Having just spent two and a half days at an ARIN Public Policy Meeting, ARIN 39, I’d like to share some of my impressions of the meeting and the state of address policy in the region served by ARIN.
It’s clear that ARIN has largely undertaken its mission with careful and considered distinction. It has achieved much of what is efficiently achievable in a consensus-driven, open process and left what is overly contentious, or too enmeshed in the vagaries of history to even attempt to unravel. What this means is that these days, ARIN meetings are generally not filled with high drama and fraught contentious debate, and this latest meeting was no exception.
In terms of policy, the meeting largely dealt with matters that were obvious or could be seen as “precise” clarifications of existing policies. However, there was one point where I thought that there was some level of disconnect, and that concerns the contents of the ARIN number registry.
Managing and curating whois database policies
Over the years, ARIN and its predecessors have made some 50,000 allocations of IP addresses and/or Autonomous System Numbers; these entities, and the resources they currently hold, are listed in the ARIN registry. However, that’s not all that you can find in this registry.
For many years, it has been a requirement to submit to ARIN the details of certain address sub-assignments made by recipients of ARIN addresses. ARIN’s database holds more than 600,000 records that list addresses and points of contact (PoCs).
It is unclear to what extent this secondary set of records of sub-assignments is complete, or even whether it was accurate at any point in time. Such records were evidently reviewed at those times when the original address holder requested additional addresses and revised their sub-assignment records as part of the ARIN review of address use. But at other times the level of attention paid to the completeness and currency of these sub-assignment records was somewhat variable.
It was evident in the policy discussion at this meeting that a number of agencies, generally associated with aspects of law enforcement (LEAs), would like to see more attention paid to this registry. Two policy proposals – Draft Policy ARIN-2016-8: Removal of Indirect POC Validation Requirement and Draft Policy ARIN-2017-3: Update to NRPM 3.6: Annual Whois POC Validation – essentially proposed to task ARIN with some level of continual activity that would monitor the accuracy of all of these records in the database.
It’s certainly the case that almost all forms of criminal and extreme behaviours are “cyber crimes” of one form or another, and relating traces of online criminal or extremist behaviour to the identities of individuals is a natural desire by these LEAs.
The analogous reference in the days of telephony was a ‘reverse phone book’ where a phone number could be traced to a subscriber. If this was possible for the telephone network, why can’t we do this for the Internet? After all, everyone who generates an online transaction uses an IP address. Why can’t we publish some form of ‘Internet Reverse Phone Book’ listing all IP addresses with end entities?
It was evident from the discussion at ARIN 39 that some LEAs are interested to see this happen, and in the case of North America, they are keen to see ARIN take a leading role in facilitating this. And this registry of some 600,000 IP address holders is thought to be a really good place to start. This policy proposal is advocating that ARIN regularly audit all these PoCs and ensure that they are accurate.
That is all well and good, but there are some additional aspects to consider here. In the US alone, there are estimated to be some 282 million individual users of the Internet. Which subset of this rather significant set of users is listed in the ARIN database as a PoC for an IP address?
Obviously, there are a massive number of assigned IP addresses where no PoC exists in ARIN’s registry. These sub-assignment records are not records that were created by ARIN and are not curated by ARIN. Indeed, it is probably the case that many of these listed entities are unaware that they are listed in this database.
It does seem a little far-fetched to compel ARIN to contact a set of folk that have no relationship with – and potentially no knowledge of – ARIN, and start a conversation about the accuracy of the contact information that ARIN holds.
The obvious weakness of this database, in terms of its level of comprehensive coverage of attribution of effective end user assignment of IP addresses, is probably as much to do with the architecture of today’s Internet as it is to do with any failings in attempting to keep these sub-assignment records up to date. Many retail access providers use either dynamic address assignment pools in those cases where public IP addresses are assigned to end users, or, more commonly these days, the use of public addresses is completely automated by virtue of carrier grade NAT deployments. In the latter case, not only is the address dynamically assigned, but it is likely to be shared over many customers, possibly up to tens of thousands of customers in a large CGN pool.
The overall numbers of today’s Internet point to the scope of address sharing. Current estimates indicate that the Internet is populated by between 12 and 14 billion attached devices, which use an estimated 1.5 to 2 billion IP addresses. Obviously, not every endpoint has its own unique IP address.
Maybe it’s time to walk away from phone books and from the concept that there is some underlying persistence in the association of individual IP addresses and connected end point devices.
It’s certainly reasonable for a registry such as ARIN, or any of the other four Regional Internet Registries, to work diligently to ensure that the data in their registry that relates to address assignments directly made by the registry is complete and accurate at all times. But it is perhaps not so reasonable to compel these same registries to create a public repository of sub-assignment of addresses and the related record keeping of dynamic address assignments by service providers.
The registry has little in the way of effective inducement or enforcement abilities to ensure that any such records are complete, current or accurate. And partial data sets of dubious provenance are often less valuable than having no data in the first place.
What might help here is for ARIN to very clearly mark all data that relates to address assignments made by them, and ensure they actively curate such data, even to the extent of being able to query the ARIN-only entries for address records. As for the other 600,000 or so entries, maybe the case can be made that no data at all is better than incomplete bad data!
Address transfer policies
In policy discussions, the long-standing debate over address transfer policies was raised.
- Draft Policy ARIN-2017-1: Clarify Slow Start for Transfers
- Recommended Draft Policy ARIN-2016-9: Streamline Merger & Acquisition Transfers
- Recommended Draft Policy ARIN-2016-3: Alternative simplified criteria for justifying small IPv4 transfers
In ARIN, there continues to be a school of thought that strongly believes that a recipient of an address transfer needs to be able to meet some “demonstrated need” criteria before the transfer will be recorded in ARIN’s registry.
There is also a school of thought that strongly believes that the imposition of policies that prevent the registration of address transfers does not prevent the transfer, but instead disconnects the registry from the “ground truth” of the network itself, demeaning the utility of the registry as a common reference source relating to the current disposition of addresses.
There is no commonly acceptable resolution to this debate that has emerged so far, and certainly not at ARIN 39! Instead, we are seeing some policy proposals tinkering with the very fine level details surrounding the handling of address transfers. No doubt this topic will be revisited at future ARIN meetings.
As is usual, ARIN 39 was a well-organised meeting, fulfilling ARIN’s undertaking to support an open and transparent policy development process.
The meeting was also well supported for both local and remote participants, and the efforts to ensure that all participants were well briefed on the matters under consideration were nothing short of exemplary. For this, both ARIN and the participants at these public address policy meetings deserve plaudits for undertaking an important and at times difficult task with friendliness and a common desire to seek a working consensus wherever and whenever that’s achievable.