[ppml] Policy Proposal 2007-6 - Staff Assessment

michael.c.loevner at verizon.com michael.c.loevner at verizon.com
Fri Apr 20 09:36:48 EDT 2007 

Marla,

I don't see the same negatives from this policy.  While it is true that 
spammers may take advantage of ARIN, they are just as likely to take 
advantage of an ISP that may not perform due diligence to get a PA /24.  I 
think we need to concentrate more on the positives of this policy for 
organizations that need a /24 and don't want the hassle of renumbering 
rather than concentrating on the exceptions.

Also, I don't think it will deplete address space.  I think we all take 
cues from ARIN in developing ISP policies for assigning address space. All 
this means is that a /24 that an ISP would assign to a customer anyway is 
getting allocated by ARIN. 

- Mike 




"Azinger, Marla" <marla.azinger at frontiercorp.com> 
Sent by: ppml-bounces at arin.net
04/19/2007 05:11 PM

To
"David Williamson" <dlw+arin at tellme.com>, "Stacy Taylor" 
<ipgoddess at gmail.com>
cc
ppml at arin.net
Subject
Re: [ppml] Policy Proposal 2007-6 - Staff Assessment






Dave thanks for keeping discussion going.

I oppose this policy for the following reasons. 

1. From experience with spammers, I feel this could actually make things 
easier on them as pointed out in an earlier string or just simply give 
them another avenue.

2. I tend to believe that a rush of some size will be brought on if this 
were to pass and that could lead to other negative effects such as 
depletion and maybe more aggregation than what was already needed, just 
because they can. 

3.One of the rationale from this proposal is "In addition, by keeping the 
PI allocation size for multi-homed
organizations at /22, organizations seeking PI space that don't meet the 
requirements may be encouraged to exaggerate their address usage. This is 
something that should clearly not be encouraged."  I disagree with this 
rationale and here is why:

I don't see proof of the exaggeration scam working or that it is done 
alot.  For example, just this week I had a customer who tried to do this 
with ARIN and they were told no and to get IP addresses from me.  When I 
reviewed what they had, they could only justify the use of a /23 and the 
rest of it was obvious "exaggeration".  So I don't see the exaggeration 
thing working out so much.  They may try it, but that doesn't mean they 
get away with it.  And another point, if they were exaggerating /22's or 
let say /21's then what is to stop others from exaggerating /24's?  And 
honestly, it would be allot easier to exaggerate your way through a /24 
justification than it would be a /22.  Also, I like to think that the 
number of people willing to "exaggerate" is smaller than those who are 
honest (yes I know, fire away, rose colored glasses). 

So in a quick summary, I don't think the reasons for this proposal 
outweigh potential spam issues or a run on IPv4 space and its related 
issues and just may lead to an increase of those willing to exaggerate 
justification because it is suddenly easier. 

Cheers!
Marla Azinger
Frontier Communications 


-----Original Message-----
From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of
David Williamson
Sent: Thursday, April 19, 2007 12:49 PM
To: Stacy Taylor
Cc: ppml at arin.net
Subject: Re: [ppml] Policy Proposal 2007-6 - Staff Assessment


I wanted to allow some time to see if this started any further
discussion.  Regrettably, it did not.

I think your first point is inaccurate.  Similar policies already exist
in several of the other RIRs, and that hasn't led a run on space.
Additionally, organizations that need IP space will get it one way or
another.  This policy simply provides another method for them.  Indeed,
ARIN's requirements are more strenuous than most provider's, so some
organizations that need a multi-homed /24 may still go for PA space.

Here's the key point: this only changes the minimum allocation size -
all of the other requirements (multi-homing, utilization, et.c) still
stand.

On your second point...I'm not in the anti-spam community, so I don't
have any real data on how much of a threat this is.  Perhaps someone
from another RIR could chime in on this, since APNIC, for example,
already hands out PI /24s.  Has there been any sort of known abuse
involving spammers?  Like I said, I'm not in the anti-spam community
enough to know, but it seems unlikely that spammers would take the time
to meet the utilization and multi-homing requirements and then turn
around and make that space mostly unusuable.  (Lather, rinse, repeat.)
It just doesn't seem to me like a profitable business method.  As I
have mentioned before, additional information from someone with actual
data on this point would be great.  The general apparent lack of data
actually gives me some confidence that this isn't as big of a threat
as it may seem.

Thanks for the feedback and the opinion!

-David




On Mon, Apr 16, 2007 at 03:39:06PM -0700, Stacy Taylor wrote:
> Hello PPML,
> I oppose this policy.
> First, I believe there is no better way to chew through the remainder
> of the v4 space faster than to pass this policy.
> Second, I support staff comments about spammers using this policy for
> abuse of networks.  In my experience, miscreants of this sort prefer
> multiple /24s for their 'businesses' to force spam hunters to play
> whack a mole with the blacklisting of space.  A _former_ customer of
> mine had more than 30 different business names, all with different
> points of contact and physical addresses.  Because we were the
> upstream, we were notified of his violations of our AUP.  If the only
> contact were the miscreant himself, he would not have been held
> accountable.  Spammers would adore directly assigned space for this
> very reason.
> For the good of the Internet, this policy must not be passed.
> Stacy
> 
> On 4/13/07, David Williamson <dlw+arin at tellme.com> wrote:
> > I'll second the comment that it's great to get these assessments in
> > advance of the meeting.  Thanks!
> >
> > I wanted to take a moment to respond to the staff comments on this
> > one.  Comments inline.
> >
> > On Fri, Apr 13, 2007 at 02:21:49PM -0400, Member Services wrote:
> > >      1.       There is very little qualification criteria which 
could lead to
> > > policy abuse by spammers.  These entities could create many 
different
> > > accounts over time as their existing space gets blacklisted or 
becomes
> > > otherwise unusable.
> >
> > Do spammers take the time to become multihomed and then apply for IP
> > space?  If they do, I'm sure they can find a way to qualify under the
> > existing policy for a /22.  I'm not sure I understand the actual risk
> > here.  It seems to me that this could already be a problem, actually.
> > Perhaps a process to identify or report spammers would help this
> > problem, but I'm not convinced that spammers actually try to get valid
> > IP space from RIRs.  Do we (staff and or community) have any data on
> > this possibility?
> >
> > >      2.       This could significantly increase the number of 
requests for
> > > ARIN services thereby requiring additional Registration Services
> > > Department and Financial Services Department staff.
> >
> > This is true.  It is likely that a small multi-homed enterprise would 
apply
> > for space under this policy rather than applying for space via an ISP.
> >
> > >      3.       Policy applies only to end users which could be 
perceived as
> > > unfair to ISPs.  This could also lead to potential abuse of the 
policy
> > > if ISPs apply as end users for single /24 IPv4 address block.
> >
> > I respectfully disagree with the first sentence entirely.  Existing
> > policy is heavily biased towards ISPs, and is rather unfair for 
smaller
> > entities that have a critical business need to be multi-homed, but 
wish
> > to avoid being semi-permanently attached to a single ISP due to the
> > need for address space.  Indeed, the current lack of fairness is part 
of
> > the desire to change the policy.
> >
> > On the second point - I agree that this could be an issue.  I suspect
> > it could be an issue now...there's nothing to stop an ISP from 
applying
> > for a /22 as an end user, outside of the risk of getting caught by 
staff.
> >
> > >      4.       It is unclear exactly how an organization can qualify 
for a /24
> > > IPv4 address block under this policy.  It appears that NRPM section
> > > 4.3.3, Utilization rate, requires 25% immediate, 50% within 1 year,
> > > would be the justification criteria.  However, NRPM section 4.2.3.6,
> > > Reassignments to multihomed downstream customers, indicates that an 
ISP
> > > can reassign a /24 IPv4 address block without regard to planned host
> > > counts as long as the customer is multi-homed.  The question here is
> > > does this policy allow ARIN to qualify a requestor for a /24 IPv4
> > > address block based solely on multi-homing or should host counts 
also be
> > > taken into account?
> >
> > Existing policy, as written, refers to section 4.3.3.  That doesn't
> > change with the proposed policy.  ISPs can feel free to reassign a PA
> > /24 via whatever policy they choose, but direct (PI) assignments 
should
> > still be under the guidelines listed in 4.3.3, regardless of the
> > minimum assignment size.  There is explicitly no change in that.
> >
> > >      5.       The policy does not address requests for more than one 
/24 IPv4
> > > address block for multiple sites.
> >
> > My intention for this issue is that this is handled in the same way
> > that multiple /22 requests are handled now.  Is the request justified?
> > There's no change in how this would be handled, outside of the
> > differences in minimum assignement size.
> >
> > >      6.       NRPM Section 4.4, Micro-allocation, should remain as 
is since it
> > > is a policy section essential for micro-allocation for critical
> > > infrastructure related requests.
> >
> > I'm happy to concede this point, and change the policy appropriately.
> > I'd like more (as in any) community input on this point.  To some
> > extent, the IPv4 micro-allocation section is irrelevant if this policy
> > is approved.  On the other hand, it may be useful to explicitly call
> > out the allocation policy for critical infrastructure.  What that
> > infrastructure is defined to be is an interesting question, but beyond
> > the scope of the current proposal.  More opinions solicted!
> >
> >
> > Thanks again for the opportunity to get some of this discussed in
> > advance of the meeting!
> >
> > -David
> >
> > _______________________________________________
> > This message sent to you through the ARIN Public Policy Mailing List
> > (PPML at arin.net).
> > Manage your mailing list subscription at:
> > http://lists.arin.net/mailman/listinfo/ppml
> >
> 
> 
> -- 
> :):)
> /S
> _______________________________________________
> This message sent to you through the ARIN Public Policy Mailing List
> (PPML at arin.net).
> Manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/ppml
_______________________________________________
This message sent to you through the ARIN Public Policy Mailing List
(PPML at arin.net).
Manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/ppml
_______________________________________________
This message sent to you through the ARIN Public Policy Mailing List
(PPML at arin.net).
Manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/ppml

More information about the ARIN-PPML mailing list