At the ARIN Meeting

By Milton Mueller

I have been attending the American Registry for Internet Numbers (ARIN) meeting in Toronto. ARIN is one of the RIRs, i.e., the Internet address registry and policy making authority for North America. Although I have observed and participated on RIR lists for some time and interacted with RIR representatives at ICANN, WSIS and IGF, this is the first time I have been able to attend a meeting. I'm glad I did.

The ARIN meeting is very well organized. It is smaller-scale and much more focused than an ICANN or IGF meeting. The staff goes out of its way to be welcoming and friendly. Attendees are mostly network technicians of various flavors. Real Internet governance is taking place here, because organizations with real control of private and shared resources and operational capabilities are involved.

It's hard not to compare-contrast ARIN with ICANN, although ICANN can only suffer by comparison. One comes away with the conviction that the so-called bottom up policymaking which ICANN constantly claims to do is actually (more or less) seriously pursued here. The key differences are the smaller scale; the homogeneity of the participants; a more well-defined process that is grounded in a membership. Activities are focused on that area where highly technical decisions (e.g. routing policies, or minimum address block size) intersect with public (Internet-wide) policy issues such as security, privacy, and efficient utilization of scarce, shared resources.

The ARIN meeting is far more focused on policy making than its European counterpart (RIPE-NCC) - which I think is good. RIPE meetings contain a lot of parallel sessions with educational/informational content, all of which are interesting. But there is less of a sense of focused, collective decision making there — it is more like a conference. I really liked the way nearly all ARIN discussions are in plenary and decisions are actually made. Participants are provided with materials which concisely and with reasonable neutrality summarize the proposals, and the issues and concerns associated with them. Even the lunches were organized around discussion topics, where tables were set aside for discussion of particular topics. I sat at a table for discussion of Governmental involvement in RIRs, and had a great exploration of that topic with a law professor from Michigan State, people from the U.S. Drug Enforcement Agency, the U.S. Department of Homeland Security, and ARIN Council members Dave Farmer and Bill Darte.

Indeed, the basic framework of the ARIN meeting was so well done that the one act of process manipulation that occurred stood out like a sore thumb. The meeting got off to a bad start on Monday, with the FBI and Royal Canadian Mounted Police making a presentation on how badly they need Whois data. This presentation came right before consideration of a proposal that attempted to increase the confidentiality of Whois information. This proposal, #2010-3 concerning "Customer Confidentiality," had been proposed by some small, independent hosting service providers. Whereas all other proposals were considered in numerical sequence, 2010-3 was taken out of sequence and considered right after the FBI/RCMP presentation, which was inserted into the program at the last minute. So instead of being given the same opportunity to speak from the floor regarding 2010-3 as the rest of us, the FBI and the RCMP got 30 minutes of proselytizing, and it was all too obvious that these police agencies had mobilised to oppose the customer confidentiality proposal. (As an aside, the proposal was supported by AT&T, while opposition was voiced by Google and Paypal.)

Although the agenda manipulation was disturbing, the results were not that bad. The proponents learned that certain aspects of the status quo Whois policy allowed them to do pretty much what they wanted to do anyway, and its main advocate withdrew his own support for the proposal. He noted that he had been lobbied heavily by the FBI contingent the night before.

The presentation of Geoff Huston on the scalability of routing was another highlight of the meeting. I don't have the space to go into the technicalities and data of the presentation, which you can download here anyway, but the upshot was this. Huston's data about growth in the number of unique routing table entries, and in the number of Autonomous Systems (networks connected to the Internet) uncovers a counter-intuitive anomaly. Despite the regular annual growth in the number of networks connected, the number of routing table updates exchanged by BGP routers is remaining more or less constant. In other words, despite massive, long-term growth in the number of networks and routes on the Internet, the number of updates is remaining almost exactly the same - about 40,000 per year. Huston interprets this to mean that the distance or diameter of the Internet as a whole is not increasing; instead, the density of connections is increasing. From there, Huston went on to conclude that BGP is scaling because of the RIRs' "policies and practices" that encourage aggregation. The scalability of BGP is not, he claimed, a "natural" phenomenon but a product of the RIRs' policies. This of course was music to the ears of the ARIN community, but the claim was quickly deflated by Chris Morrow from Google. It is actually money that drives this, he claimed. Service providers don't want latency. In order to limit latency, they organize their networks to avoid too many hops and thus constrain the diameter of the internet as a whole. In other words, the result Huston found could be more a result of "natural" market incentives than a product of wise policies imposed on the Internet by wise RIRs.

The informational discussion of RPKI here was a bit disappointing — it came near the end of the day, time was short and people were getting tired. None of the governance implications were explored or discussed adequately; indeed, if you listened only to Mark Koster's presentation you would have thought that there were no policy or governance implications at all. ARIN, like other RIRs, is pursuing a very aggressive implementation schedule; initial production is planned for the end of 2010, and Koster estimated that, miraculously, a single trust anchor would emerge by the end of 2011. One participant (Joe Jaegli) did raise concerns about how much this changed the openness of the system. Danny McPherson admitted that "you are trading off autonomy for security" but the nature of this trade-off was not explored. Some commenters insisted that RPKI "doesn't really change anything" because ISPs can use alternative trust anchors. But if you probe this argument it is almost exactly the same as saying that we don't need to worry about ICANN because you can always form an alternate root.

To sum up, we've had pretty open, focused and (with the one exception noted) fair discussions here. For those with the technical background to understand the Internet governance implications of RIR decisions and policies, I'd encourage participation and membership in ARIN.

By Milton Mueller, Professor, Georgia Institute of Technology School of Public Policy. Visit the blog maintained by Milton Mueller here.


Comments

You are misrepresenting facts Neil Schwartzman  –  Apr 22, 2010 6:16 AM PDT

The Law Enforcement presentation was not inserted into the agenda at the last minute; it had been there for at least three weeks.

As a privacy advocate who cares about actual (not theoretical) violations of millions of end-users' privacy by way of spam & malware sent in the billions, daily, I did not hear "proselytizing" for 30 minutes, rather I heard two short presentations, followed by numerous questions and comments, including your own, which veered directly towards 2010-3, despite the admonishment from the Chair not to speak about the day's specific proposals. Nevertheless.

You also claim that Aaron Wendel was "lobbied heavily by the FBI contingent". While the transcripts of the meeting are not yet online, I expect they won't support that onerous description of events so much as they will indicate that Aaron spoke to Tom Grasso, and gained an understanding of the dire consequences of making this information private, by providing further obfuscation of data both LEA and grassroots researchers need on an hourly basis to do their work fighting actual privacy violations.

Stating that AT&T supported 2010-3 is equally as disingenuous; a representative from AT&T was there, and in favour. It was noted that were members of the AT&T security and abuse teams present, their stance would undoubtedly be very different.

I encourage all those interested in checking out my blog entry on the CAUCE website, which includes a copy of the Messaging Anti-abuse Working Groups' MAAWG submission to ARIN. I'd also invite you to review the membership roster of MAAWG while considering the submission. That company name right up there at the top? AT&T.

As to the vote, I believe we are finally in rare agreement. It wasn't "too bad". In fact, I found the tally to be very satisfactory: Of the 133 people in attendance, 5 voted in favour, 77 against the 'customer confidentiality' proposal.

Note to the objectivity-challenged Milton Mueller  –  Apr 22, 2010 11:37 AM PDT

>As a privacy advocate who cares about actual (not theoretical)
>violations of millions of end-users' privacy by way of spam &
>malware sent in the billions, daily, I did not hear "proselytizing"
>for 30 minutes,

When you hear things you agree with, of course it does not sound like proselytizing. To people with a bit more of a disinterested perspective, it might.
FYI, ARIN people pretty much agreed with my assessment and promised to develop a policy for ensuring better separation of presentations and policy discussions.

> You also claim that Aaron Wendel was "lobbied heavily by the FBI contingent".
> While the transcripts of the meeting are not yet online, I expect they won't
> support that onerous description of events so much as they will indicate that
> Aaron spoke to Tom Grasso, and gained an understanding of the dire consequences
> of making this information private

Yeah. That's not lobbying.

> As to the vote, I believe we are finally in rare agreement. it wasn't "too bad".
> In fact, I found the tally to be very satisfactory: Of the 133 people in
> attendance, 5 voted in favour, 77 against the 'customer confidentiality'
> proposal.

Again, your tunnel vision is evident. One of the defining characteristics of the whois debate is that one side steadfastly refuses to recognize it as a debate that involves tradeoffs. In keeping with that attitude, you mis-characterize the final straw poll as a "vote" against privacy when in fact it was a recognition that a lot of the sensitive company data could already be withheld under current policy.

I think the FBI's presentation was important Matt Sergeant  –  Apr 22, 2010 1:32 PM PDT

I think the FBI's presentation was important in that it gave a good overview of the work that LEOs need to do in order to start a case, and that work involved access to whois data. What they didn't cover was the fact that almost ALL cases of prosecution for spam and malware related incidents start with that research being done by community volunteers or commercial anti-spam and anti-virus workers (of which I am one, and have assisted the FBI in a number of cases).

I'm sure it could have been put in another time slot, but I'm unconvinced that would have changed the outcome.

It also gave balance, since the proposal was *for* the privatisation of the data (well, giving the option of doing so).

In our experience with the domain whois data, those who privatise their whois entries are in the vast majority of cases the bad actors. Though this numerical bias is also because the bad actors register a LOT of domains. But there is no reason to believe that bad actors wouldn't abuse a private IPWhois database too.

I do disagree with your statement of "lobbied heavily". Everyone at these conferences has a variety of conversations with different parties in the evenings over a nice pint of beer. In the conference Aaron quite clearly said he had a conversation with a number of people about it, including the FBI. It didn't sound like anything heavy handed to me at all, but why don't you ask him?

The gentleman from AT&T made it clear that he wasn't speaking for AT&T at all, but on his own behalf.

What I also found lacking was any facts to actually support making the whois information private - the privacy violations that have occurred because of the current publicity of the database. What is the scale of this problem?

Matt Sergeant
Senior Anti-Spam Technologist
Symantec Hosted Services

Here we go again... Milton Mueller  –  Apr 22, 2010 1:51 PM PDT

Note what I said in my first comment: "One of the defining characteristics of the Whois debate is that one side steadfastly refuses to recognize it as a debate that involves trade-offs." Here is a prime example. Mr. Sergeant talks repeatedly about "making the Whois data private." In fact, this proposal would have retained in the whois record the name of the ISP and the name of the commercial customer of the ISP. It would have allowed (not required) an ISP to substitute their own information for the email, phone number and street address (information which, as some critics of the proposal noted, could probably be gotten elsewhere with a google search). All of the technical information about the ISP, block used, etc. would remain.

Whether you agree or disagree with this particular proposal is no longer the point. The issue is, one side in this debate persistently pretends as if _any_ change in the availability of _any_ element of Whois data is the same as removing _all_ Whois data from public access. This is a distorted and manipulative approach to the discussion - and it is done, I think, deliberately.

It doesn't matter what specific arrangement one proposes, the LEAs and their supporting drones begin chanting the same tired line about how they need "Whois data" - as if it is a binary decision between everything and nothing. Because of this droning, we can't have an intelligent discussion of exactly WHICH data elements are required to fulfill exactly WHICH purposes, and which parts of it really need to be open indiscriminately to any and all users of the Internet (including spammers and malware distributors) and which could be more restricted. Of course that is precisely the debate we need to be having.

I find it rather insulting that you Matt Sergeant  –  Apr 22, 2010 2:02 PM PDT

I find it rather insulting that you don't think I know the text of the proposal well, but given that you don't remember that it was myself that said in the meeting that the information that the proposal suggests hiding could be obtained from google, I'm not entirely surprised by your remarks.

The point being though, that the information it proposed hiding is available in google for LEGITIMATE companies ONLY. The bad guys don't have google presence because they are hiding.

Once again, what is the flip side of this? What is the harm? You have yet to adequately argue your side other than stating "privacy", and assuming that's a good enough argument. Given that the ARIN database has been around for more than a decade I presume you have good examples to hand of privacy violations resulting from the publication of this database?

And thanks for dropping down to insults with your "drones" remark. It really shows up your professionalism.

This Brian Krebs article should probably give you some more context on the Wendel proposal Suresh Ramasubramanian  –  Apr 22, 2010 11:35 PM PDT

http://krebsonsecurity.com/2010/04/isp-privacy-proposal-draws-fire/

It also suggests a possible motive behind the proposal.

One note regarding inclusion of informational presentations in Policy Meeting John Curran  –  Apr 23, 2010 4:28 AM PDT

For the record, we had several informational presentations that indirectly related to policy matters, and the possibilities for inequity in presentation time have definitely been duly noted and will be taken up by the Policy Development process review committee.  We'd like to be able to have informative presentations so the community can have good background into topics, but might need to place these elsewhere on the program, or include presentations in balanced pairs (pro and con), etc.  I'll report back to the community once there is an update in this area.

Book review Neil Schwartzman  –  Feb 19, 2011 8:56 AM PDT

I was just re-reading this thread from some time ago, and it brought to mind a review of Professor Mewler's writing I think provides important context:

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_5-4/book_reviews.html