[ppml] Revised Policy Proposal Resource Reclamation

Stephen Sprunk stephen at sprunk.org
Tue May 1 16:30:44 EDT 2007 

Thus spake <michael.dillon at bt.com>
>> of actual need).  I would think on any procedural violation the
>> right thing to do would be a "probation" period where the holder
>> can rectify the situation, and quite frankly, if they can't comply
>> with the documentation aspects I think all of their space should
>> be pulled.
>
> You started out right but then went astray just like the original
> authors. We are not police officers. We are not peacekeeping
> forces in a war zone. We are not high-school principals. We
> are not even the Internet's HR department.
>
> We are just a bunch of people who share fate through a shared
> resource which happens to be limited in nature. Language like
> "probation" is inappropriate for ARIN policy as is the attitudes
> that lead to including things like "all of their space should be
> pulled".

Agreed so far.

> Yes, it would be good for ARIN to have some powers to audit
> usage. But this is not the way to go about it.

ARIN _already_ has unlimited power to audit usage per the RSA.  This 
proposal is an attempt to specify how that power should be used instead of 
leaving it up to staff.  How is that a bad thing?

> First of all, any ARIN actions around auditing should start with
> the issue of records and reporting. I'm not suggesting that we
> go the way of NANPA with regular usage and runout reports,
> but that if we want ARIN to get involved in auditing usage, the
> first step is to *HELP* (not force) the orgs to do their own
> internal auditing and reporting. The first step is for ARIN to
> develop and publish some standards for recordkeeping.

Unfortunately, helping people and developing tools are not policy matters. 
Feel free to make suggestions to the Board; in fact, I believe that doing 
those things would make everyone's lives easier and, in the long term, save 
ARIN money.

> After that, perhaps the problems will go away. Or maybe not
> and we will need to go to the next step where ARIN can demand
> to review the said records and audit them for accuracy. You
> cannot audit records which do not exist and you cannot audit
> records which are in disarray.

The intent is that the same records would be used in a review that would be 
used in any request for an allocation or assignment today.  If you don't 
have them, then you shouldn't have been able to get those resources in the 
first place unless it was a long, long time ago and you've never asked for 
anything new since.

Except in cases where ARIN has cause to suspect fraud, they would trust that 
you're not lying (much), just as they do today.  I avoided using the term 
"audit" because that implies having to prove your records are correct (e.g. 
to the IRS).

> As for what is to be done when records are audited and found
> to be defficient, pulling *ALL* address space is the wrong thing.
> Such language has no place in ARIN policy. Possibly there is
> a place for pulling unjustified address space, but that *MUST*
> be done in a reasonable way with renumbering transition
> periods, etc.

The proposal at hand addresses those issues.

> In fact, after it is determined that an org cannot demonstrate
> technical justification for their existing address space, the
> right action for ARIN to take is dependent on the state of their
> recordkeeping. If bad records are the reason why they cannot
> demonstrate justification, then ARIN should start by ordering
> them to bring their records into order, and give them time and
> assistance to do so. Part of that assistance is the above-
> mentioned standards for recordkeeping. If the org has good
> enough records but just lack the justification, then ARIN
> should order a remediation plan.

That's effectively what the proposal does, though not in so many words.  The 
org has to produce records sufficient for ARIN to complete the review, and 
if they don't have them, they need to generate them.  If those records then 
show that the resources aren't justified, the remediation plan is either 
return or revocation, i.e. reclamation.

> This will also give the org ample time to deal with any issues
> surrounding renumbering, but it also allows the org to do
> things like acquire new customers and thus acquire the
> technical justification that they need. They could buy another
> ISP and renumber all their customers and give back the other
> ISP's addresses instead of their own.

The proposed grace period gives them time to renumber.  If they later happen 
to justify the resources before they're reclaimed, they could submit an 
application showing that and ARIN would logically reissue those resources 
back to them.

> ... I believe that ARIN's role here has to be in helping an org
> reach compliance, not in punishing an org or pulling the rug out
> from under them.

ARIN cannot help an org reach compliance.  ARIN could, however, help them 
prove they were in compliance.  There's a serious difference there.

> The fact is that for many years (and maybe still to this day) there
> has not been any accepted description of what constitutes
> technical justification for IPv4 address allocations/assignments.
> In the absence of a clear description, thousands of engineers
> and managers have built up networks and businesses thinking
> that they were following ARIN guidelines in good faith.

ARIN has policy on what justifies an allocation/assignment.  It has changed 
slowly over time, but not so much that someone still assuming rules from 
five years ago is likely to be in trouble today.  However, the rules _will_ 
change significantly in the future and reclamation will be unavoidable.  I 
think it's best to get people (including staff!) used to the idea of 
reviews, what documentation they'll need, etc. now while they're still 
highly likely to pass.

> You simply cannot turn 180 degrees and attack these people
> who have been acting in good faith.

That isn't the intent.

> This policy proposal is a bad, bad thing and I hope that it is
> withdrawn before it ever reaches the next ARIN meeting.
> Wordsmithing is not the answer. A completely different take on
> the issue is needed and we need to begin with the right attitudes.
> Remember, ARIN's charter includes education but does not
> include enforcement.

The charter requires stewardship.  We would be irresponsible stewards if we 
did not verify the need of people consuming a limited resource that others 
_can_ justify a need for.

Helping people document their justification would be nice, and I encourage 
the Board to budget money for developing tools to that end, but it's not 
enough -- and it's not policy.

> First, I believe that the majority of ISPs have addresses that they
> could reuse if they only knew where they are. Helping everyone
> find their internal wastage and inefficiency, will lead to smaller
> requests for new addresses.

See above.  Even the simple but highly popular idea of a web interface, 
which presumably would show all the resources an org has and what they're 
tagged for, would be a step in the right direction.  If the tools existed, 
we could force people to use them, but we can't use policy to create them 
out of thin air.

( In fact, a tool could be made to check compliance status; a review would 
merely consist of ARIN looking at the tool and, if the report wasn't 
positive, asking the org to make sure their data is up to date. )

> And the second way is that the publicity surrounding this effort
> will raise awareness of IPv4 exhaustion and drive people towards
> demanding IPv6 services.

I doubt it; by itself, reclamation will extend the life of v4 a few months, 
a year at the most.  However, I predict we're going to start making more 
significant policy changes (which _will_ get publicity) as we get closer to 
the wall, and we'll need some sort of reclamation mechanism for those 
policies to have any meaningful effect.

> Remember, everything that ARIN does surrounding IPv4
> exhaustion will attract great media attention. Choose your
> policy proposals wisely.

Just getting the media to understand that IPv4 exhaustion will happen in the 
next 5-10 years and what that means will be enough of a challenge.  Once 
they do start paying attention, it'll be too late to matter and/or they'll 
misreport everything anyways.  Remember Y2k?

I can already see headlines like "ARIN says only computers with Windows 
Vista will be allowed on the Internet" coming.

S

Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov

More information about the ARIN-PPML mailing list