[arin-ppml] Draft Policy 2011-7 Compliance Requirement

Frank Bulk frnkblk at iname.com
Sat May 28 02:56:09 EDT 2011


In regard to ARIN counsel's discussion about "lack of compliance" -- ARIN
staff make that determination on new requests each and every day (i.e. the
request meets the policies or it doesn't).  It's not clear to me how
reviewing a current resource holder's compliancy requires "black and white",
or only to look at a subset of policies.  To be sure, a review does not
include the applicant's documentation, but that could be requested if what's
readily available is insufficient to verify compliancy.

I agree that the words "fraud" and "materially" are loaded words and that
this by itself requires that this proposal be re-written.

Frank

-----Original Message-----
From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
Behalf Of ARIN
Sent: Tuesday, May 24, 2011 2:10 PM
To: arin-ppml at arin.net
Subject: [arin-ppml] Draft Policy 2011-7 Compliance Requirement

Draft Policy ARIN-2011-7
Compliance Requirement

On 19 May 2011 the ARIN Advisory Council (AC) selected "Returned
IPv4 Addresses" as a draft policy for adoption discussion on the PPML
and at the Public Policy Meeting in San Juan, Puerto Rico in April.

The draft was developed by the AC from policy proposal "ARIN-prop-126
Compliance Requirement." Per the Policy Development Process the AC
submitted text to ARIN for a staff and legal assessment prior to its
selection as a draft policy. Below the draft policy is the ARIN staff
and legal assessment, followed by the text that was submitted by the AC.
Note that the AC revised the draft policy text after they received the
assessment from staff.

Draft Policy ARIN-2011-7 is below and can be found at:
https://www.arin.net/policy/proposals/2011_7.html

You are encouraged to discuss Draft Policy 2011-7 on the PPML prior to
the October Public Policy Meeting. Both the discussion on the list and
at the meeting will be used by the ARIN Advisory Council to determine
the community consensus for adopting this as policy.

The ARIN Policy Development Process can be found at:
https://www.arin.net/policy/pdp.html

Draft Policies and Proposals under discussion can be found at:
https://www.arin.net/policy/proposals/index.html

Regards,

Member Services
American Registry for Internet Numbers (ARIN)


## * ##


Draft Policy ARIN-2011-7
Compliance Requirement

Date/version: 24 May 2011

Policy statement:

Resource Review
Update the following NRPM Sections:

12.4 - Update to:
Organizations found by ARIN to be out of compliance with current ARIN
policy shall be required to update reassignment information or return
resources as needed to bring them into (or reasonably close to) compliance

1. The degree to which an organization may remain out of compliance
shall be based on the reasonable judgment of the ARIN staff and shall
balance all facts known, including the organization's utilization rate,
available address pool, and other factors as appropriate so as to avoid
forcing returns which will result in near-term additional requests or
unnecessary route de-aggregation.

2. To the extent possible, entire blocks should be returned. Partial
address blocks shall be returned in such a way that the portion retained
will comprise a single aggregate block.

(leave 12.5 as is)

12.6 - Update to:
Except in cases of fraud, an organization shall be given a minimum of
thirty (30) days to respond. If an organization does not respond within
those thirty (30) days, ARIN may cease providing reverse DNS services to
that organization. If progress of resource returns or record corrections
is not visible within sixty (60) days after correspondence with ARIN
began, ARIN will cease providing reverse DNS services for the resources
in question. At any time after ninety (90) days have passed, ARIN may
initiate resource revocation as allowed in paragraph 12.5. ARIN shall
negotiate a longer term with the
organization if ARIN believes the organization is working in good faith
to substantially restore compliance and has a valid need for additional
time to renumber out of the affected blocks.


Rationale:

This version addresses several staff and legal concerns with the
original text of this policy by clarifying the language and making it
more concrete.

To date the community has not documented or firmly established use of an
effective enforcement mechanism. This policy will support current policy
and compel those who are allocated ARIN resources to maintain the proper
WHOIS records in accordance with ARIN NRPM. While it is recognized this
is not an absolute solution to ensure compliance, it is the best method
under current ARIN policies.

Timetable for implementation: Immediate


#####


This is an assessment of the proposal as originally submitted by the AC.
The AC subsequently revised the proposal/draft policy text (see current
version above).

STAFF ASSESSMENT

Proposal:  Compliance Requirement (ARIN-prop-126)
Policy Version (Date): 11 January 2011
Date of Assessment:  28 January 2011

   1. Proposal Summary (Staff Understanding)

This policy requires ARIN staff to not only identify customers who are
out of compliance with policy, but to withhold services for those who
fail to come into compliance within a designated time.  Staff is to
contact customers who are out of compliance with policy and give them 30
days to respond to our contact and to demonstrate they've begun to take
corrective measures within 60 days. If either of these criteria is not
met, the policy instructs staff to cease providing reverse DNS services
to the customer or to begin reclamation efforts.

   2. Comments
     A. ARIN Staff Comments

- The policy says either "take away reverse" or "reclaim the numbers".
  It would be helpful to staff if there was clear guidance as to when
  revocation was to be used over reverse dns removal.  Without clear
  guidance, staff would implement this in such a way that reverse dns
  removal would be used as the first step of the enforcement, and
  revocation of the resource as the final step when an organization is
  unable to come into compliance within a defined time period.
- The term "materially out of compliance" is not well defined anywhere
  within this policy.  Without additional criteria, staff will continue to
  interpret this term somewhat liberally, and to apply it at our
  discretion using our best judgment and consideration of existing
  factors.  Only those organizations that we deem to be significantly in
  violation of existing policy will be flagged for further review and audit.

     B. ARIN General Counsel

This policy has significant legal implications.  It needs to be
carefully edited to remove unnecessary ambiguities that might require
enforcement when it should be discretionary and to avoid giving those
"enforced against" arguments that will require case-by-case adjudication.

For example, the first line of the policy at 12.4 uses "materiality" as
a standard.  I strongly recommend against such a standard, as anyone who
is treated adversely will argue their "noncompliance" is "not material."
If lack of compliance is the issue, it must be "black or white" as a
review matter to protect against such drafting problems.  If you believe
noncompliance with a limited number of policies is a better approach,
you can define such a set rather than overall compliance.

Second, the "requested or required" (emphasis added) language is
conceptually quite different - one is "a request," the other "a
command."  They must be separated if an escalation from "requested" to
"required" is intended.

Third, a similar drafting problem appears in 12.6 where "fraud" (a bad
and intentional thing) is equated to "violations of policy" which could
be trivial and not intended.

Overall, if the policy was enacted as is, the risk of legal issues being
thrust upon ARIN is unattractive and unwise.  Counsel respectfully
suggests a thorough rewrite of the draft to remove these and other
issues of concern.

3. Resource Impact

This policy would have moderate resource impact from an implementation
aspect.  It is estimated that implementation could occur within 6 - 9
months after ratification by the ARIN Board of Trustees.

The implementation of this policy will require new software tools to
track these newly defined deadlines.  Additionally, there will likely be
a significant increase in time and workload for the RS team as the
potential for a significant increase in resource audits due to
non-compliance with IPv6 reassignment requirements is great. This may
even require additional personnel, although it is too early to tell
right now.

The following would be needed in order to implement:
- Updated guidelines and website documentation
- Staff training
- Software tools would need to be developed to track the 30 and 60-day
  deadlines.

4. Proposal Text

ARIN-prop-126

Policy statement:
Resource Review
Update the following NRPM Sections:
12.4 Update to:
Organizations found by ARIN to be materially out of compliance with
current ARIN policy shall be requested or required to return resources
or update reassignment information as needed to bring them into (or
reasonably close to) compliance.
12.5 Update to:
If the organization does not voluntarily return resources or update
reassignment information as requested, ARIN will cease providing reverse
DNS services and/or revoke any resources issued by ARIN as required to
bring the organization into overall compliance. ARIN shall follow the
same guidelines for revocation that are required for voluntary return in
the previous paragraph.
12.6 Update to:
Except in cases of fraud, or violations of policy, an organization shall
be given a minimum (30) days to respond. Progress of record(s)
correction(s) must be visible within (60) days after correspondence with
ARIN began or ARIN will start proceeding with removal of DNS services
and/or resources issued by ARIN. ARIN shall negotiate a longer term
with the organization if ARIN believes the organization is working in
good faith to substantially restore compliance and has a valid need for
additional time to renumber out of the affected blocks.
Rationale:
To date the community has not documented or firmly established use of an
effective enforcement mechanism. This policy will support current
policy and compel those who are allocated ARIN resources to maintain the
proper WHOIS records in accordance with ARIN NRPM. While it is
recognized this is not an absolute solution to ensure compliance, it is
the best method under current ARIN policies.





