[arin-ppml] Draft Policy 2012-3: ASN Transfers

Sat Mar 31 14:48:21 EDT 2012

On Mar 26, 2012, at 3:51 PM, Martin Hannigan wrote:

> On Sat, Mar 24, 2012 at 12:03 AM, Matthew Kaufman <matthew at matthew.at> wrote:
>> On 3/23/2012 8:18 PM, Owen DeLong wrote:
>>> 
>>> On Mar 23, 2012, at 5:26 PM, Matthew Kaufman wrote:
>>> 
>>>> On 3/16/2012 2:23 PM, Tom Vest wrote:
>>>>> 
>>>>> The knowledge that route (a) was originated by AS (x) is only meaningful
>>>>> insofar as one has some set of high-confidence beliefs/expectations about AS
>>>>> (x). However, if AS (x) can change hands at will, henceforth no such
>>>>> confidence will be possible for the overwhelming majority if not all ASes.
>>>> 
>>>> I would point out that this fact is *already* true, as ASNs are
>>>> transferred through merger and acquisition all the time, and have been for
>>>> over a decade.
>>>> 
>>>> I don't see anyone proposing a policy where an entity is required to
>>>> return (and have permanently marked as unavailable) their ASN when ownership
>>>> changes... I see, for instance, that AS 1 and AS 701 are still out there,
>>>> despite the above happening several times, and yet nothing terrible has
>>>> happened as a result.
>>>> 
>>> I don't see acquiring the reputation of a network when acquiring the
>>> entire network as being all that likely to be harmful.
>> 
>> 
>> What makes you think that ASNs acquired through M&A transfer always come
>> with "the entire network"?
>> 
>> 
>> 
>>>  At the time of acquisition, the network is still behaving according to
>>> its reputation and what is done will cause necessary modifications to that
>>> reputation as time goes by.
>> 
>> 
>> Yes. Perhaps immediately, as the new owners are of course entirely different
>> people with likely different motivations. The network might immediately have
>> vastly different traffic patterns. Etc.
>> 
>> 
>>> 
>>> On the other hand, I can see tremendous potential for mischief when
>>> acquiring an AS Number on the open market without having to take on the
>>> operation of said network as part of the package.
>> 
>> 
>> No different than the current situation. You simply make more money for the
>> lawyers when you require that it use the M&A transfer process.
>> 
>> 
>>> I think these are very different scenarios.
>>> 
>>> Again, I think we're seeing enough problems created by allowing transfers
>>> with IPv4 addresses
>> 
>> 
>> Really? What problems are those? From where I sit, I've seen none.
>> 
>> And are those any different than the problems that already existed with
>> transfers of IPv4 addresses via M&A transfer?
> 
> 
> I've said similar things in this thread and I'll simply add +1.
> 
> What we seem to be talking about here, at least from the counter
> argument perspective, is a desire to regulate business process instead
> of providing a technically sound and useful mechanism to enable ASN
> transfers.  As someone involved in peering with literally hundreds of
> networks, I'm not convinced that there is a risk that I need to be so
> concerned about that I would want to disallow ASN transfers,
> especially without a single real life incident that is compelling
> enough to warrant a change in thought.
> 
> Adopting this policy will allow ARIN to "get out of the way" and
> legitimize what's already transpiring on a regular basis.  This is a
> good thing.
> 
> 
> Best,
> 
> -M<

Hi Marty, 

As someone who has had similar peering responsibilities in the past, I was initially surprised by your statement.

But then I remembered all of the other unique advantages that you enjoy that would tend to reduce your own risks of operating in an environment of "unsecured" ASes (or ASes with private, commercial-only authentication), but which would do nothing to reduce those risks for anyone else. If every network operator had both bilateral contractual relations with thousands of other network operators spread across every continent, and also operated  the equivalent of their own private looking glasses and 24x7x365 active/passive network monitoring infrastructure within each of those thousands of locations, there probably wouldn't be a strong argument for any kind of standardized, "official" third-party mechanism for authenticating number resource recipients (like the RIRs) to exist at all. However, very few operators will ever possess such capabilities. And because of that, the official/standardized/public AS authentication function that is currently performed by the RIRs is going to continue to be critical to the general security of the operating environment for the foreseeable future -- unless perhaps you're willing to provide the global operator community with unrestricted access to all of your global monitoring infrastructure in perpetuity ;-)

If adopted, an ASN transfer proposal like the one under discussion would inevitably contribute to the accelerated erosion of that third-party authentication mechanism that (almost) everyone has to rely on.

As a thought experiment, I urge you to consider how you might feel if you *were not* actively "involved in peering with literally hundreds of networks," and *could not* rely on Akamai's unique private capabilities as a complete substitute for the identification/authentication mechanisms that are embodied in current AS distribution policies. 

Thanks, 

TV