ARIN-PPML Message

[arin-ppml] Draft Policy ARIN-2011-7: Compliance Requirement - revised

Draft Policy ARIN-2011-7
ARIN Inter-RIR Transfers

ARIN-2011-7 has been revised. This draft policy is open for discussion
on this mailing list and will be on the agenda at the upcoming ARIN
Public Policy Meeting in Philedelphia.

ARIN-2011-7 is below and can be found at:
https://www.arin.net/policy/proposals/2011_7.html

Following the text is an ARIN staff assessment of an earlier version of 
the draft policy. The current version "...addresses remaining legal 
concerns with specific wording."

Regards,

Communications and Member Services
American Registry for Internet Numbers (ARIN)


## * ##


Draft Policy ARIN-2011-7
Compliance Requirement

Date: 22 September 2011

Policy statement:

Resource Review
Update the following NRPM Sections:

12.4 - Update to:
Organizations found by ARIN to be out of compliance with current ARIN 
policy shall be required to update reassignment information or return 
resources as needed to bring them into (or reasonably close to) compliance.

   1. The degree to which an organization may remain out of compliance 
shall be based on the reasonable judgment of the ARIN staff and shall 
balance all facts known, including the organization's utilization rate, 
available address pool, and other factors as appropriate so as to avoid 
forcing returns which will result in near-term additional requests or 
unnecessary route de-aggregation.

   2. To the extent possible, entire blocks should be returned. Partial 
address blocks shall be returned in such a way that the portion retained 
will comprise a single aggregate block.

(leave 12.5 as is)

12.6 - Update to:
Except in cases of fraud when immediate action can be taken, an 
organization shall be given a minimum of thirty (30) days to respond. If 
an organization fails to respond within thirty (30) days, ARIN may cease 
providing reverse DNS services to that organization. If progress of 
resource returns or record corrections has not occurred within sixty 
(60) days after ARIN initiated contact, ARIN shall cease providing 
reverse DNS services for the resources in question. At any time ninety 
(90) days after initial ARIN contact, ARIN may initiate resource 
revocation as allowed in paragraph 12.5. ARIN may permit a longer period 
of time to come into compliance, if ARIN believes the organization is 
working in good faith to restore compliance with policy and has a valid 
need for additional time to comply, including but not limited to 
renumbering out of the affected blocks.


Rationale:

This version addresses remaining legal concerns with specific wording.

An earlier version addressed several staff and legal concerns with the 
original text of this policy by clarifying the language and making it 
more concrete.

To date the community has not documented or firmly established use of an 
effective enforcement mechanism. This policy will support current policy 
and compel those who are allocated ARIN resources to maintain the proper 
WHOIS records in accordance with ARIN NRPM. While it is recognized this 
is not an absolute solution to ensure compliance, it is the best method 
under current ARIN policies.

Timetable for implementation: Immediate


#####


ARIN Staff Assessment

Draft Policy: 2011-7 Compliance Requirement

1.  Proposal Summary (Staff Understanding)

This policy requires ARIN staff to not only identify customers who are 
out of compliance with policy, but to withhold services for those who 
fail to come into compliance within a designated time.  Staff is to 
contact customers who are out of compliance with policy and give them 30 
days to respond to our contact and to demonstrate they've begun to take 
corrective measures within 60 days. If either of these criteria is not 
met, the policy instructs staff to cease providing reverse DNS services 
to the customer or to begin reclamation efforts.

2. Comments

A. ARIN Staff Comments

•	The proposal updates the 12.4 language to allow folks to update 
SWIP/RWhois records as a way of becoming compliant with policy.

•	The policy says either "take away reverse" or "reclaim the numbers". 
It would be helpful to staff if there was clear guidance as to when 
revocation was to be used over reverse dns removal.
o	Without clear guidance, staff would implement this in such a way that 
reverse dns removal would be used as the first step of the enforcement, 
and revocation of the resource as the final step when an organization is 
unable to come into compliance within a defined time period.

•	The term “out of compliance” is not well defined anywhere within this 
policy.  Without additional criteria, staff will continue to interpret 
this term somewhat liberally, and to apply it at our discretion using 
our best judgment and consideration of existing factors.  Only those 
organizations that we deem to be significantly in violation of existing 
policy will be flagged for further review and audit.

•	Removing an organization’s reverse DNS may negatively impact their 
business.


B. ARIN General Counsel –

This policy has significant legal implications, as it requires ARIN to 
withdraw services that may impact innocent and bona fide third parties 
utilizing the resources. Many drafting concerns in earlier versions of 
the policy have been ameliorated or fixed. However some may remain. I 
have some specific suggestions to fix the current draft of 12. 6: 
suggested deletions can be seen by bracketing, additions in caps.   The 
entire policy might benefit from similar close review.

  '12.6 - Update to:
Except in cases of fraud WHEN IMMEDIATE ACTION CAN 
BE TAKEN, an organization shall be given a minimum of thirty (30) days 
to respond. If an organization FAILS TO [does not] respond within 
[those] thirty (30) days, ARIN may cease providing reverse DNS services 
to that organization. If progress of resource returns or record 
corrections HAS NOT OCCURRED [is not visible] within sixty (60) days 
after [correspondence with] ARIN INITIATED CONTACT [began] , ARIN SHALL 
[will] cease providing reverse DNS services for the resources in 
question.  At any time [after] ninety (90) days AFTER INITIAL ARIN 
CONTACT [have passed], ARIN may initiate resource revocation as allowed 
in paragraph 12.5.  ARIN MAY [shall negotiate] PERMIT a longer [ term] 
PERIOD OF TIME TO COME INTO COMPLIANCE,  [with the organization] if ARIN 
believes the organization is working in good faith to [substantially] 
restore compliance WITH POLICY and has a valid need for additional time 
to COMPLY, INCLUDING BUT NOT LIMITED TO RENUMBERING out of the affected 
blocks.'


3. Resource Impact

This policy would have moderate resource impact from an implementation 
aspect.  It is estimated that implementation could occur within 6 – 9 
months after ratification by the ARIN Board of Trustees.

The implementation of this policy will require new software tools to 
track these newly defined deadlines.  Additionally, there will likely be 
a significant increase in time and workload for the RS team as the 
potential for a significant increase in resource audits due to 
non-compliance with IPv6 reassignment requirements is great. This may 
even require additional personnel, although it is too early to tell 
right now.

The following would be needed in order to implement:
• Updated guidelines and website documentation
• Staff training
• Software tools would need to be developed to track the 30 and 60-day 
deadlines.

4. Proposal Text

Draft Policy ARIN-2011-7
Compliance Requirement

Date/version: 24 May 2011

Policy statement:

Resource Review
Update the following NRPM Sections:

12.4 - Update to:
Organizations found by ARIN to be out of compliance with current ARIN 
policy shall be required to update reassignment information or return 
resources as needed to bring them into (or reasonably close to) compliance

1. The degree to which an organization may remain out of compliance 
shall be based on the reasonable judgment of the ARIN staff and shall 
balance all facts known, including the organization's utilization rate, 
available address pool, and other factors as appropriate so as to avoid 
forcing returns which will result in near-term additional requests or 
unnecessary route de-aggregation.

2. To the extent possible, entire blocks should be returned. Partial 
address blocks shall be returned in such a way that the portion retained 
will comprise a single aggregate block.
(leave 12.5 as is)

12.6 - Update to:
Except in cases of fraud, an organization shall be given a minimum of 
thirty (30) days to respond. If an organization does not respond within 
those thirty (30) days, ARIN may cease providing reverse DNS services to 
that organization. If progress of resource returns or record corrections 
is not visible within sixty (60) days after correspondence with ARIN 
began, ARIN will cease providing reverse DNS services for the resources 
in question. At any time after ninety (90) days have passed, ARIN may 
initiate resource revocation as allowed in paragraph 12.5. ARIN shall 
negotiate a longer term with the organization if ARIN believes the 
organization is working in good faith to substantially restore 
compliance and has a valid need for additional time to renumber out of 
the affected blocks.

Rationale:

This version addresses several staff and legal concerns with the 
original text of this policy by clarifying the language and making it 
more concrete.

To date the community has not documented or firmly established use of an 
effective enforcement mechanism. This policy will support current policy 
and compel those who are allocated ARIN resources to maintain the proper 
WHOIS records in accordance with ARIN NRPM. While it is recognized this 
is not an absolute solution to ensure compliance, it is the best method 
under current ARIN policies.
Timetable for implementation: Immediate