ARIN-PPML Message

[arin-ppml] Policy Proposal 2007-14 - Staff Assessment

Policy Proposal 2007-14
Title: Resource Review Process
Revised: 6 October 2008
Assessment: 8 October 2008

ARIN Staff Assessment

The assessment of this proposal includes comments from ARIN staff and
the ARIN General Counsel. It contains analysis of procedural, legal, and
resource concerns regarding the implementation of this policy proposal
as it is currently stated. Any changes to the language of the proposal
may necessitate further analysis by staff and Counsel.

I. Proposal

Policy Proposal is available below and at:
http://www.arin.net/policy/proposals/2007_14.html

II. Proposal Summary

This policy proposal provides clear policy authority to audit or reclaim
resources, guidelines for how it shall be done, and a guarantee of a
(minimum) six-month grace period so that the current user shall have
time to stop using any resources that will be reclaimed due to
non-compliance.

III. Comments

A. ARIN Staff

1. Section 2c does not reconcile with the RSA, which grants ARIN
authority to request any data necessary and does not specify any sort of
limitation to frequency.

2. Section 3 requires staff to share the results of an audit of an
organization’s resources. Staff often reviews an organization’s
transaction history and resources during fraud or suspicious activity
investigations and feels that it is not always prudent to share those
results.

3. Section 4b uses the term “single aggregate block.” Does this refer to
a single CIDR prefix, or to “a contiguous range of addresses”?

4. Section 7 states that “no new maintenance fees will be assessed”
while a return or revocation of resources is pending. Fee discussions
are not policy and should be considered separately.

B. ARIN General Counsel

This policy seeks to codify and define those instances where ARIN has
the right to demand data, or seeks to terminate and revoke resources
previously granted. It will guide ARIN, and any reviewing arbitration
required to evaluate a resulting dispute, or revocation, or refusal to
provide data. Writing down the terms of such policies and authorities
may provide greater clarity as well as support for ARIN's application of
such policies. However, this writing can become a serious legal concern
if the language is not carefully constructed or conflicts with the RSA.
Counsel shared some of these concerns with the authors. To date, counsel
has significant legal concerns regarding paragraphs 7 and 8 of the
current draft. Paragraph 7 is a broad and ambiguous description which
could contradict rights and obligations in 12,000 current RSAs.
Paragraph 8 contains ambiguous language that is potentially overbroad
that addresses legally hazardous rights. Both need careful review.

7. ARIN shall continue to maintain the resource(s) while their return or
revocation is pending, except any maintenance fees assessed during that
period shall be calculated as if the return or revocation was complete.

In Section 8, replace the first sentence, “ARIN will not reclaim or
revoke Legacy resources in active use, regardless of utilization” with
“This policy does not create any additional authority for ARIN to revoke
legacy address space.”

IV. Resource Impact – Minimal

The resource impact of implementing this policy is viewed as minimal.
Barring any unforeseen resource requirements, this policy could be
implemented within 30 – 90 days from the date of the ratification of the
policy by the ARIN Board of Trustees. Depending on the impact to RSD
this may require additional staff. It will require the following:

    * Guidelines Changes
    * Registration System Changes
    * Staff training
    * May increase RSD workload which could slow down response times

Regards,

Member Services
American Registry for Internet Numbers (ARIN)


#####


Policy Proposal 2007-14
Resource Review Process

Author: Owen DeLong, Stephen Sprunk

Proposal Version: 3.1

Date: 6 October 2008

Proposal type: modify

Policy term: permanent

Policy statement:

Add the following to the NRPM:

Resource Review

1. ARIN may review the current usage of any resources maintained in the
ARIN database. The organization shall cooperate with any request from
ARIN for reasonable related documentation.

2. ARIN may conduct such reviews:

a. when any new resource is requested,

b. whenever ARIN has reason to believe that the resources were
originally obtained fraudulently or in contravention of existing policy, or

c. at any other time without having to establish cause unless a prior
review has been completed in the preceding 24 months.

3. ARIN shall communicate the results of the review to the organization.

4. Organizations found by ARIN to be materially out of compliance with
current ARIN policy shall be requested or required to return resources
as needed to bring them into (or reasonably close to) compliance.

4a. The degree to which an organization may remain out of compliance
shall be based on the reasonable judgment of the ARIN staff and shall
balance all facts known, including the organization’s utilization rate,
available address pool, and other factors as appropriate so as to avoid
forcing returns which will result in near-term additional requests or
unnecessary route de-aggregation.

4b. To the extent possible, entire blocks should be returned. Partial
address blocks shall be returned in such a way that the portion retained
will comprise a single aggregate block.

5. If the organization does not voluntarily return resources as
requested, ARIN may revoke any resources issued by ARIN as required to
bring the organization into overall compliance. ARIN shall follow the
same guidelines for revocation that are required for voluntary return in
the previous paragraph.

6. Except in cases of fraud, or violations of policy, an organization
shall be given a minimum of six months to effect a return. ARIN shall
negotiate a longer term with the organization if ARIN believes the
organization is working in good faith to substantially restore
compliance and has a valid need for additional time to renumber out of
the affected blocks.

7. ARIN shall continue to provide services for the resource(s) while
their return or revocation is pending, however, any maintenance fees
assessed during that period shall be calculated as if the return or
revocation was complete.

8. ARIN will not reclaim or revoke Legacy resources in active use,
regardless of utilization. However, the utilization of legacy resources
shall be considered during a review to assess overall compliance.

9. In considering compliance with policies which allow a timeframe (such
as a requirement to assign some number of prefixes within 5 years),
failure to comply cannot be measured until after the timeframe specified
in the applicable policy has elapsed. Blocks subject to such a policy
shall be assumed in compliance with that policy until such time as the
specified time since issuance has elapsed.

Delete NRPM sections 4.1.2, 4.1.3, 4.1.4

Remove the sentence "In extreme cases, existing allocations may be
affected." from NRPM section 4.2.3.1.

Rationale:

Under current policy and existing RSAs, ARIN has an unlimited authority
to audit or review a resource holder's utilization for compliance at any
time and no requirement to communicate the results of any such review to
the resource holder.

This policy attempts to balance the needs of the community and the
potential for abuse of process by ARIN in a way that better clarifies
the purpose, scope, and capabilities of ARIN and codifies some
appropriate protections for resource holders while still preserving the
ability for ARIN to address cases of fraud and abuse on an expedited basis.

The intended nature of the review is to be no more invasive than what
usually happens when an organization applies for additional resources.
Additionally, paragraph 2c prevents ARIN from doing excessive
without-cause reviews.

The authors believe that this update addresses the majority of the
feedback received from the community to date and addresses most of the
concerns expressed.