[arin-ppml] IPv4 Transfer Policy Change to Keep Whois Accurate

Owen DeLong owen at delong.com
Mon May 23 16:31:52 EDT 2011



On May 23, 2011, at 14:09, "Mike Burns" <mike at nationwideinc.com> wrote:

> Hi John,
> 
>> In 2006, ARIN's CEO Ray Plzak said the following in his statement on the Kremen matter:
> 
> 'Like other “legacy” address holders issued resources before ARIN began,
>  ARIN has never had an agreement with UUNET that would give it authority
>  over those specific resources.'
> 
>> I am certain that Ray believed those words to be true and accurate at the time
>> he stated them.  I will point out that he was referring specifically to lack of an
>> agreement with that particular legacy holder
> 
> No, John, he explicitly said "Like other legacy address holders".
> 

Point being a lack of agreements with the legacy holders themselves, separate
from agreements that do exist with IANA/ICANN, etc.

> 
>> that would provide the ability to
>> unilaterally implement the court's order, and also note that he goes on to state
>> furthermore that sub-allocations had been made out of those blocks to other
>> parties uncertain to ARIN.
> 
> Yes, ARIN was basically saying that a subset of addresses Kremen was claiming "ownership" of were legacy addresses.
> And in that context, ARIN was saying to the judge, "We have no authority over legacy addresses."
> 

Most definitely NOT what ARIN was saying to the judge or what was reflected
in the final rulings.

> 
>> Based on his statements, you've determined that "ARIN head Plzak declared
>> that ARIN does not control legacy addresses."    That's your prerogative, but
>> it looks to me to be a rather creative generalization of his points.
> 
> It looks to me like precisely what he was saying when you parse his statement to get rid of extraneous information:
> 
> "ARIN has never had an agreement that would give it authority over legacy addresses."
> 
> Do you quibble with my parsing?

I'll let John speak for himself as to whether or not he quibbles, but, I most certainly do.

"ARIN has never had an agreement with particular legacy holders that give them clear
authority over the conduct of the legacy holders with respect to the addresses." would
probably be accurate. However, ARIN also has no agreement with particular legacy
holders that would give those legacy holders authority over the content of the ARIN
databases, either. In the interests of good stewardship and smooth reliable functioning
of the internet, ARIN maintains services for legacy holders free of charge within the
bounds of ARIN policy. Legacy holders that feel this gives them a blanket exemption
from policy and/or the ability to force changes to the ARIN database(s) outside of policy
are mistaken. They don't have any contract that would allow that.

> 
>> Unlike Ray, I was at ARIN's inception.  I am also the President and CEO of ARIN
>> today, and I have stated for the record that ARIN does not control what IP addresses
>> people choose to use in their routers, but we definitely and with full authority control
>> the entries in the ARIN Whois DB and that those entries shall be maintained in
>> accordance with law and the policies developed by the community.
> 
>> Feel free to keep this more current statement in mind when developing policies
>> for this region as it will help reduce your confusion greatly.
> 
>> Thanks!
>> /John
> 
> John, whenever confronted with this question, you resort to boilerplate language relating to control over Whois.
> Which is a red herring. So I will try to pin you down, to reduce everybody's confusion.
> 

It really isn't.

> If I was allocated legacy space and never signed an LRSA, would it be illegal for me to sell those addresses to Company A?
> If Company A tried to route those addresses, would that be illegal?
> 

As John has stated, ARIN is not a regulatory authority and does not control what people
put into their routers. However, it would be against ARIN policy for company A to sell those
addresses to you unless it was done in line with section 8 of the NRPM. Were ARIN to
become aware of the unrecognized transfer, I believe their correct action would be
(and John, please chime in here if you believe I have anything wrong about what
would likely happen here):

	1.	Contact the original legacy holder and confirm that they are no
		longer using the resources and have transferred them to the
		current user.

			Confirmed: Continue to step 2.
			Denied: Reclaim (if no longer in use) or maintain existing record
				and make sure original holder is aware of the problem with
				the hijacker.

	2.	Contact the current user and attempt to resolve the matter and
		complete the transfer under NRPM 8.
			User works with ARIN and complies: Continue to step 3.
			User refuses or doesn't qualify: Go to step 4.

	3.	Complete updating of whois/rDNS and move on. Exit process.

	4.	Attempt to work with user to come to agreement on the portion
		of resources that can be reclaimed and bring the other resources
		in line with policy and work out an RSA.
			User works with ARIN and complies: Go to step 3.
			User refuses: Reclaim all affected resources and return
				them to the free pool.

> Please answer without relating to Whois. I realize that Whois would not be updated to reflect the sale, that is the whole point of my proposal.
> I am not asking about "transfers", okay? I am asking about sales.

ARIN has no involvement in sales of number resources or number resource
registrations, whether or not the resulting transfer is recognized under
NRPM 8, so, the question is malformed.

ARIN's role is limited to recognizing the transfer of number resource
registration as per NRPM 8 (or refusing to do so).

Further, ARIN has a role where they should reclaim resources they become aware
have been abandoned by the legitimate registrant unless ARIN can identify a valid
successor in interest (NRPM 8.2) or a recipient that otherwise qualifies under
the provisions of NRPM 8.3.

> I'm not asking whether you could allocate those addresses to somebody else and have Whois reflect the new allocation.
> I'm not asking whether a string of numbers has any value.
> I'm not claiming ARIN can tell anybody what numbers to configure into their routers.
> I'm not looking for a flip answer like "It would not be illegal for me to sell you the address 192.168.1.1, either."

Whether or not you consider that flip, that is the real answer.

> 
> I'm asking if it is illegal to sell legacy addresses without notifying ARIN, as this goes directly to the rationale for my proposal.

It's not illegal to sell non-legacy addresses without notifying ARIN. The legacy or non-legacy
or RFC-1918 or non-RFC-1918 status is irrelevant to the issue.

OTOH, selling integers is sort of questionable and I doubt that anyone thinks they are
actually purchasing the integers, but, rather at best the ability to register those integers
for uniqueness in an internet registry or at worst, some form of right to use those
integers on the internet.

In the case of the former, selling them outside of policy is arguably fraud since the registry
will not recognize such a right sold outside of policy. In the case of the latter, it might be
considered fraud, since nobody really has the power to universally grant or revoke such
a right, but, rather it is up to the individual operators of each router in the various networks
that make up the internet to make that particular determination for themselves.

> In the real world, if it is not illegal, and if it provides incentives to buyer and to seller, these transactions WILL happen.

Ah, but, doesn't that also depend on the disincentives that may or may not also be present?

Would you not agree that selling numbers themselves (selling integers) is rather silly?
How can one actually claim to own the number 5? What, exactly, would ownership
of the number 5 (or the number 4.4.4.5 or any other number sequence) mean?
I think the idea of number ownership is, at best, a legal fiction.

Would you not agree that the best case you could possibly make for your proposal would
be if there was the ability to sell some form of exclusive right to use the particular integers
for addressing on the internet?

However, for that to be what is sold, wouldn't the seller have to possess such a right to
begin with? Who, exactly would have granted that right to them? How does that right
extend to control over what other people do with their routers and by what authority?
Isn't the right to use a set of addresses on any particular network subject to and by
the permission of the owner of that individual network? Isn't the right to use a set
of IPv4 addresses globally across the internet subject to and by permission of the
owners of each and every individual network that makes up the internet? As such,
wouldn't it be, in the real world, impossible to create, produce, possess, or maintain
such a right absent a multilateral agreement signed by each and every network operator
on the entire internet (or at least all of the ones with active ASNs present in the
superset of all known BGP tables)?

So, I think I have established that an exclusive right to use numbers is also a legal fiction,
which leaves us only with the idea of the exclusive registration of a particular set of
numbers within an internet registry.

John has been using the "ARIN Whois Database" as shorthand, really, for the complete
set of registration services provided by ARIN in uniquely registering the association of
a particular unique set of number resources with a particular unique organization
identified in the database.

ARIN manages its database according to policies set by the community, as has been
stated by John several times.

It turns out that a lot of ISPs (those ones you'd have to build agreements with to create
an exclusive right to use), happen to use the ARIN registration database as a source
of authoritative information about legitimacy of coordinated use of number resources.

> And still in the real world, if the addresses continue to be usable after the sale, these sales WILL happen, and Whois accuracy will be lost.
> 

And here is the crux of the matter. Will the addresses continue to be usable?

What would prevent ARIN from registering them to someone else after removing
the records for the original holder who clearly abandoned them from the database
per ARIN policy?

What will ensure that ISPs remain willing to route those addresses to the purchaser
outside of policy vs. the third party now registered in the RIR database?

Do you not believe that this uncertainty would actually serve as a disincentive
to these sales? Again, I think you need to make it clear what, exactly, you think
is being sold in the real world in these instances of sales that you propose.


Owen
