Presentation given by Adam Gosling at 9th Policy and Regulation Forum for Pacific (PRFP-9) in Port Moresby, Papua New Guinea (PNG)

1. Issue Date:
Revision:
Whois that?
Addressing the Asia Pacific
Adam Gosling
Internet Policy Development Consultant, APNIC
PRFP-9
29 June 2016, Port Moresby, Papua New Guinea

2. Agenda
• What is APNIC?
• APNIC’s role in Cybersecurity
• Delegation and Registration
• Whois Improvements
• Policy SIG discussion

3. What is APNIC?

4. What is APNIC?
• The Regional Internet number
Registry for the Asia Pacific
region
• A neutral, independent,
not-for-profit, open membership
organization
• A Secretariat with ~ 70-75 staff
• Operating since 1993
• Based in Brisbane, Australia
4

5. APNIC’s Vision
A global, open, stable and secure
Internet that serves the entire Asia
Pacific community
5

6. What APNIC does
• Number resource management
– IPv4 & IPv6, ASN
• Whois Database – public register
– Technical & abuse tracking & troubleshooting
– Protect against address hijacking
• Information dissemination
– APNIC Conferences & events
– Publications & Research
• Capacity Building
– Training, Technical assistance, & Development

7. How do we work?
• Events
– APNIC / APRICOT Conferences and Regional meetings
– Network Operators Groups (NOGs) and Security Conferences
• Training and Technical Assistance Services
– https://training.apnic.net
• Collaboration
– With International, Regional
& Local Organizations
• Blog & Social Media
– https://blog.apnic.net
• Outreach campaigns
– Ready to ROA!

8. APNIC Events
8
2015
16 economies: PK,
BD, LK, MM, KH, TH,
MY, SG, PH, ID, SB,
JP, MN, GU, LA, MG
Attendance
• Conferences:
1,364
• Member outreach
events: 614
ARM, Philippines
APNIC 40
APRICOT
2015
APNIC 40
APRICOT
2016
2016 so far
• Conference: 531
(NZ)
• Member outreach
events: 186 (NP);
14 (TH)

9. APNIC Training
9
2016
(to date)
• 24 F2F courses
held in 15
locations
• 616 F2F trainees
• 456 trainees in
57 eLearning
sessions
• Video archives:
101 videos;
377,541 views

10. Technical Assistance
TAS - Thailand TAS - Bangladesh
Support for scalable and resilient
networks and best practices in
network operations
• Distribution and registration of resources
• Supporting reverse DNS delegation
• Managing whois and IRR
• Resource Certification
• IPv6 deployment
• Internet infrastructure security
www.apnic.net/tas
10
2016 outreach (to date)
Indonesia (2 Members)

11. NOG Outreach
BTNOG 1 SANOG 24
MMNOG
SGNOG 2015
11
MMNOG 2015
www.apnic.net/nog
2016: JANOG
(Jan), PHNOG
(Jan), SANOG
(Jan), bdNOG (Apr)
… and many more
to come!
• Technical and
APNIC updates
• Hostmaster
consultations
• Training
sessions
• Sponsorship and
logistical support
bdNOG 5

12. RIPE Atlas anchor deployment in
Maldives – Dhiraagu staff
Community Development
Supported 5 RIPE Anchor
deployments; distributed 120
RIPE Atlas probes
24 fellowships for APNIC 40
including 6 youth fellowships;
24 for APRICOT 2016
Supporting new L-root
(ICANN) server instance in
Apia, Samoa
Working with NSRC in New
Caledonia and Samoa on IXP
support
SANOG
Probe hosts in the Philippines
MoU signing for
L-root
12
SANOG 27

13. The APNIC Development Program
13
Supports the growth of
the Asia Pacific
community by
providing:
• Training and
technical assistance
• Infrastructure
support
• Grants and awards
• Research

14. The APNIC Foundation
14
Established in Hong
Kong to support and
expand the APNIC
Development
Program

15. APNIC’s role in
Cybersecurity
15

16. Can APNIC stop network abuse?
• No, because…
– APNIC is not an ISP and does not provide network
connectivity to other networks
– APNIC does not control Internet routing
– APNIC is not a law enforcement agency
– APNIC has no industry regulatory power
• What can we do?

17. Collaboration: Working together
17
Adli
Wahid
Craig Ng
Participation in NOGs,
CSIRTS and LEA events to
educate and learn
Promoting new initiatives &
security best practices
among Members
Internet Investigation
Training for LEAs:
NZ, SG, BN & ID

18. Best Current Practices in Security
• Target Audience
– IP Network Operators & Internet Service Providers
– Regulators and Policy Makers
• Philosophy
– Operationally relevant
– Up to date
• Topics
– Routing security: Resource Public Key Infrastructure (RPKI)
– DNS and DNSSEC
– Source Address Validation (SAVE)
– Whois Database – IRT records
– Establishing CSIRTs

19. Security Outreach
Craig Ng
NOGs, CSIRTS and LEA
events
PK, CN, HK, KR, JP, PH, SG,
MY, ID, AU, LK, MV, TW
Collaboration with JICA and
KISA to deliver regional
CERT training
Geoff Huston member of
ICANN SSAC
Adli Wahid member of FIRST
Board; invited to join
INTERPOL Global
Cybercrime Expert Group
19
www.apnic.net/security
Adli Wahid

20. RPKI
20
RPKI presentations to NOGs
and conferences
‘Ready to ROA’ Campaign –
hands-on sessions to help
Members create ROAs
Shirts, stickers, web content to
promote campaign
Regional RPKI adoption grown
rapidly in past 15 months –
0.8% to 3.24% and rising
www.apnic.net/roa
• 10 face-to-face and eLearning RPKI
training courses delivered in 2015
• Offline simulation of production system
• Create and revoke ROAs, observe
changes to routing state in lab

21. Delegation and
Registration
21

22. Delegation Hierarchy Diagram
22
Allocated to APNIC:
Maint-by can only be
changed by IANA
Allocated to Member:
Maint-by can only be
changed by APNIC
Sub-allocated to Customer:
Maint-by can only be
changed by Member

23. The APNIC Whois Database
• Holds IP address records within the AP region
• Can use this database to track down the source of
the network abuse
– IP addresses, ASNs, Reverse Domains, Routing policies
• Can find contact details of the relevant network
administrators
– not the individual users
– use administrators log files to contact the individual
involved

24. Resource Registration
• As part of the membership agreement with APNIC, all
members are required to register their resources in the
APNIC Whois database.
• Members must keep records up to date:
– Whenever there is a change in contacts
– When new resources are received
– When resources are sub-allocated or assigned
24

25. Customer Privacy
• Public data
– Includes portable addresses (inetnum objects), and other
objects e.g. route objects
– Public data: must be visible
• Private data
– Can include non-portable addresses (inetnum objects)
– Members have the option to make private data visible
• Customer assignments
– Can be changed to be public data (public data is an
optional choice)

26. What can you do?
• Use the APNIC Whois Database to obtain network contact
information
• APNIC Whois may or may not show specific customer
assignments for the addresses in question
– But will show the ISP holding APNIC space
• Contact the network responsible and also its ISP/upstream
• Contact APNIC for help, advice, training or support
• Community discussions can be raised in the APNIC
conferences, mailing lists, etc.

27. Whois
improvements
27

28. Steps we take to ensure Whois
accuracy
• Member account opening
– verification of corporate existence with corporate
registries or regulators (where possible)
• Membership renewal
– once a year
– email to corporate contact, with payment record
– Internet resources revoked if account not paid or
renewed
• Transfer policies
– encourage registration of resources
– “value” of Internet resources encourage registration

29. Whois Accuracy Project
29
Simplifying contact
update process
Assisting with IRT
registration process
Clearer information
about PoC in IP
address object
Guidelines on using
and updating
information in whois
Monthly cleanup
program on
referenced objects
(12 months+)
Easily report invalid
contacts
Improving
database and
information
accuracy to
provide better
user experience

30. MyAPNIC Improvements
30
Improving major
features of
MyAPNIC
Authorized contact
management
Bulk Whois record
management
Reverse DNS
management
Route and ROA
management
MyAPNIC speed
improvement – 24%
faster response time
Simplified whois
updates

31. Registration Data Access Protocol
31
Standardizes the query format
Standardizes the response format
Commonly-used technologies
Supports redirection
Internationalization using UTF-8
RDAP Deployed in
production 2015
Solves a number of
limitations to WHOIS
protocol
www.apnic.net/rdap

32. What if Whois info is invalid?
• Customer assignment information is the responsibility
of ISPs
– ISPs are responsible for updating their customer network
registrations
• Tools such as ‘traceroute’, ‘looking glass’ and RIS may
be used to track the upstream provider if needed
• Members (ISPs) are responsible for reporting changes
to APNIC
– Under formal membership agreement
• Report invalid ISP contacts to APNIC
– http://www.apnic.net/invalidcontact
– APNIC will contact member and update registration details

33. Community
Discussion
33

34. Internet Policies
• Policies change to the meet current needs
• There is a system in place called the Policy
Development Process
– Anyone can participate
– Anyone can propose a policy
– All decisions & policies documented & freely available to
anyone
• Decisions made in the Policy SIG by consensus of
those participating

35. Whois data quality improvement
35
Community discussion
APNIC 41 SIG Meeting
SIG discussion on APNIC whois
data quality improvement
Mailing list
Chairs send call for further
community participation
Secretariat Initiatives
Improved online tools
Continuous improvement of
MyAPNIC online services
Services outreach
Staff work with individual
Members to check whois
What can be done to improve accuracy?
Should operators be punished, or lose their resources?
Have your say: www.apnic.net/policy-sig

36. Next APNIC Conference
36
APNIC 42 (with bdNOG 6),
Dhaka, Bangladesh
29 Sep - 6 Oct 2016
conference.apnic.net/42

37. APNIC Conferences in 2017
• APRICOT 2017 / APNIC 43
– Ho Chi Minh City, Vietnam
– 20 February to 3 March 2017
• APNIC 44
– Taichung, Taiwan
– 7 to 14 September 2017
37

38. Coming soon: APNIC Survey 2016
38
We want your views on
APNIC!
Survey opens July –
more details soon

39. Thank you
Adam Gosling
adam@apnic.net
@bout_policy