[ARIN-consult] Consultation on Transfer Fees Now Open

[Rob Seastrom]

> On Sep 12, 2016, at 1:13 AM, David Farmer <farmer at umn.edu> wrote:
> 
> I agree transfer fees should be due regardless of the success of the transfer.  Additionally, I think pre-payment, before any work by ARIN begins, is a justified when the source resources are not already covered under an RSA, there seems to be an additional risk of fraud in these cases.  There is an argument to be made that these changes would increase the cost to the fraudsters, therefore helping to reduce occurrence of such fraud, but let's be clear, it won't eliminate fraud.  
> 
> However, I wonder if the risk of fraud is low enough when the source resources are already covered under an RSA to allow post-payment instead of pre-payment, the fees are still due regardless of success of the transfer.  Note: the RSA contract has serious consequences for failure to pay an invoices, eventually the loss of the resources. 

I kind of feel as if allowing deferred payment for folks with an existing RSA (or tying non-payment of the generated invoice to a sense of "non-payment of fees due ARIN") creates an attack surface against the misfortunate resource holder, not unlike ordering someone a dozen unsolicited pizzas with their own credit card.

I'm in favor of an implementation that requires as little effort on the part of the resource holder in order to reject the beginning of the request (ignore the invoice) as possible.

JC, any thoughts on the potential implementation risk to the resource holder in the form of a DoS attack?

-r