From sethm at rollernet.us Thu Oct 4 11:26:42 2012
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 04 Oct 2012 08:26:42 -0700
Subject: [arin-tech-discuss] arin.net IPv6 routing loop?
Message-ID: <506DAAB2.1090809@rollernet.us>

There appears to be some kind of IPv6 routing loop for arin.net:

traceroute to arin.net (2001:500:4:13::80), 30 hops max, 80 byte packets
 1 2607:fe70:0:beef::1 (2607:fe70:0:beef::1) 0.541 ms 0.678 ms 0.804 ms
 2 core1-eth0.rollernet.net (2607:fe70::7:1) 0.084 ms 0.130 ms 0.125 ms
 3 2607:fe70::4:2 (2607:fe70::4:2) 0.783 ms 0.780 ms 0.924 ms
 4 sl-gw34-stk-se10-0-2.v6.sprintlink.net (2600:6:300::6) 5.576 ms * *
 5 sl-crs2-stk-te0-5-0-1.v6.sprintlink.net (2600:0:2:1239:144:232:6:63) 6.490 ms 6.488 ms 6.482 ms
 6 sl-crs2-sj-bu-2.v6.sprintlink.net (2600:0:2:1239:144:232:7:126) 10.335 ms 9.268 ms 9.258 ms
 7 sl-st31-sj-po0-15-0-0.v6.sprintlink.net (2600:0:2:1239:144:232:8:151) 9.775 ms 9.788 ms 9.306 ms
 8 * * *
 9 10gigabitethernet3-3.core1.den1.he.net (2001:470:0:1b4::2) 56.730 ms 56.714 ms 57.186 ms
10 10gigabitethernet8-2.core1.chi1.he.net (2001:470:0:1af::1) 56.669 ms 56.679 ms 55.425 ms
11 2001:470:0:286::2 (2001:470:0:286::2) 73.657 ms 74.064 ms 73.141 ms
12 arin.10gigabitethernet14.switch3.ash1.he.net (2001:470:1:20f::2) 74.449 ms 72.766 ms 73.940 ms
13 cr2.arin.net (2001:500:4:10::12) 72.885 ms 73.177 ms 72.880 ms
14 cr1.arin.net (2001:500:4:10::1) 73.140 ms 73.512 ms 73.238 ms
15 cr2.arin.net (2001:500:4:10::12) 73.756 ms 75.662 ms 78.528 ms
16 cr1.arin.net (2001:500:4:10::1) 73.912 ms 73.643 ms 73.447 ms
17 cr2.arin.net (2001:500:4:10::12) 74.108 ms 74.142 ms 74.084 ms
18 cr1.arin.net (2001:500:4:10::1) 73.322 ms 74.743 ms 72.977 ms
19 * * *
20 cr1.arin.net (2001:500:4:10::1) 75.067 ms 74.634 ms *
21 * * *
22 * * *
23 * cr2.arin.net (2001:500:4:10::12) 74.118 ms *
24 cr1.arin.net (2001:500:4:10::1) 74.296 ms 74.127 ms 74.591 ms
25 * cr2.arin.net (2001:500:4:10::12) 73.775 ms 73.789 ms
26 cr1.arin.net (2001:500:4:10::1) 74.091 ms 74.077 ms 74.213 ms
27 cr2.arin.net (2001:500:4:10::12) 73.990 ms * *
28 cr1.arin.net (2001:500:4:10::1) 74.190 ms 75.286 ms 74.401 ms
29 * cr2.arin.net (2001:500:4:10::12) 73.907 ms *
30 * * cr1.arin.net (2001:500:4:10::1) 72.991 ms

From markk at arin.net Thu Oct 4 15:05:22 2012
From: markk at arin.net (Mark Kosters)
Date: Thu, 4 Oct 2012 19:05:22 +0000
Subject: [arin-tech-discuss] arin.net IPv6 routing loop?
In-Reply-To: <506DAAB2.1090809@rollernet.us>
Message-ID:

Hi Seth

Thank you for your report. IPv6 routing to ARIN was interrupted from approximately 11:19AM EDT until 11:34AM EDT today. IPv4 was not affected at any time. The issue has since been resolved and I believe everything now is operating normally.

Thanks,
Mark Kosters
ARIN CTO

On 10/4/12 11:26 AM, "Seth Mattinen" wrote:

>There appears to be some kind of IPv6 routing loop for arin.net:
>
>
>traceroute to arin.net (2001:500:4:13::80), 30 hops max, 80 byte packets
> 1 2607:fe70:0:beef::1 (2607:fe70:0:beef::1) 0.541 ms 0.678 ms 0.804 ms
> 2 core1-eth0.rollernet.net (2607:fe70::7:1) 0.084 ms 0.130 ms 0.125 ms
> 3 2607:fe70::4:2 (2607:fe70::4:2) 0.783 ms 0.780 ms 0.924 ms
> 4 sl-gw34-stk-se10-0-2.v6.sprintlink.net (2600:6:300::6) 5.576 ms * *
> 5 sl-crs2-stk-te0-5-0-1.v6.sprintlink.net (2600:0:2:1239:144:232:6:63) 6.490 ms 6.488 ms 6.482 ms
> 6 sl-crs2-sj-bu-2.v6.sprintlink.net (2600:0:2:1239:144:232:7:126) 10.335 ms 9.268 ms 9.258 ms
> 7 sl-st31-sj-po0-15-0-0.v6.sprintlink.net (2600:0:2:1239:144:232:8:151) 9.775 ms 9.788 ms 9.306 ms
> 8 * * *
> 9 10gigabitethernet3-3.core1.den1.he.net (2001:470:0:1b4::2) 56.730 ms 56.714 ms 57.186 ms
>10 10gigabitethernet8-2.core1.chi1.he.net (2001:470:0:1af::1) 56.669 ms 56.679 ms 55.425 ms
>11 2001:470:0:286::2 (2001:470:0:286::2) 73.657 ms 74.064 ms 73.141 ms
>12 arin.10gigabitethernet14.switch3.ash1.he.net (2001:470:1:20f::2) 74.449 ms 72.766 ms 73.940 ms
>13 cr2.arin.net (2001:500:4:10::12) 72.885 ms 73.177 ms 72.880 ms
>14 cr1.arin.net (2001:500:4:10::1) 73.140 ms 73.512 ms 73.238 ms
>15 cr2.arin.net (2001:500:4:10::12) 73.756 ms 75.662 ms 78.528 ms
>16 cr1.arin.net (2001:500:4:10::1) 73.912 ms 73.643 ms 73.447 ms
>17 cr2.arin.net (2001:500:4:10::12) 74.108 ms 74.142 ms 74.084 ms
>18 cr1.arin.net (2001:500:4:10::1) 73.322 ms 74.743 ms 72.977 ms
>19 * * *
>20 cr1.arin.net (2001:500:4:10::1) 75.067 ms 74.634 ms *
>21 * * *
>22 * * *
>23 * cr2.arin.net (2001:500:4:10::12) 74.118 ms *
>24 cr1.arin.net (2001:500:4:10::1) 74.296 ms 74.127 ms 74.591 ms
>25 * cr2.arin.net (2001:500:4:10::12) 73.775 ms 73.789 ms
>26 cr1.arin.net (2001:500:4:10::1) 74.091 ms 74.077 ms 74.213 ms
>27 cr2.arin.net (2001:500:4:10::12) 73.990 ms * *
>28 cr1.arin.net (2001:500:4:10::1) 74.190 ms 75.286 ms 74.401 ms
>29 * cr2.arin.net (2001:500:4:10::12) 73.907 ms *
>30 * * cr1.arin.net (2001:500:4:10::1) 72.991 ms
>_______________________________________________
>arin-tech-discuss mailing list
>arin-tech-discuss at arin.net
>http://lists.arin.net/mailman/listinfo/arin-tech-discuss

From markk at arin.net Mon Oct 8 13:53:01 2012
From: markk at arin.net (Mark Kosters)
Date: Mon, 8 Oct 2012 17:53:01 +0000
Subject: [arin-tech-discuss] Maintenance Notice on the OT&E Registration System
Message-ID:

Hi

On Oct 9, 2012 from 12:00PM until 1:00PM EDT, the OT&E Registration System will be down for maintenance. All production services will remain in operation before, during, and after this maintenance period.

Regards,
Mark Kosters
ARIN CTO

From markk at arin.net Tue Oct 9 16:25:25 2012
From: markk at arin.net (Mark Kosters)
Date: Tue, 9 Oct 2012 20:25:25 +0000
Subject: [arin-tech-discuss] Maintenance Notice on the OT&E Registration System
In-Reply-To:
Message-ID:

Hi

This is a belated notice but OT&E will be down until at least 5:00PM EDT on Oct 9 due to some complications. We apologize for any inconvenience that this may have caused.

Regards,
Mark Kosters
ARIN CTO

On 10/8/12 1:53 PM, "Mark Kosters" wrote:

>Hi
>
>On Oct 9, 2012 from 12:00PM until 1:00PM EDT, the OT&E Registration
>System will be down for maintenance. All production services will remain
>in operation before, during, and after this maintenance period.
>
>Regards,
>Mark Kosters
>ARIN CTO
>

From markk at arin.net Tue Oct 9 17:25:29 2012
From: markk at arin.net (Mark Kosters)
Date: Tue, 9 Oct 2012 21:25:29 +0000
Subject: [arin-tech-discuss] Maintenance Notice on the OT&E Registration System
In-Reply-To:
Message-ID:

Hi

I'm pleased to announce that OT&E is back up and willing to accept your test RESTful queries. The OT&E whois service will be reflecting changes within the OT&E environment within two hours (7:00PM EDT).

Thanks for your patience,
Mark Kosters
ARIN CTO

On 10/9/12 4:25 PM, "Mark Kosters" wrote:

>Hi
>
>This is a belated notice but OT&E will be down until at least 5:00PM EDT
>on Oct 9 due to some complications. We apologize for any inconvenience
>that this may have caused.
>
>Regards,
>Mark Kosters
>ARIN CTO
>
>On 10/8/12 1:53 PM, "Mark Kosters" wrote:
>
>>Hi
>>
>>On Oct 9, 2012 from 12:00PM until 1:00PM EDT, the OT&E Registration
>>System will be down for maintenance. All production services will remain
>>in operation before, during, and after this maintenance period.
>>
>>Regards,
>>Mark Kosters
>>ARIN CTO
>>
>

From anna.claiborne at gmail.com Fri Oct 12 16:52:56 2012
From: anna.claiborne at gmail.com (Anna Claiborne)
Date: Fri, 12 Oct 2012 13:52:56 -0700
Subject: [arin-tech-discuss] ARIN API Question
Message-ID: <2656AA3C-6263-4E95-8DE6-D4A14A74B4D7@gmail.com>

Hello

Is there a way to retrieve, via the API, a list of all sub net blocks under parent block? Or even a list of net handles to then look up the net range or cidr?

For example: 69.7.160.0/19
http://whois.arin.net/rest/cidr/69.7.160.0/19/

has several swipped /28s. How do I find them from the parent block information?

With RIPE, you can do a reverse lookup on a block and get a list inet num objects back. Is the equivalent to this with ARIN? Thanks in advance for any help.

-Anna

From dhuberma at arin.net Fri Oct 12 16:57:37 2012
From: dhuberma at arin.net (David Huberman)
Date: Fri, 12 Oct 2012 20:57:37 +0000
Subject: [arin-tech-discuss] ARIN API Question
In-Reply-To: <2656AA3C-6263-4E95-8DE6-D4A14A74B4D7@gmail.com>
Message-ID:

Hiya Anna,

You can use /children to get what you want:

http://whois.arin.net/rest/net/NET-69-7-160-0-1/children

Best,
David

---
David R Huberman
Principal Technical Analyst, ARIN
703-227-9866

On 10/12/12 4:52 PM, "Anna Claiborne" wrote:

Hello

Is there a way to retrieve, via the API, a list of all sub net blocks under parent block? Or even a list of net handles to then look up the net range or cidr?

For example: 69.7.160.0/19
http://whois.arin.net/rest/cidr/69.7.160.0/19/

has several swipped /28s. How do I find them from the parent block information?

With RIPE, you can do a reverse lookup on a block and get a list inet num objects back. Is the equivalent to this with ARIN? Thanks in advance for any help.

-Anna

From brak at gameservers.com Fri Oct 12 16:58:33 2012
From: brak at gameservers.com (Brian Rak)
Date: Fri, 12 Oct 2012 16:58:33 -0400
Subject: [arin-tech-discuss] ARIN API Question
In-Reply-To: <2656AA3C-6263-4E95-8DE6-D4A14A74B4D7@gmail.com>
References: <2656AA3C-6263-4E95-8DE6-D4A14A74B4D7@gmail.com>
Message-ID: <50788479.5000105@gameservers.com>

It's a pain. There's an API call that does it, but only if you've got under 255 reassignments.

What we do is:

1) Request a reassignment report (/rest/report/reassignment/)
2) Wait for the report to complete
3) Download the report (/rest/ticket/)
4) Convert the XLS document returned to a CSV (xls2csv works okay)
5) Parse the CSV for all the reassignments within the subnet range

It seems awful, but it's been the only reliable way of doing it that I've found.

Re: /children. Note the message at the top: 'This list contains more than 256 records. Additional records are not shown.'. This restriction makes it pretty much useless.

On 10/12/2012 4:52 PM, Anna Claiborne wrote:
> Hello
>
> Is there a way to retrieve, via the API, a list of all sub net blocks
> under parent block? Or even a list of net handles to then look up the
> net range or cidr?
>
> For example: 69.7.160.0/19
> http://whois.arin.net/rest/cidr/69.7.160.0/19/
>
> has several swipped /28s. How do I find them from the parent block
> information?
>
> With RIPE, you can do a reverse lookup on a block and get a list inet
> num objects back. Is the equivalent to this with ARIN? Thanks in
> advance for any help.
>
> -Anna

From anna.claiborne at gmail.com Fri Oct 12 17:13:48 2012
From: anna.claiborne at gmail.com (Anna Claiborne)
Date: Fri, 12 Oct 2012 14:13:48 -0700
Subject: [arin-tech-discuss] ARIN API Question
In-Reply-To: <50788479.5000105@gameservers.com>
References: <2656AA3C-6263-4E95-8DE6-D4A14A74B4D7@gmail.com> <50788479.5000105@gameservers.com>
Message-ID: <98CC6BB1-D1C6-49AF-98F8-2FD5678E3D11@gmail.com>

Thanks for quick reply David. We really need something that will return all records, not just limited to 256. Is it possible to get this limited removed, or at least raised?

Brian, that is an interesting work around....I'll have to see if we could automate something like that to work. However, the best answer would be to just to get all records returned with the children call.

-Anna

On Oct 12, 2012, at 1:58 PM, Brian Rak wrote:

> It's a pain. There's an API call that does it, but only if you've got under 255 reassignments.
>
> What we do is:
>
> 1) Request a reassignment report (/rest/report/reassignment/)
> 2) Wait for the report to complete
> 3) Download the report (/rest/ticket/)
> 4) Convert the XLS document returned to a CSV (xls2csv works okay)
> 5) Parse the CSV for all the reassignments within the subnet range
>
> It seems awful, but it's been the only reliable way of doing it that I've found.
>
>
> Re: /children. Note the message at the top: 'This list contains more than 256 records. Additional records are not shown.'. This restriction makes it pretty much useless.
>
>
> On 10/12/2012 4:52 PM, Anna Claiborne wrote:
>> Hello
>>
>> Is there a way to retrieve, via the API, a list of all sub net blocks under parent block? Or even a list of net handles to then look up the net range or cidr?
>>
>> For example: 69.7.160.0/19
>> http://whois.arin.net/rest/cidr/69.7.160.0/19/
>>
>> has several swipped /28s. How do I find them from the parent block information?
>>
>> With RIPE, you can do a reverse lookup on a block and get a list inet num objects back. Is the equivalent to this with ARIN? Thanks in advance for any help.
>>
>> -Anna

From anna.claiborne at gmail.com Fri Oct 12 17:50:43 2012
From: anna.claiborne at gmail.com (Anna Claiborne)
Date: Fri, 12 Oct 2012 14:50:43 -0700
Subject: [arin-tech-discuss] ARIN API Question
In-Reply-To: <98CC6BB1-D1C6-49AF-98F8-2FD5678E3D11@gmail.com>
References: <2656AA3C-6263-4E95-8DE6-D4A14A74B4D7@gmail.com> <50788479.5000105@gameservers.com> <98CC6BB1-D1C6-49AF-98F8-2FD5678E3D11@gmail.com>
Message-ID: <22DCAE0F-27B9-49F4-8B4D-C3ECC3D313D4@gmail.com>

Just as another note, even results paging (opposed to returning everything at once) would be extremely helpful. That would limit the data returned in one request, but still provide it all (if the concern is too much data being returned in one call).

-Anna

On Oct 12, 2012, at 2:13 PM, Anna Claiborne wrote:

> Thanks for quick reply David. We really need something that will return all records, not just limited to 256. Is it possible to get this limited removed, or at least raised?
>
> Brian, that is an interesting work around....I'll have to see if we could automate something like that to work. However, the best answer would be to just to get all records returned with the children call.
>
> -Anna
>
> On Oct 12, 2012, at 1:58 PM, Brian Rak wrote:
>
>> It's a pain. There's an API call that does it, but only if you've got under 255 reassignments.
>>
>> What we do is:
>>
>> 1) Request a reassignment report (/rest/report/reassignment/)
>> 2) Wait for the report to complete
>> 3) Download the report (/rest/ticket/)
>> 4) Convert the XLS document returned to a CSV (xls2csv works okay)
>> 5) Parse the CSV for all the reassignments within the subnet range
>>
>> It seems awful, but it's been the only reliable way of doing it that I've found.
>>
>>
>> Re: /children. Note the message at the top: 'This list contains more than 256 records. Additional records are not shown.'. This restriction makes it pretty much useless.
>>
>>
>> On 10/12/2012 4:52 PM, Anna Claiborne wrote:
>>> Hello
>>>
>>> Is there a way to retrieve, via the API, a list of all sub net blocks under parent block? Or even a list of net handles to then look up the net range or cidr?
>>>
>>> For example: 69.7.160.0/19
>>> http://whois.arin.net/rest/cidr/69.7.160.0/19/
>>>
>>> has several swipped /28s. How do I find them from the parent block information?
>>>
>>> With RIPE, you can do a reverse lookup on a block and get a list inet num objects back. Is the equivalent to this with ARIN? Thanks in advance for any help.
>>>
>>> -Anna

From security at mutluit.com Sun Oct 14 10:29:32 2012
From: security at mutluit.com (U.Mutlu)
Date: Sun, 14 Oct 2012 16:29:32 +0200
Subject: [arin-tech-discuss] If abuse contact isn't functioning
Message-ID: <507ACC4C.5010802@mutluit.com>

Hello,

I wanted to ask what ARIN does when it receives complaints and evidence that a published abuse contact in the ARIN WHOIS db isn't functioning (ie. when Abuse Reports sent to that contact all bounce)? Which steps, if any, does ARIN take in such cases?

Regards,
U.Mutlu

From jayb at braeburn.org Mon Oct 15 17:32:48 2012
From: jayb at braeburn.org (Jay Borkenhagen)
Date: Mon, 15 Oct 2012 17:32:48 -0400
Subject: [arin-tech-discuss] [arin-announce] Resource Public Key Infrastructure (RPKI) Now Available to ARIN Customers
Message-ID: <20604.33024.742339.365286@oz.mt.att.com>

OK, I'll bite:

When an ARIN resource holder publishes ROAs in ARIN's RPKI, it is clear that they want the entire RPKI universe to be able to see those ROAs and all the supporting records, to reduce the likelihood that networks around the world will believe hijack attempts.

Requiring 'those wishing to validate RPKI information' to click 'accept' or to take any other explicit action only gets in the way of achieving that goal.

Therefore: please publish the ARIN TAL openly to maximize the utility of the RPKI to ARIN's resource holders.

On 17-September, Mark Kosters wrote on arin-announce:

> ARIN is proud to announce that ARIN resource holders with either a
> signed RSA or LRSA may now participate in RPKI through ARIN Online.
> Additionally, those wishing to validate RPKI information may do so after
> requesting a Trust Anchor Locator (TAL). ARIN's TAL is required to
> validate information from ARIN's RPKI repository.
>
> RPKI is a free, opt-in service that allows users to certify their
> Internet number resources to help secure Internet routing. This
> initiative has been developed within the IETF's SIDR Working Group, with
> involvement from Regional Internet Registries (RIRs), and numerous
> Internet Service Providers (ISPs).
>
> ARIN encourages members of the Internet community to certify their
> resources through RPKI. Internet routing today is vulnerable to
> hijacking and the provisioning/use of certificates is one of steps
> required to make routing more secure. Widespread RPKI adoption will
> help simplify IP address holder verification and routing decision-making
> on the Internet.
>
> ARIN plans to continually review and improve RPKI based upon user
> feedback. Users are encouraged to report any issues via the
> arin-tech-discuss mailing list.
>
> For more information about this crucial step in securing Internet
> routing as well as future enhancement plans, visit ARIN's RPKI Home
> Page at https://www.arin.net/resources/rpki/index.html.
>
> Regards,
>
> Mark Kosters
>
> Chief Technical Officer (CTO)
>
> American Registry for Internet Numbers (ARIN)
>

From jcurran at arin.net Mon Oct 15 21:04:59 2012
From: jcurran at arin.net (John Curran)
Date: Tue, 16 Oct 2012 01:04:59 +0000
Subject: [arin-tech-discuss] [arin-announce] Resource Public Key Infrastructure (RPKI) Now Available to ARIN Customers
In-Reply-To: <20604.33024.742339.365286@oz.mt.att.com>
References: <20604.33024.742339.365286@oz.mt.att.com>
Message-ID: <8D3AE8D9-C64D-4196-A343-05BA35D90FD1@corp.arin.net>

On Oct 15, 2012, at 5:32 PM, Jay Borkenhagen wrote:

> OK, I'll bite:
>
> When an ARIN resource holder publishes ROAs in ARIN's RPKI, it is
> clear that they want the entire RPKI universe to be able to see those
> ROAs and all the supporting records, to reduce the likelihood that
> networks around the world will believe hijack attempts.
>
> Requiring 'those wishing to validate RPKI information' to click
> 'accept' or to take any other explicit action only gets in the way of
> achieving that goal.
>
> Therefore: please publish the ARIN TAL openly to maximize the utility
> of the RPKI to ARIN's resource holders.

Jay -

It is very important that relying parties are aware and agree to the conditions associated with the RPKI service, and it is equally important that ARIN have a legally valid record of this consent. It does mean one additional step for relying parties to undertake when setting up their RPKI infrastructure, but it only has to be done once.

Without a record of consent to the RPKI relying party agreement, ARIN would not be able to offer RPKI services at all.

FYI,
/John

John Curran
President and CEO
ARIN

From farmer at umn.edu Mon Oct 15 22:19:58 2012
From: farmer at umn.edu (David Farmer)
Date: Mon, 15 Oct 2012 21:19:58 -0500
Subject: [arin-tech-discuss] [arin-announce] Resource Public Key Infrastructure (RPKI) Now Available to ARIN Customers
In-Reply-To: <8D3AE8D9-C64D-4196-A343-05BA35D90FD1@corp.arin.net>
References: <20604.33024.742339.365286@oz.mt.att.com> <8D3AE8D9-C64D-4196-A343-05BA35D90FD1@corp.arin.net>
Message-ID: <507CC44E.5060502@umn.edu>

On 10/15/12 20:04 , John Curran wrote:
> On Oct 15, 2012, at 5:32 PM, Jay Borkenhagen wrote:
>
>> OK, I'll bite:
>>
>> When an ARIN resource holder publishes ROAs in ARIN's RPKI, it is
>> clear that they want the entire RPKI universe to be able to see those
>> ROAs and all the supporting records, to reduce the likelihood that
>> networks around the world will believe hijack attempts.
>>
>> Requiring 'those wishing to validate RPKI information' to click
>> 'accept' or to take any other explicit action only gets in the way of
>> achieving that goal.
>>
>> Therefore: please publish the ARIN TAL openly to maximize the utility
>> of the RPKI to ARIN's resource holders.
>
> Jay -
>
> It is very important that relying parties are aware and agree
> to the conditions associated with the RPKI service, and it is
> equally important that ARIN have a legally valid record of this
> consent. It does mean one additional step for relying parties
> to undertake when setting up their RPKI infrastructure, but it
> only has to be done once.
>
> Without a record of consent to the RPKI relying party agreement,
> ARIN would not be able to offer RPKI services at all.
>
> FYI,
> /John

John,

I recognize ARIN's need for terms and conditions with this, especially for entities that don't have any other relationship with ARIN other than using the TAL to validate RPKI data. However, I am also sympathetic to Jay's request too.

I'm generally not allowed to agree to terms and conditions on behalf of my employer, I'm sure this is common. I'm sure ARIN has this issue when dealing with its providers too. So, this separate agreement represents an extra barrier to implementing RPKI validation for my and in expect many other organizations too.

Maybe a middle ground solution could be to package or optionally integrated this and other service specific terms and conditions with or into the RSA or LRSA, so that they can be reviewed and agreed to all at once by an organization if they so desire. This is a common tactic my organization likes to use. However, it has to be balanced against including terms and conditions for service we will never use either.

In particular this agreement has separate clauses for Indemnification and Governing Law, Jurisdiction, Etc... differing from those in the RSA and LRSA. If we could just add these service specific clauses into the RSA and/or LRSA it might be easier in many situations.

Another possible solution could be a version of the agreement that is an addendum to the RSA or LRSA, only including the service specific clauses and using the general terms and conditions from the RSA or LRSA already in place.

One way or another, I think I'll be able to make something work with ARIN, we already have an RSA and LRSA. But, thinking about this more generally, will we need to do a separate similar agreements with each of the other RIRs too? I know you can't speak for the other RIRs, but if you generalize this, it becomes a really ugly issue fast. Wasn't the RIR system created to help deal with these kinds of issues? The idea of everyone having to execute agreements with all 5 RIRs just to validate the trust seems wrong, and a legal nightmare. I know my legal counsel will not like the idea of doing 4 other agreement, especially from around the world.

From jcurran at arin.net Tue Oct 16 05:26:24 2012
From: jcurran at arin.net (John Curran)
Date: Tue, 16 Oct 2012 09:26:24 +0000
Subject: [arin-tech-discuss] [arin-announce] Resource Public Key Infrastructure (RPKI) Now Available to ARIN Customers
In-Reply-To: <507CC44E.5060502@umn.edu>
References: <20604.33024.742339.365286@oz.mt.att.com> <8D3AE8D9-C64D-4196-A343-05BA35D90FD1@corp.arin.net> <507CC44E.5060502@umn.edu>
Message-ID: <7CC20F64-1367-4371-B267-4D94EAACA445@arin.net>

On Oct 15, 2012, at 10:19 PM, David Farmer wrote:

> John,
>
> I recognize ARIN's need for terms and conditions with this, especially for entities that don't have any other relationship with ARIN other than using the TAL to validate RPKI data. However, I am also sympathetic to Jay's request too.
>
> I'm generally not allowed to agree to terms and conditions on behalf of my employer, I'm sure this is common. I'm sure ARIN has this issue when dealing with its providers too. So, this separate agreement represents an extra barrier to implementing RPKI validation for my and in expect many other organizations too.
>
> Maybe a middle ground solution could be to package or optionally integrated this and other service specific terms and conditions with or into the RSA or LRSA, so that they can be reviewed and agreed to all at once by an organization if they so desire. This is a common tactic my organization likes to use. However, it has to be balanced against including terms and conditions for service we will never use either.
>
> In particular this agreement has separate clauses for Indemnification and Governing Law, Jurisdiction, Etc... differing from those in the RSA and LRSA. If we could just add these service specific clauses into the RSA and/or LRSA it might be easier in many situations.
>
> Another possible solution could be a version of the agreement that is an addendum to the RSA or LRSA, only including the service specific clauses and using the general terms and conditions from the RSA or LRSA already in place.

David -

If you'd like a Relying Party Agreement in the form of an addendum to the existing registration service agreements, I believe that is possible. Note that we did not take that approach since some relying parties will not have a registration service agreement with ARIN.

> One way or another, I think I'll be able to make something work with ARIN, we already have an RSA and LRSA. But, thinking about this more generally, will we need to do a separate similar agreements with each of the other RIRs too? I know you can't speak for the other RIRs, but if you generalize this, it becomes a really ugly issue fast. Wasn't the RIR system created to help deal with these kinds of issues? The idea of everyone having to execute agreements with all 5 RIRs just to validate the trust seems wrong, and a legal nightmare. I know my legal counsel will not like the idea of doing 4 other agreement, especially from around the world.

In general, you're going to be subject to the certificate practice statement and relying party agreements of all RPKI parties, the only question is whether or not you're made plainly aware of these terms up-front or not before being bound to them. ARIN requires explicit binding and hence makes it very clear that there are terms that apply, but your use of RPKI information is still subject (in theory) to other parties terms and conditions even if you've never actually reviewed them. If you make use of such information in your official capacity in an organization, you easily may be agreeing to terms and conditions on behalf of your employer (whether you intended to do so or not...)

Rather than relying on questionable implied agreements to such terms and conditions, we have made it quite explicit so that parties can make thoughtful determination as to their use of RPKI services as a relying party.

FYI,
/John

John Curran
President and CEO
ARIN

From ispcolohost at gmail.com Wed Oct 24 14:59:56 2012
From: ispcolohost at gmail.com (David H)
Date: Wed, 24 Oct 2012 13:59:56 -0500
Subject: [arin-tech-discuss] Any notification needed when changing advertising ASN?
Message-ID:

Hi all, couldn't find this using the search tool; I was wondering if there is any documentation requirement when changing the ASN that advertises a given allocation? In our portal it just lists AS numbers and ip networks as separate items but I don't see where there's any association between a given allocation and a given ASN. I know when we used to apply for addresses via the email template it asked for the ASN and we'd use the one that would be advertising the new block but we've got disparate networks with separate ASN's and want to transition services/customers/ips from one to the other once everything is ready.

Thanks!

From dhuberma at arin.net Wed Oct 24 15:25:49 2012
From: dhuberma at arin.net (David Huberman)
Date: Wed, 24 Oct 2012 19:25:49 +0000
Subject: [arin-tech-discuss] Any notification needed when changing advertising ASN?
In-Reply-To:
Message-ID:

Hello David,

There is no need to notify the Registry when changing the origin_as of a given prefix. The change you're describing happens solely in the routing equipment you operate and the equipment of your BGP peers.

ARIN's Whois does include origin_as information on an optional basis. This information is not operational in nature, but rather, is offered for use by the research community. If you look at your registration and see out-of-date origin_as information, it's probably best to insert updates as time allows.

Regards,
David

---
David R Huberman
Principal Technical Analyst, ARIN
703-227-9866

On 10/24/12 2:59 PM, "David H" wrote:

Hi all, couldn't find this using the search tool; I was wondering if there is any documentation requirement when changing the ASN that advertises a given allocation? In our portal it just lists AS numbers and ip networks as separate items but I don't see where there's any association between a given allocation and a given ASN. I know when we used to apply for addresses via the email template it asked for the ASN and we'd use the one that would be advertising the new block but we've got disparate networks with separate ASN's and want to transition services/customers/ips from one to the other once everything is ready.

Thanks!

From mysidia at gmail.com Wed Oct 24 23:49:15 2012
From: mysidia at gmail.com (Jimmy Hess)
Date: Wed, 24 Oct 2012 22:49:15 -0500
Subject: [arin-tech-discuss] Any notification needed when changing advertising ASN?
In-Reply-To:
References:
Message-ID:

On 10/24/12, David H wrote:
> Hi all, couldn't find this using the search tool; I was wondering if there
> is any documentation requirement when changing the ASN that advertises a
> given allocation?

Not a _requirement_. If you have chosen to enter an Origin AS for the network; it would be best practice to either update the data to be correct, or remove data that is no longer accurate, from the network. Keeping inaccurate data might result in confusion or other unexpected negative results in the future.

It would be more important, to update/ensure any IRR records for the new AS are accurate with the registries such as RADB; especially, since some transit providers may use the IRR data in an automated manner to construct certain filters. Again, not absolutely mandatory.

--
-JH

From cspears at internet2.edu Wed Oct 24 23:44:33 2012
From: cspears at internet2.edu (Chris Spears)
Date: Wed, 24 Oct 2012 22:44:33 -0500
Subject: [arin-tech-discuss] Determine unvalidated POC via RWS?
Message-ID: <020980FF-B26D-49BE-B7E1-F622E1F98827@internet2.edu>

Is there a way to determine an unvalidated POC record via the RWS? While it appears nice and clear on the ARIN website (when logged in, for resources you control), it's not possible to glean elsewhere. I'm curious, as I'd like to help a few folks clean house. Is this possible with the way the RWS is implemented now (ie, some knob I'm not seeing)?

Thanks,
Chris

From andy at arin.net Thu Oct 25 10:27:42 2012
From: andy at arin.net (Andy Newton)
Date: Thu, 25 Oct 2012 14:27:42 +0000
Subject: [arin-tech-discuss] Determine unvalidated POC via RWS?
In-Reply-To: <020980FF-B26D-49BE-B7E1-F622E1F98827@internet2.edu>
Message-ID:

On 10/24/12 8:44 PM, "Chris Spears" wrote:

>Is there a way to determine an unvalidated POC record via the RWS? While
>it appears nice and clear on the ARIN website (when logged in, for
>resources you control), it's not possible to glean elsewhere. I'm
>curious, as I'd like to help a few folks clean house. Is this possible
>with the way the RWS is implemented now (ie, some knob I'm not seeing)?
>
>Thanks,
>Chris
>

Hi Chris,

Unfortunately neither the Whois port 43 service nor the Whois-RWS service indicate if a POC has been marked valid or not. This would require an enhancement to the Whois-RWS service.

You can submit a request for this enhancement via the ACSP submission form: https://www.arin.net/app/suggestion/

And though this is not exactly what you are seeking, ARIN does generate a report of resources without valid POCs. You can download that report under the "Download & Services" section via ARIN Online.

I hope this is helpful information.

Andy Newton
Chief Engineer, ARIN

From andy at arin.net Mon Oct 29 08:56:58 2012
From: andy at arin.net (Andy Newton)
Date: Mon, 29 Oct 2012 12:56:58 +0000
Subject: [arin-tech-discuss] ARINr - RESTful command-line scripts
Message-ID:

All,

ARIN is making available command-line scripts, written in Ruby, that utilize ARIN's Whois-RWS and Reg-RWS restful services. These scripts are available under the open-source, BSD-style ISC License. They were originally created for internal use but with a little side effort have been polished up for general usage. They should be considered beta-quality and do not yet encompass the full capabilities of ARIN's restful services.

This set is currently composed of the following scripts:

* arininfo - queries ARIN's Whois-RWS and displays the information in a tree format
* poc - creates, modifies, and deletes Point of Contacts (POCs).
* ticket - downloads, displays and responds to Reg-RWS / ARIN Online tickets.

Man-page style documentation, including instructions for obtaining the scripts either via a Git repository or downloadable ZIP file, can be found at:

http://projects.arin.net/arinr/arinr.7.html

Andy Newton,
Chief Engineer, ARIN

From Sean.Zhao at CenturyLink.com Mon Oct 29 15:24:40 2012
From: Sean.Zhao at CenturyLink.com (Zhao, Sean)
Date: Mon, 29 Oct 2012 19:24:40 +0000
Subject: [arin-tech-discuss] Question about POC Handle searching.
Message-ID:

Hi, David.

Does Arin have new feature on searching POC handle? If user provide first name, last name, physical address, email address and phone numbers, Arin will return the poc handle of this person? I remember Arin had the feature if user provide the poc handle, Arin will return the address, last name and last names. But not the other way. So Arin developed new feature?

Another question, to create an Org Handle, Arin requires an AD poc handle at least. Is that correct?
Thanks,

Sean Zhao
Sean.Zhao at CenturyLink.com

From andy at arin.net Mon Oct 29 15:56:31 2012
From: andy at arin.net (Andy Newton)
Date: Mon, 29 Oct 2012 19:56:31 +0000
Subject: [arin-tech-discuss] Question about POC Handle searching.
In-Reply-To:
Message-ID:

Sean,

There are multiple ways to search on POC names.

If you are using a classic Whois client (over port 43), the syntax is "p / " where is the name you are searching for. For example:

    whois -h whois.arin.net "p / kosters"

The RESTful interface allows you to search by name using matrix parameters. For example:

    xmllint --format "http://whois.arin.net/rest/pocs;name=kosters"

You can also use "first" or "last" instead of "name" to narrow the search to specific first and last names. For example:

    xmllint --format "http://whois.arin.net/rest/pocs;last=kosters;first=mark"

More information about these types of matrix parameters are available in Section 4.4.2 of our Whois-RWS API manual: https://www.arin.net/resources/whoisrws/whois_api.html#whoisrws

I hope this answers your question.

Andy Newton,
Chief Engineer, ARIN

From Sean.Zhao at CenturyLink.com Mon Oct 29 15:59:51 2012
From: Sean.Zhao at CenturyLink.com (Zhao, Sean)
Date: Mon, 29 Oct 2012 19:59:51 +0000
Subject: [arin-tech-discuss] Question about POC Handle searching.
In-Reply-To:
References:
Message-ID:

Thanks a lot Andy!! I ran it. It is nice!

Thanks,

Sean Zhao
Sean.Zhao at CenturyLink.com

From: Andy Newton [mailto:andy at arin.net]
Sent: Monday, October 29, 2012 3:57 PM
To: Zhao, Sean; 'arin-tech-discuss at arin.net'
Cc: Roehrs, Mike; Fredrickson, Joann; Mazzella, John; Grimes, Ronald
Subject: Re: [arin-tech-discuss] Question about POC Handle searching.

Sean,

There are multiple ways to search on POC names.

If you are using a classic Whois client (over port 43), the syntax is "p / " where is the name you are searching for. For example:

    whois -h whois.arin.net "p / kosters"

The RESTful interface allows you to search by name using matrix parameters. For example:

    xmllint --format "http://whois.arin.net/rest/pocs;name=kosters"

You can also use "first" or "last" instead of "name" to narrow the search to specific first and last names. For example:

    xmllint --format "http://whois.arin.net/rest/pocs;last=kosters;first=mark"

More information about these types of matrix parameters are available in Section 4.4.2 of our Whois-RWS API manual: https://www.arin.net/resources/whoisrws/whois_api.html#whoisrws

I hope this answers your question.

Andy Newton,
Chief Engineer, ARIN

From Sean.Zhao at CenturyLink.com Wed Oct 31 15:58:27 2012
From: Sean.Zhao at CenturyLink.com (Zhao, Sean)
Date: Wed, 31 Oct 2012 19:58:27 +0000
Subject: [arin-tech-discuss] Question about the rules of the fields in the payload.
Message-ID:

Hi,

Do you have the web site that shows the list of rules of the fields in the payload? Exp., the length of the contact name and length of the email address in the POC payload.

Thanks,

Sean Zhao
Sean.Zhao at CenturyLink.com
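
Added example, not part of the list archive and not taken from ARIN's ARINr scripts: a Python helper that builds the matrix-parameter POC search URLs from Andy Newton's reply of Oct 29 (name, last, first) when the search terms come from untrusted input, percent-encoding each value so it cannot add a parameter or a path segment. The function names and the sample values other than "kosters" and "mark" are constructed for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

BASE = "http://whois.arin.net/rest/pocs"  # endpoint shown in the thread
ALLOWED = ("name", "last", "first")       # matrix parameters named in the thread


def poc_search_url(**criteria):
    """Return a POC search URL such as .../pocs;last=kosters;first=mark."""
    unknown = set(criteria) - set(ALLOWED)
    if unknown:
        raise ValueError(f"unsupported matrix parameter(s): {sorted(unknown)}")
    if not criteria:
        raise ValueError("give at least one of: " + ", ".join(ALLOWED))
    segment = ""
    for key in ALLOWED:  # fixed order keeps the URL stable
        if key not in criteria:
            continue
        value = criteria[key].strip()
        if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"empty value or control character in {key!r}")
        # safe="" also encodes ';', '=', '/', '?' and '#', so a value cannot
        # add a matrix parameter, a path segment or a query string.
        segment += f";{key}={quote(value, safe='')}"
    return BASE + segment


def matrix_params(url):
    """Split the matrix parameters back out of the last path segment."""
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    _resource, *pairs = last_segment.split(";")
    params = {}
    for pair in pairs:
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


if __name__ == "__main__":
    print(poc_search_url(last="kosters", first="mark"))
    # Constructed untrusted input containing the delimiters ';', '=' and '/'.
    untrusted = poc_search_url(name="kosters;first=mark/../orgs")
    print(untrusted)
    print(matrix_params(untrusted))
```

The resulting URL can be passed to xmllint --format exactly as in the thread; the delimiters in the untrusted value stay inside the single "name" parameter.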