But what the industry shouldn't overlook, especially in the face of the expected critical responses this week and next, is that the Governmental Advisory Committee's (GAC's) formal advice from the ICANN Beijing meeting represents an opportunity for the domain name industry to lock-in self-regulation at a critical point in its evolution.

IFFOR has been focused for some time on the question of what registries will need to do in a world where domain names can end in any word. As such, we see the GAC advice as a simple reflection of genuine, and understandable, concerns from a body whose main job is to identify public policy issues.

It is also nothing new: IFFOR went through this exact process to find policy solutions to questions raised by GAC over the dot-xxx top-level domain. Many of the same issues are present in this most recent advice — something we highlighted at the beginning of the year.

So here is the good news: it is perfectly possible to find a simple, effective and lightweight solution that will meet the concerns of governments — including that it be contractually binding — while keeping ICANN firmly out of content regulation.

It is also possible to do it right now without compromising business plans, redrawing financial projections, or seeking hundreds of thousands of dollars in new investment.

So what is this solution?

As part of the process for reaching agreement with both ICANN and the GAC over the dot-xxx top-level domain, a set of "baseline policies" was created (by IFFOR) to demonstrate a clear commitment to resolving concerns.

Those baseline policies covered issues such as:

• Scanning domains for malware, spam and phishing
• Audit and compliance systems
• Enhanced trademark protections
• Handling complaints
• Registrant verification
• Tackling child abuse images
• Disqualifying applicants that consistently break the policies

The implementation of those policies was then left up to the registry operator — ICM Registry — and IFFOR was also given the role of auditing the subsequent systems.

In response to the GAC advice in Beijing, IFFOR is close to completing a new set of "Safeguard Policies" designed specifically to encompass the six most broad safeguards that the GAC wishes to see apply to all new gTLDs.

In so doing, we have drawn on our original "baseline policies" to develop policies for the gTLD market as a whole, and have used our experience as a registry policy body to ensure all six GAC safeguards are fully addressed.

In an effort to make this work as widely accessible as possible, we plan to simply license these policies for a low annual fee. As well as the right to use, publish and reference the Safeguard Policies, each license will come complete with documentation to help registries implement each policy in the way most suited to their circumstances. We will also extend IFFOR's internal information service that provides ongoing information on related policy and regulatory topics to all licensees. Again, for one, low annual fee.

We believe this approach solves a number of issues:

• It provides applicants with a simple, swift and low-cost answer to government concerns
• It answers government calls for new safeguards
• It builds on a contractual solution that has already been shown to work within the ICANN system
• It removes the need and cost for applicants to develop their own policies
• It keeps the new gTLD program on track

Perhaps most importantly, adopting such an approach will give the industry a chance to demonstrate that it is committed to be a good actor while retaining the flexibility to develop the right systems for the right markets in the right way.

The mark of a self-regulated market is how well it responds to issues identified by a third party. With the right mix of creative pragmatism, the GAC safeguard advice can act as a catalyst for this industry.

If you are interested in learning more about IFFOR's Safeguard Policies, please visit our website at http://iffor.org/safeguard.

Written by Kieren McCarthy, Executive Director at IFFOR; CEO at .Nxt

CENTR Paper – Fifth World Telecommunication/ICT Policy Forum (Download PDF)

Introduction

Many nations, particularly from the developing world, look to the International Telecommunications Union (ITU) for advice on telecommunications issues and, increasingly, Internet governance issues. The ITU's Fifth World Telecommunication/ICT Policy Forum (WTPF-13), 14-16 May 2013, Geneva, Switzerland, will be the first WTPF to focus exclusively on Internet issues. Positions agreed to by ITU Member States on the management of Internet resources — including ccTLDs — and the roles and responsibilities of stakeholders in Internet governance are of particular importance to ccTLD operators due to the close association of ccTLDs to the territorial boundaries of sovereign nations.

WTPF-13

WTPF-13 has been convened to discuss the issues raised in ITU's three key Internet-related resolutions:¹

• Resolution 101:"Internet Protocol (IP)-based Networks" (Rev. Guadalajara, 2010)²
• Resolution 102: "ITU's role with regard to international public policy issues pertaining to the Internet and the management of Internet resources, including domain names and addresses" (Rev. Guadalajara, 2010)³
• Resolution 133: "Roles of administrations of Member States in the management of Internationalized (multilingual) domain names" (Rev. Guadalajara, 2010)⁴

The main policy outcomes of WTPF-13 will be the "Opinion" documents, which are non-binding on ITU's membership. However, the Opinions and final meeting report will be a good indicator of the Internet issues that may become the focus of ITU discussions, and in turn, more formal resolutions and recommendations, in the near future. In particular, WTPF-13 outcomes will inform the discussions at the Council Working Group on International Internet-Related Public Policy Issues (CWG-Internet), the ITU Plenipotentiary 2014 and the WSIS+10 review process.

In preparation for WTPF-13, two meetings of the Informal Experts Group (IEG)⁵ have already been held to fine-tune the Secretary- General's report.⁶ The report's summary of issues, which includes ccTLD processes, will form the basis of WTPF-13 discussions in May. Draft Opinions have been made available in the fourth, and latest, version of the Secretary-General's report. It is possible that more Draft Opinions will appear in the next and final version of the Secretary General's report, which will be published 1 March 2013.

WTPF-13 Draft Opinions

There are six Draft Opinions in the January 2013 version of the Secretary-General's report. The final WTPF-13 Opinions will be based on these drafts and onsite discussion of the contents of the Secretariat-General's report.

Overall model of Internet governance and development

There are three Draft Opinions on this topic. Two of the three drafts, submitted by Saudi Arabia, focus on the need for "immediate operationalization of the enhanced cooperation process" via an existing or new intergovernmental organization, in consultation with other stakeholders. The third draft, submitted by the United Kingdom, focuses on open, transparent and accountable Internet development, freedom of expression, universal access, and invites all stakeholders — not only Member States and Sector Members — to collaborate towards the ongoing expansion of the Internet.

Why these Opinions matter: These three Draft Opinions reflect fundamentally different views on how the Internet should be governed. On one side are States who believe it is important to have a government-only platform to discuss international Internet governance matters (this does not exclude other venues for Internet governance discussions). In many cases, these governments focus on the security risks the Internet can pose and seek an intergovernmental venue that can address these risks. On the other side are States who prefer to maintain the current multi-stakeholder environment, believing that governments already have enough opportunities to participate in Internet governance processes. These States often prefer to focus on the opportunities the Internet offers, such as freedom of expression and the development of an information society for all.

IPv6 deployment Both Draft Opinions on IPv6 encourage Member States to develop policies and incentives for IPv6 deployment within their territories. The Saudi Arabian draft also proposes ITU to develop policies to manage IPv4 address transfers in the wake of the exhaustion of the unallocated IPv4 pool. The United Kingdom's draft emphasizes the need to build human capacity in developing countries to enable IPv6 deployment.

Why these Opinions matter: If ITU Member States recommend the ITU should actively develop policy for IP address space management — an area already served by Regional Internet Registries (RIRs) — it may open the door for ITU to consider policy development in other areas of Internet resource management. In many cases, such policy development already has a home within existing organizations, such as the ICANN.

IXPs as the long-term solution to better and more robust Internet connectivity

The final draft opinion, from the United Kingdom, invites Member States and Sector Members to work collaboratively with developing countries in promoting IXPs.

Why this Opinion matters: In contrast to the other Draft Opinions, where views on the same topic are the result of ideological differences, this Draft Opinion is an example of practical ways to develop Internet capacity in developing countries. In addition, an improved Internet quality for regions served by new IXPs, will create new useful locations to host anycasted Root DNS Servers and secondary ccTLDs nameservers.

Internet issues contained in the Secretary-General's WTPF-13 report

Any of the topics included in the Secretary-General's report may be included in the final Opinions and meeting report. In particular, the broad scope of the three Draft Opinions on the overall model of Internet governance and development leaves room to add text on a variety of Internet issues summarized in the Secretary-General's report. The issues of most relevance to the ccTLD community in the report are:

1. Roles and responsibilities of stakeholders in Internet management

While the WSIS Tunis Agenda⁷ recognized the multi-stakeholder model as the appropriate global model for Internet governance, the Secretary-General's report summarizes debates on whether the model has been fully implemented. One view maintains that the current Internet governance framework is sufficiently multi-stakeholder and that intergovernmental forums that discuss the Internet, such as the ITU, also need to adopt a multi-stakeholder approach. The ITU has itself been keen to change the world's perceptions of its working methods, publicizing that the WTPF IEG process is open to all stakeholders.⁸

The other view is that the role of governments in Internet governance has not been allowed to evolve according to the "enhanced cooperation" text in the Tunis Agenda, which states:

"We further recognize the need for enhanced cooperation in the future, to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues."

According to this second view, the failure to operationalize an intergovernmental mechanism for enhanced cooperation has contributed to the world's failure to adequately address ongoing Internet challenges, including spam and cybercrime. States holding this view often also question the adequacy of the ICANN Government Advisory Committee (GAC).

2. Management of Internet resources

The Secretary-General's report notes concerns with the current Internet infrastructure's ability to support the Internet's continued growth — in particular, the ability to support security, identity management and multilingualism. Under the topic of Internet resource management are the following topics of interest:

• Internet connectivity – The high cost of international Internet connectivity for Least Developed Countries (LDCs) is seen to be particularly problematic, with IXPs reported as a long-term solution to the problem. Included in the report are descriptions of some of the main challenges LCDs face in closing the digital divide.
• IP addresses – The ITU has a long history discussing IP address management, which is reflected in the Secretary-General's report. The slow rate of IPv6 deployment, in particular, is a concern, with continued debate about whether today's "first come, first served" IPv6 allocation policies could penalize late adopters. The ITU has issued a number of IP address-related resolutions⁹, so it is a certainty that WTPF 2013 will result in an IP address-related Opinion.
• Resource Public Key Infrastructure (RPKI) – RPKI is still in its infancy but it is hoped it will make the Internet's IP routing system more secure. Given the security implications, RPKI is a topic of interest to ITU Member States and therefore is included in the Secretary-General's report. In particular, the report notes that questions have been raised about whether the operation of the RPKI certifi cate chain by ICANN and RIRs fundamentally changes their role in Internet governance.

3. gTLDs

The new gTLD process is detailed in the report, with the Secretary-General noting discussions about new gTLDs' impact on gTLD market competition and trademark or rights holders, particularly those in developing countries. The report also notes that concerns have been raised about the potential misuse of acronyms reserved for use by intergovernmental organizations (IGOs), geographic names, and cultural and language descriptors.

4. ccTLDs

The report notes that there is not a one-to-one relationship between a ccTLD string for a "territory" as defined in the ISO-3166 list and the name of a sovereign nation, with some nations having more than one ccTLD string reserved for their use (for example, Finland has both .fi and .ax). The ccTLD re-delegation process is also described in depth, including the need for the US government to evaluate IANA's report on the ccTLD request. The report includes a reference to ITU's role in requesting the re-delegation of .so in 2009 and notes that the Tunis Agenda states that countries should not be involved in decisions regarding another country's ccTLD. It is not clear whether this reference is meant to be compared directly with the earlier reference to the US government's role in overseeing re-delegation. The effect, however, is to highlight the US government's role in the re-delegation process of other nations' ccTLDs.

5. DNS security

The report describes how DNSSEC works and notes concerns about the processes that create the DNSSEC "chain of trust". However, given the sources of such concerns have not attended IEG meetings, the majority of the text reflects the views of those who support the current DNSSEC trust chain.

6. Multilingualism and IDNs

The report states that internationalized domain names (IDNs) are seen as an important step in overcoming linguistic barriers to Internet access, while also highlighting views that there are a number of challenges regarding intellectual property and the IDN deployment. The report notes some countries believe the current Unicode-based IDN implementation is "effectively a patch on an ASCII-based system and that the DNS will properly refl ect multilingualism when support is native to the system".

7. Regional distribution of Root DNS Servers

The report notes that there is a disparity between the geographical distribution of Root DNS Servers and the global distribution of Internet users but does bust the myth that there are only 13 Root Servers by explaining the concept of anycasting. However, the report also points out that only three of the Root Server operators have administrative headquarters outside the USA.

WTPF-13 and other Internet-related discussions at the ITU

The ITU has held many Internet-related discussions in its meetings and Study Groups. Discussion at WTPF-13 will both be informed by these previous discussions as well as inform future discussions on the Internet at the ITU. The key interactions are described below.

World Conference on International Telecommunications

Many of the proposals submitted during the two-year preparatory process of WCIT¹⁰ contained explicit Internet-related content, including:

• Adding principles for Internet governance
• Asserting that "Member States have equal rights to manage the Internet, including in regard to the allotment, assignment and reclamation of Internet numbering, naming, addressing and identification resources"

Ultimately, the final set of International Telecommunication Regulations (ITRs)¹¹ produced in Dubai in 2012 did not include the word "Internet" anywhere. However, there are still many traces of Internet-related issues visible in the ITRs. For example, the ITRs' recognition of States' rights to access to international telecommunication services was added in response to trade blockades that prevent Internet-based services, such as electronic payments, being available in some countries. In addition, a new ITR article on accessibility to international telecommunication services is most applicable to Internet-based services (such as web services). There were strong disagreements on Internet-related issues at WCIT, and, following the intergovernmental practice of discarding proposals that cannot reach consensus amongst States, all direct references to the Internet were removed. A number of States, however, chose not to sign the ITRs — amongst them, the US government. Given the US government provides IANA with the authority to global coordinate the DNS Root and IP addressing systems, the refusal of the USA to sign the ITRs may be seen by a number of States as a sign that the USA "continues" to "control" the Internet. Many of the ideas expressed in Internet-related WCIT proposals have previously appeared in submissions to other ITU meetings, reflecting the fact that some Member States continue to feel strongly that current Internet governance arrangements — particularly the relationship between the US government and IANA — are unsatisfactory. Given the "unsatisfactory" Internet governance arrangements were not addressed in the WCIT outcomes, it is highly probable that many of the same issues will be create equally strong discussion at WTPF-13.

Council Working Group on International Internet-Related Public Policy Issues

Since 2010, the Member States-only CWG-Internet¹² — previously known as the Dedicated Group (DG) on International Internet- Related Public Policy Issues — has discussed ccTLDs, gTLDs, IDNs, IP addresses, DNSSEC, and RPKI under the banner of "critical Internet infrastructure". It has also discussed how ICANN and the ICANN GAC work. Although the group discusses many Internet issues that are currently managed under the open multi-stakeholder model of Internet governance, the CWG's documents are available only to Member States. One of the key documents produced by the group, "Internet Governance: Background Information on Mechanisms, Arrangements, Organizations and some Current Topics" is the source of much of the Secretary-General's report for WTPF-13, including information on ccTLD operations and re-delegation procedures. The Opinions produced by WTPF-13 are likely to affect future discussions within the CWG.

WSIS, the Tunis Agenda and WSIS+10

The World Summit on the Information Society (WSIS)¹³ produced the Tunis Agenda, which has become one of the key documents informing intergovernmental discussions on Internet governance. While it clearly stated that the multi-stakeholder model was the appropriate model for global Internet governance, its text on the need for "enhanced cooperation" between governments in relation to Internet governance remains the subject of debate to this day. WTPF-13 discussions on the appropriate way to further implement, if necessary, governments' roles in Internet governance result directly from differing interpretations of this Tunis Agenda text. To mark the tenth anniversary of the WSIS process ("WSIS+10"), there will be a high level event in 2014 or 2015 that will assess the implementation of WSIS goals. As the tenth anniversary of WSIS is only two years ago, governments that have been pushing for an intergovernmental organization to enhance their role in Internet governance are beginning to express their frustration at the lack of progress to date. With the WCIT outcomes not meeting their goals, the WTPF is the next major ITU event at which governments can continue this debate.

Plenipotentiary 2014

WTPF-13 is based on the Internet-related resolutions that were updated at Plenipotentiary 2010 and will, in turn, influence the Internet-related resolutions developed at the next Plenipotentiary¹⁴. Resolutions passed at Plenipotentiaries are particularly important as these meetings set the agenda for the following four years of ITU's work.

How to participate in WTPF-13

The final version of the Secretary-General will be published 1 March 2013. The WTPF-13 will be held 14-16 May 2013, in parallel with ITU's WSIS Forum, in Geneva, Switzerland. Anyone can attend the WTPF and ask for the floor to make statements.

Nominet, responsible for .uk, has already made a submission to the IEG process.¹⁵ Stakeholders can also contact their government representatives at ITU to help their government develop positions on the issues under discussion at WTPF-13. Many governments who support the multi-stakeholder model of Internet governance are also happy to place non-government stakeholders on their official delegation at meetings such as WTPF-13.

If you are unsure whom to contact within your government, a good place to start is the Participants List from WCIT:
http://files.wcitleaks.org/public/S12-WCIT12-ADM-0004!!PDF-E.pdf

All information relating to WTPF-13 is posted at:
http://www.itu.int/wtpf

¹ Given the recent WCIT held in Dubai also adopted an Internet-related resolution, it is possible that the issues it raises will also be incorporated in the next version of the Secretary- General's report.

² http://www.itu.int/osg/csd/intgov/resoultions_2010/PP-10/RESOLUTION_101.pdf

³ http://www.itu.int/osg/csd/intgov/resoultions_2010/PP-10/RESOLUTION_102.pdf

⁴ http://www.itu.int/osg/csd/intgov/resoultions_2010/PP-10/RESOLUTION_133.pdf

⁵ http://www.itu.int/en/wtpf-13/Pages/ieg.aspx

⁶ http://www.itu.int/en/wtpf-13/Pages/report-sg.aspx

⁷ http://www.itu.int/wsis/docs2/tunis/off/6rev1.html

⁸ The recent WCIT Resolution 3 (see http://www.itu.int/en/wcit-12/Documents/final-acts-wcit-12.pdf) also called on Member States to "to engage with all their stakeholders" on "international Internet-related technical, development and public-policy issues within the mandate of ITU" but stopped short of opening ITU meetings to the full participation of all stakeholders.

⁹ For example: WTSA 2008 Resolution 64, http://www.itu.int/dms_pub/itu-t/opb/res/T-RES-T.64-2008-PDF-E.pdf; WTDC 2010 Resolution 63, http://www.itu.int/osg/csd/intgov/ resoultions_2010/resolution63.pdf; Plenipotentiary 2010 Resolution 180 http://www.itu.int/osg/csd/intgov/resoultions_2010/PP-10/RESOLUTION_180.pdf

¹⁰ http://www.itu.int/en/wcit-12/Pages/default.aspx

¹¹ http://www.itu.int/en/wcit-12/Pages/itrs.aspx

¹² http://www.itu.int/council/groups/CWG-internet

¹³ http://www.itu.int/wsis

¹⁴ http://www.itu.int/en/plenipotentiary/Pages/default.aspx

¹⁵ http://www.itu.int/md/S12-WTPF13PREP-C-0024/en

Written by CircleID Reporter

Last week, we made our 1000th allocation from the final /8 and five months after reaching this point, we can report back on what we've seen so far.

Prior to reaching this milestone, the RIPE community had already developed policies to govern how the RIPE NCC would allocate the remaining space. The last /8 policy ensures that each member of the RIPE NCC can receive one final /22 of IPv4 address space (1,024 IPs) from the last /8. With approximately 16,000 /22s in a /8, and around 8,800 RIPE NCC members, the RIPE community decided that this approach would give Local Internet Registries (LIRs) some breathing room to make the transition to IPv6, and would also ensure new entrants to the industry could access IPv4 address space.

As pointed out in the most recent article RIPE NCC Membership - 2012 Statistics, the number of IPv4 allocations issued since September has remained stable. In Figure 1 below, you can see the number of IPv4 /22 allocations per week since September 2012. The numbers were a little lower in the second half of December but they increased again in January 2013.

Figure 1: Number of IPv4 allocations since September 2012 on a weekly basis

Note that the last bar doesn't show a full week but ends on 31 January — the day we handed out the 1,000th IPv4 /22.

As you can see in Figure 2, most allocations in the first two months were existing LIRs claiming their final /22 (additional allocations). This might be due to those requests that were already ongoing when we started allocating from the last /8.

Figure 2: Number of /22s as first (blue) vs. additional allocations (red) since reaching the last /8 of IPv4 address space

Since November 2012, the majority of /22 allocations were made as first allocations to new LIRs. This indicates that the last /8 policy is ensuring that new entrants in the industry can still receive a small block of IPv4 address space for the foreseeable future. This had been one of the motivations behind the RIPE community putting this policy into place.

In summary, we can say that even though the number of IPv4 allocations has been fairly consistent since September, we haven't see a big run on the last block of IPv4 addresses. Considering the fact that we have over 8,800 members, 1,000 /22s allocated over five months is a moderate number. Also, when looking at the distribution of first verses additional allocations, the last /8 policy is working to allow new organisations to enter the market.

For more information and additional graphs, please refer to the background article on RIPE Labs: 1,000 /22s Allocated from Last /8.

Written by Mirjam Kuehne

The Internet is inexorably changing, and the predominate theme of today's network is the dramatic uptake of the mobile device. Whether its an Apple iPhone, or a Samsung Galaxy SIII, a Nokia Lumina, or any one of a myriad of other mobile devices that have transformed the mobile phone onto an Internet device, the sheer volume of deployment of these devices has been the dominant factor in the growth of the Internet in 2012.

In November 2012 Gartner released its estimate of the worldwide mobile device sales for the third quarter for 2012, showing a total sales volume for the quarter of 169 million smartphone devices, a growth of 15.4 million devices over the previous quarter. It will be a few weeks before the figures are out for the final quarter of 2012, but at this rate it appears that we will have purchased a total of 657 million mobile smartphone devices by the end of this year. In terms of market share, Android-based devices account for some 64% of all sales, and Apple's iPhone some 20%. If you add to this number a further 122 million estimated tablet sales for 2012, the total number of these mobile devices sold during 2012 looks like totalling some 779 million units seeking Internet connectivity in the wireless world.

The growth in the wired world of the Internet is not so dramatic. The large scale deployment exercised for residential broadband has achieved market saturation in many of the more developed parts of the world where the GDP per capita exceeds some $20,000. Where the GDP per capita is lower the levels of broadband penetration are also lower, perhaps because of the higher rural populations and the basic issues of affordability. The estimated total number of Internet users worldwide grew from 2.06 billion at the start of the year to 2.3 billion by the end of the year, a growth of some 240 million million users.

So growth continues, and if one looks at the mobile numbers this is the highest level of growth of the Internet that we've ever witnessed. It would appear that we've added some 850 million new devices to the Internet, and perhaps retired some 200 - 300 million over the same period, leaving a net growth of 500 million new devices.

Where are these devices? How is the Internet changing as a result of this activity? Let's use the lens of address allocation records to see how the Internet fared in 2012.

Growth of the Internet

In terms of the allocation of public address space as a metric, pace of growth of the Internet slowed down substantially in 2012. The allocation of 115 million addresses in 2012 on top of a base of 3,368 million addresses that were already allocated at the start of the year represents a growth rate of 3.4% for the year. This is approximately one half of the growth in 2011, and represents the lowest relative growth rate we've seen in recent years.

I suspect this is due to the exhaustion of available IPv4 address space in Asia throughout the year, and the onset of the same exhaustion state at the RIPE NCC in mid-September, affecting the European and Middle East region. This is compounded by a long-standing economic malaise that has impacted much of the European and North American markets over 2012, which has impacted consumer sentiment and the sales volumes of mobile devices throughout the year.

	2005	2006	2007	2008	2009	2010	2011	2012
Allocated IPv4 Addresses (Millions)	174.4	168.1	203.9	203.3	189.4	248.8	201.0	114.0
Relative Annual Growth	8.0%	7.7%	8.8%	8.0%	6.9%	8.4%	6.3%	3.4%

Table 1 – IPv4 Allocated Addresses by Year

During 2012 the total number of IPv4 addresses allocated from the RIRs, supporting the growth of the Internet, was one half of record 2010 level. However before leaping to conclusions relating to a dramatic decline in investment in new network infrastructure, its useful to break this number down on a per-RIR basis, to understand the impact of address exhaustion in APNIC relative to the other regions.

Which economies received these addresses? At a regional level its possible to compare the allocations made by each RIR.

IPv4 Addresses	2005	2006	2007	2008	2009	2010	2011	2012
APNIC	53.6	51.4	69.6	87.8	86.9	120.2	105.2	1.0
RIPE NCC	61.2	55.0	60.7	44.0	43.4	56.0	43.1	40.0
ARIN	47.2	46.5	53.0	57.1	41.1	45.2	23.5	45.0
LACNIC	10.4	10.7	14.2	12.0	10.5	13.0	24.4	21.0
AFRINIC	0.9	2.6	5.5	1.6	5.9	8.5	9.2	7.9

Table 2 – IPv4 Allocated addresses (millions) - Distribution by RIR

In 2012 APNIC allocated 1 million addresses, down 99% from the 105 million that were allocated in 2011. APNIC effectively exhausted its general use pool of addresses in April 2011, and since then it has been operating under the terms of a "last /8" policy that limits each allocation to at most 1024 addresses. APNIC recorded some 1,160 individual address allocations in 2012, with an average allocation size of 869 addresses per allocation.

The RIPE NCC also exhausted its general use pool of addresses in mid-September 2012. The RIPE NCC allocated some 40 million addresses in 2012, of which 39.3 million addresses were allocated in the first 9 months of the year, and some 700,000 addresses were allocated in the ensuing three months. The average allocation size in the first nine months of the year was 8,876 addresses (over a total of 4,426 allocations) while in the last three months the average allocation size was 1,138 addresses (over a total of 606 allocations). The address allocation rate post-exhaustion stands at 5% of the pre-exhaustion address allocation rate.

But what of the other regions? In the case of ARIN the total allocated address count has doubled from 2011 levels, and it is now at the same level as 2010. In South America and the Caribbean the count of allocated addresses is only slightly lower than the 2011 level, which, at 20 million addresses per year, is approximately double the 2005 — 2010 allocation rate. A similar jump in address allocation rates was experienced by Afrinic in 2010, and the 2012 address allocation rate is similar to the past 2 years.

Which economies are leading this continued growth in IPv4 services?

IPv4 Addresses (/32s, Millions) / 2007-2009
Rank	2007		2008		2009
1	USA	48.47	USA	53.79	China	50.67
2	China	37.29	China	46.49	USA	38.55
3	France	13.38	Japan	10.06	Japan	11.04
4	Germany	11.22	Rep.Korea	7.96	Rep.Korea	10.95
5	Rep.Korea	7.73	Germany	7.29	Russia	5.46
6	Japan	7.14	Brazil	6.29	Brazil	4.19
7	UK	6.41	Russia	6.12	UK	4.19
8	India	5.61	Italy	5.85	Italy	4.16
9	Mexico	5.24	India	4.23	France	3.85
10	Italy	5.09	Taiwan	4.18	Germany	3.6

IPv4 Addresses (/32s, Millions) / 2010-2012
Rank	2010		2011		2012
1	China	45.2	China	53.07	USA	28.2
2	USA	42.32	USA	21.21	Canada	16.7
3	Rep.Korea	25.73	Japan	16.91	Brazil	8.4
4	Japan	10.02	Rep.Korea	7.68	Russia	5.3
5	Australia	9.63	Indonesia	7.09	Iran	4.5
6	India	9.43	Brazil	6.29	Germany	3.4
7	UK	8.13	India	6.01	South Africa	3.4
8	Germany	6.97	France	5.39	Italy	3.3
9	Russia	6.46	Russia	5.02	Colombia	2.6
10	Brazil	6.29	Germany	4.92	Romania	2.6

Table 3 – IPv4 Allocated addresses (Top 10 Economies 2007-2012)

With the exhaustion of IPv4 addresses in the Asia Pacific region, China, Korea, Japan and India no longer are in the top 10 countries for IPv4 address allocations. Europe and Middle East economies, namely Russia, Germany, Italy and Romania will also be listed here for the last time.

Running out at RIPE: was there last minute panic?

In the Asia Pacific region there was a strong element of panic visible in the address consumption figures for the period January — April 2011. The average number of addresses allocated per week by APNIC across 2010 was some 2.3 million addresses per week, whereas the first 14 weeks of 2011 saw the volume of allocations triple to an average of some 6.9 million addresses per week. Figure 1 shows the week-by-week allocated address volume comparing 2010 (green) with 2011 (red). The surge in address allocations in weeks 8 — 20 in 2011 in APNIC is clearly evident here.

Figure 1 – APNIC Weekly Address Allocation Levels: 2010-2011

The RIPE NCC did not experience the same level of a last minute "rush" at the registry. Through 2011 the average weekly address allocation vole was some 828,000 addresses per week. For the first 37 weeks of 2012 the average address allocation rate rose by some 25% to 1.05 million addresses per week, a far lower rise than that experienced by APNIC. Figure 2 shows a similar week-by-week comparison for the RIPE NCC, comparing 2011 with 2012. While the final two weeks in September 2012 saw the RIPE NCC distribute more than 2 million addresses per week, this is not that unusual, in that this weekly allocation volume had been reached twice earlier in 2012 and three times in 2011.

Figure 2 – RIPE NCC Weekly Address Allocation Levels: 2011-2012

The data for RIPE shows that in this region there was no last minute rush of IPv4 address applications being lodged at the registry. The registries actions in informing the industry actors in the region of the evolving situation and the timeline to exhaustion appears to have averted much of the last chance panic that was evident in the Asia Pacific region.

A similar set of figures for the other four registries, comparing 2011 with 2012 in a week by-week basis are shown in Figure 3.

APNIC Allocations
ARIN Allocations
LACNIC Allocations
AFRINIC Allocations

Figure 3 – Weekly Address Allocation Levels: 2011-2012

The major notable allocation events in 2012 are a set of allocations totalling some 13 million addresses in week 20 by ARIN, and a rising average allocation rate at AFRINIC at the end of 2012, rising to an average of 0.5 million addresses per week with 2 weeks with more than 1 million allocated addresses. However, there is no clear signs of a "last minute" rush on the three RIRs that still have available IPv4 addresses to distribute.

Address Distribution
Another way to look at the address distribution is in terms of "skew". If the Internet is populated by a largely homogenous population of service providers then the distribution of address allocations would be relatively uniform, such that the group of largest allocations would not be vastly larger than the group of smallest allocations. On the other hand , if the service provider population is skewed such that there is a small number of very large providers that service the bulk of the user population, then we would expect to see the bulk of addresses being allocated to a small number of providers. One way to look at the level of skew is to use a cumulative distribution plot, comparing the number of allocations to the amount of address space, shown below.

Figure 4 – IPv4 Allocation Distribution CDF 2010-2012

Figure 4 shows the address distribution for 2010 (green), 2011 (red) and 2012 (blue). The shift from 2010 to 2011 showed an increase in the proportion of address space being allocated to the larger providers. The largest 10% of allocations in 2010 received, 89.8% of the total allocated address space, while this rose slightly to 91.6% in 2011. The impact of address exhaustion in APNIC was evident in 2012, as the largest 10% of allocations received 89.8% of all addresses, the same level as 2010.

Who received the largest of these allocations in 2012?

Rank	Economy	Organization	Addresses (M)
1	United States	NTT Communications Corporation	9.7
2	Brazil	Comite Gestor da Internet no Brasil (Brazil NIR)	8.4
3	United States	AT&T Internet Services	3.1
4	Canada	Rogers Cable	3.1
5	Iran	Iran Cell and Communication	1.0
6	Iran	Gostaresh Ertebatat Mabna	1.0
7	Germany	Telekom Deutschland	1.0
8	France	Free Mobile SAS	1.0
9	United States	Windstream	1.0
10	United States	Amazon	1.0
11	South Africa	MTN Business	1.0
12	South Africa	Vodacom	1.0
13	Argentina	Telecom Argentina	1.0
14	Colombia	Comcel	1.0
		Total	33.8

Table 4 – IPv4 Allocated Addresses (Top 14 allocations for 2012)

Of note here is the inclusion of a number of new economies in this list, notably Iran and South Africa.

This "heavy tail" distribution of the largest allocations has not always been the case. In looking at the distribution of IPv4 allocations over the past decade the following table shows the percentage of address space that were allocated to the 1% largest individual allocations and the lower half of the individual allocations.

IPv4	'01	'02	'03	'04	'05	'06	'07	'08	'09	'10	'11	'12
Top 1%	30%	39%	38%	38%	51%	45%	51%	47%	50%	49%	60%	63%
Lower 50%	5%	5%	4%	3%	1%	2%	1%	1%	1%	1%	1%	2%

Table 5 – IPv4 Allocated addresses (2011-2012)

What appears to have happened across the period 2000 - 2005 was a marked phase of aggregation in this industry, where the economies of scale in a mass market for Internet services started to exercise significant influence over the deployment of services on the Internet. This picture has remained relatively consistent since 2005, and the largest 100 Internet enterprises across the world appear to undertake at least one half of the volume of deployment of new Internet services. To the extent that the Internet on the 1990's was a poster child of a strongly competitive environment and highly diverse supply industry in the communications sector, the 2000's has seen the Internet progress into an environment which is dominated by economies of scale and large scale supplier enterprises. A marketplace that is strongly influenced by a small number of larger enterprises is often not as agile in areas of technical and service innovation, and competitive pressures are not as strong a factor when one or two providers assume a dominant market position.

The distribution of addresses in the IPv4 Internet paints a picture of an industry that has now completed a process of aggregation, and the pressures that will lead to further evolution of the Internet in the coming years will probably be different to those that drove the Internet of some years ago.

IPv4 Address Exhaustion

One further milestone occurred in 2012 on the path to IPv4 address exhaustion, namely the exhaustion of its general use address pool, by the RIPE NCC in September 2012.

The Internet continues to rely very heavily on IPv4, and the consumption of a further 114 million addresses in 2012 leaves 219 million addresses in the pool of unallocated addresses, or a total of some 23 months if we were able to access these addresses at the same rate as we have been to date. However this is not the case.

Figure 4 – RIR Address Exhaustion Model

APNIC holds some 15 million addresses, but at this stage has is operating under an allocation policy where each entity can receive a maximum of 1024 addresses. The RIPE NCC holds some 16 million addresses and is managing this pool under a policy that is similar to APNIC's.

At the end of 2012 ARIN holds some 50.4 million addresses. At this point in time the average monthly address consumption rate for ARIN is 1.9 million addresses per month, and if this rate remains steady, then ARIN's pool of addresses will last a further 1 ½ years before ARIN reaches a low threshold of 16,777,216 addresses (or the equivalent of a /8 address block) remaining.

LACNIC holds 48 million addresses at the end of 2012. The average address consumption rate for LACNIC is some 1.5 million addresses per month, which implies the LACNIC will reach its final /8 of address holdings in some 1½ years from now, in September 2014.

AfriNIC holds some 64 million addresses, and have an average address consumption rate of some 0.47 million addresses per month.. At this rate AfriNIC will reach its final /8 in some 9 years from now.

IPv6 in 2012

IPv6 uses a somewhat different address allocation methodology than IPv4, and it is a matter of choice for a service provider as to how large an IPv6 address prefix is assigned to each customer. The original recommendations published by the IAB and IESG in 20012 (RFC3177) envisaged the general use of a /48 as an end site prefix. Subsequent consideration saw a more flexible approach being taken with the choice of the end site prefix size being left to the service provider, and today's IPv6 environment has some providers using a /60 end site allocation unit, some use a /56, and other providers use a /48. This variation makes a comparison of the count of allocated IPv6 addresses somewhat misleading, as an ISP using /48's for end sites will require 256 times more address space to accommodate the same customer base as a provider who uses a /56 end site prefix, and 65,000 times more address space than an ISP using a /60 end site allocation.

So for IPv6 let's use both the number of discrete IPv6 allocations and the total amount of space that was allocated to see how IPv6 fared in 2011.

Comparing 2011 to 2012 the number of individual allocations of IPv6 address space curiously fell slightly, from 3,587 to 3,304. What is perhaps surprising is the absence of a sharp uptake of IPv6 in 2012.

Allocations	2005	2006	2007	2008	2009	2010	2011	2012
IPv6	240	234	475	860	1,236	2,436	3,587	3,304
IPv4	4,774	5,646	6,312	6,969	6,701	7,758	10,061	8,619

Table 6 – Number of individual Address Allocations, 2005-2012

The amount of IPv6 address space distributed in 2012 is comparable to the volume of 2011. If one was searching for evidence that there is a concerted effort to deploy IPv6 across the entire Internet in the coming months, then these figures would not assist. It seems that the level of interest in IPv6 remains at a level that is somewhere between lackadaisical and slight in the Internet at large.

Addresses	2005	2006	2007	2008	2009	2010	2011	2012
IPv6 (/32s)	26,991	9,792	6,678	80,996	1,064	5,835	15,018	17,756
IPv4 (/32s)(M)	174.4	168.1	203.9	203.3	189.4	248.8	201.0	114.9

Table 7 – Volume of Address Allocations, 2005-2012

In terms of the number of individual allocations 2012 was not a big year for IPv6. Indeed in ARIN (North America), APNIC (Asia Pacific) and AFRINIC )Africa) the number of IPv6 address allocations fell in 2012. The numbers for the RIPE CC (Europe and the Middle East) are only slightly higher than the 2011, and it is only in LACNIC (Latin America and the Caribbean) that the number of IPv6 allocations almost doubled in 2012, although this was from a small base to start with.

Allocations	2005	2006	2007	2008	2009	2010	2011	2012
RIPE NCC	93	89	158	427	622	1,042	1,647	1,756
ARIN	59	69	210	227	378	623	1,038	611
APNIC	54	43	63	161	190	666	641	599
LACNIC	31	16	25	29	33	50	132	253
AFRINIC	3	17	19	16	13	55	129	83
	240	234	475	860	1,236	2,436	3,587	3,302

Table 8 – IPv6 allocations by RIR

The assignment data tells a slightly different story. Table 9 shows the number of allocated IPv6 /32's per year (Table 9) and dividing addresses by allocations gives the average IPv6 allocation size in each region (Table 10). Of note is the jump in average allocation size in AFRINIC and LACNIC in 2012, and a fall in the average allocation size in APNIC. The overall average allocation size is slightly larger than a /30. The difference here point to some differences in IPv6 allocation policies between the regions, as well as some difference in the IPv6 applicants (large scale core infrastructure vs edge networks) between the regions.

IPv6 Addresses (/32s)	2005	2006	2007	2008	2009	2010	2011	2012
RIPE NCC	17,495	6,481	1,251	606	602	1,867	2,425	3,729
ARIN	57	52	137	14,488	249	579	2,280	1,675
APNIC	9,373	3,226	5,237	141	174	3,239	9,506	3,807
LACNIC	53	16	39	65,749	30	46	652	4,325
AFRINIC	3	17	14	12	9	104	155	4,203
	26,981	9,792	6,678	80,996	1,064	5,835	15,018	17,739

Table 9 – IPv6 address allocation volumes by RIR

Average IPv6 Allocation (/32s)	2005	2006	2007	2008	2009	2010	2011	2012
RIPE NCC	188.12	72.82	7.92	1.42	0.97	1.79	1.47	2.12
ARIN	0.97	0.75	0.65	63.82	0.66	0.93	2.20	2.74
APNIC	173.57	75.02	83.13	0.88	0.92	4.86	14.83	6.36
LACNIC	1.71	1.00	1.56	2,267.21	0.91	0.92	4.94	17.09
AFRINIC	1.00	1.00	0.74	0.75	0.69	1.89	1.20	50.64
	112.42	41.85	14.06	94.18	0.86	2.40	4.19	5.37

Table 10 – Average IPv6 address allocation size by RIR

Rank	2008		2009		2010		2011		2012
1	US	211	US	349	US	556	US	924	US	549
2	DE	67	DE	86	AU	146	AU	176	UK	199
3	UK	34	UK	66	DE	124	DE	160	DE	187
4	RU	33	NL	56	UK	106	UK	150	RU	186
5	NL	33	AU	53	RU	102	RU	147	NL	124
6	CH	33	RU	46	NL	86	FR	110	AU	113
7	AU	30	JP	32	CN	86	CA	107	FR	111
8	JP	28	FR	29	ID	72	NL	107	SE	90
9	IT	22	CZ	29	JP	62	SE	96	AR	78
10	VN	22	SE	27	FR	60	CZ	88	PL	77

Table 11 – IPv6 allocations by Economy

Table 12 shows the amount of IPv6 address space assigned on a per economy basis for the past 5 years (using units of /32s). In 2012 the major allocations were /20 address blocks to entities in Argentina and Egypt. The address space allocated to the United States was down on 2011 levels, as was the IPv6 address allocations to China.

Rank	2008		2009		2010		2011		2012
1	BR	65,728	US	225	JP	2,518	CN	8,997	AR	4,178
2	US	14,478	DE	143	DE	600	US	2,205	EG	4,098
3	SE	143	UK	61	US	523	ES	641	CN	3,136
4	FR	82	AU	45	CN	339	UK	384	US	1,346
5	DE	66	NL	44	BE	270	VE	262	IT	635
6	UK	34	RU	43	FR	181	MX	261	RU	414
7	CH	33	JP	33	AU	100	NL	229	DE	380
8	RU	33	FR	24	SE	94	DE	187	UK	353
9	NL	32	CZ	21	RU	94	RU	146	CA	325
10	CN	26	SE	21	UK	94	AU	124	JP	283

Table 12– IPv6 Address Allocation Volumes by Economy

The major IPv6 allocations in 2012 by end entity are shown in Table 13.

Rank	Country	Organisation	Address Count (/32s)
1	Argentina	Cablevision	4,096
2	Egypt	Link Egypt	4,096
3	China	China Unicom	3,072
4	Italy	Wind Telecomunicazioni SPA	512
5	Japan	Softbank	256
6	United States	Cable One	256
7	United States	U.S. Department of Agriculture	256
8	United States	Start Communications	256
9	United States	Charter Communications	256
10	United States	U.S. Department of Veterans Affairs	256
11	India	Indian Ministry of Communication & IT	64
12	Switzerland	UPC Cablecom GmbH	32

Table 13 – Largest IPv6 Address Allocations in 2012 by Organisation

Notable here are two large allocations of a /20 prefix to ISPs in Argentina and Egypt, and three assignments to public agencies (2 in the US and 1 on India)

The Outlook for the Internet

The past five years has shown that the Internet is now an integral part of the portfolio of conventional business activity across the world, and the deployment of internet services and the opening up of markets through deployment of Internet services is subject to the same economic opportunities and constraints as any other business activity. Those economies that were adversely impacted by the global financial situation saw a drop in the expansion of new Internet services and a drop in their demands for IP address allocations across 2009-2012, while other economies that managed to avoid the worst impacts of a financial recession continued to see growth in new Internet markets across the year.

The past three years has been dominated by the mass marketing of mobile internet services, and the growth rates for 2012 perhaps might have been the highest so far recorded were it not for the exhaustion of the IPv4 address pools in the Asia Pacific region and Europe and the Middle East. In address terms this growth is being masked by the use of Carrier Grade NATs in the mobile service provider environment, so that the resultant demands for public addresses in IPv4 are quite low. In theory there is no such requirement for IPv6 to use NATS, and if the mobile world were deploying dual stack ubiquitously then this would be evident in the IPv6 address allocation data. Unfortunately no such deployment was visible in the address statistics for 2012. This points to a mobile Internet that is almost completely reliant on NATs, and this, in turn, points to some longer term elements of concern for the continued ability of the Internet to support further innovation and diversification in its portfolio of applications and services.

We are witnessing an industry that is no longer using technical innovation, openness and diversification as its primary means of propulsion. The widespread use of NATs limit the technical substrate of the Internet to a very restricted model of simple client/server interactions using TCP and UDP. The use of NATs force the interactions into client-initiated transactions, and the model of an open network with considerable flexibility in the way in which communications took place is no longer being sustained. Today's internet is serviced by a far smaller number of very large players, each of whom appear to be assuming a very strong position within their respective markets. The drivers for such larger players tend towards risk aversion, conservatism and increased levels of control across their scope of operation. The same trends of market aggregation are now appearing in content provision, where a small number of content providers are exerting a dominant position across the entire Internet.

This changing makeup of the Internet industry has quite profound implications in terms of network neutrality, the separation of functions of carriage and service provision, investment profiles and expectations of risk and returns on infrastructure investments, and on the openness of the Internet itself.

Written by Geoff Huston, Author & Chief Scientist at APNIC

The most egregious of the paragraphs in this proposal refer to routing, naming and addressing, to wit:

(management of Identification resources)
31B 3A.2 Member States shall have equal rights to manage the Internet, including in regard to the allotment, assignment and reclamation of Internet numbering, naming, addressing and identification resources and to support for the operation and development of basic Internet infrastructure.

This is either completely meaningless or incredibly dangerous to the day to day operation of the current Internet depending on interpretation. If one considers that Member States already have "equal rights" to participate in the current Internet governance regime (some would say they have more than equal rights given the exalted position of the GAC inside ICANN), then this is redundant text that should be removed. However, a more pernicious interpretation is that the ITU would entirely replace the existing institutions that have been responsible for naming and addressing with a completely intergovernmental model.

Why they have proposed this seeming non-starter is anybody's guess, as no mechanism exists for nation states to force the naming and addressing bodies to hand over responsibilities to an intergovernmental body. In fact there are contracts, policy documents and MoU's in place that would absolutely prevent it. The authors and the ITU staff who helped edit this proposal surely know this (and if they don't know, that in itself shows willful ignorance of how the current system works).

Seemingly, some of the Arab States who saw their previous proposal to form an intergovernmental Regional Internet Registry sent to a Working Group to die a quiet death are thinking that proposing direct control of Internet numbering resources is a good second choice. ICP-2 is the document that precludes the ITU from forming their own RIR (they could actually do it if it only served Antarctica but that isn't an attractive option for the ITU), so they have proposed:

(Fundamental Right)
31F 3B.1 Member states have the right to manage all naming, numbering, addressing and identification resources used for international telecommunications/ICT services within their territories.

Not only is this a complete rejection of the current system, but it is completely unworkable idea. Say for example I have registered a .ug domain name (which I have), but the webserver is located in the USA. Is that .ug domain name used for international telecommunications/ICT services within the USA or is it used in Uganda? The answer is both, but no one would suggest that the .ug ccTLD be managed by the USA. Nevertheless, that is what 31F 3B.1 says! Another example is that Autonomous System numbers (inter-domain routing identifiers) frequently cover multiple countries or regions, so who gets to "manage them" when they are used by routers in many nations to determine where to send traffic??

In terms of routing, the proposal introduces much more unworkable ideas:

30 3.3 Operating agencies shall determine by mutual agreement which international routes are to be used. A Member State has the right to know the international route of its traffic where technically feasible.

and

MOD
1/7 1.4 In cases where one or more international routes have been established by agreement between administrations/operating agencies and where traffic is diverted unilaterally by the administration/operating agency of origin to an international route which has not been agreed with the administration/operating agency of destination,the terminal shares payable to the administration/operating agency of destination shall be the same as would have been due to it had the traffic been routed over the agreed primary route and the transit costs are borne by the administration/operating agency of origin, unless the administration/operating agency of destination is prepared to agree to a different share.

Currently routers forward packets based on economic choices made by the owner of that router. The two modifications above change that paradigm completely, giving Nation States the ability to control the choice of provider networks that packets transit. In addition, if an ISP tries to skirt these "toll booths", they still have to pay for traffic that would have transited the "agreed" network. In other words, even though a provider did not receive service from a provider, they still have to pay for services they didn't receive! This would seem counter-intuitive to most people, but when you understand that there is no mechanism built in to the current routing protocol to count traffic in this way, it enters the realm of the absurd.

Fred Baker, Adrian Farrel and Benoit Claise have written an excellent primer on routing for regulators at WCIT, which it seems none of the authors of this proposal have read. In it they conclude by saying:

"Maybe increased connectivity between ASes through IXPs will magnify the
benefits of Internet connectivity, will attract more local online business, and
provide a significant economic stimulus as larger percentages of the population
are able to get on line. Perhaps these benefits will go some way to offset the lost
revenues from the declining legacy telephone systems. What is the for sure is
that using DPI to monitor and charge VoIP calls in the same old way ... will
simply not work!"

Internet infrastructure (IXPs, submarine and other fiber builds, data centers, etc.) have developed outside of a treaty body. Internetworking is done between networks, not between Member States. Trying to retrofit the Internet to include toll-booths and points of governmental control at this point is self-defeating. During the last revision of the ITRs, revenue from international voice calls were the golden eggs laid by the telephony golden goose, but the Internet has disrupted that model to the point where the ITRs are an anachronism that is no longer of great utility. Ultimately, it will be end-user customers of the affected businesses that will pay the price for the type of folly.

Of course, some cynics suspect this "compromise text" is a tactical ploy in a much longer game, that diplomats are human and don't want to be seen as the cause of a failed international treaty conference, that the USA and its "Hands Off the Internet" allies will tire of saying "No" and eventually relent to some of their bad ideas. It's also possible that the USA will throw Russia a bone in hopes of getting their cooperation in other areas of international relations (think Syria).

This proposal shows that those who were concerned about the agenda of some ITU Member States and the Secretariat were right. They are out to take over the Internet, they just weren't honest about it. The ITU does useful work in, inter alia, spectrum and satellite slot allocation. They should stick to those tasks and if they really want to help spread the edge of the network to the billions who don't yet have access, perhaps they should focus on access issues instead of asserting intergovernmental control over things they clearly don't understand.

William S. Burroughs wrote "Paranoia is just having the right information". It turns out that the folk who have had great concerns about WCIT over the last year were not paranoid, they just had the right information.

Written by McTim, Internet policy and governance consultant

The Data (Information) Quality Act (DQA, aka IQA) sets standards for the integrity of data used by federal agencies in public information disseminations. Since cybersecurity breaches have the potential to compromise the integrity of federal data, OMB has defined the integrity provisions of the law to encompass FISMA and other federal information security policies.

Moreover, the DQA's Integrity, Objectivity and Utility requirements apply to third-party data used and relied on by federal agencies as well as to federally-generated data. In explaining the applicability of the DQA to third-party data, then Office of Information and Regulatory Affairs Administrator Graham stated, "If third-party submissions are to be used and disseminated by federal agencies, it is the responsibility of the federal government, under the Information-Quality Act, to make sure that such information meets relevant information-quality standards."

The question arises therefore, as to whether the DQA provides the federal government with the authority to issue regulations protecting the integrity of data obtained from third parties, prior to its submission to the government, given the federal responsibility of making sure that such data "meets relevant information-quality standards."

The DQA states that the "Director of the Office of Management and Budget shall...with public and Federal agency involvement, issue guidelines under sections 3504(d)(1) and 3516 of title 44, United States Code, that provide policy and procedural guidance to Federal agencies for ensuring and maximizing the quality, objectivity, utility, and integrity of information (including statistical information) disseminated by Federal agencies..."

Based on a plain reading of the text, the answer appears to be no since the law authorizes guidance to federal agencies, not regulations binding on the private sector. Although this straightforward reading of the statute may well prove to be correct, it's worth exploring the scope of OMB's authority under the Act given the two sections of the Paperwork Reduction Act (PRA) cited in the DQA. In particular, as discussed below, OMB's DQA authority needs to be understood in light of the law's interpretation by the US Court of Appeals for the DC Circuit.

44 USC 3504(d)(1), part of the US Code's Subchapter on Federal Information Policy, states that with "respect to information dissemination, the Director shall develop and oversee the implementation of policies, principles, standards, and guidelines to — (1) apply to Federal agency dissemination of public information, regardless of the form or format in which such information is disseminated;"

This section of the Code gives the Director permission to take actions with respect to virtually all information publicly disseminated by the Executive Branch. By citing 3504(d)(1), the DQA is granting the Director broad authority, on an intra-governmental level, to protect the integrity (and objectivity and utility) of data disseminated by agencies.

The other section of the Code referenced by the DQA, 3516, states that the "Director shall promulgate rules, regulations, or procedures necessary to exercise the authority provided by this subchapter." Thus, even though the DQA refers to "guidance," by utilizing section 3516 of the PRA, Congress appears to grant the Director the authority to issue binding rules and regulations to carry out the DQA, including protecting the integrity of data disseminated by agencies.

The DC Circuit Court's decision in Prime Time Int'l Co. v. Vilsack provides additional insight into the Director's authority under the DQA. In a unanimous opinion the court stated that "Congress delegated to OMB authority to develop binding guidelines implementing the IQA...." Moreover, in deferring to OMB's reasonable construction of the statue, the decision stated, "See United States v. Mead, 533 U.S. 218, 226 — 27 (2001)."

The Center for Regulatory Effectiveness (CRE), in groundbreaking analysis opined,

The citation of Mead at those particular pages is significant. The only statement by the Supreme Court in Mead that overlaps those two pages is the following: "We hold that administrative implementation of a particular statutory provision qualifies for Chevron deference when it appears that Congress delegated authority to the agency generally to make rules carrying the force of law, and that the agency interpretation claiming deference was promulgated in the exercise of that authority.” (Emphasis added)

A detailed analysis of the Prime Time decision by Multinational Legal Services, PLLC supporting CRE's statement may be found here. The MLS analysis explained that:

The Mead opinion makes clear that when an agency issues a rule that is entitled to Chevron-level deference, "any ensuing regulation is binding in the courts unless procedurally defective, arbitrary or capricious in substance, or manifestly contrary to the statute."

It is important to note that the Department of Justice, representing USDA, took exception to CRE's interpretation of the Prime Time decision. So strong was DOJ's disagreement with CRE's understanding of the opinion that they filed a Petition for a Panel Rehearing of a case they had already won, asking "the panel amend its opinion to clarify that the Court did not decide whether the Information Quality Act ("IQA") creates judicially enforceable rights." DOJ took the extraordinary step of including a printout of CRE's website as Exhibit B of their petition. The court rejected the DOJ petition.

Thus, we can see that the DQA gives OMB: 1) the duty to protect the integrity, utility and objectivity of data used in federal information disseminations; and 2) the authority to create binding rules carrying the force of law in order to fulfil its DQA duties. Moreover, we have seen that the scope of the DQA encompasses data collected by agencies from third parties that is then used in federal information disseminations.

Does this mean that the DQA gives OMB the authority to issue regulations protecting the integrity of third-party data used in federal information disseminations? Not necessarily but the issue is worthy of further analysis.

Written by Bruce Levinson, SVP, Regulatory Intervention - Center for Regulatory Effectiveness

While IPv6 is definitely the way of the future for the Internet, the sheer size of the IPv6 address pool, combined with simplified allocation policies that have deliberately reduced barriers to entry, means there are very few organizations that can't get IPv6 directly from the RIRs these days.

As a response to these changes, an APNIC policy proposal, prop-103, popped up on 9 July 2012 suggesting that there is no need for any more IP address policy development.

Early reaction to the proposal has been mixed. Some have agreed that it is pointless to play around with IPv4 policies any more; some think that IPv4 policy may still need to be changed. There is greater agreement that IPv6 policy may still need to be refined at some point in the future when there has been more experience in IPv6 deployment.

In a larger Internet governance context, however, the APNIC proposal highlights a major challenge facing the RIRs: what is their role in a post-IPv4 world?

Where will RIRs get their income?

Each RIR has a different fee structure, but broadly speaking the current RIR business model means that the majority of RIR income comes from membership fees associated to IPv4 allocations and management.

Looking forward, ISPs are likely to request far fewer allocations in IPv6 than in IPv4 due to the large size of the initial IPv6 allocations made by RIRs. The smallest allocation size, a /32, is likely to be sufficient for a significant percentage of ISPs, meaning that for RIR fee structures based on the graduated tiers of IP address holdings, most members, if judged solely on their IPv6 holdings, will be in the smallest tier. Currently, fee schedules for IPv6 address allocation and management provide a far smaller portion of RIR income, and given the above, will continue to do so, unless member fees associated with IPv6 are radically increased. Given RIRs are membership-based organizations, there is probably going to be little member support for such an increase.

As RPKI is deployed, RIRs may find it possible to turn certification into a non-insignificant source of income by charging "legacy" IPv4 address holders for certificates that regular RIR members receive for free. "Legacy" address holders, by the way, are organizations that received their IPv4 addresses before the RIRs were created, or before RIRs had member agreements that ensured members had to pay regular address maintenance fees. For a recent article on legacy addresses, see Legacy IP Addresses on Janet.

Unless RIRs make significant hikes in their IPv6 fees, or can make RPKI certification a financial success, however, the reality is that RIRs, in the next few years, will find themselves with significantly smaller incomes.

What will happen to RIR community dynamics?

RIR members and stakeholders have traditionally met and developed their sense of being an IP addressing community via RIR mailing lists and RIR meetings.

RIR meetings began for the purpose of developing policy and, to support the ability of RIR stakeholders to participate in policy making, meetings have included presentations and discussions on industry trends and practices. In a sign of the times, however, APNIC has dropped the use of "Open Policy Meeting" in favour of the policy-free title, "APNIC conference". AfriNIC and ARIN are now the only RIRs that call their meetings "Public Policy Meetings", but if the sentiments expressed by Randy Bush in his prop-103 prove true for all regions, it might only be a matter of time before these RIRs change the focus of their meetings, too.

Today, RIR meetings and mailing lists attract a mix of those who want to influence IP address policy development, those who want to understand the policies so they can successfully request resources, and those who are there to build their knowledge on the latest IP address-related industry developments.

With IPv4 becoming less important, both in terms of allocation and policy development, and with IPv6 space large enough and being governed by policies liberal enough to probably need only minor tinkering over time, will the policy-focused community members no longer be attracted to RIR discussions?

With simpler and easier to understand IPv6 policies, will RIRs also find that ISPs don't need to attend RIR training to figure out how to ask for addresses in future?

Will RIRs find themselves with a community that transforms itself to become ISP staff primarily interested in learning more about industry developments? If so, this leads to the next question:

What is the future core business of RIRs?

RFC 2050 states, "Regional Registries provide registration services as its primary function". Over time, to support this primary function, RIRs have developed a range of supporting services. However:

• A post-IPv4 world won't require the current number of trainers, help desk operators or document writers to explain the complexities of multiple-choice policies for IPv4 allocations and assignments.
• A post-IPv4 world doesn't require as many hostmasters to evaluate IP address requests, not only because IPv6 criteria are simpler and easier to meet, but also because the overwhelming majority of organizatons will never come back with an additional request for addresses. Compare that to the last 10 or so years of RIR operations, where ISPs have regularly returned with additional IPv4 requests.

Will RIRs decide that their core function, IP address management and distribution, has become a lighter function that can be met by slimmed down Secretariats?

A world in transition from IPv4 to IPv6 most probably will require more training and documentation on IPv6 deployment and dual IPv4/IPv6 networks. Will RIRs look to these as their new main activities and sources of income? Or will RIRs refocus their central functions to be RPKI certificate authorities, or expand training departments to cover a wider range of technical training (some of the RIRs already offer training courses outside the strict IP address management function that is the RIRs' current core business), or reframe RIR meetings and events as regional hubs that provide a platform for Internet operators to exchange best practices?

To place an emphasis on training services would require RIRs to compete with commercial training providers. If this is the case, the probability is that the training costs will need to be borne by those being trained, rather than being subsidized by member income, as is the case today. To place an emphasis on becoming platform for Internet operators to exchange best practices could work nicely, if RIRs work as partners with existing regional Network Operator Groups.

What does the potential change in RIR focus mean for their role in Internet governance?

If the RIRs do reframe their business models, what does this mean for their place in the Internet governance ecosystem? Currently, the five RIRs occupy an impressive three of the 10 places allocated to the academic and technical community on the IGF MAG.

The RIRs, with their traditional focus on technical policy development, have generally been able to occupy the high ground in Internet governance discussions. For example, while domain name policy and governance is seen to be open to influence from all sorts of conflicting interests (intellectual property advocates, privacy advocates, business entrepreneurs, etc.), criticism of addressing policy is less likely to be about conflicts of interest, and more likely to be about interpretation of statistical distribution of addresses (witness the debate in the recently-closed ITU IPv6 Group where some member states came to the conclusion that RIRs were failing to achieve equitable distribution while the RIRs were able to use the same statistics to conclude the opposite.) or whether something is or is not a technical trend that address policy should be changed to accommodate.

If RIRs cease to be organizations that have policy development as part of the core of their new business models, does this also change their position within the Internet governance world? Do RIRs become more like domain name registrars, focused more on resource distribution (albeit without the focus on profit)? Or, if RIRs reposition themselves to be closer in function to the Network Operator Groups (NOGs), do RIRs embrace a more NOG-like role in Internet governance? That is, NOGs seem to play a role in regional and local IGF initiatives, and similar capacity building efforts, but play little role in the larger political Internet governance sphere.

And tangentially, what happens to the ICANN Address Supporting Organization if RIRs change focus?

Could a change in RIR focus mean that they could survive a removal of IP management functions altogether?

If RIRs downsize and/or change focus, a possible side-effect is that they will lose the capacity to respond to any future attempts by other organizations to relocate IP addressing activities to another form of institution-most likely intergovernmental. (I'm not going to discuss the pros and cons of moving IP address management into an intergovernmental framework here. There has been a lot written about that already, and I'm sure more will be written in future.)

Right now, with RIRs rightly being well-known for their IP address delegation work, the notion of addressing functions being moved elsewhere seems unthinkable. Not only because the current possible alternative homes for such a function are seen as antithetical to the Internet's multistakeholder, bottom-up approach to governance, but also because to remove IP address functions from the IRs right now would be to remove the beating heart of the organizations. Without that heart, the RIRs would, right now, almost certainly not survive.

However, if the RIRs do, indeed, refocus their central activities outside pure address management, perhaps the RIRs could survive removal of addressing functions and become Regional Internet Registries of Internet technical information and practices, instead of registries of address information. And perhaps become homes for the regional NOG activities (AfNOG, NANOG, etc.).

Time for the community to discuss

Randy Bush's prop-103 touches on the most immediate change facing the RIRs: the declining role of address policy in the RIRs. The proposal has sparked off some interesting discussion on the APNIC Policy SIG mailing list. But for me, the larger discussion the RIR communities need to have is what they want the RIRs to become in a post-IPv4 world. RIR surveys have touched on this, but as we all know, there are a couple of drawbacks with surveys:

• As I learned well during a short stint working for a PR company specializing in the oil and gas industry, survey questions are often framed in ways that encourage participants to respond in ways the survey authors find favourable to their own goals.
• Surveys tend to attract a very small sample of the stakeholders, and don't necessarily reflect the true diversity of stakeholder opinions.

Like ICANN, all RIRs have sections of their meetings that encourage the open mic discussions. RIRs have mailing lists for discussion too. I hope RIR communities take the opportunity afforded by Randy Bush's proposal to starting think about what forms they'd like RIRs to take as they move towards a post-IPv4 world. After all, the RIRs are community-based organizations, and it is through the active participation of the community that the RIRs will be sustained, in whatever form RIRs may take in future.

Written by Sam Dickinson, Internet Governance Specialist

(While there is some disagreement whether broadband goes as slow as a few hundred kilobits per second, or whether true broadband only begins when we manage to deliver a clear hundred megabit carrier signal to every endpoint, here is one definition that does find pretty universal agreement — a modem over a old analogue phone circuit is definitely NOT broadband!)

The IPv6 Country Deployment – An interactive map of IPv6 deployment and number resource distributions by country. (Source: APNIC Labs)This ranking of national economies had an electrifying impact on this industry and upon public policies for broadband infrastructure in many countries. Perhaps this happened because there were some real surprises lurking in the numbers at the time. South Korea featured at the top end of the list (and still does if you equate broadband with fibre-based access services), while other countries which supposedly had an advanced domestic infrastructure for telecommunications services had surprisingly low broadband penetration rates. This caused a wealth of policy debates in many national regimes. Some countries, such as Australia, used their relatively poor ranking as part of the justification to the voters for a truly impressive public investment in a national fibre access network that would deliver very high speed data services to almost every residence in the continent. Other countries used the figures to justify widespread changes in the industry structure around the last mile copper loop, and opened up the DSL to vibrant competition, with consequent expansion of the DSL broadband service infrastructure (as happened in the United Kingdom, for example).

Regardless of the form of policy response in each country, this ranking of countries by such a simple metric as broadband penetration had a transformational impact on many national policies in this area, with its own impact on the growth of the broadband market and the consequent growth of ever-richer digital service environments. A highly capable, highly efficient domestic telecommunications infrastructure is a well recognised enabling factor for further economic growth, as the OECD has been telling us for many years.

But of course it's not all roses as we peer into the immediate future. While the growth figures of the Internet have been truly impressive in recent years, the downside is that the entirety of this growth is in IPv4 — a protocol that has unfortunately run out of addresses! Much has been written about the exhaustion of IPv4 and the pressing need for this industry to adopt IPv6, and no doubt much more will be written about this. And of course much will also be written about the risks if we get this transition wrong. If we don't manage this carefully we will surely witness the Internet stutter and fall apart on the back of a proliferation of idiosyncratic network middleware, perverse application gateways and other forms of ad hoc network intermediation devices that attempt to leap over the gap of a broken end-to-end network architecture. Lots of little Internets does not necessarily make one large Internet if we all start to use the same address pool in every little Internet. The state of the IPv6 transition is a critical item in today's public policy agenda for the Internet. Possibly even the single most important topic for today. Without a coherent address infrastructure those broadband deployments are of far lesser utility and far less valuable. Without a coherent address infrastructure all those new global top level domain names will be of far less value. Without the prospect of a single coherent capable and efficient Internet almost all the other topics around the state of telecommunications infrastructure and services will inevitably wane into petty squabbles and finger pointing about who allowed such a disaster to happen and why. If we manage to break this IPv6 transition we will inevitably break the Internet.

Perhaps a useful question to ask is: "How can we place this topic in a position of prominence in the public policy agenda at a national level?" It's been possible to bring the Internet itself to prominence within national and international policy debates, and it's been possible to highlight such issues as the state of broadband infrastructure, content distribution, service delivery quality and Internet service costs. But that's not been the case with the state of the IPv6 transition. What have they managed to do that we're missing within the IPv6 transition?

This is not a topic that is easy to highlight at a policy level: There are many aspects of this topic that are highly technical, there are many diverse views on the way to tackle this issue, and some significant levels of disagreement within the industry as to where and how to start. It seems like we keep on encountering chicken and egg scenarios everywhere we look, where one industry sector claims that it would get moving with the deployment of IPv6 services if only that other sector over there did something first. For example, access providers still claim that they would move with more speed if there was more IPv6 content, while the content providers claim that without IPv6-active customers there is little point in setting up IPv6-enabled services, and on and on and on.

We've now had a couple of IPv6 events, with "IPv6 Day" in 2011 and "IPv6 Launch" in early June of 2012. These were efforts to try and orchestrate a larger common momentum behind this transition. But in 2011 after a burst of activity just prior to the day, the rest of the year saw the activity level wane. This year was a little more positive in terms of its effects and we have seen some pronounced shifts in the use of IPv6 in some countries, notably in China and the United States. But more must be done here all over the world.

So, how can we motivate IPv6 as a subject of discourse at the level of national and international policy debates?

Perhaps if we took a leaf from the broadband infrastructure book, and started ranking countries using a metric of the per cent of their user populations that are connected with IPv6 and have a capability to use it. Maybe this metric would act as a clear indicator that some countries are indeed managing this transition very well, while others are, well to put it bluntly, lagging far behind.

At APNIC Labs we've been measuring IPv6 deployment for some time now. But we're not counting bytes or packets, and we are not counting routing advertisement for this work. And no, we are not counting DNS resource records either. What we set out to answer is very simple:

"What proportion of the Internet's users are capable of using IPv6 when offered a choice of protocols?"

Or, in other words if the true endpoint of this transition is 100% of the Internet's users actually using IPv6, how far along that path are we?

What we found is that there is a very simple way of silently and quickly testing users' IPv6 capabilities within the conventional web browser function. We started by measuring users' IPv6 capabilities when they visited certain web sites. The test was silent, non disruptive and very lightweight. The test took an exchange of some 30 IP packets, each of which were minimally-sized packets. We set up the test as one that was lightweight, simple and silent.

But unfortunately we were not really measuring the Internet — we were measuring the capabilities of visitors to certain web pages.

We had the testing technique, but the next problem was the methodology of the test rig. How do you measure the entire Internet? Obviously getting each and every user to perform a IPv6 test once a day would be wonderful, but at APNIC we just don't have a means of doing this.

We rephrased the question somewhat - how can we reach out and test a reasonably large random sample of users from across the entire Internet each and every day?

This question has a surprising answer, and it comes in the form of the online advertising delivery networks. Given the proliferation of advertiser-funded content provision these days the advertising delivery networks are now at the cutting edge of techniques that try to reach out to each and every user. And many of these ads use a programming language to deliver the content. If we were able to embed the IPv6 capability test inside a conventional advertisement, then we could use an advertising distribution network as the means of reaching out to a statistically significant proportion of the Internet's user population over time

This task has been just within our capabilities, and with the generous assistance and support of Google, the RIPE NCC, Internet Software Consortium and the Internet Society, we've managed to set up an IPv6 deployment measurement environment that tests a randomly selected set of some 1 million users per day by posing to their web browser the same simple IPv6 capability test.

That's a lot of users, and they truly are spread out all over the Internet. Is there a way to break down this Internet-wide number on a country-by country basis? Again the answer is "yes," as the IP addresses used by the end users can be geolocated to a level of countries very efficiently.

It is now possible to look at the state of IPv6 deployment on a country-by-country basis.

And the answers are surprising. Perhaps as surprising as the early broadband metrics.

Who is leading the IPv6 deployment effort? Japan? China? Slovenia? Sweden? Yes, they are all in the leading set of countries, but none of them are out in front. Who is in front? Relatively speaking, today it's Romania. Some 7.4% of that country's 8.6 million users are IPv6 capable today. That's impressive! Next is France, with some 4.0% of that countries 50 million users enabled with IPv6. In France it amy well be indicative of the efforts of a single access provider, Free, who operates in the French ISP market with a highly efficient business model that has proved popular with consumers that includes IPv6 capability bundled into their product sets. China is also up there with 1.1% of its estimated 516 million users enabled with IPv6. On absolute terms China has an estimated 5 million IPv6-enabled users, with the next largest country being the US with some 2.5 million IPv6-enabled users.

The other end of the list also contains some surprises, with the United Kingdom, who has an extremely good record in broadband deployment, showing an IPv6 deployment level of some 0.08% of their 52 million Internet users, grouped with New Zealand (0.07%), Kazakhstan (0.07%) and South Korea (0.04%).

And yes, Norway (0.52%) is truly well ahead of both Sweden (0.16%) and Denmark (0.09%) according to this form of national rankings!

The other somewhat surprising metric is that the overall Internet metric of IPv6 use is still well below 1%. Given that the supplies of available IPv4 addresses have run dry in the Asia Pacific, are about to run dry in July this year in Europe and the Middle East, and similarly we anticipate a run-down date of early in 2013 for North America, our overall state of preparedness to get this IPv6 transition underway is not looking good.

Getting this transition started is not enough — we need put it on track to be completed within the next couple of years. So perhaps the best message I can offer to Canada (0.06%), Brazil (0.03%) and Italy (0.01%) is to look very carefully at programs in Slovenia (0.76%), Switzerland (0.93%), the US (1.01%), China (1.06%), Japan(1.64%), France (3.90%) and Romania (7.28%) and get this transition moving! National pride is at stake!

The IPv6 Country Deployment Reports

• The report on IPv6 deployment levels on a country-by country basis is generated each day and published at http://labs.apnic.net/dists/v6dcc.html.

• A complete report of V6 deployment and number resource distributions by country is also published at http://labs.apnic.net/dists.

• An interactive map of this data can be found at http://labs.apnic.net.

Written by Geoff Huston, Author & Chief Scientist at APNIC

The Claim

The issue being discussed here is really all about RIR (Regional Internet Registry) Whois database accuracy. The RIR Whois databases contain the records of who holds what IP addresses, down to a level of granularity dependent on that RIRs specific policies. When law enforcement agencies like the FBI, DEA, and RCMP want to find out who was using an IP address (say to post child pornography or host an illegal prescription sales website) at a given time, they first go to Whois to determine who is responsible for the network that IP address belongs to. If everything is as it should be, Whois will provide the name (and contact info) of the responsible party. "Responsible party" in this context means the organization responsible for the network that the offending IP address belongs to. This is typically either the enterprise which holds that network directly, or the ISP who's customer is using the address. When law enforcement officials get the party directly responsible for that specific IP address from Whois, they are able to obtain and serve warrants most efficiently. In cases where Whois information is stale (out of date) or not granular enough (perhaps Whois lists the ISP of the ISP of the ISP of the person using the IP address); they must embark on a goose chase of sorts, obtaining and serving warrant after warrant as they work down the chain to the responsible party who should have been listed in Whois in the first place.

The hypothesis being presented is that IPv6 Whois information will be less accurate than IPv4 Whois information, causing more of those wild goose chases and ultimately making it harder for law enforcement to track criminals by IP address. The rationale behind this claim is basically that Internet number registrants (ISPs and others who hold AS numbers and IP addresses) only update Whois in order to receive more addresses from the RIR. Since IPv4 has been known to be an ultimately scarce resource since as far back as the early 1990s, IPv4 addresses have been handed out in relatively small chunks. This requires organizations who consume lots of addresses, like ISPs and data-centers, to come back to the RIRs and request more IPv4 addresses with great regularity. Because the RIRs will not grant addresses to organizations who are out of compliance with RIR policy, this in effect forces such organizations to keep their Whois records up to date. In the brave new world of IPv6, things have changed. Since the IPv6 addressing space is effectively some 16 million to 17 billion times larger than IPv4; RIRs are handing out IPv6 in much larger blocks, allowing these very same organizations to come back to the well much less frequently and perhaps never at all. This is great for network address planning and route aggregation but not so great for Whois database accuracy if you believe that folks only make updates in order to get more addresses.

The (Recent) History

I think we should first realize that this is not a new story. I have personally been working on this subject, often with members of the FBI and the RCMP, for around four years now. I am, by far, not the first champion of Whois accuracy, as registration requirements have been present in RIR policy since the very beginning. I have however contributed to some of the more recent reforms directly related to IPv6 and law enforcement's ability to use IP addresses and Whois to track down criminals as quickly and efficiently as possible, without infringing on anyone's individual or organizational rights. In these past four years we have seen some major "wins" for Whois database accuracy.

The first happened in the ARIN region with the adoption of draft policy 2008-7, which was eventually implemented by ARIN in the second half of 2010. This policy requires ARIN staff to conduct an annual Whois POC validation during which all POC (Point Of Contact) records in ARINs Whois database are verified via response to an email message. In the context of today's discussion, this means that every single POC in ARINs Whois is contacted and asked to make updates every year, regardless of their organizations need for more addresses. This is true for POCs associated with IPv4 and/or IPv6 records.

The second victory came with the adoption and subsequent implementation of ARIN-2010-14 in mid 2011. ARIN-2010-14 encompassed fairly sweeping changes to the ARIN policies regarding Whois data for both IPv4 and IPv6. The key reforms directly associated with criminal traceability in IPv6 were threefold: First, to require that all static IPv6 assignments to downstream organizations be recorded in Whois. Second, to define the organizational information required in Whois as; legal name, full physical address, and at least two POCs (both with a verifiable email address and phone number). Third, and perhaps most importantly, to specifically allow ARIN to conduct resource reviews if an organization fails to maintain accurate and complete Whois records (including downstream assignments to other organizations).

Most recently (and further south) we scored another win for global Whois data accuracy when the LACNIC community approved LAC-2012-02 following LACNIC XVII in May 2012. This policy was crafted based on the reforms in ARIN-2010-14 following a brief presentation I gave at the October 2011 LACNIC meeting. They key difference is that the LACNIC policy sets the boundary for downstream IPv6 assignments at /48 rather than /64. This effectively means that while ARIN policy requires all static IPv6 assignments to be recorded in Whois, in the LACNIC region only assignments of larger than a /48 prefix must be registered.

There have obviously been great strides, within the ARIN region and elsewhere, with regard to Whois data accuracy in the past few years but there has been at least one setback as well. Draft policy ARIN-2011-7 was recently abandoned by the ARIN AC after not gaining clear consensus among the ARIN community. This proposed policy change would have supplied some added clarity and additional tools to ARINs Whois data enforcement abilities.

The Current (IPv6) Situation

Perhaps even more important than tallying the recent wins and losses is understanding the current state of affairs more clearly.

The first thing to realize is that this is not just a law enforcement issue. Accurate Whois information is extremely helpful in all sorts of abuse reporting which happens directly between network operators. The very same wild goose hunts that can plague LEAs can cost Internet connected businesses substantial amounts of time and money. Not to mention the fact that knowing you can be easily identified regardless of your physical location would likely have a chilling affect on abuse in the first place.

The next thing to realize is that this is not just a U.S. or Canadian issue. Internet users (including the nefarious types) span the globe. IP addresses are used all over this planet. Five distinct Whois databases for Internet numbers are operated by the five individual RIRs representing the various regions of our world. In order to understand where we are today, we need to examine all five RIRs policy on Whois and re-assignment registration.

Working alphabetically, AFRINIC is the first RIR. AFRINIC's IPv6 policy has a section titled "5.5. Registration" which simply requires that all organizations holding IPv6 addresses must register all downstream assignments larger than a /48 in the "AFRINIC database." Their policy further states that this data will be used "to calculate the HD-Ratio at the time of application for subsequent allocation and to check for changes in assignments over time" and does not appear to have any additional auditing or 'enforcement' mechanisms in place (although they do encourage the inclusion of an abuse contact).

APNIC has a very similar registration policy to AFRINICs. Theirs is titled "5.6. Registration” and also requires all downstream assignments of /48 or larger to be "registered in an RIR/NIR database" and they also state that "RIR/NIRs will use registered data to calculate the HD-Ratio at the time of application for subsequent allocation and to check for changes in assignments over time." However, there is a key difference in the APNIC policy. "Organizations that receive an allocation from APNIC can choose whether or not their customer assignment registrations should be publicly available." So while APNIC address holders must register reassignments, that info does not have to be viewable in Whois. They do require (since late 2010) the registration of an "Incident Report Team (IRT) object for each allocation and assignment record in the APNIC Whois Database." This object provides abuse contact information.

We have discussed ARINs IPv6 registration policy already, since it was re-written by ARIN-2010-14, but to keep it simple let's cover the basics: ARINs policy states that all static IPv6 assignments of a /64 or larger must be registered publicly within 7 business days of being made. Further, these "reassignment registrations" must include the pre-defined "organizational information" of name, address, and two POCs - unless the assignment is to an individual residential customer (for privacy protection). Finally, ARIN is granted the ability to conduct a "resource review” specifically "whenever ARIN has reason to believe that an organization is not complying with reassignment policies."

LACNIC is another one that we covered above. Post-LAC-2012-2 LACNICs IPv6 policies (yet to be updated with the new text) will include a revised section "4.5.6. Registration" which states that all assignments of /48 or larger must be visible in Whois within 7 days of issue and that those registrations "must include the organization's name; address; administrative contact, technical contact, and contact in case of abuse, with their updated telephone numbers and email addresses" except again in the case of residential customers. While LACNICs policy is not as clearly specific to reassignment registrations as ARINs is, they do have a provision stating that a "breach of LACNIC policies" (presumably including registration policies) may be used as evidence to "initiate the resource recovery process."

Finally we turn to RIPE NCC, the final RIR alphabetically speaking. RIPEs IPv6 policy has a familiarly titled section "5.5 Registration," which requires quite simply: "When an organisation holding an IPv6 address allocation makes IPv6 address assignments, it must register these assignments in the appropriate RIR database." However, it does go on to qualify that assignments smaller than a /48 can be aggregated and simply indicate the "size of the individual assignments made to End Users." I am unaware of any auditing/review or 'enforcement' policies at RIPE NCC but they do allow for an optional "IRT (Incident Response Team) object."

The Other (IPv4) Side

We've taken a fairly in depth view of IPv6 Whois policy around the world, including some of the most recent reforms. But all of that is hard to judge in a vacuum. What about the other side of this comparison? If IPv6 really is (going to be) worse for tracing criminals, what is it worse than? To answer that we must take a look at IPv4 traceability. I mentioned in the opening section of this post that IPv4 Whois accuracy has benefited from the constant and frequent return of many organizations to ARIN and the other RIRs for additional addresses. There are however two major factors that work against Whois accuracy in IPv4.

One of these challenges is the "legacy" or "swamp" IPv4 address space. This problem affects folks in the ARIN region the worst, since most of this so-called legacy address space resides within the ARIN service region but there is also legacy space under the oversight of other RIRs as well. The problem with legacy space as it relates to Whois accuracy is twofold: First, legacy address holders received their assignments and/or allocations before the current RIR system was in place (that's what makes them "legacy" registrations). This is problematic because it means that many of these organizations have no relationship with their RIR. This in turn means that while "regular" address holders pay dues every year (i.e. must be in contact with the RIR at least once a year), many legacy registrants have no contact at all with any RIR. With no formal relationship ever established, there is no way for the RIR to know if the organization is still using the addresses or if they even exist at all (the annual Whois POC validation policy was created in large part to help resolve this lack of contact issue). Second, legacy allocations were made during the period of classful addressing. The effect of this that concerns us here is that many legacy allocations were far larger than what the organization truly needed at the time, thus they have never needed to come back to the RIRs for more addresses. Now, this may or may not be an impact-full issue but it certainly puts them in the same boat with IPv6 address holders from that perspective - and legacy allocations are a significant portion of the total IPv4 address space.

The other primary challenge to criminal tracing in IPv4 is the eminent exhaustion of free IPv4 addresses. This is actually causing two new phenomenon which have the potential to make IPv4 address based identification much more difficult: The emergence of CGN (Carrier Grade NAT) as an IPv4 life-extension technology and the emergence of IPv4 address transfers as a CGN avoidance technique. CGN means that multiple users share a single IP address. While not directly related to Whois data accuracy, this will make IPv4 users increasingly harder to identify and track down. The more users that are forced to share a single address, the harder identification becomes (along with other problems related to IP address reputation and port consumption, etc.). More on this challenge can be found here and (perhaps surprisingly) here. On the other hand, the transfer of IPv4 addresses will hopefully not cause too much disturbance to Whois data accuracy, and may actually improve it if done properly. Unfortunately it could also cause chaos and confusion if profiteers are able to set up even quasi-successful "alternate registries." This is a vast topic in its own right so I won't go any further here other than to say that having multiple conflicting Whois databases is obviously not a good thing for abuse reporting and law enforcement.

The Bottom Line

There are two preliminary conclusions to be drawn from all of this:

• Tracing criminals using IPv4 is no bed of roses and its getting worse.
• IPv6 Whois policies exist and they're getting stronger.

Beyond that, we can also see that coming back to get more addresses is only one touch point between address holders and the RIRs who maintain these invaluable Whois databases. Regular billing cycles and recurring Whois POC validations are two others that will actually be more efficient in IPv6 due to the absence of "legacy" registrants. Resource reviews and ultimately reclamations are another potentially effective (albeit much more drastic) tool available to the RIRs. Weigh this against the impending age of IPv4 CGN and address transfers, add in the increasingly formalized Whois registration policies, and I think we can likely agree that abuse reporting and criminal tracing based on IP address will very likely actually be better in the future with IPv6 than it is today with IPv4.

Even so, we can all help ensure that the future is much better, rather than marginally better, by continuing to reform Whois registration policies in all five regions. From my perspective as I write this, sitting at my desk where much of its current text was written, ARIN has set the benchmark for Whois policy today. One of our first steps should be to bring the other four regions policies as close to that mark as possible. Of course the reason we have five regional registries rather than one global registry is to accommodate local differences, so alignment will never be perfect, but we can continue working in the right direction. I send kudos and congratulations to the folks at LACNIC who recently did just that and I offer my assistance to folks in other regions who want to do the same.

No one and no thing is perfect though, and ARINs Whois policy is no exception. There are pieces of the failed ARIN-2011-7 that need to be resurrected and submitted again, and other pieces that need to be revisited and reconsidered. Other, new policies are likely needed as well. One of the primary areas of further exploration needs to be policy enforcement, or even better, incentivising policy compliance. While all the RIRs have policies regarding Whois data accuracy, which are likely to grow stronger over time, they lack a strong enforcement mechanism. Yes, there is the ability to revoke addresses for non-compliance, but no RIR is likely to yank addresses from hundreds or possibly thousands of innocent parties simply because their ISP failed to update downstream assignments in Whois. So how do we ensure that even the laziest of engineers at the most lackadaisical organizations always update their Whois data properly? Answering that question will not be easy but is necessary if we are to avoid imposition of solutions from above upon the Internet community (something no one wants, including the folks at the FBI). Perhaps Internet service providers can provide effective enforcement of Whois policies by peer pressure, or perhaps other mechanisms are needed. In either case I have full confidence in the many bright and capable minds now working on Internet numbering policy. Who knows, it may even be you who solves this final puzzle.

So, bottom line: Is there work still to be done? Absolutely, plenty to go around. Is IPv6 a major threat to law enforcement? No, and its only getting better.

Written by Chris Grundemann, Network Architect, Author, and Speaker

The first image shows the number of IPv6 allocations the RIPE NCC made to LIRs in each quarter, starting in 2008. (Note that the RIPE NCC started allocating IPv6 address space from 1999. For a long-term overview of IPv6 allocations, please see the earlier article on CircleID: A Look at IPv6 Allocations Since 1999.) Each year is depicted in a different colour, the last one showing the number of allocations made in Q3 2012. The Y-axis shows the number of IPv6 allocations form 0 to 500.

Figure 1: Number of IPv6 allocations made by the RIPE NCC per quarter

We saw quite an increase in the number of IPv6 allocations in the last quarter of 2010 and the first two quarters of 2011. IANA handed out its last IPv4 address blocks to the Regional Internet Registries (RIRs) in February 2011 and this seemed to have encouraged many LIRs to request IPv6 address space. After Q2 2011, the number of allocations decreased again, but it is still higher than it was before Q4 2010.

In the next image, you can see the number of IPv6 provider independent (PI) assignments the RIPE NCC made since 2009 (when the RIPE NCC started to assign IPv6 PI addresses). Again, each year is depicted in a different colour, the last one showing the number of allocations made in Q3 2012. The Y-axis shows the number of IPv6 assignments form 0 to 140.

Figure 2: Number of IPv6 PI assignments made by the RIPE NCC per quarter

You can see the same peak as in Figure 1, but after a small drop in Q3 2011, the numbers are now increasing again.

For more information, please refer to the background article on RIPE Labs: Update on IPv6 Address Distribution. This article details what affect the removal of the requirement to be multihomed had on the number of assignments and the relationship between the age of an LIR and the number of IPv6 addresses they have received.

Written by Mirjam Kuehne

The RIPE NCC became the first Regional Internet Registry in September 1992 (six months after it was set up as the secretariat for the European operators community, RIPE). During the course of 1993, the distributed IP allocation system was established in which Local Internet Registries (LIRs) received blocks of IP addresses from the RIPE NCC which were then further assigned to their customers and others who wanted to connect to the Internet.

By the end of 1993, there were 83 LIRs registered as members of the RIPE NCC. Most of these LIRs were operated by academic networks and the first commercial ISPs that started around that time in some European countries.

Now, 20 years later, 8,000 members are registered with the RIPE NCC (March 2012). The RIPE NCC's membership has been steadily growing since 1998 when it passed the 1,000-member milestone, followed by 3,000 in 2001 and 6,000 in 2008 (as you can see in the graph below).

It is interesting to note that despite the fact that IPv4 is becoming very scarce, we still see a large number of organisations join the RIPE NCC. In fact, in the first quarter of 2012, we saw the highest number of new membership applications ever. In 2011, we experienced the highest growth since the dot com bubble around the year 2000. Also, that the graph only shows the number of LIRs that were active at any point in time. It doesn't show any of the members who closed in the meantime (if we counted every registry ever opened, we would be looking at a total of over 13,000).

In the graphic below, you can see which industry area our members are from. Note that this is a self-chosen category and it is possible to choose more than one category. Organisations that provide the following services are highest on the list: service hosting, collocation and broadband. But Telecom operators, dial-up service providers and transit providers also make up a big portion of the RIPE NCC membership. There are also quite a number of government institutions are members of the RIPE NCC.

It is also interesting that currently the same six countries account for 50% of the membership, 50% of the number of IPv4 allocations and 50% of the number of IPv6 allocations in the RIPE NCC service region. For more information, please refer to the background article on RIPE Labs: RIPE NCC Membership from 80 to 8,000

Written by Mirjam Kuehne

Back when those articles were posted, the percentage of ASes announcing one or more IPv6 prefixes in the five Regional Internet Registry (RIR) service regions were approximately: APNIC 10%, RIPE NCC 8.5%, LACNIC 8.5%, AfriNIC 6% and ARIN 5%.

We looked at the progress since then. In the image below you can see the current status in all regions.

The percentage of IPv6-enabled networks has increased in all regions. Now, the percentage of ASes announcing one or more IPv6 prefixes in the RIR regions are approximately: APNIC 17%, LACNIC and RIPE NCC 14-15%, AfriNIC 11.5% and ARIN 10%.

It is interesting to note that the graphs for most regions show some flattening after a rather steep increase earlier last year (around the time the IANA allocated the last IPv4 address space to the RIRs).

We also looked at the countries with the highest IPv6 penetration worldwide. For more information and other graphs, please refer to the background article on RIPE Labs: Networks with IPv6 - One Year Later. More information about IPv6 can be found on IPv6ActNow.

Written by Mirjam Kuehne

K-root operates 18 instances; You can find a map http://k.root-servers.org/ on the RIPE NCC's website.

VisualK is a new tool that monitors the load of the K-root name server supported by each instance. It further shows load migrations between pairs of instances over time. ViskalK is one of the tools our operations staff use to monitor the health of K-root.
The image below is a screenshot of the output of the tool. Each instance of K-root is represented by two concentric circles:

• The first one, filled with colour, has a size proportional to the number of queries per second received on that instance;
• The other one, indicated by a dotted line, shows the average load over the previous 30 minutes. This is used as a reference value.

In most cases, these circles overlap. But in some cases you can see that the dotted line is much larger, for example at the root name server instance in Poznan, Poland. This means that something has changed recently: the number of queries has dropped significantly.

In the image you can also see that pairs of instances are connected by links (or "tentacles") if they are considered topologically adjacent. Links between root name server instances are generally invisible, but become active when traffic migration is detected: colour and size of the link indicate the origin and volume of traffic flow, together with bubbles pouring into the instance receiving the traffic. In our example you can see that some load has moved from the instance at NAP (in Miami, Florida) to the one located at LINX (in London, UK).

In addition, VisualK highlights unusual behaviour. Flashing arrows show load migrations between instances that are not considered adjacent. Root name server instances start to blink if their traffic load decreases significantly. The goal is to help spot unexpected changes while they are happening and to allow root name server operators to investigate what causes these changes.

For more information, please refer to the background article on RIPE Labs: VisualK — Monitoring K-root in Near Real Time

VisualK has been developed by Claudio Squarcella, intern at the RIPE NCC, in collaboration with the Compunet Lab at Roma Tre University.

Written by Daniel Karrenberg, Chief Scientist at the RIPE NCC

In April 2011, the APNIC (the Regional Internet Registry for the Asia Pacific region) started allocating from its last /8. At the RIPE NCC we did not see a big jump in IPv4 address allocations in 2011, as anticipated by some observers.

The image below shows the total amount of IPv4 address space allocated each year (calculated as /16s on the y axis). You can see that in 2011 there was a drop in the amount of IPv4 address space from the previous year, bringing it down to the level of 2008 and 2009. There was no big run on the remaining IPv4 addresses.

Note that this does not correspond with the number of requests. Especially the number of requests for /21s increased in 2011 (you can find more on this in the background article on RIPE Labs).

IPv4 is certainly running out, but there is no great rush for the last addresses as feared by some. It was all pretty much "business as usual". As we've said in the past, predicting exactly when the RIPE NCC will run out of IPv4 address space is difficult. We cannot anticipate the size of requests we'll receive.

For more information and more statistics, please refer to IPv4 Allocation Statistics in 2011 on RIPE Labs.

Written by Daniel Karrenberg, Chief Scientist at the RIPE NCC