ARIN-PPML Message

[arin-ppml] Draft Policy ARIN-2013-6: Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors - Revised Problem Statement and Policy Text

Revised text for ARIN-2013-6 is below and can be found at:

https://www.arin.net/policy/proposals/2013_6.html

The AC will evaluate the discussion in order to assess the conformance
of this draft policy with ARIN's Principles of Internet Number Resource
Policy as stated in the PDP. Specifically, these principles are:

  * Enabling Fair and Impartial Number Resource Administration

  * Technically Sound

  * Supported by the Community

The ARIN Policy Development Process (PDP) can be found at:

https://www.arin.net/policy/pdp.html


Draft Policies and Proposals under discussion can be found at:

https://www.arin.net/policy/proposals/index.html

Regards,


Communications and Member Services
American Registry for Internet Numbers (ARIN)


## * ##

Draft Policy ARIN-2013-6 Allocation of IPv4 and IPv6 Address Space to
Out-of-region Requestors - Revised Text (V2)

Date: 4 September 2013

Problem Statement:
ARIN number resources should be used primarily in the ARIN region, for
ARIN region organizations. There is currently no explicit policy guiding
staff in this area, this proposal seeks to correct that.

Policy Statement:
Create new policy Section X.

X. Resource Justification within ARIN Region
Organizations requesting Internet number resources from ARIN must
provide proof that they (1) are an active business entity legally
operating within the ARIN service region, and (2) are operating a
network located within the ARIN service region. In addition to meeting
all other applicable policy requirements, a plurality of resources
requested from ARIN must be justified by technical infrastructure and
customers located within the ARIN service region, and any located
outside the region must be interconnected to the ARIN service region.
The same technical infrastructure or customers cannot be used to justify
resources in more than one RIR.
###

Authors Comments:

Although we represent law enforcement, and have brought forth this issue
based upon our concerns and experience from a law enforcement
perspective, this is a problem in which the entire ARIN community has a
stake.

As reported at the last meeting in Barbados, ARIN staff is having
difficulty verifying organizations out-of-region. In many of the cases,
particularly in VPS (Virtual Private Service), the only information
received on these organizations by ARIN is a customer name and IP
address. This information cannot be properly verified by ARIN. Accuracy
of registration data is critical to not only law enforcement, but the
greater ARIN community as it relates to abuse contact and complaints. In
fact, most issues facing law enforcement are also shared by legitimate
companies attempting, for instance, to identify an organization that has
hijacked their IP address space.

The expedited depletion of IPv4 address space in the ARIN region
certainly seems to negatively impact those organizations currently
operating in the region that may need to return to ARIN for additional
IPv4 address space. While law enforcement¹s concern is that criminal
organizations outside of the ARIN region can easily and quickly request
large blocks of IPv4 address space from ARIN, organizations that are not
truly global organizations, but specific national companies from the
RIPE and APNIC regions, also have this capability which is detrimental
to true ARIN region organizations.

This policy proposal is re-enforcing practices the ARIN staff currently
employs to ensure that ARIN IP space is used for and by companies that
are legitimate and have a legitimate presence in the ARIN region. This
policy will assist in defining clear criteria that will be helpful to
ARIN staff and the community.

The primary role of RIRs is to manage and distribute public Internet
address space within their respective regions. The problem brought forth
here clearly undermines the current RIR model; if any organization can
acquire IP address space from any region, what then is the purpose of
the geographical breakdown of the five RIRs?

Advisory Council Comments:

The term "Internet number resources" or more simply "resources" should
be used instead of "IP Blocks" to more accurately reflect the totality
of the Registry. This implies both IPv4 and IPv6, as well as ASNs.
While Internet registries are organized on a regional basis, policy must
recognize that many networks, services and operations are trans-regional
and it would be burdensome and impractical to attempt to strictly
enforce territorially exclusive allocations. Therefore, policy should
seek to balance the regional structure of address allocation with
flexibility of service provision, by ensuring that ARIN¹s resources are
primarily aligned with the ARIN service region but facilitate
flexibility and efficiency of use by applicants from any region.
There are concerns that out of region organizations should be able to
request resources for use within the ARIN service region. The proposed
text accommodates this issue by requiring only proof that an
organization is "legally operating within the ARIN Service Region". This
includes business entities formed in the region, or other business
entities with legal branch offices within the region. So, as long as an
out of region organization is "legally operating within the ARIN Service
Region" they can request resources from ARIN.

Current operational practice is to require an organization be formed
within the ARIN service region. However, if this were applied by all the
RIRs, a global network would be required to have a minimum of five
subsidiaries, one formed in each of the five RIR regions, this seems
overly burdensome. Good resource policy should consider the consequences
of all RIRs adopting the same policy.

Previous discussions of the topic indicated that it is difficult to
enforce and undesirable for many in the community to dictate where
resources are to be used once they are allocated. A strategy to deal
with this is to focus the policy on the technical infrastructure and
customers used to justify the requested number resources from ARIN, as
opposed to where resources are actually used once allocated. This is a
subtle but important distinction.

While resources received from ARIN may be used outside the ARIN region,
a common technical infrastructure must interconnect the use of these
resources to the ARIN region. This provides a necessary nexus with the
ARIN service region for such out of region use. Therefore, if a discrete
network is operating within another region, not interconnected to the
ARIN region, then resources for that discrete network should be
requested from that region's RIR.

A concern was raised that this policy shouldn't limit or interfere with
outbound inter-RIR transfers. If we focus on what justifies a request
for resources from ARIN, outbound inter-RIR transfers shouldn't be
affected, as they are clearly based on the receiving RIR's policies.

 From previous discussions of the topic, "double dipping" should not be
allowed, that is using the same technical infrastructure or customers to
justify resources from ARIN and another RIR at the same time.
The legal jurisdiction an organization is formed in doesn¹t necessarily
reflect the jurisdictions in which it operates, or even that it operates
a network in a jurisdiction. This implies that we should have both
technical and legal requirements regarding operating within the ARIN
service region in order to receive resources.

The original text used the term "majority", seeming to describe a
"simple," "absolute" or "overall" majority, which means greater than
50%. Many organizations don't have greater than 50% of their users or
customers in any one region. A "plurality", "relative majority",
"largest of", or more specifically "more than any other RIR's service
region" seems to be the intended and appropriate meaning of the term
"majority" in this context. Let's clarify that intent by using the term
"plurality".

The intent is not to require an organization to have an overall
plurality of its technical infrastructure and customers within the ARIN
service region. Rather, it is to ensure that the plurality of currently
requested resources is justified from within the ARIN region. If an
organization¹s primary, or largest, demand for resources is in another
region then the organization should request resources from that region's
RIR.
--

## * ##

## * ##


Draft Policy ARIN-2013-6
Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors

Date: 25 June 2013

Problem Statement:

ARIN number resources should be used primarily in the ARIN region, for
ARIN region organizations. There is currently no explicit policy guiding
staff in this area, this proposal seeks to correct that.

Policy Statement:

Any entity (individual or organization) requesting ARIN issued IP blocks
must provide ARIN with proof of an established legal presence in the
designated ARIN region, and have a majority of their technical
infrastructure and customers in the designated ARIN region. This
requirement applies to both IPv4 and IPv6 address space.

Comments:

The proposal originator said, "Although we represent law enforcement,
and have brought forth this issue based upon our concerns and experience
from a law enforcement perspective, this is a problem in which the
entire ARIN community has a stake".

As reported at the last meeting in Barbados, ARIN staff is having
difficulty verifying organizations out-of-region. In many of the cases,
particularly in VPS (Virtual Private Service), the only information
received on these organizations by ARIN is a customer name and IP
address. This information cannot be properly verified by ARIN. Accuracy
of registration data is critical to not only law enforcement, but the
greater ARIN community as it relates to abuse contact and complaints. In
fact, most issues facing law enforcement are also shared by legitimate
companies attempting, for instance, to identify an organization that has
hijacked their IP address space.

The expedited depletion of IPv4 address space in the ARIN region
certainly seems to negatively impact those organizations currently
operating in the region that may need to return to ARIN for additional
IPv4 address space. While law enforcementÂ’s concern is that criminal
organizations outside of the ARIN region can easily and quickly request
large blocks of IPv4 address space from ARIN, organizations that are not
truly global organizations, but specific national companies from the
RIPE and APNIC regions, also have this capability which is detrimental
to true ARIN region organizations.

This policy proposal is re-enforcing practices the ARIN staff currently
employs to ensure that ARIN IP space is used for and by companies that
are legitimate and have a legitimate presence in the ARIN region. This
policy will assist in defining clear criteria that will be helpful to
ARIN staff and the community.

The primary role of RIRÂ’s is to manage and distribute public Internet
address space within their respective regions. The problem brought forth
here clearly undermines the current RIR model; if any organization can
acquire IP address space from any region, what then is the purpose of
the geographical breakdown of the five RIRs?


Draft Policy ARIN-2013-6
Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors

Date: 25 June 2013

Problem Statement:

ARIN number resources should be used primarily in the ARIN region, for 
ARIN region organizations. There is currently no explicit policy guiding 
staff in this area, this proposal seeks to correct that.

Policy Statement:

Any entity (individual or organization) requesting ARIN issued IP blocks 
must provide ARIN with proof of an established legal presence in the 
designated ARIN region, and have a majority of their technical 
infrastructure and customers in the designated ARIN region. This 
requirement applies to both IPv4 and IPv6 address space.

Comments:

The proposal originator said, "Although we represent law enforcement, 
and have brought forth this issue based upon our concerns and experience 
from a law enforcement perspective, this is a problem in which the 
entire ARIN community has a stake".

As reported at the last meeting in Barbados, ARIN staff is having 
difficulty verifying organizations out-of-region. In many of the cases, 
particularly in VPS (Virtual Private Service), the only information 
received on these organizations by ARIN is a customer name and IP 
address. This information cannot be properly verified by ARIN. Accuracy 
of registration data is critical to not only law enforcement, but the 
greater ARIN community as it relates to abuse contact and complaints. In 
fact, most issues facing law enforcement are also shared by legitimate 
companies attempting, for instance, to identify an organization that has 
hijacked their IP address space.

The expedited depletion of IPv4 address space in the ARIN region 
certainly seems to negatively impact those organizations currently 
operating in the region that may need to return to ARIN for additional 
IPv4 address space. While law enforcement’s concern is that criminal 
organizations outside of the ARIN region can easily and quickly request 
large blocks of IPv4 address space from ARIN, organizations that are not 
truly global organizations, but specific national companies from the 
RIPE and APNIC regions, also have this capability which is detrimental 
to true ARIN region organizations.

This policy proposal is re-enforcing practices the ARIN staff currently 
employs to ensure that ARIN IP space is used for and by companies that 
are legitimate and have a legitimate presence in the ARIN region. This 
policy will assist in defining clear criteria that will be helpful to 
ARIN staff and the community.

The primary role of RIR’s is to manage and distribute public Internet 
address space within their respective regions. The problem brought forth 
here clearly undermines the current RIR model; if any organization can 
acquire IP address space from any region, what then is the purpose of 
the geographical breakdown of the five RIRs?