[arin-ppml] New Version of ARIN-prop-126: Compliance Requirement

Scott Leibrand scottleibrand at gmail.com
Wed Apr 20 21:18:13 EDT 2011

On Wed, Feb 16, 2011 at 12:53 PM, Martin Hannigan <hannigan at gmail.com>wrote:

> On Wed, Feb 16, 2011 at 10:34 AM, Chris Grundemann
> <cgrundemann at gmail.com> wrote:
> > Policy statement:
> >
> > Resource Review
> > Update the following NRPM Sections:
> >
> > 12.4 - Update to: Organizations found by ARIN to be out of compliance
> > with current ARIN policy shall be required to update reassignment
> > information or return resources as needed to bring them into (or
> > reasonably close to) compliance.
> >
> > 1. The degree to which an organization may remain out of compliance
> > shall be based on the reasonable judgment of the ARIN staff and shall
> > balance all facts known, including the organization's utilization
> > rate, available address pool, and other factors as appropriate so as
> > to avoid forcing returns which will result in near-term additional
> > requests or unnecessary route de-aggregation.
> > 2. To the extent possible, entire blocks should be returned. Partial
> > address blocks shall be returned in such a way that the portion
> > retained will comprise a single aggregate block.
> >
> > (leave 12.5 as is)
> >
> > 12.6 - Update to: Except in cases of fraud, an organization shall be
> > given a minimum of thirty (30) days to respond. If an organization
> > does not respond within those thirty (30) days, ARIN may cease
> So they can take up to a minimum of thirty days to respond, and if
> they exceed the minimum they get the hammer dropped on them? You mean
> maximum?

The way I read that, ARIN must give them at least 30 days (the minimum).
 Under the proposed text, ARIN may give them up to 60 days (maximum) before
revoking rDNS.  As Bill expressed earlier, 'Such "zero tolerance" policies
have a history of making small problems big.'

> providing reverse DNS services to that organization. If progress of
> > resource returns or record corrections is not visible within sixty
> > (60) days after correspondence with ARIN began, ARIN will cease
> > providing reverse DNS services for the resources in question. At any
> > time after ninety (90) days have passed, ARIN may initiate resource
> > revocation as allowed in paragraph 12.5. ARIN shall negotiate a longer
> > term with the organization if ARIN believes the organization is
> > working in good faith to substantially restore compliance and has a
> > valid need for additional time to renumber out of the affected blocks.
> It's expensive and complex to respond to section 12 audits. This
> increases that expense for member orgs. It gives the Corporation too
> much leeway to do harm to its members, more than the substantial
> amount that we already allow through "discretion". Discretion also
> results in unpredictability. Policy should be as predictable as
> possible. That "discretion" could result in significant litigation and
> additional potentially unnecessary legal expenses. [2]

It doesn't appear to me that this policy changes the level of discretion
ARIN already enjoys in whether to start a section 12 audit.

> These audits take time and people. Some of these audits also "appear"
> to be being conducted with what might be questionable[1] "probable
> cause" as a result of tip-line like  fraud reporting activity. A
> majority of the fraud reports seem to be false positives. Revocation
> is the ultimate hammer and ARIN already has that power.
> Not in favor of this proposal. Section 12 is already ripe for abuse.
> ARIN should never shut off reverse unless a network is revoked since
> the possible collateral damage is too high and will likely cause
> problems for many others depending upon who gets crunked with this
> proposal. I would support a cap on answer-days to the path of
> revocation, but this proposal appears to be overkill based on the
> current data points that we have demonstrating a real problem (none).

As I understand it, the overall concern here is that currently 12.4 only
talks about returning resources to get back into compliance with policy.
 This policy would require that they "update reassignment information or
return resources as needed to bring them into (or reasonably close to)
compliance."  In my opinion, that is a good and necessary change to policy
to take into account that in the IPv6 world, people won't be coming back to
ARIN very often for space.  I'm undecided yet on whether ARIN should also be
revoking rDNS in order to enforce that.  I certainly wouldn't want to
require them to do so, but I think I'm OK with giving them the authority to
do so if they judge it to be the appropriate tool for the job...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20110420/3fb55822/attachment-0001.html>

More information about the ARIN-PPML mailing list