[ppml] Policy Proposal: Authentication of Legacy Resources

Edward Lewis Ed.Lewis at neustar.biz
Tue Jul 10 09:37:32 EDT 2007


At 13:04 -0800 7/9/07, Andrew Dul wrote:

Thanks for the reply; it gives me a different perspective on this.

>While I agree that we shouldn't be taking away information, the fact that
>approx. 50% of the legacy records have not been updated since ARIN's
>inception tells me that more needs to be done to make sure that the records
>are updated as best as possible.   This policy is an attempt to conduct an
>outreach to legacy resource holders with some consequences for not taking
>any action.

My first reaction is to then bring the legacy DNS delegations under 
the Lame Delegation policy (2005-1 and 2002-1).  That's just to get 
rid of stale and misleading information regarding delegations from 
the DNS.  Realizing that there isn't guaranteed to be a 1:1 
correlation between the untouched legacy registrations and lame or 
broken DNS delegations (I'm sure there will be examples that break 
that "stereotype" in both directions), this is one way to clean up any 
in-network mess being caused.

It would be interesting to note the correlation of Lame/Broken 
delegation rates to the kind of delegation (legacy or ARIN).

>By setting a sunset time line for Legacy reverse DNS records we hopefully can
>accomplish two goals.  1. Formalize the relationship between the ARIN and
>active legacy address holders.  2. Start the process of marking address space
>that is no-longer in active use.   The goal here is not reclamation but
>rather updating the database with accurate information from Legacy holders
>and continuing that relationship long-term.

I have a strong objection to #2.  In as much as "ARIN does not dictate 
routing policy," how does one detect that a number resource is 
"no-longer in active use?"  The purpose of ARIN is uniqueness, not 
routability.  I first came to my personal conclusion that there 
is no reliable way to decide whether a number resource is in use 
(e.g., it could be used in a network between two apartments in NYC 
air-gapped from the rest of the world).

As far as #1, I don't think that it is appropriate to use the 
sunsetting of a service as a motivation to get the other side to 
agree to a formal relationship.  (I suppose this is done in business, 
my cable company recently moved a PBS station from analog cable to 
digital cable and presumably to charge more, about $20/month, to see 
the shows I was already paying for.)


>There are a lot of reasons that have been discussed.  I'll just name some
>that I have heard, there are probably others.
>
>- Legitimize & confirm legacy holders right to use space they were assigned
>- Remove ambiguity about the status of legacy holder's address space

I agree that the above two are good and worthy goals; I'd include 
this in any documentation about this effort (whether this remains a 
policy, is shunted through the consultation and suggestion thing, or 
is taken as a board matter).

>- Create a relationship with legacy holders, including a yearly "touch-point"
>   to help ensure that records are up-to-date

This sounds credible, but touch-point sounds like money changing 
hands.  Then again, I'm sounding cynical based on troll-induced 
threads that the RIRs are only after money and power.

>- ARIN currently provides services to legacy holders for "free", as ARIN is
>   a cost-recovery non-profit, some believe that all address space holders
>   should share in the costs of providing these services.

This I disagree with.  "Address space holders" (I don't mean to be 
pedantic but to keep us disciplined - "Number resource holders") 
aren't the only ones benefiting from ARIN's services.  Many who rely on 
the DNS and WhoIs are not holders of resources, although you can 
argue that the holding of a resource is made "valuable" because of 
the role ARIN and the other RIRs have.

If we tie the cost-recovery burden to holding number resources, then 
how is this different from charging rent?  Okay, besides the target of 
0% profit and a say in the determination of the overall costs of 
operating ARIN (via membership approval of budget items).  It would 
be nice if the burden of operating ARIN were adequately shared, but 
that probably won't happen.  We'll remain in a state where certain 
interests will fund ARIN because those interests have a greater need 
for ARIN to be.

>Preventing the in-addr DNS queries from returning answers is an
>interesting concept, and not one that I have considered.  If people think
>this is a better method than removing the delegations to motivate legacy
>holders to create a formal agreement with ARIN, I'd be open to modifying
>the policy.  My initial concern with this approach would be that this
>approach could be more operationally difficult to deal with.  It is pretty
>easy to understand why a query returns no records if there isn't a valid set
>of NS records for a zone.  If your query was answered or not depending on
>the source of your query, that could be hard to troubleshoot and understand
>for the operational community.

Whether what I had suggested is appropriate or not for ARIN, this is 
a model used in other industries in which operational data sharing 
benefits a segment.  The attitude is that consumers of the data band 
together and try to learn all they can about the "universe."  Data in 
is free, data out costs.

But that model is not going to be easy to retrofit into the public 
Internet.  So, perhaps I'm just wasting bits.

>The best reason I have seen is that it legitimizes an organization's right
>to use specific IP address resources.  There is no ambiguity or risk that
>the resources could be reused, reissued, or records otherwise invalidated.

Isn't having gotten the legacy resource enough of a justification? 
It's legitimate.  It's ARIN's responsibility that no one else uses the 
same space - if ARIN allocated me a resource that was allocated as a 
legacy, ARIN has done me wrong and the legacy holder wrong.

>I agree that creating barriers in general is not a good idea.  I would
>certainly like to see ARIN do an outreach specifically to legacy holders.  My
>attempt with this policy was to create an incentive (loss of current in-addr
>service) to encourage the establishing of a formal relationship and the
>ongoing relationship that would help keep the records up-to-date.
>In addition I see additional incentives in affirming an organization's right
>to use number resources granted prior to the formation of ARIN.

Where I am losing the faith is that I believe that legacy holders 
already have full legitimacy and rights to the resource.  They paid 
their dues by playing the role of an early adopter.  But their 
benefit ends with their own (personal or single organizational) use 
of the IPv4 space; this privilege does not extend to IPv6, nor is it 
transferable to another entity.  I am not sure whether it is the 
resource that is special or the allocation (i.e., that which ends 
when the resource is released) that is special.  I don't think that a 
legacy resource should be touched in any way by ARIN policy: not 
renewal, not reviewable, not reclaimable, not part of the usage 
calculation.  Perhaps I'd agree with extending the IPv6 fee waiver to 
legacy holders, not just to whom it is available now (as an 
incentive to join up).

There are other incentives I'd hold out for legacy holders, such as 
cryptographic protection for the legacy space (records and 
certification).  But I don't think we have the right to expect that 
they *should* join in.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Think glocally.  Act confused.
