning, not the overall intention, not the problem or not the solution. They just are looking at the text.
So it was decided early on to do this as a two-step process. Let’s open up questionnaire comments on the principles, the most important questions related, and if we’ve missed a principle, you have an opportunity to comment on that, to put the principles up front first.
Then once we had all of the feedback from those principles, do another round where we actually did the text. So we’re focused in ARIN nomenclature. We’re focused on the problem statement right now, and then we will move to the text in that next phase.
So we’ve done a lot of different work through the 2024. We’re coming up into – next slide – October, where we’ve published our principles document, and we’ve opened the consultation that’s going to go into November.
So once we finished with that and everybody – we are speaking at all the different RIRs. Myself and Hervé were on a call, a webinar yesterday – sorry – on Wednesday, with the AFRINIC community, as an example. They organized that.
We are trying to reach out to all of the communities, explain a bit about what ICP-2 is and the work that’s being done. And, more importantly, ask you to take a look at the principles document. If you’re able to, please, we would love the support and the information that you can provide. Positive or negative.
We’re not looking to have people just check off a box. We’d like you to comment if you feel there’s something good, bad, indifferent, we’d like to hear from you on that.
So we’re in that phase now. That will close after ICANN in November. So we’re giving everybody an opportunity, and there’s a lot of coordination. So thank you to the CCG team for putting up with us in very last-minute requests. But also thank you to ICANN because they managed to run a public consultation, because they have their own version of that, at the exact same time as us.
So there was a lot of coordination that went on among many. So there’s a consultation in ICANN. There’s a consultation in the RIRs.
We’ll have all of those results within a very similar time frame, which is very helpful, that things are not staggered off six months apart, et cetera.
Once we have all of this data, it’s going to be a lot of work to then piece together what was said, work through it, and then come up with a draft.
That will probably be in July of 2025, we’re going to have another consultation. It will be around the March time frame, March/April time frame, try to keep it with some of the RIR work that’s being done.
But our goal – and this is not a fixed in stone – there’s a lot of different moving parts here – it’s our best attempt as volunteers to put dates to things, is to have this out in July.
One thing that has been asked, and I’ll help with it a little bit, we have been asked to provide a document. Once that document is provided and it’s gone through the processes of the community, it’s gone through the processes of the ASO AC and we’ve put our stamp, this is the final document, here you go, thank you, that’s it for us in terms of there is still a lot of work to be done between ICANN, the NRO.
There’s contractual work. We’re not responsible for any of that. We’re just responsible for making the document. So there’s some things that we just won’t be looking at because it’s outside the purview. We’re just here to write what we believe to be the best document on how to form an RIR, how to strengthen an RIR, et cetera, how to maintain an RIR. That’s what we’re responsible for. Not any of the more complicated iterations that go on.
There’s an MoU. That wasn’t something that we would have handled or signed. It’s we would have reviewed, and that’s what our task is. I want to open it up, because at least in some of the other regions there’s been questions. If I miss something – I get very involved in this obviously. If I’ve missed something or you have any questions about ICP-2, by all means.
Hollis Kara: Folks, that’s your opportunity. Please feel free to approach the microphones or start typing if you’re coming in remotely.
Please go ahead, Mohibul.
Mohibul Mahmud: Mohibul Mahmud. First, I’d like to thank Kevin for his dedicated work and for contributions to the NRO and the Internet community.
And I understand what ICP-2, you and team worked quite hard. So thanks for that.
My question is on ICP-2, as per your observation, what is the most important principle that you are adding, you and team are adding, to the updated ICP-2? And how that will improve the accountability of the RIRs?
Kevin Blumberg: I’m going to throw it back at you and say, you get to decide what the most important principle is. I don’t want to impact what the results are of the questionnaire that’s open right now.
I think it’s important that everyone in the community look at the principles and say, this is important; we don’t believe this is important and here’s why, or we believe you’re missing something.
I don’t want to pick individually my own personal view of what one principle is more important than another.
We really want that feedback. I’ve been very involved in it, but we now want the feedback from the community on what they believe that is. But I appreciate the question.
Mohibul Mahmud: Thank you.
John Brown: Good morning. John Brown, no logo. First of all, commend that you are working on doing not only drafting something that has the spirit and intent but also the letter of what you’re trying to do and to bring those together, because many times I’ve seen documents where the spirit and the intent of the people doesn’t necessarily match the written word well and it creates a bunch of problems downstream.
Pardon me if this is a stupid question. You earlier said that the NRO and the ASO are effectively the same organizations.
Kevin Blumberg: NRO NC and ASO AC. The NRO is the umbrella which contains the NRO EC, which are the executives, and the ASO AC.
John, the wizard, go ahead. Did I miss that explanation?
John Curran: Let me make it simple. So let’s talk about what the organization is itself. The NRO, the Number Resource Organization. The Number Resource Organization consists of an Executive Council, which I talked about, appointees from each of the RIR executive leadership, and then the NRO has a Number Council made up of three individuals from the community from each RIR, 15-member body. That’s what is the organization.
Within the ICANN structure, they’ve used the term “ASO” for quite some time. And so the ICANN bylaws say the NRO shall serve the function of the ASO within ICANN.
So when someone is in ICANN and they say, can the ASO attend a meeting? Can we hear from the ASO on this, they’re literally saying can we hear the NRO in coordinating on behalf of the five RIRs.
Now the ICANN also has a body called the ASO, the ASO Advisory Council. The NRO Number Council serves as the ASO AC. So similarly, when you hear, we have an initiative with the ASO AC, the ASO AC has a consultation, that is the NRO Number Council acting within ICANN. That’s it.
Kevin Blumberg: Simple.
John Brown: Clear as an IPv6 address.
Kevin Blumberg: We’re 15 volunteers that do this work. I think that’s the easiest way to handle it.
It is on the website, aso.icann.org. It sort of lays it out, but it’s a lot to digest. It’s taken some ASO AC members, some volunteers, years to understand.
John Brown: There was a thread I was headed towards with the question, but back to the wizard.
John Curran: There’s an obvious question. One could change the name of the NRO to ASO, or one could change the ICANN bylaws references to ASO to NRO.
I would point out that the most important distinction is that many of the ICANN bodies are defined within the ICANN’s bylaws and structure. It’s ICANN saying these are these bodies, here they are and here’s how they’re set up and running.
In the case of the RIRs, we predate ICANN. We exist. We have a function called NRO, and we have worked with ICANN to say we believe that this NRO serves everything you wish your concept of an ASO to be.
So we’re willing to have the NRO serve as the ASO, but we are defined by the RIR community, not by ICANN’s bylaws.
So it is a recognition by ICANN that the NRO serves as the ASO. It’s a recognition that we are an independent entity that defines our own structure and operation, if that helps.
John Brown: Thank you. So the final part of the question is, you have these bodies that need to review and so forth and you’re projecting September 2025 to hand a draft to the ICANN Board.
If you had a crystal ball in front of you, where would you see the timeline going before it became an ICANN Board-adopted policy process, et cetera? Is that 2026? 2027?
Kevin Blumberg: We don’t know.
John Brown: Never?
Kevin Blumberg: No, no. It’s asking a third-party question that –
John Brown: That’s the crystal ball.
Kevin Blumberg: Yeah, there’s some consultations that are fairly fast. Some take a long time. I don’t know which one this will be.
There’s an appetite, obviously, between different things. It’s just not something I’m able to answer.
And I think we need to get closer to the draft before even then, because it depends on, even just like good Draft Policy, it can go to recommended fast. It could have to go back to draft before it goes back to recommended.
So it really comes down to an unknown state right now.
Hollis Kara: Great. One last question.
Kathleen Scoggin: We’ll see if you can hear me; I’m a little short. I’m Kathleen Scoggin, researcher with American University.
So part of the principles document is a potential conflict between an amendment to ICP-2 and existing RIR policies, practices or bylaws, and that in itself make an RIR noncompliant. They’ll have a chance to rectify it, but it would make an RIR noncompliant.
I was wondering if you could speak to what it means for an RIR to be noncompliant and what the implications of that is.
Kevin Blumberg: I think the point is that we’re seeking – like I said, we’re seeking feedback on what the community wants. This is what the ASO believed were the principles, and we’re seeking feedback on that.
The level of noncompliance, what is noncompliance, is great feedback. The remediation of noncompliance, et cetera, is great feedback.
I don’t want to specify an example that sort of takes away from it. But, ultimately, all of these things would be put into the draft then for community. But we want to see what the community believes is the right way of doing that first.
Hollis Kara: We’ll take one last.
Lu Heng: Thank you. One question. So –
Hollis Kara: Could you please state your name and affiliation?
Lu Heng: Lu Heng, LARUS Ltd.
How is this implemented when there was an adversary or hostile situation? Let me explain. If we’re all on good terms, or on good terms as such, you know, there’s some teeth in that new ICP-2 would not be triggered, if everybody is in good terms, if things need to be ratified or approved, people sit down, talk, do that.
But let’s say that wasn’t the case, and that probably was where those things would stand for. As we all know, the RIR system is separated into five pieces. Everybody have different backends, different customer database, private contact information.
If you have a noncooperative entity such as an RIR, what, we go to court? What happens to the Internet process? What’s the implementability when you actually need to use these things in the situation, and how are you going to go up and convince, like, what, thousands – at a minimum two or 5,000 members of RIRs. Bigger ones have five or 10,000 members.
One second. So how are you going to implement that in an adversary and hostile situation, which most likely it’s what it’s used for? If you go to court, will all these members follow you or they follow the old RIR, then we have fragmentation of the Internet, which is the last thing we wanted.
How practically to implement those things is something that the Internet community really needs to sort through?
Kevin Blumberg: That’s not my role or responsibility. My role and responsibility is to take community feedback, to create a draft. All of the implementation, all of the work that goes into it, is not the role of the ASO AC.
So I appreciate that there’s a bigger question that you have – and I’m sure you can put in some comments towards that – but my role and the role of the ASO AC is purely to write good Internet draft documents, and then the organizations that are responsible for them need to take that and work through what those processes are.
We can’t put absolute stipulations in this type of document. It would get handled elsewhere. It just needs to be good policy that we are writing.
So I appreciate your concern, but it’s outside, actually, of the scope of what the ASO AC is doing.
Lu Heng: I understand. One comment is that good implementation – implementation needs to be based on something which is implementable, which is based on what the policy rises to. If you write a policy that say, let’s say, let’s be on Mars in three days, that’s not implementable. Right? So that’s where, when we are taking feedback – this is feedback – and when you draft the document, think the implementability of such a draft, because it’s something which I saw here is technically very difficult, near impossible, to implement.
Thank you.
Hollis Kara: Thank you. John, did you have a comment?
John Curran: Let me speak here. So you have two activities going on. One is the development of implementation procedures for the existing ICP-2, and the other is the work that Kevin mostly described, which is the long-term plan to do an update to ICP-2.
When ICP-2 was done, it was mostly about recognition of an RIR. It wasn’t discussion about how to handle the details of that. And so obviously implementation procedures for the existing ICP-2 would be very challenging to use, for example, to de-accredit an RIR would be, as Mr. Lu Heng points out, would provide enormous operational and business implications.
In the other hand, if we’re talking about long term and the update to ICP-2, it’s conceivable that structures could be put in place to make this process far easier.
ICANN has, in another role with DNS, done extensive work with things like escrow of registry data, emergency registry backup operation procedures. These are things that actually, some of these work directly with the IANA actually, as it turns out, and so that the idea of a registry that has an operational failure and the need to handle both the technical and the business relationships are actually part of the structure of the DNS system that ICANN, the registries, work together to do.
It’s not inconceivable that we could have something similar if that’s what the community wants and that’s what the community puts in principles – if that’s the case, then many of the issues that you point out, which are valid issues right now, could be pre-planned for and wouldn’t be as bad. I don’t know. I’m not the community. I’m one of the people – when Kevin’s all done making this, I’m one of the people involved on the implementation side, but that’s after the community has its say and it decides what it wants for principles of the Internet Number Registry system and the principles that RIRs operate under.
Kevin Blumberg: I guess that’s what we would call the Staff and Legal Review in ARIN parlance after we’re all done.
Thank you, everybody.
Hollis Kara: Thank you, Kevin and thank you, John.
(Applause.)
Hollis Kara: Folks, you may notice we’ve already started to encroach on our break time. We’re going to go ahead and go to break now and start back up at 10:50, and we’ll pick up with the Information Security Update.
So please do enjoy the break and try to be back in here promptly at 10:50. Thanks.
(Break.)
Hollis Kara: We’re going to get started.
Christian Johnson, come on down.
We’ll be getting an update on ARIN’s Information Security from our Chief Information Security Officer.
Information Security Update
Christian Johnson: Good late morning. My name is Christian Johnson. I’m the Chief Information Security Officer at ARIN. I’m going to give you a quick overview of the Information Security Program, some updates since April.
Again, a quick overview. A couple of unique initiatives we’ve been working on both on the security side as well as on the certification side, and then just a couple of notes that I want to share around community communications which will be more clear when we get to it.
This is something I covered in the last briefing in a little bit different format. There’s a number of things we do. Our focus in security for ARIN is to focus on the basics. We’re talking about focus on our architecture.
We’re talking about having good policies, having good security training that we’re providing to the staff. Having good reporting capabilities. I mentioned a couple of these because we’ll have some discussion about it on a following slide.
Being able to identify and remediate threats. And to that end here’s a couple of items we’ve been working on. These seem relatively simple, security training and the ability to report phishing emails.
These particular initiatives have been multiyear initiatives that we’ve been working on. We had annual security training and new hire security training. Why do I bring up security training, just annual security training?
It’s maybe the most fundamental thing we do in sort of anything is focusing on training, but I will tell you, it’s one of the most interesting things that the insurance brokers will ask you about as well as, when you’re doing the security certifications, they’re looking for these fundamentals to be addressed.
So, it’s one of the reasons why I say focus on the fundamentals. We got a new centralized learning management system within ARIN this past year where we had a separate system that we were using just for training.
We now share within the entire company a learning management system, one system for all of our needs. So, we rolled out new security training this year to all of the staff on that new platform, and then previously we had a reporting button within the email system that we had.
It was really only available until – this year it was only available for Windows users because that was the version that we had and we knew that we were going to be doing some changes to our email stack over the earlier part of the year. So, we didn’t advance moving to a unified system for all of the users.
But, we eventually did, and we got it to the point now where all of the employees within ARIN have the ability to have a reporting button within their email so that they can, in an automated fashion, report phishing emails that they get so that they can be analyzed and we can act on them.
So those were multiyear initiatives. These are also – but these are sort of ongoing. One is we had the second year of our Board-level tabletop incident response exercise – it just took place in September – for the company leadership and for the Trustees. The focus is really on strategic decision-making, the communications and things that take place at that level, decisions and talking through functions and actions.
Separately, at more of the technical level, we’ve been conducting – it says we’re doing it in annual drills a little bit lower, but we’re actually doing two different drills.
Twice a year we’ll have a drill. One is more focused on incident response and the other is more focused on disaster recovery. The participants for that are at the first responder level, so that we’re going through those incident response drills and doing the exercises for strategic decision-making at the same time.
So, compliance. These are the security certifications, SOC 2, PCI DSS. Quick update on these. I won’t go into detail. I’ve covered them in previous conversations, and there’s a lot of information on our website as I will cover to sort of further describe this.
We’re at the very tail end of our SOC 2 certification cycle this year. Fingers crossed.
We’ve provided the last requested information to our auditor as of this morning. We’ve been going back and forth. We provided them all of the information they needed. They came back with follow-up questions, and we answered the last follow-up question this morning, to be more clear.
Our hope was that we would have our renewed SOC 2 certification done and have a report back by the 31st of October.
Interesting thing about that is that our auditor is located in Tampa, Florida. During the 90 days that we worked with them on our audit, they actually had to evacuate Tampa, Florida, twice for hurricanes.
So, we’re giving them a little bit of grace, being patient with them, and they can get us that report when they’re ready. They’ve got some ground to make up. But they’ve been great. We love working with them. We have a great vendor. We have a good working relationship, and so we fully expect – we haven’t had any negative feedback at all. We fully expect those reports to come back clean as soon as they’re able to finish the report.
For PCI DSS, this is for ARIN Online. I will say the SOC 2 is for RPKI. PCI DSS is for ARIN Online. This is a requirement that we go through each year to make sure we remain compliant.
This is related to the payment card industry. It has similar controls but not identical controls to SOC 2 and, very simply, we remain compliant with that.
This is one of those things, we don’t go through a formal audit. We do all the requirements per the PCI DSS documentation. As long as we’re meeting those requirements, we stay compliant.
So, we’re compliant again. That’s good. So, I do want to spend a little time here. I did mention this in April. I’ve talked about this before.
We have an information security page at arin.net, at our home page, and it covers a lot of great information with regards to our information and data security practices, what we do to secure your data, what you can do to improve the security of your data, for example, and within that there is a link embedded.
There’s a better description of our SOC 2 and PCI efforts, and within that, embedded in that text there is a link to our publicly available, publicly releasable, SOC report.
I say that because there’s a big trend in the security industry. That trend is around what’s referred to as vendor security.
Within every organization, your security teams, if you’re not a part of that, your security teams are spending a lot of time looking at their critical vendors, the critical vendors for your organization, and determining whether or not the security that they are doing is sufficient to protect you from any vulnerabilities that may be created when you’re dealing with them.
There have been some real-world incidents that happened this year that made that more concrete and more necessary. But this is something that’s been increasing over the last two to three years.
So, what we are getting at ARIN is, obviously we’re a critical vendor to all of your organizations, to thousands of organizations. As the security teams, mostly for medium and larger-sized organizations, the smaller organizations may not have the staff to be proactive, to reach out to do the analysis or gather documentation and do that level of initiative.
But for the medium- and larger-sized organizations, we are getting requests regularly for us to answer along security questionnaires, to go to websites to provide lots of security documentation and things of that nature, and we get statements thrown at us like, “We’re not going to allow this organization to renew with ARIN until you provide us this information,” variations of that.
What we have found is in almost every single instance, the questions that they were looking to get answered are answered by information that is available on our website.
Either the information that is literally on the website, the data there, or it’s within the SOC report that’s available on the website. That’s one of the reasons that we make that report available, especially for those organizations that may be SOC 2 compliant.
The SOC report that we provide them is exactly what they need to collect to do their analysis.
So here’s my ask of you, if you will, because there’s probably a lot of you in this organization that don’t see that side of it and may not be involved in the contract renewal process or procurement process on an annual basis or periodic basis, but you have people from your organizations who may reach out and request this information from us, and you may be aware they’re going to conduct those types of activities.
I would ask, if you could – please take back to them – that we have a lot of great information on our website, that they can go and harvest from that information the answers to their questions.
They can pull that SOC report with all the information that they need to do their analysis, and if they have any further requests beyond that, that they can submit a ticket through ARIN Online for further information and we can go from there.
What we have found is, in those instances where they have done that, they’ve actually been able to get all the information that they need from the website.
Once we complete our audit, we’ll get the new report and that will be updated so that we maintain the newest report on the website. And that’s the gist of what I had to cover.
I’m not going to draw it out any longer, but if you have any questions.
Hollis Kara: Come on down. Start typing.
Raise your hand. Any or all.
John Brown: How are you handling training or testing fatigue? You sit there and you ask people all the time, hey, we’re going to keep throwing phishing things at you, pretty soon folks are like, yeah, whatever and they just keep clicking through. I’m just curious on that.
Christian Johnson: In a previous life, I worked for a phishing vendor and there were a lot of great analyses that came out of that. Every vendor is chockful of their own data and the tests that they run.
One of the things that was pretty clear in the data that we analyzed there was that there is obviously a tipover, is what you’re referring to, the crossover point from being valuable to actually diminishing returns.
And so, what we do is – I stick with basically the tempo of training. When we start talking about phishing exercises specifically, I stick with a tempo that we found at that organization is ideal for most organizations, varying sizes, and I’m not shy to say that is monthly.
Anything more than monthly – and we had organizations who literally ran multiple events during the course of a single week every week, every year, and people were exhausted, is a great way to describe it. They would literally just delete it. They just didn’t care anymore.
When you get to the point where you’re doing it once a quarter or twice a year, for example, people just forget because it feels like it’s been a long time since they saw something like that.
Monthly has been, just from the data that we use there, has been a great tempo to follow, and that seems to be working here as well and all the metrics that I’ve been able to review, I’ve been lucky enough to be running it over the last three years that I’ve been here now, and I’ve seen the statistics continue to improve quarter over quarter as we run it monthly.
And especially with the implementation of the reporting capability to the entire company, we’ve seen reporting go through the roof. So, it’s been a really positive experience there, in terms of annual security training, I don’t know that people are exhausted with it when you do it once a year. So, there’s not a lot you could do there.
Hollis Kara: All right. We’ve got one last question.
Chris Woodfield: Chris Woodfield, ARIN AC, otherwise unaffiliated.
When you say “forget,” are you referring to people who fail to report the phishing attempt or that actually click on the phishing link?
Christian Johnson: When I said forget when.
(Laughter)
No, just kidding.
When I said “forget” in the context of not doing it frequently enough and so they forget? I think it’s more of a recognition.
What we used to say when I was in that company was that, when you’re just walking around and you’re doing your thing, you think of threats and risks quite arbitrarily.
But the reality of it is – I’m not shy to continue sort of hammering the gong, beating the gong on this one – is that in your email, you have – that is the front lines for most people when it comes to the battle against phishing is your inbox.
Whether you’re working from home or you’re working from your cell phone right now, or whether it’s here, home, in the office, and so regular exposure keeps people sensitive to the threat.
And to the point of me saying forget, some of it is people just forget that there is a risk. And they kind of get used to doing their day to day.
They’re doing their business. I’m expecting a spreadsheet. I’m going to open that thing because – and they forget that there’s a threat there, and sometimes they do forget in some organizations how to report it even if they do identify it.
That’s why we made the phishing reporting button available in the ribbon of our email clients, for example, just makes the process of identification easier because they’re sensitive to the threat existing and then they know they can just go and just push that button. It deletes it out of their available email, dumps it into the deleted folder, and it kicks it over to our analysis tools to start sandboxing.
Hollis Kara: Awesome. Thank you, Christian.
(Applause.)
All right. Next up, we’ve got Mark Kosters, ARIN CTO, to give the Engineering Report.
Engineering Update
Mark Kosters: All right. So as Hollis says, I’m Mark Kosters. I’m actually here from ARIN’s engineering room.
Since we have the water nearby, I figured I’d go for a little bit of a nautical theme this time.
So let’s go ahead and get started. So services that ARIN Engineering supports: Statistics, and I’m bringing in a little bit more statistics at every meeting. So there’s a few more graphs here that you can see.
Software releases and improvements, and end with focus points we plan on doing in the near future.
Okay. There we go. Here are the core services that ARIN Engineering supports. And this is our catalog of services that we have.
Our core services include RPKI, ARIN Online, the IRR, DNS, Directory Services. And we have three of them. Some day I’d like to go down to two. Maybe some day we can get rid of Whois-RWS. That work is – it sort of requires more work to be done with RDAP to make that happen. But I would like to see Whois-RWS go away at some point.
Email, ARIN Mailing Lists, ARIN website, of course. The Vault. OT&E. And File Transfer Protocol.
Wait a minute. That one is going to go away. You might not see this one in the future.
Also internally we have a staff interface for ARIN Online to handle all those Help Desk requests.
Security and performance monitoring that we do on a daily basis, and we have weekly meetings to review how the week has gone. Cloud-based tools, we have lots and lots of those tools that we use.
We have lots of development and testing environments, and I’m going to talk a little bit about this more in the future.
Email analytics, infrastructure tools like Jira and Confluence, all the Atlassian tools that many of us know and love, as well as financial systems.
Statistics: ARIN Online. I’m always amazed the consistency that we have here in terms of number of accounts created every year.
ARIN Online logins: Also it’s pretty consistent in terms of people that are using ARIN Online. Notably, the one-and-dones, they’re actually going away, mainly because they’re being locked out. But there’s more and more people going to having over 16 times that they’ve logged in over the history of their account. Some of them have been in the billions. Automated, of course.
Here’s our MFA adoption, and you’ll notice that everybody who used ARIN Online now must have one of these three authentication mechanisms to use to get an ARIN Online account.
So this is a good thing. I hope that you all go ahead and use these things to your ability. Does anyone here, just a poll, anyone here actually only have password authentication on ARIN Online? All right. That was actually a trick question.
All right. Whois-RWS, it’s like everything else on the Internet, it keeps on going up to the right.
You can see that Whois-RWS, which I’d like to get rid of at some point in the future, you might be hearing about that in the future. This is way in the future. This isn’t in the next six months’ future, this is in the years’ future.
But you can see that it’s seeing about a thousand queries per second, whereas Whois is drifting down to four. But it definitely sees some higher numbers there.
Here is RDAP. RDAP is interesting because we have a lot of work going on in RDAP. This is something that all the regional registries are trying to do, to have a consistent directory service interface between all of us. So when you do your query, it will go to the right place, you’ll get the expected result, no matter which RIR you actually end up with.
The thing that I find interesting about this graph is actually it’s something that Geoff Huston noted earlier this week at the keynote at the NANOG meeting, that is that v6 traffic has basically gone flat, not going up to the right as much anymore.
One of the reasons I bring this graph up to you all is that this is not using web browser so much, this is using a client tool which is fairly modern. The people that are using v6 for it are actually fairly small. So you can see here that it dwarfs the amount of traffic using our v4.
Here is our RRDP traffic. You’ll see it’s fairly noisy and fairly consistent. But you can see that this is something that we see across our constellation.
Here’s RSYNC, which is even more noisy, but you’ll notice that it sees substantially less than RRDP, which is preferred. RRDP is using basically HTTP transport, and this is using RSYNC and almost all the relying parties’ software vendors actually use the HTTP transport or RRDP over RSYNC.
Here’s our DNS traffic. Again, what’s interesting about here is predominantly what people are looking for are PTI records, and that’s, of course, its intended use. So that makes a lot of sense.
Releases and improvements: So publicly, haven’t had much this past six months. We’ve had lots of bug fixes. We’ve had 10 releases. We’ve done a lot of work internally whether it be tech debt or financial controls.
One of the things that we’re pivoting to is using Kubernetes for our infrastructure internally. It includes all the applications and sort of making sure that they’re tuned this way as we go forward.
This is something that you’ll be seeing in a theater near you as we go forward going into this. As Christian talked about, we’ve done a lot of SOC 2 work, the PCI audit as well, and we are continually doing availability enhancements for provisioning systems, aka moving to Kubernetes.
Here’s our system improvements that we continually do: end-of-life boxes and rolling out new hardware to our PFS sites, which we’ve done, and Prometheus monitoring, so that’s the things that have been worked, underway.
Focus points within each area of engineering is what I’ll get on to next.
Program Management: These are the people on the bridge and are looking for our future, look at the roadmap, what ARIN’s going to be doing and up to basically a year and a half a release planning making sure that it aligns to holidays, ARIN meetings, et cetera.
Sprint and team management. We are also planning for a new data center move. We’re planning on moving our facility from ARIN HQ to a new facility. This is something that we’re really excited about because in the engineering room it gets kind of hot and nobody likes a computer room that’s hot.
And sadly to say, there have been times where our computer room has gotten slightly hot that we’ve had to call in the CRAC vendors to go ahead and fix things, and it’s just something that we just don’t want to do going forward.
So it is what it is. Here’s our software development teams and for each year that we’re going to be working in these particular areas: RPKI, IRR, routing security in general, ACSPs, internal tooling and workflows, elimination of technical debt – which is a continual theme – and containerization, moving towards Kubernetes.
We also have a team that looks at UIs. So our web interfaces can be seen across multiple platforms, whether it be mobile or on to your laptops, making sure they are as good as they can be.
We strive for having three developers and two testers per team. I’ll note that this is not uniform across our teams but that’s something that we strive to achieve.
So the testers actually concentrate on making sure that the tester is taken care of, and we have a very robust environment set up for making sure that we have end-to-end testing done every day.
Our ISS team, Information Systems and Security team, is dealing with Business Central, which is our billing system, security monitoring, SOC 2 and PCI compliance, Exchange Online and other Microsoft tools which are all in the cloud, of course, and employee IT support.
System and Network Operations is involved with converting, provisioning automation to support Kubernetes, hardening the Kubernetes applications so that we are good to go across the board. Hardening our database infrastructure, which is also going to be using Kubernetes.
Improving our DNS support in the Caribbean region, we’re going to be seeing expansion in that area. Right now we have one Anycast node in St. Martin, and we’re looking to increase that presence in the future.
Our new data center environment preparation: This is going to be a lot of work for us to go move this data center in the next year. And updates across the entire fleet, of course.
Here’s our planned roadmap going forward and its RPKI integration with IRR. Routing intelligence with RPKI, which Brad will talk more about in the future here in a little bit.
New fee calculator which is coming out quickly.
RDAP enhancements to actually make us more in line with other regional registries, and we’re dealing with a lot of standards work on RDAP, as well as RPKI, making sure that we’re in line with all the good work that’s going on in IETF.
So with that, I am done and are there any questions?
Hollis Kara: Microphones are open, so please raise your hands. Start typing or approach the microphone.
I saw Leif be to the microphone first. We’ll start over there.
Leif Sawyer: Good morning, Mark. Leif Sawyer, GCI Communications.
Under MFA slide, I noticed 38 percent of people are still using the very insecure SMS second factor. Are we seeing that decreasing over time?
Mark Kosters: Actually, that’s a good question. And for a while there have been like 50/50 and actually TOTP is actually overtaking that.
Leif Sawyer: Second follow-up question to that. When can I have a second backup factor?
Mark Kosters: That’s something that’s in the roadmap. But it’s not currently even scheduled.
Leif Sawyer: Ah. Thanks.
Kat Hunter: Hi Mark. Kat Hunter, Comcast and ARIN AC. I absolutely support the RDAP work going on. The problem is the Whois-RWS had functionality in it that the new one does not.
Mark Kosters: Correct.
Kat Hunter: If you have reallocations that are done a couple of times, it’s buried, and RWS is almost the only way to crawl up the tree and figure out where that block actually belongs. And for the people in the room that don’t know reallocations, the last person that has a reallocation, it’s your problem.
So it becomes an issue when people are starting to look for the owner and you can’t figure out who the block belongs to.
Mark Kosters: Yes.
Kat Hunter: Something to consider. I don’t know if this is a suggestion process thing or not. But some way to figure out how to get up that tree and find out where it goes.
Mark Kosters: I agree. So they can go five levels deep.
Kat Hunter: Used to just be able to click right up it and figure out exactly where it went, and now you have kind of the end of the line, which doesn’t work very well if you have multiple linked ISPs, some of which may or may not know that they’re part of the chain.
Mark Kosters: That’s true. Speaking of RDAP, that work is not done yet. It’s feature enhancements we have in Whois-RWS will actually roll into RDAP. So you will have that same feature functionality in RDAP as well.
Kat Hunter: Awesome. Fantastic. Thanks.
Jonathan Stewart: Jonathan Stewart, Manitoba Internet Exchange. First, thanks for keeping the lights on and the bits flowing. That’s really important.
You were talking about DNS Anycast footprint. I was just curious about that, how widespread is it? Do you have 100 nodes? Twelve sites? I’m just curious.
Mark Kosters: That’s a really good question. So currently our Anycast sites, we were hoping to make it larger than we currently have. We currently have three main sites and one sort of small site that’s in the Caribbean.
We hope to grow that. But we needed some time to make sure we have consistency in sort of our build process to make sure that we can push these things out correctly. And that’s taken us a while.
Jonathan Stewart: Okay, and then a follow-up: Does any of the ARIN’s DNS data, is it published by other organizations, like maybe another IRR servers or maybe a three-letter acronym?
Mark Kosters: So yes. Our secondary servers, for the most part, for the /8s, for example, are the other regional registries as well as ICANN. If you look at the delegation list, you will see that.
The ones underneath that, if you look again further down the tree, you’ll notice that it’s ARIN, ISC, and also Verisign that are serving up those zones.
Jonathan Stewart: Cool, okay. Thank you.
Mark Kosters: To further that, all of us have Anycast on those parts of the tree. So there’s lots and lots of nodes out there, but I was just focusing on our /8s and how we want to sort of disburse that even further.
Jonathan Stewart: I know what you mean, delegation down the tree. Cool. I guess the thought process maybe is, is there ways we can help ARIN deploy that more widely to be very low latency and high resiliency from the operators around the region?
Mark Kosters: Yes. Thank you so much.
Hollis Kara: All right. If anybody else has a question or comment, it’s time to drop it in the queue. Go ahead and take this, then we’ve got one online.
Sam B.G.: Sam B.G. from Securitech Systems. I’m a new member of ARIN. I had a question about the data center change and what considerations are – where is that process, and what are the considerations for that?
Mark Kosters: Yeah, so we’re going through the process now of the financial evaluation as well as site selection.
We’ve been looking – this site we’re looking for, we’re looking to actually be in the D.C. area because this is something that our personnel need to go to, not quite daily, but quite often. So we’re looking at something that’s fairly close to us.
If you have anything you want to offer, let’s talk off line.
Sam B.G.: Thank you very much. Appreciate it.
Hollis Kara: We have one last virtual question, and then we’ll be done.
Beverly Hicks: Tomas Jonsson from Spotify. Considering the real risks of SIM swapping and the quite high adoption rate, 38 percent of SMS is 2FA, are there any plans to address that part, or is it not considered a risk?
Mark Kosters: Yes. But right now it’s really up to customers to decide which solution they want to use.
Hollis Kara: All right. I think that’s all our questions. Thank you very much, Mark.
Mark Kosters: Thank you.
(Applause.)
Hollis Kara: Next up, I’d like to invite Brad Gorman to join me on stage to talk a little bit about routing security at ARIN. I’m not going to talk, he’s going to talk, but I’d still like him to come up here.
Routing Security Update
Brad Gorman: I’m going to quickly go over some of the updates and uptake on RPKI in the community, as well as specifically at ARIN.
I’m going to talk about the global infrastructure a little bit, point at the ARIN uptake and how we’re working with RPKI within our region for our customers. Talk a little bit about the new features that we’re about to support and some of the work that’s being done in the standards community that will be on the horizon of additional work that’s being done.
John Curran brought up and discussed the charter for the RPKI program that’s going on inside of the NRO, and I’ll get a little bit more specifics in there.
So RPKI has come of age. The benefits of using RPKI, I can’t say it enough, so I had to throw this slide in there. It gives you, the operators, a way to make better judgment calls on how you want to handle announcements that are coming to you.
It protects you, the resource holder, by giving you the opportunity to make statements about your resources on where they should be coming from. It reduces the overall attack surface that bad actors can take advantage of in the Internet as a whole, and RPKI is the tool in the bag that we like to now put out as being best available and it is continuing to be developed moving forward. So that’s again, another one of the benefits of using RPKI as a method of routing security.
The numbers really tell a story about what’s going on in the global community. As reported by the NIST RPKI monitor that they run, in May of this year, on May 1, the number of prefixes that were on the Internet that were showing up as RPKI valid crossed over the 50 percent threshold for the first time.
As time has gone on, six months later, that number continues to grow and now we’re at 53 percent. The v6 announcements across that threshold earlier, that was in October of last year – it’s a little bit more than a year ago – that v6 did again cross that threshold.
It’s a very good indication that we’re past the peak. We’re starting to move downhill as adoption picks up and moves forward. We expect these numbers globally to accelerate, showing the adoption rate of users with RPKI.
RPKI is on the government radar. There’s been a little bit of discussion about it, but clearly the U.S. government has been putting the messaging out internally to themselves, putting messaging out to operators that are integral in making RPKI beneficial for the North American community.
And the OCND – the Office of the National Cybersecurity Director, and I will forever call them ONCD after that – they have put out a roadmap to all of the agencies and how they would like departments and the lower organizations beneath the departments to move forward with applying routing security. Their first steps are going to begin using origin validation and creating ROAs for their resources. So this is a really big step.
Another slide. They’re not only looking at what’s available today, but they’re also paying attention to the community, working with ARIN, and looking to expand their use case and footprint moving forward.
So in the standards community, there’s been pretty steady activity. I can’t say that it’s fast, but it is not silent. There were a couple new standards that have been ratified in the last six months, maybe a little bit before our last April meeting.
The list there, proposed standards. This is definitely not the complete list. Three here that are focused on what RIR’s need to be paying attention to and what we’re going to have to be responsible for supporting when they become ratified.
A list of three here is a list of 14, actually, going on in the working group inside the IETF.
I want to show you numbers of our adoption within our region. Just as a reminder, there are three different RPKI services that are available to you when you start using them here inside of ARIN.
There’s a hosted service. That hosted service is a method where ARIN performs most, if not all, of the heavy lifting. We are the registry. We will run as the Trust Anchor for the resources in our registry.
We run the certificate authority that handles all the cryptographic functions that are built into the RPKI infrastructure. We run the high-availability repository, and then we also develop tools that you can use within the community of hosted RPKI users at ARIN. So that’s the easy button.
The next type of service is a delegated RPKI. It’s kind of a total flip side of the coin. ARIN is still the source of authenticity for any resources, but the operator who chooses to use delegated runs, their own certificate authority.
They run their own high availability repository. They have total cryptographic control. It’s for organizations that want to take on that responsibility because they want to be truly in that full control.
In the community, there’s a colloquial term called “hybrid RPKI.” And what that is, is a side shoot of what people who want to use delegated RPKI but don’t want to have those high availability responsibilities, and ARIN will then be asked to pick that up and run that repository for customers who choose to use them.
Inside of ARIN’s community, what you can see is over time, over the last year, there’s been a pretty steady growth of organizations that are continuing to sign up to use our RPKI services. But if you look at the counts of the different types, you can clearly see that hosted RPKI is by far the largest adoption rate or deployment type of the services that are at ARIN.
If you looked across the entire RIR infrastructure and throughout the whole global RPKI community, that percentage which is upwards of 80 – 90, 97, 98 percent, it holds pretty true across the globe for people using RPKI.
This one is a little different. It’s showing the same thing, but the point that we really want to try to get across here is, in the last 18 months, 24 months, there has been a very rapid uptake in signups in using RPKI. Some of the numbers behind this were really part of ARIN’s endeavors to get people to sign up their legacy resources, getting them under the legacy contract over the last year. That was what pushed the numbers from 2023 up.
At the rate that we’re moving through this calendar year, we will pass that number of new registrations in 2024. It’s a continuation of getting more resources under contract and ultimately signed up for and using the services that ARIN offers.
This last thing here, these numbers here, really, in the ARIN repository, we’ve got roughly 1.6 billion addresses or registrations in the repository.
Of those, the percentage and the number of things that are under a services contract continues to increase. It’s now roughly 1.19 or 1.2 billion addresses, and the last number is effectively showing resources, holders that resources have made RPKI statements about.
So currently, in comparison to the full registry, we’re about at a 37 percent, 37.5 percent usage of RPKI in statements being made about those.
But if you take the number of resources that are eligible to use RPKI, of which being under agreement is one of those, we’re closer to 50 percent or above 50 percent utilization and statements being made. So that number puts us basically on par of where global registration and coverage of resources is.
Just by entity type, want to put a point out there, whether in the government, educational institution, organizations or commercial organizations, the adoption type – not shaming anyone – but there’s definitely a different level of acceptance and usage of RPKI amongst the different entities.
The last number at the bottom, when we’re referencing in the commercial and surface of users of RPKI, the percentage of covered IPs is significantly higher.
As you can understand, commercial entities do have a much larger subset or set of addresses when they cover them, it makes a significant difference.
We’ve had some community consultations on tools that have been recently or recently about to be released. We had one that came out talking about adding a vision and forethought and presenting to customers, RPKI information and potential impact or results of moving forward and applying ROAs to resources, or using that option to make those statements, what will happen or what is the expected outcome and change by creating this.
This is something that ARIN hasn’t provided in the past. It has been asked for more than once in the community. We definitely got the message clear to us what you all want, and this is the next large development effort that we’re going to be putting forward.
So, you’ve been waiting for it. We’re going to get started working on it, and we’re going to deliver this kind of capability in these futures, in the not so distant future. Let’s put it that way.
In the pipeline, this RPKI/ROA intelligence – that’s what was on the last slide, that’s what we’ll call it – we’ll begin that development in the first half of next year. That is a priority that we’re working on, and moving forward, that’s what’s coming next.
We have features as well that we’re going to be adding to the online interface, bring some capabilities into parity with what’s available within our API.
And then the working group also is talking about things across the whole RIR infrastructure that we are going to work together and try to develop a common functionality or feature or at least give multinational organizations that have resources in multiple of the RIR regions a similar look and feel to further enhance their experience using RPKI.
Help us shape the future. We have a great portal where we can make suggestions. There’s an email list for specifically the routing security team, routing.security, not dash. There’s one in there. Routing.security to arin.net. Please use those to contact us. We’re here; we’re listening.
I’ll give a brief update about the Steering Group in the NRO. Beyond the charter of what we had, the one big initiative that we’ve been working on and have been moving forward with in the last quarter is we put out a questionnaire to the community about, “hey, maybe what are the roadblocks to organizations who want to use RPKI but can’t or are reluctant to do so?”
To get that information, we put out a questionnaire, announcements on the RIR websites, blog posts, emails to the mailing lists, and we’re soliciting and have been soliciting feedback from those multinational organizations that were coming together and helping them have that common experience, but certainly the features that we’re looking at and working on will also impact and benefit everyone in the RPKI community.
So, the survey had gone out. We’ve received the feedback. There were additional interviews, one-on-one, whether Zoom interviews or, in fact, even in-person interviews at times when it’s possible. We have those results, and our next upcoming meeting of our team, we’re going to be going over the outcome and more of the details which we will be publishing through our methods of on the NRO site and on the RIR sites with our results.
There were an original 203 responses to this survey. We wish we had had more respondents from the community that really reached target. We did have – like I said, there were additional people that signed up for the extra special interface with the team and getting their point across.
And, like I said, we’re going to get these updates compiled and defined and make it aware to the rest of us, to the rest of the community what our plans are, how we’re going to do that.
So, looking for obstacles, looking for better coordination, looking to improve the overall functionality of the RIR system, that’s what we’re trying to do in this working group. But we need input from you in order to make this happen.
We can only imagine what you all need. You know what you need and want. So please communicate with us. The mailing list at the bottom goes straight to the team that’s putting our heads together and making it happen.
But our program manager, Sofia, who John brought up earlier when he was talking about this working group, she’s really spearheading the communication and the interaction both with the community and in the team that’s doing the work and with the NRO Executive Council.
We really do have a focused effort, dedicated individuals and people we’re looking at it and we’re trying to do what we want, what we think we want you to do; you need to tell us what you want us to do. That’s what I have today. Thank you. Do you have any questions?
Hollis Kara: While people are coming to the microphone, we do have a few questions that were queued up from the virtual audience. Let’s go ahead and start with those.
Beverly Hicks: Venkata Bandlapalli from Colovore: “Are there any certification programs available for RPKI training, either for individuals or organizations?”
Brad Gorman: Excellent question. I think Christian brought it up a little bit in his portion of the presentation. We have acquired an LMS system that we’re going to be building in training for the community, and RPKI is the pet guinea pig project.
We’re going to be putting forth RPKI specific test modules, and we’ll get to maybe a certification state. We are working on that now.
There are other similar training initiatives in the other RIRs, but that sort of individual hands-on remote is coming. ARIN does also have a way you can request and we can work together on our schedules and provide online webinars for dedicated community group of people all interested at the same time, ready to go. That’s an option for people who are looking for it.
We’re always open to other opportunities where things like that can happen. In fact, I did hold a Deployathon – ROAthon – at the NANOG meeting earlier this week. It was well received. We’ll continue doing things like that in the future.
Hollis Kara: Let’s take the last comment online.
Beverly Hicks: Anthony Delacruz, Lumen: “I really like the features that have been added for reassigned/reallocated ranges, like how those folks can now do IRR entries for ranges that have been loaned to them, but have a concern if they will be allowed to create ROAs on a loaned space in some cases. Will there be an on/off switch for space owners to control what the loaned folks can do? I’m not trying to stifle RPKI adoption, but our concern is, as an ISP, when we loan space, we expect it to be routed with us. When the receiving entity can add a ROA on ranges we loaned to them and then move that space to a large cloud provider that rely on that ROA for authorization, we may not notice that that space has been run off with and not routing with us. No major ISP is telling folks receiving blocks from them ‘just sure to take our blocks wherever you want.’”
Brad Gorman: Okay. To the last bit right there, it’s certainly an agreement between you and your customers with regards to the usage of prefixes that you then distribute to them through an allocation or reassignment.
But in the broader scheme of things, we do have NIST consultation method, and methods will be put out, questions to you, the community, on features like this. I encourage you and anyone who is interested to pay attention to the next couple of weeks. There might be something that is definitely geared towards the question that you’re asking, Anthony.
Hollis Kara: All right. Start over here.
Matthew Wilder: Matthew Wilder, Telus. I just want to say, first of all, RPKI ROAs from ARIN have been a killer app, a killer feature that I think is really driving member engagement and positive outcomes for our members.
So, I can speak from experience, there’s a few customers of ours who have engaged with ARIN in putting in their ROAs and it’s made a meaningful difference to them. And the changes with respect to the hosted, they made it simpler. Last year, that was big.
I look forward to the BGP intelligence as well. That will be interesting to see and help that much further. Thank you very much. I think it’s going great.
Brad Gorman: Thank you. It’s always good to hear positive feedback and people like it. We’re also open to negative feedback and concerns. So, please, send that in as well. But I’m very happy that your customers are happy with what we’ve been doing.
Hollis Kara: We’ll bounce across the aisle here. Pivot!
Alison Wood: Alison Wood, State of Oregon. That was an awesome presentation.
The State of Oregon was a very early adopter of RPKI. We’re in that seven percent of government entities that use RPKI.
I’d just like to offer any assistance I can give to any other state or government agencies. If you have any questions on how Oregon’s experience was with setting up RPKI, I’d like to encourage you to email me, alison.wood@oregon.gov. I’d be more than happy to help you move to using RPKI.
John Brown: (From audience) Blog post!
Hollis Kara: Alison, let’s talk.
Brad Gorman: I want to just add on and show, as the statement at the microphone of, hey, we’ve done it before, we can help you out, that’s what the RPKI community, the whole community is like that.
If you know someone who has already deployed it and you have questions, there’s no doubt in my mind that there are people that will help you. As a whole, the community wants to make sure that this is done well and right. Ask your questions; we’re here to answer them. Thank you.
Leif Sawyer: Leif Sawyer, GCI Communications. Following up with what Matthew said. Thank you for all your hard work. I’m really looking forward to that “what happens when I do this” feature that’s coming up.
I’m really hoping I can use that to excite my team into moving past the 18 percent mark on what we have currently validated.
Brad Gorman: Right. And the anxious to get to this next feature, you brought it up. On November the 4th is our next major deployment cycle. A tool that’s going to be coming out is the reintroduction of the opportunity and the option to customers who, at ROA creation, can also agree to creating a matching managed route object with the same information that’s going into the ROA.
So, the goal to that is going to be pulling together those two datasets, more into harmony to better bolster the benefits of all of the routing security options that are available out there.
It’s coming, and you’ll see notices of that very soon. So, thank you for bringing that out.
John Brown: Good morning, John Brown, no logo. Question/comment and then feedback.
Question/comment is – I think we talked about this maybe during NANOG, but the ability to basically have a delegation from a larger provider down to a smaller provider and then allowing them to have sort of their own RPKI destiny control.
If I remember right from the NANOG place where that was talked, that’s a roadmap down the road; and if so, do you have any thoughts on when that might be there? And then I have a separate comment.
Brad Gorman: The interest and intent to pay attention to the next consultations, the next few consultations coming out, in fact, we will be asking what you would like us to do with regards to entities that are recipients of resources, the ones who directly received them from ARIN and the different options that they have, or that you would like us to develop allowing them to have their own RPKI destiny. So that is coming.
It’s not just on our roadmap, it is clearly something we’d like to do, and we need your feedback on telling us how you want us to implement that. We have ideas, but we need to hear from you.
John Brown: And then I have a separate feedback, but I’m happy to yield a moment over to the other gentleman from I-2.
Jeff Bartig: Jeff Bartig, Internet2. I’d like to thank you for providing stats based on organization. A lot of the stats that I see on adoption of things like RPKI, IPv6, are looking at route advertisement counts, IP address counts, traffic to these destination counts, which make it look like we’re making great progress, which some networks are.
But looking at organizations, I think, is another important statistic that’s getting ignored.
I want to thank you for putting it out there and happy to see that education is in the lead at 14.6 percent, but it’s really sad that it’s only 14.6 percent. Still have a lot of work to do.
Brad Gorman: Jeff, I have to thank you, the Internet2 community, as well as the CANARIE community here in Canada, with the amount of work and outreach that you’re doing to your communities and education and getting the understanding of what RPKI is and its importance out there.
And as we, ARIN, have been working with you, certainly that’s a priority moving forward, and we’re going to continue doing that, get some of the underutilized or under – getting people to drink the Kool-Aid to understand what it is and get it out there.
The point is true, there might be resource numbers that are created that look really good, but we really need to make sure that everyone is doing the right thing and adopting and using RPKI. Even if you’re just creating your ROAs, that’s a huge step towards the benefits of RPKI being realized.
If you don’t make those statements about your resources, RPKI is only as good as the data that’s in the registry or in the database.
Jeff Bartig: And a few large providers who have a lot of address space or a lot of traffic can really influence some types of stats to make it look like we’re doing better.
Brad Gorman: It does skew some of the numbers, it really does. There are numbers out there that we need to reach and we’re continuing to do.
Again, thank you to Internet2 doing it with their community.
Hollis Kara: All right. The queues are now closed but we’ll finish with these two questions.
John Brown: John Brown with my WISPA membership hat on as a member. I want to thank you and the ARIN team who come to the WISPA events and the amount of work and effort you guys have been doing to help that community get RPKI rolled out and pushed out.
I strongly encourage, what was it, Hollis, you said, the Chief Experience Officer, the Chief Old Guy, was that what it was?
Hollis Kara: He said that, not me.
John Brown: He said that, okay. From an experience perspective and as an ARIN member, John, that’s money well spent. Please keep doing it. Wizard, please keep spending the money.
Hollis Kara: Thank you.
John Curran: I am here. (Laughter.)
Adair Thaxton: Adair Thaxton, I was assuming my colleague Jeff would say the thing, but he didn’t say the thing. So, I’m going to say the thing.
My colleague Steve Wallace has done an outstanding job of outreach for RPKI within the research and education community. Just the other day, his efforts have reached a celebration point for us. We now have more IPv6 RPKI-signed routes than we have unsigned routes.
Brad Gorman: Way to go, research community. Because IPv6 is the future.
(Applause.)
So, please, that’s great.
Hollis Kara: All right. Thank you, Brad.
Brad Gorman: Thank you, Hollis. Thank you, everyone.
(Applause.)
Hollis Kara: I will note, as Joe walks up to the stage to give the last presentation, Alison or any organization that’s successfully implemented and started relying on RPKI that would like to share a case study with the community for their education, just email us at blog@arin.net, we’re more than happy to work with you to get that content and information out there. So that’s my brief advertisement.
And Joe Westover, all you.
Customer Experience and Strategy Update
Joe Westover: Thanks, Hollis. I was trying to determine if going last was a good or a bad thing, but I’ll assume everybody is paying attention because they’re looking at the doors for Last Call.
This will be a little bit different. I don’t have any graphs. People who know me know I normally do, but that’s not the cusp of what we’re talking about today.
I’m the Director of Customer Experience and Strategy. I work for John Sweeting. I want to talk about a couple of things today. Some of this is the behind-the-scene stuff that you don’t typically hear about.
We see a lot of outreach. We coordinate that, but there’s things you don’t know. I just want to emphasize the continued investment that ARIN is continuing to make.
So we have things like indirect and direct customer support, customer journey mapping, data-driven process improvement. Something a little bit new. Some key program updates and outreach and engagement.
So areas of focus of the team. This is by no means all-inclusive. The team kind of manages from a programmatic component.
The Premier Support Plan, which a few people in here are part of, either as 2XL free or as a paid member and benefit by.
We had a new Qualified Facilitator launched a little over a year ago. We managed that. A certification program. That’s an up-and-coming thing, and that will be dependent on the LMS that will launch. Maybe you’ll see something of that in the next six to 12 months or see some of this bucketing and packaging of materials.
We have other Member Support activities across my team which consists of approximately seven people. We field everything from fee inquiries to third-party requests, to requests for security questionnaires, which we’re then able to aggregate, track and pivot to the site that Christian was talking about before. The SOC 3, the SOC 2 has been tremendously beneficial in pointing them there.
95 percent of the time that solves what they need and we can be efficient, but we’re also as an aggregating organization able to see everything that’s coming in, react to it, determine if you want to make changes to process or otherwise.
Election Support. It’s going on right now.
Public Policy Support. Obviously right now also.
Some of the new items are Business Process Excellence, Continual Improvements. Data Accuracy is something we’re supremely focused on. There will be more to come on that in the coming year or two also.
Fraud Prevention. You’ve heard that come up here. That’s a topic almost by design on our own design but we have to maintain it and manage to it which can be challenging resource-wise.
There’s a Fellowship Program. Welcome again to the Fellows who are here. We’re happy to have you.
The Community Grant Program. Peter mentioned that yesterday. That will be upcoming in a little bit.
And, of course, we’re managing – a lot of times you see Brad, Jon Worley, John Sweeting out there, but internal to the team and Amanda, we’re managing all those outreach events, which is a herculean effort.
Managing the development of the presentations, working with Hollis’ team. It’s not an easy thing to do. So we’re a bit of a catchall team in the CXS office.
This is really meant to kind of emphasize kind of the foundational investment we’ve made. I know when I came on board with John, we kind of had a long-term plan we put together. None of this is like changes year to year.
This talks about second half 2022, about implementing the Premier Support Plan. Q1 2023, we really established the department I’m officially in charge of right now with a focus on process architecture, optimization, et cetera. Just bringing in some of that more mature, formal quality improvement efforts.
Q2, Customer Satisfaction Survey. Qualified Facilitator Plan launched. We did get a plan for the initial training certification program so it’s ready to go when the LMS is ready and we can actually get the training content developed.
Q4, Registration Services audit concluded. The team that I run, we also concluded with what we call a high-level foundational requirements document. That was based off a year-long analysis to help determine the areas we thought there were gaps. And all of these areas obviously fed into that.
I wanted to talk a little bit about direct and indirect support. Direct support is all the stuff you see today. Personalized assistance with IPv6. That’s happening in outreach. That’s happening in webinars. There will be an output of that from here today.
It’s happening with RPKI with Brad and others. We have a lot of follow-up customer engagement when folks come out. I go to a few. Others go. There’s a lot of activities that happen after the fact.
We do a lot of proactive and targeted outreach efforts. People see, they feel that.
Indirect support, and this is kind of what we really have been focusing on putting in place over the last one to two years, and actually we’re implementing as we speak, is that process improvement initiatives, like just systematic stuff.
Requirements identification and prioritization, that’s a huge output so we can be efficient. And we hand to Mark’s team to develop on to make sure it’s the right thing that we’re doing. And, of course, just general continual improvement, which could be anything from changing people, process tools. Doesn’t have to necessarily be an automation or process change, but there’s a rigor to looking at that.
All the stuff feeds into the benefits of the customers. You’re going to see efficiency, streamlined interactions, faster resolution times on the ticketing, which is a topic of consideration at times.
Higher satisfaction, and hopefully we’ll start to see that in some of the surveys. The last part is probably the most important, just developing a stronger relationship with our customers.
We do this in a couple of ways. I won’t read all the details. I know we’re anxious to go. But we do a lot of work to kind of gather customer feedback. You saw that we get feedback from the PSP. We get feedback from the Qualified Facilitator Program, anecdotal from Registration Services. We get it from internal process discoveries. We get it from conversations and outreach where we record this and bring it back. We put it all in one big mix.
We’re evaluating needs and pain points from that. That’s the hard part. We’re learning from that data. A little harder part, and then we’re having goals from that to really prioritize and stagger the information there so we can put it into really a limited – we have a limited funding engagement. We have limited resources to do things, as you all know.
I go to a lot of events at times where people are amazed that we’re not this big herculean organization of a thousand people, and here it’s only a hundred and we have to make do with less.
We’ve just put some rigor into how we are doing our quality control. A lot of this is about kind of processes and efficiency. I like to throw stuff like this in every once in a while.
Joseph Juran, he’s like a godfather of quality. We’re really focusing in on the quality of the product, meaning the quality of services you deliver. The quality of interacting with ARIN is really a result of the quality of the process.
So what you see, just be rest assured that we’re actively working on the back end and making that a priority.
One of the first things we looked at is kind of looking at transfers. So one item I do want – I’m not throwing out Six Sigma, as people roll their eyes. I’ve used it extensively in the past. We’re using it formally in the sense that we’re using a version of it called Lean Six Sigma. It’s not the statistical side. That tends to be overkill and you don’t need to use it.
But we are systematically applying it in our process discovery to value-added exercises. Meaning, as we’re walking through – and I have two dedicated process people who came on board the beginning of last year – they’re walking through process steps. We’re evaluating internally if these steps have value, don’t have value, or have value but are required. Out of that, we can actually quantify that.
How often do these things happen? How much does it cost? That helps prescribe some of the requirements so we can eliminate some of those and/or introduce automation opportunities for requirements.
We’re implementing procedural changes based off that. One of the first items we apply that to is transfers. Anecdotally, we saw off the bat there were some personnel things we can move around. We made those changes. We looked back over three to six months and we saw an end-to-end 20 percent reduction in time.
That’s just the beginning. We’re going to keep looking for more, turning over more stones, but we’re going to continue to do this.
Again, it’s the long-term investment you’re not seeing, but I hope at some point you do kind of feel it out in the community.
I’m going to shift away from that to some program updates. So the Premier Support Plan, as I noted, it’s been out for a bit. It’s consistent. There’s not a whole lot else to say. It works well. We continue to have quarterly roundtables. The engagement has been consistent. We haven’t had a lot more people out, we haven’t had people really drop. It’s been level set. We’re getting good feedback. It’s really had a sustained, two-year engagement at this point.
They’re getting personalized support. Maybe even more important to that, we’re getting more granular feedback from it, which gets fed back from RSD into our team to determine what kind of changes, or just understand the culture, what’s going on.
Qualified Facilitator Program. It’s been well received. We’re getting good feedback, not only from our internal staff and working with the qualified facilitators, but also people out in the region and the facilitators themselves.
Again, it’s had a steady membership since launch, not terribly unexpected to folks in this room. We did just initiate quarterly roundtables for that. So we’re getting either yet another forum for the qualified facilitators that meet with John, provide feedback, and that’s something else we can bring in and look at to prescribe requirements changing and process other things we may be able to improve. Again, positive anecdotal feedback all around.
So we have a Community Grant Program. I think this came up – I guess it was NANOG. So for those at NANOG, this might be a bit of a repeat. We had a few recipients: Open Source, Reg CDL, Prefix CDL, IPv6 Test Pod, NTP TCP Services. You can go and kind of look at those on our website. There are final reports coming soon, which should be posted you can read. But you know where some of that money is going or has gone.
We have two recipients for 2024, and you can see those here sporting potential use cases for RPKI. Timely, right? Mitigating Internet abuse through IP addresses. It seems like there’s a theme here, right? You’ll hear an update at the next ARIN meeting on that, from the actual grant recipients.
And just a little shout-out. The application process will open in April for the next one. We definitely encourage people to, in this room, to spread the word to apply yourselves and to spread the word to other people in the community who could benefit as part of that program.
We have a Fellowship Program. You’ve had a number of them at the mic here. Again, other than saying it’s a great thing to see, we’re very pleased and proud of the program at ARIN, and we’re just going to continue to do it. You just knock it out of the park every time. You have to turn people away at times.
When I came, I’m like, are people doing that? Do you have to look for people? No, you have too many people all the time, which is just a fabulous piece. In addition to the actual interaction here and the things they’re doing at the mic, you just almost wouldn’t expect that a lot of times. It’s very encouraging. Especially at the NANOG meeting, there was a lot of talk about the next generation. Probably not so different from the conversation here. So that’s great to see.
I won’t go into some of the details. We know we get a lot of in-depth stuff for that. There will be another one for ARIN 55. So stay tuned for just a couple months, the program will open up again in January.
Outreach and Engagement. Just to touch on this. A bit of an eye chart. We like the picture visual representation. We have staff that go to a lot of places. We’re out there in the community from January right through December. That’s coming up.
Again, you’ll see the faces here for the people who go there. There’s also a team of people behind the scenes, as they were referred to earlier, that are making this happen. Not an easy feat. But collectively, all that coordination is happening. It’s really reaping rewards.
I think we hear a lot of that anecdotal feedback here today of people, we’re happy to have you out there; thank you for coming. We’d like to do more, if anything else.
However, the impact of that is, like I said, positive and there’s a rising demand. We have to be smarter internally about how to manage our limited resources for that. So we’re trying to look at some data analysis in that also to see just what questions we ask ourselves for the benefit piece of going to these because we can only do so many at some point.
But, again, the feedback is immense. It’s hard to put any limit on it because it really does prescribe our goals and requirements for the future. There’s no better way to hear the pulse of the community.
This one I have to throw in. There’s a Connected Caribbean Summit coming up in December. I encourage anybody to tune in, Hollis, or go there.
Hollis Kara: Yes. Registration for Connected Caribbean is open. I’m not sure if they’re going to be offering virtual participation options, but your best place to go and learn more about that event is either through our event calendar where we have it listed. It will give you a link to their website. If you’re going to be in the Miami area in December or need an excuse to be there, you might want to check that out.
Joe Westover: Thank you. Just the takeaway for this I’d like everybody to take back with them, is that there’s things you don’t see, but ARIN is making very strategic, systematic and committed commitments within the organization that we’re following up on year over year to support the community. If that’s the only thing people take away from that, I’m happy.
I’m happy to answer questions or talk about process discovery or anything else. But it’s a little bit different than the other topics, but if you can take that away, we’ll be happy.
Hollis Kara: All right. Did anyone have any questions for Joe?
Kathleen Hunter: Kathleen Hunter, Comcast, ARIN AC. I just wanted, one, the Grant Selection Committee is fantastic. If anyone wants to, there will be volunteers that open up for that. I’ve done it before. It’s a great program to actually see what goes on behind the scenes. You can do it as an Advisory Council participant and as a member of the community.
Second program, the Fellowship Program, I can’t even say enough fantastic things about it. We have all the Fellows that are here, but there are 28 returning Fellows just to this meeting. Three of them are running for the Advisory Council. We have people that are on the Board and on the Advisory Council, one of which is my Vice Chair.
So there are other organizations that have problems with people coming back, and that’s definitely not an issue here.
Joe Westover: It’s a resounding success. And that’s fantastic to hear that repeated feedback. Thank you.
You’re right about the grant. There’s a selection committee. It is open for people both within the AC and with the general public. So there will be some communications – not a lot of communications – going out about that opening up in the near term.
Anything else?
Hollis Kara: Do we have anything coming in from online?
Beverly Hicks: One just came through, an acknowledgment: Matthew Cowen, current Fellow, unaffiliated. “Echoing Kat, the Fellowship Program is an excellent experience. Thank you.”
Hollis Kara: Thank you, Matthew. Thank you, Joe.
Joe Westover: Easiest Q&A ever.
(Applause.)
Hollis Kara: All right. And that brings us to the Open Microphone. So if we can get John back up on screen and Bill back up on stage, we are happy to take any final questions and comments from the audience. Feel free to start approaching and queueing up.
Open Microphone
Bill Sandiford: Let’s start with the online one, since we have one.
Beverly Hicks: Sindhu Bandlapalli from Colovore. “I’m new to the ARIN community. I’ve opened two tickets to the Staff, and their support has been very helpful in clarifying questions. I’ve gained valuable insights from the policy sessions and appreciate the detailed information provided, especially on the security measures and RPKI. I’m looking forward to the next meeting. What additional resources or events would you suggest for gaining deeper insights into ARIN policies and best practices?”
Bill Sandiford: John, do you want to take that one?
John Curran: Sure. If you’re looking for ARIN policies and best practices, I would recommend actually joining first the ARIN PPML Mailing List, because while we do meet twice a year like this, a lot of the discussion of policies takes place in the mailing list in between.
I encourage everyone, everyone who has been in the room and all the great comments we heard yesterday, those comments can be done in advance of the meeting. You can do it online at PPML and work out with the shepherds and people who are interested in those issues.
Similarly, when it comes to ARIN’s practices, we have a Mailing List, ARIN Consult, which gets a bit of traffic as someone noted. When we go to change our operational practices, I often force it to go up to consultation just to make sure the community knows what we’re thinking about and to get the feedback, because ARIN is a small set of people and the community’s large. We want to understand what the implications are when we do changes.
So I would, first and foremost, if you’re interested in ARIN’s policies and practices, join those two lists and participate. That would be enormously helpful.
ARIN also does do events on the road. We go to various conferences, but those are generally the same content you have here. You have ARIN going and doing outreach at various industry events, WISPA, FISPA, Internet2, Canadian ISP Association, and you can go, but we have a Help Desk there and that’s predominantly to help people work through their requests with ARIN similar.
I would only say that if you’re interested in activities beyond ARIN, well, then, there’s certainly a larger audience. There’s four other RIRs and ICANN, and all of them have their own Policy Discussion lists. All of them have programs to help get people on board. That’s the next circle out beyond ARIN is the other four RIRs and ICANN. Thanks.
Bill Sandiford: Great. Let’s go to the right microphone there.
Brian Morisette: Brian Morisette. ARIN Fellow. I’ve had a great experience. This is my first ARIN. The organization of the meeting has been something that has been overwhelmingly refreshing in the nonprofit space. So I want to commend ARIN for the structure that’s really here. It’s been really easy to kind of follow along and kind of participate. Participation is encouraged.
Then the hallway track has been excellent. Met a lot of great folks. Had a great experience. Just wanted to comment on that. Thank you very much.
Bill Sandiford: Thanks for the feedback.
John Curran: Thank you. I miss the hallway track.
Heng Lu: Heng Lu, Larus Limited. I’ve got a question for ARIN, actually, just on the RPKI front.
Because the increased adoption in recent years especially, RPKI software is still vastly developed by each RIRs which create operational difficulties for people like us who manage massive amounts of IPs, both for ourselves as well as for our customers.
So would ARIN be open from an operational point of view, not policy point of view, but operational point of view, to provide a unified and standardized API access to the automated RPKI update across with other RIRs, would ARIN be open to that idea?
John Curran: Actually, this is a great topic for Brad, who just spoke. But I’ll say, one of the things we’re working on is making more consistent APIs among the RIRs and looking to see if we can make that easier for everyone to use, because it’s an issue if you have to deal with multiple RIRs.
Ideally, we would have a circumstance where an API would be very common among the RIRs. Certainly we have our own authentication services and our own accounts, so there’s going to be some differences. We have some differences in how we structure our schemas, but there should be a high level of commonality.
Ideally, you should be able to interface with ARIN without ever going to ARIN Online to get the vast majority of functions. But that’s going to take us some time. You’re going to need a year or two for us all to get there with APIs and getting common APIs among the RIRs.
Heng Lu: Thank you. To add to that. Our current experience, I talked to my colleague at IPXO as well, we need to write a code from bottom up for each RIR for the API access.
And AFRINIC and LACNIC still don’t even offer API access, which is a pain in the ass for us because we have such huge range.
But even for RIPE and APNIC and ARIN, which has a great operation team and great staff members, still our dev team have to write a code from bottom up from each RIR’s API access, which I think, number one, it’s unnecessary; number two, it’s inconsistent; and number three, which is the most important bit because RPKI to date does dictate in some large part of the Internet of your routing possibilities, right, if you block the RPKI, your Internet is down.
So consistent access API and with minimum modification across RIRs is greatly appreciated. So if the tech team of non-RIRs can get together to allow folks with operators especially across regions with minimum code modification to access each of the authentication services would be much appreciated and that maybe should be put in the roadmap of RIRs.
Bill Sandiford: Thank you. Brad, did you want to comment?
John Curran: One comment.
Bill Sandiford: We’ve got Brad here.
John Curran: The one thing I want to say – okay. Let Brad.
Bill Sandiford: Go ahead, Brad.
Brad Gorman: John didn’t see me running up to the microphone.
Absolutely, Lu Heng. The intent of setting up this working group inside of the NRO is to address exactly your kind of question. Someone who is having challenges given different inputs and entry methods into putting your resources into RPKI at different RIRs.
Please come by and stop me after we’re done here and I can answer some of your questions. But your interest and your feedback is welcomed and desired from this RPKI group, and I’ll let you know how to get in contact with us there.
Bill Sandiford: Anything online? We’ve got one online. For those in the room, queues will be closing soon.
Hollis Kara: We have one online.
Bill Sandiford: Queues will be closing soon. Please join the queue. Let’s take the online.
Beverly Hicks: Arash Seyed Haghighi, Smilegate West Inc. I’d like to ask the ARIN team two questions. First is, I’d like to know whether there are any plans or defenses in place to protect against DDoS attacks on ARIN servers and infrastructure? That’s the first one.
Bill Sandiford: Do I see Mark?
John Curran: There is. Mark should take that.
Bill Sandiford: Here he comes. Queues are now closed. We’ll take Mark and then we’ll be done.
Beverly Hicks: He has a second piece to this question, but I’ll let him answer that.
Mark Kosters: I dressed down for this, John. I don’t know if you can see me, but I’m not wearing my jacket.
To answer that question, we actually have defense in depth here, coupled along with analytics. So we have ISPs with inline DDoS mitigation, as well as protection at our edges as well.
Have we been under attack? Yes. Have you seen it? I hope not. So those are things that we’ve been very serious about making sure that we are protected against. Thank you.
Bill Sandiford: Thanks. Part two of the question.
Beverly Hicks: (second part of Arash Seyed Haghighi’s question) I wonder if ARIN has a system in place to identify the types of attacks and blocks to suspend or suspend the IP addresses or ASNs that provide these services either by their members or their members’ clients. If a company or an organization is contacted by the US Federal Courts Victim Notification Service regarding being victims of a cyber-attack DDoS and the court’s final judgments on that issue?
Mark Kosters: John, do you want to take it? Go ahead.
John Curran: Mark, if you’re there, go ahead.
(Laughter.)
Mark Kosters: One of the things we do is that we log this information, what we can. And it’s brought to law enforcement agencies for further analysis and actually trying to identify the source and actually seeing what we can do to actually go to court. Thank you.
Bill Sandiford: All right.
John Sweeting: I’ll just add a little bit.
Because my team, with the fraud and everything, we work very closely with Mark and his team. There’s a lot of tools that engineering has to use to slow down attacks and identify people everything. We’re not going to share those, of course. But we do get them. We do take the action. And sometimes the final action is turning it over to law enforcement.
Bill Sandiford: Thanks, John. All right.
And the final comment for Open Mic.
John Brown: First comment is I think everybody in this room, let’s give a hand, applause to our wonderful AV team that’s been here all week with NANOG and ARIN.
(Applause.)
Bill Sandiford: Yeah, they do a great job.
John Brown: They always make these events rock compared to other events. I hardly ever see a glitch here. So you guys and gals knock it out of the park.
The one critical criticism I heard in the hallway tracks last night, bar track, whatever, maybe if we can put – I think we’re going to see more policy issues coming up here soon and so forth. If we can put some of the business update operational things in one day and policy things all in another day to make sure we have good focus on that through the entire day for the policy.
You may have people that want to travel for policy but don’t necessarily need to be here for the more membership-y kinds of things.
I have a slight opinion one way or the other. I’m not going to share that here. I’m just feeding that back from what I heard at multiple tables last night. Other than that, cheerios.
Bill Sandiford: On that, I will say that the team that plans the meetings does an incredible job of trying to assemble the schedule and the various content they have.
They don’t have crystal balls. They don’t know how long each policy might take or what presentations might go over. Some of them we expect no questions and there’s a line up at the mic. Some of, you expect lots of questions and there’s none at the mic. They do a great job.
They have to assemble the schedule in a way that is best for the entire event, and they draw upon 53 previous meetings to try and gauge where that might be.
I think I recall in years gone by there was days where we tried to do a lot of policy, and I will tell you that policy from 9:00 a.m. to 5:00 p.m. generated a lot of complaints of, oh, my God, I can’t sit through policy all the way through the day; or, oh, my God, please don’t put me at the 4:00 p.m. policy because everybody will be tuned out because all they’ve been doing is policy all day.
So the comments are well heard, well noted. It really is a delicate balancing act, and I think the staff that puts this together does a pretty bang-up job, but they’re always welcome to take that type of feedback away.
John Curran: I’ll add to that, and I posted some comments to PPML to this effect. I do believe, first, policy is important, and we don’t short shrift policy. We make sure we have all the time we need for all the discussions and all of the comments, and I think Hollis and Chair Sandiford did a great job with that.
But I also want to point out that in the past we did have a very clear delineation, and one of the things that we’ve seen recently is that the people who are coming and participating in policy are hearing about things like ICP-2 and the ASO AC, the NRO Number Council. They’re hearing about issues that the Board are facing and issues in governance and operational issues, cybersecurity.
It’s possible that someone who comes to participate in Public Policy Development today, whether they’re there on their own or a Fellow, may say, oh, I just learned about something else, some other aspect of ARIN, the grant program that I want to be involved in.
We have seen a high level of cross-pollination that’s actually helped with our community leadership development, capacity to engage ARIN, have people involved at the AC, have people involved on the Board.
Some of the people who have participated in these are people who came only for policy or only for something else in the past, and by having a little more collaboration, a little more mix, we’re actually helping develop people who will be the future leaders of ARIN.
I’m not sure I would vote to keep a clean separation of line because I think that mix is invaluable. But ultimately it’s your meetings. So please continue to provide feedback. Feel free to reach out to the Board members. Feel free to send me email. But I want to point out, I think there’s some real benefits to what we’re doing, and I’m not sure what problem gets solved if we try to tease this out.
That’s in addition to Chair Sandiford’s comments, the effect that an entire day of policy is often the day that somebody people will skip, and I don’t want to lose those people in the room. But give us your feedback. Think about the tradeoffs involved, because we will continue to evolve the format.
Bill Sandiford: All right. On that note, we’ll close the Open Mic, pass it back to you, Hollis.
(Applause.)
Closing Announcements and Adjournment
Hollis Kara: Thank you to everyone for sticking around. It’s been a great meeting.
I’d like to start off the closing by thanking our sponsors, Network Sponsor Rogers and our Webcast Sponsor Google. If I could get a round of applause.
(Applause.)
I’d also like to thank our other sponsors, Kalorama IPv4 Brokers and Advisors, IPv4.Global by Hilco Streambank and IPXO, if I could get a round of applause for them.
(Applause.)
Going straight to the last point. We do have a survey. If you complete the survey, you could win some really cool headphones. But, more importantly, you can give us feedback on how this meeting experience was for you, suggestions for improvements to the future tracks, topics, organization of the agenda, anything. We’re happy to hear it, and we do hope you will submit your meeting survey over the next week while that survey period is open.
Also do please go ahead and mark your calendars. ARIN 55 will be April 27 to 30 in Charlotte, North Carolina, next spring, and we do hope to see you there.
And thank you again for your time. It’s been a great meeting, and I wish everybody who is traveling home safe travels and hope to see you again at a future ARIN meeting. Thank you so much.
(Applause.)
(Adjourned at 12:30 p.m.)