ARIN 48 Public Policy Meeting, Day 1 Transcript - Tuesday, 19 October 2021 [Archived]

OUT OF DATE?

Here in the Vault, information is published in its final form and then not changed or updated. As a result, some content, specifically links to other pages and other references, may be out-of-date or no longer available.

This transcript may contain errors due to errors in transcription or in formatting it for posting. Therefore, the material is presented only to assist you, and is not an authoritative representation of discussion at the meeting. If additional clarification and details are required, videos from our original webcast are available on our YouTube channel.

Public Policy Meeting, Day 1 - Opening Announcements

Beverly Hicks: Welcome, everyone, to ARIN 48, day one. We’re so glad you’re here with us today. I still see people rolling in. But we’re going to go ahead and get started with just a few housekeeping items to get us going.

Can I have the next slide, please? We thank our Board of Trustees for all the important work that they do for us and all of our community.

And we know that many of them are here today. So we are thankful that they’re here and – glad to see you.

Next. We also have huge thanks out for our Advisory Council. They’re working hard to get these policies through, and we are thankful to them and the many of them that are here today as well.

We also have our NRO Number Council here today. You’ll be hearing from one of them this afternoon. And we’re super thankful that they’re here as well.

Next slide, please. So I just want to briefly talk about how to be successful getting around the ARIN 48 platform. And while I know that you’ve probably been to 437,000 Zoom meetings or meetings of some sort virtually in the last few years, let’s talk about how to be successful today.

Go ahead. So we all know where the chat function is. It’s at the bottom of your screen. And it has a speech bubble by it. Please note that our chat is for our general conversation. It’s for the opportunity to ask questions of each other. It’s a chance to cheer people on and everything else. But it is meant for general conversation. And we like to keep it on topic.

Go ahead. Notoriously, Zoom likes to – sorry, if you can back up – notoriously, Zoom likes to default to an all-panelist situation where it notifies the host and panelists of your awesome comments, but forgets to let everybody else know. So make sure you’ve dropped that box down and made sure it says “everyone” instead.

Go ahead. We like to keep our chat professional, on topic and following the ARIN Standards of Behavior. We appreciate your help with that today.

The question and answer text – when you have a thought or a question for a presenter today, feel free to put that into the Q&A box right when you think of it. We ask that you add your name and affiliation. And we will – the moderators at the time will present that back to the group at appropriate times. So, feel free to put them in and we’ll hold them in queue until it’s time.

Next. You can also raise your hand. We love to hear from you even if we’re not in person. So when you raise your hand, it will turn green for you just so that you know. And that will also put you in queue to speak just as if it was an open microphone. And we’ll let you know when it’s your turn and make it so you can unmute yourself.

Next. Again, it will turn green; that’s how you know your hand is up. You can lower your hand by clicking it again.

Just a couple of rules and reminders for you. Our Board of Trustees Chair, Mr. Paul Andersen, will moderate discussion of the draft policies so that all can be heard during this time.

We really appreciate that any time you are on the microphone that you clearly state your name and affiliation each time you’re recognized to speak. I’m also going to ask that you probably speak slower than I have been because I notoriously speak too fast. And our transcriptionist would truly appreciate that.

Again, when you’re filling in your name – I’m sorry, filling in your question in Q&A, take a minute and make sure your affiliation is there as well. We’d greatly appreciate it.

If your name is in, you do not have to include your name, but including your affiliation so we can read it out with the question helps us. Standards of Behavior can be found on the ARIN website.

Today we have lots of people with us. Some joining immediately and some others – as of a few minutes before the meeting started we had 13 registered from Canada, 134 in the United States, five in the Caribbean and 17 from outside the ARIN region. So we thank you all for being here today.

We are recording and live streaming this and we have the slides available in PDF form for today’s event. They’re all at the ARIN 48 materials page. Just a note when you type in that URL, it comes – it does require that ARIN 48 is capitalized. I believe it defaults otherwise, but that’s the easiest way to get there. Live transcription is there as well.

I just wanted to let you know that the registration site that you used to get here is way more than just a registration site this time. With this meeting being spread out across different things and us having a great new platform to use, there’s lots of resources there that you may find useful during this meeting.

Feel free to check that out. The big blue bar across the top of the registration site will get you to all of the different places, including the event hub, which gets you to each of the day’s Zoom links if you ever can’t find your access to that link that day. Just go to arin.net/ARIN48, and you can get to that.

We welcomed our newcomers last week. And we were super thankful to all who attended. As a result of that, we did a drawing. And unfortunately you have to be present to win and the person we drew did not show up this morning. And so we had to draw another name.

And I’m going to feel horrible because I’m probably going to struggle over her last name. But she’s one of our fellows. So Meri B – and I’m not even going to try because I’m afraid I’ll hurt your last name, but I wanted to let you know you’re our newcomer orientation winner and also one of our ARIN fellows this round. So, congratulations, Meri.

I also want to say thank you to our Network Sponsors. USI is providing our network assistance and thank you to Lumen for providing the backup.

Let’s talk about our agenda today. On docket today we have – right after me, we will have Leif Sawyer discussing our AC Docket Report. Then we’ll talk about Policy Implementation and Experience, Routing Security, and Software. And then we’ll move to a break. And after the break we’ll have our policy block.

Today we’re going to be talking about three policies. After those three policies we’ll have presentations from grant recipients from the last year, a Training and Outreach update, and Open Microphone.

And with that, I get to stop talking and turn it over to Mr. Leif Sawyer and say welcome and introduce you to talk about what’s on the AC docket this year.

AC Docket Report

Leif Sawyer: Great. Thank you. Good morning – make sure everybody can hear me fine?

Beverly Hicks: Yes.

Leif Sawyer: Okay. I’ll start off with the next slide. Thank you, good morning. I’m Leif Sawyer, I’m the Chair of the Advisory Council and we’re a 15-member body.

Everybody on the screen right now is an important member of the community, all helping to shepherd the policies that the community brings forward to us and considers important enough that we work on so we can address the concerns for how ARIN manages its resources.

Next slide, please. So we’ve had a number of activities happen since ARIN 47. We’ve sent the three policies on the screen to the Board of Trustees for adoption. I’m not going to read all of these here for you.

But all of these were adopted and implemented in the last revision of the NRPM in August.

Next slide. And we’ve also sent these two policies to the Board. And they are working on implementing them currently, and we’ll have that out for the next NRPM revision.

Just a reminder for everybody who may not know, you can look at past revisions of the NRPM online at ARIN. And we can probably find a URL and put it in chat for you.

We have a GitHub – Git repository, so you can see all the history of changes in there as well.

Next slide. So since ARIN 47, four have advanced to Draft Policy, the four listed below. We’ve had one policy withdrawn by the author. And the two pending shepherd review, you should see activity on those very, very quickly, but they will not be discussed here at ARIN 48.

Next slide. So one Recommended Draft Policy on the docket, Special Use Case for IPv4 Space Being Out of Scope for determining waitlist eligibility.

This is a pretty strong one, so we’re really looking forward to getting some feedback from the community about this policy – recommended policy.

Next slide. And the five draft policies here. One’s fairly new. That’s the 2021-6. That’s one of the – ones that have come in very recently. But all of these, obviously, we’re very excited to get community feedback from.

Next slide. And that’s it for this quick introduction to the docket report. And I’ll take any questions if you have any.

Beverly Hicks: Just a reminder for those who may be typing a question, and we’ll give it a few seconds, that you need to include your affiliation, please. You can raise your hand if you have questions for Leif. But I’m sure that the majority of those questions are probably coming later specific to the policies coming in.

Leif, it does not look like there’s any questions. So thank you so much.

Leif Sawyer: Thank you. And thanks, Sean, for dropping the URL in chat.

Beverly Hicks: At this time I’d like to introduce Ms. Lisa Liedel from ARIN to do our Policy Implementation and Experience Report.

Policy Implementation and Experience Report

Lisa Liedel: Good afternoon, everyone. I’d just like to say that the policies that we have now, they all seem to be working very well. So this isn’t really a problem that we want to discuss; it’s more of just some discussion to make sure that the community believes we’re implementing a process correctly.

Next slide, please. We’re seeking guidance from the community about multiple discrete networks as it relates to Section 8.3 and 8.4 transfers. We’ve been encountering some organizations that are trying to receive space under the 8.3 transfer specifically. And they do operate multiple discrete networks.

Their overall organization doesn’t really qualify based on the utilization requirements outlined in Section 8.5.6. But they do have one or two or a few networks individually that would meet these utilization requirements.

Next slide, please. So what we’ve been doing is we kind of look at each of the networks as sort of a stand-alone entity. We’ve borrowed the information from Section 4.5 for multiple discrete networks so that each of the networks has to qualify based on the items in the Number Resource Policy Manual, like I said, Section 4.5, items one through six.

So, they can’t be a consortium. They have to have a compelling criteria for creating the networks, such as regulatory restrictions, they’re geographically distant from one another, very diverse, that type of thing.

And then we look to see that each network meets the utilization requirements and the projection requirements in Section 8.5.5 and 8.5.6.

And that way we can help the organizations get space for the networks that really need it while they continue to use their other space for other networks that have just been turned up. And that’s really all that we wanted to discuss about this.

Beverly Hicks: Thank you so much. At this time if anyone has any questions for Lisa, this would be the time to ask them or raise your hand. And we’ll give just a minute.

Lisa, looks like we’re good for now. Thank you so much.

Lisa Liedel: Thank you.

Beverly Hicks: Next we’ll turn it over to Brad Gorman for a Routing Security Update.

Routing Security Update

Brad Gorman: Good morning, afternoon, evening, everyone. I’m Brad Gorman, the Senior Product Owner for Routing Security here at ARIN.

Next slide, please. So we’re going to go over what’s new since our last meeting, since ARIN 47. We’re going to talk about the Internet Routing Registry – the NONAUTH shutdown specifically – the changes in growth in RPKI here at ARIN – talk about some of the new training opportunities and talk about the new product development that is underway in the routing security domain.

Next slide, please. Since we had our last meeting and discussed a shutdown of ARIN’s non authenticated IRR, our object count has grown. We sent out a notification to all of the Points of Contact that have the ability to make IRR entries or deletions at ARIN, and that went out on June 14th.

We are offering suggestions internally with how we can help reduce the number of objects that you have in our NONAUTH and the NONAUTH opportunities or – different places where you can put your objects that are in our NONAUTH, should you choose to do so.

It’s work under the Chief Customer Officer’s organization and the Registration Services teams, one of our team members, Jon Worley. There’s the routing.security@arin.net mail alias that comes to me on the ARIN team. And the ARIN help desk can give assistance where needed.

Next slide, please. So since ARIN 47, 6,000 new objects have been created. And that’s 6,000 out of – there are 6,000 out of 62,000 objects. The fact is one organization is responsible for 92.5 percent of those objects. And of the ones created almost 99 percent of them are route objects.

Now, we’ve been in communication with that one particular organization, giving them the awareness that what they’re creating is showing up in the nonauthenticated IRR, and certainly offering assistance and suggestions on how to clear them out of there.

But still that leaves 510 objects that have been added to the NONAUTH area through whatever mechanisms that happen that got them put in there. And we certainly want to work with everybody and start decreasing the number of objects we have.

Next slide, please. So, March 31st, 2022 is the date we all need to keep an eye on. We need to prepare for that date when it shuts down. Suggestions would be – taking an inventory of your objects. What are in – what’s in that NONAUTH? What do you want to do with those objects? Do you want to make changes that will put them into ARIN’s authenticated IRR or do you want to choose a third-party location to store your objects?

Once you know what the options are, you need to make a plan to execute. And there’s only 163 days to go. So if you have questions, you want some help, please reach out. We’re here to help.

And otherwise just know that March 31st is coming and at that date, if you still have objects in the NONAUTH database, they will be – that database is going to be turned down. They will no longer be available.

Next slide please. So with RPKI, it’s going in the right direction, thankfully. Since the end of our last meeting, the number of Orgs has grown by 20 percent. There are currently – that included 364 new Orgs selecting the hosted RPKI option. Seven new Orgs selecting up/down, which is delegated RPKI, to a total – as of last week – to 2,193 ARIN organizations have enabled and are participating in one of the RPKI solutions that we offer.

The number of ROAs in this case, 74 percent growth, which is astounding. There have been a great uptick in the number of large and small Orgs that are creating route origin authorization objects. And these are truly the first step in the foundation for how RPKI works. So, good job to everybody who is doing it and we recommend keep moving forward.

Next slide, please. Again, since April, we have had a couple events where we’ve done webinar training, and there’s been some new training videos created. Notably in the end of August and beginning of September we had two sessions for how to enhance your routing security with ARIN’s hosted RPKI. Those are available to us – or you, everyone – on the link following below where we have all of our training and webinars linked.

And there are also some easy short how-to videos that certainly are helpful – very clear, hopefully, to you – and kind of answer a lot of the questions, a lot of the recurring questions that our RSD team addresses.

So, please take advantage of those, have a look. The videos are very short. The training sessions that we have are certainly more in depth.

The webinars are typically about 60 minutes long. But there’s a lot of good information, answers a lot of questions. And maybe it generates a few more.

So when it comes to it, again, that’s what we’re here to do. We’re here to help. You can reach out to that routing.security@arin.net email alias, and we’ll get back to you as soon as we can.

What’s coming up that’s new? The feature development that we have in flow right now on our roadmap. There are four of the larger work efforts, development efforts that we have in place. First one is the development of an RFC 8181-compliant publication service. Colloquial term is “hybrid RPKI.”" Essentially it’s an opportunity for an organization to run their own certificate authority and maintain a central location for all of the resources that they have. But using a third-party resource, ARIN in this case, to run their publication server.

That alone takes a lot of the responsibility and requirements for running your own repository and publication server. The uptime requirements and the maintenance and general upkeep for having those repositories is viewed as having been one of the sticking points or really the hurdles to get over towards deploying your own certificate authority.

So, hybrid will give you the opportunity to run your certificate authority, which is a much lower requirement, but also offload that repository and reporting server responsibility to ARIN in this case.

One of the next major development efforts we have is we’re going to set up automated reroll of RPKI objects. This is something that has been asked for and discussed in the ARIN community, in the greater RPKI community.

It will range from creating default times for your ROAs, doing default rollovers, so that the expiry timers – we’re hoping to reduce or remove the untimely expiration of your ROAs inside the repository that we run.

And the intent is so that organizations maybe that don’t have an active role in creating the deleting on the regular programmatic basis, that it will remove the inadvertent loss of your information in the RPKI infrastructure on the Internet. Notification times, all of this is being bundled into this offering. And if you have any more interest in learning about this, please reach out.

And the last two work efforts that we’re putting in, we’re looking at tighter integration between the two main routing security offerings that we have through IRR and RPKI.

This could include creation of a ROA upon creation of an IRR object or the reverse. Creation of an IRR object at the point when an organization creates a ROA. Certainly there are requirements of this – we are not going to create a ROA if your organization hasn’t chosen to start implementing RPKI or using those services.

But the desire in this product is that it will simplify the administration of both of these different services and hopefully reduce the impact towards you having to maintain it and hoping to make sure that the most up-to-date information is available to you and to the people on the Internet that use these products.

The last thing is two-factor authentication. This is something that’s been asked for a fair amount in the community. We’ve had suggestions that have asked for this. Amongst other pieces of it, people are looking for – organizations are looking for further security controls over Point of Contacts that have access to make changes to IRR, to RPKI, to Billing.

And we have had some external requests for making it so that the privileged accounts can effectively enforce users before they can get into and make these changes beyond assigning them the proper privilege by making them a Technical POC or a Routing POC, things along those lines.

So it is something that we are working on in this case, and as the features come to be developed, we’ll be reaching out to you. And please make additional requests into our system for any things or features that you would look for to ARIN to provide to you, or requests for enhancements or changes in the ones that we already have now.

Next slide, please. Next slide. Still there. OK. Great. If anybody has any questions, please, I’m here.

Beverly Hicks: At this time, if anyone has any questions for Mr. Gorman, please put them in the Q&A box or raise your hand so we can get you unmuted for the right place. Just give it a second. And I’ll – at the same time thank you for your presentation.

It does not look like there are any questions at the moment. I will – thank you so much. And move on to the next presenter. Thanks, Mr. Gorman.

And our next presenter is Mr. Mark Kosters, with our Software Update.

Software Update

Mark Kosters: Good afternoon, everybody. So this is Mark Kosters. Hopefully you can see me. And so I am here to talk about the Software Update.

It’s a little more than the software update. The team works together on essentially everything. So whether it be the developers or the people in Systems Integration dealing with the testing or the people dealing with Operations, making sure everything runs – we all work together as a team.

And one of the things I really appreciate about doing these presentations is it allows me and others to see how we’re doing. And, so, what I like to do is go through our agenda.

Next slide, please. Here we’ll talk about statistics, which is always one of the funnest things that I like to bring to the table. And then I’m going to talk about software releases, our operational improvements that we’ve made, our challenges – what kind of things that we’re dealing with that’s taking a significant amount of unscheduled time. And also what’s next.

Next slide, please. Let’s go on and talk about statistics. This is one of the funnest things I have that I like to bring to the table.

Now the first thing I’m going to talk about is ARIN Online. One of the things that continuously amazes me is the number of people who set up accounts on ARIN. You can see here we’re on track for doing another 15,000 accounts this year, which is pretty spectacular given our community. And the people who have to deal with us. That’s a lot of accounts that go into ARIN Online.

And the system is obviously very – can handle this very easily.

Next slide, please. Here you have ARIN Online logins over a period of time. And again what’s interesting here is there’s approximately 30,000-plus people who have logged in to ARIN Online at least 16 times, if not more.

And some of the numbers that are obviously automated are just astounding on the number of logins that come in.

Anyway, what’s interesting here is that you have a lot of people that log in once and say, okay, that was kind of interesting; I don’t know if I need this again.

You have a few people who log in a few times, maybe to make sure that their account is linked to their POC or something like that. But there’s a lot of people who use ARIN Online managing on a day-to-day basis.

Next slide, please. Here’s an interesting slide. And this is our provisioning transactions, and we have two ways of actually going about it.

First one is using architecture called templates, which have been around since the early ’90s. And these templates have been around forever. And ARIN has been moving away from them as much as we could by giving opportunities to do either – use a RESTful API service that we call RESTful here, or you can actually use ARIN Online’s web interface to input information.

And you can see here that over time that templates have sort of slowed down. In fact, looking at this number, the graph really doesn’t do enough justice to it. There’s a policy change made a couple of years ago requiring that POCs be validated, Points of Contact be validated before they’re put in for either reassignments or reallocations.

What this meant is that there’s a lot of Internet Service Providers at that time said, hey, this is a great time for us to actually modernize our infrastructure when we report information to ARIN; let’s move from issuing templates via email, let’s go ahead and use the RESTful interface.

And you can see here that the red line, the RESTful interface line, has grown by quite a bit more than templates have. So there’s a lot of people who have followed this. It’s starting to flatline, which I expect to see on templates, and it’s getting to be less and less each month.

Next slide, please. Here’s Whois and Whois-RWS. Whois is the pink line, and it’s the traditional Port 43 service. And you can see here that we’ve had a pretty significant dip in traffic. I’m going to talk about this and the challenges.

But you can see we were having quite a bit of growth. And during that time of growth, we would prune people from time – or organizations or bad actors – from time to time, on seeing sort of abusive traffic. We have all kinds of criteria we put in place in terms of tarpitting that I’ve talked about in previous NANOG or ARIN meetings. I believe I talked about it at a NANOG meeting.

Where we actually put in some form of rate limiting. And we used that to safeguard our infrastructure from people bringing something and saying, I could use AWS to create all these instances and get basically a directory of ARIN’s inventory here if I keep on doing Whois requests.

There’s also a RESTful Whois-RWS service that we put in as a predecessor to RDAP, which is coming on the next slide. You can see that when the traffic went down with Whois, traffic went up with Whois-RWS. And what is interesting here, some of the people that we’ve detected as abusers, on using Port 43, actually pivoted and went to Whois-RWS.

Next slide, please. Here’s our RDAP traffic. And you can see here that we have – essentially growth. It’s not a huge amount of growth. And, again, there was a vector here where things actually decreased quite a bit because we – again, part of the challenges that we’re going to talk about – we found some people that were doing things that – was kind of surprising to us. And we’ll talk about that a little bit more in the future.

But you can see overall that RDAP traffic is increasing. This is an Internet Protocol standard that’s being promoted by the IETF as a replacement to Whois off of Port 43. And this is something that not only are the regional registries a part of, but also registrars and registries in the domain industry are also following the standard going forward.

Next slide, please. So, now, let’s pivot and talk about the software releases that ARIN has put out since the last ARIN meeting.

Next slide, please. Here we’ve had the releases since ARIN 47. One of the things that we had is that we had a, much like RIPE, we had a brute force password attack, which basically, at that point in time, created a lot of locked accounts.

At that time, we had a system in place where after a number of attempts we would actually lock the accounts out. We had a request come in saying, hey, we really need to follow the NIST standards and other standards, if relevant, and actually follow their standards going forward in terms of dealing with login throttling and password guidance implementation and so on.

So, we follow the NIST SP 800-63B standard that has very specific guidance on what login throttling should be, as well as password guideline implementations to make things fairly complex.

Accordingly, we also added a password generator. So, not only do you have a password generator that’s part of your web browser, perhaps, but you can also use the one that is found in ARIN.

And actually what’s interesting here, there’s a lot of people that actually use this password generator.

We also have some new fees coming out. And we put up a system that actually shows per Org what the account changes – what the implications of this new fee schedule will be like. So, that’s another thing that we put out.

The next thing that we put out that Brad’s talking about – a lot of things that Brad has brought up are things that I’m bringing up, because we work together quite closely.

We have a number of new IRR RESTful commands that we put out, list of routes, list of route-sets, list of AS sets, et cetera.

And we also now are adding in RPSL inclusion with IRR objects and we’ll have more to come.

We’ve also upgraded DNSSEC zone generation, or reverse zones, as part of our system in terms of tech debt. We had some old libraries that were removed that are no longer in support and haven’t been in support for a decade. We’ve been moving forward with that.

We have our Premier Support Plan, PSP rollout that we’re doing in line with the CCO office. And we have quite a bit of reduction of technical debt that we put forward.

And the big thing here is actually the conversion of some of the Java libraries that we have underneath core to our system, moving from Seam to Spring within the ARIN Online applications.

Seam hasn’t been used, hasn’t been approved for a long period of time. Shortly it will not be supported in upcoming versions of Java. This is something that we need to move away from and move to Spring.

Next slide, please. And, so, now let’s talk about some of the operational improvements that we put out within ARIN.

Next slide, please. Here you can see that we’ve done a lot of things that many of them are transparent to you all, which I think is great, because this means that we did our job.

So the first thing that we did is – regarding DNSSEC. We signed reverse zones, in-addr.arpa and ip6.arpa. And we upgraded, first of all, the DNSSEC signer boxes that we use. We used what’s called a bump in the middle technology where zoned updates are made, DNS updates are made. They’re sent to this one box that actually signs it and then sends it out to basically what’s called a master. And that hidden master sends it out to secondary services you see out on the Internet.

But this system was woefully behind on updates. We had asked our vendor a long time ago to put in some custom code based on some unique keys that we created.

And at that point in time we were frozen in terms of updates because they weren’t supporting our fix that we asked them to put in, at that point in time, the very initial point in time where we started DNSSEC for a number of years.

They finally put in our fix, which was very nice of them. We were able to upgrade our signer boxes. And at that point we moved from an old algorithm, algorithm five within the DNSSEC parlance, to algorithm eight transparently.

This moves us to a much stronger set of security algorithms that the community now recommends. Algorithm five is soon to be deprecated – not yet, but it’s on its way.

Next thing we’ve done is to sort of enhance RPKI. We added a new RRDP - Repository Delta Protocol - instance, and we put that in the cloud. Now, instead of three instances of RRDP service, you’ll now see four. Three of them are run at ARIN within our three data centers. And the fourth is run in the cloud.

So, that is a new system that we put out. Again, it’s transparent to you, but it allows for better and more diversification for this important service that Brad is heading up.

We’ve had a lot of end-of-life, EOL, box replacements that we’ve done. ARIN’s systems are quite significant. We have lots of boxes that we end-of-life that have served its purpose, five years if not more. And so it’s time for the replacement.

We also have moved our production NetApp boxes, our file servers, that are used behind our various boxes that we use to help provide services to you all. They’ve all been moved to Dell and oVirt. So we used a virtualization technology moving from Red Hat virtualization technology to the sort of public domain equivalent, which is called oVirt.

So, we have one NetApp, that’s in Red Hat Virtual environment, that’s still left, and that serves our internal systems. It’s a mongo, huge box. And it turns out that we just didn’t have time to get it done this year. We hope to do it next year.

Next slide, please. What I’d like to do is talk about some of the challenges we have. So ARIN is quite diligent on updating its technology. We’re quite diligent on adding new features. But what I’d like to do is share with you – and all those things are scheduled, right? We have an estimate on how long those things will take and what needs to be done.

But then we have these bumps that come up. And as I mentioned very early, at the very beginning, we work as a team. Whether you’re in Operations or Development or within the Systems Integration team, we all work together when there’s a challenge underway.

So, for example, what I’d like to talk about is Directory Services. This is something that is quite high volume. It’s something that’s fairly unique between the regional registries; we all do the same things here. Our system seems – I don’t know why – but we get a tremendous number of queries.

Basically two or three times what the highest number two does in terms of number of queries per second that are served through our infrastructure.

Over time, we actually realize that we need to create some safeguards. So we put in this tarpitting service that I talked about in previous ARIN meetings, how we safeguarded our Whois infrastructure.

Basically what we do is we have a limit and say that limit is five queries a second, or maybe it’s ten. Let’s just say ten. And you have ten queries per second as your limit. And you come in at 11 queries per second.

That one query, that’s above the ten queries per second gets quarantined and put on the side. And the next time, the next second, you come in at nine. That one query that was put in quarantine is then added to the mix and coming back with an answer.

If you kept on with that threshold of 11 queries per second and that one is quarantined, then another 11 and another is quarantined, then over time that sort of – it peels off and atrophies. And on that particular query, that’s when quarantine actually dies off.

That way we have a sustained rate that you can actually have, but yet we’re safeguarding our systems. When you have anything over that sustained rate, we’re actually going to drop.

And this allows people to do some traffic and then realize, okay, I need to back off here a little bit and allows those questions to come back.

So we do occasionally have periodic high loads. And when those things happen, we call in a team, whether it be Ops, Dev, QA (we call it Systems Integration, or SI, internally). At that point we look at what’s really going on with the system here. We review the logs and the code. And we spend a significant amount of time on each event.

Some of the events are, okay, this turns out to be a slow query. It’s like being on a mountain road and you’re behind a large truck, which in this case is a very expensive query, and you have lots of cars behind it.

You can actually have a higher throughput if you had lots of cars and not a big truck going up the hill. But since you have this big truck it basically creates a backup.

We’ve had those sorts of things before. And we eradicate those large queries as best we can going forward. Some of those queries are frankly just more expensive than others.

As I said, we spend a significant amount of time going through logs trying to figure out, is this a query issue or a configuration issue or a database performance issue, what’s the issue?

And what I’m going to do now is sort of move on to a most recent example where we had evidence of a very large botnet. It had thousands, hundreds of thousands of unique IPs coming across from disparate regions of the world.

And these queries would come in and we’d have a couple of coming from one IP address. And then it would go away. It wouldn’t come back.

Then we’d have a different one. We were looking at this. And what was interesting, and how we could identify it, is that we detected a very unique signature associated with this botnet.

And at that point we called in the FBI, and we contacted various ISPs from the source IPs that we saw. And the FBI, in particular, was very interested in this because this was an emerging botnet that they had not heard about. And they wanted to know more.

And one of the ISPs actually came back and said, hey, it’s this other service over here that allows you to add some free software to your mix. But in return they’re able to use your machine as sort of a conduit for people to do third-party sort of queries. And it turns out there’s a number of legitimate organizations that were using that, including the FBI.

And so when we were going through this, we talked to this company that’s actually providing this proxy service. And we found out through them that there’s a couple of threat intelligence companies that were generating a large part of this traffic that we at first thought was a botnet.

And we talked to them with some of their developers virtually over Zoom and we found out what they were doing, and how we could actually give them some improvements so that they wouldn’t actually hit our system so hard.

And they were very thankful for that and went ahead and actually went to a new way of getting that information. Anyways, that took a tremendous amount of time.

And you say, that shouldn’t have been so bad. But when you’re sort of in the heat of the battle, a lot of things are not quite as clear as they are when you exit the battle.

When you’re in those battles, you have to actually deal with it and you figure out what the problem is and you move on. But it does take a significant amount of time.

The next thing that we had that was quite abusive is WhoWas reports. We have a lot of people who actually create – ask us for these reports – and there’s two ways of going about it. And these requests are made.

And what’s interesting is that these adversaries actually do their best at trying to figure out what their limits are and how can they actually get close to their limit without breaking it, or find other interesting ways of trying to get around the limits that we put into the system.

Again, we have to actually look at this and try to figure out what the issues are, detect the actual issues and challenges and actually – in this case – talk to RSD, the Registration Services Department, in terms of contacting the customer and saying, hey, what are you doing and maybe you need to stop this. That was another case that we have.

And last one of course is brute force attacks. We still see them. We see them on a weekly occurrence. And if there’s any actionable items we actually give it to RSD for them to do follow-ups.

These are things that are unscheduled that we actually have to look at and follow through on.

Next slide, please. Let’s talk about what’s next. What is Engineering doing as we go forward?

Next slide, please. Again, we’re working on fee harmonization, so we have this new fee schedule that’s coming out. It’s quite a bit of work for us.

We found out that fees actually touch a good part of ARIN’s Engineering operations. Not only does it affect the billing systems that are used by third parties, but we have tight integration with those billing systems within ARIN Online.

You can see that when you actually display an invoice through ARIN Online, that it’s actually a result of that tight integration.

Maintenance reminders and those sort of things also come through ARIN Online. And again, those things are tightly tied with our third-party vendor that we use for our accounting system.

We also have secure routing announcements. Brad was quite good at bringing up things that are going on within ARIN in terms of improvements.

Adding RPSL with ARIN Online and adding the publication service as well as multiple other things that Brad actually talked about, those were things that we’re adding on right now.

We have a lot of technical debt that we’re still challenged with. We’re continuing to replace libraries that are end-of-life. We have a significant amount of end-of-life activities still underway. Most of this, if not all of it, will be transparent to you, but it’s very apparent to us.

We run audits, automated audits against our systems to make sure there are no security vulnerabilities that known through the community through these libraries to make sure that we’re covered. And we do that on a weekly basis just to ensure that we’re in a good security posture.

We’re also looking at fixing any issues that may come out of our current security audit – that will be complete at the end of the year. This is something we do every year.

And if there are any issues that do come out of that report we actually fix them right away.

We’re also enhancing our operations to comply with new insurance and security certification requirements. As you may know, we hired a Vice President of Security and – Information Security. And we’re going to be following and actually doing some security certifications for 2022.

There will be some resultant work within Engineering Operations to make that happen.

We have some PBX improvements we’re going to make. I think some of you know that from time to time our telephone service has gone out, that RSD Help Desk has not been available.

If you look at our availability, you’ll see that this is one thing that ARIN is actually not 100 percent on, our Help Desk phones have been down.

When we moved offices, we kept the same PRI vendor. And we’re using POTS lines right now, as we went forward. And when they groomed the circuits to make this happen, it turns out that the vendor we’re using actually has two levels of subcontractors underneath them. So whenever there’s an issue it’s typically with the lowest level, that’s the physical provider that actually has an issue.

It just takes time for them to actually get this stuff worked out. So, we’re actually going to go to a voice-over-IP solution, which should eradicate this issue.

We also have some public facing services, PFS, site improvements. And our systems are starting to show its age. A lot of the systems there are at least five years old now. And we’re reengineering a more efficient way, providing services like Whois and RDP and rsync and all these services that ARIN provides.

Next slide, please. At that point, I am done. If there are any questions, I’m happy to answer.

Melissa Goodwin: Thanks, Mark. Looks like we have a question from Donnie Lewis with the Obsidian Group: “Is the security audit available to the group?”

Mark Kosters: That’s a very good question, and basically, the answer is no. And the reason why the answer is no is – we, as the security audit actually comes out, we’re very – we work very quickly and diligently to fix any issues. But we don’t want to do is to compromise ARIN security by saying these are the issues that ARIN has.

So, the short answer to that is no, it’s not a part of it. And maybe Mr. Curran, I see you’re online right now. If you want to add anything further.

John Curran: I am, Mark, thank you. I just wanted to say, it’s a valid question because clearly people want to know, not just that we have a security audit, but that we actually don’t have any security compromise risks remaining open.

We’ve actually, as someone might have noted – we noted earlier – we just brought in a VP of Information Security.

And that’s the first step in working towards an actual accreditation framework for security availability, reliability.

So we will not be providing our security audit – I don’t feel like giving a roadmap – but we will be moving towards a certification and accreditation framework in that area. So thanks.

Mark Kosters: Thank you, John. Any other questions?

Melissa Goodwin: Donnie Lewis had a follow-up question. Is there a summary? Or will a summary be available?

Mark Kosters: Not at this point in time. Just be assured, one of the things that Mr. Curran mentioned, and I’ll sort of reiterate this, is we’re going to be going through a number of security certifications, processes, this coming year, which involves a number of audits as well.

And part of that is, some of these things will become more transparent in terms of us asserting some sort of security practices that I think people will feel much more comfortable in terms of ARIN security posture.

So to that end, we hired a Vice President of Information Security to actually sort of, to spearhead this effort. And I think you’ll see some very good transparency based on that.

Melissa Goodwin: Thank you, Mark, another question from Robert Seastrom from Capital One: As you may be aware, multiple VOIP vendors have been subject to attack in recent weeks. Perhaps it would be good to consider adding phones to the https.arin.statuspage.io dashboard, so if there’s a problem it’s apparent to those who pay close attention.

Mark Kosters: It actually is. Those phones are actually on the status page. I believe it’s under Help Desk, if I’m not mistaken, or something close to that.

So you can see that. And I believe there’s announcements for those who do subscribe to see that when we do have outages, that they would actually be shown to those who are interested.

Good question, though. Very good question, R.S. Thank you.

Melissa Goodwin: All right. I do not see any other questions.

Beverly Hicks: All right. So I will thank you, Mr. Kosters. We appreciate all that information. That was a lot to digest over here. I appreciate it.

Mark Kosters: You’re welcome.

Beverly Hicks: Very quickly before we go to the break, I’d actually like to bring Mr. Gorman back. We had a question that came in for his session that actually came in after we had moved on to the next session, and I just wanted to make sure that got read into the record.

So one of our fellows, I’m sorry – it’s Shearvon Devenish asked, are we only focusing on two-factor authentication for premium accounts, or did he hear that wrong?

Brad Gorman: No, we’re not focusing exclusively on either. When you say premium accounts, I’m going to differentiate, whether it’s either premium Orgs or premium support customers, or just the privileged accounts on an Org.

The two-factor authentication is being developed so that an organization can blanket put the two-factor authentication requirement on anyone who is linked to an Org. There will be additional features to the privileged POCs, the admin, for example, will be able to have controls over the additional accesses that people may have, even beyond just what that POC, whether they’re a Tech POC or a Touting POC. Hopefully that answers your question.

Beverly Hicks: Perfect. Thanks so much for coming back to us. We appreciate that. We definitely want to get questions answered.

At that point I’ll tell everyone to stick around during the break. Next slide. We will have a quick five-minute break so everybody can step away if they need to, and then our famous Stretch with Erin will be broadcast for about ten minutes of a seated stretch to get everybody moving, because we all know we’re sitting in these chairs for way too long.

And we have our word scramble game today. I’ll be hosting a word scramble game today with a prize at the end. So you never know. We will be back with our policy block at 1:30. Thank you so much, and we’ll move on to our break.

See you all back at 1:30.

[Break]

Beverly Hicks: Welcome back to the second half of ARIN 48’s day one. At this time, we are entering into our policy block, and I want to introduce Paul Andersen, the Chair of our Board of Trustees, to take us forward.

Paul Andersen: Thank you, Beverly. Hello, everyone. This will be an opportunity for anyone who is on the Zoom to participate in the policy process, which develops the policies which staff use when dealing with Number Resource requests.

So, this is an open process. Please feel free to comment and question and give your feedback. Normally at this point I’d hold up a book that we give in person that gives you a great flow chart and an explanation for the policy process if you’re new to it. But we’ll put it in chat for those that are newer.

So we’re going to discuss three policies this break. The first one: ARIN-2020-6: Allowance for IPv4 Allocation “Swap” Transactions via 8.3 Specified Transfers and 8.4 Inter-RIR Transfers.

As we do with every policy, we have the Advisory Council will pick one of its members who has been shepherding the policy to come up and present and give you all a bit of background on where we are.

And that person to start us off will be Rob Seastrom. Rob, hopefully you’ll appear magically. There we are, and you’ll take it away.

Draft Policy ARIN-2020-6: Allowance for IPv4 Allocation “Swap” Transactions via 8.3 Specified Transfers and 8.4 Inter-RIR Transfers

Rob Seastrom: Thank you, Paul. This is Draft Policy ARIN-2020-6: Allowance for IPv4 Allocation “Swap” Transactions via 8.3 Specified Transfers and 8.4 Inter-RIR Transfers.

My co-shepherd on this is Amy Potter.

Next slide, please. So how did we get here? The proposal came in at the end of May 2020.

It has been accepted as a Draft Policy, gotten Staff and Legal Review and it has been presented at two conferences, two Public Policy meetings. It was last revised on August 26, 2021.

Next slide, please. So the short executive summary of what we’re trying to do here is to allow organizations to swap out a larger block that they currently have for a smaller one. And the idea here is if that they transferred out a larger block and got another block from somewhere else – that any deaggregation had already been done, the damage was already done. You wouldn’t be adding bloat to the Internet Routing table by breaking up a block unnecessarily.

Next slide, please. So, the formal problem statement is organizations wishing to swap out a larger block for a smaller one in the interest of avoiding deaggregation as opposed to breaking up their existing block and transferring only a part of it, are forbidden by existing 8.3 policy for being the source of the transfer for their larger block, after receiving a smaller one – for 12 months after receiving the smaller block.

In practice ARIN staff has been allowing Orgs to transfer out blocks after receiving smaller ones inside of the 12 month window but many ARIN resource holders are not aware of this. Some resource holders have worked around the restriction by creating a new Org to receive the smaller block. But this practice has implications on waitlist policy, as the new Org is now technically eligible to apply for waitlist space while the original Org cannot.

Similar language is present in NRPM Section 8.4 – as such, the practice should be sanctioned for these types of transfers as well.

Next slide, please. The policy statement is short and to the point. It says “clarify the conditions under 8.3 and 8.4 that explicitly allows transfer of a larger block in exchange for a smaller one as part of a renumbering plan by making the following changes in 8.3, 8.4 and 8.5.”

Next slide, please. Side by side, we have the current text on the left and the thing that we’re going to add or change on the right. And there will be a succession of these. The current text on the left, I’ll save the time and not read that aloud because it’s there in the NRPM for anyone who wishes to read it.

For the first change, the proposal is to add Section 8.5.5.1, transfer for the purpose of renumbering. Organizations with larger direct allocations or assignments than they require may receive transfer of a smaller block for the purpose of renumbering onto the smaller block if they transfer the entire larger block to a qualified recipient under Section 8 within one year of receipt of the transfer of the smaller block.

If the larger block is not transferred within one year of receipt of the smaller block, the smaller block will be ineligible for transfer under sections 8.3 and 8.4, and the organization will be ineligible to receive any further transfers under this policy.

Next slide, please. The second change to 8.5.5 is to add Section 8.5.5.1.1, smaller block size. Organizations may qualify to receive transfer of a smaller block by providing documentation to ARIN which details the use of at least 50 percent of the smaller block size within 24 months. Current use of the larger block may be used to satisfy this criteria.

And an officer of the organization shall attest to the documentation provided to ARIN.

Next slide, please. The second policy statement change in 8.5.6, add Section 8.5.6.1, transfer for the purpose of renumbering. Organizations receiving transfer of a smaller block under Section 8.5.5.1 may deduct the larger block they are transferring to a qualified recipient when calculating their efficient utilization of previous blocks under Section 8.5.6.

Next slide, please. Third policy change is to add in both sections 8.3 and 8.4 under “conditions of source of transfer” add the following: This requirement may be waived by ARIN for transfers made in connection with a renumbering exercise designed to more efficiently utilize Number Resources under Section 8.5.5.1.

Next slide, please. We got a bunch of community reactions on PPML. And these are quoted pretty much verbatim, some editing for brevity. But one of the reactions was, “If I’m reading it correctly, the prohibition on transferring the smaller block kicks in if the larger block isn’t transferred within a year. Have we considered the option of having that restriction kick in immediately?”

Another is, “I’ve noticed that the officer attestation language is present in the new 8.5.5.1.1 subsection. Will this remain in place despite the separate discussion on removing the need for officer attestations if that passes?”

Next slide. Another reaction was, “I think the larger blocks should be allowed to be sold in pieces, notwithstanding the disaggregation.”

Another reaction was, “I think the recipient should lose the ability to receive addresses immediately upon receipt of the smaller block until the larger block is completely sold, including waitlist addresses, not included other reserved addresses.”

And the last reaction was, “If the smaller block is a /24, there should be no needs test.”

Next slide, please. So we’d like to hear from you. What do you think? Is it good the way it’s written? Is it something that you completely oppose? Would you favor one or more of the changes that were suggested on PPML, or perhaps something entirely different?

Next slide, please.

Paul Andersen: Thank you, Rob. Actually let’s go back a slide, it’s more interesting to have that reminder there. If we’re in person, the microphones would be open and you’d all be running down the aisles to get there.

But since this is the first policy, a bit of a reminder. We’ve found this works pretty well. You have two options – the Q&A, so you can type your question, we’ll read it out. My only reminder, as I see the first one pop in, and I thank Mike for that, is please make sure you put your affiliation of your company as part of question.

If you do forget, just ask another question and put your affiliation in because we do want that for the record.

You also have the option to raise your hand and we will open your microphone and you will be able to speak here and you can ask a question of myself, of Rob, of staff, or just make a statement.

What is very useful, especially for a policy that’s been kind of circulating now for a couple of meetings is, while – any of the input that Rob’s asked for, but please don’t feel shy just saying, I support or I’m against the concept that the AC is trying to solve so they can know whether or not it makes sense for them to keep proceeding or whether they have to make a change or if they should abandon it. Please try and give that feedback.

And with that, we see the first question from Mike Burns of IPTrading who would ask staff, “Do we know how often ARIN is providing the exception?”"

Rob Seastrom: I do not know that. We’ve not asked that as part of the Policy Development Process. We can send that as a question to staff.

Paul Andersen: I don’t know if John Sweeting has a off-the-cuff response.

Rob Seastrom: John or Lisa, are you able to speak to that?

John Sweeting: Could you repeat the question?

Paul Andersen: How often is ARIN providing this exception right now?

John Sweeting: Is Lisa on?

John Curran: I think we’re going to need a minute to dig into that.

Paul Andersen: Let’s work on that and come back to it. Now I would be happy to come back if I had questions. This is when I encourage, again, it’s good to give feedback even if you say, I’m in favor or I’m against.

Beverly Hicks: We have – if would you like me to make that available?

Paul Andersen: Yes, could you please? I just realized I wasn’t on the right screen.

Beverly Hicks: Absolutely. I’m happy to read them in as well. Mr. Woodfield, you should be able to unmute yourself at this point.

Chris Woodfield: Hello, I’m Chris Woodfield with Twitter. I’m speaking as one of the co-authors of the original proposal.

To answer Mike’s question, excuse me, this proposal was a product of the AC’s Policy Experience Report Working Group. This issue was raised in a Policy Experience Report, which was the impetus for writing up this proposal. The language has evolved quite a bit since it was originally submitted. But I still support as written.

I do like the proposal that the prohibition on further transfers be immediate as opposed to one year. I think that is a good idea that would enhance the policy, given that an organization doing this sort of transfer is, in fact, representing that the amount of space that they’re transferring in is going to be sufficient for their needs.

There may be some wisdom in allowing for exceptions similarly to other places where we have language about unforeseen circumstances that an organization can represent.

But if I were to suggest any of the proposed changes, I would suggest that one, but that doesn’t mean that – I still support it as it’s written. That is just –

Paul Andersen: Okay, supported as written. Thank you. I see we have John Sweeting now.

John Sweeting: It’s been about a dozen times.

Paul Andersen: Dozen times.

John Sweeting: 10 to 12 times.

Paul Andersen: Alright. Thank you.

I see Mike Burns saying, “I support the general idea. But if it’s infrequent I wouldn’t clutter the NRPM. We get this request maybe a few times per year.”

Thank you, Mike.

Other comments, questions? We have some in favors and against, so I’ll have Beverly get those.

Beverly Hicks: Sure. Donnie Lewis from the Obsidian Group, in favor as written. And Marlin Martes from AWS, in favor as written.

Paul Andersen: Thanks for the feedback.

We’ll give it another 30 seconds or so to put in comments. Then we’ll close the virtual mics if we don’t see a rush to the hand-up or virtual mic. So please type now – if you do have a long thing to type, if you put in Q&A and say “typing” and then start the next one so we know to at least not move on without you.

Let’s go on to the next one and then we’ll close the mics after that if there’s no further feedback.

Beverly Hicks: Joe Provo, from Google, ARIN AC, speaking for myself, I support in principle, support the idea of immediate rather than delayed prohibition.

Paul Andersen: Thank you, Joe. And Joe Pace, could you quickly give us your affiliation so we can put that on the record?

Beverly Hicks: Joe Pace, in favor as written – member of the American Honda Motor Company.

Paul Andersen: Thanks for that, Joe.

Mike Burns has a question. Isn’t the small block restricted – Mike Burns of IPTrading has a question – isn’t the small block restricted from sale for a year anyway? Mr. Rob Seastrom.

Rob Seastrom: I believe it is. But the issue here that this is addressing is confusion. And it does not hurt to note that inline in the policy. Although you may find it redundant, the Policy Experience Report had a lot to do with customers being – members being confused.

Paul Andersen: Just a reminder, I know that while there’s the odd discussion occurring in chat, we pretend that almost didn’t happen. If you have comments or questions, the only way to get it on the record so that it can be information provided to the AC is to either raise your hand or put it in the chat.

So, we will delay closing because we seem to be getting a little bit of activity here. So let’s go to our next comment.

Beverly Hicks: Louie Lee, NRO NC, ASO AC, Google Fiber, support as written, support immediate restriction for transferring in additional addresses.

Paul Andersen: Okay. We’ve come to the end of the time allotted for this block. I’ll give the Last Call for questions or raising of hands.

I know there’s a delay on the video cast, so we’ll give it 20 seconds and then we’ll close off.

Seeing none, we’ll close the mics. We thank Rob for his presentation and move on to our next proposal. Thank you very much, Rob. We’ll give you a little virtual applause now.

Rob Seastrom: Thank you.

Paul Andersen: We’ll move on to Kerrie Richards. Kerrie will be presenting ARIN-2021-2: Special Use of IPv4 Space Out of Scope for Purposes of Determining Waitlist Eligibility.

Just as a reminder, the last one was Draft Policy. That’s still in earlier stage of the policy process. You will see it again if it continues to advance because it will need to come as a Recommended Draft Policy as this one.

As Recommended Draft Policy, this is one of, not your last, but one of your last opportunities to give feedback.

So I’ll turn it over to Kerrie to give us a presentation on the proposal. And then we’ll have a discussion and then we’ll be having a poll. Please go ahead, Kerrie.

Kerrie Richards: Thank you, Paul.

We have quite a long title for ARIN policy 2021-2. And Paul just gave a wonderful preview of that.

Next slide. So this proposal came onto the docket on the 16th of February this year. It was accepted as a Draft Policy the following month. And my co-shepherd, Matthew Wilder, presented in my place in ARIN 47. In August of this year, it received staff and legal review.

Next slide, please. So the problem statement is one of clarity. It says current policy does not clearly indicate whether special use addresses for critical infrastructure, defined under Section 4.4, as well as special use addressing for facilitating IPv6 deployment, definition in Section 4.10, should be considered as part of the /20 equivalent IPv4 space in aggregate, which would make an organization ineligible for the ARIN waitlist defined under Section 4.1.8 of the NRPM.

So this is really a question of – or a statement of problem of clarity and ensuring that we aren’t leaving out – so the right people are making it to the waitlist or being eligible for the waitlist.

Next slide, please. So the policy statement – so the policy as it exists now, as I just read it, and the author is suggesting that we replace it with organizations which hold more than a /20 equivalent of IPv4 space in aggregate, which is exclusive of special use space received under Section 4.4 or 4.10, are not eligible to apply.

So that’s the policy statement that we would like to, that we’re working with now. And on the left-hand side – yes, left – we have the statement as it exists now.

Next slide, please. So based on staff and legal feedback, this Draft Policy revises Section 4.1.8 to explicitly exclude space issued under sections 4.4 and 4.10 from consideration when weighing the total aggregate holdings of an organization applying for space from ARIN’s IPv4 waitlist.

Now, rather than highlighting, I’m not the one to do all the fancy dancy stuff. I think underlining it makes it much clearer.

So the suggested text is clear and understandable based on what staff – and the feedback from staff and legal.

Next slide, please. Community support so far: at ARIN 47 we recorded community support for this policy. It was a first airing.

On PPML there were five contributors that made a statement in support of the draft. Most of them were plus-ones.

Next slide, please. So for the previous policy, we had Mike Burns as a poser of questions. And now he appears here in a quote: “Anything that makes the NRPM easier to understand is a winner,” which is true.

Next slide, please. This is another step towards removing ambiguity in the policy applied to determining the waitlist eligibility.

Next slide. So any questions?

Paul Andersen: Any questions, please start queueing up. Sorry for being pedantic, but I know we have new people. So at this stage, it’s a Recommended Draft Policy. We’ll have a discussion. And I’ll ask you, again – name and affiliation, and specifically if you’re in favor or against the policy as it’s written.

We’ll do that for a bit. There will then be a poll, which all of you are eligible to participate in, and we’ll get to that in a bit.

And then it will go back to the AC where they’ll make a determination. And they’ll have an opportunity to send it to Last Call, which is a discussion on the Mailing List.

After that it can be sent to the Board, at which point it will become policy. So, this is really your best interactive last time to – sorry, potentially last time – to talk about this policy.

So, hopefully my preamble, we have – somebody has raised their hand, or would like to, or there’s some Q&A popping in.

All right. Beverly, let’s go on that one.

Beverly Hicks: Gary Giesen, E-Gate Communications, ARIN AC, support the policy as written.

Paul Andersen: Thank you, Gary. I won’t joke that I can actually see Gary from where I’m sitting, which is kind of amusing. Next, please.

Beverly Hicks: Donnie Lewis, Obsidian Group, in favor as written.

Paul Andersen: Thank you, Donnie.

Beverly Hicks: Also, Gus Reese, Cogent Communications, support the policy as written.

Paul Andersen: And the next one.

Beverly Hicks: Rob Seastrom, ARIN AC, ClueTrust and Capital One, proposal author, support as written.

Paul Andersen: They just keep coming. Mike Burns, IPTrading, support as written.

I see lots of support as written. Would anyone like to raise their hand and speak against this, or give reasons why we should not, not that I – John Sweeting has raised his hand. I don’t think for that purpose but –

John Sweeting: It’s not to speak against it. I wanted to clarify to everybody that the purpose of this is to clarify what is actually staff practice today.

We are - we exclude those special reserve pools from evaluations for the waitlist today. I just wanted to point that out.

Paul Andersen: Understood, and it’s good to get it codified. We’re just making sure we have support.

We have Chris Woodfield of Twitter, has support as written.

I’ll give it another 30 seconds to let the video to catch up and ask if somebody would like to raise their hand or give any discussion. And if not we’ll go to our poll.

A few questions coming in here.

Donnie Lewis from Obsidian Group asks, what is the actual wait time, Kerrie. Or if John Sweeting wants to answer.

Kerrie Richards: I prefer John to answer.

Paul Andersen: John Sweeting, can you address the question from Donnie Lewis? What is the actual wait time?

John Sweeting: What is the actual wait time currently for the waitlist? For the last four to five quarters we have been fulfilling every waitlist request up to that period. So it’s – right now it’s at 90 days.

Paul Andersen: Okay. And that’s just because that’s when the cycle actually runs.

John Sweeting: At most it’s 90 days. It could be less than 90 days.

Paul Andersen: John Curran has magically appeared. OK, that means there’s a play on the field.

John Curran: Just to note. And this is the same disclaimer you see when you’re investing. Past performance is not an indicator of future performance.

While we have been basically successfully draining the waitlist requests, almost all of them every quarter, it’s not at all assured that will be the case going forward.

Paul Andersen: I believe some of the sources – yes, may not continue to occur. We do continually get address space back, but the crumbs are getting smaller and smaller.

Next comment, please. And then I think we’ll take one more comment and if you have not got your name in by the end of these – well actually, let’s go to Donnie Lewis. To staff again – Donnie Lewis of the Obsidian Group, “are there surges?”" I’m not sure –

John Sweeting: I think what he’s asking is – are there surges – it’s been pretty steady, actually. We get a pretty steady amount of waitlist requests each week, each month through the quarter. It’s been somewhere around between 200 and 250 organizations that have been filled each quarter.

But as John Curran has put out there, there’s no telling how long that will go. The crumbs are definitely getting smaller and smaller. And this might not be the case for much longer.

Paul Andersen: Before it’s going to run out – really.

Donnie Lewis, can you let us know if you are in favor or against based on us addressing your question? Appreciate it, for the record.

Let’s take our next two comments. Three comments, actually. Go for it, Beverly.

Beverly Hicks: Joe Pace, American Honda Motor Company, support as written.

David Farmer, University of Minnesota, support as written. Would parentheses or commas be grammatically more correct or more consistent with NRPM style?

Paul Andersen: We can certainly take a request for a grammar check, which would always be something the AC can make minor edits without doing another cycle.

Let’s take this as our last one since we’ve given everyone an ample opportunity to get in.

Beverly Hicks: Donnie Lewis, Obsidian Group, in favor as written.

Paul Andersen: Thank you, Donnie, for getting that in. Kerrie, any last comments before we go to our poll?

Kerrie Richards: No last comments here.

Paul Andersen: I do notice – if this was at a public meeting we wouldn’t do it, but there is just this delay with video. So let’s take the slightly late comment from you, Beverly.

Beverly Hicks: Apologies. Gary Buhrmaster, unaffiliated, support as written.

Paul Andersen: Thank you, Gary. This is actually the only poll that you potentially will have at this policy meeting. There potentially could always be one on a Draft Policy, but we always, as a Recommended Draft Policy, ask the question.

The question that I’m going to ask all of you is: Are you in favor or against the Recommended Draft Policy ARIN 2021-2 as written?

If you’re hearing my voice, you have the opportunity to answer the poll. So please say either in favor or against. If you’re having a problem, if you don’t see a poll right now, please let us know in chat and we’ll try and sort you out here. We’ll give everyone a bit of time.

Beverly Hicks: Just a note, if you’re running on the web version rather than the downloaded version, feel free to, just as Mr. Andersen mentioned, mention in the Q&A and we can add it.

Paul Andersen: Yes, Q&A is where we prefer that. So, if you cannot, for whatever reason – we do ask only if you technically can’t – please put in the Q&A whether you’re in favor or against.

Give it a couple seconds here. Last call, closing in ten seconds. Closing it now.

I’m going to ask you, Beverly, to add one in favor because one of the members of the panelist, they could not, but they have indicated in chat.

Beverly Hicks: At the close of the poll, there were 94 in attendance. And 37 voted in favor and zero against.

Paul Andersen: This information will be provided to the ARIN Advisory Council for their consideration.

Thank you very much, Kerrie, for your presentation. We’ll keep rolling on here because this will get us back on time, I believe.

We’ll have our last policy of the day. It’s 2021-3: Private AS Number and Unique Routing Policy Clarifications.

I believe we have Chris Tacit, as always, to give us a lovely presentation. Chris, if you could magically appear. And, Kerrie, if you could turn off your video.

And take it away. Thanks, Chris.

Draft Policy ARIN-2021-3: Private AS Number and Unique Routing Policy Clarifications

Chris Tacit: Thank you very much, Mr. Chair. I’m pleased to present this Draft Policy at the meeting. It’s the first time that this policy has been presented at a Public Policy Meeting.

Next slide, please. Sorry, my co-shepherd, first of all, is Joe Provo. I wanted to make that clear.

So this is the history. I’m not going to go over it. This hasn’t been around for a terribly long time. It just started in July.

And the AC accepted it as a Draft Policy. And we basically wanted to wait and get both PPML and PPM feedback before deciding whether to take it further. And if so, how.

Next slide, please. The Draft Policy came from a Policy Experience Report that identified a lack of clarity for ARIN customers when it comes to applying for AS numbers.

And some of the issues dealt with the extent to which people were aware of the need to apply for unique AS numbers depending on whether they utilized them on the public Internet, what the whole meaning of unique routing policy was, what type of network plans they had to submit as justification, and cases where there is a unique need for an AS number outside of utilizing a unique routing policy such as BGP.

Next slide, please. As a result of this, there have been a number of proposed changes to the text by the authors. To this point, the shepherds have not yet edited this text in any way.

And this is one of the changes right here: “Sites that do not require a unique AS number should use one or more of the AS numbers reserved for private use” is being changed to “Private ASNs should be used only when there is no plan to use them on the public Internet.” That is one of the proposed changes.

Next slide, please. The next change is “A unique routing policy (its policy differs from its Border Gateway peers)… or a multihomed site” is changed to “a plan to connect their network using a unique routing policy such as BGP, or a network requiring routing policies to be deployed which are unique only to that network.”

The other change being proposed is “AS numbers are issued based on current need. An organization should request an AS number only when it is already multihomed or will immediately become multihomed” is being changed to “AS numbers should be requested when an organization has network plans ready and is either planning to use a unique routing policy with BGP given as an example or has a unique need for an AS number.”

Next slide, please. There’s been a bit of discussion on PPML. It ranged as to scope and nature. It pretty much took place in July and everything’s been quiet since then. Some of the language focused on tweaking the language to make it clear that BGP is just an example of one protocol.

Others asked if this policy is the correct approach given how ASNs are used by cloud providers.

Others question whether there should be a reference to RFC 6996. And some questioned the premise that private ASNs should be used only when there’s no plan to use them on the public Internet.

Some of the comments did address kind of the issues that led to the Policy Experience Report. And others went beyond that and kind of reevaluated the policy more broadly.

Next slide, please. So, based on that, we have some questions for you to consider.

First of all, does the proposed text clarify things sufficiently as identified in the Policy Experience Report?

If not, what additional changes are needed? And finally are there any other comments relating to this policy?

So we’d be very interested in your feedback. Thank you.

Paul Andersen: Thank you, Chris, for that. And so the queues are now open. We have some great questions here that would be great to get feedback on, but as I said earlier, this is Draft Policy. The AC’s most imperative thing is just getting feedback on whether or not this is something that they should continue to pursue.

So even just in-favors or againsts are useful. Any reasonings helps as well, but that just gives direction to the shepherds and the AC.

So we open it up. Looking for – of course at this point of the day, I’m told I have to start singing, and we don’t want that. Chris has heard me sing. It’s not pretty.

John Sweeting: I think you and John Curran should do a duet. Come on.

John Curran: Lalalalala.

Paul Andersen: We’ll leave it open for a couple of seconds. Again, while it may seem that silence is golden – no, no dad jokes – it really is useful just to get in-favors or againsts. It gives a little bit of a barometer to the AC so they can decide – because what they will do at the end of this, they will be meeting virtually soon. Normally it would be right after. And they will need to decide whether to keep moving it forward, abandon, or start it again.

All right, my banter has worked. Chris Woodfield from Twitter says, “I feel that the term unique routing policy itself can be a bit vague and doesn’t, by itself, always imply the need for a unique ASN versus a private one. A replacement I would suggest is routing policy that requires a unique ASN.”"

He would like to know if anyone shares his opinion. Thank you, Chris Woodfield, for that.

Chris Tacit, let me know if you want to jump in on any of these.

Chris Tacit: I’m just wondering if that’s a bit circular in its reasoning, that’s all.

I understand where he’s coming from, but I wonder if that language that he’s proposing isn’t a bit circular, perhaps.

Paul Andersen: Chris Woodfield, feel free to raise your hand and we’ll open your mic and get a little more interactive, which can speed things up.

Let’s go now to Joe Pace from the American Honda Motor Company. He suggests including a representative example of a unique routing policy requirement with a diagram. Thank you for that feedback.

And Chris Woodfield has magically taken me up on my offer. So let’s go to Chris Woodfield’s mic, please.

Beverly Hicks: All right. Chris. You can unmute yourself now.

Chris Woodfield: It’s an offer I just couldn’t refuse, Paul.

So my thought here is that if you – having a policy that’s unique to your network doesn’t necessarily mean that you need an ASN that’s public because there are definitely cases where you could have a unique routing policy and connect with a private ASN or sometimes not even necessarily, BGP.

But I, think a better approach here would be to say that these are the conditions under which a public ASN is required, a unique ASN was required. And if you have a routing policy that requires that, then you qualify – multihoming being one of them. But I’m sure that there are others that could be submitted that would justify that test.

So it’s not necessarily a set – I’m trying to get out of the mindset that we have these explicit set of conditions and more of – if you have – if you can just show that need through describing your routing policy, then you qualify.

Chris Tacit: Is there any way to provide some guidance? Because at the end of the day this has to be implementable of how that kind of determination would be made by staff.

I’m not trying to be difficult, Chris. I’m trying to figure out if there’s a way we can refine the language. By the way, I agree with you, just to make it a bit clearer for implementation purposes.

Chris Woodfield: I’m thinking that the policy could certainly provide – multihoming being 90 percent of the cases and the most common. But I could also, like there are definitely cases where an organization can submit a – can submit a plan that says, “okay, I’m not necessarily multihomed, but I am doing blah, whatever blah is, and because I’m doing blah, I require a unique ASN. This won’t work with a private ASN,” and empower staff to consider those cases as well.

I think, obviously, you don’t want to get rid of the multihome language because that’s the most common example. But I don’t think we should close the door to other cases as well that could come up.

Chris Tacit: Would one way of solving this be introducing a word like “technical?” In other words, there’s a technical requirement without which it won’t work properly?

Chris Woodfield: Actually that’s a good idea. I agree.

Chris Tacit: Okay, thanks for that. Appreciate it.

Paul Andersen: Thanks, Chris. And I assume we can take you as supportive of the problem to be solved, with some questions about things?

Chris Woodfield: Yes.

Paul Andersen: Thanks, Chris.

Paul Andersen: We have one feedback. Let’s go to that, please.

Melissa Goodwin: We have David Farmer with the University of Minnesota, support continued work.

Paul Andersen: Okay, and we then have a comment from Rob Seastrom, ARIN AC, ClueTrust and Capital One, and he notes, to Chris’ point, given that the 32-bit ASNs are approximately as scarce as individual IPv4 addresses, I’m in favor of policy with minimal gatekeeping language. If your engineering team thinks that you need an ASN, you probably need a ASN. Not big on pushing the use of private ASNs for the same reason I’m not big on inter-organizational use of the RFC 1918 space. In other words, let’s remove all restrictive language whatsoever.

So I’ll take that, Rob, as supportive. But, again, for those larger comments, please feel free to raise your hand and use the mic. That gives us more interactivity.

Anthony – yes, you did, sorry. Anthony – Sorry, did you have a question there, Chris, on that one?

Chris Tacit: No.

Paul Andersen: Anthony Delacruz of Lumen, there are instances like BGPLU where there are many unique ASN, and it is often a struggle to get those through approval since prior ones do not appear to be used globally.

We also have many times overused and reused all the private ones. That is fun keeping it straight.

Thank you, Anthony, and I think we’ll take that as also as supportive.

Good, Chris, I thought you were disappearing on me there for a second.

Okay, as we have no further questions or raised hands, we’ll give it another 30 seconds and then we’ll move on to our great Grant Program. Another five seconds.

Microphones and queues are closing. And they’re closed. So, Chris, thank you as always for a great presentation.

Chris Tacit: Thank you.

Paul Andersen: The AC will take this into consideration. This ends our policy block for today, but come back tomorrow for exciting policies such as clarifications to sections 8.3, 8.4 and 8.56, an update to IP end user references and removing the circuit requirement. It should be fun.

Thank you all for your participation and turn it over to our wonderful hosts.

Beverly Hicks: Thank you so much. And at this time, I’d like to introduce Jennifer Bly to discuss our Community Grant Program and introduce the project reports.

Community Grant Program Update

Jennifer Bly: Thanks, Beverly. Hello, everyone. Today I’ll tell you about the ARIN Community Grant Program, and then I’ll introduce our grant recipients who recently completed their final project reports. And they’re very excited to share about how their individual projects went this year.

Next slide, please. So the ARIN Community Grant Program was launched in 2019. And it’s designed to provide operational and research grants that support initiatives that improve the overall Internet industry and the Internet user environment.

So in summary, it enables projects that benefit the Internet community in the ARIN region.

Next slide. So, since the program began, ARIN has funded 15 projects. To be eligible for a grant, projects must be noncommercial in nature. And they also must broadly benefit the Internet community within the ARIN service region. And they must align with ARIN’s mission and fit into one or more of the four broad categories that you see here: Internet, technical improvements; registry processes and technology improvements; informational outreach on topics such as IPv6 or Internet governance, things like that; or research related to ARIN’s mission and operations.

Next slide, please. In 2021, we received eight applications from a variety of organization types. And in this chart you can see how applicants self-identified their projects, including the region where the applicant organization is located, the category the project could fall under. And then you can see we received requests for more than $108,000 with an average request for funding at about $13,500.

Next slide, please. This year we were pleased to award grants to three projects, a $15,000 grant for raising awareness on digital standards for ARIN service region countries by Diplo US; a $14,975 grant for IPv6 Integrated Database Phase Two by Saatvik Research; and a $5,000 grant for the Virtual School of Internet Governance, Phase Two by the Foundation for Building Sustainable Communities.

Congratulations to our 2021 grant recipients – a virtual round of applause for each of you.

These projects are off to a great start and they have an update report due at the end of March and a final report due in September of 2022.

Next slide, please. So now that you’ve heard all about the program, if you are interested in applying for a grant next year, the call for applications will be issued in the spring of 2022. So stay tuned for that announcement.

The best way for you to be alerted when that opens is to subscribe to ARIN Announce, the mailing list where we’ll post the opening message. And for details and application information, you can find that at arin.net/grants.

And we have one more slide. Now what you’ve all been waiting for – I’m happy to introduce you to the seven individuals who’ll let you know about how their 2020 to 2021 community grant projects went, including Nalini, Stephen and E. Marie today. And tomorrow we’ll hear from Glenn and Alfredo, Job, Phil and Keith.

Thanks to each of you for making a positive impact on the Internet in the ARIN region, and we look forward to hearing what you’ve accomplished over the past year.

With that I’ll let our first three grant recipients take it away. Or if you have any questions, happy to answer those.

Voiceover: First, we would like to welcome Nalini Elkins with IPv6 Security Applications and Training for Enterprises.

Nalini Elkins: Hi, this is Nalini Elkins. I’m the President of Industry Network Technology Council. And let me start by thanking ARIN for their generous grant and all the support that they have given. It has been just wonderful.

And so let me tell you a little bit about the problems that we have been working on. And we were working on it last year as well. And so what the problem is that a lot, maybe most, of the brick-and-mortar enterprises, all the folks who have private-managed networks – and that’s really most of the federal government, a lot of the state government in the ARIN region, a lot of the financial – basically the backbone, the backbone of our financial and governmental network.

Well, you know what? They’ve not deployed IPv6, nor do they have any plans to be doing that. And a lot of them are still, like, “Yeah, good thought, Nalini. Yeah, we’re not doing that.”

And this is a problem. I mean, we can’t just be bifurcated like that. And so that’s what we wanted to do is we know a lot of enterprises. The people on our team are enterprises.

And so we want to raise the priority of IPv6. But one of things we wanted to do is, because there’s a lot of mythology going on about, well, you’re going to run into this kind of problem, you’re going to run into that kind of problem.

So we thought, you know what, let’s take a deep dive into what that will be. Because, you know, once you know a little bit about what you’re going to be up against, you feel a little bit better. At least you know what the problems are going to be.

I think what really scares people is unknown problems. What we did is we gathered a bunch of enterprises together and we had a number of conversations with them about application conversion and security.

We also gave a number of webinars. And there’s a whole other set we gave in collaboration with APNIC. You’ll see all these webinars that we did.

As I said, APNIC was kind enough to support us in partnership with the India Internet Engineering Society. That’s our Indian partner.

And I’m going to say we had nearly about a thousand attendees from large and small enterprises, globally, globally. And quite a few of them went to every single webinar in the series.

So, to talk about what the problems might be, just in terms of application conversion. We came up with these ten large problems that people might have.

And really a lot of it is going to be doing that transition. We’ll talk a little bit more about that later. It’s not once you are – once you get started, that’s when you’re going to see it.

Once you get to the end, you’re just fine. But it’s in between, changing all the IP addresses for disaster recovery in your load balance and so on.

And that’s where things can be a problem. And this is where I think a lot of enterprises have resisted. And this is what we really wanted to talk about – maybe take a look at that blog, because I think this is a conversation that doesn’t happen all that often. And people are just, like, “Well, enterprises just need to convert.” Well, easier said than done.

And then when you get into the area of security, I’m going to say that in our experience enterprises are even more intimidated by this area. Mostly because it’s hard enough to understand security in your world today, but you’ve got all these different areas of security.

What are you really – because security is a broad area – what are you really talking about? Are you talking about my security audit? Are you talking about confidentiality and privacy and if there’s any implications of that?

Or are you talking about risk analysis? And you know, if you’re talking about risk analysis, well, actually you’re changing your entire network.

So there is going to be some potential problems. It’s going to take a long, long time for people to switch over. So please help us. We’re still – we’re still collecting data. And we’ll go on for quite a while.

And then we’ll, of course, publish our results. Preliminary results show that the issues that we point out are shared by many enterprises. What’s next – we’re going to start getting organizations talking about deployment, doing case studies.

Lots more webinars. We’ve got a grant from APNIC, we think. But we’re still in the process of finalizing to go forth for next year.

So, thank you so much for your time. And thank you again to ARIN for your kind help with the grant.

Voiceover: The next presentation is from Stephen Lee, with CaribNOG’s project to build out Internet Exchange Points in the Caribbean region.

Stephen Lee: Good day, everyone. Thank you. Good to be here with you at ARIN 48.

My name is Stephen Lee. I’m the program coordinator at the Caribbean Network Operators Group, CaribNOG. And CaribNOG was one of the recipients of the ARIN Community Grant Program 2020-2021.

I want to talk to you and report back on our project, the buildout of Internet Exchange Points in the Caribbean region.

CaribNOG, as the name suggests, is a network operators group. So we have a technical community who is engaged in helping to operate the public and service and enterprise networks in the Caribbean region.

And one of the focuses of CaribNOG over the last years is the establishment of Internet Exchange Points, so that we can exchange Internet traffic within countries and within the region without expensive long-haul links.

This has been ongoing for over a decade. But we have a situation now where some of our IXPs have slowed down in their development. And there’s some which are on the table which have not been fully developed.

So CaribNOG has stepped in over the last few years to help those IXPs be started and become a significant part of the Internet infrastructure in the region.

So it’s intended to help IXPs find their rightful place in the Internet economy.

It’s a multiyear, multicountry project. The Caribbean region has quite a few island nations – and in South America. We don’t expect all of this to be completed in a couple of years. So our scope is all of the countries in the CaribNOG region, which we would tackle over a number of years.

We want to bring together the technical community and stakeholders to see where the issues are and what needs to be done, want to give our Internet Exchange Points access to expertise to help build IXPs. And we know we have a lot of that inside our wider community with Internet organizations, ARIN included.

And we want to help in areas in which training on IXP development is needed. And the practical, most practical parts with it are to help with the installation, design and installation of the Internet Exchange Points which are needed.

In keeping with the approach we wanted to take with our project, we broke it down into these activities, consultation with our Internet organizations in the region, discussion within the CaribNOG community, research to understand the current state of IXP training, collaboration with training organizations such as the Network Startup Resource Center, and there’s one Internet Exchange Point which we’re actively engaged in currently with their development, and that’s the Internet exchange in Saint Kitts and Nevis.

The outcomes: as we proceeded through the project this year, we had three capacity-building workshops as part of CaribNOG and/or CarPIF, that’s the Internet peering forum meeting. And one project spun out of this, which is the development of an IXP directory. That will help to give knowledge or accurate knowledge of the state of IXPs.

We saw improved collaboration between the stakeholders and members of the technical community. And as I mentioned, our work with the Saint Kitts and Nevis IXP is in progress. One thing we did note is that a lot of the activity was slowed down due to the COVID-19 pandemic which severely restricted travel and generally took people’s focus away from the actual – some of these projects.

We’ve been working around that. And what we do expect is that the projects will continue to flow out into the rest of this year, and will basically keep moving in this direction from this point.

So, that is basically where we are. One of the big things that came out of this is that we have a much clearer understanding of where our Internet Exchange Points are currently. And we have a roadmap to building them out over there in the next few years.

Want to close by thanking ARIN and the Community Grant Program for the support. It has been an excellent and developmental process so far. And to find out more, here’s our contact information for CaribNOG. Thank you.

Voiceover: Finally today, we will hear from E. Marie Brierley about her IPv6 integrated research.

E. Marie Brierley: IPv6 integrated research project by E. Marie Brierley, with the collaboration of NIST.

We attempted to identify leading indicators for IPv6 adoption for enterprises. The first step we needed to take in doing that was to build the foundation and integrate the data. We are integrating data from ARIN and from NIST.

From ARIN we’re getting the address acquisition data for v6. And from NIST we’re getting all three services that they are tracking as they turn up on v6. That’s DNS, email and web.

This is the first time anything like that’s been done. So entity matching was our biggest challenge. This is the first attempt. There are no shared keys between those datasets.

And they use different methods for identity identification. ARIN uses an Org ID and Org name. NIST uses domains.

This was a critical effort for data integrity. And because v6 adoption for enterprise is relatively low at this point, we were really concerned about being able to capture a sufficient sample size for the follow-on statistical analysis.

We were hoping it would be easier than it turned out to be. We have complex results in terms of that heuristic for matching those entities.

And it was highly iterative. So what we ended up with was a hybrid heuristic which was programmatic, accompanied by manual validation.

So the way this evolved, I started this project a few years ago while in grad school. And I was manually matching the NIST domains to the ARIN Org names. It was obviously very resource intensive and not really repeatable.

Once NIST volunteered to collaborate, then we were able to move forward with making this programmatic.

Email was our first attempt. We matched the NIST domain with the ARIN email contact domain. That resulted in a very low match count, and it was also some pretty interesting data, primarily because a lot of the members are using generic email services rather than using their organization email for that contact information. And obviously anything programmatic is repeatable.

And so then we moved on to matching domains. This is again programmatic. We then went on to matching the NIST domain with the ARIN Org name. This really improved our match count.

Now we’re at the hybrid where we think we’ve gotten the best set of results, which is matching the NIST domain with the ARIN Org name plus the email contact and there’s some tiebreakers involved in that as well.

So our result, what we’re looking to do – is this is just a short sample of the NIST domain name that they’re tracking. They’re tracking about a thousand of them.

This is the Org ID. Ultimately we want to capture the ARIN Org ID for as many as possible. And we’re getting the address acquisition dates from ARIN, and we’re getting the first seen dates from NIST. That’s what they’re tracking: DNS, email and web. And from this we’ll move into the statistical analysis and build the models.

What you see here in the red is that some of them have first seen service dates, turn-up date that is prior to the address acquisition date. Those are the ones in red. We did see a fair number of those.

We’ll be incorporating BGP data in order to filter out some of those and limit those as much as we can.

For those that we cannot identify a reason for and correct it, then they will be just eliminated from the statistical analysis.

Big indicators of enterprise IPv6 adoption is critical to understanding enterprise behavior and adoption, then leading to adoption acceleration. We consider this to be in addition to the lagging indicators that we use already, which is traffic.

Thank you for your time.

Beverly Hicks: Okay. Thank you so much for those amazing presentations. And thank you, Jennifer, for that information about the upcoming grants as well.

We will next move on as soon as our presenter is ready. There we go. We’re next moving on to Ms. Hollis Kara for our Training and Outreach Report. Take it away whenever you’re ready.

Training and Outreach Report

Hollis Kara: Thanks, Beverly. Thank you, everybody, for hanging with us today. I know I’m the only one between you and the open microphone, which is what you’ve probably been waiting around for.

Let’s talk about what’s happened in training and outreach since ARIN 47.

Next slide, please. It’s been an adventure. 2021 is the gift that does not stop giving. Let’s move on.

What I’m going to cover today is some updates on what’s happening inside the team. Big changes with our blog; updates on outreach events; our fellowship program and training, and a little bit of a look ahead into what we hope to accomplish in 2022.

Can I have the next slide? All right. So we did have a transition within the team this year, this summer. Kim Kelly, who was our long-standing communications writer, left us to pursue new opportunities. And we wish her well in that new pursuit.

We were very fortunate to bring on board Ashley Perks, who joined us toward the end of summer, beginning of September, and she’s here with us through the meeting. This is her first meeting. So be nice to her.

She’s helping out Jennifer with a lot of our social media and blog coverage. And why is that? That’s because Erin Pratt, who we saw at stretch earlier, is actually out on maternity leave right now. What you were watching was a video from her stretch presentation from ARIN 47.

She’s at home, happy and healthy, with a beautiful new baby girl. And we’re missing her terribly.

So we’ve had lots of big challenges and lots of creative solutions. And the big thing Erin was holding out delivery was – go to the next slide – her other baby.

We moved TeamARIN. Since 2009, we had TeamARIN as our site where we hosted our blog and our community calendar and a bunch of other great content.

We started the process kind of toward the beginning of the year, end of last year, to integrate all of that inside of arin.net. And we did it.

Actually just days before Erin’s baby arrived. So they’re almost twins. Go to the next slide.

So if you go to arin.net/blog you’ll find our new blog home page. All the content that was at TeamARIN has been moved over with redirects. So your experience should be pretty seamless. We have a subscription option. Don’t rush to sign up yet.

Our first vendor is not working out great. So we’re going to be making a switch here hopefully in the next few weeks, and we’ll really start promoting that subscription option, once we know we’ve got it up and working well.

As I said, all the blog history is there. We also have an improved community event calendar. All of our community events carried over from the old site as well. So all that history has been retained, but the new event calendar is really cool in that you can sort it based on events that are community events, ARIN events, and even a little bit granular within that space about categories of events.

So if you’re looking for something specific, it should help you find things a little bit more quickly.

We also moved over our library of IPv6 case studies and our ARIN Bits newsletter library.

It’s really cool. We’re really happy with how it turned out. We hope you’ll go poke around. If you see anything that you like, don’t like, whatever, please reach out to us.

We’re always happy to get your feedback and make adjustments where we can. The other point I wanted to make is we just updated our site search and now blog is actually a category under site search when you’re at arin.net.

You can actually use the arin.net website search to specifically search the blog if you aren’t interested in using the category tags that are displayed on the blog home page. There’s a couple different ways to find your way around.

Next slide. Okay. Outreach has been an interesting scene through the summer and into the start of the fall. We had spun up a really great – Jennifer Bly took the lead on our strategic partnership program. That was really a way for us to keep engaged with a lot of the organizations where we would typically present in person or host help desks or have presenters because there’s carry-over between the audiences and they’re folks we wanted to do outreach to.

When everything kind of locked down, we started moving that more into the webinar space. We were working directly with a lot of these organizations in the beginning of the year to host webinars, content that was ARIN content but that they wanted us to bring into the space where their members are comfortable, which was in their front yards.

So we were doing that through a series of webinars. What we found as we started to hit the summertime is that those organizations were really shifting their focus to back to getting to their in-person events. They really wanted to host their conferences and get people back in the same place.

We get that. We want that, too. What that meant was we saw a sharp dip in webinars. We were starting to schedule a lot more in-person events, and then we hit summer. And we had all the Delta variant fun and a lot of those things were canceled.

So we’re still trying to work through trying to find the best ways to connect with those organizations and their audiences as we’re moving forward.

We did have one, by request, live Q&A session for Internet 2 about IPv4 legacy resources. Actually had 156 attendees at that one. It was a successful outing. We were pleased with that event.

Next slide. All right. Our other big program which we have carried on started at the end of last year.

We’ve carried it through this year thus far is ARIN Optimized. That is our ARIN welcome for new customers. Basically we grab everybody who has come in for the quarter. We send them an invite, and we have a one-hour, hour-and-a-half webinar to kind of walk them through all the things that are available to them as customers.

We’ve had 74 attendees across the sessions we’ve held so far this year. We have a lot of other people who register and choose to watch it afterwards because we send that link out to them.

So we have one more scheduled for December and then we’ll probably be revamping the program a little bit now that we have a year of experience with it, some refinements we want to make going into 2022.

But overall we’ve been really happy with the outcome and we know it’s working because we see folks that have registered and attended that going on and immediately showing up and registering for our on-demand training. It’s a nice on-ramp for folks that are new to the ARIN space.

Next slide. And then event presentations. As I mentioned we had mostly been doing that inside of the strategic partnership program. We’ve been trying to shift that more to in-person events as we’re able. And we have had some events which have been conducted in person and others where it’s been an online only.

So even just last week we were at the Indigenous Connectivity Summit. John Sweeting gave a presentation there. We’re continuing to look for those opportunities and schedule them out into 2022 as we’re aware of conferences coming online and folks opening up their calls for presentations.

The next slide. Just one last quick shout out to our fellows. Our Fellowship Program has been around since 2009. This year has been our first year fully virtual.

We are not yet sure what 2022 will bring. But the one thing that we have learned is that this more structured program has allowed for a much richer and deeper engagement with our fellows and with the mentors to really help our fellows come into the meeting and feel like they can really hit the ground running, which is great.

It’s exactly what we want. So my assumption is even once we are able to be bringing fellows back to meetings in person, we’re still going to retain some of these features that we’ve added in the virtual program because they’ve done such a great job of helping our fellows really, really get comfortable and familiar inside the policy development space and familiar with the players in the organization so that they feel comfortable and confident walking into the meeting for the first time and taking an active part.

Next slide. All right, training. I’ll recap. Brad mentioned a lot of this earlier in his presentation early this afternoon. We did have two new webinars since last meeting.

One was on ARIN’s RESTful API for IRR. And the other was our first webinar on RPKI. Both of these are currently available as on-demand.

So I encourage you, if you or someone you know needs to learn more about either of these services, that those are available to you on the ARIN website.

Next slide. We had a crazy month in May. We actually had one if not two events all through May, which was a load of fun now that we’re passed it. But we ended up serving over 250 live attendees and had over 160 on demand views. We know that our efforts in that area are working.

We are able to reach people and folks are able to get the information they need. We’ll continue to build on that strength as we head into next year.

And we also have two great new on-demand videos. Not on-demand videos, I’m sorry, just-in-time trainings. One is on creating your route origin authorization using ARIN Online. That one is just a very quick, simple screen shot walk-through to help you understand what you’re doing if you’re new to creating ROAs.

That’s wonderful. We have a new six-minute ARIN 101, everything you need to know about ARIN, which is really a helpful piece for folks that are brand new to the space or coming from a different area and just needing to get bootstrapped in on what ARIN is all about.

The next slide. All right. As I said, quick look ahead to 2022. Next slide. All right. It’s going to be fun. I’m excited. We’re actually bringing back in-person. Q1 we already have three events that we’re working on scheduling out.

You’ll see registration open in January. Most likely for all three. We’re bringing back ARIN on the Road and Lunch by the Numbers.

We’re hoping to continue that across the year. We’ll have three events in the first quarter. We’re looking forward to getting back to delivering some of this content to folks in person and having those conversations that, as much as we try, you can’t quite replicate in the virtual space.

That said, we will still be growing our online events. Brad and the team are already hard at work on an RPKI 201 which will hopefully debut in the first quarter next year. That’s the plan.

As I said, we’re going to be looking at how to freshen ARIN Optimized as we carry it forward for our new customers. One of the things long on our list, we’ve had a couple of attendees at events bring it up at this point, that they’ve said that a dashboard tour for ARIN Online would be really helpful to them.

And our teams are also busy making some improvements to that dashboard. We’re hoping to sync up all those things and be able to put out a video to help people understand how to navigate and where to find what they need when they’re logged into their ARIN Online account.

For hybrid, as you know this meeting is spaced out: we keep saying it’s four days, three weeks, two time zones. It’s a wild ride. But actually the great thing about what we’re doing with our Member Meeting in Minnesota is it’s giving us a chance to test drive a hybrid meeting before we have to do it for a full Public Policy Meeting in the spring, which is what we’ll do.

We’ll have folks – as long as everything permits for us to do it safely, we will have an on-site meeting in Nashville in April, but we will also be offering a full hybrid option for folks that are not comfortable or unable to travel at that point in time so that we can try to take remote participation to the next level and bring those folks into the meeting in an even more meaningful way.

And as I mentioned, we’re not sure yet for the Fellowship whether we’ll be bringing them in person or whether that will remain a completely virtual program. But stay tuned for news. We’ll be updating as decisions are made and as applications open and registration opens – all that information will be available early next year.

And then the other item that I just – I didn’t want to skip over it because I had mentioned it at ARIN 47, and frankly we haven’t had time to make much progress on it, is that we still do hope to launch a pro series of IPv6 webinars.

And that would be us coordinating with folks in the community who want to come in and we would do hosting the training, they’d bring the content and we’ll bring them their audience.

As we move forward with spec’ing out that plan, you can be looking for news of that in the new year and hopefully we’ll be finding folks that are interested in working with us on that.

If you’re interested or know someone who might be and wants to kind of get ahead of the eight, you can email us at training@arin.net, and we’re happy to take your information and as we start planning, pull you into that conversation right up front.

Next slide. All right. That was a speed drive through everything that’s been happening in training and outreach since ARIN 47.

Before I hand it off for Open Microphone, were there any questions from the audience?

Beverly Hicks: Thanks so much. I’m looking – I’m not seeing any questions at the moment. I was trying to give everyone a minute to see. But if they come in through Open Microphone we can grab them then, too. Thanks for your presentation.

Hollis Kara: Thank you.

Beverly Hicks: At this time I’ll turn it over to Mr. Curran for Open Microphone time.

John Curran: Okay. Thank you, everyone, for coming to this meeting. I think it’s been wonderful. I want to take an opportunity now to do something that’s a bit of a tradition at ARIN which is our Open Microphone.

We generally end each day with that. So at this time the microphones are open. I’m available. Our Chair, Paul Andersen, is available. Staff is standing by.

If you have any questions, please raise your hand or put them in the Q&A. Thank you. Standing by on open mic. Mics are open.

Open Microphone

Paul Andersen: Open Microphone will be tomorrow and also at our in-person and hybrid virtual meeting in Minneapolis. Many of us are looking forward, to those who can make it, seeing you all.

John Curran: Last chance. It’s been a long day with policy, but we’re here for you now. I’m going to be closing the mic shortly.

Okay. Thank you, everyone. Again we’ll have an Open Microphone tomorrow. Thank you for your participation in the meeting. I’ll turn it back over to our moderators.

Closing Announcements and Adjournment

Beverly Hicks: With that, we just want to thank you. We want to thank our Network Sponsors, USI and Lumen.

Next slide. And remind you that tomorrow at noon eastern we will be ready for day two of ARIN, some more policy, but also our NRO reports as well as a Government Affairs update.

With that, we’d like to thank everybody for attending today and hope we will see you again tomorrow. Have a great afternoon.

[Meeting adjourned at 2:50 PM]

OUT OF DATE?

Here in the Vault, information is published in its final form and then not changed or updated. As a result, some content, specifically links to other pages and other references, may be out-of-date or no longer available.