[arin-ppml] ARIN-PPML Digest, Vol 100, Issue 2

Frank Bulk frnkblk at iname.com
Sun Oct 6 00:42:35 EDT 2013


If 2013-6 were passed then those who might abuse ARIN's policies for
nefarious means might use other RIRs, possibly (likely?) less cooperative in
sharing ownership information than ARIN, which is HQ'ed in the U.S.  I don't
see how 2013-6 helps U.S. LEA's with the identification of netblock owners
because it's just going to drive the bad guys away from using ARIN and to
use other RIRs.

 

Second, I don't believe a US LEA has more or less authority to track or
subpoena the actual traffic, or go after nefarious activity, if they're
using non-ARIN address space within the US.  A corollary, I don't think if
the bad guys used ARIN-assigned address space outside the U.S. that a U.S.
LEA will have a greater advantage than if the bad guys used non-ARIN
assigned space outside the U.S.

 

Honestly, I don't see how 2013-6 aids U.S. LEA in tracking down or taking
down the bad guys.

 

Frank

 

From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
Behalf Of nathalie coupet
Sent: Saturday, October 05, 2013 4:05 PM
To: arin-ppml at arin.net
Cc: jcurran at arin.net
Subject: Re: [arin-ppml] ARIN-PPML Digest, Vol 100, Issue 2

 

Hello John,

 

As far as law enforcement agencies are concerned, the problem is not so much
a question of depletion of the IPv4 pool but of traceability back to the
attacker in case of misuse of the Internet, such as for MitMA or DDoS (many
attackers of US websites being located in the APNIC/Middle East Regions).
The problem is even more acute for IPv6 addresses, since blocks allocated
are larger than those for IPv4.   

Maybe ARIN's policy should be consistent regarding the allocation of both
IPv4 and IPv6 addresses requesting that stakeholders have sufficient
attachment to the region prior to receiving IP addresses from ARIN. 

If we do not take into consideration security concerns into our own hands
and decide for ourselves what we tolerate and what we don't, others will
enact rules and procedures that might end up affecting the organization in a
way that could be really detrimental to business. 

 

 

Nathalie Coupet
ARIN Member

 

  _____  

From: arin-ppml-request at arin.net
To: arin-ppml at arin.net
Sent: Friday, October 4, 2013 7:32 PM
Subject: ARIN-PPML Digest, Vol 100, Issue 2



Today's Topics:

  1. Re: Draft Policy ARIN-2013-6: Allocation of IPv4 and IPv6
      Address Space to Out-of-region Requestors - Revised (John Curran)
  2. Out-of-region overreaction? (Frank Bulk)
  3. Re: Out-of-region overreaction? (Scott Leibrand)
  4. Re: Out-of-region overreaction? (Jimmy Hess)


----------------------------------------------------------------------

Message: 1
Date: Fri, 4 Oct 2013 19:55:59 +0000
From: John Curran <jcurran at arin.net>
To: Gary Buhrmaster <gary.buhrmaster at gmail.com>
Cc: "arin-ppml at arin.net" <arin-ppml at arin.net>
Subject: Re: [arin-ppml] Draft Policy ARIN-2013-6: Allocation of IPv4
    and IPv6 Address Space to Out-of-region Requestors - Revised
Message-ID: <42C9B415-75DB-4AB7-955F-BD84AB9C64EC at arin.net>
Content-Type: text/plain; charset="us-ascii"

Gary -

Since June 2013, there have been 52 requests that would not have 
been approved under the new policy because these organizations 
had only some equipment in a data center in the ARIN region, but 
either all or most of their technical infrastructure outside of the region
and most or all of their customers outside of the ARIN region.  

Total amount of space issued to these 52 organizations:  9,672 /24s,
(which is a bit more than a /11 in total) and nearly all organizations were
based in the APNIC region.

FYI,
/John

John Curran
President and CEO
ARIN

> On Sep 27, 2013, at 11:37 PM, John Curran <jcurran at arin.net> wrote:
> 
>> On Sep 26, 2013, at 3:06 PM, Gary Buhrmaster <gary.buhrmaster at gmail.com> wrote:
>> 
>>> On Thu, Sep 26, 2013 at 6:21 PM, John Curran <jcurran at arin.net> wrote:
>>> ...
>>> That is correct (and reflects current practice handling resource
>>> requests.)
>> 
>> John,
>> 
>> I support the policy, but I do have a few questions that
>> would help finalize my thinking (that I do not recall seeing
>> asked or answered).  I understand that any answers are
>> going to be more WAGs than facts, and you may not
>> have the information or ability to provide the answers,
>> but any answers would help me (and perhaps others)
>> recognize the implications of such a change (if any)?
>> I'll accept as many additional caveats you want to add
>> to any response.
>> 
>> * If this policy was in place for (say) the last year, what
>> is the order of magnitude of number of requests that
>> would have been referred to another RIR (1, 10, 100, 1000)?
>> 
>> * If this policy was in place for (say) the last year, can
>> you break down the requests by the RIR that the
>> requester appeared to have their plurality?
>> 
>> * If this policy was in place for (say) the last year, what
>> is the order of magnitude of the IPv4 numbers that
>> would not have been issued by ARIN (/24 ... /8)?
> 
> Gary - 
> 
>  We're looking into your concerns, and will see whether we
>  can provide any insights/WAGs regarding the potential
>  impact of the policy (as compared to past requests.)
> 
> Thanks for the thought-provoking questions!
> /John
> 
> John Curran
> President and CEO
> ARIN
> 
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.


------------------------------

Message: 2
Date: Fri, 4 Oct 2013 15:31:32 -0500
From: "Frank Bulk" <frnkblk at iname.com>
To: <arin-ppml at arin.net>
Subject: [arin-ppml] Out-of-region overreaction?
Message-ID: <00ef01cec140$b6ccb5e0$246621a0$@iname.com>
Content-Type: text/plain;    charset="iso-8859-1"

I was requesting some ISP IPv6 space and the kindly ARIN staff posted this
in their response:

    Please reply and verify that you will be using 
    the requested number resources within the ARIN region 
    and announcing all routing prefixes of the requested 
    space from within the ARIN region. In accordance with 
    section 2.2 of the NRPM, ARIN issues number resources 
    only for use within its region. ARIN is therefore only 
    able to provide for your in-region numbering needs.

I'm familiar with the concern about out-of-region folk taking advantage of
ARIN's current IPv4 supply, but I have a few concerns about the wording of
the staff communication.

a) It's been my understanding thus far that if I'm an ISP that provides
service in multiple places around the world that I may divide my allocation
into smaller prefixes and advertise those to area peers.  It seems ARIN
staff would preclude me from doing any of that.  "All" is a pretty strong
word, and if ARIN really believes it, a lot of violators could be found.  

b) It seems that Section 2.2 of the NRPM is being misapplied.  
    2.2. Regional Internet Registry (RIR)

    Regional Internet Registries (RIRs) are established and
    authorized by respective regional communities, and 
    recognized by the IANA to serve and represent large 
    geographical regions. The primary role of RIRs is to 
    manage and distribute public Internet address space 
    within their respective regions.

While ARIN does issue numbers within its region, section 2.2 does not say
"only for use".  If an "only" had be applied, I would suggest that it's
"only manage and distribute".

If I could be so bold, I'd suggest ARIN to use language something along
these lines in their communications:

    Please reply and verify that you will be using 
    the requested number resources primarily within the 
    ARIN region and announcing the majority of routing prefixes
    of the requested space from within the ARIN region. 
    In accordance with section 2.2 of the NRPM, ARIN issues 
    number resources within its region. 

Frank



------------------------------

Message: 3
Date: Fri, 4 Oct 2013 14:42:50 -0700
From: Scott Leibrand <scottleibrand at gmail.com>
To: Frank Bulk <frnkblk at iname.com>
Cc: ARIN-PPML List <arin-ppml at arin.net>
Subject: Re: [arin-ppml] Out-of-region overreaction?
Message-ID:
    <CAGkMwz4cOch2v8M6HBw4-2N4x_QG9X5dYu8arehow1+86y9OXw at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Agreed.  IMO this is *not* what was intended by current policy, *particularly*
IPv6 policy.  If you get a /32, there's no reason you shouldn't be able to
use it globally.

Thanks for bringing this up.  I think we're going to have a lively
discussion next week in Phoenix.  :-)

-Scott


On Fri, Oct 4, 2013 at 1:31 PM, Frank Bulk <frnkblk at iname.com> wrote:

> I was requesting some ISP IPv6 space and the kindly ARIN staff posted this
> in their response:
>
>        Please reply and verify that you will be using
>        the requested number resources within the ARIN region
>        and announcing all routing prefixes of the requested
>        space from within the ARIN region. In accordance with
>        section 2.2 of the NRPM, ARIN issues number resources
>        only for use within its region. ARIN is therefore only
>        able to provide for your in-region numbering needs.
>
> I'm familiar with the concern about out-of-region folk taking advantage of
> ARIN's current IPv4 supply, but I have a few concerns about the wording of
> the staff communication.
>
> a) It's been my understanding thus far that if I'm an ISP that provides
> service in multiple places around the world that I may divide my allocation
> into smaller prefixes and advertise those to area peers.  It seems ARIN
> staff would preclude me from doing any of that.  "All" is a pretty strong
> word, and if ARIN really believes it, a lot of violators could be found.
>
> b) It seems that Section 2.2 of the NRPM is being misapplied.
>        2.2. Regional Internet Registry (RIR)
>
>        Regional Internet Registries (RIRs) are established and
>        authorized by respective regional communities, and
>        recognized by the IANA to serve and represent large
>        geographical regions. The primary role of RIRs is to
>        manage and distribute public Internet address space
>        within their respective regions.
>
> While ARIN does issue numbers within its region, section 2.2 does not say
> "only for use".  If an "only" had be applied, I would suggest that it's
> "only manage and distribute".
>
> If I could be so bold, I'd suggest ARIN to use language something along
> these lines in their communications:
>
>        Please reply and verify that you will be using
>        the requested number resources primarily within the
>        ARIN region and announcing the majority of routing prefixes
>        of the requested space from within the ARIN region.
>        In accordance with section 2.2 of the NRPM, ARIN issues
>        number resources within its region.
>
> Frank
>

------------------------------

Message: 4
Date: Fri, 4 Oct 2013 18:25:16 -0500
From: Jimmy Hess <mysidia at gmail.com>
To: Frank Bulk <frnkblk at iname.com>
Cc: "arin-ppml at arin.net" <arin-ppml at arin.net>
Subject: Re: [arin-ppml] Out-of-region overreaction?
Message-ID:
    <CAAAwwbXKQ6z47bkUtLKMZ0BK3qubpELFE=pkYdxU2DedJ4bhBg at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Fri, Oct 4, 2013 at 3:31 PM, Frank Bulk <frnkblk at iname.com> wrote:

>
> I'm familiar with the concern about out-of-region folk taking advantage of
> ARIN's current IPv4 supply, but I have a few concerns about the wording of
> the staff communication.
>
> a) It's been my understanding thus far that if I'm an ISP that provides
> service in multiple places around the world that I may divide my allocation
> into smaller prefixes and advertise those to area peers.  It seems ARIN
>

No.  You can subdelegate portions of your allocation to customers.
Your upstreams are not going to necessarily let you pick apart your
allocation and advertise every /29;  Although ARIN staff should have no
objections to this, if your upstreams will allow it, and you show that
to be the case.

If you are chopping up your block; you do not need a big allocation from
ARIN, though, of sufficient size for all your regions.  It only makes
sense if you intend to keep your block _whole_; and advertise a single
block in multiple regions.

If you intend to chop up your blocks anyways; then a sensible thing to do
is to obtain multiple blocks instead -- from the appropriate regions
where they will be used.



> staff would preclude me from doing any of that.  "All" is a pretty strong
> word, and if ARIN really believes it, a lot of violators could be found.
>

Routing is out of scope of ARIN policy in the first place;  you have an
option of not advertising your allocation at all.  You are allowed to
have a privately interconnected network that spans regions.

ARIN staff can reject your verification justification for the allocation;
if you don't show you have an intention to use a significant amount of
resources in the ARIN region

> While ARIN does issue numbers within its region, section 2.2 does not say
> "only for use".  If an "only" had be applied, I would suggest that it's
> "only manage and distribute".
>

Policy does not say "only for use";  however there is not policy
specifically encouraging ARIN to recognize use outside of the ARIN region.

It is not sufficient for use to merely be "allowed";  ARIN has to have
procedures for validating and auditing the use.

It is possible, that you may be allowed to use out of region, but not be
able to cite your out of region networks requirements as justification for
obtaining a larger block than if your out-of-region usage did not exist at
all, or it may not be accepted as current use to satisfy utilization
requirement for a future allocation.


> If I could be so bold, I'd suggest ARIN to use language something along
> these lines in their communications:
>
>        Please reply and verify that you will be using
>        the requested number resources primarily within the
>        ARIN region and announcing the majority of routing prefixes
>        of the requested space from within the ARIN region.
>        In accordance with section 2.2 of the NRPM, ARIN issues
>        number resources within its region.
>
>
This is very similar to  the original quote of what they had said.......



> Frank
>

------------------------------

_______________________________________________
ARIN-PPML mailing list
ARIN-PPML at arin.net
http://lists.arin.net/mailman/listinfo/arin-ppml

End of ARIN-PPML Digest, Vol 100, Issue 2
*****************************************


