[arin-ppml] Draft Policy 2011-7 Compliance Requirement

[ARIN]

Correction: This draft policy will be on the agenda at the ARIN Public
Policy Meeting in Philadelphia in October.

Regards,

Member Services
American Registry for Internet Numbers (ARIN)



ARIN wrote:
> Draft Policy ARIN-2011-7
> Compliance Requirement
>
> On 19 May 2011 the ARIN Advisory Council (AC) selected "Returned
> IPv4 Addresses" as a draft policy for adoption discussion on the PPML
> and at the Public Policy Meeting in San Juan, Puerto Rico in April.
>
> The draft was developed by the AC from policy proposal "ARIN-prop-126
> Compliance Requirement." Per the Policy Development Process the AC
> submitted text to ARIN for a staff and legal assessment prior to its
> selection as a draft policy. Below the draft policy is the ARIN staff
> and legal assessment, followed by the text that was submitted by the AC.
> Note that the AC revised the draft policy text after they received the
> assessment from staff.
>
> Draft Policy ARIN-2011-7 is below and can be found at:
> https://www.arin.net/policy/proposals/2011_7.html
>
> You are encouraged to discuss Draft Policy 2011-7 on the PPML prior to
> the October Public Policy Meeting. Both the discussion on the list and
> at the meeting will be used by the ARIN Advisory Council to determine
> the community consensus for adopting this as policy.
>
> The ARIN Policy Development Process can be found at:
> https://www.arin.net/policy/pdp.html
>
> Draft Policies and Proposals under discussion can be found at:
> https://www.arin.net/policy/proposals/index.html
>
> Regards,
>
> Member Services
> American Registry for Internet Numbers (ARIN)
>
>
> ## * ##
>
>
> Draft Policy ARIN-2011-7
> Compliance Requirement
>
> Date/version: 24 May 2011
>
> Policy statement:
>
> Resource Review
> Update the following NRPM Sections:
>
> 12.4 - Update to:
> Organizations found by ARIN to be out of compliance with current ARIN
> policy shall be required to update reassignment information or return
> resources as needed to bring them into (or reasonably close to) 
> compliance
>
> 1. The degree to which an organization may remain out of compliance
> shall be based on the reasonable judgment of the ARIN staff and shall
> balance all facts known, including the organization's utilization rate,
> available address pool, and other factors as appropriate so as to avoid
> forcing returns which will result in near-term additional requests or
> unnecessary route de-aggregation.
>
> 2. To the extent possible, entire blocks should be returned. Partial
> address blocks shall be returned in such a way that the portion retained
> will comprise a single aggregate block.
>
> (leave 12.5 as is)
>
> 12.6 - Update to:
> Except in cases of fraud, an organization shall be given a minimum of
> thirty (30) days to respond. If an organization does not respond within
> those thirty (30) days, ARIN may cease providing reverse DNS services to
> that organization. If progress of resource returns or record corrections
> is not visible within sixty (60) days after correspondence with ARIN
> began, ARIN will cease providing reverse DNS services for the resources
> in question. At any time after ninety (90) days have passed, ARIN may
> initiate resource revocation as allowed
> in paragraph 12.5. ARIN shall negotiate a longer term with the
> organization if ARIN believes the organization is working in good faith
> to substantially restore compliance and has a valid need for additional
> time to renumber out of the affected blocks.
>
>
> Rationale:
>
> This version addresses several staff and legal concerns with the
> original text of this policy by clarifying the language and making it
> more concrete.
>
> To date the community has not documented or firmly established use of an
> effective enforcement mechanism. This policy will support current policy
> and compel those who are allocated ARIN resources to maintain the proper
> WHOIS records in accordance with ARIN NRPM. While it is recognized this
> is not an absolute solution to ensure compliance, it is the best method
> under current ARIN policies.
>
> Timetable for implementation: Immediate
>
>
> #####
>
>
> This is an assessment of the proposal as originally submitted by the AC.
> The AC subsequently revised the proposal/draft policy text (see current
> version above).
>
> STAFF ASSESSMENT
>
> Proposal: Compliance Requirement (ARIN-prop-126)
> Policy Version (Date): 11 January 2011
> Date of Assessment: 28 January 2011
>
> 1. Proposal Summary (Staff Understanding)
>
> This policy requires ARIN staff to not only identify customers who are
> out of compliance with policy, but to withhold services for those who
> fail to come into compliance within a designated time. Staff is to
> contact customers who are out of compliance with policy and give them 30
> days to respond to our contact and to demonstrate they've begun to take
> corrective measures within 60 days. If either of these criteria is not
> met, the policy instructs staff to cease providing reverse DNS services
> to the customer or to begin reclamation efforts.
>
> 2. Comments
> A. ARIN Staff Comments
>
> • The policy says either "take away reverse" or "reclaim the numbers".
> It would be helpful to staff if there was clear guidance as to when
> revocation was to be used over reverse dns removal. Without clear
> guidance, staff would implement this in such a way that reverse dns
> removal would be used as the first step of the enforcement, and
> revocation of the resource as the final step when an organization is
> unable to come into compliance within a defined time period.
> • The term “materially out of compliance” is not well defined anywhere
> within this policy. Without additional criteria, staff will continue to
> interpret this term somewhat liberally, and to apply it at our
> discretion using our best judgment and consideration of existing
> factors. Only those organizations that we deem to be significantly in
> violation of existing policy will be flagged for further review and 
> audit.
>
> B. ARIN General Counsel
>
> This policy has significant legal implications. It needs to be
> carefully edited to remove unnecessary ambiguities that might require
> enforcement when it should be discretionary and to avoid giving those
> “enforced against” arguments that will require case-by-case adjudication.
>
> For example, the first line of the policy at 12.4 uses “materiality” as
> a standard. I strongly recommend against such a standard, as anyone who
> is treated adversely will argue their “noncompliance” is “not material.”
> If lack of compliance is the issue, it must be “black or white” as a
> review matter to protect against such drafting problems. If you believe
> noncompliance with a limited number of policies is a better approach,
> you can define such a set rather than overall compliance.
>
> Second, the “requested or required” (emphasis added) language is
> conceptually quite different – one is “a request,” the other “a
> command.” They must be separated if an escalation from “requested” to
> “required” is intended.
>
> Third, a similar drafting problem appears in 12.6 where “fraud” (a bad
> and intentional thing) is equated to “violations of policy” which could
> be trivial and not intended.
>
> Overall, if the policy was enacted as is, the risk of legal issues being
> thrust upon ARIN is unattractive and unwise. Counsel respectfully
> suggests a thorough rewrite of the draft to remove these and other
> issues of concern.
>
> 3. Resource Impact
>
> This policy would have moderate resource impact from an implementation
> aspect. It is estimated that implementation could occur within 6 - 9
> months after ratification by the ARIN Board of Trustees.
>
> The implementation of this policy will require new software tools to
> track these newly defined deadlines. Additionally, there will likely be
> a significant increase in time and workload for the RS team as the
> potential for a significant increase in resource audits due to
> non-compliance with IPv6 reassignment requirements is great. This may
> even require additional personnel, although it is too early to tell
> right now.
>
> The following would be needed in order to implement:
> • Updated guidelines and website documentation
> • Staff training
> • Software tools would need to be developed to track the 30 and 60-day
> deadlines.
>
> 4. Proposal Text
>
> ARIN-prop-126
>
> Policy statement:
> Resource Review
> Update the following NRPM Sections:
> 12.4 Update to:
> Organizations found by ARIN to be materially out of compliance with
> current ARIN policy shall be requested or required to return resources
> or update reassignment information as needed to bring them into (or
> reasonably close to) compliance.
> 12.5 Update to:
> If the organization does not voluntarily return resources or update
> reassignment information as requested, ARIN will cease providing reverse
> DNS services and/or revoke any resources issued by ARIN as required to
> bring the organization into overall compliance. ARIN shall follow the
> same guidelines for revocation that are required for voluntary return in
> the previous paragraph.
> 12.6 Update to:
> Except in cases of fraud, or violations of policy, an organization shall
> be given a minimum (30) days to respond. Progress of record(s)
> correction(s) must be visible within (60) days after correspondence with
> ARIN began or ARIN will start proceeding with removal of DNS services
> and/or resources issued by ARIN. ARIN shall negotiate a longer term
> with the organization if ARIN believes the organization is working in
> good faith to substantially restore compliance and has a valid need for
> additional time to renumber out of the affected blocks.
> Rationale:
> To date the community has not documented or firmly established use of an
> effective enforcement mechanism. This policy will support current
> policy and compel those who are allocated ARIN resources to maintain the
> proper WHOIS records in accordance with ARIN NRPM. While it is
> recognized this is not an absolute solution to ensure compliance, it is
> the best method under current ARIN policies.
>
>
>
>
>
>
>