Whois - Addressing the Asia Pacific

Post on 13-Jan-2017

Whois that? Addressing the Asia Pacific

Adam Gosling

Internet Policy Development Consultant, APNIC

PRFP-9

29 June 2016, Port Moresby, Papua New Guinea

Agenda

• What is APNIC?

• APNIC’s role in Cybersecurity

• Delegation and Registration

• Whois Improvements

• Policy SIG discussion

What is APNIC?

• The Regional Internet number Registry for the Asia Pacific region

• A neutral, independent, not-for-profit, open membership organization

• A Secretariat with ~ 70-75 staff

• Operating since 1993

• Based in Brisbane, Australia

APNIC’s Vision

A global, open, stable and secure Internet that serves the entire Asia Pacific community

What APNIC does

• Number resource management
  – IPv4 & IPv6, ASN

• Whois Database – public register
  – Technical & abuse tracking & troubleshooting
  – Protect against address hijacking

• Information dissemination
  – APNIC Conferences & events
  – Publications & Research

• Capacity Building
  – Training, Technical assistance, & Development

How do we work?

• Events
  – APNIC / APRICOT Conferences and Regional meetings
  – Network Operators Groups (NOGs) and Security Conferences

• Training and Technical Assistance Services
  – https://training.apnic.net

• Collaboration
  – With International, Regional & Local Organizations

• Blog & Social Media
  – https://blog.apnic.net

• Outreach campaigns
  – Ready to ROA!

APNIC Events

2015

16 economies: PK, BD, LK, MM, KH, TH, MY, SG, PH, ID, SB, JP, MN, GU, LA, MG

Attendance

• Conferences: 1,364

• Member outreach events: 614

ARM, Philippines

APNIC 40

APRICOT 2015

APNIC 40

APRICOT 2016

2016 so far

• Conference: 531 (NZ)

• Member outreach events: 186 (NP); 14 (TH)

APNIC Training

2016 (to date)

• 24 F2F courses held in 15 locations

• 616 F2F trainees

• 456 trainees in 57 eLearning sessions

• Video archives: 101 videos; 377,541 views

Technical Assistance

TAS - Thailand TAS - Bangladesh

Support for scalable and resilient networks and best practices in network operations

• Distribution and registration of resources

• Supporting reverse DNS delegation

• Managing whois and IRR

• Resource Certification

• IPv6 deployment

• Internet infrastructure security

www.apnic.net/tas

2016 outreach (to date)

Indonesia (2 Members)

NOG Outreach

BTNOG 1 SANOG 24

MMNOG

SGNOG 2015

MMNOG 2015

www.apnic.net/nog

2016: JANOG (Jan), PHNOG (Jan), SANOG (Jan), bdNOG (Apr)

… and many more to come!

• Technical and APNIC updates

• Hostmaster consultations

• Training sessions

• Sponsorship and logistical support

bdNOG 5

RIPE Atlas anchor deployment in Maldives – Dhiraagu staff

Community Development

Supported 5 RIPE Anchor deployments; distributed 120 RIPE Atlas probes

24 fellowships for APNIC 40 including 6 youth fellowships; 24 for APRICOT 2016

Supporting new L-root (ICANN) server instance in Apia, Samoa

Working with NSRC in New Caledonia and Samoa on IXP support

SANOG

Probe hosts in the Philippines

MoU signing for L-root

SANOG 27

The APNIC Development Program

Supports the growth of the Asia Pacific community by providing:

• Training and technical assistance

• Infrastructure support

• Grants and awards

• Research

The APNIC Foundation

Established in Hong Kong to support and expand the APNIC Development Program

APNIC’s role in Cybersecurity

Can APNIC stop network abuse?

• No, because…
  – APNIC is not an ISP and does not provide network connectivity to other networks
  – APNIC does not control Internet routing
  – APNIC is not a law enforcement agency
  – APNIC has no industry regulatory power

• What can we do?

Collaboration: Working together

Adli Wahid

Craig Ng

Participation in NOGs, CSIRTS and LEA events to educate and learn

Promoting new initiatives & security best practices among Members

Internet Investigation Training for LEAs: NZ, SG, BN & ID

Best Current Practices in Security

• Target Audience
  – IP Network Operators & Internet Service Providers
  – Regulators and Policy Makers

• Philosophy
  – Operationally relevant
  – Up to date

• Topics
  – Routing security: Resource Public Key Infrastructure (RPKI)
  – DNS and DNSSEC
  – Source Address Validation (SAVE)
  – Whois Database – IRT records
  – Establishing CSIRTs

Security Outreach

Craig Ng

NOGs, CSIRTS and LEA events

PK, CN, HK, KR, JP, PH, SG, MY, ID, AU, LK, MV, TW

Collaboration with JICA and KISA to deliver regional CERT training

Geoff Huston member of ICANN SSAC

Adli Wahid member of FIRST Board; invited to join INTERPOL Global Cybercrime Expert Group

www.apnic.net/security

Adli Wahid

RPKI

RPKI presentations to NOGs and conferences

‘Ready to ROA’ Campaign – hands-on sessions to help Members create ROAs

Shirts, stickers, web content to promote campaign

Regional RPKI adoption has grown rapidly in the past 15 months – 0.8% to 3.24% and rising

www.apnic.net/roa

• 10 face-to-face and eLearning RPKI training courses delivered in 2015

• Offline simulation of production system

• Create and revoke ROAs, observe changes to routing state in lab

Delegation and Registration

Delegation Hierarchy Diagram

Allocated to APNIC: Maint-by can only be changed by IANA

Allocated to Member: Maint-by can only be changed by APNIC

Sub-allocated to Customer: Maint-by can only be changed by Member

The APNIC Whois Database

• Holds IP address records within the AP region

• Can use this database to track down the source of network abuse
  – IP addresses, ASNs, Reverse Domains, Routing policies

• Can find contact details of the relevant network administrators
  – not the individual users
  – use the administrators' log files to contact the individual involved

Resource Registration

• As part of the membership agreement with APNIC, all members are required to register their resources in the APNIC Whois database.

• Members must keep records up to date:
  – Whenever there is a change in contacts
  – When new resources are received
  – When resources are sub-allocated or assigned

Customer Privacy

• Public data
  – Includes portable addresses (inetnum objects), and other objects e.g. route objects
  – Public data: must be visible

• Private data
  – Can include non-portable addresses (inetnum objects)
  – Members have the option to make private data visible

• Customer assignments
  – Can be changed to be public data (public data is an optional choice)

What can you do?

• Use the APNIC Whois Database to obtain network contact information

• APNIC Whois may or may not show specific customer assignments for the addresses in question
  – But will show the ISP holding APNIC space

• Contact the network responsible and also its ISP/upstream

• Contact APNIC for help, advice, training or support

• Community discussions can be raised in the APNIC conferences, mailing lists, etc.
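
The lookup described above, as an added example that is not part of the original slides: it parses a whois reply, finds every IPv4 inetnum object covering an address, and collects abuse mailboxes from the customer assignment up to the ISP holding the space. The reply is constructed; the netnames, the MAINT-EXAMPLE-ISP maintainer, the IRT handle, the mailbox and the function names are assumptions.

```python
import ipaddress

# Constructed reply in the whois "attribute: value" layout (see its % line).
SAMPLE = """\
% constructed sample: names and mailboxes are made up, 192.0.2.0/24 is a documentation range
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-ISP-NET
status:         ALLOCATED PORTABLE
mnt-by:         APNIC-HM
mnt-irt:        IRT-EXAMPLE-ISP

inetnum:        192.0.2.64 - 192.0.2.127
netname:        EXAMPLE-CUSTOMER
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-EXAMPLE-ISP

irt:            IRT-EXAMPLE-ISP
abuse-mailbox:  abuse@isp.example
"""

def parse_objects(text):
    """Split a reply into objects: dicts mapping attribute -> list of values."""
    objects, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():                  # a blank line ends an object
            objects += [current] if current else []
            current = {}
        elif line[0] not in "%# \t+" and ":" in line:  # skip comments, continuations
            key, _, value = line.partition(":")
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return objects

def covering_networks(text, ip):
    """inetnum objects containing ip, most specific first, with abuse mailboxes."""
    addr, objs, hits = ipaddress.ip_address(ip), parse_objects(text), []
    irts = {o["irt"][0]: o.get("abuse-mailbox", []) for o in objs if "irt" in o}
    for o in filter(lambda x: "inetnum" in x, objs):
        first, last = (ipaddress.ip_address(p.strip())
                       for p in o["inetnum"][0].split("-"))
        if first <= addr <= last:
            abuse = [m for i in o.get("mnt-irt", []) for m in irts.get(i, [])]
            hits.append({"netname": o.get("netname", ["?"])[0], "abuse": abuse,
                         "status": o.get("status", ["?"])[0],
                         "mnt-by": o.get("mnt-by", []), "size": int(last) - int(first)})
    return sorted(hits, key=lambda h: h["size"])

def abuse_contacts(text, ip):
    """Mailboxes to notify, from the assignment up to the upstream holder."""
    found = [m for net in covering_networks(text, ip) for m in net["abuse"]]
    return list(dict.fromkeys(found))  # de-duplicate, keep order
```

In the sample the customer assignment carries no IRT reference, so the only abuse mailbox returned is the one registered by the ISP that holds the allocation.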

Whois improvements

Steps we take to ensure Whois accuracy

• Member account opening
  – verification of corporate existence with corporate registries or regulators (where possible)

• Membership renewal
  – once a year
  – email to corporate contact, with payment record
  – Internet resources revoked if account not paid or renewed

• Transfer policies
  – encourage registration of resources
  – “value” of Internet resources encourages registration

Whois Accuracy Project

Simplifying contact update process

Assisting with IRT registration process

Clearer information about PoC in IP address object

Guidelines on using and updating information in whois

Monthly cleanup program on referenced objects (12 months+)

Easily report invalid contacts

Improving database and information accuracy to provide better user experience

MyAPNIC Improvements

Improving major features of MyAPNIC

Authorized contact management

Bulk Whois record management

Reverse DNS management

Route and ROA management

MyAPNIC speed improvement – 24% faster response time

Simplified whois updates

Registration Data Access Protocol

Standardizes the query format

Standardizes the response format

Commonly-used technologies

Supports redirection

Internationalization using UTF-8

RDAP Deployed in production 2015

Solves a number of limitations to WHOIS protocol

www.apnic.net/rdap

What if Whois info is invalid?

• Customer assignment information is the responsibility of ISPs
  – ISPs are responsible for updating their customer network registrations

• Tools such as ‘traceroute’, ‘looking glass’ and RIS may be used to track the upstream provider if needed

• Members (ISPs) are responsible for reporting changes to APNIC
  – Under formal membership agreement

• Report invalid ISP contacts to APNIC
  – http://www.apnic.net/invalidcontact
  – APNIC will contact member and update registration details

Community Discussion

Internet Policies

• Policies change to meet current needs

• There is a system in place called the Policy Development Process
  – Anyone can participate
  – Anyone can propose a policy
  – All decisions & policies documented & freely available to anyone

• Decisions made in the Policy SIG by consensus of those participating

Whois data quality improvement

Community discussion

APNIC 41 SIG Meeting

SIG discussion on APNIC whois data quality improvement

Mailing list

Chairs send call for further community participation

Secretariat Initiatives

Improved online tools

Continuous improvement of MyAPNIC online services

Services outreach

Staff work with individual Members to check whois

What can be done to improve accuracy?

Should operators be punished, or lose their resources?

Have your say: www.apnic.net/policy-sig

Next APNIC Conference

APNIC 42 (with bdNOG 6), Dhaka, Bangladesh

29 Sep - 6 Oct 2016

conference.apnic.net/42

APNIC Conferences in 2017

• APRICOT 2017 / APNIC 43
  – Ho Chi Minh City, Vietnam
  – 20 February to 3 March 2017

• APNIC 44
  – Taichung, Taiwan
  – 7 to 14 September 2017

Coming soon: APNIC Survey 2016

We want your views on APNIC!

Survey opens July – more details soon

Thank you

Adam Gosling

adam@apnic.net

@bout_policy