[arin-ppml] New Version of ARIN-prop-126: Compliance Requirement

Martin Hannigan hannigan at gmail.com
Wed Feb 16 11:53:25 EST 2011

On Wed, Feb 16, 2011 at 10:34 AM, Chris Grundemann
<cgrundemann at gmail.com> wrote:
> Hail PPML!
> I am the primary AC shepherd for ARIN-prop-126: Compliance Requirement
> and I would like to hear your comments and feedback on this new
> version of the proposal (included below). If the community is happy
> with this text; I will take the necessary steps as shepherd to advance
> it to the next stage of the process, which would be getting the AC to
> promote it to a draft policy (https://www.arin.net/policy/pdp.html).
> One thing to note: This proposal updates existing policy and as such
> not all of the text is new or a change. Please review the current
> policy language when evaluating this proposal:
> https://www.arin.net/policy/nrpm.html#twelve.
> Thanks in advance for your input!
> Cheers,
> ~Chris
> ####
> ARIN-prop-126: Compliance Requirement
> Proposal Originator: Marla Azinger
> Proposal Version: 2
> Date: 16 February 2011
> Proposal type: new
> Policy term: permanent
> Policy statement:
> Resource Review
> Update the following NRPM Sections:
> 12.4 - Update to: Organizations found by ARIN to be out of compliance
> with current ARIN policy shall be required to update reassignment
> information or return resources as needed to bring them into (or
> reasonably close to) compliance.
> 1. The degree to which an organization may remain out of compliance
> shall be based on the reasonable judgment of the ARIN staff and shall
> balance all facts known, including the organization's utilization
> rate, available address pool, and other factors as appropriate so as
> to avoid forcing returns which will result in near-term additional
> requests or unnecessary route de-aggregation.
> 2. To the extent possible, entire blocks should be returned. Partial
> address blocks shall be returned in such a way that the portion
> retained will comprise a single aggregate block.
> (leave 12.5 as is)
> 12.6 - Update to: Except in cases of fraud, an organization shall be
> given a minimum of thirty (30) days to respond. If an organization
> does not respond within those thirty (30) days, ARIN may cease

So they can take up to a minimum of thirty days to respond, and if
they exceed the minimum they get the hammer dropped on them? You mean

> providing reverse DNS services to that organization. If progress of
> resource returns or record corrections is not visible within sixty
> (60) days after correspondence with ARIN began, ARIN will cease
> providing reverse DNS services for the resources in question. At any
> time after ninety (90) days have passed, ARIN may initiate resource
> revocation as allowed in paragraph 12.5. ARIN shall negotiate a longer
> term with the organization if ARIN believes the organization is
> working in good faith to substantially restore compliance and has a
> valid need for additional time to renumber out of the affected blocks.

It's expensive and complex to respond to section 12 audits. This
increases that expense for member orgs. It gives the Corporation too
much leeway to do harm to its members, more than the substantial
amount that we already allow through "discretion". Discretion also
results in unpredictability. Policy should be as predictable as
possible. That "discretion" could result in significant litigation and
additional potentially unnecessary legal expenses. [2]

These audits take time and people. Some of these audits also "appear"
to be being conducted with what might be questionable[1] "probable
cause" as a result of tip-line like  fraud reporting activity. A
majority of the fraud reports seem to be false positives. Revocation
is the ultimate hammer and ARIN already has that power.

Not in favor of this proposal. Section 12 is already ripe for abuse.
ARIN should never shut off reverse unless a network is revoked since
the possible collateral damage is too high and will likely cause
problems for many others depending upon who gets crunked with this
proposal. I would support a cap on answer-days to the path of
revocation, but this proposal appears to be overkill based on the
current data points that we have demonstrating a real problem (none).



1. https://www.arin.net/resources/fraud/results/third_quarter_2010.html

2.  https://www.arin.net/about_us/corp_docs/budget.html

 In 2010, ARIN budgeted .5M for legal expenses. ARIN has recently
suggested that some proposals may interfere with fee reductions for
members. The 2011 budget is not posted and I have no idea what that
number will be or what the corporation thinks performance to that
number will be).

More information about the ARIN-PPML mailing list