[arin-ppml] Draft Policy 2010-11: Required Resource Reviews

Owen DeLong owen at delong.com
Wed Oct 6 15:51:18 EDT 2010 

On Oct 6, 2010, at 11:57 AM, Alex Ryu wrote:

> I oppose this based on following thought.
> 
> 1) how can we differentiate /32 assignment for residential customers or /29 or large assignment? 
> A lot of cable modem or triple play ISP (start-up?) use /24 using Residential Privacy method per market. 
> /32 assignment is not obligated to report through SWIP or RWHOIS. 
> So the judgement for 25% is pretty much vague. 

Not at all... Since they wouldn't SWIP the space for the /32, /31, or /30 assignments, there's
no obfuscation of that space under residential customer privacy.

If 75% of their space is in residential /32s, infrastructure, etc. they still don't trigger.

A /24 for a market should _NOT_ be SWIP'd as residential privacy. It should be counted as
a market-serving DHCP range registered to the provider. So, if they're doing incorrect SWIPs
a resource review is legitimate.

> And mostly triple-play ISP or cable modem provider may be affected by this 25% triggers in most case.
> So it may be target for specific industry if this is mandated trigger. 

No, the trigger does not target them if they keep their records correctly.

> A lot of triple-play markets under RUS funding may be most of their customers are residential, and no business customers at all given that their market will be tier-3/4 rural area. 
> 
That still doesn't result in the trigger. Again, they shouldn't be SWIPing the space they use in the
manner you describe, so, it wouldn't affect the trigger.

> 
> 2) I don't see the any exception for repeated audit triggered by this policy if any ISP's business model is really residential ISP...
> If this policy is mandating the audit for triggered conditions without exceptions, they may be penalted unfairly under this policy. 

No. See me at the break and I will explain this to you in detail. It really does not afflict them in the
manner you are describing if they are keeping their records correctly.

Owen

> 
> Alex
> 
> 
> -----Original Message-----
> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of ARIN
> Sent: Wednesday, October 06, 2010 9:17 AM
> To: arin-ppml at arin.net
> Subject: Re: [arin-ppml] Draft Policy 2010-11: Required Resource Reviews
> 
> We have an update for the following:
>> B. ARIN General Counsel
>> 
>> Pending
> 
> Counsel found no significant legal issues with this draft policy.
> 
> Regards,
> 
> Communications and Member Services
> American Registry for Internet Numbers (ARIN)
> 
> 
> 
>> -----Original Message-----
> 
>> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
> 
>> Behalf Of Member Services
> 
>> Sent: Tuesday, July 20, 2010 2:12 PM
> 
>> To: arin-ppml at arin.net
> 
>> Subject: [arin-ppml] Draft Policy 2010-11: Required Resource Reviews
> 
>> 
> 
>> Draft Policy 2010-11
> 
>> Required Resource Reviews
> 
>> 
> 
>> On 15 July 2010 the ARIN Advisory Council (AC) selected "Required
> 
>> Resource Reviews" as a draft policy for adoption discussion on the PPML
> 
>> and at the Public Policy Meeting in Atlanta in October.
> 
>> 
> 
>> The draft was developed by the AC from policy proposal "117. Required
> 
>> Resource Reviews". Per the Policy Development Process the AC submitted
> 
>> text to ARIN for a staff and legal assessment prior to its selection as
> 
>> a draft policy. Below the draft policy is the ARIN staff and legal
> 
>> assessment, followed by the text that was submitted by the AC.
> 
>> 
> 
>> Draft Policy 2010-11 is below and can be found at:
> 
>> https://www.arin.net/policy/proposals/2010_11.html
> 
>> 
> 
>> You are encouraged to discuss Draft Policy 2010-11 on the PPML prior to
> 
>> the October Public Policy Meeting. Both the discussion on the list and
> 
>> at the meeting will be used by the ARIN Advisory Council to determine
> 
>> the community consensus for adopting this as policy.
> 
>> 
> 
>> The ARIN Policy Development Process can be found at:
> 
>> https://www.arin.net/policy/pdp.html
> 
>> 
> 
>> Draft Policies and Proposals under discussion can be found at:
> 
>> https://www.arin.net/policy/proposals/index.html
> 
>> 
> 
>> Regards,
> 
>> 
> 
>> Member Services
> 
>> American Registry for Internet Numbers (ARIN)
> 
>> 
> 
>> 
> 
>> ## * ##
> 
>> 
> 
>> 
> 
>> Draft Policy 2010-11
> 
>> Required Resource Reviews
> 
>> 
> 
>> Version/Date: 20 July 2010
> 
>> 
> 
>> Policy statement:
> 
>> 
> 
>> Replace the text "under sections 4-6" in section 12, paragraph 7 with
> 
>> "under paragraphs 12.4 through 12.6"
> 
>> 
> 
>> Add to section 12 the following text:
> 
>> 
> 
>> 10. Except as provided below, resource reviews are conducted at the
> 
>> discretion of the ARIN staff. In any of the circumstances mentioned
> 
>> below, a resource review must be initiated by ARIN staff:
> 
>> 
> 
>> a. Report or discovery of an acquisition, merger, transfer, trade or
> 
>> sale in which the infrastructure and customer base of a network move
> 
>> from one organization to another organization, but, the applicable IP
> 
>> resources are not transferred. In this case, the organization retaining
> 
>> the IP resources must be reviewed. The organization receiving the
> 
>> customers may also be reviewed at the discretion of the ARIN staff.
> 
>> 
> 
>> b. Upon receipt by ARIN of one or more credible reports of fraud or
> 
>> abuse of an IP address block. Abuse shall be defined as use of the
> 
>> block
> 
>> in violation of the RSA or other ARIN policies and shall not extend to
> 
>> include general reports of host conduct which are not within ARIN's
> 
>> scope.
> 
>> 
> 
>> c. In the case where an organization wishes to act as recipient of
> 
>> resources pursuant to a transfer under section 8.3, unless otherwise
> 
>> prohibited by paragraph 12.2(c).
> 
>> 
> 
>> d. An organization which submits a request for additional resources
> 
>> when
> 
>> more than 25% of their existing resources are obscured in SWIP or
> 
>> RWHOIS
> 
>> pursuant to section 4.2.3.7.6 (residential customer privacy).
> 
>> 
> 
>> e. Other than as specified in 12.10(c), paragraph 12.2(c) does not
> 
>> exempt organizations from the reviews required under section 12.10.
> 
>> 
> 
>> Rationale:
> 
>> 
> 
>> The first change is a minor correction which improves clarity and
> 
>> consistency of the original policy without changing the meaning.
> 
>> 
> 
>> The addition of 12.10 (a) through (e) serves to create a set of
> 
>> circumstances under which a resource review is required, rather than
> 
>> optional and entirely at ARIN staff discretion.
> 
>> 
> 
>> The majority of early comments on this proposal focused on 12.10 (e).
> 
>> Mostly it was confusion about the exact ramifications. This section
> 
>> will
> 
>> cause ARIN to maintain greater scrutiny only in cases where a given ISP
> 
>> issues more than 25% of their total space to residential customers who
> 
>> wish to remain anonymous and receive network blocks of /29 or larger.
> 
>> To
> 
>> the best of my knowledge, there are not currently any ISPs which meet
> 
>> this criteria. Additionally, it would only apply that scrutiny to IPv4,
> 
>> and will not carry forward into IPv6 residential assignments.
> 
>> 
> 
>> This policy should improve the compliance verification of ARIN policies
> 
>> and may result in the improved reclamation of under-utilized IP address
> 
>> space. It should also serve as a deterrent to certain address hoarding
> 
>> tactics which have come to light in recent history.
> 
>> 
> 
>> Timetable for implementation: Immediately upon ratification by the
> 
>> Board
> 
>> 
> 
>> 
> 
>> #####
> 
>> 
> 
>> 
> 
>> STAFF ASSESSMENT
> 
>> 
> 
>> Proposal: (117) Required Resource Reviews
> 
>> Proposal Version (Date): 07 July 2010
> 
>> Date of Assessment: 14 July 2010
> 
>> 
> 
>> 1. Proposal Summary (Staff Understanding)
> 
>> 
> 
>> This draft policy establishes new criteria to enact NRPM 12 resource
> 
>> reviews. It requires ARIN staff to initiate resource reviews when M&A
> 
>> activity occurs but IP addresses are not transferred to the acquirer;
> 
>> when fraud or abuse is reported to ARIN, either about a specific IP
> 
>> address range or about an OrgID; when any NRPM 8.3 transfer occurs; or
> 
>> when staff are reviewing an additional IP address request and find that
> 
>> more than a quarter of an OrgID's downstream SWIPs are covered under
> 
>> the
> 
>> Residential Customer Privacy policy.
> 
>> 
> 
>> 2. Comments
> 
>> 
> 
>> A. ARIN Staff Comments
> 
>> 
> 
>> * This proposal could cause ARIN staff to conduct resource reviews on
> 
>> a
> 
>> more frequent basis. Any prescription for prioritizing such reviews
> 
>> could delay other important registration activities from being
> 
>> processed
> 
>> in a timely manner.
> 
>> 
> 
>> B. ARIN General Counsel
> 
>> 
> 
>> Pending
> 
>> 
> 
>> 
> 
>> 3. Resource Impact
> 
>> 
> 
>> This policy would have moderate resource impact. It is estimated that
> 
>> implementation would occur within 6 months after ratification by the
> 
>> ARIN Board of Trustees. The following would be needed in order to
> 
>> implement:
> 
>> 
> 
>> * Resource reviews, audits, and fraud research require many man-hours.
> 
>> These new requirements to conduct audits on a much more regular basis
> 
>> could necessitate hiring and training additional registration staff.
> 
>> * Changes to current business practices
> 
>> * Staff training
> 
>> * Updated guidelines
> 
>> 
> 
>> 
> 
>> 4. Proposal Text
> 
>> 
> 
>> Policy statement:
> 
>> 
> 
>> Replace the text "under sections 4-6" in section 12, paragraph 7 with
> 
>> "under paragraphs 12.4 through 12.6"
> 
>> Add to section 12 the following text:
> 
>> 
> 
>> 10. Except as provided below, resource reviews are conducted at the
> 
>> discretion of the ARIN staff. In any of the circumstances mentioned
> 
>> below, a resource review must be initiated by ARIN staff:
> 
>> a. Report or discovery of an acquisition, merger, transfer, trade or
> 
>> sale in which the infrastructure and customer base of a network move
> 
>> from one organization to another organization, but, the applicable IP
> 
>> resources are not transferred. In this case, the organization retaining
> 
>> the IP resources must be reviewed. The organization receiving the
> 
>> customers may also be reviewed at the discretion of the ARIN staff.
> 
>> b. Upon receipt by ARIN of one or more credible reports of fraud or
> 
>> abuse of an IP address block. Abuse shall be defined as use of the
> 
>> block
> 
>> in violation of the RSA or other ARIN policies and shall not extend to
> 
>> include general reports of host conduct which are not within ARIN's
> 
>> scope.
> 
>> c. In the case where an organization wishes to act as recipient of
> 
>> resources pursuant to a transfer under section 8.3, unless otherwise
> 
>> prohibited by paragraph 12.2(c).
> 
>> d. An organization which submits a request for additional resources
> 
>> when more than 25% of their existing resources are obscured in SWIP or
> 
>> RWHOIS pursuant to section 4.2.3.7.6 (residential customer privacy).
> 
>> e. Other than as specified in 12.10(c), paragraph 12.2(c) does not
> 
>> exempt organizations from the reviews required under section 12.10.
> 
>> 
> 
>> Rationale:
> 
>> 
> 
>> The first change is a minor correction which improves clarity and
> 
>> consistency of the original policy without changing the meaning.
> 
>> The addition of 12.10 (a) through (e) serves to create a set of
> 
>> circumstances under which a resource review is required, rather than
> 
>> optional and entirely at ARIN staff discretion.
> 
>> 
> 
>> The majority of early comments on this proposal focused on 12.10 (e).
> 
>> Mostly it was confusion about the exact ramifications. This section
> 
>> will
> 
>> cause ARIN to maintain greater scrutiny only in cases where a given ISP
> 
>> issues more than 25% of their total space to residential customers who
> 
>> wish to remain anonymous and receive network blocks of /29 or larger.
> 
>> To
> 
>> the best of my knowledge, there are not currently any ISPs which meet
> 
>> this criteria. Additionally, it would only apply that scrutiny to IPv4,
> 
>> and will not carry forward into IPv6 residential assignments.
> 
>> 
> 
>> This policy should improve the compliance verification of ARIN policies
> 
>> and may result in the improved reclamation of under-utilized IP address
> 
>> space. It should also serve as a deterrent to certain address hoarding
> 
>> tactics which have come to light in recent history.
> 
>> 
> 
>> 
> 
>> 
> 
>> 
> 
>> 
> 
>> 
> 
>> _______________________________________________
> 
>> PPML
> 
>> You are receiving this message because you are subscribed to
> 
>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> 
>> Unsubscribe or manage your mailing list subscription at:
> 
>> http://lists.arin.net/mailman/listinfo/arin-ppml
> 
>> Please contact info at arin.net if you experience any issues.
> 
> 
> 
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.

More information about the ARIN-PPML mailing list