[ppml] Revised Policy Proposal Resource Reclamation

[michael.dillon at bt.com]

> of actual need).  I would think on any procedural violation the
> right thing to do would be a "probation" period where the holder
> can rectify the situation, and quite frankly, if they can't comply
> with the documentation aspects I think all of their space should
> be pulled.

You started out right but then went astray just like the original
authors. We are not police officers. We are not peacekeeping forces in a
war zone. We are not high-school principals. We are not even the
Internet's HR department.

We are just a bunch of people who share fate through a shared resource
which happens to be limited in nature. Language like "probation" is
inappropriate for ARIN policy as is the attitudes that lead to including
things like "all of their space should be pulled".

Yes, it would be good for ARIN to have some powers to audit usage. But
this is not the way to go about it.

First of all, any ARIN actions around auditing should start with the
issue of records and reporting. I'm not suggesting that we go the way of
NANPA with regular usage and runout reports, but that if we want ARIN to
get involved in auditing usage, the first step is to *HELP* (not force)
the orgs to do their own internal auditing and reporting. The first step
is for ARIN to develop and publish some standards for recordkeeping.

After that, perhaps the problems will go away. Or maybe not and we will
need to go to the next step where ARIN can demand to review the said
records and audit them for accuracy. You cannot audit records which do
not exist and you cannot audit records which are in disarray. Given the
number of telecom companies who struggle with keeping track of circuits,
where there is a monthly dollar penalty for bad recordkeeping, I don't
expect ARIN to find auditing very easy. If ARIN is going to audit, we
have to make sure it can be done relatively cheaply.

As for what is to be done when records are audited and found to be
defficient, pulling *ALL* address space is the wrong thing. Such
language has no place in ARIN policy. Possibly there is a place for
pulling unjustified address space, but that *MUST* be done in a
reasonable way with renumbering transition periods, etc.

In fact, after it is determined that an org cannot demonstrate technical
justification for their existing address space, the right action for
ARIN to take is dependent on the state of their recordkeeping. If bad
records are the reason why they cannot demonstrate justification, then
ARIN should start by ordering them to bring their records into order,
and give them time and assistance to do so. Part of that assistance is
the above-mentioned standards for recordkeeping. If the org has good
enough records but just lack the justification, then ARIN should order a
remediation plan. This will also give the org ample time to deal with
any issues surrounding renumbering, but it also allows the org to do
things like acquire new customers and thus acquire the technical
justification that they need. They could buy another ISP and renumber
all their customers and give back the other ISP's addresses instead of
their own. This is like when a court orders an accounting firm to run a
business's financial affairs rather than ordering a bankruptcy. I use
this analogy specifically because I believe that ARIN's role here has to
be in helping an org reach compliance, not in punishing an org or
pulling the rug out from under them.

The fact is that for many years (and maybe still to this day) there has
not been any accepted description of what constitutes technical
justification for IPv4 address allocations/assignments. In the absence
of a clear description, thousands of engineers and managers have built
up networks and businesses thinking that they were following ARIN
guidelines in good faith. 

You simply cannot turn 180 degrees and attack these people who have been
acting in good faith. If it means that we run into the brick wall of
IPv4 exhaustion, then so be it. That is the outcome that all of us
created by not acting sooner to clarify what technical justification
means. Staving off exhaustion for some orgs is not sufficient
justification for attacking other orgs who have been acting in good
faith, regardless of whose records are in good order and whose aren't.

This policy proposal is a bad, bad thing and I hope that it is withdrawn
before it ever reaches the next ARIN meeting. Wordsmithing is not the
answer. A completely different take on the issue is needed and we need
to begin with the right attitudes. Remember, ARIN's charter includes
education but does not include enforcement.

I believe that a serious effort to develop and publish standards for
recordkeeping as well as defining in great detail, what is technical
justification and what is not, will go a long way to reducing IPv4
address consumption without punitive policies. It will do this in two
ways. First, I believe that the majority of ISPs have addresses that
they could reuse if they only knew where they are. Helping everyone find
their internal wastage and inefficiency, will lead to smaller requests
for new addresses. How many of your customers with a /28 assignment are
actually running PAT on their gateways? And the second way is that the
publicity surrounding this effort will raise awareness of IPv4
exhaustion and drive people towards demanding IPv6 services.

Remember, everything that ARIN does surrounding IPv4 exhaustion will
attract great media attention. Choose your policy proposals wisely.

--Michael Dillon