[arin-ppml] Draft Policy 2010-11: Required Resource Reviews

George, Wes E IV [NTK] Wesley.E.George at sprint.com
Wed Jul 28 16:30:13 EDT 2010


I support this proposal, with the exception of item d, which I believe needs to be reworded.

The rationale (which refers to it as section E) makes sense to me, but I don't think that the wording stands on its own to convey that intent. It's too easy to misinterpret. A reference simply to 4.2.3.7.6 does not clarify this enough in my opinion, and should also include references to 4.2.3.7.2 and 4.2.3.7.5, possibly even explicitly stating "larger than /29" so that it's much clearer that you're referring specifically to closing a loophole (allocations larger than /29 for privacy as a means to hide/hoard addresses) without dramatically increasing the likelihood of audit for ISPs whose primary customers are residential.

Thanks,
Wes George
-----Original Message-----

Draft Policy 2010-11
Required Resource Reviews

Version/Date: 20 July 2010

Policy statement:

Replace the text "under sections 4-6" in section 12, paragraph 7 with
"under paragraphs 12.4 through 12.6"

Add to section 12 the following text:

10. Except as provided below, resource reviews are conducted at the
discretion of the ARIN staff. In any of the circumstances mentioned
below, a resource review must be initiated by ARIN staff:

a. Report or discovery of an acquisition, merger, transfer, trade or
sale in which the infrastructure and customer base of a network move
from one organization to another organization, but, the applicable IP
resources are not transferred. In this case, the organization retaining
the IP resources must be reviewed. The organization receiving the
customers may also be reviewed at the discretion of the ARIN staff.

b. Upon receipt by ARIN of one or more credible reports of fraud or
abuse of an IP address block. Abuse shall be defined as use of the block
in violation of the RSA or other ARIN policies and shall not extend to
include general reports of host conduct which are not within ARIN's scope.

c. In the case where an organization wishes to act as recipient of
resources pursuant to a transfer under section 8.3, unless otherwise
prohibited by paragraph 12.2(c).

d. An organization which submits a request for additional resources when
more than 25% of their existing resources are obscured in SWIP or RWHOIS
pursuant to section 4.2.3.7.6 (residential customer privacy).

e. Other than as specified in 12.10(c), paragraph 12.2(c) does not
exempt organizations from the reviews required under section 12.10.

Rationale:

The first change is a minor correction which improves clarity and
consistency of the original policy without changing the meaning.

The addition of 12.10 (a) through (e) serves to create a set of
circumstances under which a resource review is required, rather than
optional and entirely at ARIN staff discretion.

The majority of early comments on this proposal focused on 12.10 (e).
Mostly it was confusion about the exact ramifications. This section will
cause ARIN to maintain greater scrutiny only in cases where a given ISP
issues more than 25% of their total space to residential customers who
wish to remain anonymous and receive network blocks of /29 or larger. To
the best of my knowledge, there are not currently any ISPs which meet
this criteria. Additionally, it would only apply that scrutiny to IPv4,
and will not carry forward into IPv6 residential assignments.

This policy should improve the compliance verification of ARIN policies
and may result in the improved reclamation of under-utilized IP address
space. It should also serve as a deterrent to certain address hoarding
tactics which have come to light in recent history.

Timetable for implementation: Immediately upon ratification by the Board


#####


STAFF ASSESSMENT

Proposal: (117) Required Resource Reviews
Proposal Version (Date): 07 July 2010
Date of Assessment:  14 July 2010

1. Proposal Summary (Staff Understanding)

This draft policy establishes new criteria to enact NRPM 12 resource
reviews. It requires ARIN staff to initiate resource reviews when M&A
activity occurs but IP addresses are not transferred to the acquirer;
when fraud or abuse is reported to ARIN, either about a specific IP
address range or about an OrgID; when any NRPM 8.3 transfer occurs; or
when staff are reviewing an additional IP address request and find that
more than a quarter of an OrgID's downstream SWIPs are covered under the
Residential Customer Privacy policy.

2. Comments

A. ARIN Staff Comments

*  This proposal could cause ARIN staff to conduct resource reviews on a
more frequent basis. Any prescription for prioritizing such reviews
could delay other important registration activities from being processed
in a timely manner.

B. ARIN General Counsel

Pending


3. Resource Impact

This policy would have moderate resource impact.  It is estimated that
implementation would occur within 6 months after ratification by the
ARIN Board of Trustees. The following would be needed in order to implement:

*  Resource reviews, audits, and fraud research require many man-hours.
  These new requirements to conduct audits on a much more regular basis
could necessitate hiring and training additional registration staff.
*  Changes to current business practices
*  Staff training
*  Updated guidelines


4. Proposal Text

Policy statement:

Replace the text "under sections 4-6" in section 12, paragraph 7 with
"under paragraphs 12.4 through 12.6"
Add to section 12 the following text:

10. Except as provided below, resource reviews are conducted at the
discretion of the ARIN staff. In any of the circumstances mentioned
below, a resource review must be initiated by ARIN staff:
a. Report or discovery of an acquisition, merger, transfer, trade or
sale in which the infrastructure and customer base of a network move
from one organization to another organization, but, the applicable IP
resources are not transferred. In this case, the organization retaining
the IP resources must be reviewed. The organization receiving the
customers may also be reviewed at the discretion of the ARIN staff.
b. Upon receipt by ARIN of one or more credible reports of fraud or
abuse of an IP address block. Abuse shall be defined as use of the block
in violation of the RSA or other ARIN policies and shall not extend to
include general reports of host conduct which are not within ARIN's scope.
c. In the case where an organization wishes to act as recipient of
resources pursuant to a transfer under section 8.3, unless otherwise
prohibited by paragraph 12.2(c).
d. An organization which submits a request for additional resources
when more than 25% of their existing resources are obscured in SWIP or
RWHOIS pursuant to section 4.2.3.7.6 (residential customer privacy).
e. Other than as specified in 12.10(c), paragraph 12.2(c) does not
exempt organizations from the reviews required under section 12.10.

Rationale:

The first change is a minor correction which improves clarity and
consistency of the original policy without changing the meaning.
The addition of 12.10 (a) through (e) serves to create a set of
circumstances under which a resource review is required, rather than
optional and entirely at ARIN staff discretion.

The majority of early comments on this proposal focused on 12.10 (e).
Mostly it was confusion about the exact ramifications. This section will
cause ARIN to maintain greater scrutiny only in cases where a given ISP
issues more than 25% of their total space to residential customers who
wish to remain anonymous and receive network blocks of /29 or larger. To
the best of my knowledge, there are not currently any ISPs which meet
this criteria. Additionally, it would only apply that scrutiny to IPv4,
and will not carry forward into IPv6 residential assignments.

This policy should improve the compliance verification of ARIN policies
and may result in the improved reclamation of under-utilized IP address
space. It should also serve as a deterrent to certain address hoarding
tactics which have come to light in recent history.






_______________________________________________
PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-ppml
Please contact info at arin.net if you experience any issues.


This e-mail may contain Sprint Nextel Company proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.




More information about the ARIN-PPML mailing list