RIRs in the future
(and past)
of Internet Governance
Paul Wilson
Director General
APNIC
So, what is the Internet?
• A “Network of Networks”
– Independent networks joining a single global infrastructure
– Interconnected and interoperable
• Open
– Anyone can implement standards – no license fees
– Minimal barrier to entry
• Voluntary
– Built by collective, optional efforts
– Minimal operational control or administration
– Minimal “Governance”…
History of Internet Governance…
• 1980s and 1990s: “Dark ages”
– Internet grew and succeeded behind the scenes
– Not much thought or talk of “governance”
– ICANN established 1998
• 2000s: Renaissance
– Discovery of the Internet (by WSIS)
– Discovery of “Internet Governance” and MS Model (WGIG)
– Mainstreaming of IG (IGF)
• 2010s: Modern reality
– Ubiquity
– Rise of the Platforms (Facebook, Google, etc)
– Cyber*: Cybercrime, Cyberthreats, Cybernorms, Cyberwar…
Internet Governance 2005
(chart: Google Trends, https://trends.google.com/)
Internet Governance 2005
“Internet governance is the development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.”
(Working Group on Internet Governance definition, 2005)
What is Internet Governance today?
• Any aspect of the Internet which requires regulation, coordination or oversight, such as…
– Technical standards and coordination
– Management of critical resources
– Cybercrime, security, abuse, norms
– Content, Intellectual property etc
– Commerce, competition, trade and taxation
– Development and education, access, rights
– Norms, treaties, etc
• “The set of tasks required to ensure that the Internet remains voluntary, open, interoperable and interconnected”
– Ted Hardie, IAB Chair 2018
Internet Governance 2015
(chart)
Internet Technical Coordination
• AKA the “code layer” or “logical layer”
• Subset of Internet governance
– DNS administration and coordination
– IP address / number resource management
– Internet standards development and management
• Activities of various types
– Administrative
– Operational
– Technical R&D
• Implemented by IETF, RIRs, DNS Registries, ICANN etc
– Working to ensure that the Internet remains
voluntary, open, interoperable and interconnected.
An RIR History (by RFC)
Regional Internet address Registries
• Allocating and registering IP address space
– Serving ISPs in 5 regions of the world
– Bottom up policy making – voluntary and open
• Membership organisations
– Non-profit, neutral and independent
– Consensus-based, open and transparent
• First established in the early 1990s
– Voluntarily by consensus of community
– To satisfy emerging technical/admin needs
• Proposed and agreed by the IETF
– In an “Internet Tradition”
Regional Internet Registries
Where do IP Addresses come from?
(diagram: Standards → Allocation → RIR → Allocation → Assignment)
RIR History by RFC
• RFC 739, 1977 – ASSIGNED NUMBERS
• RFC 791, 1981 – INTERNET PROTOCOL
• RFC 801, 1981 – NCP/TCP TRANSITION PLAN
• RFC 812, 1982 – NICNAME/WHOIS
• RFC 870, 1983 – ASSIGNED NUMBERS (again)
• RFC 1338, 1992 – Supernetting: an Address Assignment and Aggregation Strategy
• RFC 1366, 1992 – Guidelines for Management of IP Address Space
• RFC 1883, 1995 – Internet Protocol, Version 6 (IPv6)
• RFC 2050, 1996 – INTERNET REGISTRY IP ALLOCATION GUIDELINES
• And more…
RFC 739, 1977
NWG/RFC# 739 JBP 11 Nov 77 42341
Assigned Numbers
Network Working Group
Request for Comments: 739
NIC: 42341
J. Postel, USC-ISI
11 November 1977
ASSIGNED NUMBERS
This Network Working Group Request for Comments documents the currently
assigned values from several series of numbers used in network protocol
implementations. This RFC will be updated periodically, and in any case
current information can be obtained from Jon Postel. The assignment of
numbers is also handled by Jon. If you are developing a protocol or
application that will require the use of a link, socket, etc. please
contact Jon to receive a number assignment.
Address management: 1977
“The assignment of numbers is also handled by Jon. If you are developing a protocol or application that will require the use of a link, socket, etc. please contact Jon to receive a number assignment.” (RFC 739)
(diagram: 1977: NIC)
RFC 791, 1981
RFC: 791
INTERNET PROTOCOL
DARPA INTERNET PROGRAM
PROTOCOL SPECIFICATION
September 1981
prepared for
Defense Advanced Research Projects Agency
Information Processing Techniques Office
1400 Wilson Boulevard
Arlington, Virginia 22209
…
RFC 791, 1981
3.1. Internet Header Format
A summary of the contents of the internet header follows:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Example Internet Datagram Header
Figure 4.
Note that each tick mark represents one bit position.
Version: 4 bits
The Version field indicates the format of the internet header. This
document describes version 4.
RFC 801, 1981
Network Working Group
Request for Comments: 801
J. Postel, ISI
November 1981
NCP/TCP TRANSITION PLAN
Introduction
------------
ARPA sponsored research on computer networks led to the development
of the ARPANET. The installation of the ARPANET began in September
1969, and regular operational use was underway by 1971. The ARPANET
has been an operational service for at least 10 years. Even while it
has provided a reliable service in support of a variety of computer
research activities, it has itself been a subject of continuing
research, and has evolved significantly during that time.
...
It was clear from the start of this research on other networks that
the base host-to-host protocol used in the ARPANET was inadequate for
use in these networks. In 1973 work was initiated on a host-to-host
protocol for use across all these networks. The result of this long
effort is the Internet Protocol (IP) and the Transmission Control
Protocol (TCP).
RFC 812, 1982
RFC-812
Ken Harrenstien, Vic White
Network Information Center, SRI International
1 March 1982
NICNAME/WHOIS
INTRODUCTION
The NICNAME/WHOIS Server is an NCP/TCP transaction based
query/response server, running on the SRI-NIC machine, that
provides netwide directory service to ARPANET users. It is
one of a series of ARPANET/Internet name services maintained
by the Network Information Center (NIC) at SRI International
on behalf of the Defense Communications Agency (DCA).
RFC 870, 1983
Network Working Group
Request for Comments: 870
J. Reynolds, J. Postel, ISI
October 1983
Obsoletes RFCs: 820, 790, 776, 770, 762, 758, 755, 750, 739, 604, 503, 433, 349
Obsoletes IENs: 127, 117, 93
ASSIGNED NUMBERS
This Network Working Group Request for Comments documents the currently
assigned values from several series of numbers used in network protocol
implementations. This RFC will be updated periodically, and in any case
current information can be obtained from Joyce Reynolds. The assignment
of numbers is also handled by Joyce. If you are developing a protocol
or application that will require the use of a link, socket, port,
protocol, or network number please contact Joyce to receive a number
assignment.
…
RFC 870, 1983
Assigned Numbers RFC 870
Network Numbers
Assigned Network Numbers
Class A Networks
*  Internet Address   Name            Network                       References
-  ----------------   ----            -------                       ----------
   000.rrr.rrr.rrr    Reserved                                      [JBP]
R  003.rrr.rrr.rrr  T RCC-NET-TEMP    BBN RCC Network               [SGC]
R  004.rrr.rrr.rrr    SATNET          Atlantic Satellite Network    [DM11]
D  005.rrr.rrr.rrr  T DEMO-PR-1-TEMP  Demo-1 Packet Radio Network   [LCS]
D  006.rrr.rrr.rrr  T YPG-NET-TEMP    Yuma Proving Grounds          [2,BXA]
D  007.rrr.rrr.rrr  T EDN-TEMP        DCEC EDN                      [EC5]
R  008.rrr.rrr.rrr  T BBN-NET-TEMP    BBN Network                   [JSG5]
D  009.rrr.rrr.rrr  T BRAGG-PR-TEMP   Ft. Bragg Packet Radio Net    [JEM]
R  010.rrr.rrr.rrr    ARPANET         ARPANET                       [2,17,REK2]
C  012.rrr.rrr.rrr    ATT             ATT, Bell Labs                [MH12]
C  014.rrr.rrr.rrr    PDN             Public Data Network           [REK2]
R  018.rrr.rrr.rrr  T MIT-TEMP        MIT Network                   [11,51,DDC2]
R  023.rrr.rrr.rrr    MITRE           MITRE Cablenet                [54,APS]
Address management: 1983–1992
“The assignment of numbers is also handled by Joyce. If you are developing a protocol or application that will require the use of a link, socket, port, protocol, or network number please contact Joyce to receive a number assignment.” (RFC 870)
(diagram: 1983: NIC)
RFC 1338, 1992
Network Working Group
Request for Comments: 1338
V. Fuller (BARRNet), T. Li (cisco), J. Yu (MERIT), K. Varadhan (OARnet)
June 1992
Supernetting: an Address Assignment and Aggregation Strategy
...
Abstract
This memo discusses strategies for address assignment of the existing
IP address space with a view to conserve the address space and stem
the explosive growth of routing tables in default-route-free routers
run by transit routing domain providers.
RFC 1366, 1992
Network Working Group
Request for Comments: 1366
E. Gerich, Merit
October 1992
Guidelines for Management of IP Address Space
...
1.0 Introduction
With the growth of the Internet and its increasing globalization,
much thought has been given to the evolution of the network number
allocation and assignment process.
...
2.0 Qualifications for Distributed Regional Registries
The major reason to distribute the registration function is that the
Internet serves a more diverse global population than it did at its
inception. This means that registries which are located in distinct
geographic areas may be better able to serve the local community in
terms of language and local customs.
Regional Internet Registries
“…it is [now] desirable to consider delegating the registration function to an organization in each of those geographic areas.” (RFC 1366)
(diagram: 1992)
RFC 1883, 1995
Network Working Group
Request for Comments: 1883
Category: Standards Track
S. Deering (Xerox PARC), R. Hinden (Ipsilon Networks)
December 1995
Internet Protocol, Version 6 (IPv6)
Specification
Abstract
This document specifies version 6 of the Internet Protocol (IPv6),
also sometimes referred to as IP Next Generation or IPng.
Table of Contents
1. Introduction..................................................3
2. Terminology...................................................4
3. IPv6 Header Format............................................5
...
RFC 2050, 1996
Network Working Group
Request for Comments: 2050
Obsoletes: 1466
BCP: 12
Category: Best Current Practice
K. Hubbard, M. Kosters (InterNIC); D. Conrad (APNIC); D. Karrenberg (RIPE); J. Postel (ISI)
November 1996
INTERNET REGISTRY IP ALLOCATION GUIDELINES
Abstract
This document describes the registry system for the distribution of
globally unique Internet address space and registry operations.
Particularly this document describes the rules and guidelines
governing the distribution of this address space.
Regional Internet Registries
Success: Global allocations
(chart)
Success: Global routing table
(chart: active BGP table size as seen from AS1221, http://bgp.potaroo.net/as1221/bgp-active.html, annotated with the Dotcom Bust and the GFC)
Success: IPv6
(charts: IPv6 deployment, global and Taiwan (TW); world average 23%)
The Future
What has changed since 2000?
• Size and scale
– Users: 250M to 4,500M (x18)
– Traffic: 84 to 166,000 PB/month (x2000)
– Devices: 0.5B to 20-40B (x40-x80)
• Security threats
– Massive increase in number
– Massive increase in value and damage
• Importance of the IP Address Registry function
– Primary mechanism for attribution
– Must be reliable, available, adaptable, fit-for-purpose
Demands
• Health/Quality
– Complete, correct and current
• Availability
– Consistent data and query formats
– Data available where it is needed
• Utility
– Authorised access
– Multi-lingual content capability
• Automation
– API-based accessibility
– Applicability to automated security functions
RFC 812, 1982
RFC-812
Ken Harrenstien, Vic White
Network Information Center, SRI International
1 March 1982
NICNAME/WHOIS
...
PROTOCOL
The NICNAME protocol is similar to the NAME/FINGER protocol
(RFC 742). To access the server:
Connect to the service host (SRI-NIC)
TCP: service port 43 decimal
NCP: ICP to socket 43 decimal, establishing two 8-bit
connections
Send a single "command line", ending with <CRLF>.
Receive information in response to the command line. The
server closes its connections as soon as the output is
finished.
Internet registry services – Tomorrow
• Registration Data Access Protocol (RDAP)
(NEW since 2015)
– For both names and numbers
– API for access to “whois” registry data
– Automation, AAA, i18N, redirection, extensibility
• Resource Public Key Infrastructure (RPKI)
(since 2010)
– PKI for Internet Number Resources
– Cryptographically verifiable “ownership” of INRs
– Mechanism for authorisation to route IPv4/v6 blocks
whois
whois – limitations
• Non-standardised query and result formats
– Registry-specific questions and answers
– Automation is difficult
• No AAA model
– Built for public service only
• Most servers serve US-ASCII only
– Internationalisation is not defined
• No redirection
– User/client must know or find the right server to query
whois query (free-text result)
$ whois -h whois.apnic.net 210.17.9.242
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '210.17.0.0 - 210.17.127.255'

% Abuse contact for '210.17.0.0 - 210.17.127.255' is '[email protected]'

inetnum:        210.17.0.0 - 210.17.127.255
netname:        TTN-TW
descr:          Taiwan Telecommunication Network Services Co.,LTD.
descr:          110 , 8F , No 89 , Sung Jen RD , Taipei
country:        TW
admin-c:        IP11-AP
tech-c:         IP11-AP
remarks:        service provider
mnt-by:         MAINT-TW-TWNIC
mnt-irt:        IRT-TFN-TW
mnt-lower:      MAINT-TTN-AP
status:         ALLOCATED PORTABLE
last-modified:  2011-06-01T04:13:58Z
source:         APNIC
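The free-text result above is what any automation has to cope with today. What follows is an added example, not from the original slides and not APNIC's code: a small parser for RPSL-style whois output (the APNIC/RIPE family of servers) that splits the response into attribute/value objects, converts the inetnum range into CIDR blocks, and pulls the abuse contact out of the "%" comment line where APNIC reports it. The sample input is the record shown above re-wrapped one attribute per line; the mailbox is the redacted value as it appears on this page.

```python
import ipaddress
import re

# Constructed sample: the APNIC record shown on this page, re-wrapped one
# attribute per line as the live whois.apnic.net server prints it.  The mailbox
# is the redacted value that appears on the page, kept as-is.
WHOIS_SAMPLE = """\
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '210.17.0.0 - 210.17.127.255'

% Abuse contact for '210.17.0.0 - 210.17.127.255' is '[email protected]'

inetnum:        210.17.0.0 - 210.17.127.255
netname:        TTN-TW
descr:          Taiwan Telecommunication Network Services Co.,LTD.
descr:          110 , 8F , No 89 , Sung Jen RD , Taipei
country:        TW
admin-c:        IP11-AP
tech-c:         IP11-AP
remarks:        service provider
mnt-by:         MAINT-TW-TWNIC
mnt-irt:        IRT-TFN-TW
mnt-lower:      MAINT-TTN-AP
status:         ALLOCATED PORTABLE
last-modified:  2011-06-01T04:13:58Z
source:         APNIC
"""

ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")
ABUSE_RE = re.compile(r"^% Abuse contact for '([^']+)' is '([^']+)'")


def parse_rpsl(text):
    """Split RPSL-style whois output into (comments, objects).

    comments: the '%' lines, which carry registry-specific notices.
    objects:  one dict per blank-line-separated object, attribute -> list of
              values (attributes such as descr repeat, so every value is a list).
    Continuation lines (leading blank or '+') extend the previous value.
    """
    comments, objects, current, last = [], [], {}, None
    for raw in text.splitlines():
        if raw.startswith("%"):
            comments.append(raw)
            continue
        if not raw.strip():
            if current:
                objects.append(current)
            current, last = {}, None
            continue
        m = ATTR_RE.match(raw)
        if m:
            last = m.group(1)
            current.setdefault(last, []).append(m.group(2).strip())
        elif last is not None and raw[0] in " \t+":
            current[last][-1] += " " + raw.lstrip("+ \t")
        # anything else is noise from a server format we do not understand: skip it
    if current:
        objects.append(current)
    return comments, objects


def abuse_contact(comments):
    """APNIC publishes the abuse mailbox in a '%' comment, not as an attribute
    of the object, so a parser keyed on attributes alone misses it.
    Returns (range, mailbox) or None."""
    for line in comments:
        m = ABUSE_RE.match(line)
        if m:
            return m.group(1), m.group(2)
    return None


def inetnum_to_cidrs(inetnum):
    """'a - b' range -> minimal list of CIDR strings (a range need not be one block)."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def summarize(text):
    """The few fields an abuse desk or a firewall/IPAM integration actually wants."""
    comments, objects = parse_rpsl(text)
    net = next(o for o in objects if "inetnum" in o)
    abuse = abuse_contact(comments)
    return {
        "cidrs": inetnum_to_cidrs(net["inetnum"][0]),
        "netname": net["netname"][0],
        "country": net["country"][0],
        "status": net["status"][0],
        "descr": net["descr"],
        "abuse": abuse[1] if abuse else None,
    }


if __name__ == "__main__":
    print(summarize(WHOIS_SAMPLE))
```

The regexes above are tuned to one registry's output: ARIN's whois prints a different layout and puts the abuse contact elsewhere, so a second registry means a second parser. That is the "registry-specific questions and answers" limitation in concrete form.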
RDAP
Registration Data Access Protocol
RDAP
• RDAP is the successor to the ageing WHOIS protocol
• Like WHOIS, RDAP provides…
– Access to Internet registry data:
domain names, AS numbers, and IP addresses
• Unlike WHOIS, RDAP provides…
– Structured request and response semantics
– Differentiated access
– Internationalisation
– Redirection
– Extensibility
RDAP query
(screenshot: RDAP query, structured result)
RDAP application (whowas)
https://www.apnic.net/whowas
RDAP application (vizAS)
https://www.apnic.net/vizas
RDAP benefits
• Automation
– JSON input to common programming languages
– Integration with firewall, NMS, IPAM…
• “Differentiated Access”
– If needed
• Speaks your language (and character set)
– Can implement server-side or in-client language preference
• One stop query
– Servers can redirect clients to the right authoritative server
• Web protocol is CDN friendly
– Serve local, via anycast or DNS redirection methods
– Cacheable, survives DDoS longer since distributed
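To show what "structured result" and "one stop query" mean in practice, here is an added example; it is not part of the original slides and not APNIC's code. Offline, it does two things: it picks the authoritative RDAP base URL for an address by longest-prefix match over a bootstrap file in the IANA layout (RFC 7484), and it extracts CIDR blocks and the abuse mailbox from an RDAP "ip network" response by walking nested entities and jCard properties. The bootstrap excerpt and the response are constructed: the ARIN and APNIC base URLs are as the author recalls them and should be refreshed from https://data.iana.org/rdap/ipv4.json, the rdap.example.net entry is hypothetical and exists only to exercise longest-match, and the response mirrors the whois record on this page with the same redacted mailbox.

```python
import ipaddress
import json

# Constructed excerpt of an RDAP bootstrap file in the IANA/RFC 7484 layout
# (the real one is https://data.iana.org/rdap/ipv4.json).  The ARIN and APNIC
# base URLs are as the author recalls them and must be refreshed from IANA;
# the rdap.example.net entry is hypothetical, present only so that a more
# specific prefix exists to exercise longest-prefix selection.
BOOTSTRAP_IPV4 = json.loads("""
{
  "version": "1.0",
  "services": [
    [["4.0.0.0/8", "8.0.0.0/8"], ["https://rdap.arin.net/registry/"]],
    [["1.0.0.0/8", "203.0.0.0/8", "210.0.0.0/8"], ["https://rdap.apnic.net/"]],
    [["203.176.0.0/16"], ["https://rdap.example.net/"]]
  ]
}
""")

# Constructed RDAP "ip network" response modelled on the whois record shown on
# this page (same range, netname, country, contact handles and redacted
# mailbox); nesting the IRT under the admin contact is illustrative.
RDAP_RESPONSE = json.loads("""
{
  "objectClassName": "ip network",
  "handle": "210.17.0.0 - 210.17.127.255",
  "startAddress": "210.17.0.0",
  "endAddress": "210.17.127.255",
  "ipVersion": "v4",
  "name": "TTN-TW",
  "country": "TW",
  "status": ["active"],
  "entities": [
    {"objectClassName": "entity", "handle": "IP11-AP",
     "roles": ["administrative", "technical"],
     "entities": [
       {"objectClassName": "entity", "handle": "IRT-TFN-TW", "roles": ["abuse"],
        "vcardArray": ["vcard", [
          ["version", {}, "text", "4.0"],
          ["fn", {}, "text", "IRT-TFN-TW"],
          ["email", {}, "text", "[email protected]"]
        ]]}
     ]}
  ],
  "links": [{"rel": "self", "href": "https://rdap.apnic.net/ip/210.17.0.0/17"}]
}
""")


def bootstrap_server(bootstrap, ip):
    """Pick the authoritative RDAP base URL for ip: the service whose prefix
    list contains the longest prefix covering ip (RFC 7484 section 5.1)."""
    addr = ipaddress.ip_address(ip)
    best_net, best_url = None, None
    for prefixes, urls in bootstrap["services"]:
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if addr.version == net.version and addr in net and (
                    best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_url = net, urls[0]
    return best_url


def query_url(bootstrap, ip):
    """RDAP lookup URL for an address: <base>/ip/<address> (RFC 9082)."""
    base = bootstrap_server(bootstrap, ip)
    return None if base is None else base.rstrip("/") + "/ip/" + ip


def vcard_value(vcard_array, prop_name):
    """First value of a jCard property ('email', 'fn', ...) or None."""
    for prop in vcard_array[1]:
        if prop[0] == prop_name:
            return prop[3]
    return None


def find_contacts(entities, role):
    """Depth-first walk over entities, which may nest, yielding (handle, email)
    for every entity that carries the requested role."""
    for ent in entities or []:
        if role in ent.get("roles", []):
            email = vcard_value(ent["vcardArray"], "email") if "vcardArray" in ent else None
            yield ent.get("handle"), email
        yield from find_contacts(ent.get("entities"), role)


def summarize_ip_network(resp):
    """The same fields the whois parser had to scrape, read from structured JSON."""
    if resp.get("objectClassName") != "ip network":
        raise ValueError("expected an ip network object")
    first = ipaddress.ip_address(resp["startAddress"])
    last = ipaddress.ip_address(resp["endAddress"])
    abuse = [mail for _, mail in find_contacts(resp.get("entities"), "abuse") if mail]
    return {
        "cidrs": [str(n) for n in ipaddress.summarize_address_range(first, last)],
        "name": resp.get("name"),
        "country": resp.get("country"),
        "status": resp.get("status", []),
        "abuse": abuse[0] if abuse else None,
    }


if __name__ == "__main__":
    print(query_url(BOOTSTRAP_IPV4, "210.17.9.242"))
    print(summarize_ip_network(RDAP_RESPONSE))
```

In production the client fetches the bootstrap file, sends GET on the URL from query_url with Accept: application/rdap+json, and follows 3xx responses; that redirect is how a registry hands off a query for a range it does not hold, which is the "one stop query" property whois never had.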
RPKI
Resource Public Key Infrastructure
RPKI
• RPKI is a public key infrastructure (PKI) framework,
designed to secure Internet routing
– Based on X.509 PKI standards
• RPKI adds INR information to X.509 certificates
– Representing “ownership” and other status
– Certification issued with INR allocations
– APNIC: Available through MyAPNIC
RPKI objects
• Resource certificates
– Extended X.509 certificates
– Providing authority to use given IPv4/6 and ASN resources
– Issued/Signed by IP address registry
• Route Origin Authorisation (ROA)
– Giving an ASN authority to route specific IP blocks
– Issued/Signed by IP resource holder
• Resource Tagged Attestation (RTA)
– Plus other useful objects proposed
Internet routing…
The Internet Global Routing Table
(diagram: the Global Routing Table holds entries such as 4.128/9, 60.100/16, 60.100.0/20, 135.22/16, 203.176.32.0/19, …; AS17821 announces 202.12.29.0/24 and 203.176.32.0/19: how does a receiving router know whether either announcement is authorised?)
Routing security breaches
Facebook, Mar 2019
Google, Nov 2018
Google, Nov 2012
YouTube, Feb 2008
Amazon, Apr 2018
Route Origin Validation
• Use of Route Origin Authorisation (ROA)
(diagram: AS17821 announces 203.176.32.0/19 to a peer, upstream or IXP, which checks the announcement against the ROA before accepting it and passing it on to ISP 1, ISP 2 and ISP 3)
ROV at IXPs
(diagram: Validator → validated cache → RPKI-to-Router (RTR) → Route Server; routes come in, tagged/filtered routes go out)
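The "RPKI objects" and "ROV at IXPs" slides describe one pipeline: a validator turns ROAs into validated payloads (VRPs), pushes them to routers over RPKI-to-Router (RTR), and the router tags each route Valid, Invalid or NotFound. The block below is an added example, not from the original slides and not from any validator or router vendor, that does both halves in Python: it decodes RTR IPv4 Prefix PDUs (RFC 6810) into a VRP set, honouring withdrawals and rejecting truncated or mis-sized PDUs, then applies RFC 6811 origin validation to a handful of routes. The RTR session is constructed; the ROA for 203.176.32.0/19 originated by AS17821 is hypothetical and reuses the page's example prefix and ASN; AS64496, AS64500 and 198.51.100.0/24 are documentation values.

```python
import ipaddress
import struct
from collections import namedtuple

VRP = namedtuple("VRP", "prefix maxlen asn")  # one Validated ROA Payload

# RTR IPv4 Prefix PDU, RFC 6810 section 5.6, 20 bytes in network byte order:
# version(1) type(1)=4 zero(2) length(4)=20 flags(1) prefixlen(1) maxlen(1)
# zero(1) prefix(4) asn(4).  Flags bit 0 set = announce, clear = withdraw.
RTR_IPV4_PREFIX = struct.Struct("!BBHIBBBB4sI")
PDU_IPV4_PREFIX, PDU_END_OF_DATA = 4, 7


def encode_ipv4_prefix_pdu(vrp, announce=True):
    """Build the PDU a cache would send for one VRP (used here to construct input)."""
    net = ipaddress.ip_network(vrp.prefix)
    return RTR_IPV4_PREFIX.pack(0, PDU_IPV4_PREFIX, 0, RTR_IPV4_PREFIX.size,
                                1 if announce else 0, net.prefixlen, vrp.maxlen, 0,
                                net.network_address.packed, vrp.asn)


def decode_pdus(data, vrps=None):
    """Apply a byte stream of RTR PDUs to the router's VRP set.

    Only IPv4 Prefix PDUs change the set; every other type is stepped over by
    its length field.  The length is checked against the buffer before any
    unpack so a truncated or lying PDU raises instead of reading past the end.
    """
    vrps = set() if vrps is None else vrps
    off = 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated PDU header at offset %d" % off)
        _version, ptype, _, length = struct.unpack_from("!BBHI", data, off)
        if length < 8 or off + length > len(data):
            raise ValueError("bad PDU length %d at offset %d" % (length, off))
        if ptype == PDU_IPV4_PREFIX:
            if length != RTR_IPV4_PREFIX.size:
                raise ValueError("IPv4 Prefix PDU must be %d bytes" % RTR_IPV4_PREFIX.size)
            fields = RTR_IPV4_PREFIX.unpack_from(data, off)
            flags, plen, maxlen, prefix, asn = fields[4], fields[5], fields[6], fields[8], fields[9]
            if not plen <= maxlen <= 32:
                raise ValueError("inconsistent prefix/max length")
            net = ipaddress.ip_network("%s/%d" % (ipaddress.IPv4Address(prefix), plen), strict=False)
            vrp = VRP(str(net), maxlen, asn)
            if flags & 1:
                vrps.add(vrp)
            else:
                vrps.discard(vrp)
        off += length
    return vrps


def validate(vrps, prefix, origin_asn):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'.

    A route is covered when some VRP prefix contains it.  It matches when, in
    addition, its length is within that VRP's maxLength and the origin ASN is
    equal.  One match is enough for valid; covered but never matched is invalid.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        vnet = ipaddress.ip_network(vrp.prefix)
        if vnet.version != route.version or not route.subnet_of(vnet):
            continue
        covered = True
        if route.prefixlen <= vrp.maxlen and origin_asn == vrp.asn:
            return "valid"
    return "invalid" if covered else "notfound"


def sample_session():
    """Constructed cache-to-router fragment.  The ROA 203.176.32.0/19 (maxLength
    24) for AS17821 is hypothetical (prefix and ASN are the page's example); the
    198.51.100.0/24 VRP is announced and then withdrawn; the trailing End of
    Data PDU shows that unrelated PDU types are skipped."""
    return b"".join([
        encode_ipv4_prefix_pdu(VRP("203.176.32.0/19", 24, 17821)),
        encode_ipv4_prefix_pdu(VRP("198.51.100.0/24", 24, 64500)),
        encode_ipv4_prefix_pdu(VRP("198.51.100.0/24", 24, 64500), announce=False),
        struct.pack("!BBHII", 0, PDU_END_OF_DATA, 0x1234, 12, 42),
    ])


ROUTES = [
    ("203.176.32.0/19", 17821),  # exactly the ROA
    ("203.176.40.0/24", 17821),  # more specific, still within maxLength 24
    ("203.176.32.0/25", 17821),  # too specific: invalid even from the right AS
    ("203.176.32.0/20", 64496),  # wrong origin (hijack or fat finger): invalid
    ("202.12.29.0/24", 17821),   # no ROA at all: notfound, ROV says nothing
    ("198.51.100.0/24", 64500),  # its ROA was withdrawn: notfound
]


def classify(vrps, routes):
    return {(p, a): validate(vrps, p, a) for p, a in routes}


if __name__ == "__main__":
    cache = decode_pdus(sample_session())
    for (p, a), verdict in classify(cache, ROUTES).items():
        print("%-18s AS%-6d %s" % (p, a, verdict))
```

Two outcomes deserve attention. A too-specific announcement from the legitimate AS is Invalid exactly like the wrong-origin one, so maxLength should be set no looser than what is actually announced. A prefix with no ROA at all is NotFound, which most operators still accept; creating ROAs (the "How do I start?" step) is what moves a prefix out of that unprotected state.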
RPKI status – Global
(charts from https://rpki-monitor.antd.nist.gov: Valid 17.80%, Invalid 0.90%)
RPKI benefits
• Improved verification of resource holdings
– Much safer than manually checking whois, LOAs etc
– Ease of automation
• Improved security of the routing system
– ROV helps prevent BGP attacks and errors
– BGP path validation is under development
• Deployment is accelerating
– AWS BYOIP service requires ROAs for customers
– Cloudflare ROV at all POPs, and public validator service
– Other IXPs, CDNs and Tier 1 providers are starting to require it
How do I start?
• Create your ROAs
– APNIC members, use MyAPNIC
– Encourage your IXP to implement ROV
• Then
– Set up route validation at your own border routers
– Encourage your peers/customers
• APNIC can help!
– Please contact APNIC Helpdesk
Conclusions
The RIRs (and NIRs)
• Part of “Internet Governance”
since before “Internet Governance”
• Proving the role and the success of the Technical
Community’s bottom-up self-Governance
– Working to ensure that the Internet remains
voluntary, open, interoperable and interconnected
• The Internet has a long way to go (and grow)
– Our responsibilities can only get more important
• We all have plenty of work to do
• Let’s do it together!
http://2020.apricot.net
Call for Papers and Registration
open now
APNIC 49
APNIC 50
• Dhaka, Bangladesh
Thanks!