[arin-ppml] Set aside round deux

Owen DeLong owen at delong.com
Thu Jul 29 15:13:47 EDT 2010 

On Jul 29, 2010, at 11:21 AM, William Herrin wrote:

> On Wed, Jul 28, 2010 at 6:09 PM, Owen DeLong <owen at delong.com> wrote:
>> Do you have any evidence that there are significant quantities of
>> non-legacy address space available to be reclaimed at the end of
>> an audit process? Even a basis for credible suspicion?
> 
> Hi Owen,
> 
> Didn't we hear an anecdote last week about someone who quit Verizon a
> decade ago but the addresses are still reassigned to them? Didn't one
> of the academics do a peer-reviewed study and a scan of the Internet
> last year with results suggesting (among other things) that about
> 2/3rds of the allocated address space is not employed on the public
> Internet?
> 
Not reachable by the methods employed in that study has nothing to
do with whether it is legitimately utilized or not. The problem is that
there are many many unreachable yet valid reasons to use IP address
space.

> Meaningful audits would be incredibly expensive and manpower
> intensive, no doubt about it. The odds of the POC for any given SWIP
> being correct, reachable, willing to talk and knowledgeable enough to
> confirm both their specific addresses and qualifications for that size
> of address bank is, well, not great. Working past that would be really
> hard. We could easily find that getting an accurate census requires
> sending someone into the field to knock on doors.
> 
Right.

> But let's not kid ourselves: there are plenty of credible reasons to
> believe there are lots of mislaid addresses waiting to be found. The
> question is whether finding them would be really expensive or
> impossibly expensive.
> 
I don't doubt that there are lots of mislaid addresses. I do doubt that
they are in meaningful chunks that can be recovered effectively.
I also think that the vast majority of them are legacy.

> 
> Even if expensive, I think there are a couple cases where thorough
> audits would serve the community well:
> 
> 1. Reports of fraud or undue carelessness. This should trigger a
> stochastic audit where a subset of the address space gets carefully
> checked to estimate the error rate. If the error rate looks high, give
> the registrant a chance to fix it and the do a new stochastic audit.
> If still high, proceed to a full audit.
> 
Absolutely... Obviously if you look at the draft policy I wrote for
required resource reviews as an expansion of NRPM section
12, you can see that I support doing auditing where it is reasonably
justified.

This one of the key reasons for a required resource review contained
in that draft policy.

> 2. Prior to receiving 4.10 addresses, the organization and its
> affiliates should complete a full audit, including their legacy
> address space. ARIN may or may not have any rights to an org's legacy
> address space, but we're certainly not obligated to give the org more
> addresses if it can't prove a cautious and thorough use of its
> existing addresses.
> 
Agreed. I'm happy to add a provision to 2010-11 that
specifies any application under NRPM 4.10 is subject to a
required resource review if there is community support to
do so. The fact that it isn't already in there was an oversight
on my part.

Owen

More information about the ARIN-PPML mailing list