[arin-ppml] Audits

Ronald F. Guilmette rfg at tristatelogic.com
Sat Nov 6 21:30:33 EDT 2010

In message <AANLkTimbrLX1LhQ4+ymb3tbqKm92Rzj=w-ceiZfmKmBE at mail.gmail.com>,  
William Herrin <bill at herrin.us> wrote:

>At some point within the next 24 months I think it very likely that
>this community will ask ARIN to aggressively recover unused space.
>This will likely include some sort of mechanism for recovering space
>whose registrants can't be contacted or won't confirm the resources'
>continued use.  I think it would be very helpful to have some legal
>guidance from ARIN counsel as to the least risky approaches to doing
>so before that policy gets drafted.

I want to do two things, and I'll try to do them as briefly as I can.

First, strange as it may sound, I want to come to the defense of John
Curran just a bit.

I just want to say that I also dislike that idea that was floated of
using LinkedIn as a research tool, e.g. for helping to find bits of
defunctness.  And I also am somewhat incredulous that it was even
suggested.  Let me explain...

In the first instance, I loath _any_ proprietary solution to anything.
I would dislike the notion of ARIN using LinkedIn for the exact same
reasons I would dislike the U.S. General Services Administration
"standardizing" on Microsoft Word.  Not only is it in some sense improper,
but it's also dangerous.  What if the proprietary solution and/or the
company behind it either evaporates or decides to treble its prices

But more to the point, it is just a technically impactical suggestion
from the get go.

I have had some successes of late finding hijacked IP blocks, but in
general, everything... every tool and process I have used to do that
is automated, and it has to be, because its a big world out there.

ARIN can't buy enough humans to sit and tap-tap-tap at www.linkedin.com
all day, looking for several hundred thousand POCs.  It's just not a
viable way to approach a problem at this scale.

OK, so now that I got that out of the way...

The second thing I wanted to do was to float a few trial balloons of my
own for possible approaches to this overall problem.

First, as I've said, anything that people ask ARIN to do has to be scalable
to (at least) a couple of hundred thousand instances.  Manual approaches
just won't do.

So anyway, there are four possible ways of contacing any POC, e-mail, phone
(voice), FAX, and snail-mail.

Although I don't know for sure... and John C. can fill in the blanks here...
I suspect that ARIN right now is trying to contact POCs only via e-mail...
in a mostly or entirely automated fashion.

In a nutshell, I believe that all four methods of contact can be both (a)
automated and also (b) outsourced, where appropriate.

I also believe that all four methods should be tried, in an automated
fashion, repeatedly, over a period of time, until such time as evidence
of life is obtained for some given POC.  Evidence of life would be
be obtained by including a magic cookie of some kind and asking the
recipient to type it into www.arin.net if he/she is in fact the contact
we're looking for.  (I also believe that all of this need not be and
should not be prohibitively expensive, especially if parts of it are
outsourced to companies that specialize in these sorts of things.)

I also believe that if in fact all four contact methods are tried (in
an automated fashion, as per the above) repeatedly, three times over
a 90 day period, spacing the attempt at 30 day intervals, and if no
sign of life is received, then the POC should thereafter be marked as
defunct, and that any number resource allocations for which all POCs
are currently marked defunct should be yanked from the data base
forthwith and returned to the (ARIN) free pool.

I also believe that some of these contact messages wll undoubtedly end
up being wrongly directed (e.g. due to changes of address) into the
hands of frivolous people who have nothing better to do and who will
type in the magic cookie, even though they have no connection to the
actual POC.  To eliminate this possibility effectively, I believe that
the proof of life should be mandated to include a fully refundable
$10 charge, payable via check, money order, or credit card... said
charge to be fully refunded by ARIN promptly upon reciept (again,
hopefully in a totally automated fashion).

This trivial refundable one-time charge scheme should effectively shake
out all instances of non-POCs who are just playing pranks, and also,
importantly, should shake out all instances of actual dead companies
that just happen to still have living POCs, but ones that themselves
are not really entitled to claim the dead organization's old number
resources.  (There's a big difference between merely SAYING that you
are the successor in interest of Acme Widgets, Inc., i.e. when you
actually aren't, and putting that on your credit card.  Even dimwits
who would not normally think of the former as being serious ``fraud''
will, I think, be given pause when they consider perpetrating unambiguous
criminal wire fraud which involves money changing hands, even if only
a small amount.)

In my opinion, any bellyaches or complaints about this trivially small,
fully refundable charge would be, at best disingenuous.  Can anyone
seriously complain about something that only costs them a bit of time
and maybe, at worst (if they have no access to a computer?) a postage

And its not like I'm the first one to think of a "refundable charge"
scheme like this.  Many online businesses have been using exactly such
a scheme for years now, with great success and few complaints.  It has
come time, I believe, for ARIN to adopt proven, industry-tested technical
solutions for well understood problems, e.g. separating the real from
the pranksters (and/or from the dead).

Lastly, and probably most controversially, it is my personal feeling that
that all of the above should be applied even-handedly, across the board,
for both non-legacy and legacy allocations and POCs.  But I understand
that others are likely to feel differently, and I think the scheme I
have described would still have substantial merit even if only applied
to a subset of ARIN region allocations, e.g. just the non-legacy stuff.

I suspect that if the above scheme were put into practice, within 90
days as much as 40% of all ARIN region allocated IP space would be

I don't know how much that would be, but it would be a lot.

And no, I do not see any of this as creating _any_ sorts of new legal
liability for ARIN.  In fact I will go further and say that I suspect
that most of the people who postulate publically about such possibilities
have themselves never set foot inside of a courtroom.

(Judges are not idiots, and they don't like people making work for them
unnecessarily, e.g. by filing court cases when they could just as easly...
or perhaps even more easily... worked out the problem amicably, without
any help from the judicial system.  So all _theoretical_ liability that
might, in theory, accrue from the above scheme can be eliminated trivially,
simply by adding to all of the above a community directive to ARIN that
if anybody ever shows up, very late, after their suff has already been
reclaimed, and says that they are mad and they want their stuff back,
ARIN should bend over backwards to give them some fresh new replacement
stuff that will do just as well... and a special small reserve pool should
be set aside and held by ARIN against exactly such rare and highly unlikely
possibilities.  If anybody _still_ wants to sue, even after being given
equal-sized replacement stuff, then they are just going to look like
assholes in court, _and_ they would have to demonstrated that they were
somehow harmed by being given a shiny new /18 to replace the /18 they
are bitching about... the one that got reclaimed.  And as long as ARIN
does reasonble due diligence... e.g. checking for emptyness and/or non-
routedness...  before it reclaims anything, then the whiner is going to
have a tough time selling his theory of ``harm'' in court, because there
isn't any.)


More information about the ARIN-PPML mailing list