ARIN-PPML Message

[arin-ppml] Update: 2014-1 Out of Region Use

Based on the discussion at the PPC in Atlanta (link below), the 
following changes are proposed.

https://www.arin.net/participate/meetings/reports/ppc_nanog60/webcast/2014-1.mov 


There is a summary of the changes and a red-lined version of the policy 
text with new and deleted text highlighted following the complete Draft 
Policy.

----

Draft Policy ARIN-2014-1
Out of Region Use

Date: 28 March 2014

Problem statement:

Current policy neither clearly forbids nor clearly permits out or region 
use of ARIN registered resources. This has created confusion and 
controversy within the ARIN community for some time. Earlier work on 
this issue has explored several options to restrict or otherwise limit 
out of region use. None of these options have gained consensus within 
the community. The next logical option is to discuss a proposal that 
clearly permits out of region use without limits, beyond those already 
existing in policy.

Permitting out of region use, however, poses issues that have to be 
addressed by policy and adjustments to operational practice. Out of 
region use needs a clear definition and any operational practices based 
on that definition must not be unnecessarily burdensome. It is 
significantly more difficult and costly for ARIN Staff to independently 
verify the justification and utilization of resources that are 
reassigned or otherwise used outside of the ARIN service region. There 
needs to be recognition of this difference in policy and associated 
operational practices, especially the cost differential when there is 
more than an incidental amount of out of region use.

Policy statement:

Create new Section X;

X. Out of Region Use

ARIN registered resources may be used outside the ARIN service region 
and such use is valid justification for new or additional resources. 
Resources are considered to be used outside the region if the user or 
customer service address or the technical infrastructure address, such 
as the point of presence (POP), data center, or other similar location, 
are outside the ARIN service region.

There is a general presumption that requesting resources from ARIN for 
use within another RIR's service region duplicates any resources held by 
the organization with that other RIR.  Therefore, the organization 
should, not hold any resources with the other RIR, or demonstrate that 
all such resources held are utilized based on ARIN policy requirements, 
or provide an operational justification clarifying how the resources 
from ARIN will not duplicate any underutilized resources held with the 
other RIR.

Only the utilization rate of ARIN registered resources or immediate need 
may be use to determine a valid request size beyond the applicable 
minimum allocation size.  The utilization rate of resources received 
from another RIR is not applicable in determining a valid request size.

X.1 Verification of Out of Region Use

The utilization of all ARIN registered resources must be verified when 
evaluating a request for additional resources or during a resource 
review, including any resources used outside the ARIN service region. 
All ARIN registered resources used outside the region must be verified 
to no less than an equivalent standard as resources used within the ARIN 
region. To this end ARIN, in its sole discretion, may engage independent 
external entities to assist it in the verification of information 
related to any resources used outside the region.

X.2 Reporting Resources Held with other RIRs

Except to the extent that incidental use, multi-instance use, or the 
critical infrastructure criteria described below apply, when out of 
region need is used to justify a request for resources from ARIN; The 
requesting organization will also report to ARIN the utilization status, 
based on applicable ARIN policy, of all resources it holds with the RIRs 
who's service regions the need justifying a request to ARIN is within, 
and any additional supporting documentation requested by ARIN regarding 
these reported resource.

X.3 Incidental Use

Out of region use of ARIN registered resources by an organization that 
totals less than an equivalent of a /20 of IPv4, a /36 of IPv6, and two 
(2) ASNs within each of the other RIR's service regions are considered 
incidental use and as such are accounted for as if used within the ARIN 
service region.

X.4 Multi-Instance Use

Any resources used simultaneously in multiple locations, such as an 
anycast prefix or ASN, are considered as used within the ARIN service 
region, provided at least one instance is located within the region, 
regardless of how many other instances are located outside the region.

X.5 Critical Infrastructure

Resources justified through ARIN critical infrastructure policies are 
accounted for as if used within the ARIN service region, regardless of 
their actual location of use.

Comments:
a. Timetable for implementation: Immediate

b. Anything else

Current policy is ambiguous on the issue of out of region use of ARIN 
registered resources. The only guidance on the issue in current policy 
is in Section 2.2, that defines the term RIR; "... The primary role of 
RIRs is to manage and distribute public Internet address space within 
their respective regions." Some in the community believe this means out 
of region use should be at least limited or restricted while others 
believe this is only intended to focus efforts within the region and not 
define where resources may be used.

Several other policy proposals have explored restricting or otherwise 
limiting out of region use. None of these proposals gained consensus 
within the ARIN community. During the latest of these proposals, 
ARIN-2013-6, several standards were explored, a majority of use within 
region, a plurality of use within region, and some discussion of a 
minimum of 20 percent use within region. It was felt that each of these 
standards would interfered, to one extent or another, with the 
legitimate operations of multi- or trans-regional networks.

Section 2.2 tells us, the primary purpose of the RIRs are to manage and 
distribute resources within their regions. None the less, there have 
always been networks that don't neatly fit within the regions created by 
the RIR system. These legitimate trans-regional networks are operated by 
international businesses or global service providers, many of which are 
based within the ARIN region. Prior to IPv4 run-out, many of these 
trans-regional networks requested resources from ARIN for use both 
inside or outside the region, as long as the requests were justified by 
need.

As a result of IPv4 run-out, many in the community want to restrict out 
of region use to prevent ARIN resources from going to networks without a 
real technical presence in the ARIN region. However, any attempt to 
limit or restrict such out of region use inevitably will affect these 
legitimate trans-regional networks. Further, even the most restrictive 
regional use requirements will not significantly prolong the 
availability of IPv4 resources within the ARIN region. Therefore, 
attempting to restrict or limit out of region use of resources, even if 
it were for IPv4 only, is ineffective, inefficient, and overly 
burdensome to important elements of the global Internet.

The major concept behind this proposal is to allow out of region use 
without any limits, other than those already in policy, but bring an 
economic and reporting factors to play on the issue. It requires ARIN to 
verify out of region use of ARIN registered resources to no less than an 
equivalent standard as in region use, and enables ARIN to engage 
external entities to assist in this verification. It is expected ARIN 
will have agreements with all such external entities to ensure the 
confidentiality of all supporting documentation is preserved.

ARIN engaging external entities to assist in verification of out of 
region use is mostly an ARIN business issue, and not primarily a policy 
issue. However, today there is a general assumption that such 
verification for in region use is done almost exclusively in house at 
ARIN. Making this issue clear in policy follows a principle of least 
surprise, as the use of such external entities is likely to be 
frequently necessary to verify out of region use, especially in parts of 
the world where English is not the primary language. Or put another way, 
use of an external entity when verifying out of region use is more 
likely to be the rule rather than an exception.

When resources are requested for out of region use an organization also 
needs to report the utilization status of all resources it holds with 
the RIRs for the regions that the requested need is within.  This is to 
ensure there are not underutilized resources held with another RIR that 
would contradict the justified need for resources from ARIN.

There are additional expenses and complexity involved in verifying out 
of region use, as a result of language and logistical barriers that the 
regionality of the RIR system was originally conceived to mitigate.
In addition, evaluating the reported information about resources held 
with other RIRs, needed to ensure ARIN resources are not duplicating 
resources held with outer RIRs, increase staff's burden related to out 
of region use. Furthermore, section 2.2 is clear that providing 
resources for out of region use is, at best, only a secondary role for 
ARIN. As a result, out of region use should not significantly burden the 
primary role of providing resources for use within the region. These 
factors justify a recommendation to the Board of Trusties to create a 
separate fee structure for out of region use, creating the 
aforementioned economic factor.

This economic factor and the recommendation for a separate fee 
structure, are again mostly ARIN business issues, and not part of policy 
in general. However, this is one of those instances where policies and 
fees are intertwined.

It seems reasonable that this economic factor should be applied only to 
those that make substantial use of ARIN registered resources outside the 
region, and not to those that primarily use resources within the region. 
This proposal defines incidental out of region use, to ensure that 
trivial, insignificant or otherwise incidental use are exempt from the 
discussed economic factor, the reporting of resources help with other 
RIRs as well, and are accounted for as if used within the region.

Some amount of out of region use should be considered normal even for a 
network primarily based within the ARIN region. For example, numbering a 
global backbone that provides global access necessary for in region 
customers. Also, the other RIRs have minimum requirements to justify an 
initial allocation or assignment, similar to ARIN. These and other 
examples and issues, justify allowing some minimal amount of out of 
region use to be accounted for as if it were in region use. The 
currently proposed policy statement, X.3, defines incidental use in 
terms of an absolute thresholds for each type of resource.

Another option would be a percentage based threshold, say 20%. However, 
a percentage based threshold has the disadvantage that even a minimal 
change in usage can cause the ratio between in region and out of region 
use to change, potentially causing an oscillation around this threshold. 
This creates significant uncertainty for organizations as to if the 
discussed economic factor will apply to them, or not. Where as once an 
absolute threshold has been crossed by a significant amount, it is 
highly unlikely that any additional changes in usage will cause an 
oscillation around the threshold, providing much more certainty for most 
organizations.

Additionally, the proposal deals with a couple special cases in X.4 and 
X.5. Due to the relatively small resource impact and high importance to 
overall Internet stability; resources for critical infrastructure are 
accounted for as if used within the region. Anycast prefixes, and other 
resources used simultaneously in multiple locations, are considered as 
used outside the region only when they are exclusively used outside the 
region. Or put another way, as long as at least one instance is located 
within the region, they are considered used within the region, 
regardless of how many other instances are located outside the region. 
Both of these special cases have an overall positive impact on the 
Internet and should not be discouraged in anyway by this policy, lumping 
them in with general out of region use could be a disservice to the 
Internet and unnecessarily burdensome.

The intent of allowing an operational justification to clarify how 
resources received from ARIN will not duplicate any underutilized 
resources held with another RIR is to account for situations like; It 
may be necessary to use resources from another RIR to meet legal or 
regulatory requirements, or prevailing operational expectations, in some 
economies around the world. In such cases it is justified to also 
receive minimal resources from another RIR for use only in those 
economies. And using resources received from ARIN for the rest of a 
global network.

In summary, this proposal ensures that global organizations or global 
service providers base within the ARIN region may receive resources to 
operate their global network solely from ARIN, if they wish to do so. As 
long as the utilization of the out of region resources are verified to 
no less than an equivalent standard as in region resources and any 
additional reporting requirements are also meet. This is particularly 
important for IPv6; requiring organizations get IPv6 resources from 
multiple RIRs, or even making it appear that they should, will result in 
additional unique non-aggregatable prefixes within the IPv6 route table, 
rather than minimizing them, which one of the policy objectives for IPv6.

Finally, a separate but somewhat related issue; regardless of where ARIN 
registered resources are used, inside or outside of the ARIN service 
region, organizations must first qualify to receive resources from ARIN. 
ARIN's current operational practice is that an organization must be 
formed within the ARIN service region in order to qualify to receive any 
resources from ARIN. The issue of who should be eligible to receive 
resources was commingled with out of region use in ARIN-2013-6. It was 
felt these issues should be considered separately. Therefore, the issue 
of who should be eligible to receive resources is purposefully not dealt 
with by this proposal, and if any changes are necessary there should be 
separate policy proposals to deal with this issue independently.

----

Summary of Changes;

- Clarified out of region use is valid justification for both *new* or 
additional resources.

- Eliminated "user or customer billing address" from definition for out 
of region use, and change the items left to sentence from, instead of 
list form.

- Added that there is a general presumption that requesting resources 
from ARIN for use within another RIR's service region duplicates any 
resources held by the organization with that other RIR.

- Made it clear that only the utilization rate of ARIN resources or 
immediate need are used to determine the valid request size.

- New sections X.2 "Reporting Resources Held with other RIRs," this new 
section is intended to have organizations report the utilization of 
their resources, based on ARIN Policy, for the other RIRs where they are 
requesting ARIN resources for.  Except to the extent incidental use, 
multi-instance use, or critical infrastructure clauses apply.

- Changed incidental use to be on a per other RIR region basis to 
simplify the determination of if the Reporting Resources Held with other 
RIRs applies.

- Changed multi-instance use to use "at least one instance is located 
within the region" language.

- Updated the comments section to account for the above changes.

----

Here is an annotated version of the policy text
_
Deleted Text_
New Text
Retained Text

X. Out of Region Use

ARIN registered resources may be used outside the ARIN service region 
and such use is valid justification for new or additional resources. 
Resources are considered to be used outside the region if _any of the 
following are located outside the region. A. The user or customer 
billing address B._ the user or customer service address or _C._ the 
technical infrastructure address, such as the point of presence (POP), 
data center, or other similar location, are outside the ARIN service region.

There is a general presumption that requesting resources from ARIN for 
use within another RIR's service region duplicates any resources held by 
the organization with that other RIR.  Therefore, the organization 
should, not hold any resources with the other RIR, or demonstrate that 
all such resources held are utilized based on ARIN policy requirements, 
or provide an operational justification clarifying how the resources 
from ARIN will not duplicate any underutilized resources held with the 
other RIR.

Only the utilization rate of ARIN registered resources or immediate need 
may be use to determine a valid request size beyond the applicable 
minimum allocation size.  The utilization rate of resources received 
from another RIR is not applicable in determining a valid request size.

X.1 Verification of Out of Region Use

The utilization of all ARIN registered resources must be verified when 
evaluating a request for additional resources or during a resource 
review, including any resources used outside the ARIN service region. 
All ARIN registered resources used outside the region must be verified 
to no less than an equivalent standard as resources used within the ARIN 
region. To this end ARIN, in its sole discretion, may engage independent 
external entities to assist it in the verification of information 
related to any resources used outside the region.

X.2 Reporting Resources Held with other RIRs

Except to the extent that incidental use, multi-instance use, or the 
critical infrastructure criteria described below apply, when out of 
region need is used to justify a request for resources from ARIN; The 
requesting organization will also report to ARIN the utilization status, 
based on applicable ARIN policy, of all resources it holds with the RIRs 
who's service regions the need justifying a request to ARIN is within, 
and any additional supporting documentation requested by ARIN regarding 
these reported resource.

X._2_3 Incidental Use

Out of region use of ARIN registered resources by an organization that 
totals less than an equivalent of a /20 of IPv4, a /36 of IPv6, and two 
(2) _10 _ASNs within each of the other RIR's service regions are 
considered incidental use and as such are accounted for as if used 
within the ARIN service region.

X.4 Multi-Instance Use

Any resources used simultaneously in multiple locations, such as an 
anycast prefix or ASN, are _accounted for as used outside the region, 
only if they are exclusively used outside the region._considered as used 
within the ARIN service region, provided at least one instance is 
located within the region, regardless of how many other instances are 
located outside the region.

X._3_5 Critical Infrastructure

Resources justified through ARIN critical infrastructure policies are 
accounted for as if used within the ARIN service region, regardless of 
their actual location of use.



-- 
================================================
David Farmer               Email: farmer at umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE     Phone: 1-612-626-0815
Minneapolis, MN 55414-3029  Cell: 1-612-812-9952
================================================

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.arin.net/pipermail/arin-ppml/attachments/20140328/a24f1f8e/attachment-0001.html>