[arin-ppml] 2011-1 dissent Was: Re: ARIN-2011-1: ARINInter-RIRTransfers - Last Call

William Herrin bill at herrin.us
Mon Oct 24 17:42:03 EDT 2011

On Sat, Oct 22, 2011 at 1:16 AM, John Curran <jcurran at arin.net> wrote:
> On Oct 21, 2011, at 8:44 PM, William Herrin wrote:
>> So to summarize: I would find it difficult to be a repeat offender,
>> but as long as I dot my i's cross my t's and content myself with just
>> one grab, draft policy 2011-1 as presently written would enable me to
>> buy a Lexus by raiding the free pool and more or less immediately
>> selling the results out-region... to someone with no access to a free
>> pool operating under a much more permissive needs-based justification
>> than ARIN requires. And with little risk: at worst really just the
>> loss of the $4500 allocation fee.
>If you follow through on using the assigned resources as
>specified on the request, then no resource fraud would be

Just in case there's anyone entertaining the idea that, "This isn't a
concern because no one with 50,000 smartphone customers would risk our
wrath," here's an alternate play that's strictly fly-by-night.

Stand up 16 legal entities, 1 each named after nearby public parks.
Install a solar-powered wifi hotspot at each park and backhaul them
(wirelessly of course) to two additional entities designed to be
BGP-speaking backhauls. I'm such a nice guy, I'll even make the park
wifi free to park patrons. While it's running anyway; reliability
isn't my priority.

For this modest investment, each of the 16 entities is now multihomed
and, as each park could easily host 150 wifi clients, can justify a
/24. Acquire addresses from the ARIN free pool and configure them on
the equipment. Drive around and make sure each site logs enough users
at least once to justify the full /24. I now hold 16 /24's and
documentation which fulfills my justified use obligation.

Sell them outregion to an entity that can't get /24's locally and
meets it's local RIR's nominal needs-based justification. Initiate
specified recipient transfers per 2011-1.

Upon completion of the transfer (including the ARIN audits in which
the documentation shows fulfillment of all the use justification thus
no fraud) tear down the wifi hotspots and terminate the organizations
created for them.

Stand up 16 more legal entities, named after a set of shopping mall
food courts. Rinse and repeat.

At $5/address this is not practical, but if addresses go for $20 each
this grosses $82k on an investment around $40k with a 3ish month
turnaround. So, double your money in three months with a by-the-book
raid on the ARIN free pool. And I'm sure this could be refined further
to either cut the cost or increase the block size from /24 so that
even at $5/address you could come out ahead.

> Note also that this potential
> concern exists in the existing NRPM 8.3 policy with respect
> to in-region transfers.

Without draft 2011-1 it does me limited good to acquire these
addresses. Any transferee will be in the ARIN region where they have
the same access I do to the remaining free pool and have to meet the
same justified use criteria that I do in order to receive addresses
either from the free pool or from me. I present the transferee no
value as a middleman.

Note that the board recognized the related-legal-entities issue a few
years ago, but IIRC they abandoned their attempt to address it,
possibly for lack of a usable legal framework. No joy to be found down
that blind alley and I imagine the prevailing view was that with a
strong needs justification applied independently to each legal entity
there was relatively little damage that could be done.

Bill Herrin

William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

More information about the ARIN-PPML mailing list