Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread Rubens Kuhl
On Fri, Sep 16, 2022 at 12:45 PM William Herrin  wrote:
>
> On Thu, Sep 15, 2022 at 9:09 PM Rubens Kuhl  wrote:
> > On Fri, Sep 16, 2022 at 11:55 AM William Herrin  wrote:
> > > No, the best option for me right now is that I just don't participate
> > > in RPKI and the system has one less participant. And that's a shame.
> >
> > That's only true in the current environment where RPKI is only used to
> > invalidate bogus routes. When any reachability for RPKI-unknowns is
> > lost, that will change.
>
> Hi Rubens,
>
> If you want to bet me on folks ever deciding to discard RPKI-unknowns
> down in the legacy class C's I'll be happy to take your money.

I don't think people will look at even the class, and definitively not
to legacy or non-legacy partitions.
They will either drop it all, or not drop it at all.

Note that when the only IP blocks that spammers and abusers can inject
in the system are non-signed ones, those blocks will get bad
reputations pretty fast. So the legacy holders use case for RPKI might
come sooner than you think.

> Anyway, the risk/reward calculation for NOT signing the LRSA right now
> is really a no-brainer. It's just unfortunate that means I won't get
> an early start on RPKI.

Discarding RPKI-invalids is something you can do right now and that
doesn't come with a price tag. Good BCP38 and RPKI-invalid hygiene is
the thankless gift you can give to the community.


Rubens
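The exchange above turns on the difference between RPKI-invalid and RPKI-unknown routes. As an added example (not part of the original message), here is a minimal route origin validation classifier in the style of RFC 6811, run over constructed ROA data using documentation prefixes and private-use ASNs; the two policy names are hypothetical labels for "drop invalids only" and "drop invalids and unknowns".

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA payload: prefix, maxLength and authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


def validate(route_prefix: str, origin_asn: int, vrps: list) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        vrp_net = ipaddress.ip_network(vrp.prefix)
        if vrp_net.version != net.version or not net.subnet_of(vrp_net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        # A match needs the same origin AS and a prefix no longer than
        # maxLength. An AS 0 VRP covers the prefix but never matches.
        if vrp.asn != 0 and vrp.asn == origin_asn and net.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    # Covered by no VRP at all (e.g. an unsigned legacy block): not-found.
    return "invalid" if covered else "not-found"


def filter_routes(routes: list, vrps: list, policy: str) -> list:
    """Apply a hypothetical import policy and return the accepted routes."""
    if policy == "drop-invalid":
        rejected = {"invalid"}
    elif policy == "drop-invalid-and-unknown":
        rejected = {"invalid", "not-found"}
    else:
        raise ValueError("unknown policy: " + policy)
    return [r for r in routes if validate(r[0], r[1], vrps) not in rejected]


# Constructed sample data (documentation prefixes, private-use ASNs).
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("198.51.100.0/24", 24, 64501),
]
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64500),    # matches its ROA
    ("192.0.2.0/25", 64500),    # more specific than maxLength allows
    ("192.0.2.0/24", 64666),    # wrong origin AS
    ("203.0.113.0/24", 64502),  # no ROA covers it, like an unsigned legacy block
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ROUTES:
        print(prefix, "AS%d" % asn, validate(prefix, asn, SAMPLE_VRPS))
    for policy in ("drop-invalid", "drop-invalid-and-unknown"):
        print(policy, filter_routes(SAMPLE_ROUTES, SAMPLE_VRPS, policy))
```

Under the first policy the unsigned block stays reachable; under the second it is dropped along with the invalids, which is the scenario the two posters disagree about.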


Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread William Herrin
On Thu, Sep 15, 2022 at 9:09 PM Rubens Kuhl  wrote:
> On Fri, Sep 16, 2022 at 11:55 AM William Herrin  wrote:
> > No, the best option for me right now is that I just don't participate
> > in RPKI and the system has one less participant. And that's a shame.
>
> That's only true in the current environment where RPKI is only used to
> invalidate bogus routes. When any reachability for RPKI-unknowns is
> lost, that will change.

Hi Rubens,

If you want to bet me on folks ever deciding to discard RPKI-unknowns
down in the legacy class C's I'll be happy to take your money.


> But it will be too late then to join the
> system, so you just sell it for USD 50k and start using NAT.

Since I can convert to the regular ARIN RSA at any time and gain
access to RPKI the concept of "too late" doesn't really exist here.


> Just a calculation: current LRSA fee is USD 150, cap is 25 USD per
> year increase. 2X-Small is USD 500 per year, so it will take 14 years
> to reach that level. Pick your poison, NAT or LRSA.

Yah, except at some point I'll get a /48 bumping my $150/yr AS fee up
to a $250/yr service fee. Then the delta to add my legacy /23 is only
$250. In 4 years, the LRSA fee will be $250, the same amount. But
that's not the break-even point. If I wait one year, it's $250*3=$750
vs $150+$175+$200+$225=$750. I break even on the legacy fee schedule
by waiting just one year and then taking the regular annual fee.

Actually, it's a little funkier than that because my AS and /23 are
under different org ids. When I do all this, I'll have to pay the one
time $500 M fee or else in year 5 the LRSA for the /23 plus the
$250/yr for IPv6 and an AS will actually cost more than $500/yr and
will keep growing annually to $750.

Anyway, the risk/reward calculation for NOT signing the LRSA right now
is really a no-brainer. It's just unfortunate that means I won't get
an early start on RPKI.

Regards,
Bill Herrin


-- 
For hire. https://bill.herrin.us/resume/


Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread Rubens Kuhl
On Fri, Sep 16, 2022 at 11:55 AM William Herrin  wrote:
>
> On Thu, Sep 15, 2022 at 8:51 PM Rubens Kuhl  wrote:
> > On Fri, Sep 16, 2022 at 10:56 AM William Herrin  wrote:
> > > Well, I'm one of the people who'd publish RPKI records for my /23 if I
> > > had the ability to do so and I definitely would NOT pay merit $595/yr
> > > (let alone $1k or $2k) to gain that ability. YMMV but I'm willing to
> > > bet there's not enough money out there to fund it with direct user
> > > fees and even if there was, the level of participation in the presence
> > > of more than trivial user fees would be too low to be worth the
> > > effort.
> >
> > Your /23 is worth only USD 30k, so you are definitely not in a
> > position to find that affordable.
> > It seems ARIN LRSA with the current fees and caps would be the best
> > option, and that option has a time limit.
>
> No, the best option for me right now is that I just don't participate
> in RPKI and the system has one less participant. And that's a shame.

That's only true in the current environment where RPKI is only used to
invalidate bogus routes. When any reachability for RPKI-unknowns is
lost, that will change. But it will be too late then to join the
system, so you just sell it for USD 50k and start using NAT.

Just a calculation: current LRSA fee is USD 150, cap is 25 USD per
year increase. 2X-Small is USD 500 per year, so it will take 14 years
to reach that level. Pick your poison, NAT or LRSA.


Rubens





Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread William Herrin
On Thu, Sep 15, 2022 at 8:51 PM Rubens Kuhl  wrote:
> On Fri, Sep 16, 2022 at 10:56 AM William Herrin  wrote:
> > Well, I'm one of the people who'd publish RPKI records for my /23 if I
> > had the ability to do so and I definitely would NOT pay merit $595/yr
> > (let alone $1k or $2k) to gain that ability. YMMV but I'm willing to
> > bet there's not enough money out there to fund it with direct user
> > fees and even if there was, the level of participation in the presence
> > of more than trivial user fees would be too low to be worth the
> > effort.
>
> Your /23 is worth only USD 30k, so you are definitely not in a
> position to find that affordable.
> It seems ARIN LRSA with the current fees and caps would be the best
> option, and that option has a time limit.

No, the best option for me right now is that I just don't participate
in RPKI and the system has one less participant. And that's a shame.

Regards,
Bill Herrin


-- 
For hire. https://bill.herrin.us/resume/


Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread Rubens Kuhl
On Fri, Sep 16, 2022 at 10:56 AM William Herrin  wrote:
>
> On Thu, Sep 15, 2022 at 7:46 PM Rubens Kuhl  wrote:
> > Legacy holders are sitting on millions or billions worth of assets.
> > RADB USD 595 a year is pennies in comparison, and USD 1k or 2k a year
> > for the RPKI service would still be 1E-10 of the asset value.
>
> Hi Rubens,
>
> Well, I'm one of the people who'd publish RPKI records for my /23 if I
> had the ability to do so and I definitely would NOT pay merit $595/yr
> (let alone $1k or $2k) to gain that ability. YMMV but I'm willing to
> bet there's not enough money out there to fund it with direct user
> fees and even if there was, the level of participation in the presence
> of more than trivial user fees would be too low to be worth the
> effort.


Your /23 is worth only USD 30k, so you are definitely not in a
position to find that affordable.
It seems ARIN LRSA with the current fees and caps would be the best
option, and that option has a time limit.


Rubens


Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread William Herrin
On Thu, Sep 15, 2022 at 7:46 PM Rubens Kuhl  wrote:
> Legacy holders are sitting on millions or billions worth of assets.
> RADB USD 595 a year is pennies in comparison, and USD 1k or 2k a year
> for the RPKI service would still be 1E-10 of the asset value.

Hi Rubens,

Well, I'm one of the people who'd publish RPKI records for my /23 if I
had the ability to do so and I definitely would NOT pay merit $595/yr
(let alone $1k or $2k) to gain that ability. YMMV but I'm willing to
bet there's not enough money out there to fund it with direct user
fees and even if there was, the level of participation in the presence
of more than trivial user fees would be too low to be worth the
effort.

Regards,
Bill Herrin



-- 
For hire. https://bill.herrin.us/resume/


Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread Rubens Kuhl
On Fri, Sep 16, 2022 at 10:41 AM William Herrin  wrote:
>
> On Thu, Sep 15, 2022 at 7:32 PM Rubens Kuhl  wrote:
> > On Fri, Sep 16, 2022 at 9:46 AM William Herrin  wrote:
> > > On Thu, Sep 15, 2022 at 4:07 PM Randy Bush  wrote:
> > > > > You could try suggesting IANA/PTI/ICANN to have a different RPKI trust
> > > > > anchor and provide such services to legacy block holders.
> > > >
> > > > the rpki design cabal assumed the iana would be the rpki root.  rir
> > > > power players blocked that.  so each rir is 0/0.  brilliant, eh?
> > >
> > > Which means that all you'd need is a volunteer group with "street
> > > cred" to set up an RPKI for legacy holders and then convince folks to
> > > use their trust anchor too. Or have I missed something?
> >
> > Merit, perhaps ?
> >
> > But they would need to do a much stricter validation than they
> > currently have in RADB, which is more like Sledgehammer motto "Trust
> > me, I know what I'm doing".
>
> Hi Rubens,
>
> Last I checked, Merit was -really- expensive for RADB. I don't really
> see getting more than about 5 figures total per year out of the legacy
> registrants for RPKI, if that much. I think it'd have to be a
> volunteer effort or something funded by someone who finds it to their
> advantage that the legacy registrants publish RPKI records. Like the
> way Letsencrypt is funded.


Legacy holders are sitting on millions or billions worth of assets.
RADB USD 595 a year is pennies in comparison, and USD 1k or 2k a year
for the RPKI service would still be 1E-10 of the asset value.

Rubens


Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread William Herrin
On Thu, Sep 15, 2022 at 7:32 PM Rubens Kuhl  wrote:
> On Fri, Sep 16, 2022 at 9:46 AM William Herrin  wrote:
> > On Thu, Sep 15, 2022 at 4:07 PM Randy Bush  wrote:
> > > > You could try suggesting IANA/PTI/ICANN to have a different RPKI trust
> > > > anchor and provide such services to legacy block holders.
> > >
> > > the rpki design cabal assumed the iana would be the rpki root.  rir
> > > power players blocked that.  so each rir is 0/0.  brilliant, eh?
> >
> > Which means that all you'd need is a volunteer group with "street
> > cred" to set up an RPKI for legacy holders and then convince folks to
> > use their trust anchor too. Or have I missed something?
>
> Merit, perhaps ?
>
> But they would need to do a much stricter validation than they
> currently have in RADB, which is more like Sledgehammer motto "Trust
> me, I know what I'm doing".

Hi Rubens,

Last I checked, Merit was -really- expensive for RADB. I don't really
see getting more than about 5 figures total per year out of the legacy
registrants for RPKI, if that much. I think it'd have to be a
volunteer effort or something funded by someone who finds it to their
advantage that the legacy registrants publish RPKI records. Like the
way Letsencrypt is funded.

Regards,
Bill Herrin


-- 
For hire. https://bill.herrin.us/resume/


Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread Rubens Kuhl
On Fri, Sep 16, 2022 at 9:46 AM William Herrin  wrote:
>
> On Thu, Sep 15, 2022 at 4:07 PM Randy Bush  wrote:
> > > You could try suggesting IANA/PTI/ICANN to have a different RPKI trust
> > > anchor and provide such services to legacy block holders.
> >
> > the rpki design cabal assumed the iana would be the rpki root.  rir
> > power players blocked that.  so each rir is 0/0.  brilliant, eh?
>
> Which means that all you'd need is a volunteer group with "street
> cred" to set up an RPKI for legacy holders and then convince folks to
> use their trust anchor too. Or have I missed something?

Merit, perhaps ?

But they would need to do a much stricter validation than they
currently have in RADB, which is more like Sledgehammer motto "Trust
me, I know what I'm doing".


Rubens


Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread William Herrin
On Thu, Sep 15, 2022 at 4:07 PM Randy Bush  wrote:
> > You could try suggesting IANA/PTI/ICANN to have a different RPKI trust
> > anchor and provide such services to legacy block holders.
>
> the rpki design cabal assumed the iana would be the rpki root.  rir
> power players blocked that.  so each rir is 0/0.  brilliant, eh?

Which means that all you'd need is a volunteer group with "street
cred" to set up an RPKI for legacy holders and then convince folks to
use their trust anchor too. Or have I missed something?

Regards,
Bill Herrin

-- 
For hire. https://bill.herrin.us/resume/


Re: [External] Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 20

2022-09-15 Thread John Curran

On 15 Sep 2022, at 9:29 PM, Tom Krenn via NANOG <nanog@nanog.org> wrote:

> An interesting idea, but like others have said I think the ship may have sailed
> for RPKI. Really I have no problem with the ARIN fees. They are a drop in the
> bucket for most network budgets. In fact as a legacy holder I would gladly pay
> the same as an RIR-allocated resource holder if it would allow the use of the
> more advanced services. It's the ownership question and RSA/LRSA language that
> throws the wrench in everything.
>
> As John said "I will note that ARIN’s approach is the result of aiming for a
> different target – that more specifically being the lowest possible fees
> administered on an equitable basis for _all resource holders_ in the region.".
> If that's the goal, give us the option to pay the same without all the legal
> mess around signing the RSA/LRSA. I'm sure that's what has been holding some
> organizations back for the couple decades mentioned. It has been the major
> stumbling point for a few of the ones I've been part of over the years.

Tom -

Over the years, ARIN has made several revisions to the RSA/LRSA to make it both 
clearer and more customer friendly,
and the most recent version (announced earlier this week - 
) strikes
much of the language in section 7 that some legal teams had objection to…   It 
is likely not everything you want, but I
would suggest taking a fresh look at it as it was substantially reduced 
specifically to address the most cited customer
concern regarding the legal obligations in the prior version of the RSA/LRSA.

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers




RE: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread Tom Krenn via NANOG
An interesting idea, but like others have said I think the ship may have sailed 
for RPKI. Really I have no problem with the ARIN fees. They are a drop in the 
bucket for most network budgets. In fact as a legacy holder I would gladly pay 
the same as an RIR-allocated resource holder if it would allow the use of the 
more advanced services. It's the ownership question and RSA/LRSA language that 
throws the wrench in everything.

As John said "I will note that ARIN’s approach is the result of aiming for a 
different target – that more specifically being the lowest possible fees 
administered on an equitable basis for _all resource holders_ in the region.". 
If that's the goal, give us the option to pay the same without all the legal 
mess around signing the RSA/LRSA. I'm sure that's what has been holding some 
organizations back for the couple decades mentioned. It has been the major 
stumbling point for a few of the ones I've been part of over the years.

Tom Krenn
Network Architect
Enterprise Architecture - Information Technology




-Original Message-
From: Rubens Kuhl 
Sent: Thursday, September 15, 2022 5:56 PM
To: Tom Krenn 
Cc: John Curran ; John Gilmore ; North 
American Network Operators' Group 
Subject: Re: [External] Re: Normal ARIN registration service fees for LRSA 
entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the 
Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 2023)

You could try suggesting IANA/PTI/ICANN to have a different RPKI trust anchor 
and provide such services to legacy block holders. As you mentioned, that would 
probably have a price tag attached to it to cover the costs for such 
operations, but a contract could stay away from ownership issues and not either 
say the blocks are yours or that the blocks could be taken from you. Pay for 
the services, get RPKI; don't pay them, RPKI ROAs expire.

I have a feeling that the recurring cost would be higher than using the scale 
that the RIR system has in providing those services, and that doing 
RIR-shopping (like what was already suggested here, moving the resources to 
RIPE) is simpler and more cost effective. But this would at least expose the 
real costs without making the RIR-allocated resource holders subsidize legacy 
resource holders, which is the good thing I see in the direction ARIN is going.

Rubens

On Fri, Sep 16, 2022 at 5:18 AM Tom Krenn via NANOG  wrote:
>
> Speaking from the enterprise / end site perspective I would bet there are a 
> lot of legacy holders that other than maybe updating their reverse DNS 
> records once or twice haven’t looked at ARIN policies or their allocation 
> since the late 1980s. In most cases there really is not strong technical 
> reason to, the stuff just keeps working.
>
> We are put in kind of an awkward place by the current policies. On one
> hand some of us would like to be good Internet citizens and implement
> things like IRR and RPKI for our resources to help the larger
> community. But show the RSA/LRSA to your lawyers with the
> justification that "I would like to implement RPKI, but everything
> will keep working even if we don't." You can bet they will never jump
> on board. On one hand there is a push from ARIN and the larger
> community to use these advanced services, but on the other hand the
> fees and risk far outweigh the benefits. (Heck the fees aren’t even
> that big of a deal, just the risk of losing control of our legacy
> allocations.)
>
> Tom Krenn
> Network Architect
> Enterprise Architecture - Information Technology
>
>
>
>
> -Original Message-
> From: NANOG  On Behalf
> Of John Curran
> Sent: Thursday, September 15, 2022 3:35 PM
> To: John Gilmore 
> Cc: North American Network Operators' Group 
> Subject: [External] Re: Normal ARIN registration service fees for LRSA
> entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of
> the Legacy Fee Cap for New LRSA Entrants Ending as of 31 December
> 2023)
>
> CAUTION: This email was sent from outside of Hennepin County. Unless you 
> recognize the sender and know the content, do not click links or open 
> attachments.
>
> John -
>
> Your summary is not inaccurate; I will note that ARIN’s approach is the 
> result of aiming for a different target – that more specifically being the 
> lowest possible fees administered on an equitable basis for _all resource 
> holders_ in the region.
>
> For more than two decades legacy resource holders have been provided the 
> opportunity to normalize their relations with ARIN by entry into an LRSA - 
> thus receiving the same services on the same terms and conditions as all 
> others in the region (and also with a favorable fee cap applied to their 
> total annual registry fees.)  While many folks have taken advantage of that 
> offer over the years, it’s quite possible that all of those interested have 
> already considered the matter and hence going forward we are returning to the 
> refrain of the entire community in 

Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread Rubens Kuhl
On Fri, Sep 16, 2022 at 7:07 AM Randy Bush  wrote:
>
> > You could try suggesting IANA/PTI/ICANN to have a different RPKI trust
> > anchor and provide such services to legacy block holders.
>
> the rpki design cabal assumed the iana would be the rpki root.  rir
> power players blocked that.  so each rir is 0/0.  brilliant, eh?

I'm not fond of that decision either, but at this point it is how it
is. We already have the operation of inter-RIR reverse DNS
synchronization since each /8 is not single-RIR anymore, and I believe
a similar mechanism could have allowed for a single RPKI root.

But I note that the 0/0 trust anchors preceded IANA transition to PTI,
and that even after the transition, we still have an organization that
doesn't have jurisdictional immunity in the US to prevent possible
petty challenges to the system. So the world at large still benefits
from the multiple trust anchor design, when all trade-offs are
accounted for.


Rubens


Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread Randy Bush
> You could try suggesting IANA/PTI/ICANN to have a different RPKI trust
> anchor and provide such services to legacy block holders.

the rpki design cabal assumed the iana would be the rpki root.  rir
power players blocked that.  so each rir is 0/0.  brilliant, eh?

randy


Re: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread Rubens Kuhl
You could try suggesting IANA/PTI/ICANN to have a different RPKI trust
anchor and provide such services to legacy block holders. As you
mentioned, that would probably have a price tag attached to it to
cover the costs for such operations, but a contract could stay away
from ownership issues and not either say the blocks are yours or that
the blocks could be taken from you. Pay for the services, get RPKI;
don't pay them, RPKI ROAs expire.

I have a feeling that the recurring cost would be higher than using
the scale that the RIR system has in providing those services, and
that doing RIR-shopping (like what was already suggested here, moving
the resources to RIPE) is simpler and more cost effective. But this
would at least expose the real costs without making the RIR-allocated
resource holders subsidize legacy resource holders, which is the good
thing I see in the direction ARIN is going.

Rubens

On Fri, Sep 16, 2022 at 5:18 AM Tom Krenn via NANOG  wrote:
>
> Speaking from the enterprise / end site perspective I would bet there are a 
> lot of legacy holders that other than maybe updating their reverse DNS 
> records once or twice haven’t looked at ARIN policies or their allocation 
> since the late 1980s. In most cases there really is not strong technical 
> reason to, the stuff just keeps working.
>
> We are put in kind of an awkward place by the current policies. On one hand 
> some of us would like to be good Internet citizens and implement things like 
> IRR and RPKI for our resources to help the larger community. But show the 
> RSA/LRSA to your lawyers with the justification that "I would like to 
> implement RPKI, but everything will keep working even if we don't." You can 
> bet they will never jump on board. On one hand there is a push from ARIN and 
> the larger community to use these advanced services, but on the other hand 
> the fees and risk far outweigh the benefits. (Heck the fees aren’t even that 
> big of a deal, just the risk of losing control of our legacy allocations.)
>
> Tom Krenn
> Network Architect
> Enterprise Architecture - Information Technology
>
>
>
>
> -Original Message-
> From: NANOG  On Behalf Of John 
> Curran
> Sent: Thursday, September 15, 2022 3:35 PM
> To: John Gilmore 
> Cc: North American Network Operators' Group 
> Subject: [External] Re: Normal ARIN registration service fees for LRSA 
> entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the 
> Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 2023)
>
> John -
>
> Your summary is not inaccurate; I will note that ARIN’s approach is the 
> result of aiming for a different target – that more specifically being the 
> lowest possible fees administered on an equitable basis for _all resource 
> holders_ in the region.
>
> For more than two decades legacy resource holders have been provided the 
> opportunity to normalize their relations with ARIN by entry into an LRSA - 
> thus receiving the same services on the same terms and conditions as all 
> others in the region (and also with a favorable fee cap applied to their 
> total annual registry fees.)  While many folks have taken advantage of that 
> offer over the years, it’s quite possible that all of those interested have 
> already considered the matter and hence going forward we are returning to the 
> refrain of the entire community in seeking the lowest fees applied equitably 
> to all in the region.
>
> As we’ve recently added more advanced services that may be of interest to 
> many in the community (RPKI and authenticated IRR) and also have just made a 
> favorable simplification to the RSA in section 7 (an area that has been 
> problematic for some organizations in the past), it is important that ARIN 
> not subset availability of the legacy fee cap without significant notice, as 
> there may be a few folks out there who were unaware of LRSA with fee cap 
> availability and/or haven’t recently taken a look at the various tradeoffs.
>
> In any case, legacy resource holders who don’t care for these advanced 
> services (whose development and maintenance is paid for by the ARIN 
> community) can simply continue to maintain their legacy resources in the ARIN 
> registry.  They do not have to do anything, as ARIN is continuing to provide 
> basic registration services to the thousands of non-contracted legacy 
> resource holders (including online updates to your resources, reverse DNS 
> services,
> etc.) without fee or contract.
>
> Thanks!
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
> > On 15 Sep 2022, at 3:41 PM, John Gilmore  wrote:
> >
> > John Curran wrote:
> >>> We strongly encourage all legacy resource holders who have not yet
> >>> signed an LRSA to cover their legacy resources to
> >
> > Randy Bush  wrote:
> 

Re: Contact info for Level 3 CDN GeoIP

2022-09-15 Thread Josh Luthman
Did you check these services?

https://thebrotherswisp.com/index.php/geo-and-vpn/

On Wed, Sep 14, 2022 at 6:34 PM Christopher Munz-Michielin <
christop...@ve7alb.ca> wrote:

> Hey All,
>
> For my dayjob I help run an Anycast DNS network and we've recently had
> complaints from our users in the APAC region that sites using Level 3's
> CDN have poor performance.  Upon looking into this, it seems that they
> (Level 3) have incorrect geolocation data for some of our Singapore
> servers and are returning IPs for CDN servers in Australia.  I've
> validated the WHOIS information for the blocks in question is correct,
> and every GeoIP site I check against comes back as Singapore, so this
> must be some internal database.
>
> I've tried emailing the whois contact, as well as the technical contact
> for the domain footprint.net but have yet to receive a response.  Wonder
> if anyone else has been able to get in touch with the CDN people at Level
> 3?
>
> Cheers!
> Chris
>
>


RE: [External] Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 Decembe

2022-09-15 Thread Tom Krenn via NANOG
Speaking from the enterprise / end site perspective I would bet there are a lot 
of legacy holders that other than maybe updating their reverse DNS records once 
or twice haven’t looked at ARIN policies or their allocation since the late 
1980s. In most cases there really is not strong technical reason to, the stuff 
just keeps working.

We are put in kind of an awkward place by the current policies. On one hand 
some of us would like to be good Internet citizens and implement things like 
IRR and RPKI for our resources to help the larger community. But show the 
RSA/LRSA to your lawyers with the justification that "I would like to implement 
RPKI, but everything will keep working even if we don't." You can bet they will 
never jump on board. On one hand there is a push from ARIN and the larger 
community to use these advanced services, but on the other hand the fees and 
risk far outweigh the benefits. (Heck the fees aren’t even that big of a deal, 
just the risk of losing control of our legacy allocations.)

Tom Krenn
Network Architect
Enterprise Architecture - Information Technology




-Original Message-
From: NANOG  On Behalf Of John 
Curran
Sent: Thursday, September 15, 2022 3:35 PM
To: John Gilmore 
Cc: North American Network Operators' Group 
Subject: [External] Re: Normal ARIN registration service fees for LRSA entrants 
after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap 
for New LRSA Entrants Ending as of 31 December 2023)

John -

Your summary is not inaccurate; I will note that ARIN’s approach is the result 
of aiming for a different target – that more specifically being the lowest 
possible fees administered on an equitable basis for _all resource holders_ in 
the region.

For more than two decades legacy resource holders have been provided the 
opportunity to normalize their relations with ARIN by entry into an LRSA - thus 
receiving the same services on the same terms and conditions as all others in 
the region (and also with a favorable fee cap applied to their total annual 
registry fees.)  While many folks have taken advantage of that offer over the 
years, it’s quite possible that all of those interested have already considered 
the matter and hence going forward we are returning to the refrain of the 
entire community in seeking the lowest fees applied equitably to all in the 
region.

As we’ve recently added more advanced services that may be of interest to many 
in the community (RPKI and authenticated IRR) and also have just made a 
favorable simplification to the RSA in section 7 (an area that has been 
problematic for some organizations in the past), it is important that ARIN not 
subset availability of the legacy fee cap without significant notice, as there 
may be a few folks out there who were unaware of LRSA with fee cap 
availability and/or haven’t recently taken a look at the various tradeoffs.

In any case, legacy resource holders who don’t care for these advanced services 
(whose development and maintenance is paid for by the ARIN community) can 
simply continue to maintain their legacy resources in the ARIN registry.  They 
do not have to do anything, as ARIN is continuing to provide basic registration 
services to the thousands of non-contracted legacy resource holders (including 
online updates to your resources, reverse DNS services, etc.) without fee or
contract.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

> On 15 Sep 2022, at 3:41 PM, John Gilmore  wrote:
>
> John Curran wrote:
>>> We strongly encourage all legacy resource holders who have not yet
>>> signed an LRSA to cover their legacy resources to
>
> Randy Bush  wrote:
>> consult a competent lawyer before signing an LRSA
>
> Amen to that.  ARIN's stance on legacy resources has traditionally
> been that ARIN would prefer to charge you annually for them, and then
> "recover" them (take them away from you) if you ever stop paying, or
> if they ever decide that you are not using them wisely.  If you once
> agree to an ARIN contract, your resources lose their "legacy" status
> and you become just another sharecropper subject to ARIN's future
> benevolence or lack thereof.
>
> The change recently announced by John Curran will make the situation
> very slightly worse, by making ARIN's annual fees for legacy resources
> changeable at their option, instead of being capped by contract.  ARIN
> management could have changed their offer to be better, if they wanted
> to attract legacy users, but they made an explicit choice to do the
> opposite.
>
> By contrast, RIPE has developed a much more welcoming stance on legacy
> resources, including:
>
>  *  retaining the legacy status of resources after a transfer or sale
>  *  allowing resources to be registered without paying annual fees to 

RE: iCloud/Apple Mail contact.

2022-09-15 Thread Nathan Anderson
Did you ever manage to find out who at Apple to speak to about getting things
added to or changed in this database?

Quite irritating how there is zero public-facing information about this.  Also,
an Apple employee authored RFC 6186, yet they don't implement it??

-- Nathan

From: NANOG [mailto:nanog-bounces+nathana=fsr@nanog.org] On Behalf Of Matt
Hohman
Sent: Wednesday, July 20, 2022 10:28 AM
To: nanog@nanog.org
Cc: Jonathan Dukes
Subject: iCloud/Apple Mail contact.

Hello,

Looking for an iCloud/Apple admin to contact me off list.

I’ve exhausted all the usual support channels on this one and some of the
responses have been quite comical.

Background:

Every time you set up an email account in Apple Mail it will check the domain
entered against a database of email server settings and conveniently autofill
those settings.

10 or so years ago we reached out to our business contact at Apple to set up
email server auto discovery for our domain. Over the last decade our contact
has left and any attempts to reach Apple to get this info updated have been
fruitless. The autofilled info now points to a long dead email server.

Thanks,
Matt Hohman
Technical Director
New Heights Foundation



Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 2023)

2022-09-15 Thread John Curran
On 15 Sep 2022, at 4:45 PM, Gary E. Miller  wrote:
> 
> On Thu, 15 Sep 2022 20:34:43 +
> John Curran  wrote:
> 
>> In any case, legacy resource holders who don’t care for these
>> advanced services (whose development and maintenance is paid for by
>> the ARIN community) can simply continue to maintain their legacy
>> resources in the ARIN registry.  They do not have to do anything, as
>> ARIN is continuing to provide basic registration services to the
>> thousands of non-contracted legacy resource holders (including online
>> updates to your resources, reverse DNS services, etc.) without fee or
>> contract.
> 
> Not been my experience.

Gary -

We do have some cases where folks have difficulty demonstrating that the
resources were issued to them (and/or have disputes between parties over who
is the actual rights holder), but otherwise you should be able to create an
ARIN Online account and administer ARIN services for the address block
without any agreement - see
https://www.arin.net/resources/guide/legacy/services/ for details.   The
intent is that legacy resource holders receive the same registry services
(w/o fee or contract) as they did before ARIN’s inception.

If you’ve got a situation where you believe that has not been the case, reach
out to our Registration Services Helpdesk, and if that fails, reach out to
me and provide a reference to the appropriate ARIN ticket(s) so that I can
review.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers








Ziply Fiber contact

2022-09-15 Thread Jay Hennigan
Is there someone from Ziply Fiber in the PNW here who can contact me 
offlist?


Thanks!

--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 2023)

2022-09-15 Thread Gary E. Miller
Yo John!

On Thu, 15 Sep 2022 20:34:43 +
John Curran  wrote:

> In any case, legacy resource holders who don’t care for these
> advanced services (whose development and maintenance is paid for by
> the ARIN community) can simply continue to maintain their legacy
> resources in the ARIN registry.  They do not have to do anything, as
> ARIN is continuing to provide basic registration services to the
> thousands of non-contracted legacy resource holders (including online
> updates to your resources, reverse DNS services, etc.) without fee or
> contract. 

Not been my experience.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin




Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 2023)

2022-09-15 Thread John Curran
NANOGers - 

My bad – one typo in the message that follows; it should read “… it is 
important that ARIN not _sunset_ availability of the legacy fee cap …” (NOT 
subset, subnet, subject, etc.)

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers


> On 15 Sep 2022, at 4:34 PM, John Curran  wrote:
> 
> John - 
> 
> Your summary is not inaccurate; I will note that ARIN’s approach is the 
> result of aiming for 
> a different target – that more specifically being the lowest possible fees 
> administered on an 
> equitable basis for _all resource holders_ in the region. 
> 
> For more than two decades legacy resource holders have been provided the 
> opportunity to 
> normalize their relations with ARIN by entry into an LRSA - thus receiving 
> the same services
> on the same terms and conditions as all others in the region (and also with a 
> favorable fee cap 
> applied to their total annual registry fees.)  While many folks have taken 
> advantage of that
> offer over the years, it’s quite possible that all of those interested have 
> already considered 
> the matter and hence going forward we are returning to the refrain of the 
> entire community 
> in seeking the lowest fees applied equitably to all in the region. 
> 
> As we’ve recently added more advanced services that may be of interest to 
> many in the 
> community (RPKI and authenticated IRR) and also have just made a favorable 
> simplification 
> to the RSA in section 7 (an area that has been problematic for some 
> organizations in the past), 
> it is important that ARIN not subset availability of the legacy fee cap 
> without significant notice, 
> as there may be a few folks out there who were unaware of LRSA with fee cap 
> availability 
> and/or haven’t recently taken a look at the various tradeoffs. 
> 
> In any case, legacy resource holders who don’t care for these advanced 
> services (whose
> development and maintenance is paid for by the ARIN community) can simply 
> continue to 
> maintain their legacy resources in the ARIN registry.  They do not have to do 
> anything, as
> ARIN is continuing to provide basic registration services to the thousands of 
> non-contracted 
> legacy resource holders (including online updates to your resources, reverse 
> DNS services, 
> etc.) without fee or contract. 
> 
> Thanks! 
> /John
> 
> John Curran
> President and CEO
> American Registry for Internet Numbers
> 
>> On 15 Sep 2022, at 3:41 PM, John Gilmore  wrote:
>> 
>> John Curran wrote:
>>>> We strongly encourage all legacy resource holders who have not yet
>>>> signed an LRSA to cover their legacy resources to
>> 
>> Randy Bush  wrote:
>>> consult a competent lawyer before signing an LRSA
>> 
>> Amen to that.  ARIN's stance on legacy resources has traditionally been
>> that ARIN would prefer to charge you annually for them, and then
>> "recover" them (take them away from you) if you ever stop paying, or if
>> they ever decide that you are not using them wisely.  If you once agree
>> to an ARIN contract, your resources lose their "legacy" status and you
>> become just another sharecropper subject to ARIN's future benevolence or
>> lack thereof.
>> 
>> The change recently announced by John Curran will make the situation
>> very slightly worse, by making ARIN's annual fees for legacy resources
>> changeable at their option, instead of being capped by contract.  ARIN
>> management could have changed their offer to be better, if they wanted
>> to attract legacy users, but they made an explicit choice to do the
>> opposite.
>> 
>> By contrast, RIPE has developed a much more welcoming stance on legacy
>> resources, including:
>> 
>> *  retaining the legacy status of resources after a transfer or sale
>> *  allowing resources to be registered without paying annual fees to RIPE
>>    (merely paying a one-time transaction fee), so that later non-payment
>>    of annual fees can't be used as an excuse to steal the resources.
>> *  agreeing that RIPE members will keep all their legacy resources even if
>>    they later cease to be RIPE members
>> 
>> You are within the RIPE service area if your network touches Europe,
>> northern Asia, or Greenland.  This can be as simple as having a rented
>> or donated server located in Europe, or as complicated as running a
>> worldwide service provider.  If you have a presence there, you can
>> transfer your worldwide resources out from under ARIN policies and put
>> them under RIPE's jurisdiction instead.
>> 
>> Moving to RIPE is not an unalloyed good; Europeans invented bureaucracy,
>> and RIPE pursues it with vigor.  And getting the above treatment may
>> require firmly asserting to RIPE that you want it, rather than accepting
>> the defaults.  But their motives are more benevolent than ARIN's toward
>> legacy resource holders; RIPE honestly seems to want to gather in legacy
>> resource holders, either as RIPE members or not, without reducing any of
>> the holders' rights 

Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 2023)

2022-09-15 Thread John Curran
John - 

Your summary is not inaccurate; I will note that ARIN’s approach is the result
of aiming for a different target – that more specifically being the lowest
possible fees administered on an equitable basis for _all resource holders_ in
the region.

For more than two decades legacy resource holders have been provided the
opportunity to normalize their relations with ARIN by entry into an LRSA - thus
receiving the same services on the same terms and conditions as all others in
the region (and also with a favorable fee cap applied to their total annual
registry fees.)  While many folks have taken advantage of that offer over the
years, it’s quite possible that all of those interested have already considered
the matter and hence going forward we are returning to the refrain of the
entire community in seeking the lowest fees applied equitably to all in the
region.

As we’ve recently added more advanced services that may be of interest to many
in the community (RPKI and authenticated IRR) and also have just made a
favorable simplification to the RSA in section 7 (an area that has been
problematic for some organizations in the past), it is important that ARIN not
subset availability of the legacy fee cap without significant notice, as there
may be a few folks out there who were unaware of LRSA with fee cap
availability and/or haven’t recently taken a look at the various tradeoffs.

In any case, legacy resource holders who don’t care for these advanced services
(whose development and maintenance is paid for by the ARIN community) can
simply continue to maintain their legacy resources in the ARIN registry.  They
do not have to do anything, as ARIN is continuing to provide basic registration
services to the thousands of non-contracted legacy resource holders (including
online updates to your resources, reverse DNS services, etc.) without fee or
contract.

Thanks! 
/John

John Curran
President and CEO
American Registry for Internet Numbers

> On 15 Sep 2022, at 3:41 PM, John Gilmore  wrote:
> 
> John Curran wrote:
>>> We strongly encourage all legacy resource holders who have not yet
>>> signed an LRSA to cover their legacy resources to
> 
> Randy Bush  wrote:
>> consult a competent lawyer before signing an LRSA
> 
> Amen to that.  ARIN's stance on legacy resources has traditionally been
> that ARIN would prefer to charge you annually for them, and then
> "recover" them (take them away from you) if you ever stop paying, or if
> they ever decide that you are not using them wisely.  If you once agree
> to an ARIN contract, your resources lose their "legacy" status and you
> become just another sharecropper subject to ARIN's future benevolence or
> lack thereof.
> 
> The change recently announced by John Curran will make the situation
> very slightly worse, by making ARIN's annual fees for legacy resources
> changeable at their option, instead of being capped by contract.  ARIN
> management could have changed their offer to be better, if they wanted
> to attract legacy users, but they made an explicit choice to do the
> opposite.
> 
> By contrast, RIPE has developed a much more welcoming stance on legacy
> resources, including:
> 
>  *  retaining the legacy status of resources after a transfer or sale
>  *  allowing resources to be registered without paying annual fees to RIPE
>     (merely paying a one-time transaction fee), so that later non-payment
>     of annual fees can't be used as an excuse to steal the resources.
>  *  agreeing that RIPE members will keep all their legacy resources even if
>     they later cease to be RIPE members
> 
> You are within the RIPE service area if your network touches Europe,
> northern Asia, or Greenland.  This can be as simple as having a rented
> or donated server located in Europe, or as complicated as running a
> worldwide service provider.  If you have a presence there, you can
> transfer your worldwide resources out from under ARIN policies and put
> them under RIPE's jurisdiction instead.
> 
> Moving to RIPE is not an unalloyed good; Europeans invented bureaucracy,
> and RIPE pursues it with vigor.  And getting the above treatment may
> require firmly asserting to RIPE that you want it, rather than accepting
> the defaults.  But their motives are more benevolent than ARIN's toward
> legacy resource holders; RIPE honestly seems to want to gather in legacy
> resource holders, either as RIPE members or not, without reducing any of
> the holders' rights or abilities.  I commend them for that.
> 
> Other RIRs may have other good or bad policies about legacy resource
> holders.  As Randy proposed, consult a lawyer competent in legacy domain
> registration issues before making any changes.
> 
>   John



Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 2023)

2022-09-15 Thread John Gilmore
John Curran wrote:
> > We strongly encourage all legacy resource holders who have not yet
> > signed an LRSA to cover their legacy resources to

Randy Bush  wrote:
> consult a competent lawyer before signing an LRSA

Amen to that.  ARIN's stance on legacy resources has traditionally been
that ARIN would prefer to charge you annually for them, and then
"recover" them (take them away from you) if you ever stop paying, or if
they ever decide that you are not using them wisely.  If you once agree
to an ARIN contract, your resources lose their "legacy" status and you
become just another sharecropper subject to ARIN's future benevolence or
lack thereof.

The change recently announced by John Curran will make the situation
very slightly worse, by making ARIN's annual fees for legacy resources
changeable at their option, instead of being capped by contract.  ARIN
management could have changed their offer to be better, if they wanted
to attract legacy users, but they made an explicit choice to do the
opposite.

By contrast, RIPE has developed a much more welcoming stance on legacy
resources, including:

  *  retaining the legacy status of resources after a transfer or sale
  *  allowing resources to be registered without paying annual fees to RIPE
     (merely paying a one-time transaction fee), so that later non-payment
     of annual fees can't be used as an excuse to steal the resources.
  *  agreeing that RIPE members will keep all their legacy resources even if
     they later cease to be RIPE members

You are within the RIPE service area if your network touches Europe,
northern Asia, or Greenland.  This can be as simple as having a rented
or donated server located in Europe, or as complicated as running a
worldwide service provider.  If you have a presence there, you can
transfer your worldwide resources out from under ARIN policies and put
them under RIPE's jurisdiction instead.

Moving to RIPE is not an unalloyed good; Europeans invented bureaucracy,
and RIPE pursues it with vigor.  And getting the above treatment may
require firmly asserting to RIPE that you want it, rather than accepting
the defaults.  But their motives are more benevolent than ARIN's toward
legacy resource holders; RIPE honestly seems to want to gather in legacy
resource holders, either as RIPE members or not, without reducing any of
the holders' rights or abilities.  I commend them for that.

Other RIRs may have other good or bad policies about legacy resource
holders.  As Randy proposed, consult a lawyer competent in legacy domain
registration issues before making any changes.

John


Imperva / Apple Private Relay issues

2022-09-15 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
We have been receiving a steady stream of calls from customers
complaining they cannot reach our websites when they have Apple's
Private Relay enabled.

For those in the dark, Private Relay sends (only) Safari connections
through an assortment of CDNs to anonymize the client's IP address.

What we are seeing is that, more often than not, connections to our
public servers that route through Imperva's DDoS service do not go
through.  When we look on the uplink interfaces on our firewalls,
there is nothing from those addresses.  But connections to other
hosts in the same cage, but which bypass Imperva, connect fine.

We've opened a ticket, but thus far Imperva's support team has been
unhelpful.  What I'm wondering is if anyone else is seeing similar
behaviour with their Imperva-protected hosts.  A quick way to test
is to turn on Private Relay on an iPhone (System Preferences ->
iCloud -> iCloud -> Private Relay) and then try connecting to a web
service hosted behind Imperva's DDoS service.  For our servers, not
all the connections fail, but a large percentage do, and it's
definitely tied to the proxy address you get assigned (verified
using whatismyip.com).  We are seeing failures on connections relayed
through both Cloudflare and Akamai.  Apple could be using other
CDNs as well, but those are the two we have specifically identified
as having unusable addresses.

--lyndon