ARIN 42 Public Policy Meeting, Day 2 Transcript - Friday, 5 October 2018 [Archived]

Please Note: This transcript may contain errors due to errors in transcription or in formatting it for posting. Therefore, the material is presented only to assist you, and is not an authoritative representation of discussion at the meeting. If additional clarification and details are required, videos from our original webcast are available on our YouTube channel.

For an executive summary of this day of the meeting, read the daily digest on the TeamARIN website.

Public Policy Meeting, Day 2 - Opening Announcements

John Curran: If people will come in and be seated, we’ll get started.

Good morning and welcome. I’m John Curran, president and CEO of ARIN. Welcome to the second day of our Public Policy Meeting. We’ll also be having our open Member Meeting later on today.

I’d like to start out with some brief announcements. Thank you for our sponsors, network sponsor and webcast sponsor, TELUS and Google.

(Applause.)

We have an election underway. People may have figured that out. There’s an Election Help Desk outside. We’ve done the announcements yesterday. We’ve had candidate speeches. It’s time to vote. Voting is open and will remain open through the 12th of October.

So if you have any questions, find the Election Help Desk. But please vote. This is very important. It’s how the governance of ARIN is done.

We’re going to have a policy discussion coming up in our first block. I’d like to make sure everyone can follow the courtesies in the program, i.e., when you approach the microphone, identify yourself and your affiliation.

When you are speaking, speak so that everyone can hear you clearly. Please be polite. This is how we advance the policies and programs.

So if you have any questions, look at your program, there’s a full list of the proper courtesies.

Agenda. So today we’re going to have the NRO Activities Report, the NRO Number Council Report, also known as the ASO AC. We’ll have the IANA Review Committee Report.

And we have a Recommended Draft Policy that’s going to be in the policy block that we do at 9:40 this morning. We don’t have a Software Development Update, but we will hear an update of ARIN’s activities with law enforcement.

We’ll have a break. And then when we come back from the break we’ll do Open Microphone, and we’ll close formally the Public Policy part of the meeting.

Later on, right after that, we’ll move on to the Member Meeting where ARIN presents to its members how the organization is doing and all the various departments. Again, the Member Meeting is open to everyone.

So at the head table we have the ARIN Board of Trustees: Chair (coughing) Paul Andersen. Paul, when I look at you, I just break up.

(Laughter.)

I’ve got to compose myself. Chairman, Paul Andersen; Vice Chair, Bill Sandiford; and Board member Aaron Hughes and Daniel Alexander. And, yes, Nancy is joining us. Nancy is our treasurer.

Very good. Okay. We’re going to move on at this point. And I’m going to give the first presentation, which is the NRO Activities Report.

NRO Activities Report

John Curran: So many of you are aware of the term the NRO, the Number Resource Organization. It’s the name we use for the collective activity of the coordination of the five RIRs.

So the NRO aims to be the flagship and global leader for collaborative Internet number resource management as a central element of an open and stable and secure Internet.

The five RIRs have to work together to make the Number Resource Registry work collectively, because it’s actually one registry that we all operate a portion of. We have to coordinate to make sure it is one registry.

So to that extent, we have a coordination function called the NRO. It’s basically composed of the executive body. I’ll talk about it. It’s composed of the five CEOs of the five RIRs.

We also do global policy coordination through the NRO Number Council. So let me talk about this. We were formed in 2003. There’s an MoU for coordinating the RIR system.

We support the multi-stakeholder model which is a model where all parties are welcome to participate.

Board member Patrick Gilmore joining us. Thank you.

And we have a relationship with ICANN that we interface with them through the NRO through the collective activity of the five RIRs.

Our executive committee is made up of the five executives of the RIRs. Paul Wilson from APNIC is the Chair of the NRO. Alan Barrett is our Vice Chair and Secretary. He’s from AFRINIC. Axel, who is here, from RIPE, is a Board member, as is Oscar and myself.

We have a secretariat function. We have a modest staff. German and Susannah Gray are the ones that handle the collective administrative tasks of the organization.

We have coordination groups, which are composed of the leads of those activities in each of the RIRs. So all the communications leads work together for communications group. They coordinate our press releases, our outreach, our joint – when we do a joint booth somewhere.

Engineering department has an ECG, Engineering Coordination Group, made up of the engineering leads of all the RIRs, coordinate on such things as transfers and similar, making sure that we are reporting for statistics, making sure we have common report formats.

And we have a Registration Services Coordination Group that works on the procedures and how we actually handle inter-RIR handoffs, for example; how we interact with the IANA to get new address blocks, for example.

So we also have informal groups that coordinate among the RIRs in areas like public affairs, policy. Our CFOs coordinate to make sure there’s one NRO budget. Our legal staffs coordinate when we have joint agreements to be drafted. For example, agreements with ICANN.

So amongst other things, the NRO is the group that produces the Internet Number Status Report. It’s not a product of one RIR; it’s a product of all five. That provides the global stats that you saw yesterday that John Sweeting presented.

The new Extended Stats Project is underway, to be released in the fourth quarter. You can hear more about it there. Common statistics formats and reporting.

We do the Comparative Policy Overview, which people may not be aware of. There’s a matrix that shows – when you’re looking at an issue such as allocation versus assignment, or membership versus customer, or policies regarding what’s the definition of need, or how transfer policies in the regions compare – there’s a matrix that shows the differences between the RIRs.

Particularly helpful if you are aware of one RIR and you want a quick introduction to what’s different in another, you can go online and look at the Comparative Policy Matrix.

We also are known within the ICANN structure as the Address Supporting Organization. ICANN has a structure which includes supporting organizations. When the NRO works within the ICANN structure, we are referred to as the ASO.

This causes some sort of confusion. People think there’s two bodies and one of them is secret. No, it’s the same body. It’s the NRO or the ASO. We just put on our ASO cape when we’re at ICANN. So that’s the name we use.

Budget allocation: So NRO does have some expense from the secretariat, also the expense we pay to ICANN for the IANA team for – sorry. The group that was in ICANN which is now a separate affiliate known as the Public Technical Identifiers Organization. We pay money to ICANN. They pay money to that.

So all those add up. So we’ve got general operations for the NRO, secretariat, the communications, travel and meetings.

We have the IANA services and then – we seem to have a line with the two same expenses there.

That’s interesting. I really don’t know. Let me think. The second line is the secretarial expense of the NRO. First one is our general operations. The second one is the secretarial staff, the third one is our cost to ICANN every year. Adds up to about 1.4 million.

It’s allocated by the budget allocations which are based on the size of the RIRs.

When you actually break down each RIR based on its operating costs or revenue, it’s approximately the same. The ratios of the RIRs are there. So ARIN, for example, pays 29 percent of that $1.6 million you see there.

We also have a stability fund. We’ve jointly pledged each RIR if necessary to support another RIR if it were to be in duress, if it has a circumstance where it couldn’t provide registry services. We’ve all pledged funds and personnel. You can read more about it there under Joint RIR Stability Fund.

So one of the things the NRO handles is the IANA Review Committee. So we collectively contract with the IANA to provide IANA registry services. This is administration of the top number resource pools.

And as part of that contract we have a review committee that reviews the performance of the IANA and reports back to the community.

The review committee has one member from each – three members from each region. Two are community-elected members. One’s a staff rep. They have public archive. They review the performance of IANA to make sure it’s serving us appropriately. You’ll hear more about that when you hear about the IANA Review Committee Report.

Those are the members. I’ll pass by.

Empowered Community: This is a strange concept. So when ICANN – when the community decided that it would be good for the IANA and the functions done by the IANA to be supervised by the community, the IETF said – the IETF already has an MoU with ICANN. That suffices. We said we, the RIRs collectively, the numbers community, will put together a contract and we’ll have a review committee.

In the DNS community, they said we want ICANN to contract with the IANA to run the root zone. And so ICANN will represent us, and that ICANN should spin out the IANA as an affiliate.

This led to the Public Technical Identifier affiliate. But then later on they said ICANN’s not completely accountable to the community, or we can’t be certain of that. And so we need an extra layer of protection.

So while ICANN represents the domain community and contracts effectively with its affiliate, PTI, to operate the root zone, ICANN inherited a new layer of supervision above it called the ICANN Empowered Community, which has the ability to modify ICANN’s bylaws. It’s the party that actually legally puts people on the Board and has the power to remove them, a whole bunch of other things. So above the ICANN Board is now the ICANN Empowered Community.

When that was set up, the RIRs asked if we would hold a seat in the ICANN Empowered Community. And we do. We have procedures for how we manage that responsibility. You can go see them online. But it’s an oversight body for ICANN.

ASO Review: There’s a function in the ICANN bylaws that requires ICANN to review periodically its supporting organization. And in our MoU with ICANN it says the NRO shall provide a periodic review of ICANN’s effectiveness acting within ICANN.

We had a review in 2011. We recently had another one, whose final report was published in 2017.

And that called for a number of things. Mostly improving the clarity of how we work within ICANN. The independent review recommendations and the NRO EC, the Executive Council, and the ASO AC, which we call the NRO Number Council, provided a joint response on the 18 recommendations. You can go read them.

Most of them are clarifying terms, making things simpler, making engagement with the ICANN community more clear. But the 18th recommendation was that we should look at the structure of the ASO and figure out what we call the ASO and figure out what that should be long term.

And so we initiated a process at all of the RIRs for a independent review about the future structure of the ASO.

I reported this at the last ARIN meeting. Based on the consultation on the list and the discussion in that meeting we actually published a set of four outcomes.

One of them says let’s not use NRO and ASO and alternate back and forth randomly; let’s actually come up with one name.

So you can go see that online. The other RIRs are also considering the future structure of the ASO. We hope to converge on one set of recommendations. And so hopefully we’ll hear about that soon.

Technical projects: RPKI All Resource Trust Anchor. Been a lot of interest in RPKI. RPKI right now has five certification authorities which you access via the Trust Anchor Locator. There’s been discussion of having a single Trust Anchor Locator. You can go see – sorry. All Resource Trust Anchor. That’s slightly different.

So, one of the problems we have with RPKI is that it is possible, due to the validation algorithm, for an RIR, in the process of, like, resources moving from an RIR to an RIR, it’s possible for an RIR to exhibit overclaiming. If a resource – because it’s moving from one to the other, we have to prune our tree. Someone else has to grow their RPKI resource tree. And the way the validation works, if that’s a mismatch, then there’s invalidation of parts of the tree.

Because of that, it’s fairly fragile. We actually have all deployed now trust anchors for each RIR which has what’s called 0/0, or all IPv4 resources. And actually – all resources.

That allows us – each RIR can have any resources in its RPKI tree and there’s no chance that we’ll invalidate the tree through overclaiming.

This is necessary because of PKI’s validation algorithm. There’s actually work within the IETF on a new validation algorithm which is less fragile, but in the meantime, we have deployed – each RIR has a 0/0 Trust Anchor.

Emergency Back-Up Operations Project: You heard earlier that we have a stability fund and we’re pledged to deploying the stability of each RIR. The Emergency Back-Up Operations Project is actually going through some of the steps to plan out how we would recover an RIR – and how we would recover the operations of an RIR if we actually had to do that.

Internet Technology Health Indicators Consultation: ICANN, in its role of overall coordination of the identifiers of the Internet, has set up a project within its office of CTO called the Internet Technology Health Indicators Project, which is trying to reflect high-level metrics for the availability, the accuracy of the identifiers in the Internet: domain names, IP addresses, protocol identifiers.

We agreed to work with them. And we’ve been working on developing those metrics. We held an open consultation on how we propose to prepare those metrics and report them, when it comes to number resources.

So if you’re interested in the metrics for measuring the health of the Internet Number Registry system, that would be it.

We’re in the middle of an NRO website revamp. In fact, the preview of that is available online and is a fairly significant look, change, should make it easier to find things. Boom. That’s it.

Questions on the NRO Activities Report?

(No response.)

No questions whatsoever. Wow. I’m going to ask Louie Lee to come up, and he’s going to give the NRO Number Council Report. Come on up, Louie.

NRO NC Report

Louie Lee: Good morning, everyone. I’m Louie Lee, and this is Louie’s hat, here to give you the ICANN ASO, Address Support Organization, ASO AC Update.

So we are the NRO Number Council. So the Number Resource Policy advisory body. As you heard from John just now, we are 15 members, three from each region; two are elected at large and one appointed by the RIR Board.

In the ARIN region, it’s three-year terms, but it does vary across RIRs.

So what do we do? We advise the ICANN Board on the Internet numbers matters; select ICANN Board members, two of them, seats 9 and 10; and we select representatives to the ICANN bodies of the NomCom.

We also, coincidentally, help manage the Global Policy Development Process. So as for global policies that are agreed upon across all five RIRs, we shepherd that up to the IANA and ICANN.

We meet telephonically monthly, and we do get together physically once a year.

So the ASO AC chair elections will begin at the end of this year as per our procedures. And nominations will open in December and we’ll have an online confidential ballot if there’s more than one candidate.

And then the chair would select two vice chairs at the beginning of the year, and the term of the chair and vice chair is one year.

So these are the 15 members. And as listed in the middle there, you’ll see Jason Schiller, Kevin Blumberg and myself as the ARIN representatives.

This is a new slide for this year. This is a slide showing the record attendance for our meetings.

It is to call out for the audience, for our membership, the level of participation within the meetings. Of course, it doesn’t highlight the participation in the mailing list, but it is one indicator.

And for the NRO Executive Council, we have Paul Wilson as Chair; Vice Chair Alan Barrett; treasurer, Axel; and Oscar and John being the sitting members because they’ve done much work in the previous years.

These positions do rotate across RIRs through the years. Now, since our last ARIN meeting, we have reappointed – that’s a nice picture.

(Laughter.)

Ron da Silva to the ICANN Board. This is his second three-year term. We had four candidates from three different regions. But one candidate did withdraw from the process.

So we are going to be starting the seat 10 appointment process. We are starting this week, September 15th. And I expect that the announcement will be made early April. Seat 10 is currently served by the Asia Pacific representative Maemura Akinori. And we will be putting out nominations to be published in all regions, except for ARIN, early next week.

The “except for ARIN” part is because we cannot have a candidate from a region where we already have a candidate from a sitting Board member. So Ron being from the ARIN region, we cannot have a second Board member from the ARIN region.

Pardon my deep voice. It does that in the mornings. I’m not sick. Feel free to shake my hand.

(Laughter.)

The ASO AC activities, along with the ICANN Board, we do appoint members to various ICANN bodies, including the CC Working Group, the Accountability Work Stream 2, with Fiona and Jorge Villa; and the final report was published this past June.

We have reappointed Brajesh Jain from APNIC to the ICANN NomCom.

For global policy management, we are still observing each RIR’s policy forum for new global policy proposals.

The facilitator team are the members listed there. From the ARIN region is Jason Schiller.

This is a timeline of the ASO review that we’ve been tracking. You’ve already heard quite a bit from John about that. So I would just leave it up there for a minute there for you to look at the September piece where the NRO EC had proposed input to the RIR consultant – for the RIR consultations, in case you can’t read that tiny font there.

And continuing on, the third consultation is during the APNIC 46.

Of course you can view all these activities at our website aso.icann.org.

Are there any questions for me? Center mic, Andrew.

Andrew Dul: Andrew Dul. So I understand you cannot accept a nomination for a Board candidate in this region, but are people from this region prohibited from making a nomination?

Louie Lee: Certainly not.

Andrew Dul: So why not publish to this region that nominations are open?

Louie Lee: We’ll make that change.

Andrew Dul: Okay.

Louie Lee: Thank you.

John Curran: Any other questions for Louie?

Okay. Moving on, I think I could call Louie Lee to provide the IANA Review Committee Report.

IANA Review Committee Report

Louie Lee: Hi, I’m Louie Lee. This is Louie’s hat. We’ll go to the beginning slide here.

So this is the IANA Number Services Review Committee Report. So as you’re used to seeing from when Jason presents these presentations, it’s really boring. There’s nothing to see here. And it should be boring when IANA does the job that we contract it to do.

The Review Committee is formed by 15 members. Two as you’ve heard earlier, John mentioned. Two are elected from the community and one is appointed.

And I’ll just jump right through here. It was formed based on the CRISP team recommendation from several years ago, when we were seeing how we can have the oversight that we need for IANA services.

Specifically from the ARIN region, you have myself, Jason Schiller and currently Nate Davis, but Nate’s position on here is ending. And thank you very much, Nate. And we have already transitioned, started to transition over to…Richard Jimmerson. I’m sorry, I blank out, too, when I’m up here on names.

So since our last meeting, we haven’t had a lot of work that needed to be done, because our work is primarily based on an annual report. We have been working on redefining – refining our operating procedures. And we’ve begun preparations for the next year’s report.

By that, I mean we are seeing that there have been two transactions made this year so far: one in March and one in August – sorry, two in August – and they had to do with v4 unicast assignment and AS numbers.

And so far those two have been just fine. So the preliminaries are that there’s no indication of failure or near failure. And no concerning or interesting patterns detected.

Now, the Review Committee, though, we are expected to engage with the respective RIR communities. So please do reach out to us if you have any concerns about the IANA services being provided to you, whether it’s – what they’re providing right now is good or you don’t see it as being good or if you think we need to adjust the metrics. And we’ll start that conversation with you.

So with that, thank you very much. Any questions?

John Curran: Any questions for Louie regarding the IANA Review Committee Report?

(No response.)

Thank you, Louie.

(Applause.)

So we have a policy block next at 9:40. We don’t start those early because remote participants like to be able to rely on when we’re starting. So I’m going to call up a presentation from later in the meeting. I’m going to ask Leslie Nobile, Leslie, are you here? Paging Leslie.

That’s a problem. Wonderful. Okay. That’s actually the last content before the Draft Policy. I’m either going to end up breaking the rules, bringing member presentations up, or we’ll start the policy block early. Chair?

Paul Andersen: Member presentations.

Department Update: Engineering (Members Meeting)

John Curran: So at this time I’d like to start on the membership presentations. You folks who didn’t want to attend the Member Meeting, congratulations, here it is now. Mark, come on up. First report up will be Mark Kosters, Engineering Update.

Mark Kosters: Let me see if I can be like Louie [coughing].

Paul Andersen: Want some water?

Mark Kosters: Yeah.

From the Floor: [Inaudible].

Mark Kosters: There’s been no geese activity lately. I have ridden my bike and I’ve fastidiously stayed away from the geese, as I ride my bike to and from work.

Paul Andersen: Here, in Canada, they’ve not given you any trouble?

Mark Kosters: In Canada I have not ridden my bike, because I forgot my helmet. And I hear it’s against the law to ride a bike here in Canada without your helmet.

Great. So I’m Mark Kosters, CTO of ARIN. I head up Engineering. So let’s go ahead and get started.

So we made changes within Engineering, and I’m wondering if you know what the changes are. So does anyone remember from the last meeting? Oh, come on. Come on. I do this every time. You haven’t committed it to memory yet?

Okay. Alright. So one of the things that we did is we broke up Operations. We have an externally-focused team and an internally-focused team.

So Operations is now seven engineers with a manager externally. And internally focused, we have, as well as security, we have five engineers and a manager.

Development: You can see we have ten engineers and a manager. And we have two people with white smocks out in the hallway. I hear that they’re going to come by a little bit later and take me to the asylum.

But they are here to take care of all the UI work that we’ve been training or testing you guys with.

Software integration is headed up by Maureen Seiler now. And she’s a new member of the team in that position. Been with ARIN for a number of years.

Project management is Deb. And her sidekick Sherrie, and of course me.

Our main accomplishments that we’ve had since ARIN 41: our main technical – our main focus areas has been technical debt. So I’ve reported many times before that we’re a version or two of Java behind, versions of Java behind.

Our main operating system is CentOS. And we’re running on CentOS 6 and CentOS 7 is out there. We’ve done some technical improvements. We’ve added some ARIN staffing tools to make things more efficient for them, and of course Whois performance, which I talked about yesterday.

So technical debt completed: one is we upgraded Postgres. We’re now up to the latest stable version, actually it’s 10.5 now. We’re at 10.4. We moved to a different high-availability scheme, which meant that we can get rid of the 15-year-old Cisco switches we had in place. So that’s all good.

And then we got rid of our last CentOS 4 box. I think I mentioned in the last meeting we were going to go out and shoot it. That is not true.

It has not been shot. It’s actually safely stored in my office and the National Society – the “National Humane Society of Computers” is no longer alarmed.

So we’re working on some automated systems using Ansible and we’ve modernized the virtualization managers.

Next, we have a number of ACSPs that we’ve put out, of which you’ve probably noticed that this part of the presentation is very similar to Nate’s presentation.

And what’s interesting is Nate’s presentation from yesterday, talking about software development priorities, and Richard’s presentation on dealing with the website, we’re all working very closely together on basically a lot of the engineering efforts that are going on within ARIN.

And here’s the slide that’s very similar to what Nate has put out in terms of what we’ve done. ACSPs, which are suggestions by the community that we’ve done – adding DMARC support on our mailing lists, and adding details to annual invoices that Nate talked about before. Enhancements to the daily ASN delegation file so that things are split out more appropriately for those who want to parse.

Revision management for the NRPM: that’s really a lot of work that’s been done with Sean, but there’s some back-end work that was done by Operations as well. So that was an opportunity for a good bit of teamwork to occur.

We’ve had a lot of user interface improvements within ARIN Online. I think you’ve seen that and hopefully things are easier for you all.

Lots of Whois performance improvements that I talked about yesterday. RDAP extension for searching network using Origin AS was a suggestion that we put out.

We’ve had to tune it back a little bit because it was actually – it was computationally expensive on some of the queries. So we had to actually put a maximum limit on the number of results received on that.

We’ve had many improvements to internal customer service as well and support for the new website.

Here you can see ARIN Online usage. It just keeps on going. We have almost – well not quite – but almost 150,000 user accounts now. That’s pretty amazing. So I think that’s really cool.

What’s also really cool is the number of people that are logging in over 16 times. So you have here almost 30 – about 25,000 users that are basically people that come in quite a bit within ARIN. So this is actually saying that, hey, there’s good utilization here.

Provisioning transactions. There’s the old system which are templates, which were done in the 1990s. And I must admit, during that time, I was actually working on doing template processors. That technology is now gone and passed but we still support it.

And there’s a new RESTful interface that as you can see, as over time, the RESTful interfaces has really taken off. The reason why there’s still some growth within templates is that there are some large ISPs that come in.

One comes once a week and reSWIPs their entire inventory with us. So there’s just – and every Saturday night, Sunday morning, we see a huge influx of deletes and adds on reassignments.

DNSSEC, here’s the numbers. Still pretty low. Less than one percent. But it gives you an idea of where things stand.

RPKI: here’s one thing that I find pretty fascinating. So at the, earlier in the week, we had the NANOG conference. And there was a lot of discussion going on with RPKI. And actually there’s a pretty significant uptake now on RPKI, relative to what’s happened in the past.

It’s fairly flat lined. But you look here, you look at the number of organizations who come in, it has increased pretty dramatically over the last meeting. But the more interesting part is the number of covered resources. Almost 2,000 resources now compared to less than a thousand at the last meeting.

So there is interest here. And I would be happy to see more.

Whois and Whois-RWS queries. You can see here Whois-RWS is a RESTful interface that we have, that Andy put together – Mr. RDAP.

And it’s a predecessor to RDAP. And you can see here it has at times a lot of use, at times not so much. And the same goes with our Whois traffic off of port 43, which is in blue. Again, you can see the peaks and valleys.

We had this one tremendous spike back in 2010. Actually, we had a couple of them which was very interesting. But since then we’ve sort of had a steady state until recently, where we’ve seen a lot more traffic.

And here you can see our RDAP queries in terms of what’s going on over v6. It’s approximately four or five percent. And here you can see RDAP in terms of its query rate over both v4 and v6.

Again, v4 being in blue and v6 being in yellow. So this is sort of a repeat of what I talked about yesterday in terms of the struggles that we’re having, that we do have a lot of people using the services and we do need to do some defense.

I’m not going to go into this detail because I went through it yesterday. But just in case that presentation wasn’t going to be done I was going to talk about it here.

So, here you go you can see the same slide. Isn’t that wonderful?

And here’s tarpitting. It’s new in some people’s vernacular. I encourage you to use this as you go about your business.

Okay. IRRs. Again, it’s increased as well, the number of maintainers has increased. And one of the things I find fascinating about route and route6 objects, is we’ve had one large user actually leave ARIN and go to a different IRR provider. But you can see that it really didn’t do any change so much on the number of objects that we have within the registry.

And you can see this also with INETNUM and INET6NUM objects, which isn’t really part of the IRR, but it is in our system because they’re decoupled.

And here you can see the number of organizations that use IRR, and you can see that there’s a lot of people, especially – there’s like 100 organizations that has from 100 to 1,000 objects within our IRR today. Just an interesting factoid.

What we’re working on through 2019: new website, lot of user interface and user experience improvements. We’re working on a number of ACSPs in accordance with that, and we’ve been doing test drives. We’re doing this right now with Jesse and Jan out in the hallway in the white frocks. And we’re starting our IRR work – starting in 2019.

So we’re also working on technical backlog, moving to stateless application services for ARIN Online. This is something that’s been sort of evolutionary and this is using Angular technology as a framework.

Continuing to move to Ansible. We were actually using Puppet before. And this is all being folded into Ansible so that we have a single configuration management solution for us as an organization.

Upgrading our back-up system because it’s really old, and upgrading our bump-in-the-wire DNSSEC signer that we have within ARIN’s infrastructure.

So, we’re also working with other RIRs. One of the things that John talked a little bit about earlier was NRO activities, and a lot of the things that we’re dealing with in the engineering portion of the NRO is working on differences that we have with our implementations of RDAP and extended stats file formats.

They’re very similar. But we’ve had some very – we have some minute differences that we need to work out.

With ITHI, we’re working with the various registration services departments and coming up with common statistics. And with RPKI, we’re working within IETF – various drafts – and some of them are RFCs now, actually in terms of dealing with ways that can actually better improve RPKI within the Internet from an operational perspective.

So any questions?

Kevin Blumberg: Kevin Blumberg, The Wire. With the IRR data it would be useful to actually see the number of proxy registrations that are in ARIN. I know that that was brought up as being a significant use.

And depending on the IRR timeline – your new IRR – is there a way to phase out new proxy registrations which won’t be allowed in the – my understanding at least – is they won’t be allowed in the new IRR? So maybe disallow them in the existing. I don’t know if that’s a huge workload or not.

But I do want to see the statistics of how much cruft there is in the existing IRR. Thank you.

Mark Kosters: Thank you.

Ruediger Volk: Ruediger Volk. Following a little bit of Kevin, you mentioned the starting date for IRR activities. Despite me having suggested to essentially bypass that activity, I wonder whether you can give some date at which point you will publish your technical draft design so that the new design actually can get scrutinized.

I would doubt that kind of the mode for two years you accept suggestions and stuff from the audience, and then you go back for a year and think about it. And two years later you come back with something – well, okay, if you do not do a feedback loop in between, you are probably addressing at the end something that is not addressing the situation you will have then.

John Curran: Ruediger, that’s actually not an engineering question. So regarding ARIN’s plans, that’s a question for the Management Team like me.

And, so, the short version is ARIN did a consultation and built an IRR roadmap, which is a high-level roadmap. It says what our plans are, and it also does include a way to get that information, use that as a basis for people who want an easier way to develop their ROA publication. That high-level roadmap was done after a consultation process and was published.

We’ve had a couple of comments this week about more detailed design information, but there’s also some interesting forks in the road about how to do that design. There are people working on open source IRRs, for example, right now which could play a component but needs to be decided.

So if the question is, is the next time you hear about our plans for IRR and RPKI going to be a release notice, that’s a good question. The answer’s no. We’ll try to publish a more detailed plan.

But we’re following the roadmap that the community agreed to three months ago; look at that roadmap for now, and we’ll come up with a more detailed plan sometime when it’s finalized over the next four to five months.

But it is per the roadmap that the community agreed to, okay?

Andrew Dul: Andrew Dul. What is the roadmap document?

John Curran: If you go to ARIN and you go to –

Andrew Dul: I just searched for it and I couldn’t find it.

John Curran: For the IRR roadmap?

Andrew Dul: Yeah. Is it the slide deck from last meeting or is it something else?

John Curran: It’s a document. If go to ARIN’s Internet Routing Registry – I will find it –

Mark Kosters: It’s published out there. Andrew, actually, if John doesn’t find it I’ll find it for you.

John Curran: It’s called ARIN Staff Report on IRR Consultation. Okay? And it is May 22nd, 2008 [2018]. If you look for Staff Report on IRR Consultation, that’s what we’re proceeding with.

Andrew Dul: Got it. Thanks.

John Curran: Thank you. Any other questions for Mark?

Ruediger Volk: Ruediger Volk again. Different question. And I think this will be actually engineering.

(Laughter.)

Mark, on one of the slides you mentioned improvements on extended statistics. What exactly are you referring to there?

Mark Kosters: So there’s a number of – there’s a specification file that describes what needs to be in each of the fields.

There’s been a couple of areas that, for example, I think one of them is if the time – if the creation date is unknown, you use Z. And otherwise you can use blank. And we want to sort of clean that up.

There’s a couple of other areas, too, that we need to work on.

Ruediger Volk: Okay, I already have trouble to identify, well, okay, what data set are you talking about? Are you talking about the NRO extended delegated or delegated extended? No. Your answer is no.

Geoff Huston: Geoff Huston, APNIC. Just let me clarify this question just a tiny bit. And it’s going to be quick. Each of the five RIRs every day publishes what we call a delegated stats file, which is a complete set of all allocated resources.

They also – allocated and assigned – they also publish what we call an extended stats file, which is a complete set of all their resources including reserved and in pools.

Every day my scripts comb that, join them together, do a little bit of conflict resolution, my rules, and then publish that on the NRO website. That’s what you’re referring to when you talk about the NRO Extended Stats File. So if you have problems with that, talk to me and I’ll see if I can fix it. What Mark is talking about is ARIN’s files.

Mark Kosters: Yeah. And it’s really – those particular files that the regional registries each do, we have some very, very minute differences that we want to solidify.

John Curran: Okay. Thank you, Mark.

(Applause.)

Recommended Draft Policy ARIN-2017-12: Require New POC Validation Upon Reassignment

John Curran: That took some of the slack out of the schedule very nicely. We’re now going to start our policy block, and that’s Recommended Draft Policy 2017-12: Require New POC Validation Upon Reassignment. This is a Recommended Draft Policy. Therefore it could easily be recommended to the Board of Trustees. In fact it has been in the past. And it could be adopted. So you could have this adopted between now and the next meeting.

Origin: ARIN Policy Proposal 247, draft policy last November, revised March this year, recommended for adoption in March. Presented at ARIN 41. Went to last call. And it was moved to the Board for their review for adoption in May.

The Board reviewed it and remanded it to the ARIN Advisory Council. This doesn’t happen very often. I can think of, offhand, one or two other occasions in the history of the organization.

The AC shepherds, Chris Tacit and David Farmer.

So, what does the policy do? It requires that all requests for reallocation or detailed reassignment that will result in the creation of a new POC, Point of Contact, object be validated by ARIN prior to approving the request.

So presently you can do a detailed reassignment and put contact information in, even if that contact is unknown to ARIN. And you can put any name, any phone number, any address, any email, and it creates that as a new Point of Contact record in our database.

This says the Point of Contact has to actually acknowledge the contact. Validation will be accomplished by contacting the new POC by email.

If the contacted POC – so the POC has an email that’s supplied – if they fail to acknowledge that their contact information is correct, ARIN will reject the reassignment request. So you make a reassignment request, detailed information, and if the contact that’s created doesn’t confirm that they’re a valid contact – the information’s correct – then your reassignment is failed.

There’s a big change to business processes because people presume when their reassignment is done, it’s done – not almost done, might be thrown out. And, so, this was something that the AC has discussed a bit.

There was some discussion about the wording of the reassignment process to recommend exactly how the AC wants us to do.

And so there’s been some improvements there. The process is automated for many ISPs, therefore resulting POCs are not validated prior to being created in their own database. This creates unknowing POCs who have no idea what Whois is or even who we are.

When they receive the email annually – right now we annually tell someone, “Oh, you’re a POC in our database”. And people go “ARIN, POC; what are you talking about?”

This is why an unvalidated POC is particularly problematic. At least if it’s done when you’re creating service, you’d know about it.

It can also cause multiple POCs, since the same person with a slightly different address, slightly different email, slightly different formatting, will end up with a new POC. And you end up with one person who is actually in the database 11 times with different spellings.

The policy text represents a big change to operations. The largest change would be the Engineering department. It’s a major amount of effort because we have to not only come up with this new process but test it with the community that has automation that does these detailed reassignments.

It’s going to be about six months of planning and development work, not counting the interaction with the community.

When the work’s complete, there will have to be a period of time where ISPs need to retool the way they interact with us, because some of them may want to pre-validate, some of them are not going to pre-validate, but will want to go back and visit to see if the request is ultimately failed.

When you do a request, we give you a status code and then you go on and do other things. That status code is now incomplete if it says success, because in truth it’s “queued, might be successful, we’ll let you know in ten days depending on what the POC did.” So that means a change to business processes for ISPs.

When it’s put in production, all current systems developed by ARIN customers will have to be updated in order to continue working. There will be a synchronization issue when we deploy this policy, because the people who have automation need to coordinate with us.

We do have a test environment, but it’s going to be – it will still be on day of deployment an exciting exercise to make sure everyone knows we’re now running on the new processes.

The Draft Policy would not have a direct effect on RSD as far as processing the requests because almost all of these are done completely automated. But we will end up with an increase in customer support calls, because people will call us to ask, “Why am I getting this request?” “Why am I” – because they currently do when we do POC validation. Now they’ll be getting it when they get the detailed reassignment. The POCs will call us us up and say, “I am getting this message,” and those will be moved up in time.

This increase in interaction with organizations that do not have a direct relationship could result in the need of additional staffing, because not only is it moving it up, but the operators are going to be more anxious to get this validated because it’s their request. So we all – have the operators and the customers both trying to figure out how to get this done, so the operator can do their reassignment.

One possible improvement in the business processes regarding this would be if it says the abuse contact would be put in the reallocation or detailed reassignment record and then have the request approved. In other words, approve the request with the abuse record if nothing else goes through.

ARIN would additionally issue notification to the proposed new contact and if the new contract validated. The new validated form would replace the abuse. This way there would be certainty that the request is valid even if the POC doesn’t validate.

This request would result in reducing the number of POCs associated with a single email, which would reduce the number of POC validation requests. So that’s a benefit.

Today we’re currently sending emails. Here’s the numbers from our database. We have about 465,000 email addresses in the ARIN database. 15,000 of them are used on 5 to 9 POCs; 4,000 on 10 to 24; and we have about 1,261 are used on more than 25 POCs.

No material legal risk. Resource: This is a large change. It will take six and a half months of development work. There will need to be extensive testing.

I will now turn it on to the ARIN Advisory Council to give their presentation, and at this time I will ask Chris Tacit to come up.

Chris Tacit: Thank you very much. So we’ve been through the problem statement. We know what that is. So you can have a quick look at that just to refresh yourselves, but I won’t dwell on it.

And so the actual text that would be introduced if this change goes through is on your screen there. I’ll give you just a bit of time to read that again to refresh your memory.

So, as you heard, this is a very big implementation change for ARIN and also requires coordination with those who do automated SWIPs for detailed reassignments. So as a result of that, the significant resources that ARIN would incur in order to implement this, the proposal was sent back to the AC for further consideration, especially with respect to technical soundness.

And it was suggested that we try to interview some of the largest – some of the ISPs who make numerous delegation requests.

So we tried different ways of doing that. We posted to PPML. We sent a message out to the NANOG list, attendee list. We held consultations in a dedicated room during NANOG.

And before I get to what we’d like to discuss here, I can tell you that there was actually not a lot of feedback, perhaps not that surprisingly.

The reality is that there are probably just a handful of ISPs that do really high volumes of detail reassignments using automated systems.

We found that some of the feedback we got from even those who do large volumes of reassignments was that they were simple reassignments, so they didn’t see an issue for themselves with regard to this policy one way or the other.

So there are really a handful. Some of the feedback we got, we got feedback from one of the major ones that if they do this, the system would break and they probably wouldn’t try to develop their systems to coordinate with ARIN, suggesting that perhaps they would revert to simple reassignments instead.

So that’s where we stand. So there are really two questions that the AC would like to pose to this group and to have a discussion on.

The first is, if your organization uses automation to generate detailed customer reassignment SWIPs, would it make the appropriate system changes necessary to continue performing detailed reassignments if this policy is adopted?

And the second is, if the answer to question one is yes, what amount of reasonable lead time, if any, would your organization require before implementation of the policy to allow your organization to manage this change?

Paul Andersen: Microphones are now open. Please –

Chris Tacit: I’ll just leave those questions up.

Paul Andersen: That would be great.

So any discussion on this policy, please approach a microphone. Front microphone, please.

Daniel Dent: Daniel Dent, QA2, I stand in opposition to this policy. We’ve seen in the domain-name world the imposition of the requirement to validate Whois information, and it has been a disaster. Customers are uninterested in Whois. Whois is something that we’ve built to serve the needs of the Internet community.

And when registrars are forced to take their domains offline because the email hasn’t been – had the link clicked, especially an email that often looks like phishing, customers get angry.

So what’s ended up happening is that domain registrars have ended up getting permission from their customers to authenticate the request on their behalf. It’s ended up being a complete waste of everybody’s time, and in fact leads to less valid contact information, because what ends up happening is people put in their ISP’s contact information so they can validate the request for themselves on behalf of the customer.

So I would propose that if we look at this, the reason we do these detailed reassignments is to help the community have better contact information. And if we make that harder to do, it’s going to happen less. Thanks.

Paul Andersen: Thank you. Any comments?

Chris Tacit: We’re just taking input at this time.

John Curran: Rear microphone.

Kevin Blumberg: Kevin Blumberg, The Wire. I no longer support this proposal.

When I saw the original staff and legal and I saw the original intent of this proposal, that was one thing. This has turned into a cluster, a massive, massive overreach of what I consider to be a nuisance for myself personally and for some of my customers. It’s gone from a nuisance to a major boondoggle within both ARIN and the external ISPs.

I’m still confused as to why through automation there’s a default to detailed records. I don’t see today why that is needed en masse and maybe those ISPs or organizations need a little education.

That’s a different problem. I think there are different ways of solving this issue today. The lighter way might just be to allow a POC to get themselves out more easily on validation because, right now I believe they can only modify – maybe let them turf their POC record if they feel that it’s invalid and shouldn’t be there.

That would not be done through policy. That would just be done – “My data is invalid, I don’t want my data in the database.” That can be dealt with outside of policy. It’s just part of the standard process. But this is just – unfortunately, I like the concept of it, but it is a waste of time.

Paul Andersen: Thank you. Side microphone.

Owen DeLong: Owen DeLong, SAIL Internet, ARIN AC. The original genesis of this proposal was not people who didn’t want to be in the database. The original genesis was the issue of ISPs putting whoever was handy into reassignment data, creating large numbers of POCs that had nothing to do with administering addresses in large organizations in a way that the people actually responsible for the address space were unaware of these POCs being created until annual validation – which we have, by the way, now turned off in policy – caused the person whose name got put in to suddenly go, “Why – why am I getting this?” And then they would forward it to the responsible party within the organization who would then spend quite a few hours working on cleaning up these invalid POCs and getting them repointed to other people, because as the ISP’s customer, you couldn’t just go to ARIN and have ARIN modify the POC pointers; we had to actually go back to the ISP that issued the invalid reassignment and get them to clean it up.

And it turns into quite the large game of Whac-A-Mole. And while Kevin calls it a nuisance, I would call it a much larger thing than a nuisance for some organizations.

I know, for example, that in my last year working for one particular employer where this was a problem, I spent almost 20 percent of my time on this problem cleaning these things up around the world.

So I think that’s more than a nuisance.

Paul Andersen: Okay. Thank you for that feedback. Rear microphone.

Mike Joseph: Mike Joseph, Mode. First off, I oppose this policy as currently written. I actually spent quite a bit of time yesterday talking to Mr. Sweeting and the folks at RSD about the types of organizations that are affected by this policy.

And I don’t mean entities. I mean organization records, because I think what a lot of people don’t realize, what I didn’t realize after even many years at ARIN, is in fact there are hidden attributes about organization records that seem to exist that create multiple tiers; not just the customer records as a result of simple reassignment, but in fact, some organization records, such as those as created in a product through reallocation and detailed reassignment, aren’t actually reorganization records, not until certain actions are taken. And it’s fairly unpredictable to the entity in fact whether it’s a real record or not.

And I think Chris Tacit’s comments of the feedback from ISPs is telling. Quite frankly I think we’re at a point where there’s little to no justification for even allowing third-party creation of Org records, let alone POCs.

I think that the days of detailed reassignment need to go away, and that an ISP in the case of reallocation had better have their own Org ID to begin with.

So, therefore, I think a better approach would be to focus on simple reassignment for the majority of cases. And for those cases where an entity needs detailed reassignment or reallocation, it should be to an existing Org created by that entity. And we should begin to disallow the creation of third-party organizations and POCs.

To this end, I filed a proposal to that effect last night, and I hope to see it posted to PPML soon after review by the Advisory Council.

Therefore, my request and recommendation is not to advance this policy, to place it on hold in favor of a larger debate around the question of reallocation and reassignment in general.

Paul Andersen: Okay. Thank you for the comment.

Chris Tacit: That’s a helpful comment. Thanks.

Paul Andersen: Front microphone – actually just a reminder, please approach a microphone. We’ll be coming soon closed to the end of the discussion. And obviously if you’re remote please also inject.

Chris Woodfield: Chris Woodfield, ARIN AC, Salesforce. The problem here, in my opinion, seems to be we’ve gotten to the point where the creation of a detailed reassignment and the creation of the POC attached to that assignment has been coupled in a way that I don’t think necessarily needs to be coupled.

I’m thinking that maybe there might be a different solution here where a detailed reassignment does not create POCs, cannot create a POC.

POCs can be created separately and then when a detailed reassignment is made, could it be that a reassignment cannot be made to a POC that has not been validated?

So when a POC is created it must be validated. When a reassignment is made it must contain a validated POC. That’s procedural, not policy. But maybe that could be implemented in policy in a way that says that detailed reassignments must contain a validated POC. And we can do that I think in a much more simpler approach than the current proposal. And as such I don’t believe I can support the policy as written.

Paul Andersen: Okay. Thank you. There’s a comment here from John.

John Curran: I’ll point out that we did send a message, the staff did an assessment of the – detailed assessment of the implementation involved for this policy. And actually in that detailed assessment said, one thing that would make it perhaps more palatable and more straightforward in terms of workflow is if we – the policy was instead to say that detailed reassignments will be done on valid POCs and require organizations that wish to put detailed information in to first create a valid POC.

That would at least put us on a normal workflow as opposed to a recovery workflow with timelines in it. So, what he just mentioned is exactly what the staff posed as a lesser workload alternative to the same Policy Proposal.

Neither of that changes the fact that this Policy Proposal is about how to improve the accuracy of POCs. And regarding detailed reassignments, as was noted earlier, there is presently text in NRPM Section 4 that requires detailed reassignment information for all blocks /29 or larger.

And so if you don’t want to have detailed reassignments at all, someone needs to propose something to change Section 4 in that regard.

Paul Andersen: Okay. Rear microphone, please.

Ron Grant: Ron Grant, Skyway West. And I got up here with a very simple question, and it got very complicated by the time I got up to the microphone.

So I will try to just state my support for the policy. But I think that we should probably listen to John’s comment about that possibly modifying the implementation of the policy, because I think I like the idea of making it possible for the organizations who are doing this to do things right and therefore let the workflow flow through properly, rather than having everything stop at a grinding halt.

If somebody sends in a proper – if somebody sends in a reassignment and a Point of Contact that’s a valid Point of Contact already, that you’ve already verified, I don’t see any reason why that wouldn’t go through. I think it’s only the complete unknowns that are the problem here. That’s it.

Paul Andersen: Thank you. Please approach a microphone. We’ll be closing them shortly. Front microphone.

Joe Provo: Providing the relay of a remote participant, and then would like to re-queue for myself afterwards.

Jason Schiller, Google, ASO AC. Regrettably this policy does not go far enough. The problem of SWIPing to an unwitting POC is not only limited to new POC creation. We need some mechanism to be able to detect when I am an unwitting POC and fix to the correct info. Plus one to what Owen DeLong said, people in my Org have been unwitting POCs and we’ve had reassignments to the wrong Org ID.

Paul Andersen: Why don’t you do yours while you’re right there?

Joe Provo: I endorse Mr. Joseph’s approach as well and need to emphasize John’s observation regarding Section 4 is kind of critical to unlocking this whole problem.

Paul Andersen: Thank you. Rear microphone, please.

Michael Peddemors: Very short, Michael Peddemors, LinuxMagic. I’d like to support this proposal, and I think the community should rally around anything which can facilitate the accuracy of POC data.

And in this case, of course, we are talking about space that’s generally larger than a /29. This is not residential. These are sophisticated people.

I believe that the challenges described will be a lot less than the worst-case scenarios that have been commented on, and I fully support this.

Paul Andersen: Thank you. We’re going to close the microphones after the next comment. So please if you wish to speak, either start typing or approach a microphone, please. Thank you.

Michael Sinatra: Michael Sinatra, ESnet, and apparent PPML pot stirrer of the week.

(Laughter.)

I am concerned that this proposal’s cure is worse than the disease, and I’m a little concerned about supporting it. As such I probably don’t.

I think that – I agree with all the other issues, and I think that we should review the other possibilities like Mike Joseph’s proposal and what John talked about. But I’d also like to ask the AC if they consider just simply notifying, rather than requiring validation, just notify the POC that they’ve been SWIPed, that they are the contact now for this reassignment, and was that considered and was that rejected for what reason.

Chris Tacit: That, we really didn’t focus on that significantly because we did view it as more of a validation issue.

Paul Andersen: I see John jumping to the rear mic for an intervention.

John Sweeting: John Sweeting, ARIN RSD. I just want to point out for all new POC creations there’s an email sent to that POC email address, for any new POC creation.

Michael Sinatra: There might be a reasonable compromise then.

Paul Andersen: Alright, microphones are now closed. We’ll now empty our queue. Go ahead.

David Farmer: David Farmer, University of Minnesota, ARIN AC. I think – I support this policy’s concept and what its intent is. However, I think we went off the rails in a couple of ways.

One, this policy focuses a little bit too much on the procedure we want, that we thought we wanted and focused less on the outcomes we wanted. And so I think we should go back and rewrite this and do that a little bit.

And then I think we need to have a larger conversation of the – and reevaluate the purpose of the information we’re putting in the registry, who is actually using it for what purposes and make sure that these things all align with our intents.

And I think it’s probably well overdue for us to have – we’ve been nibbling on this for a while now and I think we just have to bite it off.

Paul Andersen: Okay. Alright, final comments.

Joe Provo: I have a remote comment to relay. And I also failed to procedurally, my previous comment, I failed to say that, Joe Provo, Google ARIN AC, speaking for myself at that point in time and support the concept. And I’ve changed my mind to not as support as written as now. Book end that.

Remote comment from Anthony Delacruz from CenturyLink. If it’s just a handful, have you considered working with those to see if they can improve the notification or selection they do? Can we share offline any stats on who are the big offenders or how my company would rank?

I think we do a good effort to inform customers they’re to be listed, but would be interested to see if that generates later work. Also, not in favor.

Paul Andersen: Thank you for the comment.

Alright. That ends comments unless there’s anything from you. Okay, thank you, Chris, for the presentation – wait. Thank you very much. My apologies, the final comment is over here.

Suzette Burley: Thank you. Suzette Burley from Digicel, Jamaica. I want to say that I’m in support of the policy. While there are some nuances to be sorted through, it is important that we get it right. I think the discussion should continue, so that we can work through the nuances so that there can be accuracy but at the same time not overwhelming to the persons that we’re validating, to the POC we’re validating.

Paul Andersen: Okay. Thank you for that final comment, and my apologies. I had not noticed you there. Thank you, again, Chris, for the presentation.

(Applause.)

With our counters in place, we are going to, as this is a Recommended Draft Policy still, have our final poll of this ARIN 42 meeting.

So the question will be, are you in favor or against advancing the policy as written. I would ask those remotely to cast their indication and those in the room that can hear my voice, please, if you’re in favor of advancing this policy, please raise your hand nice and high and keep it high. This is going to be a longer walk this time. Okay. You can lower your hands.

And I would ask those all opposed to the proposal as written, please raise your hand nice and high. Just for a minute and we’ll get it counted.

Okay. You can lower, and we just need to wait for a second. Thank you all for participating in this policy process. If you have any feedback about any of the policies that you’ve seen or you have an idea for a new policy based on what you’ve heard, I encourage you again to find your local, friendly Advisory Council member.

They will be meeting shortly after this meeting. And they, as always, appreciate any and all input on policies, even just quiet supports or againsts. Anything that you can give them, it tremendously helps them do their job. And as they’re volunteers, anything we can do to make their life easier is a good thing.

But with that, I see the final blue card of the meeting coming forward.

Thank you, Michael. And thanks to Michael and Erin who magically count and do all the counting for us. So, on the item of 2017-12, we have 102 people in the room and remote. In favor, five. Against, 31. This concludes this policy and this will be passed on to the AC. Thank you. Over to John.

John Curran: Thank you.

(Applause.)

ARIN’s Engagement with Law Enforcement

John Curran: Okay. We have one more presentation and then our break for the morning.

I’d like to ask Leslie Nobile to come up and talk about ARIN’s engagement with law enforcement.

Leslie Nobile: Thanks, John. Sorry, I missed my first cue, but I’m here this time. I’m ARIN’s Senior Director of Global Registry Knowledge. And you might ask, what in the world does that mean.

My focus is on registry accuracy data, integrity, data quality across the registry system and finding ways to improve it at ARIN. So I’m continually working on things like POC validation and deleting orphaned Orgs, et cetera.

But the other half of my job is working with law enforcement and – as ARIN’s law enforcement liaison. So I’m going to talk to you a bit about some of the work I’m doing in that area.

So ARIN is very committed to this public/private partnership that we have developed and created with law enforcement.

We have actually codified that in our strategic plan where it says “Support law enforcement efforts in a manner compatible with ARIN’s mission.” So we take this really seriously.

We’ve been directly supporting law enforcement activities, engagement, et cetera, since about 2003 when we had our first interactions with law enforcement. Actually have another slide to talk to you a little bit about that.

We do recognize – you know, law enforcement’s main purpose as far as the Internet goes – is the safety and security of the Internet and public safety.

And ARIN recognizes law enforcement as an integral part of the ARIN and Internet communities, and we’re very committed to continuing the relationship.

So we plan on increasing our direct engagement with law enforcement going forward. We’re going to be adding more law enforcement-focused training activities.

We do quite a bit of that. I do quite a bit of that now. But we’re going to more formalize the process and put more training activities in place in the coming years.

So how do we actually support law enforcement? Well, the most obvious one and the one that comes to everyone’s mind initially is that we publish the Whois data that law enforcement uses in their investigations when they’re looking to match a particular IP address to a registrant. So they’re very concerned with data registry accuracy obviously.

We answer questions on a daily basis for law enforcement. We get calls all the time on the Registration Services Help Desk and into our attorneys asking simple questions about Internet number registrations in Whois. They don’t understand what they’re looking at. They don’t know how to find what they need.

So we get regional, local, and federal law enforcement calls almost daily. We do cooperate with law enforcement to ensure that they have ongoing access to this information that they need for their investigations.

One of the ways we do that is we respond to subpoenas and court orders – fairly frequently, actually. And we often assist in the preparation of these requests in the wording.

We were finding we were getting subpoenas that, I’m sure some of you totally can relate to this, you get subpoenas asking for everything under the sun, really irrelevant information that was not efficient for anyone.

So we, our attorneys often work with law enforcement to craft the correct text for a subpoena or a court order.

We also provide training and information sharing, and I’ll talk a little bit about that in the presentation. And we work with law enforcement and the Internet community – which they are part of the same group, in fact – to improve the integrity and accuracy of the data.

So if you go back to the beginning – that’s an interesting “n” at the end of that. I don’t know where that came from. So, if you look back at the beginning, where we first started our interactions, it was 2003 and the FBI showed up at ARIN’s office.

They knocked on the door. They came inside. They flashed their badge and they said, we want to see this guy, this person that worked for me.

And so the office was all abuzz: the FBI is here; they need to talk to someone. This is the first time that ever happened.

So I went up there because it was one of my staff, and was, “Can I help you?” And they said, “Yeah, we’re here, we need you to give us some IPv4 addresses. And we’ll just take them with us and leave. It won’t take more than five minutes.”

And we’re like, “I don’t think so. Let’s sit down and talk about this.” So we went in our conference room, explained how the process works, what they needed to do.

We had a better understanding of what they needed themselves, how things worked. And basically the dialogue began from there. That was, honestly, our first direct interaction. And it has steadily evolved since then. We’ve built quite the relationship.

So, in fact, in 2004 we were asked to come to teach at the FBI Training Academy at Quantico, which is where all the elite law enforcement from around the U.S. go for training, cyber training. And they wanted us to be part of that.

So I would go out down there quarterly. I would often take a tech guy with me, so we could really explain some of the technical aspects of the Internet and then more of the sort of Internet ecosystem and how the RIRs work.

We did that from 2004 to 2006, until they started, sort of changed up their curriculum.

In 2005, for the very first time, we had law enforcement show up at an ARIN meeting. Through our communications, our ongoing communications, they were aware that there was a policy called Directory Services Overhaul, which would have denied them access to information they use every day in Whois.

It was going to basically privatize a lot of the customer reassignment information. They came en masse. They came from Canada and the U.S.

And we had both criminal and civil law enforcement show up. And they all spoke at the mic and they said, “This is how we use it; this is why we need it. You guys might not understand but we really need you to hear us.”

And our community did hear them. Totally responded. It was really great communication. And the policy did not pass, by the way.

So that was the first time they ever showed up. So we’ve been building this relationship all of these years.

In 2006 to the present, we’ve been doing these training and information-sharing sessions with law enforcement and government entities. And I listed just a few of them, the obvious ones – DEA, Homeland Security, FTC, et cetera, et cetera. There’s lots more but I just sort of named a few. Yes, we started more formally doing that in 2006.

In 2008, we got a request from Bobby Flaim, our FBI contact, and he said, “RIPE NCC has this great government working group and this great government roundtable, and we should be replicating that here. There should be more open dialogue.”

So Bobby approached Cathy Handley and I, and we sort of helped him, facilitated him in creating the ARIN Government Working Group. And we had a lot of support from Steve Ryan as well, who always offers us his fabulous office in Washington D.C., which is where most of our attendees come from.

It was basically established to facilitate the public/private partnership. And the main purpose is education and information sharing. And the goals for the law enforcement, the part of law enforcement, is to ensure the safety and security of the Internet. And they thought this was a great forum for public/private exchange of information.

The participants were civil, both civil and criminal law enforcement; government regulatory bodies; and private industry. Sometimes we would invite private industry in for technical talks, information sharing, education.

So just a couple of examples: As I said, law enforcement has attended meetings since 2005. And they’ve actually shown up at every single ARIN meeting since that time – except for this one. This is the very first time. The only time I’ve ever done a law enforcement presentation, they don’t show up. But doesn’t it figure?

But anyway, they’re all quite busy and there’s been a lot of things that have been coming up for them. And there’s some changeover and turnover in staff.

So, law enforcement, one of the things they do and what they’ve done is they’ve met a lot of the ARIN community, and they’ve worked with ARIN, us as facilitators, staff, and community members to actually make policy proposals and suggestions.

One of the proposals that came up, I don’t even remember how many years ago, was submitted by the U.S. Drug Enforcement Administration. It was at a time we were running out of IPv4 space. They were concerned because we were getting an influx of out-of-region requests, a lot of them from Asia and a lot of them from places that they have issues with.

So they said, we didn’t have any policy that said whether we should issue to out-of-region requesters or not. Nothing was clear in the policy.

So they submitted this policy and said, you need more stringent criteria. The policy morphed, it changed, but it was eventually ratified by ARIN’s Board of Trustees and is in effect today. So that was a success story, really.

And then ARIN works with the FBI in ongoing cases, different types of cybercrime, fraud, hijackings, et cetera. That’s just some of the examples.

I want to touch on global RIR law enforcement collaboration. As we all know, cybercrime tends to be transnational. It’s multi-jurisdictional. It crosses multiple countries, et cetera. So there’s a few of us at the RIRs who actually focus on law enforcement.

And we decided that we should continue to be working together to support law enforcement on a more global level because that’s how they work it; we thought we should do the same. So we continually collaborate.

We recently worked with law enforcement on Whois accuracy and enhancement policies. Basically it was POC validation policy. ARIN had one in place but we worked to enhance that to make it more effective and streamline it.

The RIPE NCC had a similar policy that was submitted by Europol, so that one has gone into effect. And the policy has now been carried to the other three RIRs, and I believe it’s getting consensus in the APNIC region. It’s a slight variation on a POC validation. And it’s also being discussed in AFRINIC and in LACNIC. So that’s a good collaboration, a good example.

And just, again, some recent examples of our engagement, the things we do together. We often do joint presentations and participate at a variety of events, including ICANN’s Public Safety Working Group. Anne-Rachel mentioned that yesterday. It’s the civil and criminal law enforcement arm of the GAC at ICANN.

E-Crimes Congress, it’s global law enforcement – actually Paul Rendek got that one started for us, and we would speak at that every year in London – all five of the RIRs, INTERPOL and Europol.

INTERPOL Americas, just a few weeks ago, we were asked to be a part of a panel – LACNIC, ICANN and ARIN, and we all support each other’s government working groups. So, these are some of the collaborations we’re doing on a global level.

Some of our recent activities. This is a cool one. I have been working with Carlos Alvarez. He’s the Director of Securities, Stability, and Resiliency Engagement at ICANN. And he does a lot of law enforcement training. And he said that he started getting questions, and he only presents sort of the ICANN domain part of things; that’s what they focus on.

And he started getting questions about ARIN and what do they do, what does the registry do. So we talked about it and we decided we should start collaborating on some joint trainings.

So we did our first one at the NCFTA, a really cool organization. It consists of the FBI, and then private industry, banking industry and other security experts. And that was a full day of training. Really went well.

We have one at the FBI field office in New York City next week. And we have one coming up with the Royal Canadian Mounted Police as well. I had reached out to them and they were interested. And then I didn’t hear anything. And we were at a meeting – which I’ll go to the next bullet – we were at a cybercrime conference that we often go to, INTERPOL-Europol, speaking to some RMCP guys, and they were asking a lot of questions, you know, how do you do this and why do you do this.

And I said, well, we’ve offered to come up to Ottawa and train you guys. He immediately shot off an email to his colleague, who was my colleague, and I got an email the next day saying, you’re in. We need you. This group needs you, and this group wants to see you. So it was a great way – you know, networking works.

The other kind of funny thing from that discussion was another one of his colleagues from the RCMP came up and was saying, well, why do you do what you do? And why is the U.S. government involved in the running of the Internet? Who are they, anyway?

I was, like, let me just explain a little history. And he said, no, no, no. The Internet was created in the ’90s by a Swiss guy. And I said, okay, now I know where I need to focus my efforts.

So I came back and created a new slide on the history of the Internet and administration. But these are the kinds of things you learn when you’re talking to these kind of people.

So, anyway, we go to trust community conferences like the ITSG, which is mentioned above, which is, again, an FBI public/private group; M3AAWG, which is coming up next week; ICANN Public Safety Working Group, we attend all their meetings; and the Caribbean Forum Justice Sector Group. That’s a new thing; I think Bevil mentioned it yesterday. It’s part of the Caribbean Forum, but it’s focusing on law enforcement.

So we’re going to be reaching out to more law enforcement within the Caribbean. We had our inaugural meeting in Miami. We had law enforcement from the U.S., Canada, and the Caribbean. And it was a really successful day of engaging. So we plan on doing more of that work.

Looking forward, as I mentioned, formalizing and increasing law enforcement training, doing more engagement within the Caribbean. Bevil and I are actually supposed to meet together to talk about two meetings that were coming up next year that we want to organize in the region.

Doing more webinars and video training, focused at law enforcement needs. Those are things I’ve been planning on doing and I think I’ll be able to get to this year.

We have a law enforcement web page that I put up. It’s kind of simplistic. I would like to enhance that. We will continue – I will continue our engagement with our global RIR law enforcement liaison colleagues.

And we’ll continue supporting the Public Safety Working Group. These are just some of the high-level things that I’m going to be focusing on.

So that’s all I have. Any questions? Wes.

Wes George: Wes George, ByteGrid. Have you, either in the past or looking at it in the future, considered interacting with the International Association of Chiefs of Police, IACP?

Leslie Nobile: I actually do that. Jim is a good friend of mine, and he’s one of the guys – and actually their Board of Directors was at our meeting in Miami. Yes, we do. I’ve been invited to their meetings as well, to speak. I just didn’t put it on there. That is a good one.

Wes George: I was going to suggest that that would be a way to – because you have a certain sort of audience that self-selects in the cybercrime community. This would get it to a broader audience of folks that would need to see this.

Leslie Nobile: Absolutely. And thank you for the suggestion because I really do need to hit him up again and get to that next meeting. So thanks. Anything else?

Ovidiu Viorica: Ovidiu Viorica, New Mexico. Are you working with first responders as well?

Leslie Nobile: We haven’t at all actually. Like I said, we’ve done a lot of work on the federal level, some on the regional level with the International Association of Chiefs of Police, a lot on the global level.

But we haven’t really gotten to – I don’t have contacts. So if you do, if you have any suggestions, I’d love to hear them. I can give you my email after.

Ovidiu Viorica: Sure. Thank you. We’ll get together offline.

Leslie Nobile: Yeah. Thanks. Anyone else? No. Okay. Thanks for your time.

John Curran: Thank you, Leslie.

(Applause.)

Okay. We have a break at this time. We’re going to – when we do the break we’ll come back here promptly at 11. We’ll hold an open microphone. And then we’ll conclude the meeting.

And the morning Public Policy Meeting should end right around 11:25. Right at the conclusion of that meeting we’ll pick up with the Member Meeting.

So for now you’re on break. Go out, down the hall, enjoy your refreshments. We’ll see you back here promptly at 11:00. Thank you.

[Break]

Open Microphone - Public Policy Meeting

John Curran: If people will come in and be seated, we’ll get started.

Welcome back, we’re now wrapping up our Public Policy Meeting. And the last item is the open microphone session.

So if you have a topic that you’d like to discuss. It can be something that hasn’t come up, something that’s come up over the last few days. Any topic relevant to ARIN, please come up and approach the microphones.

Now, because we don’t know the topics that people are going to raise, I’ll often ask someone: “Are you going to respond on this topic or a new topic?” I ask if you’re a new topic, you pay attention in your queue, step to the side, let people responding on the same topic handle that first.

So starting off, back microphone. Identify yourself and your organization, and the question you want to ask.

Michael Peddemors: Thank you very much. It’s Michael Peddemors from LinuxMagic. I have sort of a two-parter, part as a suggestion and part as related to policy around that suggestion.

Right now we’re involved in, like many organizations, in a lot of threat detection and during that exercise we also identify a lot of Whois inaccuracy reports. And I commend ARIN for allowing the community to actually help improve the accuracy by – through the Whois inaccuracy reports.

However, I’d like to make a suggestion that we actually include a public ticketing system. This will help identify, so they’d help prevent redundant reports, and it would also help those people that are volunteering to help – that they will be able to recognize that these reports are indeed being tracked, responded to, and, of course, the conclusions to that.

And then the B part: I also want to bring up, when we’re talking about a Whois inaccuracy – and this is related to, frankly, a lot of the policies that this group has been working on – one of the things that has been mentioned a lot of times that with the runout of IP space, there’s very little ability for ARIN to actually enforce the policies that we’re describing.

And what I would like to see is a little more enshrinement of how ARIN could address cases, say, such as ongoing cases of Whois inaccuracy, i.e., whether that is punitive, or whether it’s restrictive, and it would be nice to see this actually in policy so that ARIN can rectify these ongoing cases, whether they’re accidental or intentional. Thank you.

John Curran: Thank you. Stay at the microphone, please, because there may be people asking you questions; people may ask for clarification.

So, two questions. The first one is you note with respect to fraud reporting, Internet number resource fraud reporting, that a public or open ticket system would be more useful. And I’d love to hear other comments from other people on that.

And the second one is with regard to making it clearer ARIN’s ability to reclaim number resources in cases of violation of the community policy or terms of the agreement. I’ll speak to the second one just for a moment.

We do have the ability to reclaim resources that are obtained or that are used contrary to the community policy.

Now, we don’t do a lot of this. You really have to be a bad actor. If you’re fraudulent in your application to ARIN and we can show you’re fraudulent, we will do a resource review and wind back that transaction.

The community has a section, NRPM Section 12, that specifically provides us a mechanism for doing that.

For other violations of policy or other violations of terms of agreement, we’d really like to in general work out with the people who are holding the resources to come into compliance – whether it’s payment, whether it’s contact information – because these numbers are being used to build networks and operational businesses on.

When ARIN takes a number resource back, we start by, after about day 145 or so, we turn off the reverse DNS, it gets very exciting for the people using those resources.

So we try not to do this a lot. We really do. But, we do have the authority to do so. To the extent that the community wants us revoking more resources for specific violations of NRPM, please call that out. Please say, and if this is not – if the organization does not come into compliance, ARIN will revoke the resource per Section 12, fraud review.

That’s all you have to do. You’ve got to make the policy proposals, though, that direct us with unambiguous information as to when you want us to take number resources because it’s a big deal.

Remember, some of the number resources that we’re taking here are number resources that are instrumental to business, so we need to be very careful. Okay?

Michael Peddemors: In response to that, I wasn’t encouraging that we revoke or take them as a first step; I was just asking the community that possibly, for instance, as an example, where there is an inaccurate Point of Contact information for an ongoing, for an ongoing basis, to have more – have the community decide whether that is increased costs on annual costs, or whether there is some other form of restriction.

But I’d like to leave it to the community to start empowering ARIN with more explicit directives on how to deal with noncompliance with policy.

John Curran: Got it. Thank you. Anyone else want to comment on that topic? Microphones are open.

Yes. Mr. Sweeting.

John Sweeting: John Sweeting with ARIN RSD. Just to Michael’s point, ARIN can do a lot. We can contact these people. But peer pressure from the operators community can fix a lot of things.

If you refuse to accept announcements from an AS number that’s not in Whois, those people quickly come to ARIN and say, I need to pay the last 10 years I haven’t paid you, to get this put in Whois. And it’s happening. And it works well. So operators have a lot of power to help us with this, too.

John Curran: Excellent point. To some extent, you decide what’s acceptable number resource hygiene by what you’re willing to accept from your peers. Okay.

Next topic, Cathy. I’m sorry, Owen, on the same topic.

Owen DeLong: On the same topic, yes. While I have limited affinity for the idea, what Mr. Peddemors is proposing of possible fines or whatever is not something we can currently do in policy because we’re currently specifically restricted from addressing fees, fines, or anything of a monetary nature in policy or even operational matters for that matter.

So this kind of artificial boundary and constraint that’s been placed on the AC by the Board, in terms of what we’re allowed to address in policy, does limit our abilities to address these things in a more holistic manner.

And I think 2017-12 is an example of the kind of consequence that occurs there.

John Curran: So, just to be clear, though, the community definitely has the ability to direct ARIN to reclaim and revoke resources, because that’s direct management of number resources. And it affects what’s available and what’s in the database and where.

Regarding fines and policies, if you come up with something and you say “or apply an appropriate fine or fee,” then you can do that in policy. And then we can discuss as an ARIN suggestion exactly what you think that should be.

You can specify ARIN should fine someone or penalize someone, but you cannot specify the amount. That would be ultimately set by the Board based on their fiduciary duties. So there is a way around that hurdle.

And we’ve actually used that before. You can actually make policy and then when it comes down to the specific amounts, or specific fees, you turn around and you use the suggestion process. Okay?

New topic or anyone on that same topic? Okay. New topic, Cathy.

Cathy Aronson: Hi, Cathy Aronson. I just wondered, do you guys think the key signing key is going to roll on the 11th? Do you have any thoughts on that? I just kind of expected maybe there would be a presentation about it, but….

John Curran: Well, do I think it’s going to roll – last time I talked to ICANN, they said it would. Is there going to be an impact? If there were some researcher who had studied the potential impact in the room –

(Laughter.)

Paul Andersen: I was going to say, I seem to remember –

John Curran: Then we could bring him up to the microphone and have him speak – look! Geoff!

Paul Andersen: It’s like he presented at NANOG on this, too.

Geoff Huston: Geoff Huston, APNIC. Yeah, I did present at NANOG on this very topic.

Cathy Aronson: I’m sorry, I wasn’t at NANOG. Sorry.

Geoff Huston: In answer to Cathy’s specific question, as I understand it, at a Board retreat in September, an ICANN Board retreat in September, they confirmed a plan put forward from the Office of the CTO. And as far as I understand it, things are proceeding.

Twelve months ago, new data came in from a source that we weren’t expecting that gave us all a surprise. It indicated that there was failures with adoption of the key.

What it didn’t indicate was there were failures in the method of signaling, and that a lot of the issues we were seeing were not translatable into user impact.

So while some resolvers were saying, I don’t have it, if that resolver is in the pool where the other resolvers are good, you haven’t got a problem. If that resolver only services one person, like what’s on your phone, you might have a problem, but the other 6 billion folk on the planet will be just fine.

We’ve done a lot of work in the last couple of weeks using a recent version of resolvers that actually behave differently, depending on whether they’ve loaded keys. We have seen nothing in that experiment which has currently done 120 million experimental points, nothing to indicate that eyeball resolvers are going to face problems.

Now, high noise rate, you don’t see everyone. Someone is going to get left behind, yes. Will it be catastrophic? Nothing in the data predicts catastrophe. In fact, I think it’s all a bit of a mild yawn. But we’ll see.

But it will proceed, as far as I’m aware. And there’s been no last-minute data entry to say, oh, my God, this is all going to be a problem.

As far as we’re concerned, the data has said we’re looking okay. Thank you.

John Curran: Geoff’s presentation at NANOG was Tuesday?

Geoff Huston: Wednesday.

John Curran: Wednesday, okay. It’s up on NANOG’s site.

Okay, anyone else on DNS key signing key rollover? No. Good, next. Kevin.

Kevin Blumberg: Kevin Blumberg, The Wire. I just want to say maybe there should be a countdown clock so we can all see when our support tickets go up. Just a little bit of humor.

There’s been an interesting 24 hours on the PPML related to DNSSEC, mostly civil. Thankfully it didn’t devolve. Mostly a very civil discussion. But not very policy related.

And I realized that there probably is no better place to have this discussion than PPML. But maybe a suggestion is to slightly expand the scope of what is allowed on the PPML, to allow for these types of discussions officially, rather than to just allow them to go on when they really shouldn’t be going on.

I don’t think that splitting up into multiple mailing lists – but we are becoming a smaller community over time. And having one singular place to go over these broader issues that might affect the community, rather than just policy, because sometimes it’s policy. Sometimes it’s LRSA. Sometimes it’s this, sometimes it’s that. But it all comes back to the same focal point.

So just a suggestion that maybe a slight expansion officially, rather than saying is this okay, should we be talking about this on the PPML?

Paul Andersen: And, of course, there’s the ARIN membership list where in theory that is supposed to be discussed, but obviously not everyone can participate in that. So I think it’s a good suggestion, whether or not we might need to either have that list have more open posting and subscription policy, or maybe merge into the one list so that people don’t have to be subscribed to multiple lists and a busy one. So I know we can take that under advisement.

John Curran: We’re having the discussion today. It’s just the AUP, the appropriate usage of that list doesn’t align with the discussion. Does anyone object to opening up the PPL related to – matters related to legacy holders, because that’s really what it is?

Because on ARIN-discuss we can discuss services for all those people who are members, everyone who has a service agreement or customers of ARIN, but we have these people who have no agreement and no payment who are legacy resource holders, and PPML is all they have access to.

So unless someone thinks opening it up so they can have that discussion there is a bad idea, I would normally agree with you; we should just revise PPML.

Does anyone think that’s a bad idea? Does anyone in the remote queue think it’s a bad idea to align the current description of what’s allowed on PPML to match the discussions going on?

Okay. So we’ll work on that.

Okay, we’ve got this mic over here, far corner.

Gary Campbell: Thank you, John. It’s more of a comment, not a question. Gary Campbell, Government of Jamaica.

I just wanted to take the opportunity to commend ARIN on the work that you’ve been doing in the Caribbean. The Caribbean Outreach Program has been a wonderful experience for many persons.

It is surprising to just appreciate the fact that so many persons are unaware of ARIN and the work that it has been doing prior to this particular program.

So I can only, you know, encourage you to continue the Outreach Program, continue to build the awareness, and to congratulate you on the work that you’ve been doing in the Caribbean. Thanks.

John Curran: Thank you. Very good to hear.

The community asked us to do more in the Caribbean. The Board gave the staff that direction. We’ve done more last year. And we have more in our budget coming up, as Bevil covered the other day.

Okay, front and center mic.

John Springer: John Springer, I’m a member of the Advisory Council, but in this context I’m only speaking for myself as a member of the community.

This week we’ve had a number of very good discussions about RPKI and the RPA. And I have seemed to sense a willingness on the part of ARIN to engage in this process in a constructive way.

Just wondering how to track this. Who is going to engage? Is this going to become an ASCP? Is the Board going to deal with it? Is the staff going to deal with it and report back? How is that going to be handled?

John Curran: First, looking around – let me respond – first, looking around to see if we have Christopher and David still hiding somewhere.

So the first part of this process is because they’re doing an ongoing study on this. Could you two stand up, Christopher and David? From the University of Pennsylvania, in an innovation tech and competitiveness group, they’re doing an active study. So to the extent that people here have views regarding legal impediments to RPKI in the ARIN region, find them and tell them what you think, because that’s the first and foremost.

Thank you, gentlemen.

Their report is due in December. We’ve said once there’s a report that – I’ve already been told by the Board that we should immediately do a review of that and come up with suggestions for the Board to consider.

If you think we should do a consultation process, we can do that. But since hopefully everything we’re doing makes it better I actually wouldn’t mind doing changes to improve things and then a consultation to see if more can be done.

But either way, we can involve the consultation process. The challenge is, of course, we want to get a report and then we want to respond in a timely manner.

Thoughts?

John Springer: Well, I’m very interested in the subject, and I’m transitioning to a different role here. And I just want to have an idea how to keep an eye on this as time goes by.

I like the idea of having a community consultation after you get the report, but just some way that I can put it in my tickle file to take a look at this.

Paul Andersen: I suspect that in Q1 of next year the Board will be coming out with something once we’ve had done a review for sure, either be it in consultation or what we’ve come out with.

John Curran: Thank you. More on this topic – RPKI and the ARIN region?

Yes, Ruediger.

Ruediger Volk: Ruediger Volk. The previous speaker, I think, made the major point. I would like to make sure that, different from the last time, I think this was actually brought up, I think in Baltimore.

The Board actually took action and while, okay, the only thing that actually happened was a slide set was presented, as far as I can tell, and nothing happened afterwards, and there was obviously also no publicity and while, okay, unfortunately no public outcry about inactivity.

John Curran: Your assessment about what’s changed over the years is actually – probably you have a perception issue in that regard.

So we started out with an ARIN Relying Party Agreement, which for parties to obtain, had to go to a specific website, enter your email address, which we logged, and then we emailed you a link to the TAL. We emailed you the TAL, a link to the TAL, giving us a log of everyone who had agreed – very useful for purposes of knowing who you have an agreement with.

After this was raised by the community as potentially unnecessary or excessive, we went back and did additional studies, had outside experts talk about how to achieve a reasonable agreement without a bigger hurdle.

This resulted in the next change, which was that we ended up saying that you can go to the website, and when you go to the website you can click a box and specifically say “I accept the terms and conditions,” which the community said, “Well, that’s better, but not what we wanted.”

We actually then ended up doing more studies, involved more outside experts on what exactly is necessary to get a contract in the U.S.

We got to the point where the TAL is literally on the web page with a paragraph that says “Download me. But, by the way, you’re bound to an agreement by doing so.”

So, you don’t have to separately click to accept an agreement to get ARIN’s RPKI TAL. We’ve had quite an evolution over the years – though, if you’re looking at it saying, “I know what my target is and ARIN is still not there,” – no, ARIN is still not where your target is. But that doesn’t mean we haven’t been getting closer and closer.

We’ve expended an enormous amount of energy attempting to be responsible in rolling out this service, and at the same time making sure that we don’t endanger everything else we do.

Ruediger Volk: Okay. So you used the thrust of a large jet plane and you moved two inches.

(Laughter.)

John Curran: Some jets are heavier than others, particularly in the U.S.

Yes, front microphone. Same topic?

Michael Sinatra: Yes, Michael Sinatra, ESnet, and apparently PPML rules bender of the week.

(Laughter.)

I’m shifting gears a little bit away from the TAL and to the actual agreement that you sign when you’re going to sign your resources in the RPKI. And I’m wondering if there are materially different, at this point – major material differences in the agreement you signed for that ability versus the RSA/LRSA process and if they could possibly be folded together and streamlined so that when I sign an LRSA I can now – you know ARIN says, “Congratulations, you can now sign these resources in the RPKI – or generate ROAs in the RPKI.”

John Curran: To my knowledge, the indemnification and related clauses are similar, but we do bring them forth in front of you to make it explicit. We’ll take an action to look to see if they can be combined.

Michael Sinatra: Thanks.

John Curran: Still open on the RPKI topic. Yes, go ahead.

David Farmer: David Farmer, University of Minnesota, ARIN AC. Just had a quick thought on that one. If it could maybe be presented – if it’s a separate document or an attachment to the document, but if it can be presented at the same time so that we can do one round with the lawyers instead of two or three rounds with the lawyers would be kind of handy.

John Curran: I want to make sure I understand your question. If I take it literally, you’re saying when someone wants to sign an RSA with ARIN you want us also to put the RPKI services terms and conditions in front of them at the same time, even if they may not say they have any interest in RPKI.

David Farmer: They may not know they want it yet, and so – but they probably will.

John Curran: So I’m going to point something out that may be true. RSAs, every time we vet a resource for someone to get an RSA for them to potentially do a transfer, for them to potentially use it – you’re putting it in the Org recovery step and that’s a very high workflow.

So I’m not sure it’s practical to put two agreements in front of them. I think what was asked earlier if we can make sure that we don’t need a second agreement, that might be better.

David Farmer: And I agree with that. But what I’m just trying to say, it’s not that I want you to put it in front of them. Make it known that it exists so that if they wish to review it at the same time they can.

John Curran: Oh, okay. I will take that under – I’m trying to think how – we can point out to people, there are specific service terms for other services. If you’re going to your lawyer, print them out and put them in the folder, too. Okay. Understood. Point taken.

Still on RPKI. Christopher, did you want to come speak? I’m sorry, is the speaker at the microphone RPKI or different topic? Different topic.

Christopher.

Christopher Yoo: Christopher Yoo from the University of Pennsylvania. We are engaging in the National Science Foundation study, as was mentioned earlier. For those of you – in answer to John’s specific question about keeping track of this, we made a presentation about this at NANOG, both in the main session and in the security track, a smaller presentation.

It is our expectation to submit a proposal to speak at the next NANOG updating on where things stand, because that will be after the report actually issues, and talk in specific terms about what’s going on.

We are talking about two separate issues in some ways, actually three separate issues. One is about forming a contract – what’s required, but also the content of the contract.

I will say that the conversations we’ve had with the community, both at NANOG and at this ARIN meeting, have been incredibly influential in shaping our thinking.

We’re discovering – we’re still learning more the more we talk to different people and a more diverse range of people in terms of roles and in terms of the organizations they represent.

And I would really, sincerely invite anyone interested in this topic to talk to us, because the best way we can incorporate your concerns and the concerns of organizations like yours into what we do, is to talk with you. And that’s still – which we’ll discover in interview-based methodologies – you often stop hearing new things and it converges.

I’m still concerned – I’m still hearing new things, which tells me that I still need to talk to more people to make sure we fully understand the issues.

So the success of moving this project forward depends upon your willingness to engage, if not with us, but with some appropriate venue. So please, this is considered an open invitation.

We’ve also offered to John and the ARIN Board, with whom we’ve had incredibly productive discussions and really illuminating ones, we’re happy to make whatever presentations to the ARIN community, in whatever format would be the most helpful, to make sure that people remain informed about the progress we’re making.

And we will certainly – once the report is issued by the year end, it will be publicly available because it’s a National Science Foundation project. We’ll make it a point to make sure it’s circulated in the appropriate way on both the NANOG and ARIN communication lists.

John Curran: Thank you. Excellent.

Anything else on RPKI?

Okay. Next topic.

Michael Arbouet: This is Michael Arbouet. I’m a candidate for ARIN NRO NC Council. Just suggest – a question. Many times we find out that countries in the Caribbean have different needs. A need for a country like Jamaica may not be the same as a country like Cuba or whatever.

And we find out many times that a project can be denied collaboration because that country is not part of the IRR [RIR]. So this is a suggestion. Is there any way that we can have a platform where, you know, LACNIC and ARIN can have a platform where there would be collaboration? And let’s say a country wants to move from one – let’s say the country wants to move from one, from LACNIC to ARIN. What are the conditions there?

John Curran: So let me talk about your first point first, which is on collaboration. To my knowledge, all of the RIRs have open processes. So you truly can participate in ARIN’s processes for policy development in our public consultations, on operational issues, regardless of where you are.

If you’re in a country that’s an ARIN member, Caribbean country that’s a LACNIC member, if you’re in Antarctica, if you’re able to get signals from space and you’re an alien who can type, you can still participate in our processes. I have no objection.

So our processes are completely open to collaboration from anyone regardless of where they are from. And I believe the other RIRs are very much the same way regarding the openness of the dialogue. So there shouldn’t be a difficulty there.

It is true that we do have service regions. And ARIN has a service region that was established back when ARIN was originally the rest of the world’s service region, aside from APNIC and RIPE. And then over time, LACNIC was formed by the community there. And then AFRINIC was formed.

When those regions formed, there was a list of countries that participated. To the extent that a country believes it needs to move from one RIR to another, it’s a conversation with both RIRs. I’ve not heard that there’s anything that makes that impossible.

But it is very much the case that a country needs to be of one mind. So the network operator community in that country has to be able to say collectively for some reason we believe that this country should be serviced by another RIR.

We haven’t had that happen to date because, again, all the RIRs are open and allow collaboration. You can participate and benefit in the discussions in both regions.

But if it is necessary to have a discussion about the boundaries of regions, go to the RIR that’s serving you, have that discussion. If you can show that your community collectively wants to be served, then we don’t know of any reason why that can’t be updated. It’s truly supposed to serve the network operator community in that part of the region.

Okay? Questions on that? Anything related? No? Kevin, new topic? Go ahead.

Kevin Blumberg: Kevin Blumberg, The Wire. So I recently went to the NRPM in Section 6 to get some space. IPv6, it’s easy. We’ve got IPv4.

And realized that if I was an Internet service provider – click, done, no justification required. And if I’m an end user, I need to go through more steps.

And that’s policy-related, and I get all of that. Basically I can throw a little bit of money at the problem, become an ISP and make my life easier with ARIN, or I can spend more time and be an end user, which seems a little defeatist.

But I know that the community and ARIN have been looking at merging and bringing those two areas together over time. I know with the services, the membership services – allotment, et cetera. And my question is where is the end trajectory? When are we getting closer to us combining them and making it a much simpler experience for everybody, when there’s really very little difference between the two these days, except significantly in policy, but not in reality?

So what is the trajectory to bringing those to a more uniform point?

John Curran: To make sure, the “them” you’re referring to in those last six sentences was “end user and ISP?”

Kevin Blumberg: Correct.

John Curran: Not v4 and v6.

Kevin Blumberg: Correct.

John Curran: Okay, just double-checking. With respect to how we achieve unity between end user and ISP regarding policy and services, I’ll note, by the way, in ARIN we’re pretty close on the services.

So to that extent, while we do have an end user fee, any end user can turn around and say, I want to be an ISP, pay the ISP fee schedule and transition to the ISP fee schedule.

We don’t have a clear distinguishing difference of services between end users and ISPs. That’s been discussed, but we’re really looking for community guidance and whether that’s necessary.

So for ARIN, operationally, we’re already there. It’s what policy you give us. And what your policy really needs to think about is this cooperative agreement, this cooperative venture called the Number Registry. If you don’t mind a simple policy for getting a new prefix – give me an end user prefix, then hit a button and do it.

There is people – there have been people in the community historically who have said, it’s important to have some back pressure on direct end user assignments, because direct end user assignments need to be individually routed and are not aggregated.

So this is really a community question. Do you feel as though if anyone can go and get an end user assignment – and it’s a nominal fee and it’s nominal policy – will ISPs feel an impact from having many, many customers who go do it?

Kevin Blumberg: Right. And I guess what I’m saying is in 2018, with the six-inch goggles of where we’re at, I can’t really tell a difference anymore in the majority of cases between the two. The fact that they can just simply be an ISP and the fee is just a little bit more, kind of eradicates – 10 years ago there was a very big difference. And we’ve really come to a head.

So I guess maybe for the community, if it’s only about the money, that’s one thing. But we’ve got a lot of complicated policy in here to separate the two. And there’s really no difference anymore between the two.

John Curran: Acknowledged. On this topic of end user versus ISP split. Yes, go ahead.

David Farmer: David Farmer, University of Minnesota, ARIN AC. You said on the services side there’s no difference or virtually no difference.

John Curran: Less difference than before.

David Farmer: Yeah and I agree. But there’s still a difference in that basically end users can’t reassign. And that’s kind of a service –

John Curran: Right. Right. Reassignment services are for ISPs, not for end user blocks. And that’s, again, up to you folks.

David Farmer: And that’s probably, on the services side, the only significant difference.

John Curran: To our knowledge, yes.

David Farmer: Okay, thank you.

John Curran: Yes.

Kevin Blumberg: To speak to that, David, Kevin Blumberg, The Wire. I think a number of organizations have used that to their favor to not have to SWIP their space. It’s actually not a positive; it’s a negative these days.

David Farmer: Not arguing that; I just wanted to clarify – not arguing that, just wasn’t trying – I was trying to clarify the statement, that’s all.

John Curran: Yes, whether it’s a bug or feature is in the eye of the beholder.

Okay, any other questions? Open Microphone is closing shortly. Any remote questions? Yes, rear microphone.

Martin Levy: Martin Levy, Cloudflare. I must commend ARIN over the years to reach out to the operator community. This is a long-standing issue, and has done very well with things like this week of being with the NANOG meeting.

But I would point out, and I don’t think there was any solution to this, the next meeting in Barbados overlaps the same week as the Global Peering Forum. I don’t think either party is in error but ugh – and so, it’s unfortunate.

John Curran: Yeah, it’s unfortunate.

Martin Levy: It’s unfortunate, but I still take this as a commending statement to the microphone. I don’t think it can really be fixed, and I don’t know how –

John Curran: There’s an informal mechanism for coordinating Internet community meetings. I guess, do you know how far out GPF does its planning?

Martin Levy: Actually, yeah, this one I do know. They planned it a year ago from April last year.

John Curran: And do they look at –

Martin Levy: An ASRC calendar, and that’s why it’s unclear who hiccuped on this one, but so be it.

John Curran: Wow. There’s another calendar that we are all also looking at. We all end up looking at, is it ICANN or ISOC’s?

Martin Levy: ISOC.

John Curran: ISOC’s calendar. We’re also running out of meeting weeks. I’m going to just point this out. It turns out that the number of organizations times the average number of meetings per Org is greater than 52 for the Internet community. But point taken. We’ll redouble our efforts when we’re looking.

Martin Levy: It’s still said as 99 percent commendation and 1 percent oops.

John Curran: Thank you. Microphones open, closing shortly. Go ahead.

Ovidiu Viorica: Ovidiu Viorica, New Mexico. Quick comment. I know we’re a little behind. I truly appreciate the Fellowship Program as a very good way to get new people involved in this process. And many thanks to the team effort to make that happen.

John Curran: Thank you. We’ll point that out. The Board’s here; they can hear it.

We’ve been – we’re well committed to our Fellowship Program. We’ve expanded it over the years. We’ve had accolades, pretty much right across the board, and good to hear.

Okay, if there are no other comments, I’m going to be closing Open Microphone. Last chance. That ends the open mic session.

Public Policy Meeting, Day 2 - Closing Announcements and Adjournment

John Curran: I’d now like to do concluding remarks and end the Public Policy Meeting.

Coming up now. We will follow the Public Policy Meeting with our Member Meeting, which includes our departmental reports, report from the Board. Yes? That’s all we’ve got. That’s it? Okay.

Thank you. Thank you to our sponsors for the people for the public meeting.

(Applause.)

Network Sponsor

Webcast Sponsor