[arin-ppml] Draft Policy 2010-10 (Global Proposal):GlobalPolicy for IPv4 Allocations by the IANA Post Exhaustion- Last Call (textrevised)

Owen DeLong owen at delong.com
Sat Nov 6 05:08:13 EDT 2010

On Nov 5, 2010, at 9:25 AM, Stephen Sprunk wrote:

> On 05 Nov 2010 01:56, Owen DeLong wrote:
>> On Nov 4, 2010, at 9:06 PM, Stephen Sprunk wrote:
>>> On 02 Nov 2010 22:30, Ted Mittelstaedt wrote:
>>>> I think that this is because ultimately the goal isn't to take
>>>> legacy resources away that are IN USE.
>>> IMHO, that depends on the degree of non-compliance.  I've worked with dozens of orgs with legacy space, and not a single one of them could even come close to justifying their space _that was in use_.
>>> However, I don't see any point in targeting orgs using their space inefficiently until we've dealt with all the ones (and I really do mean every last one that can be found) not using their space _at all_.
>> IMHO, targeting legacy holders for non-compliance with today's ARIN policies is dubious at best.
> I understand there are differences of opinion here; more on that below.
>> I agree we should seek to actively reclaim abandoned resources (resources where the ORG no longer exists). I think we should possibly reach out and request that ORGs no longer using their legacy resources voluntarily return them.
> I think we all agree on this much, which is why it seems a rather
> obvious first step.  Once this is underway, we can debate what (if
> anything) can/should be done about the other group.
>>>> Ultimately the goal should be to take legacy resources away that are either being hoarded, or are abandoned.
>>> "Hoarded" is a loaded term, and it's difficult to prove someone's doing it.  "Justified" is easily determined, though, since we _already_ have dozens of pages of policy describing exactly what that means.
>> What we don't have is any form of agreement by the legacy holders that the ARIN definition of justified applies to them.
> OTOH, absent an LRSA, there is no formal agreement that it doesn't.
Uh, generally it's pretty hard to claim that a contract is binding on an opt-out basis.

I can't just make up a contract and then say you are subject to it's terms just
because you don't have a contract that says otherwise.

>> Non-signatories to the LRSA are, thus, in an uncertain area. Signatories of the LRSA are clearly protected from current and future ARIN policies in this regard.
> Yes, that's an excellent carrot for folks to sign the LRSA.  We disagree
> only about the stick.
> I don't like using sticks, but eventually we're going to run out of
> folks that are interested in the carrot.
So? I really don't see the problem with leaving them alone to do their
own thing. I'd rather see them join the community, but, I simply don't
see any valid argument for attempting to do so by force.

>>>> Rubbish. If ARIN takes over an abandoned Legacy resource then since
>>>> it is abandoned, the original org that had it cannot suffer damages,
>>>> and since it hasn't suffered damages, it has no standing to sue in
>>>> court.
>>>> The problem is that since the original Legacy holder did NOT ever
>>>> sign an agreement with ARIN then ARIN has no contractual
>>>> justification to take over an abandoned Legacy assignment even if
>>>> they know it's unused,
>>> AFAICT, if the registrant does not have a contract (i.e. RSA or LRSA) with ARIN for registry services, ARIN has no obligation to continue providing them, especially for free.  There are many who feel ARIN has a _moral_ obligation to do so, but that's not a matter for the courts.
>> I agree that ARIN has a moral obligation to legacy holders.
> I agree ARIN has some sort of moral obligation to provide services, but
> that is in direct conflict with ARIN's charter to act as steward for the
> entire community.
Not really.

> I was willing to accept granting special privileges to _all_ legacy
> holders prior to the LRSA being made available; now that it is, though,
> I'm reluctant to accept continuing to grant those same special
> privileges to those who do not sign.
First, I don't agree with your use of the term "special privileges".

Second, I really don't think legacy holders are a major problem and
I don't see the point in pursuing them with pitchforks and torches
just because they choose not to join the ARIN community.

>> I am uncertain about what legal obligations ARIN has to legacy holders.
> We've been told in the past we should make policy we think is "right"
> for the community and let ARIN's counsel inform us if there are legal
> problems with our proposals.
> Counsel rarely participates in policy discussions prior to a formal
> proposal being on the table, so a bit of armchair lawyering is probably
> unavoidable, but it shouldn't dominate the discussion.
I hardly think a single sentence dominates a discussion.

>> I think that involuntary reclamation of legacy resources or "termination of services" to legacy holders is contrary to ARIN's best interests.
> I disagree.
And you are free to do so.

Care to back that up with what ARIN possibly gains by doing so other than
litigation expenses?

>> I think that going beyond "termination of services" to the step of placing resources back into the free pool and issuing them to other organizations would be outright counter-productive for all concerned (except in the case of clear abandonment).
> It depends on the legal explanation of exactly what it is ARIN does.  At
> the end of the day, the "resources" that ARIN "issues" to registrants
> are merely entries in WHOIS and rDNS.  ARIN cannot actually issue
> numbers to (or take them away from) registrants because numbers
> themselves cannot be owned, leased, etc.

> I do not see a significant difference between removing a non-paying
> registrant's entries from WHOIS/rDNS and replacing them with a paying
> registrant's entries that happen to have the same or similar numbers. 
> And, frankly, if we don't do the latter, what's the point in the
> former?  Marking a bunch of space as "permanently unavailable"
> accomplishes little.
It makes it easy to filter it out so it doesn't get hijacked.

Besides who said anything about permanently unavailable. The
space is either held by an organization or it isn't. If we can't find
the organization, we record that fact and make it visible. Eventually,
either we find out for sure that the organization is defunct, or, we
find out that they do still exist. In the former case, resources can
be reclaimed. In the latter case, they cannot.

I'm just saying we shouldn't reclaim resources until we are certain
that the organization no longer exists.

>>>> because so far the community has not given ARIN permission to do this via policy in the NRPM.
>>> That all depends on how one interprets NRPM 12.8.
>>> IMHO, ARIN _already_ had the power to apply policy to legacy space or revoke it entirely, and therefore NRPM 12 actually _limits_ how ARIN may do so, as it does for non-legacy resources.
>> Where did this power come from? For non-legacy holders, it comes from
>> the RSA which is a binding contract between the resource holder and ARIN
>> which entitles ARIN to revoke resources according to the NRPM.
>> There is no document anywhere that I know of which gives ARIN any such authority to revoke legacy resources based on current ARIN policy where it differs from the policies in effect under which the legacy resources were issued.
> I forget the original Latin, but there's a famous legal principle that
> "what is not illegal must be legal".
It is illegal to enforce terms of a contract against a non-signatory.

> ARIN can add or remove any WHOIS/rDNS entry it wishes unless restricted
> by policy or by a contract, i.e. an RSA or LRSA.  IOW, since non-LRSA
> legacy holders have no contract restricting what ARIN does, they have no
> (legal) standing to complain if ARIN decides to stop providing them
> unpaid, uncontracted registry services--just like a homeless person has
> no (legal) standing to complain if a shelter decides to stop giving them
> free meals.  That's purely a moral issue.
That's an interesting theory, but, I doubt that as the successor registry to
registries that granted the registrations to organizations on very different
terms with no contract stating that the terms could be subsequently changed
without agreement, ARIN would actually have as good a standing as you
claim in that situation.

>>> Wrong. ARIN would need to follow the procedure in NRPM 12, which
>>> governs _all_ reclamation activities.
>>> However, if all the POCs are unresponsive, then presumably they will
>>> not respond with justification as required in 12.1, they will not
>>> voluntarily return the resource(s) as required in 12.4, and
>>> eventually ARIN can revoke the resource(s) under 12.5.
>> Presumably the later stages of POC validation would include the notices
>> required under 12.1 such that by the time the POCs were marked invalid,
>> we would have at least completed the 12.4 waiting period as well, thus
>> making 12.5 effective pretty much as described above.
> That would be convenient.
I like to presume that staff is reasonably intelligent and generally tries to
be efficient. So far, that does seem to be the case.

>>> One can address most of those by having other processes that add to the same list of resources to be reviewed.  For instance, one might consider a resource not appearing in the DFZ to be a sign of probable non-compliance which triggers a review.  Or resources which have not been updated in the last N years.  Or not having valid rDNS servers.  If the review concludes they're valid, the registrant has 24 months before they have to worry about being hassled again.
>> There are specific policies allowing for non-connected networks and always have been. Why would the fact that a resource does not appear in one particular view (or even several views) of the DFZ be considered a sign of probable non-compliance? As to update cycle, some organizations
>> are actually extremely stable. ... When did maintaining valid rDNS become a requirement even for a non-legacy holder? I can't find that requirement anywhere in the NRPM.
> Those are merely possible reasons to put someone into the review queue. 
> If it turns out their use is justified (or close to it), no action will
> be taken against them and they're exempt from another without-cause
> review for 24 months.
> This is _precisely_ why I put that clause in 2007-14: to clarify that
> ARIN could review resources that _appeared_ to be unjustified without
> needing a priori proof of such.  The remainder of 2007-14 is there to
> make sure that, when ARIN makes use of this power, the registrant is
> protected.  I believe that ARIN has _always_ had this power, but the
> response to an ACSP suggestion of mine indicated that ARIN was
> uncomfortable wielding that power without explicit policy supporting it.
I'm saying that going after all or even some random number of
resources on that basis is a dubious set of selection criteria at
best and seems rather arbitrary to me.

>> What value of N would you propose? 5? 10? 15?
> I would propose N=15 to start with, reducing over time as this
> particular method ran out of folks to review.  I don't think it'd be
> wise to go below N=5.
>>> Yes, a sufficiently cagey registrant may be able to avoid all of our heuristics, but most won't even try to.  It's reasonable to lose a battle to a skilled and dedicated opponent; it's absolutely indefensible to surrender a battle when your opponent doesn't even show up, which is where we are right now.  Let's fix the latter problem before we worry about the former.
>> When did this shift from stewardship to seeking battles with legacy
>> holders? That certainly was not my intent in NRPM 12.
> It's a metaphor.
It doesn't sound like one. It sounds like an attempt to go after legacy
holders just because they didn't sign the LRSA. I don't think that's

>>> I don't think that "mining" IPv4 blocks for reclamation will have any
>>> meaningful effect on runout, but I still think it's worthwhile for
>>> several other reasons.
>> I understand the "other reasons" for reclamation of abandoned resources.
>> They're a good target for abuse.
> Agreed, and IMHO that's a good enough reason by itself.
I agree... in the case of abandoned resources. I don't agree if there
is any indication that the resources are not abandoned.

>> What reasons do you have for actively seeking to reclaim legacy resources that are not abandoned ... ?
> Primarily, it is the moral obligation we have to the _entire community_
> to act as stewards in an impartial manner, and IMHO that overrides any
> moral obligation we have to individual registrants--particularly ones
> that refuse to participate in the community or take advantage of the
> (exceedingly generous, IMHO) terms that the LRSA offers.
I think that mis-characterizes the situation. Legacy holders received
their resources under a different set of terms from predecessor registries.
ARIN, if it doesn't want to be the successor registry and wants to
terminate its services to legacy holders is welcome to do so. In that
case, ARIN should identify a successor registry to transfer the stewardship
of those resources to.

If ARIN wants to be the successor registry (which I think is generally
good for the community), then, ARIN should live up to the terms under
which the legacy resources were granted and should continue to provide
the services as agreed by the predecessor registry.

This theory that ARIN is somehow entitled as the successor registry
to retroactively change the terms under which legacy resources
were issued without the consent of the recipients really strikes me
as being quite odd.

> Also, I am concerned about the complaints (and potential legal action)
> ARIN will face if we start actively reclaiming non-legacy resources but
> do not attempt to reclaim (non-LRSA) legacy resources.  Worse, showing
> irresponsibility here may justify attempts by others to impose
> governmental (i.e. ITU) interference or end community-based governance
> entirely.
I think it's pretty easy to show that those resources were issued by
predecessor registries under different terms and conditions.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20101106/8bf2701f/attachment-0001.html>

More information about the ARIN-PPML mailing list