______________________________________________________________________

DRAFT TRANSCRIPT

SIG: Routing
Date: Wednesday 1 March 2006
Time: 4.00pm
Presentation: ASNs MIA: A comparison of RIR statistics and RIS reality
Presenter: Henk Uijterwaal
______________________________________________________________________

PHILIP SMITH: OK next up and last speaker is Henk Uijterwaal. He's talking about ASNs missing in action.

HENK UIJTERWAAL: This is work I did together with RIPE NCC an ASN missing in action. OK. So, I will talk. This is why we started doing this. We started to look at ASNs. I'm not going to explain what an ASN is because I assume you all know that. What you do know about ASNs is that each AS needs its own unique identifier. They are assigned in a hierarchical way. Local RIRs and users. And it is guaranteed uniqueness. You have to be able to identify it uniquely. Another observation is that ASes are a limited resource. At the moment, a reserve for an AS number, 60 bits means 65,000 something. A couple can get used for private use. But you can't use all the numbers. So you only have 64,510 of them available on the net. So, who has an AS? It's quite simple. If you want an AS you go to your local RIR and you ask for one. They all have policies, the five regions have five different policies. They are all based on a single document. With some global places added. If you're in a region and you think you need an AS, you just go to your RIR and you ask for one. I want to explain the policies in detail. And it's at the bottom of the slide and it says you get the AS for as long as you need it. If you don't need it anymore you're supposed to return it. I now start to look at this. I want to see the ASes that are handed out are actually used. Something seems to be fairly obvious. The ASN is a network of ASes. If you're looking for your router, you should find all the ASes that are in use at a particular time.
And ASes, like I said, in the previous slide, are demonstrated by need. Somebody shows that they need an AS, obviously connects to the net, and should be your router. So next you think all the assigned ASes are in RIB. Not quite. I look at this, three years ago by now, and I noticed a couple of things. Early 2003, the RIRs are assigned 20,000 ASN, 300 new ones per month. If I look at RIBs on a couple of routers, only 14,000 ASNs are visible, only 200 new ones showing up every month. So 20,000 compared to 4,600 are missing. And there are about 100 handed out more every month than are actually showing up on the net. So, yeah, my question was what's happening here? This work is a result of a study trying to find out what was happening here or what is happening here. So to study this program, you need some data. Fortunately, there are quite a few data around. The first thing is - data sources around. The RIRs publish Stats Files, where a list of all the ASes they have assigned and the day-to-day assigns. This is a daily report, they have weekly and monthly reports before. Of course, you can always work your way back where by just taking the file or say today and if I wanted it for yesterday I take today's report and remove everything that was assigned in the last day and I know what was assigned yesterday, I can work my way backwards. If you do that, you find some small difference, as sometimes these files change. So we worked through all these files, we removed them, and we found mistakes and double counting in there. This is a list of all the ASes that has been assigned at a particular time. The second thing you can look at is what's happening on the net. The RIBs, there are a couple of projects around that have RIBs around the place. One is RIPE NCC. It's a project that is RIBs from 450 peers. IPv4 and IPv6. All BGP updates. We looked at the data from 18 August, 2000 to 1 August, 2005. We had AS patterns. 
We took and broke them down into their components, the ASes and as soon as an AS showed up, we found it was used on a particular day. We have a long list of ASes that were used on particular days. You sometimes see private AS numbers, we remove them. And we also find people make typos and things like that. We remove all ASes for less than a week. And then there's a data sources. CIDR report, that's a weekly report on the Internet from AS4637 has been available since 1994 and includes all the ASN seen in RIB. And what do we have after this? We have two lists. One is sort of the ASN is assigned. RIR Stats Files. Theory - that should be out on the net. The second is the ASN in use - RIS and CIDR report - Practice. The normal thing you would expect from an ASN appears in both lists. It's assigned as somebody is using it. You found the differences. The ASes are used on sites and there can be two reasons for that. ASN in use but not assigned. Some people have inappropriate use. And then there's sometimes problem with the registration mechanism. We'll get to that later. Then there are ASes missing in action. ASNs in use but not registered. Over the course of the five years we found 436 ASNs used but not registered. Some of them were used for a short while. 255 were still visible on August 1 of last year. If you look closer at them, 215 of them are in RIPE NCC's ranges. We went through the basement of RIPE NCC and looked at other files other than the statistics files. Found that maybe old registrations, 10 years ago or more. Digging through more files, we found some data for 214. These ASes are probably registered as they are in files but they don't show up on the publicly available files. That's something that can be corrected. We found, we still don't have any idea who owns the ASNs, who are using it and if and how and when it was registered. Of the remainder, those are reported to ARIN and APNIC, the good thing is, that a lot of them are in the ARIN ranges. 
None of them are found in the ARIN ranges. This is presumably a problem with transferring of data. Over the years, records were moved from one registry to another. Seven of them fell through the cracks. So, people often mention, and ask about how the files is. We have 33,000 assigned, 41,000 without data and it's probably a lot less. Given this is a mechanism which has been running for like 15 years or so, 0.12% with no records. So next thing is, here are two curves. The purple one and the blue, that is blue, the data available from 2002. And then the purple line is working your way back which is simply removing everything from the first statistics files, working your way backwards. And then the red, you see here. And the green is what you see in the CIDR report. You can see a couple of things. First of all, this is fairly straight line. This is sort of 1999, that is start with the Internet logo. Now, the Internet bubble lasted for a couple of years, and in 2002, late 2001, early 2002, you can see in effect on what you see on the net. You don't see that, so people are still making plans, still getting ASNs assigned that don't appear on the net. The other thing is - you see down here, see on the net, these were pretty much parallel lines. Yes, there are a number of ASNs missing. However, if you look at the last couple of years, the difference and the number of ASNs missing is global. For modelling later on, if you look at this graph, you can see this is lit. The behaviour. We looked at it and we think that the growth of the number of ASNs assigned is linear. We did a couple of tests. Fit to linear and exponential curves. It still seems to be linear. Just to show that, this is the last couple of years. Graphs and data, the solid black line is linear, and the dotted line is exponential. Exponential starts to deviate at the end. Growth rates - so how many ASNs are appearing every month?
Three lines here - the most important one is the red one, that's new allocations every month. And the blue line, that is what's disappearing. If you look at the red line, since 2002, it's pretty much flat at about 284 a month. Also, with this varying, it's pretty flat there. And one thing you should note is this bit at the end, I'll explain it in the next slide. So these are growth rates for all five registries. So I split it up into various regions. The first one is ARIN. Here are three curves. The red - new assignments. The green - new re-assignment. And the blue - that's what is disappearing. And you see a couple of things. The first thing is, from 2002, from 2004, there was no recovery. And then ARIN starts to recover ASNs. That's the blue area there. The second thing you see is that the green and the red lines are new assignments from the never used pool, assignments that we used before are deviate. What is being recovered is being reassigned up here. Look at RIPE NCC, a couple of things. Very little recovery. And the other thing is the curve seems to go up. It is clearly going up. And so far, this is compensated by ARIN's recovery error efforts. It is still going as a linear curve. If ARIN ever stops doing this or recover anything they can possibly recover, it might cross from linear to exponential again. You can see the recovery effort over early 2003. Next one is the fraction of ASN seen. I took everything assigned over time and divided it by what's shown up on the net. How much you see here is OK. This is 1998 was only 40% and has been growing up quite nicely but for the last couple of years it's been pretty flat to about 63% which is visible on the net. And there are some numbers here. 33,000 were assigned, 20,000 there - 60%. 5,000 were used for a while but they were retired. Next interesting observation is the age of retired ASN. We plotted how long an ASN was seen before it disappeared from the Net. 
It simply means that people use - looking like 50 or 60 months and then disappears. People seem to think this and then stop using it. It can be plotted over time. This is plot, this is time and a fraction of the ASNs used. This is time when ASN was assigned to a fraction that's still used. This is 2005 and this is 2004. In 2004, the ASNs assigned to 2004, about 80% was used. And then it goes down pretty rapidly. So ones that were assigned 10 years ago, only 40% were still active. Um, next thing I'll look at - wait a second. Why does this drop? There are two effects that cause these drops. First thing is, sites go out of business. And when a site goes out of business, the need for an ASN disappears. But people are sort of scrambling out, getting it ready, trying to find new jobs with their CVs. The last thing on their minds is to send an email to the registry saying we get an ASNs from you and now you can have it back. And there is very little recovery effort there as well. The second thing that happens is the network merge. Often when there is a merge one ASN disappears but there's no incentive to return it to the unused pool. People often merge their networks ASN1 and ASN2 and they call them ASN1 and one gets lost. You then have to go through a registration process and apply for a new one. That causes the drop there. Then, the activation delay - how long does it take for an ASN that you apply for to appear on the net? This is data for the APNIC region, so on the bottom is assigned, the difference between days of assignment and appearance. And the three curves, pink, blue and purple are the various years. You can see a couple of things. The first thing is, if you wait two months, 60 days, about 40% appears within two months. If you wait 200 days, a little over half the year, about 2 out of 3 has appeared. If you wait for a really long time - a year and a half - essentially this curve flattens off. 80% only appears after a year and a half and it's fairly constant.
The other way you can look at this, 20% of ASNs that has been assigned never appears. So that's observation. I looked at the policies. All the regions have policies on what you have to do with an ASN. If you read the policy, it says that there must be plans to use the ASN within 30 days after assignment with ARIN. In RIPE NCC, there's no policy. There was a discussion on the mailing list three years ago. And here in the APNIC region, policy is that you must reach requirements on requirements upon receiving an ASN on reasonably soon or after. So, if you look at the policies and the theory and reality. They all say months, three months, soon, but in practice the time between assignments and appearance on the net is a lot longer. And the second problem is that 20% of the ASNs that are assigned never make it through on the net even though there was demonstrated need. Those are the raw numbers. Now some modelling. The first question that people have asked is when will the Internet run out of 16 bit ASN numbers? 33,681 were assigned last year and 30,000 are still available. We have 284 assignments per month. And we have about - which means you run out in 2016. It is sort of worrisome. If we cannot have ASNs, what do we have to do now? So, the first thing you can do is instead of solving the problem, postponing the problem. First we can reclaim what disappears, to 284 - 105 that equals 179 assignments/month. You can even make it be a little bit more aggressive, by also reclaiming what is never used. Go down to 60 assignments per month and the period there can be 33 years. Yeah. If that's not long enough, next thing is, let's make the ASNs a bit longer. There is a solution that there is a proposal here. I'm not going to make anymore detailed predictions. There is a draft that has been around in the RIR working group for a while with an extension of ASN numbers.
Now, based on this work, and several studies by Geoff Huston, a policy proposal in all five regions which says we'll start handing them out. Handing out is one thing, it also has to be implemented. You have to update your routers, have them deployed. And you'll need a couple of years. So whenever your router is there, make sure that this draft is implemented and that's something that requires a push from your side. Other ways to make things last longer - you can obviously, don't move to upgrade your kits, you might think about changing policies, current policies are basically demonstrate need. 20% never makes it to the net. It's probably too easy to demonstrate. So we visit policies. That's something for the various RIRs. Not for this forum. A couple of things - the essential thing in this game is uniqueness. You want an ASN to be unique. You don't want it to be used and reassigned. The first thing to do is using it again. There's no good mechanism for recovery. A solution to that might be the certification efforts, which are going on in the APNIC and RIPE region. Certification is very simple. It shows that it's assigned to somebody. This somebody is for a one-year period. You can always renew it if you still need it. So you never have to renumber. And if you get an ASN, you start to use it, and after a year, if you still need it, renew it. If you don't need it, the certificate will expire. As time goes on, it can be reused. It has one requirement, and people need to check these certificates when setting up. However, that's probably something that will become standard practice for securing the routing system that's deployed. 284 ASNs assigned per month from the unused pool. The actual growth is only 160. The pool will be empty by some time between 2013-2016. Ways to make it last longer - reclamation, certification. If people want to do this, it will last longer. If people don't want to do this, then one should start to think about deploying 4 byte ASNs. 
There's a full report from the RIPE website. And with that, I have to acknowledge a couple of people who helped with the data and a few transport companies as well. (refers to projector slide) What else - any questions?

PHILIP SMITH: Any questions at all?

DAVID CONRAD: Do you think there should be global consistency with regards to the ASN reclamation policies?

HENK UIJTERWAAL: Well, I mean, my personal opinion would be it would be good if this would be done - if this was done across all RIRs. There is no advantage to go to one registry or their policy differences. But I don't really have an opinion on this.

CHRIS CHAUNDRY: The one you said that was totally unmanned, early on in the talk, surely you can, you have the path information from the RIB and surely the people that the ASN number is connected to know that the number has connected?

HENK UIJTERWAAL: You can find that out. Inside the RIPE NCC building, we couldn't find any data on that.

PHILIP SMITH: No other questions or comments? OK, thank you very much. So that brings us to the end of the Routing SIG, the two sessions. I would like to thank all the seven speakers that we've had this afternoon for their presentations. Finished a few minutes early, so you've really got only about 40 minutes now between this session and the APOPS, which is the next session in this room. The APNIC social event is tonight. Those who are going to that please remember the last bus leaves at 7:10. If you're late, you'll miss out. Please be there on time and directions for the transport are on the back of the ticket, in case you're wondering what to do. Otherwise, thank you all for coming. Thanks very much to the stenographers for their work. See you at the next Routing SIG in six months time. Thank you.

APPLAUSE