RIRs in the future (and past) of Internet Governance

Paul Wilson, Director General, APNIC


So, what is the Internet?

• A “Network of Networks”

– Independent networks joining a single global infrastructure

– Interconnected and interoperable

• Open

– Anyone can implement standards – no license fees

– Minimal barrier to entry

• Voluntary

– Built by collective, optional efforts

– Minimal operational control or administration

– Minimal “Governance”…


History of Internet Governance…

• 1980s and 1990s: “Dark ages”

– Internet grew and succeeded behind the scenes

– Not much thought or talk of “governance”

– ICANN established 1999

• 2000s: Renaissance

– Discovery of the Internet (by WSIS)

– Discovery of “Internet Governance” and MS Model (WGIG)

– Mainstreaming of IG (IGF)

• 2010s: Modern reality

– Ubiquity

– Rise of the Platforms (Facebook, Google, etc)

– Cyber*: Cybercrime, Cyberthreats, Cybernorms, Cyberwar…


Internet Governance 2005


https://trends.google.com/

"Internet governance is the development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet."


Internet Governance 2005


What is Internet Governance today?

• Any aspect of the Internet which requires regulation, coordination or oversight, such as…

– Technical standards and coordination

– Management of critical resources

– Cybercrime, security, abuse, norms

– Content, Intellectual property etc

– Commerce, competition, trade and taxation

– Development and education, access, rights

– Norms, treaties, etc

• “The set of tasks required to ensure that the Internet remains voluntary, open, interoperable and interconnected”

– Ted Hardie, IAB Chair 2018


Internet Governance 2015


Internet Governance 2015


Internet Technical Coordination

• AKA the “code layer” or “logical layer”

• Subset of Internet governance

– DNS administration and coordination

– IP address / number resource management

– Internet standards development and management

• Activities of various types

– Administrative

– Operational

– Technical R&D

• Implemented by IETF, RIRs, DNS Registries, ICANN etc

– Working to ensure that the Internet remains voluntary, open, interoperable and interconnected.


An RIR History (by RFC)


Regional Internet address Registries

• Allocating and registering IP address space

– Serving ISPs in 5 regions of the world

– Bottom up policy making – voluntary and open

• Membership organisations

– Non-profit, neutral and independent

– Consensus-based, open and transparent

• First established in early 1990s

– Voluntarily by consensus of community

– To satisfy emerging technical/admin needs

• Proposed and agreed by the IETF

– In an “Internet Tradition”


Regional Internet Registries


Where do IP Addresses come from?

[Diagram labels: Assignment, Allocation, RIR, Standards, Allocation]


RIR History by RFC

• RFC 739, 1977 – ASSIGNED NUMBERS

• RFC 791, 1981 – INTERNET PROTOCOL

• RFC 801, 1981 – NCP/TCP TRANSITION PLAN

• RFC 812, 1982 – NICNAME/WHOIS

• RFC 870, 1983 – ASSIGNED NUMBERS (again)

• RFC 1366, 1992 – Address Assignment and Aggregation Strategy

• RFC 1883, 1995 – Internet Protocol, Version 6 (IPv6)

• RFC 2050, 1996 – INTERNET REGISTRY IP ALLOCATION GUIDELINES

• And more…


RFC 739, 1977


NWG/RFC# 739                                         JBP 11 Nov 77 42341
Assigned Numbers

Network Working Group                                          J. Postel
Request for Comments: 739                                        USC-ISI
NIC: 42341                                              11 November 1977

                            ASSIGNED NUMBERS

This Network Working Group Request for Comments documents the currently
assigned values from several series of numbers used in network protocol
implementations. This RFC will be updated periodically, and in any case
current information can be obtained from Jon Postel. The assignment of
numbers is also handled by Jon. If you are developing a protocol or
application that will require the use of a link, socket, etc. please
contact Jon to receive a number assignment.


Address management: 1977

“The assignment of numbers is also handled by Jon. If you are developing a protocol or application that will require the use of a link, socket, port, protocol, or network number please contact Jon to receive a number assignment.” (RFC 739)

1977: NIC


RFC 791, 1981


RFC: 791

INTERNET PROTOCOL

DARPA INTERNET PROGRAM

PROTOCOL SPECIFICATION

September 1981

prepared for

Defense Advanced Research Projects Agency

Information Processing Techniques Office

1400 Wilson Boulevard

Arlington, Virginia 22209


RFC 791, 1981


3.1. Internet Header Format

A summary of the contents of the internet header follows:

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                    Example Internet Datagram Header

                               Figure 4.

Note that each tick mark represents one bit position.

Version: 4 bits

   The Version field indicates the format of the internet header. This
   document describes version 4.


RFC 801, 1981


Network Working Group                                          J. Postel
Request for Comments: 801                                            ISI
                                                           November 1981

                        NCP/TCP TRANSITION PLAN

Introduction
------------

   ARPA sponsored research on computer networks led to the development
   of the ARPANET. The installation of the ARPANET began in September
   1969, and regular operational use was underway by 1971. The ARPANET
   has been an operational service for at least 10 years. Even while it
   has provided a reliable service in support of a variety of computer
   research activities, it has itself been a subject of continuing
   research, and has evolved significantly during that time.

   ...

   It was clear from the start of this research on other networks that
   the base host-to-host protocol used in the ARPANET was inadequate for
   use in these networks. In 1973 work was initiated on a host-to-host
   protocol for use across all these networks. The result of this long
   effort is the Internet Protocol (IP) and the Transmission Control
   Protocol (TCP).


RFC 812, 1982


Ken Harrenstien                                                  RFC-812
Vic White                                                   1 March 1982
Network Information Center
SRI International

                             NICNAME/WHOIS

INTRODUCTION

   The NICNAME/WHOIS Server is an NCP/TCP transaction based
   query/response server, running on the SRI-NIC machine, that
   provides netwide directory service to ARPANET users. It is
   one of a series of ARPANET/Internet name services maintained
   by the Network Information Center (NIC) at SRI International
   on behalf of the Defense Communications Agency (DCA).


RFC 870, 1983


Network Working Group                                        J. Reynolds
Request for Comments: 870                                      J. Postel
                                                                     ISI
Obsoletes RFCs: 820,                                        October 1983
790, 776, 770, 762, 758, 755,
750, 739, 604, 503, 433, 349
Obsoletes IENs: 127, 117, 93

                            ASSIGNED NUMBERS

This Network Working Group Request for Comments documents the currently
assigned values from several series of numbers used in network protocol
implementations. This RFC will be updated periodically, and in any case
current information can be obtained from Joyce Reynolds. The assignment
of numbers is also handled by Joyce. If you are developing a protocol
or application that will require the use of a link, socket, port,
protocol, or network number please contact Joyce to receive a number
assignment.


RFC 870, 1983


Assigned Numbers                                                 RFC 870
Network Numbers

Assigned Network Numbers

Class A Networks

* Internet Address  Name           Network                      References
- ----------------  ----           -------                      ----------
  000.rrr.rrr.rrr                  Reserved                     [JBP]
R 003.rrr.rrr.rrr T RCC-NET-TEMP   BBN RCC Network              [SGC]
R 004.rrr.rrr.rrr   SATNET         Atlantic Satellite Network   [DM11]
D 005.rrr.rrr.rrr T DEMO-PR-1-TEMP Demo-1 Packet Radio Network  [LCS]
D 006.rrr.rrr.rrr T YPG-NET-TEMP   Yuma Proving Grounds         [2,BXA]
D 007.rrr.rrr.rrr T EDN-TEMP       DCEC EDN                     [EC5]
R 008.rrr.rrr.rrr T BBN-NET-TEMP   BBN Network                  [JSG5]
D 009.rrr.rrr.rrr T BRAGG-PR-TEMP  Ft. Bragg Packet Radio Net   [JEM]
R 010.rrr.rrr.rrr   ARPANET        ARPANET                      [2,17,REK2]
C 012.rrr.rrr.rrr   ATT            ATT, Bell Labs               [MH12]
C 014.rrr.rrr.rrr   PDN            Public Data Network          [REK2]
R 018.rrr.rrr.rrr T MIT-TEMP       MIT Network                  [11,51,DDC2]
R 023.rrr.rrr.rrr   MITRE          MITRE Cablenet               [54,APS]


Address management: 1983–1992

“The assignment of numbers is also handled by Joyce. If you are developing a protocol or application that will require the use of a link, socket, port, protocol, or network number please contact Joyce to receive a number assignment.” (RFC 790)

1983: NIC


RFC 1366, 1992


Network Working Group                                          V. Fuller
Request for Comments: 1338                                       BARRNet
                                                                   T. Li
                                                                   cisco
                                                                   J. Yu
                                                                   MERIT
                                                             K. Varadhan
                                                                  OARnet
                                                               June 1992

      Supernetting: an Address Assignment and Aggregation Strategy

...

Abstract

   This memo discusses strategies for address assignment of the existing
   IP address space with a view to conserve the address space and stem
   the explosive growth of routing tables in default-route-free routers
   run by transit routing domain providers.


RFC 1366, 1992


Network Working Group                                          E. Gerich
Request for Comments: 1366                                         Merit
                                                            October 1992

             Guidelines for Management of IP Address Space

...

1.0 Introduction

   With the growth of the Internet and its increasing globalization,
   much thought has been given to the evolution of the network number
   allocation and assignment process.

...

2.0 Qualifications for Distributed Regional Registries

   The major reason to distribute the registration function is that the
   Internet serves a more diverse global population than it did at its
   inception. This means that registries which are located in distinct
   geographic areas may be better able to serve the local community in
   terms of language and local customs.


Regional Internet Registries

“…it is [now] desirable to consider delegating the registration function to an organization in each of those geographic areas.” (RFC 1366)

1992:


RFC 1883, 1995


Network Working Group                             S. Deering, Xerox PARC
Request for Comments: 1883                   R. Hinden, Ipsilon Networks
Category: Standards Track                                  December 1995

                  Internet Protocol, Version 6 (IPv6)
                             Specification

Abstract

   This document specifies version 6 of the Internet Protocol (IPv6),
   also sometimes referred to as IP Next Generation or IPng.

Table of Contents

   1. Introduction..................................................3
   2. Terminology...................................................4
   3. IPv6 Header Format............................................5
   ...


RFC 2050, 1996


Network Working Group                                         K. Hubbard
Request for Comments: 2050                                    M. Kosters
Obsoletes: 1466                                                 InterNIC
BCP: 12                                                        D. Conrad
Category: Best Current Practice                                    APNIC
                                                           D. Karrenberg
                                                                    RIPE
                                                               J. Postel
                                                                     ISI
                                                           November 1996

               INTERNET REGISTRY IP ALLOCATION GUIDELINES

Abstract

   This document describes the registry system for the distribution of
   globally unique Internet address space and registry operations.
   Particularly this document describes the rules and guidelines
   governing the distribution of this address space.


Regional Internet Registries


Success: Global allocations


Success: Global routing table


http://bgp.potaroo.net/as1221/bgp-active.html

[Chart annotations: Dotcom Bust, GFC]


Success: IPv6


Success: IPv6


Success: IPv6 (TW)


World Average

23%


The Future


What has changed since 2000?

• Size and scale

– Users: 250M to 4,500M (x18)

– Traffic: 84 to 166,000 PB/month (x2000)

– Devices: 0.5B to 20-40B (x40-x80)

• Security threats

– Massive increase in number

– Massive increase in value and damage

• Importance of the IP Address Registry function

– Primary mechanism for attribution

– Must be reliable, available, adaptable, fit-for-purpose


Demands

• Health/Quality

– Complete, correct and current

• Availability

– Consistent data and query formats

– Data available where it is needed

• Utility

– Authorised access

– Multi-lingual content capability

• Automation

– API-based accessibility

– Applicability to automated security functions


RFC 812, 1982


Ken Harrenstien                                                  RFC-812
Vic White                                                   1 March 1982
Network Information Center
SRI International

                             NICNAME/WHOIS

...

PROTOCOL

   The NICNAME protocol is similar to the NAME/FINGER protocol
   (RFC 742). To access the server:

      Connect to the service host (SRI-NIC)

         TCP: service port 43 decimal
         NCP: ICP to socket 43 decimal, establishing two 8-bit
              connections

      Send a single "command line", ending with <CRLF>.

      Receive information in response to the command line. The
      server closes its connections as soon as the output is
      finished.


Internet registry services – Tomorrow

• Registration Data Access Protocol (RDAP) (NEW since 2015)

– For both names and numbers

– API for access to “whois” registry data

– Automation, AAA, i18N, redirection, extensibility

• Resource Public Key Infrastructure (RPKI) (since 2010)

– PKI for Internet Number Resources

– Cryptographically verifiable “ownership” of INRs

– Mechanism for authorisation to route IPv4/v6 blocks


whois


whois – limitations

• Non-standardised query and result formats

– Registry-specific questions and answers

– Automation is difficult

• No AAA model

– Built for public service only

• Most servers serve US-ASCII only

– Internationalisation is not defined

• No redirection

– User/client must know or find the right server to query


whois query

Query:

$ whois -h whois.apnic.net 210.17.9.242

Free text result:

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '210.17.0.0 - 210.17.127.255'

% Abuse contact for '210.17.0.0 - 210.17.127.255' is '[email protected]'

inetnum:        210.17.0.0 - 210.17.127.255
netname:        TTN-TW
descr:          Taiwan Telecommunication Network Services Co.,LTD.
descr:          110 , 8F , No 89 , Sung Jen RD , Taipei
country:        TW
admin-c:        IP11-AP
tech-c:         IP11-AP
remarks:        service provider
mnt-by:         MAINT-TW-TWNIC
mnt-irt:        IRT-TFN-TW
mnt-lower:      MAINT-TTN-AP
status:         ALLOCATED PORTABLE
last-modified:  2011-06-01T04:13:58Z
source:         APNIC


RDAP

Registration Data Access Protocol


RDAP

• RDAP is the successor to the ageing WHOIS protocol

• Like WHOIS, RDAP provides…

– Access to Internet registry data: domain names, AS numbers, and IP addresses

• Unlike WHOIS, RDAP provides…

– Structured request and response semantics

– Differentiated access

– Internationalisation

– Redirection

– Extensibility


RDAP query

[Figure labels: Query, Structured result]


RDAP application (whowas)


https://www.apnic.net/whowas


RDAP application (vizAS)


https://www.apnic.net/vizas


RDAP application (vizAS)


https://www.apnic.net/vizas


RDAP benefits

• Automation

– JSON input to common programming languages

– Integration with firewall, NMS, IPAM…

• “Differentiated Access”

– If needed

• Speaks your language (and character set)

– Can implement server-side or in-client language preference

• One stop query

– Servers can redirect clients to the right authoritative server

• Web protocol is CDN friendly

– Serve local, via anycast or DNS redirection methods

– Cacheable, survives DDoS longer since distributed
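
The automation benefit above, as an added example that is not part of the original slides: a structured RDAP "ip network" answer can be turned directly into the fields a firewall, NMS or IPAM integration needs. The response below is constructed to mirror the whois record shown earlier; the e-mail addresses, the nested entity and the function names are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed RDAP "ip network" response. Names and the address range mirror
# the whois record on the slide; e-mail addresses and the nested entity are
# invented for this example.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "ip network",
  "handle": "210.17.0.0 - 210.17.127.255",
  "startAddress": "210.17.0.0",
  "endAddress": "210.17.127.255",
  "ipVersion": "v4",
  "name": "TTN-TW",
  "country": "TW",
  "type": "ALLOCATED PORTABLE",
  "entities": [
    {"objectClassName": "entity", "handle": "IRT-TFN-TW", "roles": ["abuse"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "IRT-TFN-TW"],
                              ["email", {}, "text", "abuse@example.net"]]]},
    {"objectClassName": "entity", "handle": "IP11-AP",
     "roles": ["administrative", "technical"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Constructed Contact"],
                              ["email", {}, "text", "noc@example.net"]]],
     "entities": [
       {"objectClassName": "entity", "handle": "NESTED-EXAMPLE",
        "roles": ["abuse"],
        "vcardArray": ["vcard", [["email", {}, "text", "abuse2@example.net"]]]}
     ]}
  ]
}
""")


def vcard_values(entity, prop):
    """Return every string value of one jCard property (e.g. 'email')."""
    card = entity.get("vcardArray")
    if not (isinstance(card, list) and len(card) == 2 and card[0] == "vcard"):
        return []  # missing or malformed contact card: treat as no data
    values = []
    for item in card[1]:
        # A jCard property is [name, parameters, value-type, value, ...].
        if isinstance(item, list) and len(item) >= 4 and item[0] == prop:
            if isinstance(item[3], str):
                values.append(item[3])
    return values


def contacts_for_role(obj, role):
    """Collect e-mail addresses of all entities, nested ones included, with a role."""
    found = []
    for entity in obj.get("entities", []):
        if role in entity.get("roles", []):
            found.extend(vcard_values(entity, "email"))
        found.extend(contacts_for_role(entity, role))
    return found


def summarize_network(rdap):
    """Reduce an RDAP ip network object to the fields automation usually needs."""
    if rdap.get("objectClassName") != "ip network":
        raise ValueError("not an RDAP ip network object")
    first = ipaddress.ip_address(rdap["startAddress"])
    last = ipaddress.ip_address(rdap["endAddress"])
    # Registries publish ranges; filters and IPAM tools usually want CIDR blocks.
    cidrs = [str(n) for n in ipaddress.summarize_address_range(first, last)]
    return {
        "name": rdap.get("name"),
        "country": rdap.get("country"),
        "status": rdap.get("type"),
        "cidrs": cidrs,
        "abuse": contacts_for_role(rdap, "abuse"),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_network(SAMPLE_RDAP), indent=2))
```
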


RPKI

Resource Public Key Infrastructure


RPKI

• RPKI is a public key infrastructure (PKI) framework, designed to secure Internet routing

– Based on X.509 PKI standards

• RPKI adds INR information to X.509 certificates

– Representing “ownership” and other status

– Certification issued with INR allocations

– APNIC: Available through MyAPNIC


RPKI objects

• Resource certificates

– Extended X.509 certificates

– Providing authority to use given IPv4/6 and ASN resources

– Issued/Signed by IP address registry

• Route Origin Authorisation (ROA)

– Giving an ASN authority to route specific IP blocks

– Issued/Signed by IP resource holder

• Resource Tagged Attestation (RTA)

– Plus other useful objects proposed


Internet routing…

[Diagram: “The Internet Global Routing Table” / “Global Routing Table” listing 4.128/9, 60.100/16, 60.100.0/20, 135.22/16, 203.176.32.0/19 …; other labels: Announce 202.12.29.0/24, AS17821, 203.176.32.0/19, “?”]


Routing security breaches


Facebook, Mar 2019

Google, Nov 2018

Google, Nov 2012

YouTube, Feb 2008

Amazon, Apr 2018


Route Origin Validation

• Use of Route Origin Authorisation (ROA)

[Diagram labels: AS17821, 203.176.32.0/19, Peer/Upstream or IXP, “? ROA”, ☺︎]


ROV at IXPs

[Diagram labels: ISP 1, ISP 2, ISP 3, Route Server, Validator, Validated cache, RPKI-to-Router (RTR), Routes, Tagged/filtered routes]
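
Route Origin Validation as a route server or border router applies it, given as an added example that is not part of the original slides: each announcement is compared with the validated ROA payloads and tagged valid, invalid or not-found, following the RFC 6811 rules. The cache entries are constructed from the AS17821 / 203.176.32.0/19 pairing on the slide plus documentation prefixes and AS numbers; they are not real RPKI data, and the function names are assumptions.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload, as a validator hands it to a router over RTR."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest prefix length the ROA authorises
    asn: int            # authorised origin AS


def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


# Constructed validated cache (sample data for this example only).
VALIDATED_CACHE = [
    vrp("203.176.32.0/19", 19, 17821),   # pairing taken from the slide
    vrp("2001:db8::/32", 48, 64500),     # documentation prefix and ASN
]


def validate_origin(prefix, origin_asn, cache=VALIDATED_CACHE):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for entry in cache:
        if entry.prefix.version != route.version:
            continue
        # A VRP covers the route when the route equals or sits inside its prefix.
        if not route.subnet_of(entry.prefix):
            continue
        covered = True
        # A match needs the same origin AS and a length within max_length.
        # A VRP for AS 0 never matches: it marks space that must not be routed.
        if (entry.asn != 0 and entry.asn == origin_asn
                and route.prefixlen <= entry.max_length):
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"


def tag_routes(announcements, cache=VALIDATED_CACHE):
    """Tag every (prefix, origin) pair and return (tagged, accepted).

    'accepted' drops invalid routes and keeps not-found ones, the usual
    policy while ROA coverage is still partial.
    """
    tagged = [(p, a, validate_origin(p, a, cache)) for p, a in announcements]
    accepted = [r for r in tagged if r[2] != "invalid"]
    return tagged, accepted


# Constructed announcements as a route server might receive them.
ANNOUNCEMENTS = [
    ("203.176.32.0/19", 17821),   # matches the ROA
    ("203.176.32.0/19", 64496),   # covered, wrong origin AS
    ("203.176.40.0/24", 17821),   # covered, longer than max_length
    ("198.51.100.0/24", 64496),   # no ROA covers this prefix
    ("2001:db8:1::/48", 64500),   # IPv6, within max_length
]

if __name__ == "__main__":
    for prefix, asn, state in tag_routes(ANNOUNCEMENTS)[0]:
        print(f"{prefix:20} AS{asn:<6} {state}")
```
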


RPKI status


RPKI status – Global

Valid 17.80%

Invalid 0.90%

https://rpki-monitor.antd.nist.gov


RPKI benefits

• Improved verification of resource holdings

– Much safer than manually checking whois, LOAs etc

– Ease of automation

• Improved security of the routing system

– ROV helps prevent BGP attacks and errors

– BGP path validation is under development

• Deployment is accelerating

– AWS BYOIP service requires ROA for customers

– Cloudflare ROV at all POPs, and public validator service

– And other IXPs, CDNs and Tier 1 providers are starting to require it


How do I start?

• Create your ROAs

– APNIC members, use MyAPNIC

– Encourage your IXP to implement ROV

• Then

– Set up route validation at your own border routers

– Encourage your peers/customers

• APNIC can help!

– Please contact APNIC Helpdesk


Conclusions


The RIRs (and NIRs)

• Part of “Internet Governance” since before “Internet Governance”

• Proving the role and the success of the Technical Community’s bottom-up self-Governance

– Working to ensure that the Internet remains voluntary, open, interoperable and interconnected

• The Internet has a long way to go (and grow)

– Our responsibilities can only get more important

• We all have plenty of work to do

• Let’s do it together!


http://2020.apricot.net

Call for Papers and Registration open now

APNIC 49


APNIC 50

• Dhaka, Bangladesh


Thanks!

[email protected]