I have been attending the American Registry for Internet Numbers (ARIN) meeting in Toronto. ARIN is one of the RIRs, i.e., the Internet address registry and policy making authority for North America. Although I have observed and participated on RIR lists for some time and interacted with RIR representatives at ICANN, WSIS and IGF, this is the first time I have been able to attend a meeting. I'm glad I did.
The ARIN meeting is very well organized. It is smaller-scale and much more focused than an ICANN or IGF meeting. The staff goes out of its way to be welcoming and friendly. Attendees are mostly network technicians of various flavors. Real Internet governance is taking place here, because organizations with real control of private and shared resources and operational capabilities are involved.
Its hard not to compare-contrast ARIN with ICANN, although ICANN can only suffer by comparison. One comes away with the conviction that the so-called bottom up policymaking which ICANN constantly claims to do is actually (more or less) seriously pursued here. The key differences are the smaller scale; the homogeneity of the participants; a more well-defined process that is grounded in a membership. Activities are focused on that area where highly technical decisions (e.g. routing policies, or minimum address block size) intersect with public (Internet-wide) policy issues such as security, privacy, and efficient utilization of scarce, shared resources.
The ARIN meeting is far more focused on policy making than its European counterpart (RIPE-NCC) – which I think is good. RIPE meetings contain a lot of parallel sessions with educational/informational content, all of which are interesting. But there is less of a sense of focused, collective decision making there – it is more like a conference. I really liked the way nearly all ARIN discussions are in plenary and decisions are actually made. Participants are provided with materials which concisely and with reasonable neutrality summarize the proposals, and the issues and concerns associated with them. Even the lunches were organized around discussion topics, where tables were set aside for discussion of particular topics. I sat at a table for discussion of Governmental involvement in RIRs, and had a great exploration of that topic with a law professor from Michigan State, people from the U.S. Drug Enforcement Agency, the U.S. Department of Homeland Security, and ARIN Council members Dave Farmer and Bill Darte.
Indeed, the basic framework of the ARIN meeting was so well done that the one act of process manipulation that occurred stood out like a sore thumb. The meeting got off to a bad start on Monday, with the FBI and Royal Canadian Mounted Police making a presentation on how badly they need Whois data. This presentation came right before consideration of a proposal that attempted to increase the confidentiality of Whois information. This proposal, #2010-3 concerning “Customer Confidentiality, had been proposed by some small, independent hosting service providers. Whereas all other proposals were considered in numerical sequence, 2010-3 was taken out of sequence and considered right after the FBI/RCMP presentation, which was inserted into the program at the last minute. So instead of being given the same opportunity to speak from the floor regarding 2010-3 as the rest of us, the FBI and the RCMP got 30 minutes of proselytizing, and it was all too obvious that these police agencies had mobilised to oppose the customer confidentiality proposal. (As an aside, the proposal was supported by AT&T, while opposition was voiced by Google and Paypal.)
Although the agenda manipulation was disturbing, the results were not that bad. The proponents learned that certain aspects of the status quo Whois policy allowed them to do pretty much what they wanted to do anyway, and its main advocate withdrew his own support for the proposal. He noted that he had been lobbied heavily by the FBI contingent the night before.
The presentation of Geoff Huston on the scalability of routing was another highlight of the meeting. I don't have the space to go into the technicalities and data of the presentation, which you can download here anyway, but the upshot was this. Huston's data about growth in the number of unique routing table entries, and in the number of Autonomous Systems (networks connected to the Internet) uncovers a counter-intuitive anomaly. Despite the regular annual growth in the number of networks connected, the number of routing table updates exchanged by BGP routers is remaining more or less constant. In other words, despite massive, long-term growth in the number of networks and routes on the Internet, the number of updates is remaining almost exactly the same – about 40,000 per year. Huston interprets this to mean that the distance or diameter of the Internet as a whole is not increasing; instead, the density of connections is increasing. From there, Huston went on to to conclude that BGP is scaling because of the RIRs' “policies and practices” that encourage aggregation. The scalability of BGP is not, he claimed a “natural” phenomenon but a product of the RIR's policies. This of course was music to the ears of the ARIN community, but the claim was quickly deflated by Chris Morrow from Google. It is actually money that drives this, he claimed. Service providers don't want latency. In order to limit latency, they organize their networks to avoid too many hops and thus constrain the diameter of the internet as a whole. In other words, the result Huston found could be more a result of “natural” market incentives than a product of wise policies imposed on the Internet by wise RIRs.
The informational discussion of RPKI here was a bit disappointing – it came near the end of the day, time was short and people were getting tired. None of the governance implications were explored or discussed adequately; indeed, if you listened only to Mark Koster's presentation you would have thought that there were no policy or governance implications at all. ARIN, like other RIRs is pursuing a very aggressive implementation schedule; inital producion is planned for th end of 2010, and Koster estimated that miraculously, a single trust anchor would emerge by the end of 2011. One participant (Joe Jaegli) did raise concerns about how much this changed the openness of the system. Danny McPherson admitted that “you are trading off autonomy for security” but the nature of this trade off was not explored. Some commenters insisted that RPKI “doesn't really change anything” because ISPs can use alternative trust anchors. But if you probe this argument it is almost exactly the same as saying that we don't need to worry about ICANN because you can always form an alternate root.
To sum up, we've had pretty open, focused and (with the one exception noted) fair discussions here. For those with the technical background to understand the Internet governance implications of RIR decisions and policies, I'd encourage participation and membership in ARIN.