Meeting Notes - November 2003 IEPG Meeting

Notes

Notes taken by Bruce Campbell.

Opening Comments - Elise Gerich

1. RIR Report - Ray Plzak, ARIN

Statistics and Activities

Internet Number Resource Status Report

RIR Activities Joint NRO individual

IPv4 /8 Address space status IANA reserve 2nd largest after 'Central Registry' (91 and 94)

Q: Clarify what the experimental (16 /8s) is?

A: The old 'class E' space

Q: Would that be allocatable space?

A: Problem with doing that is that its hardwired (into various software/hardware etc). Don't know what IANA's plans are for it or IETF's.

Q: We don't know what the experimental space is being used for.

A: Right.

IPv4 Allocations RIRs to LIRs/ISPs - Yearly comparision. People in Asia not having any trouble getting IP space

IPv4 Allocations RIRs to LIRs/ISPs - Cumulative Total

Q: How has this changed from last IEPG?

A: Its gone up, largest jump is the RIPE NCC

ASN Assignments from RIRs to LIRs/ISPs - Yearly Comparison all RIRs roughly following the same curve ARIN has the largest chunk in cumulative total

IPv6 Allocations RIRs to LIRs/ISPs - Yearly Comparision Largest is RIPE NCC, ARIN 2nd and APNIC following

Total IPv6 Allocations from RIRs to LIRs/ISPs by economy All other countries, JP/US (equal), DE, NL, UK

Number resources in Africa across RIRs Estimations: IPv4 /24 37890 IPv6 /32 4 ASNs 179

Joint Activities

ASO: currently with APNIC, moving to RIPE NCC 2004

Outreach: Participate in WSIS

Coordination: NRO MoU

Policy: IANA to RIR v4 & v6, RIR to ISP/LIR v6 200 /48s in 2 years - arbitary number

ERX Project - Early Registrations eXchange Moving at a steady pace, no real hiccups

Staff Exchange Primarily outreach/communications related

RIR / ICANN MoU

Number Resource Organisation

Formalise the RIR coop efforts
services
activites
Provide single interface to RIRs
ICANN - service contracts, budget, etc
IETF - addressing issues eg 6to4
Protect the bottom up policy process
Protect the Unallocated Number Resource Pool
Single Point of Failure in form of IANA (contract)
Need a fallback place.
Organisation:
Exec council (1 from each RIR board)
Next meeting with LACNIC meeting
Numbers Council
Would take role of current address council
3 from each region - 2 at-large and 1 appointed by RIR boards
Secretariat
http://www.arin.net/library/rir-docs/
nro-comments email list

APNIC

APNIC 16 Policy Update:
List of proposals - ref slides
Create a guidelines document to explain existing IPv6 policy more clearly.
Technical Services
Anycast root mirror servers
F - Hong Kong, Seoul, Beijing
New agreement with I
5 sites in planning for deployment in next 6 months
Database cleanup
Next APNIC Open Policy meeting in conjunction with APRICOT 2004 in KL

ARIN

Activities:
Native IPv6
Stronger (db) auth
Hijacking issues
CRISP
ERX
Improved stats and graphics
Collecting Overdue Accounts

Q: Whats the timescale for the completion of ERX?

A: Cathy: class Bs in April, 2 (/8s) with class Cs. Would be 2nd/3rd quarter 2004

Policy Proposals (ARIN-X)
5 deferred
8 going to last call
see slides
On-demand training
Registration processes flowchars
ARIN database and templates
Querying ARIN's WHOIS
http://www.arin.net/library/training/
Next Meeting - Vancouver BC, CA, April 18-21 2004

LACNIC

Just completed first full year of operation. Very positive evaluation, growing at a good rate.

eng:
v6 services before end of year
SIARI (see later presentation)
Client Accounting system under dev - more interactive
Customisation of ARIN's voting system with some new Add-ons
Proactive in reverse delegation lame checking with good results (see later presentation)
policy:
LACNIC 4 - April 2003
3 approved and now implemented
LACNIC 5 - Nov 2003
dns lame
allocation of internet resources for experimental use
IPv6 policies revision
modifications to microallocations
Policy development status
LACNIC V
nov 19-20 2003
http://www.lacnic.net/en/lacnicV.html

RIPE NCC

policy:
PI task force
straw man proposal to decrease mim alloc size
inetnum status attribute
IP address space management
IANA -> RIR
RIR onwards
started out as RIPE NCC, will be considered in others

Q: discussion started because allocations were being made >/24 K anycast cluster deployment done. AMS-IX/LINX/Assessing further locations.

Documentation renewal
IPv4 policy document
new forms and supporting notes
LIR Portal

RIPE NCC GM 2003
Adjacent to RIPE 46
2004 activity plan, budget and charging scheme - approved
RIPE NCC Regional Meeting - middle east
Dubai 7-9 December 2003
2004 Activities
Improving Quality of service
shorter fulfilment time
simpler procedures
Stronger membership support
widen and improve communication channels
telephone contact (in/out)
support members ain specific areas

information access and quality

AFRINIC

Call for hosting proposals in Feb 2003 - 5 received. Via consensus, AFRINIC functions will distributed across 4 locations:
Mauritius - HQ and inc of Afrinic
SA - technical ops
Ghana - training coordination
Egypt - mirroring and disaster recovery
Kampala Jun 2003 (AFNOG IV)

AfriNIC - Johannesburg Sep 17 2003
Reviewing terms of reference for hosting countries
Outreach and input from local
Facility inspection
Formal support from >20 ISPs in Africa
Activity reports
transition plan (complicated as 3 registries to 1)
new web site under contruction
launch of information letter "afrinic news"
Appointment of Adiel Akplogan as Project Manager
Africa address allocations from same /8 (196/8) by RIPE NCC, ARIN and APNIC: makes for easier migration

Questions on all RIR reports:

Q: Clarification of IPv6 policies?

A: You need to meet the qualification. Service Provider with expectation of 200 customers in 2 years, thats easy. End-user - nothing in any policy now for IPv6 directly from any RIRs. Go find an ISP that provides service; growth should mean that soon there will be coverage locally. Its just something that will take a while

Q: Working on a draft to denounce practice of embedding (magic) IP addresses in routers. Is there any listing of 'tainted' prefixes within the RIRs (when returned and re-issued)

A: RIRs do not keep track of the use that prefixes were put to. When it gets returned, it gets put in a pool and thats the last place we allocate from, so any issues with a particular prefix should have gone away after a few years.

A: The logical place to have a blacklist of used prefixes is perhaps IANA, not RIRs. On RFCs, 2101 (?) says its a really bad idea to embed IP addresses, but it hasn't really been followed.

A: Maybe a whois query should state this (previous purpose, its blacklisted, etc)

A: Perhaps a document (method) to pull the information down, informational RFCs, searchable

A: In order for the RIRs to do something, have to be told by their respective communities

2. SIARI by Pablo Allen - German Valdez - LACNIC

Sistema Interactivo de Analisis de Recursos de Internet Internet Resources Analysis Interactive System

Tool to perform analysis of information in an interactive way - based on OLAP and multi-dimensional models

Java or HTML - local or remote execution - updated daily http://lacnic.net/en/siari.html (demonstration of entering interface)

Client server platform (diagram)

Cubes - repositories between users and db
Dimensions - variables to be analysed
date
country
resources
client
member
prefix CIDR
Measures - quantitative criteria to measure the variables
allocation number
amount of IPs
(number of) class Cs
amount of clients
(demonstration of java interface)
(an interesting abstraction model - different levels)
questions? - [email protected]

Q: is the code available?

A: only the system is

3. Lame Delegation Control (LACNIC) - Frederico Neves

Current procedures
accept delegation only on correct configured servers
Check - correct delegations weekly
- lame delegations every 2 days
report in WHOIS output
report to contacts twice a month for lame delegations lasting
more than a week

Lame definition
executes a non-recursive SOA query to delegated servers
checks for:
non auth answers
unknown domain name
unknown host
servfail
query/connection refused
not soa
cname
soa version
Concept of multizone lameness - If an entity has a /20 delegated to it, and one /24 is lame, then the whole /20 is considered lame (as far as the Registry is concerned, as the Registry db only has the /20)

sample of whois output

Statistics of lameness
3/12/2002 - 45.2% lame
26/6/2003 - 34.9% lame
6/11/2003 - 26.7% lame (now a breakout of specific problems)

Graph of amount of lame delegations going down over last few years, taking into account overall number of delegations going up.

Q: whats the increase in the graph?

A: multizone lame tagging - one or more (large) servers went lame

Q: The multizone thing is a registry thing, not directly DNS.

A: more coordination of the measurement terms needed

Next steps
Community policy enforcing the removal of lame delegations
Check NS records correctness and glue absence (avoids excessive requeries)
Possibly adopt or work to define a 'standard' for lame delegation

Q: Are the RIRs talking about definitions?

A: Yes, but we haven't taken it much beyond RIPE45 in May (Barcelona)

A: A lot of it is specific to the way each RIR operates its database

4. DNS Report - George Michaelson, APNIC

1 min tcpdump sample every 15 min 24/7
Map to ccTLD of registry object
known limitations to accuracy of source attribution
Measure src,dst ccTLD, volumes, types
samples not retained
4 points of samples - brisbane, japan, hongkong

IPv4 and IPv6 relative volume trends
log scale:
v4 is relatively flatlined
v6 is relatively small, but growing.

Q: what are the interesting points in the time? (IPv6 specific)

A: some of the fuzziness is due to really low query rate Most of the peaks tend to be coincide with major conferences, or Bill Manning walking the tree.

Q: Does v6 mean queries on v6 transport?

A: Yes

Q Bruce: Do you have mapping of which tree (v4 or v6) comes in on which transport?

A: Not measuring that yet.

v6 queries has a slight upward trend, but has a long way to go.

DNS view of 'attacks in the net?'

Downshift in number of queries when shifted delegation model from step to flat. Spike up when the worms got released in July/August.

Curious peak of Mexico in June 2003 - possible an attack incident somewhere.

5. IP Address Hijacking - An ARIN perspective - Ray Plzak, ARIN

Definition of Hijacking
Individuals targeting mainly legacy IP address blocks to make
unauth changes to reg records in WHOIS
Then gives illusion that the individual now has some authority
over the resource records.
Affected includes IPs and ASNs

Effects/Implications
Misleads net ops
compromises (consistency and trustworthyness of) whois db
creates liability issues
increased workload
slower response times
increased costs - staffing, legal fees

Current status (apr-oct 2003)
110 incidents opened (reported to or discovered by ARIN)
11 no evidence
84 reverted - reverted, reclaimed or returned
15 under investigation

1 /8
48 /16s
45 /24s
4 direct allocations
1 reassignment

This is mostly legacy space, so this problem will occur with other RIRs as ERX continues.

Typical hijacking MO - flowchart
Identify target (not routed, stale POCs, no POCs)
Identify associated domain information
Name expired?
Yes - register domain name
No - register similar domain name
May incorporate
Make incremental changes (POC, ORG, Netmod)
Route Network

They don't take steps which requires (extensive) documentation; easier to deal with them legally if they do.

What is ARIN doing?
Identified patterns used by hijackers to uncover unauth db changes
Monitor 'hijacked' mail list
( Not used as official channel of reporting, ARIN may investigate things seen there, but formally expects people to explicitly report to ARIN. )
Research every reported or discovered hijacking
Document and track every case
Working with law enforcement agencies
Developed/modified processes and procedures
Developed new database 'status' attribute that can lock down records
RIR coordination

Q: Do you have a policy of handing out information (regarding investigations)? A: We have NDAs, and follow them. Must have a valid legal reason for seeing info.

What is ARIN not doing?
Reporting all incidents to law enforcement agencies
Disclosing investigation details to the general public (NDAs)

Possible actions:
Require additional verification info
tax ID
raised seal corporation documents
Pursue legal options
Revise the registration services agreement
add AUP clause
strengthen transfer clause
Display WHOIS historical 'change log'
(this is a good idea)
Stronger validation software
bi-annual whois data validation
re-registration
more stringent authentication, authorisation and accountability

Possible actions - legacy records
seperate registration database (Registry of Legacy Resources (RLR)
contains all legacy records
update options:
no updates permitted without joining an RIR, or validated updates within the RLR to NS and POC records, on a fee-for-service basis
Legacy space holders encouraged to move their records into the RIR system over time

Considerations:
Pre-RIR contractual relationship
legal obligations
maintenance fees
criteria to determine user legitimacy

What can you do?
ensure ORG and Resource records are (kept) updated
your records
your customers
Use stronger authentication methods

6. riswhois.ripe.net or IP to AS mapping - Henk Uijterwaal, RIPE NCC

Motivation:

TTM service shows (a.o) routes at the IP level
Routing change:

inside an AS usually not that interesting

except for a few very big ISPs
load balancing, backup-router, renumbering

different AS path usually very interesting

Added AS information
Used IRR to do the mapping

How accurate is the mapping?

Which IRR? About 60 of them
Used RIPE NCC, plus ARIN, ARPNIC, CW, RADB, Verio

1 day of TTM data

3618 unique IP addresses

IRR finds an AS for 2856 IPs (79%)
Looking at Routing Table, one finds an AS for 3584 (99%)

Differences:

54 (IPs) not in IRR
17 outdated IRR information (AS no longer there!)
11 in aggregates (less specific in IRR)
9 multiple objects in IRR
5 not in routing tables (IX's)

Q: Can you define 'unique IP addresses' ?

A: 50 measuring points, uniqued that way.

Solution: Build a better tool for IP2ASN mapping

Use routing tables
RIS has views from all over the world

10 collectors
325 peers

Side effect:

this tool can be useful for other tools and services
Add a public interface to tool

riswhois.ripe.net

A new interface to RIS data

answers in RPSL
provides a quick summarised view of prefixes seen in an entire set of RIS collected RIB dumps
use existing tools
all in memory, no external queries, fast

Example-0 - see slide
Example-1 - see slide - shows less specific (aggregate) route
Example-1b - see slide - only the aggregate was registered in an IRR
Example-2 - see slide - show IPv6

What is it good for:

A quick view in the distributed route collector data

how is my address space announced worldwide?

Assigning origin AS numbers to IP addresses

traceroute with AS infor, AS level traces
up to now, tools consulted IRRs, and possibly invalid data

Limitations

A (recent) snapshot of the RRC routing tables
No sense of history

Code available

Misconfigurations
Existing RIS tools invaluable for more detailed data, but they take longer to complete (exhaustive backend db searches)M/ul>

How to query:

Default output - any whois client
Pass options

RIPE whois client
netcat
?

Q Elise: Are any other RIRs considering adopting this type of tool?

A: I hope so, but this was released on Friday, so don't know yet

7. IPv4 Address lifetime Expectancy Revisited-Revisited Geoff Huston, Presented by George Michaelson, APNIC

Emphasis on Geoff's point of view, not an RIR point of view.

Reworking of July model (see prev IEPG)

Modelling the process step function of RIR/IANA reserves End of reserves predicted around 2025.

Its noisy data, lots of spikes applied smoothing

applied models to the data - linear and polynominal

But which model to use to get the best predictions?

Downward trend in rate of growth

Q: Is it economy or policy basis?

A: My personal (George) view is its economic, not RIR policy basis.

4-5/8 blocks in 99-00, now 2-4/8 blocks per year

Log of (smoothed) data

More recent data shows a declining rate in growth of the log of the data. (ie, the rate of growth is decreasing)

George Comment - available data is small, and all projection models (linear, poly, exponential) currently fit.

Observations see slide

Modelling the process see slide

Exponential shows next 2 decades - 2018 - 2020 Linear shows next 3 decades - 2030 - 2037 other model shows slightly longer - 2030 - 2040

Questions: Externals: what are the underlying growth drivers? What forms of disruption? effects of the disruption?

Q: Agree with Geoff in economics - some global issues missing, take china, its currently on an upward slope in history. (more about economies - not many have enough address space for 20% of population). Potential for some economies to explode in growth and change projections significantly.

A: Yup. Noise in some media about a 2year horizon for addresses. The longer time (of any model) needs to be in the public eye.

Q: That story came up through the BBC - reporter asked what would cause depletions, the 2 years is a worst worst case, eg all telephones etc.

Q: Its a 20+ year prediction based on 2-3 years of data. No-one knows whats behind NATs etc. New applications, new (exploding) countries, very difficult to model
A: Would slightly disagree with some things not being taken account of. Eg, APNIC had a /10 request for a 3g network, should be in Geoff's data.

Q: Things may change in that (and other) space. They (3g) might figure out how to get past it quickly. Could also be a driver of IPv6 (if they can't get IPv4 quickly enough). If these things start happening, the model will be skewed.

Q Kurtis: More what you are seeing is that the state of the economy is preventing growth to the extent that effects of RIR policy could be seen.

A: Yes, also reflected in change in memberships (mergers and acquisitions), so change in allocation rate.

Q Ray: Same in ARIN meeting, a lot more companies that effectively get address space by acquisitions than direct from RIR.

Q: Pricing models of ISPs affect (end-user) uptake

Q Kurtis: 3g networks might copy 2g networks and NAT everything.

A: Yes, NAT pressure isn't about addresses, its about control.

A: the whole presentation isn't good for IPv6, if the drive is economic.

Q Brian: There is a clear argument that there is a demand for IPv4 availability, suppressed by NAT. Its not about address space at the moment, its about (end-to-end) connectivity. We don't know what the demand (and growth) rate would be without NAT.

Q: ( Applications can be NAT'd, continuing the possible suppression of demand )

Q: Data is from poor economic performance globally, could change remarkably as economy improves. (Awareness of?) v4 availabilty could delay IPv6 rollout.

A: And could be a crux point in the future.

Q: Important to give clear message that IPv4 can continue until much longer under current economic conditions, but need to move to IPv6 (?)

A: Study to do potential size of the (suppressed?) demand pool. Measurements are good.

Q: No-one is criticising Geoff's projections based on data - its the reasons driving the data that are being looked at.