ARIN-PPML Message

[arin-ppml] Draft Policy 2010-11: Required Resource Reviews

Draft Policy 2010-11
Required Resource Reviews

On 15 July 2010 the ARIN Advisory Council (AC) selected "Required
Resource Reviews" as a draft policy for adoption discussion on the PPML
and at the Public Policy Meeting in Atlanta in October.

The draft was developed by the AC from policy proposal "117. Required
Resource Reviews". Per the Policy Development Process the AC submitted
text to ARIN for a staff and legal assessment prior to its selection as
a draft policy. Below the draft policy is the ARIN staff and legal
assessment, followed by the text that was submitted by the AC.

Draft Policy 2010-11 is below and can be found at:
https://www.arin.net/policy/proposals/2010_11.html

You are encouraged to discuss Draft Policy 2010-11 on the PPML prior to
the October Public Policy Meeting. Both the discussion on the list and
at the meeting will be used by the ARIN Advisory Council to determine
the community consensus for adopting this as policy.

The ARIN Policy Development Process can be found at:
https://www.arin.net/policy/pdp.html

Draft Policies and Proposals under discussion can be found at:
https://www.arin.net/policy/proposals/index.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)


## * ##


Draft Policy 2010-11
Required Resource Reviews

Version/Date: 20 July 2010

Policy statement:

Replace the text "under sections 4-6" in section 12, paragraph 7 with
"under paragraphs 12.4 through 12.6"

Add to section 12 the following text:

10. Except as provided below, resource reviews are conducted at the
discretion of the ARIN staff. In any of the circumstances mentioned
below, a resource review must be initiated by ARIN staff:

a. Report or discovery of an acquisition, merger, transfer, trade or
sale in which the infrastructure and customer base of a network move
from one organization to another organization, but, the applicable IP
resources are not transferred. In this case, the organization retaining
the IP resources must be reviewed. The organization receiving the
customers may also be reviewed at the discretion of the ARIN staff.

b. Upon receipt by ARIN of one or more credible reports of fraud or
abuse of an IP address block. Abuse shall be defined as use of the block
in violation of the RSA or other ARIN policies and shall not extend to
include general reports of host conduct which are not within ARIN's scope.

c. In the case where an organization wishes to act as recipient of
resources pursuant to a transfer under section 8.3, unless otherwise
prohibited by paragraph 12.2(c).

d. An organization which submits a request for additional resources when
more than 25% of their existing resources are obscured in SWIP or RWHOIS
pursuant to section 4.2.3.7.6 (residential customer privacy).

e. Other than as specified in 12.10(c), paragraph 12.2(c) does not
exempt organizations from the reviews required under section 12.10.

Rationale:

The first change is a minor correction which improves clarity and
consistency of the original policy without changing the meaning.

The addition of 12.10 (a) through (e) serves to create a set of
circumstances under which a resource review is required, rather than
optional and entirely at ARIN staff discretion.

The majority of early comments on this proposal focused on 12.10 (e).
Mostly it was confusion about the exact ramifications. This section will
cause ARIN to maintain greater scrutiny only in cases where a given ISP
issues more than 25% of their total space to residential customers who
wish to remain anonymous and receive network blocks of /29 or larger. To
the best of my knowledge, there are not currently any ISPs which meet
this criteria. Additionally, it would only apply that scrutiny to IPv4,
and will not carry forward into IPv6 residential assignments.

This policy should improve the compliance verification of ARIN policies
and may result in the improved reclamation of under-utilized IP address
space. It should also serve as a deterrent to certain address hoarding
tactics which have come to light in recent history.

Timetable for implementation: Immediately upon ratification by the Board


#####


STAFF ASSESSMENT

Proposal: (117) Required Resource Reviews
Proposal Version (Date): 07 July 2010
Date of Assessment:  14 July 2010

1. Proposal Summary (Staff Understanding)

This draft policy establishes new criteria to enact NRPM 12 resource
reviews. It requires ARIN staff to initiate resource reviews when M&A
activity occurs but IP addresses are not transferred to the acquirer;
when fraud or abuse is reported to ARIN, either about a specific IP
address range or about an OrgID; when any NRPM 8.3 transfer occurs; or
when staff are reviewing an additional IP address request and find that
more than a quarter of an OrgID's downstream SWIPs are covered under the
Residential Customer Privacy policy.

2. Comments

A. ARIN Staff Comments

•  This proposal could cause ARIN staff to conduct resource reviews on a
more frequent basis. Any prescription for prioritizing such reviews
could delay other important registration activities from being processed
in a timely manner.

B. ARIN General Counsel

Pending


3. Resource Impact

This policy would have moderate resource impact.  It is estimated that
implementation would occur within 6 months after ratification by the
ARIN Board of Trustees. The following would be needed in order to implement:

•  Resource reviews, audits, and fraud research require many man-hours.
  These new requirements to conduct audits on a much more regular basis
could necessitate hiring and training additional registration staff.
•  Changes to current business practices
•  Staff training
•  Updated guidelines


4. Proposal Text

Policy statement:

Replace the text "under sections 4-6" in section 12, paragraph 7 with
"under paragraphs 12.4 through 12.6"
Add to section 12 the following text:

10. Except as provided below, resource reviews are conducted at the
discretion of the ARIN staff. In any of the circumstances mentioned
below, a resource review must be initiated by ARIN staff:
a. Report or discovery of an acquisition, merger, transfer, trade or
sale in which the infrastructure and customer base of a network move
from one organization to another organization, but, the applicable IP
resources are not transferred. In this case, the organization retaining
the IP resources must be reviewed. The organization receiving the
customers may also be reviewed at the discretion of the ARIN staff.
b. Upon receipt by ARIN of one or more credible reports of fraud or
abuse of an IP address block. Abuse shall be defined as use of the block
in violation of the RSA or other ARIN policies and shall not extend to
include general reports of host conduct which are not within ARIN's scope.
c. In the case where an organization wishes to act as recipient of
resources pursuant to a transfer under section 8.3, unless otherwise
prohibited by paragraph 12.2(c).
d. An organization which submits a request for additional resources
when more than 25% of their existing resources are obscured in SWIP or
RWHOIS pursuant to section 4.2.3.7.6 (residential customer privacy).
e. Other than as specified in 12.10(c), paragraph 12.2(c) does not
exempt organizations from the reviews required under section 12.10.

Rationale:

The first change is a minor correction which improves clarity and
consistency of the original policy without changing the meaning.
The addition of 12.10 (a) through (e) serves to create a set of
circumstances under which a resource review is required, rather than
optional and entirely at ARIN staff discretion.

The majority of early comments on this proposal focused on 12.10 (e).
Mostly it was confusion about the exact ramifications. This section will
cause ARIN to maintain greater scrutiny only in cases where a given ISP
issues more than 25% of their total space to residential customers who
wish to remain anonymous and receive network blocks of /29 or larger. To
the best of my knowledge, there are not currently any ISPs which meet
this criteria. Additionally, it would only apply that scrutiny to IPv4,
and will not carry forward into IPv6 residential assignments.

This policy should improve the compliance verification of ARIN policies
and may result in the improved reclamation of under-utilized IP address
space. It should also serve as a deterrent to certain address hoarding
tactics which have come to light in recent history.