[arin-ppml] SWIPs & IPv6

Ted Mittelstaedt tedm at ipinc.net
Wed Dec 2 15:43:51 EST 2009 

Lee Howard wrote:
> 
> 
> John Curran wrote:
>  > > Under this philosophical approach, what would ARIN's responsibilities
>  > >be with respect to an organization which files no SWIP's and runs no
>  > > rwhois service?
> 
> Ted responded:
>  > My $0.02 is that the current obligations are nothing. (assuming the org
>  > never again requests more numbering)
> 
> "No obligation" might mean not accepting requests to change POC data,
> or update ip6.arpa records, or maintaining their PPML subscription, or
> honoring their vote for Board and AC, or maintaining the uniqueness of
> their allocation, or retaining their WHOIS entry.   How far should ARIN
> not go?
> 
> Lee
> 

I was speaking of obligations with respect to SWIPS.

If the org continues to pay it's yearly fee then that is what continues
to guarantee uniqueness of their allocation.

THe problem is that (in my opinion) the language in the RSA on 
maintaining the accuracy of the Whois/RWhois data is far too "loose"

Here's the relevant section:

https://www.arin.net/resources/agreements/rsa.pdf

5b

Applicant is responsible for the timely
and accurate maintenance of directory services data (WHOIS), as well as 
data concerning
any organization to which it further sub-delegates number resources.

The problem as I see it is that this is so vague as to create a huge
loophole.  Suppose the org starts out in year 2010 with an IPv4
allocation that is 80% full.  Over the next decade they move their
customers to IPv6, and they move more of their new customers to IPv4 
NAT, so over the decade utilization of that IPv4 block falls to
60%.  Now, obviously there's going to be a lot of shifting around
of use WITHIN the IPv4 block they have - but lets say that the org
has a lot of admins in it that make mistakes and over the years
the SWIPS get more and more stale and obsolete.

Now, the problem here is that the org isn't DELIBERATELY going out
and violating section 5b, it's just accumulated mistakes.  At what
point does ARIN state the org is in violation of section 5b?  When
the error rate is .01%?  A strict reading of the RSA would say
that this would be the point - but no court in the land would
uphold civil action by ARIN against the org since it's not a
reasonable error rate - GAAP and GAS allow something like a .2%
error rate for corporate accounting filings, for example. So, the 
question becomes, at what point does the error rate no longer be "timely 
and accurate"?  Since this isn't accounting data, it's WHOIS data,
would GAAP/GAS even apply in a legal sense?

And the larger question is, what constitutes "maintenance of directory 
services data...data concerning any organization to which it further 
sub-delegates"

What if a sub-delegate org makes the ISP sign a form for the ISP to
act as the sub-delegates "agent", so the ISP replaces the sub-delegate
SWIP with one of it's own?  Under the law the ISP that does this is
considered "part" of the org so they can substitute SWIP data with
their own and remain within the "data concerning any organization to 
which it further sub-delegates" rule I think - yes that's skating a
bit on thin ice, but I've seen that argument used here before.

And furthermore, reread Section 5b, there's a gigantic loophole in
it that most people miss.  The way the section is worded, all the org
has to do is make sub-delegation information available to ARIN, and
NOT to the WHOIS database - the phrase

"as well as"

creates 2 clauses within that section, they are:

Applicant is responsible for the timely
and accurate maintenance of directory services data (WHOIS),

Applicant is responsible for the timely
and accurate maintenance of data concerning
any organization to which it further sub-delegates number resources.
[to the holder of the RSA< ie: ARIN]


To eliminate THAT loophole the section should be rewritten something
like:

Responsibility for Directory Services Data. Applicant is responsible for 
the timely and accurate maintenance of data within the directory service 
(WHOIS), including but not limited to it's POC's, any organization to 
which it further sub-delegates number resources, and other WHOIS data as
applicable...

(Obviously you would probably want to check with your lawyers as to
their opinion, but I think they would agree that section 5b is rather
weaker than the rest of the RSA)

Ted

More information about the ARIN-PPML mailing list