[ppml] IPv6 assignment - proposal for change to nrpm

Stephen Sprunk stephen at sprunk.org
Wed Oct 31 17:10:29 EDT 2007

Thus spake "Ted Mittelstaedt" <tedm at ipinc.net>
>>>>I've seen plenty of horrifying examples, though NDAs prevent me
>>>>from naming names.
>>> Please don't say stuff like that, it is just a bunch of straw men.
>>> We do not sign NDAs with any customers we do service work
>>> for, (none have asked)
>>Lucky you.  I'm under NDA to that (past) employer, and that
>>employer is under NDA to those customers; my NDA bound me to
>>their NDAs.  I've asked, and I'm not even allowed to say who those
>>customers are, and certainly not details of their internal networks.
>>Even on my own, I've never done consulting work for any company
>>that _didn't_ demand an NDA, nor have I been employed by a
>>company that didn't since I was worked retail as a teenager.
> Any contract that obligates you to conceal something illegal is
> unenforceable.

If I had been aware of someone committing a crime, I would have contacted 
the appropriate law enforcement agency.  AFAIK, no laws were broken.  There 
was no fraud, for example, since they never represented that their 
utilization _was_ efficient to anyone -- and it so obviously wasn't that 
nobody would even attempt to claim such.

>>For that matter, a substantial fraction of legacy assignments are
>>to defense contractors, who have parts of their network that are
>>not only under NDA but classified.  ARIN can't get details about
>>those networks, since AFAIK they have no staff with the appropriate
>>clearances, and no court can order disclosure.  Even employees
>>in the "white" parts of those companies often have no clue what
>>the "black" parts look like.
> That is a different deal.  However, those classifications only hold true
> in the US.  If I am not a US citizen and I live outside the US I can talk
> publically about any US DoD classified things I feel like.

The only non-citizens outside the US which _should_ be able to get such 
information in the first place will be under similar laws from their own 
government.  If anyone else obtained DoD classified information, someone 
with a clearance illegally gave it to them and they'll likely end up in a 
deep, dark hole.  Depending on how sensitive the information is, the USG may 
perform a "rendition" and bring the unauthorized person to US soil for 
detention.  In case you missed it, in the 80s Congress asserted worldwide 
jurisdiction and enforcement of its laws -- including over non-US citizens 
on non-US soil.  Since victims don't usually get trials or press coverage, 
we have no clue how often it happens.

>>> A holder like SBC Global who is under RSA is arguably violating
>>> their contract with ARIN by assigning an overage of IP addresses
>>> to customers that the customers aren't asking for, in an effort to
>>> hoard IPs.
>>That's a matter for ARIN's counsel and/or staff, not us.
> ARIN's policy is set by us, we elect ARIN officers, this is definitely
> a matter for us.

No, it is not.  If you are unhappy with the actions of ARIN's board and 
you're a member, you can vote for different candidates.  That's where your 
control ends.  Only ARIN's employees and counsel are privvy to information 
given to ARIN under NDA -- even the BoT isn't due to potential conflicts of 

> It's no different than any other representative government.

ARIN is certainly not a government but rather a Virginia non-stock 

> I think your probably not that familiar with how these sorts of
> organizations operate?  Openness rules the roost.

Openness of process and policy, yes, but not of implementation necessarily. 
Try getting someone else's tax records or individual census records less 
than 70 years old.  Some things are beyond FOIA's reach for a reason.

>>For that matter, since the details are almost assuredly under NDA,
>>we have no clue if staff has reviewed the practice and whether or
>>not they've found it acceptable for reasons we're not privvy to.
> ARIN is required to abide by it's policies which call for, what is it,
> 100% utilization?

Per, each customer must meet 80% utilization; there is no 
indication if that's to be assessed per assignment or somehow averaged 
across all assignments to a given customer.

Per, an LIR has to have "efficiently" utilized all prior allocations 
and at least 80% of the most recent one.  Since there's no explicit 
definition given for "efficient", let's say that means "100% assigned". 
However, those assignments only need to be 80% utilized themselves.

For end users getting direct assignments, 4.3.3 says they must be able to 
reach 50% utilization within a year, and 4.3.6 says 80% of all previous 
assignments, if any.

> In other words, ARIN staff has no ability to give a group, whether
> under NDA or not, a special exemption from the utilization
> requirements unless such exemption is spelled out in policy.

The wording in the policy is intentionally loose so that staff can make a 
reasonable assessment of the records they're given.  It's entirely possible 
that there is technical justification showing that a /30 is not possible in 
the case you described.  I can't imagine what it may be, but SBCGlobal must 
have a reason for doing it that way since it's unusual, and staff will 
review that reason when they come back for more space -- if they haven't 

> Which gets back to the original thrust of my response - the devil
> is in the details.  What is your definition of 100% utilization?
> Mine certainly isn't an empty /8.

I'm unaware of any "empty" /8s, though it's common belief that many are 
poorly utilized.  I'm personally aware of plenty of "empty" /24s and a few 
"mostly empty" /16s.  All are legacy.

I've also heard someone claim they were aware of one or more non-legacy 
allocations which were originally justified but the company went under and 
one of the employees/owners kept paying the bill so they could retain the 
block (perhaps "empty" today) for future purposes.  That does appear to be 
an RSA violation, but I don't know who the alleged offenders were/are; I 
can't even recall who made the claim.

> I know you are certain in what you have seen.  You must understand
> that me saying what you have seen has to be considered mythical,
> does not mean I personally disbelieve you have seen this.  I am
> just saying nobody can do anything about these since we don't know
> who the abusers are.

_We_ don't know, except for the "abusers" hiding among us.  ARIN staff may 
know or, failing that, have the power to ask for that information, which 
they will most likely only get under NDA.  All we can do is tell them (a) to 
go do it and (b) what they should do if/when they get the information (or 
don't).  We might be able to deduce some of what they find from the end 
results, but we might not; either way we have to trust they're doing what 
policy and the BoT tells them to do.

>>> By the time the law of diminishing returns acts on a reclamation
>>> effort, the wasteful holders still out there who have so far ignored
>>> the nice pleas aren't going to respond to anything other than
>>> a threat.
>>If they have ignored the "nice pleas", of course they won't respond
>>to anything other than a threat.  That doesn't mean we need to
>>start working out what that threat may eventually be, or if we'll even
>>use one, before we see how well the "nice pleas" work.
> It doesen't mean we shouldn't work out that threat now, either.

The threat (to non-legacy folks) is clearly stated in section 8 of the RSA: 
"If ARIN determines that the number resources or any other Services are not 
being used in compliance with this Agreement, the Policies, or the purposes 
for which they are intended, ARIN may: (i) revoke the number resources, (ii) 
cease providing the Services to Applicant, and/or (iii) terminate this 
Agreement. "

The LRSA's threat is a bit weaker, since it's only to stop providing 
services that ARIN is providing to legacy holders anyways even if they 
haven't signed the LRSA.

The only threat remaining to discuss, then, is what (if anything) ARIN might 
do to folks that haven't signed either the RSA or the LRSA.

>>OTOH, I bet we could recover 64k /24s for less in legal fees than
>>a single /8; the folks with /8s have hundreds of lawyers each at
>>their disposal with nothing better to do than sue annoyances like
>>ARIN out of existance.
> Throwing hundreds of lawyers on a lawsuit does not change the
> basic dispute or conflict.

No, but it may change the outcome if you can bankrupt the other party 
through legal costs or business distruptions before the case is settled. 
Many lawsuits are filed _knowing_ the plaintiff would lose on merit, and 
many defendants that would win end up settling because it's cheaper.

> That's why Erin Brockabitch won, and why there's tons of other
> David vs Goliath court cases out there.  The only thing that
> helps is the quality of the lawyer you use, and ARIN has enough
> money to hire lawyers that are every bit as good as the best
> lawyers the other side has.

ARIN, with annual revenues of a few million and a small operating reserve, 
would be unlikely withstand a determined legal assault by a dozen companies 
that each rake in billions per month.

>>And if we go after one, the rest will counterattack to prevent a
>>precedent being established that they don't like.
> "the rest" aren't going to spend a nickle on counterattacking.  It's
> like the old saw that they came for this guy and I didn't speak up,
> they came for that guy and I didn't speak up, they came for this
> other guy and I didn't speak up, now they are coming for me, darn,
> I should have spoke up.

Counterexample: Novell's actions related to SCO v. IBM.


Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking 

More information about the ARIN-PPML mailing list