[ppml] Policy Proposal 2007-14 - Staff Assessment

Fri Mar 21 14:48:01 EDT 2008

Policy Proposal 2007-14	
Title:   Resource Review Process
Proposal Submitted: Feb 21, 2008
Date of Assessment: Mar 21, 2008

ARIN Staff Assessment

The assessment of this proposal includes comments from ARIN staff and
the ARIN General Counsel. It contains analysis of procedural, legal, and
resource concerns regarding the implementation of this policy proposal
as it is currently stated. Any changes to the language of the proposal
may necessitate further analysis by staff and Counsel.

I.	Proposal

Policy Proposal is available as Annex A below and at:
http://www.arin.net/policy/proposals/2007_14.html

II.	Understanding of the proposal

This policy proposal provides clear policy authority to audit or reclaim
resources, guidelines for how it shall be done, and a guarantee of a
(minimum) six-month grace period so that the current user shall have
time to stop using any resources to be reclaimed.

III.	Comments

A.	ARIN Staff

1.  2c does not reconcile with the RSA, which grants ARIN authority to
request any data necessary and does not specify any sort of limitation
to frequency.

2.   Item 3 requires staff to share the results of an audit of an
organization’s resources.  Staff often reviews an organization’s
transaction history and resources during fraud or suspicious activity
investigations and feels that it is not always prudent to share those
results.

3.  Point 4b uses the term “single aggregate block” Does this refer to a
single CIDR prefix, or to “a contiguous range of addresses”?

B.	ARIN General Counsel

This policy will be looked at very carefully in those instances where
ARIN demands data, or seeks to terminate and revoke resources previously
granted. It will guide ARIN, and any reviewing adjudication court who
may be required to evaluate a dispute, review it because it sets up
procedures for revocation, and requires production of data. Writing down
such policies may be important support for ARIN's application of such
policies. However, the same benefit can become a problem if the language
is not carefully constructed. Counsel supports a version of this policy
being enacted and believes adoption of this policy could reduce future
legal fees.

Some language tweaks may help. For this reason I am suggesting the
author and AC consider language that tightens the policy from a legal
perspective but is consistent with the perceived intent of the author.
Some language changes are more important than others.  Please note:
Outlook doesn't permit redlining to show; it automatically accepts the
redlined changes.  Therefore, the redlines have been accepted in 1-8 below.

1. ARIN may review the current usage of any resources issued by ARIN to
an organization. The organization shall furnish whatever records are
believed to be necessary by ARIN to perform this review.

2. ARIN may conduct such reviews:

a. when any new resource is requested, b. whenever ARIN has reason to
believe that the resources originally were obtained fraudulently, or in
contravention of existing policies, c. at any other time, without cause
having to be established, unless a prior review has been completed in
the preceding 24 months.

3. ARIN shall communicate the results of the review to the organization.

4. Organizations found by ARIN to be substantially out of compliance
with current ARIN policy shall be requested or required to return
resources to bring them into (or reasonably close to) compliance.

4a. The extent to which an organization may remain out of compliance
shall be based on the reasonable judgment of the ARIN staff and shall
balance all facts known, including the organizations utilization rate,
available address pool, and other factors as appropriate so as to avoid
forcing returns which will result in near-term additional requests or
unnecessary route de- aggregation.

4b. To the extent possible, entire blocks should be returned. Partial
address blocks shall be returned in such a way that the portion retained
will comprise a single aggregate block.

5. If the organization does not voluntarily return resources as
requested, ARIN may revoke any resources issued by ARIN as required to
bring the organization into overall compliance. ARIN shall follow the
same guidelines for revocation that are required for voluntary return in
the previous paragraph.

6. Except in cases of fraud, or intentional violations of policy, an
organization shall be provided a reasonable period of time to effect a
return. ARIN shall agree to a longer term with the organization if ARIN
believes the organization is working in good faith to restore compliance
and has a valid need for additional time to renumber out of the affected
blocks.

7. ARIN shall continue to maintain the resource(s) while their return or
revocation is pending, except no new maintenance fees shall be assessed
for the resource(s). (?)

8. Legacy resources in active use, regardless of utilization, are not
subject to revocation by ARIN, pursuant to this subsection. However, the
utilization of legacy resources shall be considered during a review to
assess overall compliance.

  Counsel continues not to agree with the first sentence of the
rationale which states ARIN "feels that current policy does not give
them the power to review or reclaim resources except in cases of
fraud...."  Counsel requests this be rewritten to reflect that such
powers need to be carefully delineated for application and ease of
understanding.

IV.	Resource Impact –  Minimal

The resource impact of implementing this policy is viewed as minimal.
Barring any unforeseen resource requirements, this policy could be
implemented within 30 – 90 days from the date of the ratification of the
policy by the ARIN Board of Trustees. Depending on the impact to RSD
this may require additional staff. It will require the following:

• Guidelines Changes
• Registration System Changes
• Staff training
• May increase RSD workload
• May increase turnaround times

Respectfully submitted,

Member Services
American Registry for Internet Numbers (ARIN)

##*##

Annex A

Policy Proposal 2007-14
Resource Review Process

Author: Owen DeLong, Stephen Sprunk

Date: 21 February 2008

Proposal type: modify

Policy term: permanent

Policy statement:

Add the following to the NRPM:

Resource Review

1. ARIN may review the current usage of any resources issued by ARIN to
an organization. The organization shall furnish whatever records are
necessary to perform this review.

2. ARIN may conduct such reviews:

a. when any new resource is requested,
b. whenever ARIN has cause to believe that the resources had originally
been obtained fraudulently, or c. at any other time without cause unless
a prior review has been completed in the preceding 24 months.

3. ARIN shall communicate the results of the review to the organization.

4. Organizations shown to be substantially out of compliance with
current ARIN policy shall return resources as needed to bring them into
(or reasonably close to) compliance.

4a. The extent to which an organization may remain out of compliance
shall be based on the best judgment of the ARIN staff and shall balance
the organizations utilization rate, available address pool, and other
factors as appropriate so as to avoid forcing returns which will result
in near-term additional requests or unnecessary route de- aggregation.

4b. To the extent possible, entire blocks should be returned. Partial
address blocks shall be returned in such a way that the portion retained
will comprise a single aggregate block.

5. If the organization does not voluntarily return resources as
required, ARIN may revoke any resources issued by ARIN as required to
bring the organization into overall compliance. ARIN shall follow the
same guidelines for revocation that are required for voluntary return in
the previous paragraph.

6. Except in cases of fraud, an organization shall be given a minimum of
six months to effect a return. ARIN shall negotiate a longer term with
the organization if ARIN believes the organization is working in good
faith to substantially restore compliance and has a valid need for
additional time to renumber out of the affected blocks.

7. ARIN shall continue to maintain the resource(s) while their return or
revocation is pending, except no new maintenance fees shall be assessed
for the resource(s).

8. Legacy resources in active use, regardless of utilization, are not
subject to revocation by ARIN. However, the utilization of legacy
resources shall be considered during a review to assess overall compliance.

9. In considering compliance with policies which allow a timeframe (such
as a requirement to assign some number of prefixes within 5 years)
failure to comply cannot be measured until after the timeframe specified
in the applicable policy has elapsed. Blocks subject to such a policy
shall be assumed in compliance with that policy until such time as the
specified time since issuance has elapsed.

Delete NRPM sections 4.1.2, 4.1.3, 4.1.4

Remove the sentence "In extreme cases, existing allocations may be
affected." from NRPM section 4.2.3.1.

Rationale:

ARIN feels that current policy does not give them the power to review or
reclaim resources except in cases of fraud, despite this being mentioned
in the Registration Services Agreement. This policy proposal provides
clear policy authority to do so, guidelines for how and under what
conditions it shall be done, and a guarantee of a (minimum) six- month
grace period so that the current user shall have time to renumber out of
any resources to be reclaimed.

The nature of the "review" is to be of the same form as is currently
done when an organization requests new resources, i.e. the documentation
required and standards should be the same.

The intent of paragraph 2c is to prevent ARIN from doing more than one
without-cause review in a 24 month period.

The renumbering period does not affect any "hold" period that ARIN may
apply after return or revocation of resources is complete.

The deleted sections/text would be redundant with the adoption of this
proposal.

Timetable for implementation: Immediate