[arin-ppml] Draft Policy 2010-10 (Global Proposal):GlobalPolicy for IPv4 Allocations by the IANA Post Exhaustion- Last Call (textrevised)

[Stephen Sprunk]

On 06 Nov 2010 04:08, Owen DeLong wrote:
> On Nov 5, 2010, at 9:25 AM, Stephen Sprunk wrote:
>> On 05 Nov 2010 01:56, Owen DeLong wrote:
>>> On Nov 4, 2010, at 9:06 PM, Stephen Sprunk wrote:
>>>> On 02 Nov 2010 22:30, Ted Mittelstaedt wrote:
>>>>> Ultimately the goal should be to take legacy resources away that
>>>>> are either being hoarded, or are abandoned.
>>>> "Hoarded" is a loaded term, and it's difficult to prove someone's
>>>> doing it.  "Justified" is easily determined, though, since we
>>>> _already_ have dozens of pages of policy describing exactly what
>>>> that means.
>>> What we don't have is any form of agreement by the legacy holders
>>> that the ARIN definition of justified applies to them.
>>
>> OTOH, absent an LRSA, there is no formal agreement that it doesn't.
>>
>
> Uh, generally it's pretty hard to claim that a contract is binding on
> an opt-out basis.
>
> I can't just make up a contract and then say you are subject to it's
> terms just because you don't have a contract that says otherwise.

A homeless shelter is quite certainly free to dictate people wear shoes
in order to get a free meal.

>>> Non-signatories to the LRSA are, thus, in an uncertain area.
>>> Signatories of the LRSA are clearly protected from current and
>>> future ARIN policies in this regard.
>>
>> Yes, that's an excellent carrot for folks to sign the LRSA.  We
>> disagree only about the stick.
>>
>> I don't like using sticks, but eventually we're going to run out of
>> folks that are interested in the carrot.
>>
>
> So? I really don't see the problem with leaving them alone to do their
> own thing. I'd rather see them join the community, but, I simply don't
> see any valid argument for attempting to do so by force.

There are several problems.  The most relevant to this discussion is
that, without regular contact (e.g. via annual dues), it is difficult to
keep information in WHOIS current and it's much easier for fraudsters to
steal resources.

>> I was willing to accept granting special privileges to _all_ legacy
>> holders prior to the LRSA being made available; now that it is,
>> though, I'm reluctant to accept continuing to grant those same
>> special privileges to those who do not sign.
>>
> First, I don't agree with your use of the term "special privileges".

You don't think that being exempt from revocation or having limits on
fee increases (or no fees at all, if one doesn't sign an LRSA) qualify
as "special privileges"?  How does someone with an RSA get those terms?

> Second, I really don't think legacy holders are a major problem and I
> don't see the point in pursuing them with pitchforks and torches just
> because they choose not to join the ARIN community.

I don't think pitchforks and torches are necessary, but I do think _at
minimum_ ARIN owes the community some due diligence to make sure WHOIS
is correct.

>>> I think that involuntary reclamation of legacy resources or
>>> "termination of services" to legacy holders is contrary to ARIN's
>>> best interests.
>>
>> I disagree.
>>
>
> And you are free to do so.
>
> Care to back that up with what ARIN possibly gains by doing so other
> than litigation expenses?

First, a stick would get more legacy holders to sign the LRSA--or
perhaps even an RSA.  Second, I believe a significant amount of
abandoned or unused resources would be discovered and reclaimed.  Both
outcomes benefit the community.

>>> I think that going beyond "termination of services" to the step of
>>> placing resources back into the free pool and issuing them to other
>>> organizations would be outright counter-productive for all concerned
>>> (except in the case of clear abandonment).
>>
>> It depends on the legal explanation of exactly what it is ARIN does.
>>  At the end of the day, the "resources" that ARIN "issues" to
>> registrants are merely entries in WHOIS and rDNS.  ARIN cannot
>> actually issue numbers to (or take them away from) registrants
>> because numbers themselves cannot be owned, leased, etc.
>>
>
> Yep.

If you can agree to that explanation, I don't see how you can continue
to hold the position that you do.

>> I do not see a significant difference between removing a non-paying
>> registrant's entries from WHOIS/rDNS and replacing them with a paying
>> registrant's entries that happen to have the same or similar
>> numbers.  And, frankly, if we don't do the latter, what's the point
>> in the former?  Marking a bunch of space as "permanently unavailable"
>> accomplishes little.
>>
>
> It makes it easy to filter it out so it doesn't get hijacked.

Okay, that's of benefit.

> Besides who said anything about permanently unavailable. The space is
> either held by an organization or it isn't.  If we can't findthe
> organization, we record that fact and make it visible. Eventually,
> either we find out for sure that the organization is defunct, or, we
> find out that they do still exist. In the former case, resources can
> be reclaimed. In the latter case, they cannot.

Based on John Curran's recent messages, it is very difficult and
time-consuming to reliably determine that a company is defunct.  Given
ARIN's demonstrated unwillingness to take on work that policy doesn't
explicitly require them to take, the likely result is that space would
forever be "temporarily" unavailable.

> I'm just saying we shouldn't reclaim resources until we are certain
> that the organization no longer exists.

In contrast, I think we should reclaim resources if we cannot, after a
reasonable amount of effort, determine the registrant still exists _and_
either is still using those resources or is willing to sign an LRSA.

>>> There is no document anywhere that I know of which gives ARIN any
>>> such authority to revoke legacy resources based on current ARIN
>>> policy where it differs from the policies in effect under which the
>>> legacy resources were issued.
>>
>> I forget the original Latin, but there's a famous legal principle
>> that "what is not illegal must be legal".
>
> It is illegal to enforce terms of a contract against a non-signatory.

Yes, but I don't see the relevance of that statement.

>> ARIN can add or remove any WHOIS/rDNS entry it wishes unless
>> restricted by policy or by a contract, i.e. an RSA or LRSA.  IOW,
>> since non-LRSA legacy holders have no contract restricting what ARIN
>> does, they have no (legal) standing to complain if ARIN decides to
>> stop providing them unpaid, uncontracted registry services--just like
>> a homeless person has no (legal) standing to complain if a shelter
>> decides to stop giving them free meals.  That's purely a moral issue.
>>
>
> That's an interesting theory, but, I doubt that as the successor
> registry to registries that granted the registrations to organizations
> on very different terms with no contract stating that the terms could
> be subsequently changed without agreement, ARIN would actually have as
> good a standing as you
> claim in that situation.

ARIN only inherited an obligation to provide services gratis and in
perpetuity if its predecessors actually contracted with registrants to
do so _and_ ARIN is their legal successor in interest.  I'm fairly sure
the latter is true, but I'm almost certain the former is not.

A contract is only valid if there is an exchange of "consideration"
(usually goods or services in one direction and money in the other).  If
I promise you a free meal tomorrow but fail to provide one, you _cannot_
sue me for breach of contract because you paid no "consideration" for my
promise and therefore it was not a valid contract.

>>>> One can address most of those by having other processes that add to
>>>> the same list of resources to be reviewed.  For instance, one might
>>>> consider a resource not appearing in the DFZ to be a sign of
>>>> probable non-compliance which triggers a review.  Or resources
>>>> which have not been updated in the last N years.  Or not having
>>>> valid rDNS servers.  If the review concludes they're valid, the
>>>> registrant has 24 months before they have to worry about being
>>>> hassled again.
>>> There are specific policies allowing for non-connected networks and
>>> always have been. Why would the fact that a resource does not appear
>>> in one particular view (or even several views) of the DFZ be
>>> considered a sign of probable non-compliance? As to update cycle,
>>> some organizations are actually extremely stable. ... When did
>>> maintaining valid rDNS become a requirement even for a non-legacy
>>> holder? I can't find that requirement anywhere in the NRPM.
>>
>> Those are merely possible reasons to put someone into the review
>> queue.  If it turns out their use is justified (or close to it), no
>> action will be taken against them and they're exempt from another
>> without-cause review for 24 months.
>>
>> This is _precisely_ why I put that clause in 2007-14: to clarify that
>> ARIN could review resources that _appeared_ to be unjustified without
>> needing a priori proof of such.  The remainder of 2007-14 is there to
>> make sure that, when ARIN makes use of this power, the registrant is
>> protected.  I believe that ARIN has _always_ had this power, but the
>> response to an ACSP suggestion of mine indicated that ARIN was
>> uncomfortable wielding that power without explicit policy supporting it.
>>
>
> I'm saying that going after all or even some random number of
> resources on that basis is a dubious set of selection criteria at best
> and seems rather arbitrary to me.

If I see an elderly lady down the street from me tending her garden
every day for years, but then a few days go by without any sign of her
and there's an awful smell coming from her house, it's not unreasonable
for the police to enter and check to make sure she's still alive.  If it
turns out she's fine, no harm was done.

>>>> Yes, a sufficiently cagey registrant may be able to avoid all of
>>>> our heuristics, but most won't even try to.  It's reasonable to
>>>> lose a battle to a skilled and dedicated opponent; it's absolutely
>>>> indefensible to surrender a battle when your opponent doesn't even
>>>> show up, which is where we are right now.  Let's fix the latter
>>>> problem before we worry about the former.
>>> When did this shift from stewardship to seeking battles with legacy
>>> holders? That certainly was not my intent in NRPM 12.
>>
>> It's a metaphor.
>
> It doesn't sound like one. It sounds like an attempt to go after
> legacy holders just because they didn't sign the LRSA. I don't think
> that's right.

Regardless of how you may have interpreted, it was a metaphor.

And, for the record, I'd like to see LRSA signatories reviewed as well. 
We can't revoke their space, but it's useful for the community to
understand exactly what it is we're sanctioning so that we can decide if
it's a good idea to continue offering the LRSA.

>>> What reasons do you have for actively seeking to reclaim legacy
>>> resources that are not abandoned ... ?
>>
>> Primarily, it is the moral obligation we have to the _entire
>> community_ to act as stewards in an impartial manner, and IMHO that
>> overrides any moral obligation we have to individual
>> registrants--particularly ones that refuse to participate in the
>> community or take advantage of the (exceedingly generous, IMHO) terms
>> that the LRSA offers.
>
> I think that mis-characterizes the situation. Legacy holders received
> their resources under a different set of terms from predecessor
> registries. ARIN, if it doesn't want to be the successor registry and
> wants to terminate its services to legacy holders is welcome to do so.
> In that case, ARIN should identify a successor registry to transfer
> the stewardship of those resources to.

I'd be happy for ARIN to be rid of the legacy mess if anyone were
willing to operate a viable successor registry.  However, who is going
to do that when none of its registrants will be paying for the services
they receive?

> This theory that ARIN is somehow entitled as the successor registry to
> retroactively change the terms under which legacy resources were
> issued without the consent of the recipients really strikes me as
> being quite odd.

That's exactly what happened with domain names and with the other RIRs
that inherited legacy numbers.  ARIN has been far more generous to
legacy registrants, but IMHO now that we have the LRSA, it's time for
the honeymoon to end.

>> Also, I am concerned about the complaints (and potential legal
>> action) ARIN will face if we start actively reclaiming non-legacy
>> resources but do not attempt to reclaim (non-LRSA) legacy resources.
>>  Worse, showing irresponsibility here may justify attempts by others
>> to impose governmental (i.e. ITU) interference or end community-based
>> governance entirely.
>>
>
> I think it's pretty easy to show that those resources were issued by
> predecessor registries under different terms and conditions.

IMHO, that is irrelevant.

S

-- 
Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3646 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20101106/b9fdc57c/attachment.p7s>