350 likes | 363 Views
This article provides important information for educational and research networks about ARIN's services, IPv4 transfer market, IPv6 addressing plans, and more.
E N D
What Educational & Research Networks Need To Know About ARIN Jon Worley, Technical Services Lead I-Light 8 May 2019
Topics of Discussion • ARIN 101 • IPv4 Transfer Market • IPv4 Waiting List • Getting IPv6 • IPv6 Addressing Plans • RPKI/DNSSEC
ARIN 101 • Established in 1997 as a nonstock corporation in Virginia, USA • Nonprofit – 100% community funded, fee for services, not number resources • Membership Organization – open, broad-based from private & public sectors and civil society • Community Regulated – Open and transparent, policies developed by community, member-elected executive board
Mission Statement ARIN, a nonprofit, member-based organization, supports the operation of the Internet through the management of Internet number resources throughout its service region; coordinates the development of policies by the community for the management of Internet Protocol number resources; and advances the Internet through informational outreach.
ARIN Service Region Region includes Canada, 25+ Caribbean and North Atlantic economies, & the United States and minor outlying areas
ARIN’s Educational/Research Representation • 1 member of ARIN’s Board of Trustees • Nancy Carter, Treasurer (CFO of CANARIE Inc.) • 1 member of ARIN’s Advisory Council • David Farmer, University of Minnesota • Consider running for office to increase representation!
What Does ARIN Do? • IP address allocations & assignments • ASN assignments • Transfers • Reverse DNS • Record Maintenance • Directory services – Whois, Whowas, RDAP… • ARIN Online (customer web portal) • Security (DNSSEC, RPKI) • Community Software Project Repository • Operation Test & Evaluation (OT&E) Environment
In-Region Market Transfers • Source account submits the source transfer request via ARIN Online and provides: • resources to be transferred • recipient organization name • Recipient account submits a recipient transfer via ARIN Online
In-Region Market Transfers • Source and recipient tickets linked • $300 fee paid by source (waived if resources are under RSP) • Due diligence check to verify source is authorized to release the resources • If recipient is not pre-approved, verification of 24 month need done
In-Region Market Transfers • Upon approval, the recipient signs a Registration Services Agreement and pays any past due fees • ARIN Financial Services confirms receipt of RSA and any past due fees • Transfer is completed and both source and recipient are notified
Inter-RIR Transfers From ARIN • Source submits an inter-RIR source request via ARIN Online • ARIN verifies the source is authorized to transfer the resources • Upon approval, invoice for $300 transfer fee sent to the source organization (waived if under RSP) • Request sent to recipient RIR
Inter-RIR Transfers From ARIN • When ARIN receives approval from the recipient RIR, ARIN confirms the transfer date with the recipient RIR and waits for confirmation of completion • Upon receiving confirmation from the recipient RIR, ARIN completes the transfer and updates Whois • Notify the Recipient RIR and the ARIN source organization once the transfer process has been completed
Transfers Are Increasing # Completed Transfers 1,104
Transfer Facilitators • ARIN allows registration of transfer facilitators (aka brokers) • ARIN does not provide any information other than contact info • Consider checking with other orgs if you want information about the broker • https://www.arin.net/resources/registry/transfers/stls/registered_facilitators/
Requesting IPv6 - ISPs OR OR
Requesting IPv6 – End Users OR OR OR OR
Subnetting: IPv4 vs IPv6 • The IPv4 mindset: think in terms of IP addresses • “If a site has 50 devices, I give it a /26” • The IPv6 mindset does not work for IPv6 • Last 64 bits used for device autoconfiguration • …and we have a ton of IPv6 addresses • The correct IPv6 mindset: think in terms of subnets, not addresses
IPv6 Subnetting – NANOG BCOP • Each individual network segment gets a /64 • A /64 can hold a near-infinite number of devices • Subnet on nibble boundaries for DNS • /48, /44, /40, etc. • Addressing plans should be hierarchical, with each level using subnets of the same size • Each site gets a /48 • Customers generally get a /48 • PoPs/aggregation points sized based on largest
IPv4 Address Plan: End User Enterprise Network /23 /19 /24 /24 ASH Hub 156 sites /27 for each 4,992 IPs CHI Hub 15 sites /28 for each 240 IPs DAL Hub 8 sites /28 for each 128 IPs SJC Hub 14 sites /27 for each 448 IPs
IPv6 Address Plan: End User Enterprise Network /40 /40 (256 /48s) /40 /40 SJC Hub 14 sites /48 for each site CHI Hub 15 sites /48 for each site ASH Hub 156 sites /48 for each site DAL Hub 8 sites /48 for each site
IPv4 Address Plan: ISP FTTH ISP Network /22 /21 /23 /24 Regina Hub 497 home users (1 IP each) 4 biz customers (/29-/24) = 997 IPs Moose Jaw Hub 497 home users (1 IP each) = 497 IPs Prince Albert Hub 214 home users (1 IP each) = 214 IPs Saskatoon Hub 952 home users (1 IP each) 5 biz customers (/29-/24) = 1,952 IPs
IPv6 Address Plan: ISP FTTH ISP Network /36 (4,096 /48s) /36 /36 /36 Saskatoon Hub 1,027 total users (home + business) = 1,027 /48s Prince Albert Hub 214 total users (home + business) = 214 /48s Moose Jaw Hub 497 total users (home + business) = 497 /48s Regina Hub 506 total users (home + business = 506 /48s
Anatomy of an IPv6 Address 2001:0DB8:3007:000A:B9D3:284A:83E2:90DB /32 from ARIN Hub /36 0 = Saskatoon 1 = Pr. Albert 2 = Moose Jaw 3 = Regina 4 = Future Hub ... etc Site /48 001 = Regina Site 1 002 = Regina Site 2 .... 007 = Regina Site 7 Subnet /64 0001 = Subnet 1 0002 = Subnet 2 .... 000A = Subnet 10 Device /128 Autoconfigured with MAC Address
Resource Public Key Infrastructure (RPKI) • Functionally similar to an Internet Routing Registry (IRR) • IRRs contain route objects which associate a given IP block with an origin AS • RPKI equivalent: route origin authorization (ROA) • Adds cryptographic authentication to ensure the data hasn’t been tampered with
Using RPKI • Hosted RPKI recommended • Generate a ROA request key pair • Submit your public key to ARIN • Generate ROAs via the website
DNSSEC • Increases DNS security • Cryptographically verifies the response from the DNS server hasn’t been tampered with • More useful for forward DNS, but why not add reverse while you’re at it? • DS records you provide to ARIN point to DNSKEY records in your nameserver
Using DNSSEC • Make sure you have access to your organization’s records via ARIN’s website • Use your DNS software to generate the required records • Upload the DS records to ARIN via our website