ARIN-PPML Message

[arin-ppml] Draft Policy 2010-10 (Global Proposal):GlobalPolicy for IPv4 Allocations by the IANA Post Exhaustion- Last Call (textrevised)

On Nov 6, 2010, at 11:20 AM, Stephen Sprunk wrote:

> On 06 Nov 2010 04:08, Owen DeLong wrote:
>> On Nov 5, 2010, at 9:25 AM, Stephen Sprunk wrote:
>>> On 05 Nov 2010 01:56, Owen DeLong wrote:
>>>> On Nov 4, 2010, at 9:06 PM, Stephen Sprunk wrote:
>>>>> On 02 Nov 2010 22:30, Ted Mittelstaedt wrote:
>>>>>> Ultimately the goal should be to take legacy resources away that
>>>>>> are either being hoarded, or are abandoned.
>>>>> "Hoarded" is a loaded term, and it's difficult to prove someone's
>>>>> doing it.  "Justified" is easily determined, though, since we
>>>>> _already_ have dozens of pages of policy describing exactly what
>>>>> that means.
>>>> What we don't have is any form of agreement by the legacy holders
>>>> that the ARIN definition of justified applies to them.
>>> 
>>> OTOH, absent an LRSA, there is no formal agreement that it doesn't.
>>> 
>> 
>> Uh, generally it's pretty hard to claim that a contract is binding on
>> an opt-out basis.
>> 
>> I can't just make up a contract and then say you are subject to it's
>> terms just because you don't have a contract that says otherwise.
> 
> A homeless shelter is quite certainly free to dictate people wear shoes
> in order to get a free meal.
> 
Yes, but, once you had a man that isn't wearing shoes a meal, you
can't then take the meal back because you now require shoes.

>>>> Non-signatories to the LRSA are, thus, in an uncertain area.
>>>> Signatories of the LRSA are clearly protected from current and
>>>> future ARIN policies in this regard.
>>> 
>>> Yes, that's an excellent carrot for folks to sign the LRSA.  We
>>> disagree only about the stick.
>>> 
>>> I don't like using sticks, but eventually we're going to run out of
>>> folks that are interested in the carrot.
>>> 
>> 
>> So? I really don't see the problem with leaving them alone to do their
>> own thing. I'd rather see them join the community, but, I simply don't
>> see any valid argument for attempting to do so by force.
> 
> There are several problems.  The most relevant to this discussion is
> that, without regular contact (e.g. via annual dues), it is difficult to
> keep information in WHOIS current and it's much easier for fraudsters to
> steal resources.
> 
Which is why I advocate annual contact and marking of unresponsive
contacts. That should make it possible to solve the theft problems
through filtration.

>>> I was willing to accept granting special privileges to _all_ legacy
>>> holders prior to the LRSA being made available; now that it is,
>>> though, I'm reluctant to accept continuing to grant those same
>>> special privileges to those who do not sign.
>>> 
>> First, I don't agree with your use of the term "special privileges".
> 
> You don't think that being exempt from revocation or having limits on
> fee increases (or no fees at all, if one doesn't sign an LRSA) qualify
> as "special privileges"?  How does someone with an RSA get those terms?
> 
No, I do not. I think they are the existing T&Cs of yesteryear.

There are lots of examples of T&Cs given to people in the past that are
not available to new customers. For example, if you have an AT&T
unlimited plan for your iPhone or iPad, you are on different T&Cs than
anyone can get with new service today.

Would you call people on unlimited plans "people with special privileges"?
I wouldn't.

>> Second, I really don't think legacy holders are a major problem and I
>> don't see the point in pursuing them with pitchforks and torches just
>> because they choose not to join the ARIN community.
> 
> I don't think pitchforks and torches are necessary, but I do think _at
> minimum_ ARIN owes the community some due diligence to make sure WHOIS
> is correct.
> 
Agreed. However, it appears that your definition of due diligence has
some elements in common with my definition of pitchforks and torches.

>>>> I think that involuntary reclamation of legacy resources or
>>>> "termination of services" to legacy holders is contrary to ARIN's
>>>> best interests.
>>> 
>>> I disagree.
>>> 
>> 
>> And you are free to do so.
>> 
>> Care to back that up with what ARIN possibly gains by doing so other
>> than litigation expenses?
> 
> First, a stick would get more legacy holders to sign the LRSA--or
> perhaps even an RSA.  Second, I believe a significant amount of
> abandoned or unused resources would be discovered and reclaimed.  Both
> outcomes benefit the community.
> 
Sticks can accomplish lots of things. However, the question isn't whether
or not it is possible to get signatures using a stick. The question is whether
or not it is valid to use a stick.

Information can be obtained through torture or "enhanced interrogation
techniques". Often it isn't reliable information, but, that's a digression.
The real question is whether or not it is appropriate to use torture
or "enhanced interrogation techniques" to obtain information regardless
of quality.

I don't support "enhanced interrogation techniques" and I think it would
not be correct to use sticks here, either.

>>>> I think that going beyond "termination of services" to the step of
>>>> placing resources back into the free pool and issuing them to other
>>>> organizations would be outright counter-productive for all concerned
>>>> (except in the case of clear abandonment).
>>> 
>>> It depends on the legal explanation of exactly what it is ARIN does.
>>> At the end of the day, the "resources" that ARIN "issues" to
>>> registrants are merely entries in WHOIS and rDNS.  ARIN cannot
>>> actually issue numbers to (or take them away from) registrants
>>> because numbers themselves cannot be owned, leased, etc.
>>> 
>> 
>> Yep.
> 
> If you can agree to that explanation, I don't see how you can continue
> to hold the position that you do.
> 
It's really not that hard.

>>> I do not see a significant difference between removing a non-paying
>>> registrant's entries from WHOIS/rDNS and replacing them with a paying
>>> registrant's entries that happen to have the same or similar
>>> numbers.  And, frankly, if we don't do the latter, what's the point
>>> in the former?  Marking a bunch of space as "permanently unavailable"
>>> accomplishes little.
>>> 
>> 
>> It makes it easy to filter it out so it doesn't get hijacked.
> 
> Okay, that's of benefit.
> 
>> Besides who said anything about permanently unavailable. The space is
>> either held by an organization or it isn't.  If we can't findthe
>> organization, we record that fact and make it visible. Eventually,
>> either we find out for sure that the organization is defunct, or, we
>> find out that they do still exist. In the former case, resources can
>> be reclaimed. In the latter case, they cannot.
> 
> Based on John Curran's recent messages, it is very difficult and
> time-consuming to reliably determine that a company is defunct.  Given
> ARIN's demonstrated unwillingness to take on work that policy doesn't
> explicitly require them to take, the likely result is that space would
> forever be "temporarily" unavailable.
> 
Which I don't see as a particular problem as long as it is at least marked
that way.

1.	Recovering the space isn't of any particular benefit to the community.

2.	Having legacy holders that are using the space able to continue doing
	so is of benefit and is our moral obligation IMHO.

3.	Identifying blocks which are in disuse or have invalid contact information
	and making the community aware of blocks with that status is of benefit
	to the community.

Re-issuing the space to someone else absent definite knowledge that
it is no longer in legitimate use for its original purpose is going beyond
3 to achieve 1 to the detriment of 2.

>> I'm just saying we shouldn't reclaim resources until we are certain
>> that the organization no longer exists.
> 
> In contrast, I think we should reclaim resources if we cannot, after a
> reasonable amount of effort, determine the registrant still exists _and_
> either is still using those resources or is willing to sign an LRSA.
> 
Yes... I understood that before. I still disagree with you, as I have
restated above.

>>>> There is no document anywhere that I know of which gives ARIN any
>>>> such authority to revoke legacy resources based on current ARIN
>>>> policy where it differs from the policies in effect under which the
>>>> legacy resources were issued.
>>> 
>>> I forget the original Latin, but there's a famous legal principle
>>> that "what is not illegal must be legal".
>> 
>> It is illegal to enforce terms of a contract against a non-signatory.
> 
> Yes, but I don't see the relevance of that statement.
> 
What you are proposing isn't something that is legal because it isn't
illegal. What you are proposing is attempting to enforce terms of a
contract that doesn't exist against an organization that never
agreed to the non-existant contract in the first place.

>>> ARIN can add or remove any WHOIS/rDNS entry it wishes unless
>>> restricted by policy or by a contract, i.e. an RSA or LRSA.  IOW,
>>> since non-LRSA legacy holders have no contract restricting what ARIN
>>> does, they have no (legal) standing to complain if ARIN decides to
>>> stop providing them unpaid, uncontracted registry services--just like
>>> a homeless person has no (legal) standing to complain if a shelter
>>> decides to stop giving them free meals.  That's purely a moral issue.
>>> 
>> 
>> That's an interesting theory, but, I doubt that as the successor
>> registry to registries that granted the registrations to organizations
>> on very different terms with no contract stating that the terms could
>> be subsequently changed without agreement, ARIN would actually have as
>> good a standing as you
>> claim in that situation.
> 
> ARIN only inherited an obligation to provide services gratis and in
> perpetuity if its predecessors actually contracted with registrants to
> do so _and_ ARIN is their legal successor in interest.  I'm fairly sure
> the latter is true, but I'm almost certain the former is not.
> 
It's very gray, but, whether there is a written contract or not, certainly,
at the time the resources were issued, it was the standard policy
and expectation that whois, in-addr, and registration services would
be performed by the registry gratis in perpetuity.

> A contract is only valid if there is an exchange of "consideration"
> (usually goods or services in one direction and money in the other).  If
> I promise you a free meal tomorrow but fail to provide one, you _cannot_
> sue me for breach of contract because you paid no "consideration" for my
> promise and therefore it was not a valid contract.
> 
The exchange required does not have to be direct. There are many
instances where contracts create third-party rights and/or obligations.

In this case, the USDoD, DARPA, and USDoC have provided consideration
and a contract to the predecessor registries to operate the services.
Legacy holders are a third-party obligation of those contracts.

>>>>> One can address most of those by having other processes that add to
>>>>> the same list of resources to be reviewed.  For instance, one might
>>>>> consider a resource not appearing in the DFZ to be a sign of
>>>>> probable non-compliance which triggers a review.  Or resources
>>>>> which have not been updated in the last N years.  Or not having
>>>>> valid rDNS servers.  If the review concludes they're valid, the
>>>>> registrant has 24 months before they have to worry about being
>>>>> hassled again.
>>>> There are specific policies allowing for non-connected networks and
>>>> always have been. Why would the fact that a resource does not appear
>>>> in one particular view (or even several views) of the DFZ be
>>>> considered a sign of probable non-compliance? As to update cycle,
>>>> some organizations are actually extremely stable. ... When did
>>>> maintaining valid rDNS become a requirement even for a non-legacy
>>>> holder? I can't find that requirement anywhere in the NRPM.
>>> 
>>> Those are merely possible reasons to put someone into the review
>>> queue.  If it turns out their use is justified (or close to it), no
>>> action will be taken against them and they're exempt from another
>>> without-cause review for 24 months.
>>> 
>>> This is _precisely_ why I put that clause in 2007-14: to clarify that
>>> ARIN could review resources that _appeared_ to be unjustified without
>>> needing a priori proof of such.  The remainder of 2007-14 is there to
>>> make sure that, when ARIN makes use of this power, the registrant is
>>> protected.  I believe that ARIN has _always_ had this power, but the
>>> response to an ACSP suggestion of mine indicated that ARIN was
>>> uncomfortable wielding that power without explicit policy supporting it.
>>> 
>> 
>> I'm saying that going after all or even some random number of
>> resources on that basis is a dubious set of selection criteria at best
>> and seems rather arbitrary to me.
> 
> If I see an elderly lady down the street from me tending her garden
> every day for years, but then a few days go by without any sign of her
> and there's an awful smell coming from her house, it's not unreasonable
> for the police to enter and check to make sure she's still alive.  If it
> turns out she's fine, no harm was done.
> 
Sure... But, what you are proposing is that if the police don't find her
and don't find a body, they should let you sell her house.

That's where we are disagreeing. I'm all for ARIN contacting the POCs,
flagging the resources as potentially abandoned if there's no old
lady and no corpse. Where we disagree is when it comes to selling
her house if we can't find her.

>>>>> Yes, a sufficiently cagey registrant may be able to avoid all of
>>>>> our heuristics, but most won't even try to.  It's reasonable to
>>>>> lose a battle to a skilled and dedicated opponent; it's absolutely
>>>>> indefensible to surrender a battle when your opponent doesn't even
>>>>> show up, which is where we are right now.  Let's fix the latter
>>>>> problem before we worry about the former.
>>>> When did this shift from stewardship to seeking battles with legacy
>>>> holders? That certainly was not my intent in NRPM 12.
>>> 
>>> It's a metaphor.
>> 
>> It doesn't sound like one. It sounds like an attempt to go after
>> legacy holders just because they didn't sign the LRSA. I don't think
>> that's right.
> 
> Regardless of how you may have interpreted, it was a metaphor.
> 
> And, for the record, I'd like to see LRSA signatories reviewed as well. 
> We can't revoke their space, but it's useful for the community to
> understand exactly what it is we're sanctioning so that we can decide if
> it's a good idea to continue offering the LRSA.
> 
I have no problem with reviewing LRSA signatories so long as we
stick to our contractual obligations and don't attempt to revoke their
space.

>>>> What reasons do you have for actively seeking to reclaim legacy
>>>> resources that are not abandoned ... ?
>>> 
>>> Primarily, it is the moral obligation we have to the _entire
>>> community_ to act as stewards in an impartial manner, and IMHO that
>>> overrides any moral obligation we have to individual
>>> registrants--particularly ones that refuse to participate in the
>>> community or take advantage of the (exceedingly generous, IMHO) terms
>>> that the LRSA offers.
>> 
>> I think that mis-characterizes the situation. Legacy holders received
>> their resources under a different set of terms from predecessor
>> registries. ARIN, if it doesn't want to be the successor registry and
>> wants to terminate its services to legacy holders is welcome to do so.
>> In that case, ARIN should identify a successor registry to transfer
>> the stewardship of those resources to.
> 
> I'd be happy for ARIN to be rid of the legacy mess if anyone were
> willing to operate a viable successor registry.  However, who is going
> to do that when none of its registrants will be paying for the services
> they receive?
> 
I don't know, but, the point is that ARIN isn't somehow magically
entitled to the resources just because they are the (current) successor
registry.

>> This theory that ARIN is somehow entitled as the successor registry to
>> retroactively change the terms under which legacy resources were
>> issued without the consent of the recipients really strikes me as
>> being quite odd.
> 
> That's exactly what happened with domain names and with the other RIRs
> that inherited legacy numbers.  ARIN has been far more generous to
> legacy registrants, but IMHO now that we have the LRSA, it's time for
> the honeymoon to end.
> 
Holding up what happened with domain names as an example of how
ARIN should behave is not going to win any points with me. I think that
domain names have become an unmitigated mess and a profiteering
opportunity for ICANN which has led to some seriously misguided
policies in that area.

>>> Also, I am concerned about the complaints (and potential legal
>>> action) ARIN will face if we start actively reclaiming non-legacy
>>> resources but do not attempt to reclaim (non-LRSA) legacy resources.
>>> Worse, showing irresponsibility here may justify attempts by others
>>> to impose governmental (i.e. ITU) interference or end community-based
>>> governance entirely.
>>> 
>> 
>> I think it's pretty easy to show that those resources were issued by
>> predecessor registries under different terms and conditions.
> 
> IMHO, that is irrelevant.
> 
I think it's extremely relevant because that is a valid defense to the
actions you are claiming would arise.

Owen