[ppml] IPv6 assignment - proposal for change to nrpm

[Ted Mittelstaedt]

>-----Original Message-----
>From: Stephen Sprunk [mailto:stephen at sprunk.org]
>Sent: Wednesday, October 31, 2007 2:10 PM
>To: Ted Mittelstaedt
>Cc: ARIN PPML
>Subject: Re: [ppml] IPv6 assignment - proposal for change to nrpm
>
>
>Thus spake "Ted Mittelstaedt" <tedm at ipinc.net>
>>>>>I've seen plenty of horrifying examples, though NDAs prevent me
>>>>>from naming names.
>>>>
>>>> Please don't say stuff like that, it is just a bunch of straw men.
>>>> We do not sign NDAs with any customers we do service work
>>>> for, (none have asked)
>>>
>>>Lucky you.  I'm under NDA to that (past) employer, and that
>>>employer is under NDA to those customers; my NDA bound me to
>>>their NDAs.  I've asked, and I'm not even allowed to say who those
>>>customers are, and certainly not details of their internal networks.
>>>Even on my own, I've never done consulting work for any company
>>>that _didn't_ demand an NDA, nor have I been employed by a
>>>company that didn't since I was worked retail as a teenager.
>>
>> Any contract that obligates you to conceal something illegal is
>> unenforceable.
>
>If I had been aware of someone committing a crime, I would have contacted
>the appropriate law enforcement agency.  AFAIK, no laws were
>broken.  There
>was no fraud, for example, since they never represented that their
>utilization _was_ efficient to anyone -- and it so obviously wasn't that
>nobody would even attempt to claim such.
>
>>>For that matter, a substantial fraction of legacy assignments are
>>>to defense contractors, who have parts of their network that are
>>>not only under NDA but classified.  ARIN can't get details about
>>>those networks, since AFAIK they have no staff with the appropriate
>>>clearances, and no court can order disclosure.  Even employees
>>>in the "white" parts of those companies often have no clue what
>>>the "black" parts look like.
>>
>> That is a different deal.  However, those classifications only hold true
>> in the US.  If I am not a US citizen and I live outside the US I can talk
>> publically about any US DoD classified things I feel like.
>
>The only non-citizens outside the US which _should_ be able to get such
>information in the first place will be under similar laws from their own
>government.

Of course.

>If anyone else obtained DoD classified information, someone
>with a clearance illegally gave it to them

There have been lots of security breaches - Lawrence Livermore Lab just
lost a backup tape or laptop or some such a couple months back for example -
no need for someone with a clearance to actually make an effort to give
out classified info.

>and they'll likely end up in a
>deep, dark hole.

Valerie Plame?

>Depending on how sensitive the information is,
>the USG may
>perform a "rendition" and bring the unauthorized person to US soil for
>detention.

correction - TRY TO bring the person to US soil for detention.

>In case you missed it, in the 80s Congress asserted worldwide
>jurisdiction and enforcement of its laws -- including over non-US citizens
>on non-US soil.  Since victims don't usually get trials or press coverage,
>we have no clue how often it happens.
>

Yep, there's standing orders to detain all members of the DeBeers family
for questioning on violations of the Sherman-anti-trust act for price fixing
in the diamond industry.  I think those were issued sometime in the 70's
Needless to say, none of the DeBeers visit the US

Almost certainly if any US citizen who published specs of, say, Israel's
military arms were to travel to Israel, they would similarly find themselves
in very uncomfortable quarters.  There's lots of that data out there, by
the way.

>>>> A holder like SBC Global who is under RSA is arguably violating
>>>> their contract with ARIN by assigning an overage of IP addresses
>>>> to customers that the customers aren't asking for, in an effort to
>>>> hoard IPs.
>>>
>>>That's a matter for ARIN's counsel and/or staff, not us.
>>
>> ARIN's policy is set by us, we elect ARIN officers, this is definitely
>> a matter for us.
>
>No, it is not.  If you are unhappy with the actions of ARIN's board and
>you're a member, you can vote for different candidates.  That's where your
>control ends.  Only ARIN's employees and counsel are privvy to information
>given to ARIN under NDA

I didn't say NDA I said RSA, two different things.  I signed no NDA with
SBCGlobal, so your claim that that example is only a matter for ARIN staff
due to some specious NDA isn't true.

> -- even the BoT isn't due to potential
>conflicts of
>interest.
>
>> It's no different than any other representative government.
>
>ARIN is certainly not a government but rather a Virginia non-stock
>corporation.
>
>> I think your probably not that familiar with how these sorts of
>> organizations operate?  Openness rules the roost.
>
>Openness of process and policy, yes, but not of implementation
>necessarily.
>Try getting someone else's tax records or individual census records less
>than 70 years old.  Some things are beyond FOIA's reach for a reason.
>

"implementation necessairly" covers quite a bit of ground.  Sure,
competitive
information like customer data and suchlike that is given to an RIR must
remain confined to the RIR.  There's plenty of moral and legal reason
for that to happen.

But to try to construe this to cover up someone's embarassment of not
playing
by the rules, that is wrong and there is no reason for it.

Currently there's enough different orgs assigned IPv4 that clearly there are
no
vast caches of unused IPv4.  Even those possibly-mythical /8's are small
potatoes
in the grand scheme of things, as they would hardly push the date of IPv4
runout
more than a few years out.  So, much of this is merely theoretical
discussion.
But, if there WERE large caches of IPv4 not being used out there that would
possibly extend runout date out for another 20 years - then I think it would
make it blindingly clear to you how much an org's utilization efficiency is
everyone's concern.

>>>For that matter, since the details are almost assuredly under NDA,
>>>we have no clue if staff has reviewed the practice and whether or
>>>not they've found it acceptable for reasons we're not privvy to.
>>
>> ARIN is required to abide by it's policies which call for, what is it,
>> 100% utilization?
>
>Per 4.3.2.4.1, each customer must meet 80% utilization; there is no
>indication if that's to be assessed per assignment or somehow averaged
>across all assignments to a given customer.
>
>Per 4.2.4.1, an LIR has to have "efficiently" utilized all prior
>allocations
>and at least 80% of the most recent one.  Since there's no explicit
>definition given for "efficient", let's say that means "100% assigned".
>However, those assignments only need to be 80% utilized themselves.
>
>For end users getting direct assignments, 4.3.3 says they must be able to
>reach 50% utilization within a year, and 4.3.6 says 80% of all previous
>assignments, if any.
>
>> In other words, ARIN staff has no ability to give a group, whether
>> under NDA or not, a special exemption from the utilization
>> requirements unless such exemption is spelled out in policy.
>
>The wording in the policy is intentionally loose so that staff can make a
>reasonable assessment of the records they're given.  It's entirely
>possible
>that there is technical justification showing that a /30 is not
>possible in
>the case you described.  I can't imagine what it may be, but
>SBCGlobal must
>have a reason for doing it that way since it's unusual, and staff will
>review that reason when they come back for more space -- if they haven't
>already.
>

Why do you fight Occams razor on this?  Obviously there is no technical
justification, it is merely padding because a /29 can be assigned to a
customer without complaint from the RIR.

>> Which gets back to the original thrust of my response - the devil
>> is in the details.  What is your definition of 100% utilization?
>> Mine certainly isn't an empty /8.
>
>I'm unaware of any "empty" /8s, though it's common belief that many are
>poorly utilized.  I'm personally aware of plenty of "empty" /24s and a few
>"mostly empty" /16s.  All are legacy.
>
>I've also heard someone claim they were aware of one or more non-legacy
>allocations which were originally justified but the company went under and
>one of the employees/owners kept paying the bill so they could retain the
>block (perhaps "empty" today) for future purposes.  That does appear to be
>an RSA violation, but I don't know who the alleged offenders were/are; I
>can't even recall who made the claim.
>
>> I know you are certain in what you have seen.  You must understand
>> that me saying what you have seen has to be considered mythical,
>> does not mean I personally disbelieve you have seen this.  I am
>> just saying nobody can do anything about these since we don't know
>> who the abusers are.
>
>_We_ don't know, except for the "abusers" hiding among us.  ARIN staff may
>know or, failing that, have the power to ask for that information, which
>they will most likely only get under NDA.  All we can do is tell
>them (a) to
>go do it and (b) what they should do if/when they get the information (or
>don't).  We might be able to deduce some of what they find from the end
>results, but we might not; either way we have to trust they're doing what
>policy and the BoT tells them to do.
>

Except as far as I know the policy isn't telling ARIN to go out there and
spend money beating the bushes trying to do IPv4 reclamation.  So for them
to
do it we need to tell it to them, and which leads back to the beginning of
the discussion which is what to tell them?

>>>> By the time the law of diminishing returns acts on a reclamation
>>>> effort, the wasteful holders still out there who have so far ignored
>>>> the nice pleas aren't going to respond to anything other than
>>>> a threat.
>>>
>>>If they have ignored the "nice pleas", of course they won't respond
>>>to anything other than a threat.  That doesn't mean we need to
>>>start working out what that threat may eventually be, or if we'll even
>>>use one, before we see how well the "nice pleas" work.
>>
>> It doesen't mean we shouldn't work out that threat now, either.
>
>The threat (to non-legacy folks) is clearly stated in section 8 of
>the RSA:
>"If ARIN determines that the number resources or any other
>Services are not
>being used in compliance with this Agreement, the Policies, or the
>purposes
>for which they are intended, ARIN may: (i) revoke the number
>resources, (ii)
>cease providing the Services to Applicant, and/or (iii) terminate this
>Agreement. "
>
>The LRSA's threat is a bit weaker, since it's only to stop providing
>services that ARIN is providing to legacy holders anyways even if they
>haven't signed the LRSA.
>
>The only threat remaining to discuss, then, is what (if anything)
>ARIN might
>do to folks that haven't signed either the RSA or the LRSA.
>

No, there is also to discuss whether ARIN is "determining that the number
resources are being used in compliance"  What evidence do you see that
they are, other than for new assignment requests?

>>>OTOH, I bet we could recover 64k /24s for less in legal fees than
>>>a single /8; the folks with /8s have hundreds of lawyers each at
>>>their disposal with nothing better to do than sue annoyances like
>>>ARIN out of existance.
>>
>> Throwing hundreds of lawyers on a lawsuit does not change the
>> basic dispute or conflict.
>
>No, but it may change the outcome if you can bankrupt the other party
>through legal costs or business distruptions before the case is settled.
>Many lawsuits are filed _knowing_ the plaintiff would lose on merit, and
>many defendants that would win end up settling because it's cheaper.
>
>> That's why Erin Brockabitch won, and why there's tons of other
>> David vs Goliath court cases out there.  The only thing that
>> helps is the quality of the lawyer you use, and ARIN has enough
>> money to hire lawyers that are every bit as good as the best
>> lawyers the other side has.
>
>ARIN, with annual revenues of a few million and a small operating reserve,
>would be unlikely withstand a determined legal assault by a dozen
>companies
>that each rake in billions per month.
>

That isn't true.  It would depend greatly on the nature of the dispute.
If ARIN didn't have all it's ducks in line, then things would go bad for
them.  But if they did, then they would win and the countersuit would
be very lucrative.  But even if they lost, then so what?  They can't go out
of business as they have a guarenteed source of revenue - and if a
winning company were to somehow gut ARIN and make it stop doing what
it's doing, then everyone would stop paying and allow their allocations
to revert back to ARIN, and you would have a free-for-all in which now
the very assetss that these dozen companies were suing over would be
subject to poaching and all kinds of stuff.

ARIN is a goose and the numbering are the golden eggs, and if you kill it,
you kill the RIR system and thus the Internet.  The ONLY reason a
single company would file a lawsuit against ARIN is to benefit
-themselves only- because otherwise it makes no sense at all.

>>>And if we go after one, the rest will counterattack to prevent a
>>>precedent being established that they don't like.
>>
>> "the rest" aren't going to spend a nickle on counterattacking.  It's
>> like the old saw that they came for this guy and I didn't speak up,
>> they came for that guy and I didn't speak up, they came for this
>> other guy and I didn't speak up, now they are coming for me, darn,
>> I should have spoke up.
>
>Counterexample: Novell's actions related to SCO v. IBM.
>

Ah - but, SCO was -wrong- in the beginning and everyone knew that, even
I am sure, SCO.  Otherwise they would have posted the actual sections of
the offending code as they were called on to do hundreds of times.

Your also assuming that the SCO lawsuit was intended to win, rather than
what it actually was intended to be - namely, a diversion to the
stockholders
so the exec staff of SCO had enough time to bleed the company dry before
the stockholders realized they were pulling their pants down.

Ted