[arin-ppml] Draft Policy 2010-10 (Global Proposal):GlobalPolicy for IPv4 Allocations by the IANA Post Exhaustion- Last Call (textrevised)

[Stephen Sprunk]

On 05 Nov 2010 01:56, Owen DeLong wrote:
> On Nov 4, 2010, at 9:06 PM, Stephen Sprunk wrote:
>> On 02 Nov 2010 22:30, Ted Mittelstaedt wrote:
>>> I think that this is because ultimately the goal isn't to take
>>> legacy resources away that are IN USE.
>> IMHO, that depends on the degree of non-compliance.  I've worked with dozens of orgs with legacy space, and not a single one of them could even come close to justifying their space _that was in use_.
>>
>> However, I don't see any point in targeting orgs using their space inefficiently until we've dealt with all the ones (and I really do mean every last one that can be found) not using their space _at all_.
> IMHO, targeting legacy holders for non-compliance with today's ARIN policies is dubious at best.

I understand there are differences of opinion here; more on that below.

> I agree we should seek to actively reclaim abandoned resources (resources where the ORG no longer exists). I think we should possibly reach out and request that ORGs no longer using their legacy resources voluntarily return them.

I think we all agree on this much, which is why it seems a rather
obvious first step.  Once this is underway, we can debate what (if
anything) can/should be done about the other group.

>>> Ultimately the goal should be to take legacy resources away that are either being hoarded, or are abandoned.
>> "Hoarded" is a loaded term, and it's difficult to prove someone's doing it.  "Justified" is easily determined, though, since we _already_ have dozens of pages of policy describing exactly what that means.
> What we don't have is any form of agreement by the legacy holders that the ARIN definition of justified applies to them.

OTOH, absent an LRSA, there is no formal agreement that it doesn't.

> Non-signatories to the LRSA are, thus, in an uncertain area. Signatories of the LRSA are clearly protected from current and future ARIN policies in this regard.

Yes, that's an excellent carrot for folks to sign the LRSA.  We disagree
only about the stick.

I don't like using sticks, but eventually we're going to run out of
folks that are interested in the carrot.

>>> Rubbish. If ARIN takes over an abandoned Legacy resource then since
>>> it is abandoned, the original org that had it cannot suffer damages,
>>> and since it hasn't suffered damages, it has no standing to sue in
>>> court.
>>>
>>> The problem is that since the original Legacy holder did NOT ever
>>> sign an agreement with ARIN then ARIN has no contractual
>>> justification to take over an abandoned Legacy assignment even if
>>> they know it's unused,
>> AFAICT, if the registrant does not have a contract (i.e. RSA or LRSA) with ARIN for registry services, ARIN has no obligation to continue providing them, especially for free.  There are many who feel ARIN has a _moral_ obligation to do so, but that's not a matter for the courts.
> I agree that ARIN has a moral obligation to legacy holders.

I agree ARIN has some sort of moral obligation to provide services, but
that is in direct conflict with ARIN's charter to act as steward for the
entire community.

I was willing to accept granting special privileges to _all_ legacy
holders prior to the LRSA being made available; now that it is, though,
I'm reluctant to accept continuing to grant those same special
privileges to those who do not sign.

> I am uncertain about what legal obligations ARIN has to legacy holders.

We've been told in the past we should make policy we think is "right"
for the community and let ARIN's counsel inform us if there are legal
problems with our proposals.

Counsel rarely participates in policy discussions prior to a formal
proposal being on the table, so a bit of armchair lawyering is probably
unavoidable, but it shouldn't dominate the discussion.

> I think that involuntary reclamation of legacy resources or "termination of services" to legacy holders is contrary to ARIN's best interests.

I disagree.

> I think that going beyond "termination of services" to the step of placing resources back into the free pool and issuing them to other organizations would be outright counter-productive for all concerned (except in the case of clear abandonment).

It depends on the legal explanation of exactly what it is ARIN does.  At
the end of the day, the "resources" that ARIN "issues" to registrants
are merely entries in WHOIS and rDNS.  ARIN cannot actually issue
numbers to (or take them away from) registrants because numbers
themselves cannot be owned, leased, etc.

I do not see a significant difference between removing a non-paying
registrant's entries from WHOIS/rDNS and replacing them with a paying
registrant's entries that happen to have the same or similar numbers. 
And, frankly, if we don't do the latter, what's the point in the
former?  Marking a bunch of space as "permanently unavailable"
accomplishes little.

>>> because so far the community has not given ARIN permission to do this via policy in the NRPM.
>> That all depends on how one interprets NRPM 12.8.
>>
>> IMHO, ARIN _already_ had the power to apply policy to legacy space or revoke it entirely, and therefore NRPM 12 actually _limits_ how ARIN may do so, as it does for non-legacy resources.
> Where did this power come from? For non-legacy holders, it comes from
> the RSA which is a binding contract between the resource holder and ARIN
> which entitles ARIN to revoke resources according to the NRPM.
>
> There is no document anywhere that I know of which gives ARIN any such authority to revoke legacy resources based on current ARIN policy where it differs from the policies in effect under which the legacy resources were issued.

I forget the original Latin, but there's a famous legal principle that
"what is not illegal must be legal".

ARIN can add or remove any WHOIS/rDNS entry it wishes unless restricted
by policy or by a contract, i.e. an RSA or LRSA.  IOW, since non-LRSA
legacy holders have no contract restricting what ARIN does, they have no
(legal) standing to complain if ARIN decides to stop providing them
unpaid, uncontracted registry services--just like a homeless person has
no (legal) standing to complain if a shelter decides to stop giving them
free meals.  That's purely a moral issue.

>> Wrong. ARIN would need to follow the procedure in NRPM 12, which
>> governs _all_ reclamation activities.
>>
>> However, if all the POCs are unresponsive, then presumably they will
>> not respond with justification as required in 12.1, they will not
>> voluntarily return the resource(s) as required in 12.4, and
>> eventually ARIN can revoke the resource(s) under 12.5.
> Presumably the later stages of POC validation would include the notices
> required under 12.1 such that by the time the POCs were marked invalid,
> we would have at least completed the 12.4 waiting period as well, thus
> making 12.5 effective pretty much as described above.

That would be convenient.

>> One can address most of those by having other processes that add to the same list of resources to be reviewed.  For instance, one might consider a resource not appearing in the DFZ to be a sign of probable non-compliance which triggers a review.  Or resources which have not been updated in the last N years.  Or not having valid rDNS servers.  If the review concludes they're valid, the registrant has 24 months before they have to worry about being hassled again.
> There are specific policies allowing for non-connected networks and always have been. Why would the fact that a resource does not appear in one particular view (or even several views) of the DFZ be considered a sign of probable non-compliance? As to update cycle, some organizations
> are actually extremely stable. ... When did maintaining valid rDNS become a requirement even for a non-legacy holder? I can't find that requirement anywhere in the NRPM.

Those are merely possible reasons to put someone into the review queue. 
If it turns out their use is justified (or close to it), no action will
be taken against them and they're exempt from another without-cause
review for 24 months.

This is _precisely_ why I put that clause in 2007-14: to clarify that
ARIN could review resources that _appeared_ to be unjustified without
needing a priori proof of such.  The remainder of 2007-14 is there to
make sure that, when ARIN makes use of this power, the registrant is
protected.  I believe that ARIN has _always_ had this power, but the
response to an ACSP suggestion of mine indicated that ARIN was
uncomfortable wielding that power without explicit policy supporting it.

> What value of N would you propose? 5? 10? 15?

I would propose N=15 to start with, reducing over time as this
particular method ran out of folks to review.  I don't think it'd be
wise to go below N=5.

>> Yes, a sufficiently cagey registrant may be able to avoid all of our heuristics, but most won't even try to.  It's reasonable to lose a battle to a skilled and dedicated opponent; it's absolutely indefensible to surrender a battle when your opponent doesn't even show up, which is where we are right now.  Let's fix the latter problem before we worry about the former.
> When did this shift from stewardship to seeking battles with legacy
> holders? That certainly was not my intent in NRPM 12.

It's a metaphor.

>> I don't think that "mining" IPv4 blocks for reclamation will have any
>> meaningful effect on runout, but I still think it's worthwhile for
>> several other reasons.
> I understand the "other reasons" for reclamation of abandoned resources.
> They're a good target for abuse.

Agreed, and IMHO that's a good enough reason by itself.

> What reasons do you have for actively seeking to reclaim legacy resources that are not abandoned ... ?

Primarily, it is the moral obligation we have to the _entire community_
to act as stewards in an impartial manner, and IMHO that overrides any
moral obligation we have to individual registrants--particularly ones
that refuse to participate in the community or take advantage of the
(exceedingly generous, IMHO) terms that the LRSA offers.

Also, I am concerned about the complaints (and potential legal action)
ARIN will face if we start actively reclaiming non-legacy resources but
do not attempt to reclaim (non-LRSA) legacy resources.  Worse, showing
irresponsibility here may justify attempts by others to impose
governmental (i.e. ITU) interference or end community-based governance
entirely.

S

-- 
Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3646 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20101105/84f0518c/attachment.p7s>