[arin-ppml] Draft Policy 2010-10 (Global Proposal):GlobalPolicy for IPv4 Allocations by the IANA Post Exhaustion- Last Call (textrevised)

Owen DeLong owen at delong.com
Fri Nov 5 02:56:42 EDT 2010 

On Nov 4, 2010, at 9:06 PM, Stephen Sprunk wrote:

> On 02 Nov 2010 22:30, Ted Mittelstaedt wrote:
>> On 11/2/2010 5:38 PM, Bill Darte wrote:
>>> Never, in my memory, has the debate over recovery of legacy addresses
>>> been given more than superficial treatment.
>>> 
>> 
>> I think that this is because ultimately the goal isn't to take legacy
>> resources away that are IN USE.
> 
> IMHO, that depends on the degree of non-compliance.  I've worked with
> dozens of orgs with legacy space, and not a single one of them could
> even come close to justifying their space _that was in use_.
> 
> However, I don't see any point in targeting orgs using their space
> inefficiently until we've dealt with all the ones (and I really do mean
> every last one that can be found) not using their space _at all_.
> 
IMHO, targeting legacy holders for non-compliance with today's
ARIN policies is dubious at best. I agree we should seek to actively
reclaim abandoned resources (resources where the ORG no
longer exists). I think we should possibly reach out and request that
ORGs no longer using their legacy resources voluntarily return
them.

Legacy holders received their resources under very different
requirements with very different expectations. While ARIN is the
successor registry of record, legacy holders (other than LRSA
signatories) have no agreement with ARIN and never agreed
to be bound by the ARIN policy process. I think attempting to
take such resources is an almost certain path to very costly
litigation with a very uncertain outcome. There are better things
for ARIN to do with their legal budget, IMHO.

>> Ultimately the goal should be to take legacy resources away that are
>> either being hoarded, or are abandoned.
> 
> "Hoarded" is a loaded term, and it's difficult to prove someone's doing
> it.  "Justified" is easily determined, though, since we _already_ have
> dozens of pages of policy describing exactly what that means.
> 
What we don't have is any form of agreement by the legacy holders
that the ARIN definition of justified applies to them. Non-signatories
to the LRSA are, thus, in an uncertain area. Signatories of the LRSA
are clearly protected from current and future ARIN policies in this
regard.

>>> Seems that the typical statements that stop debate is that such a
>>> course would be prohibitively expensive from a legal point of view
>> 
>> Rubbish.  If ARIN takes over an abandoned Legacy resource then since
>> it is abandoned, the original org that had it cannot suffer damages,
>> and since it hasn't suffered damages, it has no standing to sue in court.
>> 
>> The problem is that since the original Legacy holder did NOT ever sign
>> an agreement with ARIN then ARIN has no contractual justification to
>> take over an abandoned Legacy assignment even if they know it's unused,
> 
> AFAICT, if the registrant does not have a contract (i.e. RSA or LRSA)
> with ARIN for registry services, ARIN has no obligation to continue
> providing them, especially for free.  There are many who feel ARIN has a
> _moral_ obligation to do so, but that's not a matter for the courts.
> 
I agree that ARIN has a moral obligation to legacy holders.

I am uncertain about what legal obligations ARIN has to legacy holders.

I think that involuntary reclamation of legacy resources or "termination of
services" to legacy holders is contrary to ARIN's best interests. I think that
going beyond "termination of services" to the step of placing resources
back into the free pool and issuing them to other organizations would
be outright counter-productive for all concerned (except in the case of
clear abandonment).

>> because so far the community has not given ARIN permission to do this
>> via policy in the NRPM.
> 
> That all depends on how one interprets NRPM 12.8.
> 
> IMHO, ARIN _already_ had the power to apply policy to legacy space or
> revoke it entirely, and therefore NRPM 12 actually _limits_ how ARIN may
> do so, as it does for non-legacy resources.
> 
Where did this power come from? For non-legacy holders, it comes from
the RSA which is a binding contract between the resource holder and ARIN
which entitles ARIN to revoke resources according to the NRPM.

There is no document anywhere that I know of which gives ARIN any
such authority to revoke legacy resources based on current ARIN policy
where it differs from the policies in effect under which the legacy resources
were issued.

>> Right now, Legacy netblocks that are attached to POCs that ARIN
>> determines are non-respondent, can ultimately be freed up.  All ARIN
>> has to do is determine a POC is abandoned and when ALL POCs that are
>> on a particular Legacy block change to abandoned status, then the
>> resource is, (in my opinion) effectively freed, and (in my opinion)
>> ARIN should move it back into the free pool of assignable IPv4
> 
> Wrong.  ARIN would need to follow the procedure in NRPM 12, which
> governs _all_ reclamation activities.
> 

> However, if all the POCs are unresponsive, then presumably they will not
> respond with justification as required in 12.1, they will not
> voluntarily return the resource(s) as required in 12.4, and eventually
> ARIN can revoke the resource(s) under 12.5.
> 
Presumably the later stages of POC validation would include the notices
required under 12.1 such that by the time the POCs were marked invalid,
we would have at least completed the 12.4 waiting period as well, thus
making 12.5 effective pretty much as described above.

>> 
>> But that does not answer the Legacy space that is unused, yet still
>> has a respondent POC on it.  Or Legacy space that the master block
>> has an abandoned POC but has active POC's that are in SWIPS that
>> were filed on parts of it.
> 
> One can address most of those by having other processes that add to the
> same list of resources to be reviewed.  For instance, one might consider
> a resource not appearing in the DFZ to be a sign of probable
> non-compliance which triggers a review.  Or resources which have not
> been updated in the last N years.  Or not having valid rDNS servers.  If
> the review concludes they're valid, the registrant has 24 months before
> they have to worry about being hassled again.
> 
There are specific policies allowing for non-connected networks and always
have been. Why would the fact that a resource does not appear in one
particular view (or even several views) of the DFZ be considered a sign
of probable non-compliance? As to update cycle, some organizations
are actually extremely stable.

What value of N would you propose? 5? 10? 15?

When did maintaining valid rDNS become a requirement even for a non-
legacy holder? I can't find that requirement anywhere in the NRPM.

> Yes, a sufficiently cagey registrant may be able to avoid all of our
> heuristics, but most won't even try to.  It's reasonable to lose a
> battle to a skilled and dedicated opponent; it's absolutely indefensible
> to surrender a battle when your opponent doesn't even show up, which is
> where we are right now.  Let's fix the latter problem before we worry
> about the former.
> 
When did this shift from stewardship to seeking battles with legacy
holders? That certainly was not my intent in NRPM 12.

>> And on top of that, not too long ago I thought the AC stated they
>> would no longer entertain drafts of policy changes that dealt entirely
>> with IPv4.  So please don't duck behind this "if you think you have a
>> better method then make a proposal" bullcrap.
> 
> Most of the problems with legacy IPv4 blocks also apply to legacy ASNs,
> so proposals along these lines need to say "resources" anyway.
> 
The AC did not make such a statement. The statement made was that
we felt further policies for IPv4 resources were likely moot and the
AC would probably abandon such policies absent a clear need for
the policy.

In my personal opinion, making this statement was ill-advised on the
part of the AC and I am on record as a dissenting vote. One of the
reasons for my dissent was the probability of the statement being
misconstrued in this manner.

>> There are too many people now in the ARIN community that just want to
>> bury IPv4 and really aren't interested in mining possibly usable IPv4
>> from Legacy resources.  They want to believe if we just ignore it we
>> can leave IPv4 behind in a few years and switch everything to IPv6 and
>> they won't believe this isn't going to happen right away until it just
>> doesn't happen right away.  Maybe they are right.  I just hope that if
>> they are not, that they start mining.
> 
> I don't think that "mining" IPv4 blocks for reclamation will have any
> meaningful effect on runout, but I still think it's worthwhile for
> several other reasons.
> 
I understand the "other reasons" for reclamation of abandoned resources.
They're a good target for abuse. What reasons do you have for actively
seeking to reclaim legacy resources that are not abandoned just because
you feel like ARIN can enforce current policy against organizations that
have no contractual relationship with ARIN and have never consented
to the current policy process?

Owen

More information about the ARIN-PPML mailing list