[arin-ppml] Draft Policy 2012-3: ASN Transfers

Tom Vest tvest at eyeconomics.com
Mon Apr 2 15:17:52 EDT 2012


On Apr 2, 2012, at 2:09 PM, Martin Hannigan wrote:

> On Sat, Mar 31, 2012 at 2:48 PM, Tom Vest <tvest at eyeconomics.com> wrote:
> 
> On Mar 26, 2012, at 3:51 PM, Martin Hannigan wrote:
> 
> > On Sat, Mar 24, 2012 at 12:03 AM, Matthew Kaufman <matthew at matthew.at> wrote:
> >> On 3/23/2012 8:18 PM, Owen DeLong wrote:
> >>>
> >>> On Mar 23, 2012, at 5:26 PM, Matthew Kaufman wrote:
> >>>
> >>>> On 3/16/2012 2:23 PM, Tom Vest wrote:
> >>>>>
> >>>>> The knowledge that route (a) was originated by AS (x) is only meaningful
> >>>>> insofar as one has some set of high-confidence beliefs/expectations about AS
> >>>>> (x). However, if AS (x) can change hands at will, henceforth no such
> >>>>> confidence will be possible for the overwhelming majority if not all ASes.
> >>>>
> >>>> I would point out that this fact is *already* true, as ASNs are
> >>>> transferred through merger and acquisition all the time, and have been for
> >>>> over a decade.
> >>>>
> >>>> I don't see anyone proposing a policy where an entity is required to
> >>>> return (and have permanently marked as unavailable) their ASN when ownership
> >>>> changes... I see, for instance, that AS 1 and AS 701 are still out there,
> >>>> despite the above happening several times, and yet nothing terrible has
> >>>> happened as a result.
> >>>>
> >>> I don't see acquiring the reputation of a network when acquiring the
> >>> entire network as being all that likely to be harmful.
> >>
> >>
> >> What makes you think that ASNs acquired through M&A transfer always come
> >> with "the entire network"?
> >>
> >>
> >>
> >>>  At the time of acquisition, the network is still behaving according to
> >>> its reputation and what is done will cause necessary modifications to that
> >>> reputation as time goes by.
> >>
> >>
> >> Yes. Perhaps immediately, as the new owners are of course entirely different
> >> people with likely different motivations. The network might immediately have
> >> vastly different traffic patterns. Etc.
> >>
> >>
> >>>
> >>> On the other hand, I can see tremendous potential for mischief when
> >>> acquiring an AS Number on the open market without having to take on the
> >>> operation of said network as part of the package.
> >>
> >>
> >> No different than the current situation. You simply make more money for the
> >> lawyers when you require that it use the M&A transfer process.
> >>
> >>
> >>> I think these are very different scenarios.
> >>>
> >>> Again, I think we're seeing enough problems created by allowing transfers
> >>> with IPv4 addresses
> >>
> >>
> >> Really? What problems are those? From where I sit, I've seen none.
> >>
> >> And are those any different than the problems that already existed with
> >> transfers of IPv4 addresses via M&A transfer?
> >
> >
> > I've said similar things in this thread and I'll simply add +1.
> >
> > What we seem to be talking about here, at least from the counter
> > argument perspective, is a desire to regulate business process instead
> > of providing a technically sound and useful mechanism to enable ASN
> > transfers.  As someone involved in peering with literally hundreds of
> > networks, I'm not convinced that there is a risk that I need to be so
> > concerned about that I would want to disallow ASN transfers,
> > especially without a single real life incident that is compelling
> > enough to warrant a change in thought.
> >
> > Adopting this policy will allow ARIN to "get out of the way" and
> > legitimize what's already transpiring on a regular basis.  This is a
> > good thing.
> >
> >
> > Best,
> >
> > -M<
> 
> [ clip ]
>  
> 
> If adopted, an ASN transfer proposal like the one under discussion would inevitably contribute to the accelerated erosion of that third-party authentication mechanism that (almost) everyone has to rely on.
> 
> I'm still not sure exactly what third party authentication scheme you are talking about. 

The existing shared/standardized third-party authentication scheme for ASNs that I'm talking about is the RIRs.
Whenever someone submits a request for a new AS to one of the RIRs, they're probably not going to be very happy with the result unless they also provide credible, complete, and verifiable contact information about themselves along with that request -- with "credible," "complete," and "verifiable" all having some canonical meaning that is applied consistently to all requesters (and which is ultimately made accessible consistently, as necessary for operational purposes, via whois). The RIR honors such requests IFF those criteria, and in some cases other requirements (e.g., needs benchmarking, multihoming, et al.) are satisfied. Thus, under the current process, no ASN that has not been "authenticated" is issued -- or to put it another way, every ASN that is issued under the current system has been authenticated, or "authentically associated" with some consistent, standardized reckoning of who/what the requesting entity is.
 
>  As a thought experiment, I urge you to consider how you might feel if you *were not* actively "involved in peering with literally hundreds of networks," and *could not* rely on [NETWORK] unique private capabilities as a complete substitute for the identification/authentication mechanisms that are embodied in current AS distribution policies.
> 
> 
> No change. Transferring ASNs is at least as innocuous as transferring v4 prefixes with regards to stewardship.

Do you really believe that? Can you route a prefix without (somebody's) ASN? Can you exercise direct management authority over interconnection and inter-domain traffic exchange relations that (at least potentially) can have transitive/global consequences without your own AS? 

To the (limited) extent that I agree with you, the strongest implication would be that *both* IPv4 prefix transfers *and* ASN transfers represent grave medium/long-term threats to Internet security and stability -- threats that I remain convinced that we won't have to live very long to regret. However, the truth is that opening the floodgates to "naked" ASN transfers would be exponentially more dangerous than the already-approved IPv4 transfer mechanisms -- and adding AS transfers *on top of* an as-yet untested and unproven IPv4 marketplace would be profoundly foolhardy.

Speaking for myself only, 

TV 


> Best,
> 
> -M<



