[arin-ppml] Draft Policy ARIN-2011-7: Compliance Requirement - revised
ARIN
info at arin.net
Thu Sep 22 14:29:32 EDT 2011
Draft Policy ARIN-2011-7
ARIN Inter-RIR Transfers
ARIN-2011-7 has been revised. This draft policy is open for discussion
on this mailing list and will be on the agenda at the upcoming ARIN
Public Policy Meeting in Philedelphia.
ARIN-2011-7 is below and can be found at:
https://www.arin.net/policy/proposals/2011_7.html
Following the text is an ARIN staff assessment of an earlier version of
the draft policy. The current version "...addresses remaining legal
concerns with specific wording."
Regards,
Communications and Member Services
American Registry for Internet Numbers (ARIN)
## * ##
Draft Policy ARIN-2011-7
Compliance Requirement
Date: 22 September 2011
Policy statement:
Resource Review
Update the following NRPM Sections:
12.4 - Update to:
Organizations found by ARIN to be out of compliance with current ARIN
policy shall be required to update reassignment information or return
resources as needed to bring them into (or reasonably close to) compliance.
1. The degree to which an organization may remain out of compliance
shall be based on the reasonable judgment of the ARIN staff and shall
balance all facts known, including the organization's utilization rate,
available address pool, and other factors as appropriate so as to avoid
forcing returns which will result in near-term additional requests or
unnecessary route de-aggregation.
2. To the extent possible, entire blocks should be returned. Partial
address blocks shall be returned in such a way that the portion retained
will comprise a single aggregate block.
(leave 12.5 as is)
12.6 - Update to:
Except in cases of fraud when immediate action can be taken, an
organization shall be given a minimum of thirty (30) days to respond. If
an organization fails to respond within thirty (30) days, ARIN may cease
providing reverse DNS services to that organization. If progress of
resource returns or record corrections has not occurred within sixty
(60) days after ARIN initiated contact, ARIN shall cease providing
reverse DNS services for the resources in question. At any time ninety
(90) days after initial ARIN contact, ARIN may initiate resource
revocation as allowed in paragraph 12.5. ARIN may permit a longer period
of time to come into compliance, if ARIN believes the organization is
working in good faith to restore compliance with policy and has a valid
need for additional time to comply, including but not limited to
renumbering out of the affected blocks.
Rationale:
This version addresses remaining legal concerns with specific wording.
An earlier version addressed several staff and legal concerns with the
original text of this policy by clarifying the language and making it
more concrete.
To date the community has not documented or firmly established use of an
effective enforcement mechanism. This policy will support current policy
and compel those who are allocated ARIN resources to maintain the proper
WHOIS records in accordance with ARIN NRPM. While it is recognized this
is not an absolute solution to ensure compliance, it is the best method
under current ARIN policies.
Timetable for implementation: Immediate
#####
ARIN Staff Assessment
Draft Policy: 2011-7 Compliance Requirement
1. Proposal Summary (Staff Understanding)
This policy requires ARIN staff to not only identify customers who are
out of compliance with policy, but to withhold services for those who
fail to come into compliance within a designated time. Staff is to
contact customers who are out of compliance with policy and give them 30
days to respond to our contact and to demonstrate they've begun to take
corrective measures within 60 days. If either of these criteria is not
met, the policy instructs staff to cease providing reverse DNS services
to the customer or to begin reclamation efforts.
2. Comments
A. ARIN Staff Comments
• The proposal updates the 12.4 language to allow folks to update
SWIP/RWhois records as a way of becoming compliant with policy.
• The policy says either "take away reverse" or "reclaim the numbers".
It would be helpful to staff if there was clear guidance as to when
revocation was to be used over reverse dns removal.
o Without clear guidance, staff would implement this in such a way that
reverse dns removal would be used as the first step of the enforcement,
and revocation of the resource as the final step when an organization is
unable to come into compliance within a defined time period.
• The term “out of compliance” is not well defined anywhere within this
policy. Without additional criteria, staff will continue to interpret
this term somewhat liberally, and to apply it at our discretion using
our best judgment and consideration of existing factors. Only those
organizations that we deem to be significantly in violation of existing
policy will be flagged for further review and audit.
• Removing an organization’s reverse DNS may negatively impact their
business.
B. ARIN General Counsel –
This policy has significant legal implications, as it requires ARIN to
withdraw services that may impact innocent and bona fide third parties
utilizing the resources. Many drafting concerns in earlier versions of
the policy have been ameliorated or fixed. However some may remain. I
have some specific suggestions to fix the current draft of 12. 6:
suggested deletions can be seen by bracketing, additions in caps. The
entire policy might benefit from similar close review.
'12.6 - Update to:
Except in cases of fraud WHEN IMMEDIATE ACTION CAN
BE TAKEN, an organization shall be given a minimum of thirty (30) days
to respond. If an organization FAILS TO [does not] respond within
[those] thirty (30) days, ARIN may cease providing reverse DNS services
to that organization. If progress of resource returns or record
corrections HAS NOT OCCURRED [is not visible] within sixty (60) days
after [correspondence with] ARIN INITIATED CONTACT [began] , ARIN SHALL
[will] cease providing reverse DNS services for the resources in
question. At any time [after] ninety (90) days AFTER INITIAL ARIN
CONTACT [have passed], ARIN may initiate resource revocation as allowed
in paragraph 12.5. ARIN MAY [shall negotiate] PERMIT a longer [ term]
PERIOD OF TIME TO COME INTO COMPLIANCE, [with the organization] if ARIN
believes the organization is working in good faith to [substantially]
restore compliance WITH POLICY and has a valid need for additional time
to COMPLY, INCLUDING BUT NOT LIMITED TO RENUMBERING out of the affected
blocks.'
3. Resource Impact
This policy would have moderate resource impact from an implementation
aspect. It is estimated that implementation could occur within 6 – 9
months after ratification by the ARIN Board of Trustees.
The implementation of this policy will require new software tools to
track these newly defined deadlines. Additionally, there will likely be
a significant increase in time and workload for the RS team as the
potential for a significant increase in resource audits due to
non-compliance with IPv6 reassignment requirements is great. This may
even require additional personnel, although it is too early to tell
right now.
The following would be needed in order to implement:
• Updated guidelines and website documentation
• Staff training
• Software tools would need to be developed to track the 30 and 60-day
deadlines.
4. Proposal Text
Draft Policy ARIN-2011-7
Compliance Requirement
Date/version: 24 May 2011
Policy statement:
Resource Review
Update the following NRPM Sections:
12.4 - Update to:
Organizations found by ARIN to be out of compliance with current ARIN
policy shall be required to update reassignment information or return
resources as needed to bring them into (or reasonably close to) compliance
1. The degree to which an organization may remain out of compliance
shall be based on the reasonable judgment of the ARIN staff and shall
balance all facts known, including the organization's utilization rate,
available address pool, and other factors as appropriate so as to avoid
forcing returns which will result in near-term additional requests or
unnecessary route de-aggregation.
2. To the extent possible, entire blocks should be returned. Partial
address blocks shall be returned in such a way that the portion retained
will comprise a single aggregate block.
(leave 12.5 as is)
12.6 - Update to:
Except in cases of fraud, an organization shall be given a minimum of
thirty (30) days to respond. If an organization does not respond within
those thirty (30) days, ARIN may cease providing reverse DNS services to
that organization. If progress of resource returns or record corrections
is not visible within sixty (60) days after correspondence with ARIN
began, ARIN will cease providing reverse DNS services for the resources
in question. At any time after ninety (90) days have passed, ARIN may
initiate resource revocation as allowed in paragraph 12.5. ARIN shall
negotiate a longer term with the organization if ARIN believes the
organization is working in good faith to substantially restore
compliance and has a valid need for additional time to renumber out of
the affected blocks.
Rationale:
This version addresses several staff and legal concerns with the
original text of this policy by clarifying the language and making it
more concrete.
To date the community has not documented or firmly established use of an
effective enforcement mechanism. This policy will support current policy
and compel those who are allocated ARIN resources to maintain the proper
WHOIS records in accordance with ARIN NRPM. While it is recognized this
is not an absolute solution to ensure compliance, it is the best method
under current ARIN policies.
Timetable for implementation: Immediate
More information about the ARIN-PPML
mailing list