ARIN-PPML Message

[arin-ppml] Draft Policy ARIN-2011-7: Compliance Requirement - revised

Draft Policy ARIN-2011-7
Compliance Requirement

ARIN-2011-7 has been revised. This draft policy is open for discussion
on this mailing list and will be on the agenda at the upcoming ARIN
Public Policy Meeting in Vancouver.

ARIN-2011-7 is below and can be found at:
https://www.arin.net/policy/proposals/2011_7.html

Following the text is an ARIN staff assessment.

Regards,

Communications and Member Services
American Registry for Internet Numbers (ARIN)


## * ##


Draft Policy ARIN-2011-7
Compliance Requirement

Version: 5

Date: 22 February 2012

Policy statement:

In section 12.4, replace:

Organizations found by ARIN to be materially out of compliance with 
current ARIN policy shall be requested or required to return resources 
as needed to bring them into (or reasonably close to) compliance.

With:

Organizations found by ARIN to be out of compliance with current ARIN 
policy shall be required to update reassignment information or return 
resources as needed to bring them into (or reasonably close to) compliance.

(Leave paragraph 12.4.a. and 12.4.b. unchanged)

Replace section 12.5 with:

Except in cases of fraud when immediate action can be taken, an 
organization shall be given thirty (30) days to respond. If an 
organization fails to respond within thirty (30) days, ARIN may cease 
providing reverse DNS services to that organization. If progress of 
resource returns or record corrections has not occurred within sixty 
(60) days after ARIN initiated contact, ARIN shall cease providing 
reverse DNS services for the resources in question. ARIN shall negotiate 
a longer term with the organization if ARIN believes the organization is 
working in good faith to restore compliance and has a valid need for 
additional time.

Replace section 12.6 with:

At any time ninety (90) days after initial ARIN contact, ARIN may 
initiate the revocation of any resources issued by ARIN as required to 
bring the organization into overall compliance. Except in cases of 
fraud, or violations of policy, an organization shall be given a minimum 
of six months to effect a return. ARIN shall negotiate a longer term 
with the organization if ARIN believes the organization is working in 
good faith to restore compliance and has a valid need for additional 
time to renumber out of the affected blocks. ARIN shall follow the same 
guidelines for revocation that are required for voluntary return in 
paragraph 12.4.b. above.

Rationale:

Version 5 further addresses PPML and AC feedback since the last PPM.

Version 4 addresses all feedback received at the ARIN PPM in 
Philadelphia. Mostly small textual changes - does re-introduce the 6 
month window for resource revocations (it now remains in section 12.6).

Version 3 addresses remaining legal concerns with specific wording.

Version 2 addresses several staff and legal concerns with the original 
text of this policy by clarifying the language and making it more concrete.

To date the community has not documented or firmly established use of an 
effective enforcement mechanism. This policy will support current policy 
and compel those who are allocated ARIN resources to maintain the proper 
WHOIS records in accordance with ARIN NRPM. While it is recognized this 
is not an absolute solution to ensure compliance, it is the best method 
under current ARIN policies.

Timetable for implementation: Immediate



#####


ARIN STAFF & LEGAL ASSESSMENT

Draft Policy: 2011-7 Compliance Requirement
Date of Assessment: 15 Feb 2012

1. Proposal Summary (Staff Understanding)

This proposal requires ARIN staff to identify customers who are out of 
compliance with policy, and to eventually withhold services for those 
who fail to come into compliance within a designated time.  Staff is to 
contact customers who are out of compliance with policy and give them 30 
days to respond to our contact and to demonstrate they've begun to take 
corrective measures within 60 days. If either of these criteria is not 
met, the policy instructs staff to cease providing reverse DNS services 
to the customer or to begin reclamation efforts after 90 days.

2. Comments

A. ARIN Staff Comments

•	The term “out of compliance” is not well defined anywhere within this 
policy.  Without additional criteria, staff will continue to interpret 
this term somewhat liberally, and to apply it at our discretion using 
our best judgment and consideration of existing factors.  Only those 
organizations that we deem to be significantly in violation of existing 
policy will be flagged for further review and audit.

•	Removing an organization’s reverse DNS and/or reclaiming their IP 
number resources will be likely to have a negative impact on their 
ability to conduct business.


B. ARIN General Counsel –
This policy has significant legal implications, as it requires ARIN to 
withdraw services that may impact innocent and bona fide third parties 
utilizing the resources.  Any revocation made pursuant to this revised 
policy could result in litigation.


3. Resource Impact

This policy would have moderate resource impact from an implementation 
aspect.  It is estimated that implementation could occur within 6 – 9 
months after ratification by the ARIN Board of Trustees.

The implementation of this policy will require new software tools to 
track these newly defined deadlines.  Additionally, there will likely be 
a significant increase in time and workload for the RS team as the 
potential for a significant increase in resource audits due to 
non-compliance with IPv6 reassignment requirements is great. This may 
even require additional personnel, although it is too early to tell 
right now.

The following would be needed in order to implement:
• Updated guidelines and website documentation
• Staff training
• Software tools would need to be developed to track the 30 and 60-day 
deadlines.

4. Proposal Text

Draft Policy ARIN-2011-7
Compliance Requirement

Policy statement:

In section 12.4, replace:

Organizations found by ARIN to be materially out of compliance with
current ARIN policy shall be requested or required to return resources
as needed to bring them into (or reasonably close to) compliance.

With:

Organizations found by ARIN to be out of compliance with current ARIN
policy shall be required to update reassignment information or return
resources as needed to bring them into (or reasonably close to)
compliance.

(Leave paragraph 12.4.a. and 12.4.b. unchanged)

Replace section 12.5 with:

Except in cases of fraud when immediate action can be taken, an
organization shall be given thirty (30) days to respond. If an
organization fails to respond within thirty (30) days, ARIN may cease
providing reverse DNS services to that organization. If progress of
resource returns or record corrections has not occurred within sixty
(60) days after ARIN initiated contact, ARIN shall cease providing
reverse DNS services for the resources in question. ARIN shall
negotiate a longer term with the organization if ARIN believes the
organization is working in good faith to restore compliance and has a
valid need for additional time.

Replace section 12.6 with:

At any time ninety (90) days after initial ARIN contact, ARIN may
initiate the revocation of any resources issued by ARIN as required to
bring the organization into overall compliance. Except in cases of
fraud, or violations of policy, an organization shall be given a
minimum of six months to effect a return. ARIN shall negotiate a
longer term with the organization if ARIN believes the organization is
working in good faith to restore compliance and has a valid need for
additional time to renumber out of the affected blocks. ARIN shall
follow the same guidelines for revocation that are required for
voluntary return in paragraph 12.4.b. above.