[ppml] Revocation

Owen DeLong owen at delong.com
Wed Feb 19 17:36:40 EST 2003


Ron,
	Excellent feedback!  Thanks.

	My responses inline below.

Owen

--On Wednesday, February 19, 2003 16:11 -0500 Ron da Silva <ron at aol.net> 
wrote:

> On Wed, Feb 19, 2003 at 11:01:46AM -0800, Owen DeLong wrote:
>>
> <snip>
>> Whatcha all think?
>
> Nice detailed proposal.  One area that needs some more meat is
> the definition of abuse.  Any suggestions there would be great!
>
Agreed.  I think abuse needs to be defined for this purpose through the
RFC or BCP process in the IETF and incorporated by reference by ARIN.
In this way, there is an internet definition of abuse, which ARIN (and
hopefully other RIRs) simply facilitate the enforcement by providers.

> I do have some particulars about the details to consider...
>
>> 2.	Each RIR should publish a list of valid prefixes and the ASN to which
>> 	they were Allocated or Assigned.  Ideally, this list should be available
>>  	in a machine-readable format and published by means of a well known
>> 	protocol.
>
> Do we need a mechanism for downstream allocations/assignments to be mapped
> to an origin ASN by the ARIN member when downstreams are not members?
>
If they have an ASN, they have a maintainer record.  Whether they are
a member or not, they are a maintainer.  It is maintainers, not members,
which I believe should be subject to the policy.  If they don't have
an ASN, it's hard to consider them in ARIN policy effectively.  However,
certainly, a provider should be allowed to revoke the resource from
the assignee without penalty to the provider in such circumstance.

>> 5.	ARIN should set up a revocation review committee made up of
>> 	representatives from ARIN members with allocations and nominated
>> 	by the ASO AC.  The members should be elected for a 2 year
>> 	term by the community at large (similar to the ASO AC election
>> 	at the ARIN/NANOG meeting).  The committee should consist
>> 	of 7 members.
>
> Nominated by ASO AC or ARIN AC?  Or, by general community?  Any
> requirements for candidacy?
>
I recommend nomination by ASO AC.  My theory for this is that this is
an ADDRESS SUPPORTING role.  As I understand it, the ASO AC comes from
ARIN and other sources which have a vested interest in ASO activities.
I don't have any strong opinions on requirements for candidacy other
than 18 years of age and the ability to do the job.  Beyond that, I
think that if the ASO AC can't be trusted to nominate good candidates,
we have bigger problems than the things this committee can influence.
Again, nominated by ASO AC, and elected by general community.

>> 6.	The revocation process should look something like the following...
>> 	B.	ARIN staff investigates and confirms abuse.  If abuse is
>> 		not confirmed, the process ends here...
>
> How is abuse confirmed?  Again, related to the definition of abuse.
>
Agreed.  See my comments on the definition of abuse above.  I know this
is kind of a cop-out on my part, but I will comment on the definition of
abuse when/if I come up with a good formulation for it.  However, I do
feel that discussion should take place in an RFC/BCP context and not
on the ARIN policy list.  For now, the things I think need to be
included as abuse at a minimum are:

	+	Activities which are illegal in the jurisdictions applicable
		to the address on file for the maintainer.

	+	Activities which are intended to interfere with the normal
		functioning of the internet (DDOS, Worms, Viruses, etc.)

	+	Obviously, some definition of the sending of SPAM and/or
		hosting of sites advertised in SPAM should also be included.

>> 	D.	If, 15 days after the message is received by the maintainer,
>> 		the abuse has not been resolved, ARIN should immediately
>> 		revoke the applicable allocations and/or assignments,
>> 		and refer the matter to the committee.
>
> Similarly, how is resolution of abuse determined?
>
Basically, once abuse is defined, resolution would simply be defined
as the identified abuse no longer continuing to occur/recur.  Obviously,
some more elaborate language will need to be crafted to cover
situations like abuse->notification->stop->resolve->start again
and/or abuse->notification->stop->resolve->different abuse.
I don't have a good idea on the exact language just yet.

>> 	E.	If the maintainer wishes to appeal the decision, he should
>> 		notify the committee of his desire to appeal within 30
>> 		days.  The maintainer should submit his appeal in written
>> 		form (preferably via electronic means).  The committee has
>> 		60 days to review the information before it must render a
>> 		decision.  The committee's decision is final...
>
> How does one ensure that there is no abuse by the committee itself?
> Or do we trust the judgment of the committee based on the nomination
> process?
>
I think we have to trust the judgement of the committee and the RIR
staff.  After all, the committee can't originate an abuse revocation,
they can only stop one or confirm it.  As such, they have little power
to abuse other than to approve the continuing abuse.  I think we should
be able to depend on the election process to prevent this, although,
it does identify a possible need for a recall process on the committee.

> Also, would a reinstatement process be needed?
>
In my opinion, no.  However, I can see circumstances where it would be
necessary to make a revocation provisional or temporary in a case where
for some reason, 15 days isn't long enough to fully resolve the abuse
(bad contract or such).  In such a case, I think we should include language
to give the committee this flexibility.  If the committee feels that
a resource needs to be permanently revoked, then the abuser, if sufficiently
determined, can create a new org and start the process all over again.
This doesn't seem like an excessive penalty, in my opinion.

Owen



