[arin-ppml] Draft Policy ARIN-2011-7: Compliance Requirement - revised
ARIN
info at arin.net
Wed Feb 22 17:51:36 EST 2012
Draft Policy ARIN-2011-7
Compliance Requirement
ARIN-2011-7 has been revised. This draft policy is open for discussion
on this mailing list and will be on the agenda at the upcoming ARIN
Public Policy Meeting in Vancouver.
ARIN-2011-7 is below and can be found at:
https://www.arin.net/policy/proposals/2011_7.html
Following the text is an ARIN staff assessment.
Regards,
Communications and Member Services
American Registry for Internet Numbers (ARIN)
## * ##
Draft Policy ARIN-2011-7
Compliance Requirement
Version: 5
Date: 22 February 2012
Policy statement:
In section 12.4, replace:
Organizations found by ARIN to be materially out of compliance with
current ARIN policy shall be requested or required to return resources
as needed to bring them into (or reasonably close to) compliance.
With:
Organizations found by ARIN to be out of compliance with current ARIN
policy shall be required to update reassignment information or return
resources as needed to bring them into (or reasonably close to) compliance.
(Leave paragraph 12.4.a. and 12.4.b. unchanged)
Replace section 12.5 with:
Except in cases of fraud when immediate action can be taken, an
organization shall be given thirty (30) days to respond. If an
organization fails to respond within thirty (30) days, ARIN may cease
providing reverse DNS services to that organization. If progress of
resource returns or record corrections has not occurred within sixty
(60) days after ARIN initiated contact, ARIN shall cease providing
reverse DNS services for the resources in question. ARIN shall negotiate
a longer term with the organization if ARIN believes the organization is
working in good faith to restore compliance and has a valid need for
additional time.
Replace section 12.6 with:
At any time ninety (90) days after initial ARIN contact, ARIN may
initiate the revocation of any resources issued by ARIN as required to
bring the organization into overall compliance. Except in cases of
fraud, or violations of policy, an organization shall be given a minimum
of six months to effect a return. ARIN shall negotiate a longer term
with the organization if ARIN believes the organization is working in
good faith to restore compliance and has a valid need for additional
time to renumber out of the affected blocks. ARIN shall follow the same
guidelines for revocation that are required for voluntary return in
paragraph 12.4.b. above.
Rationale:
Version 5 further addresses PPML and AC feedback since the last PPM.
Version 4 addresses all feedback received at the ARIN PPM in
Philadelphia. Mostly small textual changes - does re-introduce the 6
month window for resource revocations (it now remains in section 12.6).
Version 3 addresses remaining legal concerns with specific wording.
Version 2 addresses several staff and legal concerns with the original
text of this policy by clarifying the language and making it more concrete.
To date the community has not documented or firmly established use of an
effective enforcement mechanism. This policy will support current policy
and compel those who are allocated ARIN resources to maintain the proper
WHOIS records in accordance with ARIN NRPM. While it is recognized this
is not an absolute solution to ensure compliance, it is the best method
under current ARIN policies.
Timetable for implementation: Immediate
#####
ARIN STAFF & LEGAL ASSESSMENT
Draft Policy: 2011-7 Compliance Requirement
Date of Assessment: 15 Feb 2012
1. Proposal Summary (Staff Understanding)
This proposal requires ARIN staff to identify customers who are out of
compliance with policy, and to eventually withhold services for those
who fail to come into compliance within a designated time. Staff is to
contact customers who are out of compliance with policy and give them 30
days to respond to our contact and to demonstrate they've begun to take
corrective measures within 60 days. If either of these criteria is not
met, the policy instructs staff to cease providing reverse DNS services
to the customer or to begin reclamation efforts after 90 days.
2. Comments
A. ARIN Staff Comments
• The term “out of compliance” is not well defined anywhere within this
policy. Without additional criteria, staff will continue to interpret
this term somewhat liberally, and to apply it at our discretion using
our best judgment and consideration of existing factors. Only those
organizations that we deem to be significantly in violation of existing
policy will be flagged for further review and audit.
• Removing an organization’s reverse DNS and/or reclaiming their IP
number resources will be likely to have a negative impact on their
ability to conduct business.
B. ARIN General Counsel –
This policy has significant legal implications, as it requires ARIN to
withdraw services that may impact innocent and bona fide third parties
utilizing the resources. Any revocation made pursuant to this revised
policy could result in litigation.
3. Resource Impact
This policy would have moderate resource impact from an implementation
aspect. It is estimated that implementation could occur within 6 – 9
months after ratification by the ARIN Board of Trustees.
The implementation of this policy will require new software tools to
track these newly defined deadlines. Additionally, there will likely be
a significant increase in time and workload for the RS team as the
potential for a significant increase in resource audits due to
non-compliance with IPv6 reassignment requirements is great. This may
even require additional personnel, although it is too early to tell
right now.
The following would be needed in order to implement:
• Updated guidelines and website documentation
• Staff training
• Software tools would need to be developed to track the 30 and 60-day
deadlines.
4. Proposal Text
Draft Policy ARIN-2011-7
Compliance Requirement
Policy statement:
In section 12.4, replace:
Organizations found by ARIN to be materially out of compliance with
current ARIN policy shall be requested or required to return resources
as needed to bring them into (or reasonably close to) compliance.
With:
Organizations found by ARIN to be out of compliance with current ARIN
policy shall be required to update reassignment information or return
resources as needed to bring them into (or reasonably close to)
compliance.
(Leave paragraph 12.4.a. and 12.4.b. unchanged)
Replace section 12.5 with:
Except in cases of fraud when immediate action can be taken, an
organization shall be given thirty (30) days to respond. If an
organization fails to respond within thirty (30) days, ARIN may cease
providing reverse DNS services to that organization. If progress of
resource returns or record corrections has not occurred within sixty
(60) days after ARIN initiated contact, ARIN shall cease providing
reverse DNS services for the resources in question. ARIN shall
negotiate a longer term with the organization if ARIN believes the
organization is working in good faith to restore compliance and has a
valid need for additional time.
Replace section 12.6 with:
At any time ninety (90) days after initial ARIN contact, ARIN may
initiate the revocation of any resources issued by ARIN as required to
bring the organization into overall compliance. Except in cases of
fraud, or violations of policy, an organization shall be given a
minimum of six months to effect a return. ARIN shall negotiate a
longer term with the organization if ARIN believes the organization is
working in good faith to restore compliance and has a valid need for
additional time to renumber out of the affected blocks. ARIN shall
follow the same guidelines for revocation that are required for
voluntary return in paragraph 12.4.b. above.
More information about the ARIN-PPML
mailing list