[arin-ppml] 2011-1 dissent Was: Re: ARIN-2011-1:ARINInter-RIRTransfers - Last Call

Mike Burns mike at nationwideinc.com
Mon Oct 24 18:43:46 EDT 2011

Hi Bill,

We are talking about very public information here.

ARIN will know who the applicant was, what the blocks were, when they were 
applied for, why they were requested, when they were sold, and to whom they 
were sold.

How many times could you rinse/repeat this cycle before the activity became 
so evident that ARIN refused to authorize the transfer, and instead 
attempted reclamation due to fraud?

If there is something in the RSA which speaks to a declared intention of the 
applicant, engaging in the behavior you describe would display another 
intention entirely, and would rise to a level of fraud such that Section 12 
could be employed.

If these are shell entities, then you have to add the cost of creating and 
maintaining the shells, and most importantly, the risk cost of engaging in 
fraudulent contracts.

Since the transfers are done in the open, it wouldn't be too hard to spot 
patterns of abuse such as you describe, in fact ARIN would have a community 
of watch dogs with access to these transactions.

I agree that the Inter Regional transfer policy creates the motivations 
which would prompt such behavior, but we would be facing the same 
motivations here in less than five years anyway.

I agree that protections against fraud in obtaining addresses from the free 
pool will become increasingly important, and if there was some work in the 
past related to detecting related-legal-entities, it would be prudent to 
revisit that subject.

Bill, what would you think about preventing those who receive addresses from 
the free pool from selling addresses for some timeframe commencing at the 
time of their last allocation?

I believe a year's prohibition would crimp many of these kind of plans, but 
maybe it should be a shorter or longer time period?

I think that as addresses gain monetary value, analyzing the scammability of 
policies is vital.



Just in case there's anyone entertaining the idea that, "This isn't a
concern because no one with 50,000 smartphone customers would risk our
wrath," here's an alternate play that's strictly fly-by-night.

Stand up 16 legal entities, 1 each named after nearby public parks.
Install a solar-powered wifi hotspot at each park and backhaul them
(wirelessly of course) to two additional entities designed to be
BGP-speaking backhauls. I'm such a nice guy, I'll even make the park
wifi free to park patrons. While it's running anyway; reliability
isn't my priority.

For this modest investment, each of the 16 entities is now multihomed
and, as each park could easily host 150 wifi clients, can justify a
/24. Acquire addresses from the ARIN free pool and configure them on
the equipment. Drive around and make sure each site logs enough users
at least once to justify the full /24. I now hold 16 /24's and
documentation which fulfills my justified use obligation.

Sell them outregion to an entity that can't get /24's locally and
meets it's local RIR's nominal needs-based justification. Initiate
specified recipient transfers per 2011-1.

Upon completion of the transfer (including the ARIN audits in which
the documentation shows fulfillment of all the use justification thus
no fraud) tear down the wifi hotspots and terminate the organizations
created for them.

Stand up 16 more legal entities, named after a set of shopping mall
food courts. Rinse and repeat.

At $5/address this is not practical, but if addresses go for $20 each
this grosses $82k on an investment around $40k with a 3ish month
turnaround. So, double your money in three months with a by-the-book
raid on the ARIN free pool. And I'm sure this could be refined further
to either cut the cost or increase the block size from /24 so that
even at $5/address you could come out ahead.

> Note also that this potential
> concern exists in the existing NRPM 8.3 policy with respect
> to in-region transfers.

Without draft 2011-1 it does me limited good to acquire these
addresses. Any transferee will be in the ARIN region where they have
the same access I do to the remaining free pool and have to meet the
same justified use criteria that I do in order to receive addresses
either from the free pool or from me. I present the transferee no
value as a middleman.

Note that the board recognized the related-legal-entities issue a few
years ago, but IIRC they abandoned their attempt to address it,
possibly for lack of a usable legal framework. No joy to be found down
that blind alley and I imagine the prevailing view was that with a
strong needs justification applied independently to each legal entity
there was relatively little damage that could be done.

Bill Herrin

William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
Unsubscribe or manage your mailing list subscription at:
Please contact info at arin.net if you experience any issues. 

More information about the ARIN-PPML mailing list