[ARIN-consult] Consultation Now Open on the Future of ARIN’s IRR

Rob Seastrom rs at seastrom.com
Fri Feb 12 14:54:30 EST 2021 

I think it has always been implicitly understood that ARIN-NONAUTH is transitional and will be sunset eventually.

A hard shutdown with less than 8 months' notice in the middle of a pandemic (which impairs information flows via live conferences) does not seem to be an appropriate way to do this.  Therefore I respond in the negative to point 1 of the consultation ("does the proposed shutdown date of 30 September 2021 provide sufficient time for migration to another IRR system").

Some years ago there was a large change in ARIN fees, and a representative from a large ISP stood at the microphone and said that he did not have problems with paying more, but that hitting him out of budget cycle with this change was a hardship. Notwithstanding the existence of ALTDB (which is both no charge and no support), discontinuation of a free service to legacy resource holders presents those dependent on it with a couple of options:  sign an LRSA or RSA and get auth and RPKI as part of your contractual relationship with ARIN, or sign up with RADB or some similar non-RIR IRR component.  Either of these requires fees, and not providing sufficient advance notice plus an annual budget cycle for stakeholders to get their ducks in a row would reflect poorly on ARIN.

I think ARIN set a reasonable standard for community outreach with the "get out the vote" efforts some years back.  A two pronged approach of email to contacts and certified mail to billing and administrative contacts is good notification.  If we do that and then wait a full year to pull the plug...  then part  of my objection goes away.

I urge that Job's thoughts for orderly burndown be given heavy consideration.  Upon further discussion with Job I have the following points to make:

* Of the total of 62,352 entries in ARIN-NONAUTH about 10k of those routes show up in the DFZ and about 1,933 are rpki invalid.

* That means about 3% of ARIN-NONAUTH are arguably bogus, and about 16% appears to contribute positively to the BGP DFZ from Job's vantage points.

* Then there's the other 79% of ARIN-NONAUTH.  These might describe 'backup routes', be out dated, or something else.  Hard to quantify the damage that might or might not cause.

RIPE has had over a year of operational experience with RIPE-731 deployed to remove RPKI-invalid routes from their non-auth (since January 2020) and nothing has blown up...  so maybe we can start by doing the same thing.  If you haven't read RIPE-731, please do - it's short and to the point.  https://www.ripe.net/publications/docs/ripe-731

Speaking for myself and GBPSW/ClueTrust (OrgId: GBPSOF), not my day job or the AC...

-r



> On Feb 8, 2021, at 5:55 PM, Owen DeLong <owen at delong.com> wrote:
> 
> I suggest to anyone likely to be caught with difficulty in the shutdown of ARIN-NONAUTH,
> there is a valid and viable alternative in ALTDB: https://altdb.net <https://altdb.net/>
> 
> It’s not user friendly like IRR-ONline, but it’s got pretty much the same automated processor
> for email submissions as ARIN-NONAUTH and provides roughly the same service.
> 
> Owen
> 
> 
> 
> 
>> On Feb 8, 2021, at 08:34 , Job Snijders via ARIN-consult <arin-consult at arin.net <mailto:arin-consult at arin.net>> wrote:
>> 
>> 
>> From: Job Snijders <job at fastly.com <mailto:job at fastly.com>>
>> Subject: Re: Consultation Now Open on the Future of ARIN’s IRR
>> Date: February 8, 2021 at 08:34:32 PST
>> To: arin-consult at arin.net <mailto:arin-consult at arin.net>
>> 
>> 
>> Dear ARIN, global community,
>> 
>> I object to the proposal to discontinue RIPE-NONAUTH. I propose an
>> alternative course of action.
>> 
>> The function of the ARIN-NONAUTH primarily appears to to serve holders
>> of Internet Number Resources which pre-date ARIN (so-called 'legacy
>> holders'). Expectations have been set by ARIN through the concept of
>> 'grandparenting' that for example Reverse DNS works in some capacity,
>> and a degree of IRR service.
>> 
>> The ARIN-NONAUTH registry since the ARIN/ARIN-NONAUT split is fairly
>> harmless (either for users with a presence expressed in the registry, or
>> for consumers of the ARIN-NONAUTH data), and clearly benefits a
>> (perhaps somewhwat under-represented) group of stakeholders.
>> 
>> My proposal is that ARIN works to apply the 'RIPE-731' cleanup mechanism
>> to ARIN-NONAUTH. This can be accomplished by enabling the 'RPKI aware
>> mode' in IRRd v4: https://irrd.readthedocs.io/en/stable/admins/rpki/#enabling-rpki-aware-mode <https://irrd.readthedocs.io/en/stable/admins/rpki/#enabling-rpki-aware-mode>
>> Enabling the feature should be fairly straightforward for ARIN (as in,
>> minimal cost and minimal burden, existing open source software can be
>> used).
>> 
>> The big advantage of RIPE-731 style IRR object filtering is that any RSA
>> / LRSA / global RPKI-capable holders of INRs can ensure the ARIN-NONAUTH
>> database does not contain conflicting information (simply by publishing
>> RPKI ROAs, allowing a graceful path towards obsolence (aka let the thing
>> die out on its own over time)
>> 
>> My fear is that discontinuation of the ARIN-NONAUTH service at this
>> point in time (or in September 2021) will have adverse negative effects
>> on the global routing system, which are easily avoided by taking a few
>> intermediate steps (such as RPKI-aware mode on the ARIN-NONAUTH DB).
>> 
>> Many considerations that applied to the RIPE / RIPE-NONAUTH split and
>> subsequent continuation of RIPE-NONAUTH also apply to ARIN-NONAUTH. It
>> is not the right time yet.
>> 
>> If ARIN for one reason or another cannot become a RPKI Relying Party of
>> the other Trust Anchors (AFRINIC, APNIC, LACNIC, and RIPE NCC), I
>> propose the service is just left 'as-is', and we revisit this topic in
>> June 2022.
>> 
>> Kind regards,
>> 
>> Job Snijders
>> 
>> On Mon, Feb 08, 2021 at 03:57:11PM +0000, John Curran wrote:
>>> From: ARIN <info at arin.net <mailto:info at arin.net>>
>>> Subject: [arin-announce] Consultation Now Open on the Future of ARIN’s IRR
>>> Date: 8 February 2021 at 10:46:18 AM EST
>>> To: arin-announce at arin.net <mailto:arin-announce at arin.net>
>>> 
>>> ARIN has been engaged in a multi-year project to create and deploy a
>>> new and improved Internet Routing Registry (IRR). On 10 June 2020
>>> (https://www.arin.net/announcements/20200610-irr/ <https://www.arin.net/announcements/20200610-irr/>), we launched
>>> IRR-online, an authenticated and web-based service designed to make it
>>> simple for users to publish routing information via ARIN’s website. At
>>> that time, the existing IRR-email system was temporarily left in place
>>> to allow organizations to continue using email-based updates to
>>> publish routing information (in the ARIN-NONAUTH data stream).
>>> 
>>> On 1 February 2021 (https://www.arin.net/announcements/20210201-rn/ <https://www.arin.net/announcements/20210201-rn/>),
>>> we deployed a RESTful API to provide a way to securely automate
>>> updates to objects in ARIN’s authenticated IRR service.
>>> 
>>> With the availability of automation for ARIN’s new IRR system, we
>>> intend to retire ARIN’s previous non-authenticated, email-based IRR
>>> service at the end of September 2021. We are providing advance notice
>>> of this plan so that organizations using the non-authenticated and
>>> email-based IRR will have time to switch publication of their routing
>>> registry information to a more current solution. Similarly, by
>>> establishing a firm end date for the non-authenticated and email-based
>>> IRR, organizations making use of the outdated and non-authenticated
>>> IRR data stream can be ready for when ARIN ceases publishing the
>>> ARIN-NONAUTH data stream.
>>> 
>>> The authenticated IRR is available to all ARIN resource holders that
>>> have resources covered by a signed Registration Services Agreement
>>> (RSA) or Legacy Registration Services Agreement (LRSA). Organizations
>>> with resources not currently under an RSA/LRSA that wish to use the
>>> authenticated IRR may contact ARIN’s Registration Services Department
>>> for assistance with bringing those registrations under an RSA/LRSA.
>>> 
>>> We recognize that this change will have significant impacts on our
>>> customers and, as always, we’re interested in your feedback regarding
>>> this proposed transition. In particular, we would appreciate hearing
>>> from the ARIN community regarding these aspects of the proposed
>>> transition:
>>> 
>>> 1. For those using ARIN’s email-based and non-authenticated IRR
>>> system, does the proposed shutdown date of 30 September 2021 provide
>>> sufficient time for migration to another IRR system?
>>> 
>>> 2. For those making use of the ARIN-NONAUTH data stream, is there any
>>> reason to provide this information beyond the system shutdown date?
>>> 
>>> The community feedback provided during this consultation will help
>>> inform how we move forward. Please provide comments to
>>> arin-consult at arin.net <mailto:arin-consult at arin.net>. You can subscribe to this mailing list at:
>>> 
>>> http://lists.arin.net/mailman/listinfo/arin-consult <http://lists.arin.net/mailman/listinfo/arin-consult>
>>> 
>>> This consultation will remain open through 5:00 PM ET on Monday, 8 March.
>>> 
>>> Regards,
>>> 
>>> John Curran
>>> President and CEO
>>> American Registry for Internet Numbers (ARIN)
>> 
>> 
>> _______________________________________________
>> ARIN-Consult
>> You are receiving this message because you are subscribed to the ARIN Consult Mailing
>> List (ARIN-consult at arin.net <mailto:ARIN-consult at arin.net>).
>> Unsubscribe or manage your mailing list subscription at:
>> https://lists.arin.net/mailman/listinfo/arin-consult <https://lists.arin.net/mailman/listinfo/arin-consult> Please contact the ARIN Member Services
>> Help Desk at info at arin.net <mailto:info at arin.net> if you experience any issues.
> 
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN Consult Mailing
> List (ARIN-consult at arin.net <mailto:ARIN-consult at arin.net>).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult <https://lists.arin.net/mailman/listinfo/arin-consult> Please contact the ARIN Member Services
> Help Desk at info at arin.net <mailto:info at arin.net> if you experience any issues.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20210212/60aa85cb/attachment-0001.htm>

More information about the ARIN-consult mailing list