[arin-ppml] IPv4 Transfer Policy Change to Keep Whois Accurate

Tom Vest tvest at eyeconomics.com
Fri May 13 12:04:39 EDT 2011


Hi Mike, 

Sorry I haven't had time to stay on top of this discussion -- hope you'll excuse my attempt to answer your last two messages addressed to me with this one reply...

On May 12, 2011, at 9:41 AM, Mike Burns wrote:

> Hi Tom, ditto on the detailed response!
> 
> Yes I am a stickler for procedural fairness, probably that is why I want so few procedures.
> No, I would not call myself a champion of transparency and public disclosure, though I value information in the market, so there is a tension there.

I would definitely agree that there is tension. In fact, upon further reflection it looks like both of today's response(s) are completely silent on the question of the independent operational value of a public-facing whois interface, as distinguished from the other, uniqueness preservation-related value associated with IP number registries -- the latter of which I tend to think of as residing in the the non-public back-end of the registry. 

On May 12, 2011, at 1:00 PM, you followed up with this:

> My whole goal is to increase accuracy in Whois, and I am not relying on any financial or price mechanism for that increase.
> 
> I have not argued that pricing will increase registration, I have argued that pricing will ensure productive use.


After puzzling over these statements for a while, it occurred to me that we may be using the same generic terms to describe things that actually have very little or nothing at all in common with each other, apart from that connection to common terms of reference. In order to clarify whether we are talking about the same thing  (or at least partially intersecting things), it would be helpful if you would respond to the following two questions:

What definition of "accuracy in Whois" do you have in mind in this context? Can you provide an example of the absolute minimum set of whois parameters and parameter values (e.g., specific whois contact details | degree of verifiability / fidelity of those details ) that would be consistent with your definition of "accuracy in Whois"?

And why exactly do are we placing such a high value on "accuracy in Whois" anyway? From your point of view, what are the requirements|purposes|uses of whois that justify the considerable investments in time and effort that are required to maintain Whois data quality at this level? 

Though it might seem like a simple question, the range of possible answers is vast. Would your own criteria for whois "accuracy" and "purpose" be satisfied, for example, by a number resource registry that maintains 100% accurate contact records sufficient for the purpose of registry fee collection, but nothing more than that -- and only shares those few details with duly authorized LEAa and individuals who have been explicitly granted access by individual registrants themselves? Alternately, would you agree that the provision of open/public access to basic operationally relevant contact information on all registry clients is also an essential and indivisible part of the role of  the number resource registry maintainer? Where would you come down between these two extremes?

> I don't see that my single policy proposal to lift needs analyses for transfers of already allocated addresses exhibits little concern for procedural fairness or transparency.
> On the contrary, it seeks to reconcile legacy and non-legacy status as a step towards procedural fairness, and it's underlying rationale is related deal transparency.
> My lifting the needs requirement, deals which would have been transacted "in the dark" due to that requirement would have more incentive to be registered publicly.

In my mind, needs-related eligibility criteria and association registry practices are closely connected to (1) the purposes of whois as well as (2) the definition of whois accuracy. They also help to (3) establish bounding conditions for registry and registrant obligations and requirements that IMO are beneficial to all parties.

1. I believe that the public-facing "whois" side of the registry service is absolutely integral to the function of the number registry. I believe this because the whois service (together with various other data resources, and a lot of effort) permits community members to engage in a limited form of "macro-prudential" oversight and coordination, without which it would be much harder to keep the Internet working. Whois is not sufficient by itself to support that "macro-prudential" capability, but the absence of a source of data like whois would be sufficient to make it impossible for anyone to know enough to meaningfully engage in such "big picture" activities. 

2. This understanding of the purpose of whois entails a a definition of "data quality" that is near the maximalist (or "RIR-esque") rather than the minimalist (or "DNS registrar-esque) end of the spectrum. Quality is defined by the three dimensions of completeness (which for infrastructure operators would include real names and physical/geographical as well as electronic contact information) + timeliness + accuracy/fidelity. 

3. As a matter of operation practice, Initial "needs assessments" play an important role in assuring that each new addition to the registry database meets the highest-applicable data quality standard. Subsequent assessments help to maintain the quality of registry data at relatively high levels over time, at least for one important segment of registry participants, i.e., growing networks. 

4. The needs tests are also important because they establish a technical basis for reciprocal exchanges of confidential information and assurances within one narrowly defined domain. Basically, the needs rule makes it possible for the registry to provide as a kind of proxy ratings service for the entire community, but strictly limits the scope of their inquiries to questions about ownership or beneficial access to hardware and other inputs that are required to use IP addresses *as they were designed to be used.* No doubt every IP address seeker would prefer to just get their addresses on a no-questions-asked basis, but that's not a sustainable option -- e.g., as soon as that address seeker gets what they want, they join the community of address users who all have a common interest in preserving the remaining address resources as long as possible, so they themselves could get more in the future if necessary.  So while total secrecy might be preferred, the best alternative that actually works is to disclose as little as possible, and only to a proxy agent like the registry that is bound to maintain confidentiality but also capable of credibly "signaling" to the broader community that it has a new member. Without something like a needs test to bracket these interactions, privacy claims of first-time address seekers might make it impossible for registries to provide this proxy assurance service, while the operational and privacy requirements of current address users might be at at perpetual risk if registry decided to unilaterally expand its disclosure or eligibility demands.  

5. Finally, by linking access to IP number resources directly to possession of  precisely the sort of costly assets and/or commitments that would be most at risk if the s/he operates in a reckless manner, the needs test also helps (on the margin) to cause or confirm that the incentives of the address user are very broadly consistent with the continued functioning of the Internet. 

In other words, the needs test provides some (weak but nontrivial) assurance that address users all have some "skin in the *Internet* game." That's what makes it possible to describe this otherwise fractious, aggressively competing, often mutually antagonistic bunch as a "community."  It's also what makes the needs test rule different from and IMO much more effective than reliance the price mechanism, which can only assure that address buyers have "skin in some kind of game," with no constraint on the choice of game other than the address owner's expectation of profit. Of course they might coincidentally prefer the same game that actual network operators are engaged in, but there are lots of other possibilities -- including many that would be antithetical to the purposes for which IP addresses were created (e.g., the artificial scarcity game, the competitive exclusion game, etc.).

[Note: For those who haven't already made the leap, the reasons outlined above also suggest that the needs test should continue to apply for IPv6 requests. While we may assume without consequence that the needs-based eligibility began as nothing more than a super-simple rule for managing scarcity (I actually reject that interpretation, but don't have time to debate about history), I believe that its utility to that end represents just a small part of how it has contributed to the overall security and stability of the Internet over the last two decades. I guess we'll soon find out enough...]

> So I don't get the inconsistency with previous observations which walked us through the forest.
> 
> Oh, I'm sorry, in rereading the paragraph I can see that you were probably responding to prior posts about private registries.
> So you feel that my support of the idea of private registries conflicts with my desire to eliminate needs tests for transfers?
> I find they are both consistent examples of attempts to remove restrictions on the operation of free markets.


> As far as the DNS private market goes, I don't see the problem with it.
> I haven't personally had or seen issues with non-uniqueness of domain names.
> There are more tools to find domain names, there are cottage industries related to the resale of domain names, there are more tlds, there are lifetime registrations, there are cheaper domains.
> To me, DNS seems to work, and I have been running production DNS servers since 1996.

> Are there specific problems with the DNS private market that you feel would be absent from a market with a single "public" registrar?
> I think that would be an instructive conversation to have on the matter of private registries, which has always been a sideline issue to me.

Hopefully my remarks above will make clear why I think that a DNS-style registry model would be not only inappropriate for IP numbers, but would quite likely represent a grave threat the continued existence of the Internet as an autonomous, effectively global-scope system under civilian control. The fact that DNS registrars currently enjoy the de facto luxury to compete on features like level of obfuscation of whois data and/or degree of indifference to blatantly deceptive registrant contact information is not an a viable model for IP registries -- in fact, it is an artifact of the existence of an alternative source of critical coordination-enabling information that is both closer and provides a (often vastly) more complete, accurate, and useful view of operational "ground truth," -- a.k.a. the present-day whois services provided by the RIRs.

If ever a day comes when the registration data quality standards for both domain and IP registries converge down to the current norm for DNS registries, I predict that none of us on this list would have to worry about the consequences for long (and also that none of us would have much say about registry policy or operations thereafter). 

> I do think that registry services will see some extra pressure, post-exhaust, and maintaining a registry of uniqueness and accessibility will be vital. Hence you haven't seen me arguing to hide information from whois, rather to have whois reflect the real users of the address space, if only to provide accurate points of contact for abuse notifications. I believe that my proposed changes to the ARIN policy would have the effect of cleaning up some old inaccurate whois data (the provision to hold addresses without fear of revokation) and making new registrations more likely through reducing transaction costs in the form of needs analyses.
> 
> I also hold that it would increase the supply in the transfer markets, creating a safe harbor for those who wish to sell addresses but who fear a utilization review. I believe this will bring down price, benefitting the community both through cheaper access and through the movement of address from under- or dis-use into productive use.
> 
> But I don't hold that creating private registries will increase registration rates.
> I hold that eliminating needs requirements will increase registration rates.

Increasing the coverage of registry data by radically shrinking both the scope of its usefulness and the share of community members who can use it for any purpose is not a tradeoff that makes sense to me. IMO it should be considered harmful.

Regards,
TV

> Regards,
> Mike
> 
> 
> 
> 
> 
> 
> ----- Original Message ----- From: "Tom Vest" <tvest at eyeconomics.com>
> To: "Mike Burns" <mike at nationwideinc.com>
> Cc: "McTim" <dogwallah at gmail.com>; "Owen DeLong" <owen at delong.com>; <arin-ppml at arin.net>
> Sent: Thursday, May 12, 2011 4:58 AM
> Subject: Re: [arin-ppml] IPv4 Transfer Policy Change to Keep Whois Accurate
> 
> 
> Hi Mike,
> 
> Thanks for the very detailed response.
> Given the level of scrutiny that you've obviously devoted to this particular transfer transaction, and your repeated emphasis on what could be interpreted as gaps and inconsistencies in the accumulated public disclosures about this matter,  I am tempted to assume that you are either a real stickler for legalistic/rule-based/procedural fairness, or a determined champion of transparency and public disclosure -- or perhaps both (?).
> 
> And yet your policy proposals seem to exhibit very little of those concerns about procedural fairness and transparency -- but quite a bit of the same sort of fairy tale qualities that you disparage in the official account of the Nortel/Microsoft transfer justification. To paraphrase George Berkeley, if a tree falls in the woods but no one's around to hear it (and/or to witness whether it harms any other trees on the way down), do we still believe that it makes a sound? Or would be better to infer from the silence that trees in the forest have become immune to the laws of gravity, or perhaps that falling trees now spontaneously sublimate into gas as soon as they start tilting, thus making both sound and harm impossible? If we put enough distance between ourselves and the forest so that no sound can ever be heard, does that grant us the license to be indifferent as to which of these is (more) true -- or to take any position that appeals to us, regardless of its (in)consistency with previous observations?
> The same questions come up in the real world. For example, what does the generally low quality of domain-related whois data that is commonly observed in the competitive market for DNS registrar services say about the notion that the price mechanism alone is sufficient to sustain whois meaningful registry/whois participation? [1]. What can be inferred from a situation in which a 100% voluntary (and until very recently, 100% free) registry dedicated to much pricier assets still only attracts participation at levels that would be fatal to an IP number resource registry? HM Land Registry in the UK, for example, just passed the 70% national participation milestone (though participation in some rural counties remains below 50% ) after only 150+ years of membership promotion efforts) [2]. What, if anything, do you think that we can take away from the experiences of other private registries like these? Why should we assume that the private decision making calculus of future transfer market participants will favor registration/disclosure over nondisclosure at rates that are 2-3x higher than observed participation levels in other private registries?
> 
> For the record, I agree with you that the next few years are certain to test the current registry/whois system more severely than it has ever been tested in the past. I also believe that that system will continue to represent the best and only means at "our" (individual and/or collective) disposal, both for exercising "macro-prudential" judgment in private/commercial matters, and for serving as informed co-participants in "macro-prudential" coordination and oversight activities -- a.k.a. "industry self-governance." These functions are doubly critical in industries like the ours (which in this sense would include banking/finance) that are highly dependent on the consistency (or at least predictability) of transitive commercial interactions. As long as the "typical" inter-domain packet exchange must traverse 3~4 or more separate business entities in order to be completed, there is no reason to believe that "counterparty scrutiny" (or peer-mediated / "market discipline") alone will be sufficient to keep this industry afloat -- no matter how we reinforce those bilateral levers with (ironclad contracts | secure protocols | interpersonal relationships | faith in the rationality of markets).
> 
> The banking industry learned that lesson the hard way not so long ago -- or at least I'd like to think that parts of it did, even if there hasn't been any obvious change in the pace or direction of financial activity migration away from the "light" of reciprocal disclosure and limited transparency, and into the "shadows" where nobody knows nothing. Regardless, I think that *we* should take advantage of the opportunity to learn from this episode, even if bankers themselves don't. Considering that Internet industry members still enjoy the kind of operational autonomy and freedom of private action that US banks once had -- until their own self-governance mechanisms stopped working (and the Fed took over, c. 1907), the stakes on the line during the next few years really couldn't be higher...
> 
> TV, speaking form myself alone
> 
> On May 11, 2011, at 5:12 PM, Mike Burns wrote:
> 
>> Hi Tom and welcome to this particular discussion,
>> 
>> The current legal realities I referenced are the implications of the public information associated with the MS/Nortel deal.
>> 
>> In this forum I have argued that the public bankruptcy documents reveal that the addresses transferred from Nortel to MS were not originally allocated to Nortel, but represented some accumulation of addresses allocated to Nortel's "predecessors in interest" who were Nortel acquisitions from the 1990s.
>> 
>> I argued that MS and Nortel negotiated  a deal to sell all the addresses in that accretion, although the public documents reveal that Microsoft was able to bid on an amount smaller than the entire lot.
>> 
>> After the original asset sale agreement between MS and Nortel was negotiated, ARIN became aware of the transaction, and after some negotiations with the parties at interest, and some changes to the MS/Nortel asset agreement, made a press release claiming that the transfer could proceed under existing ARIN policy.
>> 
>> ARIN later revealed the policy utilized to be NRPM 8.3, which requires four things which may or may not have actually happened:
>> 
>> 1. Addresses are supposed to be issued back to ARIN and then reissued to the recipient, Microsoft, and the bankruptcy docs did not reveal this happened in any way.
>> 2. Address are supposed to be transferred as a single aggregate, but if the addresses were an assortment of netblocks from prior Nortel acquisitions, this could not have happened.
>> 3. Recipients were required to sign an RSA, MS signed a modified LRSA.
>> 4. Finally, the requirement at issue here, a needs analysis had to be completed by ARIN, which magically showed that MS qualified for exactly the amount already bid for and negotiated the sale of.
>> 
>> If they had needed fewer addresses, they could have bid for less than the full pool.
>> If they needed more addresses, they should have received an additional ARIN allocation.
>> Paraphrasing Goldilocks, the random allocation of addresses to long-ago Nortel acquisitions was "just right."
>> 
>> My reading of the bankruptcy documents leads me to the conclusion that the bankruptcy judge found that Nortel had the exclusive right to transfer the addresses, even though the judge had not been informed of any ex-post-facto NRPM 8.2 transfer from the original registrants to Nortel. To me, this means he was convinced that ARIN had no rights over transferring the addresses, although ARIN has rights over reflecting that transfer in Whois.  This is consistent with a declaration by the head of ARIN at the time in the Kremen case where he stated that ARIN has no authority over legacy addresses.
>> 
>> My argument is that the apparent success of RIR stewardship (although I claim many of the allocated and unrouted addresses represent failures here) over the last two decades is laudable and represents an obvious requirement in the stewardship of free pool resources, but is unnecessary in a post-exhaust age where the price of addresses will ensure efficient use.
>> 
>> I also argue that in the post-exhaust age, conflicts over claims to address rights will likely increase, putting more pressure on Whois to accurately represent reality.
>> 
>> Regards,
>> Mike Burns
>> 
>> 
>> 
>> 
>> 
>> 
>> ----- Original Message ----- From: "Tom Vest" <tvest at eyeconomics.com>
>> To: "Mike Burns" <mike at nationwideinc.com>
>> Cc: "McTim" <dogwallah at gmail.com>; "Owen DeLong" <owen at delong.com>; <arin-ppml at arin.net>
>> Sent: Wednesday, May 11, 2011 4:34 PM
>> Subject: Re: [arin-ppml] IPv4 Transfer Policy Change to Keep Whois Accurate
>> 
>> 
>> Hi Mike,
>> 
>> While it may or may not be true that your perspective on this question is consonant with that of "the APNIC community," elements within said community have been championing the same broad policy changes that you're advocating here now since the early 1990s. Thus it would seem that the views that you associate yourself with here couldn't possible have anything to do with "current legal realities" -- unless perhaps by "current" you mean something like "twentieth century."
>> 
>> Given that historical fact -- and the apparent success of the RIR stewardship mission over the intervening two decades of possible nonconformity with legal reality  -- on what basis could you legitimately claim that abandoning time-tested registry practices that have been integral to maintaining whois accuracy to date represents the best, or perhaps the only way to maintain whois accuracy in the future?
>> 
>> Alternately, if you actually had in mind some other, more recent legal developments -- which by definition could not have any causal relation to policy arguments that predated them by 10-15 years -- a clarification of exactly what those changes in legal reality are would be much appreciated.
>> 
>> Thanks,
>> 
>> TV
>> 
>> 
>> On May 11, 2011, at 3:13 PM, Mike Burns wrote:
>> 
>>> Hi Owen and McTim,
>>> 
>>> I, along with the APNIC community, could make the claim that you are abandoning the stewardship role in maintaining Whois accuracy, and sacrificing that stewardship role on the altar of an ARIN needs policy developed for the purposes of  free pool allocations that does not comply with current legal realities.
>>> 
>>> But charges of abandoning stewardship are inflammatory, and I hope we can keep to actual discussions of the implications of my proposal without casting aspersions.
>>> 
>>> Let's agree that we all seek the highest standards of stewardship, but disagree on how those standards should be applied.
>>> 
>>> I think I could characterize your opposition better by saying that you believe the danger of hoarding and speculation outweigh the risk to whois accuracy.
>>> Would that be an accurate statement, if not your exclusive objection to the proposal?
>>> 
>>> Regards,
>>> Mike
>>> 
>>> 
>>> 
>>> ----- Original Message ----- From: "McTim" <dogwallah at gmail.com>
>>> To: "Owen DeLong" <owen at delong.com>
>>> Cc: "Mike Burns" <mike at nationwideinc.com>; <arin-ppml at arin.net>
>>> Sent: Wednesday, May 11, 2011 2:53 PM
>>> Subject: Re: [arin-ppml] IPv4 Transfer Policy Change to Keep Whois Accurate
>>> 
>>> 
>>> On Wed, May 11, 2011 at 9:09 PM, Owen DeLong <owen at delong.com> wrote:
>>>> I oppose the policy as written.
>>> 
>>> +1
>>> 
>>> 
>>>> Abandoning our stewardship role for the sake of making it more likely
>>>> people will register their misappropriation of community resources is
>>>> like legalizing bank robbery in the hopes that the thieves will pay
>>>> income tax on their ill gotten gains.
>>> 
>>> ;-)
>>> 
>>> -- 
>>> Cheers,
>>> 
>>> McTim
>>> "A name indicates what we seek. An address indicates where it is. A
>>> route indicates how we get there." Jon Postel
>>> _______________________________________________
>>> PPML
>>> You are receiving this message because you are subscribed to
>>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
>>> Unsubscribe or manage your mailing list subscription at:
>>> http://lists.arin.net/mailman/listinfo/arin-ppml
>>> Please contact info at arin.net if you experience any issues.
>> 
> 




More information about the ARIN-PPML mailing list