[arin-ppml] IPv4 Transfer Policy Change to Keep Whois Accurate

Owen DeLong owen at delong.com
Sat May 21 19:13:54 EDT 2011


On May 21, 2011, at 7:01 AM, Mike Burns wrote:

>  
> Hi Owen,
>  
> Forgive the topposting,but we are on the merry-go-round again.

Indeed.

>  
> I am basing my interpretation of the law on the words of the head of ARIN, which you seem to dismiss, even though he made those statements under oath to a judge.

You are basing your interpretation on a subset of the words of the head of ARIN and ignoring details of the
subsequent rulings where the judge dictated that Kremen was not exempt from the requirement to sign an RSA
and was not exempt from the ARIN process. I believe that Mr. Plzak (who I will note subsequently stepped
down as CEO) erred in his statements in that case and that error was subsequently corrected.

> And on my reading of the MS/Nortel deal, in which I see an exclusive right to transfer, which plainly means ARIN cannot affect that transfer right.

No, that is not what it means. It means that no one else has the right to enact the transfer, but, it does not mean
that the transfer cannot be subject to ARIN policy, as, indeed, if you examine the ruling it was, in fact, contingent
on M$ signing an LRSA and certain other conditions related to ARIN policy.

> Your interpretation has become hoary with age, it was the same thing you were writing years ago.

It was right then and it is right now. I don't see how consistency in this belief is a bad thing.
Though I do appreciate the introduction of a new word to my vocabulary, I actually had to
look up hoary. I think that I am more likely to be considered hoary (and I don't think I
am particularly aged at a mere 44 years old) than my views here.

>  
> You continue to believe that ARIN will charge into the fray on its white horse and reclaim these legacy addresses.

I continue to believe that ARIN will work diligently to carry out the policies set by the community.
The CEO has said as much.

I believe that the NRPM makes it clear that other than as permitted in section 8, ARIN considers
IP number resources non-transferrable. As such, I expect transfers not registered with ARIN
to become the subject of NRPM 12 audits which will result in one of several possible outcomes:

	+	ARIN works with the recipient and/or the originator to complete and register the transfer
		under NRPM 8.

	+	ARIN works with the recipient and the originator to update the POCs and get the
		addresses restored to the original registrant.

	+	ARIN reclaims the addresses which were held by an earlier and now defunct
		organization to the detriment of the recipient who is under the misapprehension
		that the addresses were transferred to them outside of policy.

> Why?

Because it has happened in the past and is consistent with ARIN policy.

> When have they ever done this?

I am not privvy to specific examples, but, there is quite a bit of space listed in the revoked
and reclaimed pools by ARIN staff in their statistics which would indicate that it has, indeed,
happened.

> I wouldn't be relying on section 12, it is poorly written and does not give ARIN the right to review and revoke for utilization, and ARIN policies do not apply to legacy holders who got their addresses before ARIN came into existence. The real power lies in section

NRPM 12 does not extend or contract ARIN policy. It places limits on ARIN's ability to conduct
audits too frequently, and, provides a framework under which those audits can be conducted
by staff. Some LRSA signatories are exempt from usage-based review. Other than that, I don't
see how you can claim NRPM 12 prevents ARIN from reviewing and reclaiming for utilization.

I have repeatedly agreed with you that ARIN policies likely cannot be enforced against the original
legacy registrant who got their addresses before ARIN came into existence. Even if they could
(and I am not sure that they cannot), I would not advocate such. That has never been my claim
and is a misrepresentation of what I have said.

What I have said, consistently, is that someone other than the original registrant who believes
that they are able to receive a transfer of legacy resources without working through NRPM 8
to effect the transfer is mistaken. Even in the early days, addresses were issued to a specific
organization for a specific purpose and were not transferable except by acquisition and/or
merger which also involved the transfer of the underlying network infrastructure.

ARIN, as the successor in interest for the registry function provided by those earlier registries
does maintain the ability to enforce those terms and administer the address space
accordingly.

> 8 of the RSA, which legacy holders for the most part have not signed, and thus ARIN has no legal rights.
> Sure, they control Whois registration, and that is what I have heard John Curran say.
> And sure, if you define a transfer as a WHois update, then ARIN controls transfers.

There are three things that ARIN controls which can have an impact here:

	1.	Whois
	2.	rDNS
	3.	The ability to issue the numbers to another party and register them
		in (1) and (2) above.


>  
> But ARIN cannot legally stop a sale of legacy addresses to another party, if you believe that, then just keep watching as that continues to never happen, and as these legal transactions continue to the detriment of WHois.

True, but, they are not required to recognize that sale and there is no legal
basis for preventing ARIN from removing the registration for the legacy
holder once that legacy holder is defunct or no longer using the addresses
in accordance with their original terms of issue.

Once that happens, ARIN is free to issue those addresses to another party
and register them accordingly in whois and rDNS, leaving the third party
who thinks they bought the addresses in a rather tenuous position at best.

>  
> Neither  you nor I am a lawyer, so it is fair to discount our interpretations, but in the article I mentioned, a real lawyer was quoted as agreeing with my interpretation.
> Do you have any lawyer who holds with your interpretation?

I believe so, but, I will leave it to him if he wants to speak up on the matter.
I know he reads PPML.

Owen

>  
> Regards,
> Mike
>  
> PS THanks for the info on the prior discussion, I will snoop around the archives for 2008 to see if anything there is enlightening.
>  
>  
>  
>  
>  
> ----- Original Message -----
> From: Owen DeLong
> To: Mike Burns
> Cc: Tom Vest ; Chris Engel ; arin-ppml at arin.net
> 
>  
> No, this is an incorrect understanding of the ruling. The Plzak declaration is also
> not the final word on the subject. The exclusive right to transfer means that nobody
> else has the right to transfer them. It does not mean that they can be transfered
> regardless of policy or that ARIN must recognize a transfer outside of policy in the
> ARIN database.
>  
>  
> Legacy addresses were issued to a particular party for a particular purpose. Upon the end
> of that purpose or that party, they should be returned and are no longer legacy addresses.
> In the case of a transfer to a successor in interest through acquisition or merger, in some
> cases, the legacy status has been preserved, but, this is rare. In most cases, the receiving
> organization has been required to sign an ARIN standard RSA.
> 
> It works this way... Legacy status is the intersection of the holder and the resources which
> were registered together by a registry preceding the RIR system. Once either of those
> conditions ceases, the resources are no longer in legacy status (in most cases).
> 
> ARIN has an obligation to continue providing services to records with legacy status so long
> as that legacy status remains under the original terms of issue.
> 
> ARIN has the right to reclaim addresses from defunct legacy organizations.
>  
>  
>  
> 
>> Given this, legal legacy transfers can occur where the purchased amount may not meet ARIN's need requirement.
> 
> Not true. At least not if they want to be recognized by ARIN and have the transfer registered
> in whois.
> 
>> If the buyer cannot meet the requirement, he will not register the addresses, although I have argued he will likely want the addresses registered to reflect his ownership of their rights.
> 
> The unregistered addresses become subject to reclamation since they are no longer in
> use by the original organization under the original terms of issue.
> 
>> But if there is no needs requirement, the disincentive is removed, the registration takes place, and the buyer signs an RSA.
> 
> Ah, so you are once again confusing incentive with removal of disincentive. I can see how, to a limited extent, this
> might provide less of a disincentive for the recipient of a transfer from a legacy holder to register the transfer, but,
> I don't see how this is anything other than redundant to your point 1.
> 
>> My proposal also reduces the disincentive to sign the RSA, as it removes the utilization requirement and frees the buyer to resell the addresses to anybody, with or without need. (Unless that buyer already has transferred a /12 equivalent).
> 
> Yes, by neutering the RSA, you have removed some disincentives to sign it. However, I don't see neutering the RSA
> as a net positive in that regard. The community put section 12 into policy for a reason.
> 
>> So I believe the net effect of the proposal is to make the RSA more attractive, and reduce the disincentive for registration of legacy transfers which do not meet the needs test.
> 
> There is no such thing as a legacy transfer. There is a transfer of resources from a legacy holder, but, absent an
> awkward situation involving litigation these will almost always result in the space being handled as non-legacy
> if the transfer is recognized by ARIN.
> 
>> 
>> Remember, these are the intentions of the proposal, although I know you disagree with my legal interpretation, and thus the effect.
>> 
> 
> Yes... Your legal interpretation being contrary to statements made by ARIN counsel and John Curran, I
> am inclined to believe that it is not correct and therefore the effect of your proposal differs from your
> claimed effects.
> 
>> 
>>> 3. Provides for explicit protections against review audits for RSA holders after one year, bringing RSA rights more in accord with LRSA rights.
>> 
>>> Uh, yeah, I don't see that as a good thing. Quite the opposite. However, I do agree that it is an intended
>>> consequence of the proposal.
>> 
>>>> 4. Reduces transaction costs for transferers
>> 
>>> I believe it will actually increase them.
>> 
>> The intent of the proposal is that transactional costs related to the needs analysis can be avoided. These may be large or small. I suppose you mean the prices will be higher due to speculation, though.
>> 
> 
> Yes, I believe that the net price of the transaction will increase substantially. Further, the cost of
> needs analysis is built into the ARIN transfer fee which I do not think will change significantly
> as a result of this proposal. So, no price reduction and likely price increase. Doesn't look like
> a savings to me.
> 
>>>> 5. Reduces ARIN costs for needs analyses
>> 
>>> Agreed, but, not necessarily something I see as a beneficial aspect.
>> 
>> 
>>>> 6. Aligns ARIN policy with most possible interpretations of the legal rights of legacy holders
>> 
>>> No, aligns ARIN policy with one possible interpretation of the legal rights of legacy holders.
>>> IMHO, not even the most probable one.
>> 
>> See "exclusive right to transfer" and the Plzak declaration that ARIN has no authority over legacy addresses.
>> Would it be fair to say "Aligns ARIN policy with legal interpretation most friendly to legacy holders?"
>> My point being this alignment presents the lowest risk toARIN of being sued for tortious interference in a contract.
>> 
> 
> You have already been told multiple times that your interpretation of the words "exclusive right to transfer"
> is not correct. The Plzack declaration was substantially modified by later rulings in the Kremen case.
> 
>>>> 7. Imposes a yearly limit on needs-free transactions intended to prevent cornering.
>> 
>>> Yes, but, this limit is effectively a no-op because anyone can create multiple entities needed
>>> to accomplish enough /12 transfers to meet their desires.
>> 
>> I trust ARIN staff to detect these with the same diligence applied to needs tests and section 12 reviews.
>> 
> 
> It doesn't matter. If they are different organizations, ARIN can't claim that they aren't different organizations
> for policy purpose just because it's clear that they were created for the purpose of doing an end-run on
> the policy. ARIN must interpret the policy as written, even if that interpretation appears absurd, as in
> the case of the single aggregate clause in the transfer policy.
> 
>>> 
>>>> And likewise we have fairly addressed these issues.
>>> 
>> 
>>> To some extent.
>> 
>>>> Without considering (any more) the merits of those prior discussions, I would like to invite the consideration of any other potential benefits or consequences which we have not discussed.
>>>> I am cognizant that this is proposal is a significant departure, and that the discussion of similar policy in APNIC consumed several years.
>> 
>>> As it did here prior to being rejected here and accepted there.
>> 
>> I didn't know there had also been prior discussion here about this (or fairly similar) policy. Do you rember about when so I can search the archives?
>> 
> 
> In the early stages of 2008-2, there was discussion of a transfer policy without needs basis, at least among the AC before
> we formulated 2008-2. I believe it was rejected by the community pretty much out of hand fairly early in the discussion
> either at open policy hours and/or at the public policy meetings, but, it may have just been within the AC. After three
> years and a whole lot of policy work, I have to admit my memory on exactly when and where a given discussion took
> place is somewhat fuzzy.
> 
>>>> I think we have covered pretty much all the bases in our relatively short but active discussion period, but I agree with Tom that we really should stretch our minds to consider all the potential pitfalls.
>>>> So did we miss anything, or is there anything left to be said on the topics arrayed above? Any large loopholes or gotchas? Risks or threats we haven't considered?
>> 
>>> One I think worth exploring is that given the recent staff interpretation of the term RSA in policy,
>>> the requirement for RSA in the proposal may be insufficiently specific to express community
>>> intent.
>> 
>> I agree, though my intention was that it was the RSA, not an LRSA, but the RSA modified by my proposal.
>> 
> 
> Understood, but, staff has made it quite clear that they will not interpret the policy as
> written in that manner.
> 
> Unfortunately, I am not sure that we can actually influence the choice of RSA through policy.
> I'm hoping that a public clarification of this issue will be forthcoming soon.
> 
>>>> Maybe the increased/decreased exposure of ARIN to lawsuits?
>> 
>>> I think this would not significantly impact the legal exposure. We are as likely to get sued
>>> by someone unable to obtain resources in the market on the basis that we failed to properly
>>> regulate need in the market as we are to get sued by someone opposed to our attempts
>>> to regulate need, IMHO.
>> 
>> I can't see any legal right to sue ARIN if the community decides to drop the needs policy, but I am not a lawyer.
> 
> This is the united States. Anyone can sue anyone for just about anything.
> 
>> I wonder if anybody has sued APNIC on that basis?
> 
> Entirely different legal system(s).
> 
>> Maybe the ARIN legal staff can comment on that.
>> But I can sure see somebody suing ARIN if ARIN re-issues their address to another allocant.
> 
> ARIN wouldn't do that. What ARIN might do is issue addresses they have been hijacking to
> another registrant, but, the point of policy is that it does not protect hijackers from this. If you
> want the protections of guaranteed uniqueness, you have to play by the rules. If you do
> an unregistered transfer, then, you aren't a registrant, you are a squatter at best and a
> hijacker at worst.
> 
>> If ARIN's legal interpretation is that they can revoke legacy addresses if they are not utilized, for example, that leads to their reissuance, and legal trouble.
> 
> If they are still held by the original organization, generally ARIN will not do this. If they are being used
> by an unregistered organization for an unregistered purpose, ARIN will probably first try to contact
> the original organization to verify the intent. If a transfer was intended, ARIN would probably first attempt to work
> with that organization to see if an 8.2 or 8.3 transfer could be made to fit the situation somehow. If they
> cannot, or, the party using the addresses is unwilling to cooperate in that process, then, I have no
> problem with ARIN reclaiming the addresses and I think that is the correct course of action.
> 
>> If ARIN's legal interpretation is that legacy addresses are outside its authority, that risk is minimalized.
> 
> So long as they are held by the original legacy registrant or their successor in interest, I believe ARIN
> will continue to provide registration services to them. There is a difference between not reclaiming them
> and believing that they are outside of ARIN authority, however.
>> 
> 
> Owen
> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20110521/c398b5f9/attachment.htm>


More information about the ARIN-PPML mailing list