- address-policy-wg - mailman.ripe.net

Assignments from a /24 allocation
by denis walker 24 Nov '21

24 Nov '21

Colleagues The issue came up again today at the AP-WG session at RIPE-83 about making assignments from a /24 allocation. People are forced to create two 'artificial' /25 assignments. Again this is used as one argument against having to register assignments in the RIPE Database. Regardless of the bigger picture about registering assignments, there is a simple solution to the /24 allocation issue. Make the "status:" attribute multiple. Then this /24 INETNUM object can have: status: ALLOCATED PA status: ASSIGNED PA Business rules can restrict the use of multiple status to very specific use cases. Maybe only allow a second status of 'ASSIGNED PA' in an object with status 'ALLOCATED PA'. The normal rules then apply to an assignment, so there can be no more specifics. Then any allocation of any size can be assigned in its entirety without having to create more specific pseudo assignment objects. Business rules could also allow this option for 'SUB-ALLOCATED PA'. cheers denis co-chair DB-WG

2 1

Excellent Presnetations & Videos, how can I help?
by Karla Wagner 23 Nov '21

23 Nov '21

Good Morning! The material presented hung together well, and the speakers asked excellent questions. Thank you for that !! Having a keen interest (and a course or two) in public policy, I'd be interested in helping out. Please let me know. (The speaker indicated that help was needed, and to refer to the mailing lists.) Met vriendelijke groet, Karla Verzonden door ProtonMail Secure Email.

2 1

IPv6 Stockpiling
by _ _ 23 Nov '21

23 Nov '21

Hi, Re: 'who does IPv6 hoarding really hurt' or 'what's the danger', we should learn from some very harsh real-life lessons that happened with IPv4 stockpiling. - when IPv4 was plentiful, a number of RIPE members we able to hoard vast volumes of IPv4 and distribute large IPv4 network prefixes (e.g. full /18s) to their customers but provide little to no technical services (became de facto local RIRs) - this was attractive to their customers at the time - often network operators - because the RIPE members would lease the address space for a much lower price than a RIPE NCC membership fee - as their customers became increasingly dependant on those IPv4 network prefixes over time to run their operations, the RIPE members abused their power and raised the lease costs to absolute extortionate and unaffordable amounts - often to sell the parent allocation on the IPv4 market This is in addition to conflicting with RIPE IPv6 goals and policy, and reducing the RIPE NCC's ability to check and verify that the address space is being used in line with RIPE IPv6 goals and policy. Do we really want to sleepwalk into a similar situation with IPv6? If not, how can we proactively safeguard IPv6 from such abuse while ensuring easy access to IPv6 for real deployments? Change IPv6 transfer policy, and/or lower the RIPE NCC membership fee (e.g. a cheaper IPv6-only membership category)? Regards, James apwg co-chair

1 0

1st Draft Agenda for Address Policy WG at RIPE 83
by Leo Vegoda 21 Nov '21

21 Nov '21

Dear Address Policy WG, Here is the first draft agenda for RIPE 83's Address Policy WG. We want to give as much time as possible to discussion. For this reason, we are continuing with the concept of pre-publishing videos and slides for report items on the agenda. This way, people can review the presentations at their leisure, allowing us to dedicate more time to answering questions and discussing issues with each other. You will be able to watch pre-recorded presentations and review slides from Monday, 15 November. They will be available on https://ripe83.ripe.net and we will send a note linking to the relevant page. Kind regards, Leo Vegoda for the Address Policy WG co-Chairs A. Administrative Matters (5 mins) Chairs Welcome, thanking the scribe, approving the minutes, etc. B. ASO AC Report Summary and Questions (10 mins) This will be pre-recorded and published a week ahead. A 2 slide recap will be presented live before questions are taken. James Kennedy / Nurani Nimpuno / Hervé Clement C. NRO NC/ASO AC Candidate Introductions (10 mins) This will be pre-recorded and published a week ahead. A 2 slide recap will be presented live before questions are taken. Ulka Athale, Sr. Communications Officer, RIPE NCC D. Q&A on Current Policy Topics (15 mins) This will be pre-recorded and published a week ahead. A 2 slide recap will be presented live before questions are taken. Angela Dall'Ara, Policy Officer, RIPE NCC E. Q&A on Feedback from the RIPE NCC Registry Services (15 mins) This will be pre-recorded and published a week ahead. A 2 slide recap will be presented live before questions are taken. Marco Schmidt, Registry Services, RIPE NCC F. RIPE Database Requirements TF (10 mins) This will be pre-recorded and published a week ahead. A 2 slide recap will be presented live before questions are taken. James Kennedy G. Break (5 mins) H. Review of RIPE IPv6 Policy Goals (20 mins)

1 2

IPv6 Stockpiling
by Marco Schmidt 04 Nov '21

04 Nov '21

Dear colleagues, During RIPE 82, we provided you with an update on our observation of IPv6 stockpiling [1]. Based on the feedback we received and in preparation for the coming RIPE meeting, we would like to give you another update on that issue. According to the IPv6 Address Allocation and Assignment Policy, an LIR can receive up to a /29 IPv6 allocation without needing to supply any additional information. The RIPE community considered this size sufficient for most organisations for long-term IPv6 deployment. Additionally, LIRs may qualify allocations greater than /29 by submitting documentation that reasonably justifies this request [2]. However, over the past few years we have noticed that some organisations are collecting multiple IPv6 allocations in ways that are permitted by current RIPE policies but might conflict with the above-mentioned intent of the IPv6 policy. For example, it is possible for a single RIPE NCC member to receive a /29 allocation for each of the multiple LIR accounts that it holds. This is the result of a policy change in 2018 [3]. LIRs can also receive multiple IPv6 allocations via policy transfers without needing any further justification. However, when the IPv6 transfer policy was discussed in 2014, it was assumed that there wouldn't be an active transfer market [4]. We have gathered data showing the significant development of the collection of IPv6: - Almost 700 IPv6 allocations have been transferred in 2021 so far (and there have been more than 3,900 transfers since policy implementation in 2015) - About 60% all IPv6 allocations ever handed out by the RIPE NCC are now held as multiple allocations - In the last three months, more than 75% of all new allocations were given to members that already hold at least one IPv6 allocation - More than 1,500 members hold multiple IPv6 allocations, exceeding the size /29 - Almost 100 members hold more than 10 IPv6 allocations (the maximum is 102 IPv6 allocations held by one member) It is the RIPE NCC’s understanding that some of these situations are within the intent of previous policy changes, for example, to avoid renumbering of deployed IPv6 networks during holdership changes, or if a large company has multiple network departments that prefer to manage their own allocation. However, the huge volume indicates that most are for other reasons. While members can collect multiple IPv6 allocations without evaluation by the RIPE NCC, we still were able to gather some feedback how members plan to use their allocations. Many members simply stockpile them for an undefined future use, others plan to use them for activities which temporarily require a vast amount of IPs, and some plan to offer IPv6 on a large scale to other ISPs in their country. We believe that this situation could create several issues: - IPv6 might be deployed in conflict with RIPE policies, underlying RFCs and other best practices, resulting in challenges to that IPv6 deployment once the policy violation is discovered during an audit - There could be a negative impact on the quality of the registry if large parts of allocations were given to third parties without clear registration requirements - The policy requirement to justify larger IPv6 allocations would then be rendered useless If you agree that this is a problem, we would like to initiate a discussion in this Working Group about possible solutions. We see at least two potential paths forward. Firstly, if the Working Group believes that this trend is an indication of a widespread need for IPv6 address space larger than /29, then the requirement for justification could perhaps be adjusted for a larger allocation size. Members could then more easily get the address space they need, but as an aggregated block. Stockpiling would still be possible under this potential policy change, in fact on an even bigger scale. Secondly, if the Working Group believes that this trend is in conflict with the original intent of the IPv6 policy, adjustments to the policy can be proposed that give the RIPE NCC a stronger mandate to enforce it. One challenge here would be defining what IPv6 usages are considered within or outside of the intent of the policy and how to ensure better oversight without too much impact on IPv6 deployment. There might be other options that this working group can consider and discuss. If required, the RIPE NCC can provide additional information for this discussion. Kind regards, Marco Schmidt Registry Services Assistant Manager RIPE NCC [1] https://ripe82.ripe.net/presentations/7-RIPE82-Feeback-from-RS.pdf from slide 9 [2] https://www.ripe.net/publications/docs/ripe-738#initial_allocation [3] https://www.ripe.net/participate/policies/proposals/2018-01 [4] https://www.ripe.net/participate/policies/proposals/2014-12

8 9

RIPE 82 Minutes
by Leo Vegoda 14 Jun '21

14 Jun '21

Dear WG, The RIPE NCC has now published draft minutes of our session at RIPE 82. The page also links to the stenography transcripts and chat logs. Please inform the co-chairs of any issues or corrections. https://www.ripe.net/participate/ripe/wg/active-wg/ap/minutes/ripe-82-addre… Kind regards, Leo Vegoda for the Address Policy WG co-chairs

1 0

Mass deletion of assignments from RIPE Database?
by denis walker 18 May '21

18 May '21

Colleagues [Apologies for the long email, but I feel the video is an oversimplification of the issues involved.] I have watched the video from the AP-WG agenda for RIPE 82 by the RIPE Database Task Force (TF). As a netizen, rather than in any other capacity, I am totally opposed to this recommendation which would allow the removal of all IPv4 assignments from the public registry of IP addresses. I would like to present some opposing arguments before the discussion tomorrow in the AP session at RIPE 82. In the video there are 4 justifications given. None of these can actually be considered as a justification for this recommended policy change. 1/ some allocations have no registered assignments This should be followed up by the RIPE NCC with ARCs. If the current policy has not been followed, then assignment objects should be created. If a few resource holders don't follow the policy, that is not a justification for changing the policy. Encouragement to follow, or enforcement of, the policy is the answer to this. 2/ Small (/24) allocations require even smaller (/25) assignments There is an action point in the DB-WG (NWI-4) to allow multiple status values in INETNUM allocation objects which would address this issue without policy change. 3/ data minimisation, less data to maintain = more accurate [implying that having no data gives 0% error] Googling for 'data minimisation' it is hard to find any definition that doesn't relate to personal data. This is the best fit I found: "The principle of data minimization involves limiting data collection to only what is required to fulfill a specific purpose." If there is a valid purpose for assignment data then this isn't 'data minimisation', it is 'data loss' resulting in reduced functionality. So the historical, present and future use of assignment data is the real question to consider. 4/ justify additional allocations This was 'one of' the historical reasons for creating assignments in the DB. Since run out this reason no longer applies. But that does not mean there are no other reasons for having assignment data in the DB. In the video the TF suggest that 'now' this reason no longer applies, perhaps we can drop this policy requirement. As ripe-733 (assignment policy) no longer even mentions this as a reason for creating assignments in the RIPE Database, I don't see the connection between this long since discarded reason and changing the policy now. The video ignores any other reasoning for the existence of assignments in the DB. The suggestion in the video was that creating (PA) assignments would be optional. It also said "Partitions and sub-allocations 'should' be registered. It is important to note that in policy speak, 'should' is not the same as 'must'. This makes everything more specific to (PA) allocations optional. What are the likely consequences to this change? Many operators maintain internal software to align their internal address management with the RIPE Database. This involves a lot of time, effort and money to keep the RIPE Database up to date. They are also open to criticism if anyone finds a single email in the DB that is invalid. It also exposes their publicly identified customers to being directly accountable for their use of address space assigned to them. While most end users probably don't have an issue with that, internet abuse originates from somewhere. Those networks probably prefer to be hidden out of view. By making all this data optional, resource holders can simply delete all this data from the RIPE Database. They can archive the software used to align their internal systems with the RIPE Database. They can shield their customers behind the court order firewall from any exposure to questioning of their usage of their assigned address space. The resource holder can hide themselves behind a contract putting responsibility of usage of address space on their (now) hidden customers. Without a court order this all becomes private, hidden data. It is easy to see benefits to resource holders and operators for this change, but does it have a negative impact on other RIPE Database data consumers? I suspect making this policy change could/would result in a mass deletion of (PA) assignment data from the RIPE Database leaving only the allocations made by the RIPE NCC. In this scenario what happens with abuse reporting? All reports would have to be sent to the LIR holding the allocation resource. They could put a simple mail forwarder on that email address and forward all reports to the appropriate (hidden) customers. If anyone questions a report sent, the answer could be "I forwarded it on to the user. If they haven't replied to you, get a court order to reveal the customer details and take it up with them directly." What happens with blocking & blacklisting addresses? Unless it is possible to determine assignment sizes from other data (routing perhaps?) then the only option is to block or blacklist the whole allocation. There are no aggregated objects with assignment sizes like with IPv6. Removing assignment objects also impacts the use of the RIPE Database as a contact DB for network operators. Resource holders will have to weigh up if the need for more specific network contacts was important enough to justify them maintaining all their assignment data in the RIPE Database. For larger resource holders, given the savings to them by ditching this data, they may well choose to sacrifice network contacts. In the video the TF talks about the 'freedom' of LIRs to choose if they want to enter assignment data or not. Their freedom is someone else's denial. They also talk about a smaller, common, useful database. This smaller, common database is not very useful to anyone who uses the assignment data that is discarded to make it smaller. Looking at it from the perspective of accountability, openness and abuse issues, deleting 94% of the IPv4 registry data from this public registry and turning all this information into private data requiring individual court orders to access each bit of what was public data, I believe would be a huge backwards step. Even if the reality turned out to be half the assignments being deleted, is a partial data set, with less eyes focussed on the reliability and accuracy of the data, of any use to anyone? In recent years the use of the DB by LEAs, abuse handlers and researchers has been hotly debated and contested. If you look at recent policy discussions and DB functionality issues, two phrases come up time and time again. "It's not the purpose of the RIPE Database to do 'abc'." "It's not the function of the RIPE NCC to do 'xyz'." So many engineers and operators seem to have difficulty accepting that the purpose of the RIPE Database has evolved over time and is now more than an engineer's and operator's tool. In today's society the internet is not only an essential part of every day life, it is also a dangerous place. The DB has become an essential tool for LEAs and companies & organisations that try to address internet abuse. That is despite many engineers and operators constantly dismissing this as not a (historical) purpose of the RIPE Database. The same argument is used against researchers. Use as a research tool was not on the original list of purposes of the DB. The whole umbrella of research is an essential part of moving forward with technology. It is time to stop the endless arguments about the purpose of the RIPE Database and accept that use by LEAs, abuse handlers and researchers is now part of the fabric of the RIPE Database. Whilst the TF acknowledges this friction in their draft requirements document, there are no recommendations to resolve this issue. I would like to see the TF address this and recognise these as valid purposes of the RIPE Database. I hope recommendations will be included in a future draft of the TF's requirements document that recognises these new and important purposes of the RIPE Database by an expanding and diversifying set of data consumers. Moving forward on address policy with these newly accepted purposes of the DB, the IPv4 assignments take on a more important role. In this context I do not believe assignments should be made optional, and almost certainly deleted to become hidden, private data, behind a court order firewall. cheers denis long standing, but forward looking, netizen Question to the RIPE NCC... Can you select a random week day and calculate the total number of queries where the query string is an IPv4 address. If possible can you determine if the query string address is contained within a PA assignment object and calculate the percentage of these queries that would have returned an assignment object. If this recommendation is accepted, these queries in future would most likely only return the resource allocation object.

2 1

New on RIPE Labs: SCION - A Novel Internet Architecture
by Alun Davies 17 May '21

17 May '21

Dear colleagues, At RIPE 81, a group of enthusiastic researchers and practitioners from industry and academia discussed with the RIPE community what role RIRs and LIRs could take on in the SCION next-generation Internet architecture. Ahead of the SCION BoF taking place today at RIPE 82, David Hausheer looks back at what happened at the last BoF, reports on what has happened since then, and presents what potential RIPE involvement could look like in the future. Read more on RIPE Labs: https://labs.ripe.net/author/hausheer/scion-a-novel-internet-architecture/ Kind regards, Alun Davies RIPE Labs Editor RIPE NCC

1 0

recorded RIPE NCC presentations are now online
by Gert Doering 14 May '21

14 May '21

Dear AP WG, as Erik already announced, this meeting is different :-) - in the last meeting, we noticed that Meetecho is actually quite good in enabling a "real" discussion - but we had no time. So, this time, the "we want to discuss this!" topics are online as a pre-recording, as of right now for the NCC PO/RS talks (Marco and Angela). Because I'm already enjoying my soon-to-be WG chair retirement, I'm just being lazy and forward Marco's Mail with the links and with the reminder: to have an informed discussion, you are expected to watch these before the actual meeting on Tuesday (or at least look at the Slides). We will *not* use our WG time to play back videos - we'll do Q&A, and then discussion, on the questions raised by these talks. See you next week (virtually...) Gert Doering creaky APWG chair ----- Forwarded message from Marco Schmidt <mschmidt(a)ripe.net> ----- From: Marco Schmidt <mschmidt(a)ripe.net> Hello Erik, Gert, James and Leo, The pre-recorded presentations from Angela and me are now online and published as part of the APWG agenda https://ripe82.ripe.net/programme/meeting-plan/ap-wg/ With the direct links https://ripe82.ripe.net/wp-content/uploads/presentations/ripe-82-policy-dev… https://ripe82.ripe.net/wp-content/uploads/presentations/ripe-82-feedback-r… Please feel free to inform that WG members to watch these presentations before the session. I see the risk that some people will not expect that they need to watch the presentation upfront. So as earlier they know about it, the more this risk is minimized. Have a nice weekend and see you next week! Regards, Marco Schmidt ----- End forwarded message ----- -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

1 0

WG chair rotation 2021
by Gert Doering 10 May '21

10 May '21

Dear AP WG, according to our WG Chair Selection process, one of the WG chairs has to step down every two years, and a new WG chair is selected by the WG. This time, it is my time to step down, and I will not(!) run again - I've been one of your chairmen for a long time, and I think it's time for a change. Do not despair :-) - as you are aware, we brought in two "trainee chairs" at the last meeting, Leo Vegoda and James Kennedy. Both have used the time to look "behind the curtains" and see what they will be getting themselves into, and last I heard, were willing to take the job. That said: it is your decision, as WG, not our decision as WG chair team. So other interested volunteers are free to make their interest known, and then the WG will decide. Please make your interest known to the remaining chair (Erik Bais) erik(a)bais.name and please include a short bio and your reason for applying. Erik will collect applications and publish them collectively on March 31st. Gert Doering -- creaky chair -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

10 12