[arin-ppml] Draft Policy ARIN-2013-6: Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors - Revised Problem Statement and Policy Text

Milton L Mueller mueller at syr.edu
Mon Sep 16 22:51:25 EDT 2013

This policy took a winding path through the AC review process. In my view, the actual substantive policy proposed is mostly supportable, though we need to have a careful debate about the meaning of "plurality" and whether that is necessary or not. 

There are three other issues, none of which actually have to do with the policy, that I think need to be pointed out:

1. I have a problem with the Problem Statement. The first sentence asserts as an accepted policy something that is not really an accepted policy (ARIN number resources should be used primarily in the ARIN region, for ARIN region organizations). In other words, it assumes that we already have a policy on this, then in the second sentence, it says "there is currently no explicit policy guiding staff in this area." That's an obvious self-contradiction. I think the second statement is correct. Before I could favor moving this forward as a recommended policy, I would want to see the Problem Statement revised. 

2. The Authors' comments says:

> As reported at the last meeting in Barbados, ARIN staff is having 
> difficulty verifying organizations out-of-region.

This is not actually what they said. My recollection of the meeting was that they said they had noticed that they were getting a larger number of out of region requests, and they did not feel as if they had explicit policy guidance on how to handle these requests. Insofar as there are difficulties, te policy of ensuring that the applicant for resources is an active business entity legally operating in the ARIN region solves that problem. 

3. I consider the "law enforcement" rationale for this policy to be poorly thought-out and basically pointless. ARIN consists of ~ 20 jurisdictions and the other regions are composed of even more; thus, the idea that confining an RIR's address resource allocations to use within a region will ease the task of law enforcement strikes me as factually untrue, and obviously so. One might ease the task of law enforcement by requiring ALL number resources and ALL communication services to be territorially bound to a single legal jurisdiction - but this "cure" would be worse than the disease as it would fundamentally undermine the global nature of the internet. 

Moreover, keeping a "plurality" of use in region does NOT have anything to do with the accuracy of registration data. I also take issue, factually, with the assumption that internet criminality is facilitated or eased by registering addresses in one region rather than another. No one has provided a shred of evidence for this at any time in the process. Indeed, if a criminal operation wants to affect the North American region or the USA, the last thing it would want to do is register addresses in ARIN. Its criminal operations can reach North America without registering addresses here. 

So the bottom line is that this policy could have been a lot worse; I agree with almost all of the AC comments; I don't disagree with the Authors Comments so much as I think they completely miss their target and show signs of trying to use an inappropriate tool (address eligibility criteria) for a worthy goal (solving cybercrimes).  

> Problem Statement:
> ARIN number resources should be used primarily in the ARIN region, for 
> ARIN region organizations. There is currently no explicit policy 
> guiding staff in this area, this proposal seeks to correct that.
> Policy Statement:
> Create new policy Section X.
> X. Resource Justification within ARIN Region Organizations requesting 
> Internet number resources from ARIN must provide proof that they (1) 
> are an active business entity legally operating within the ARIN 
> service region, and (2) are operating a network located within the 
> ARIN service region. In addition to meeting all other applicable 
> policy requirements, a plurality of resources requested from ARIN must 
> be justified by technical infrastructure and customers located within 
> the ARIN service region, and any located outside the region must be 
> interconnected to the ARIN service region.
> The same technical infrastructure or customers cannot be used to 
> justify resources in more than one RIR.
> ###
> Authors Comments:
> Although we represent law enforcement, and have brought forth this 
> issue based upon our concerns and experience from a law enforcement 
> perspective, this is a problem in which the entire ARIN community has 
> a stake.
> As reported at the last meeting in Barbados, ARIN staff is having 
> difficulty verifying organizations out-of-region. In many of the 
> cases, particularly in VPS (Virtual Private Service), the only 
> information received on these organizations by ARIN is a customer name 
> and IP address. This information cannot be properly verified by ARIN. 
> Accuracy of registration data is critical to not only law enforcement, 
> but the greater ARIN community as it relates to abuse contact and 
> complaints. In fact, most issues facing law enforcement are also 
> shared by legitimate companies attempting, for instance, to identify 
> an organization that has hijacked their IP address space.
> The expedited depletion of IPv4 address space in the ARIN region 
> certainly seems to negatively impact those organizations currently 
> operating in the region that may need to return to ARIN for additional
> IPv4 address space. While law enforcement¹s concern is that criminal 
> organizations outside of the ARIN region can easily and quickly 
> request large blocks of IPv4 address space from ARIN, organizations 
> that are not truly global organizations, but specific national 
> companies from the RIPE and APNIC regions, also have this capability 
> which is detrimental to true ARIN region organizations.
> This policy proposal is re-enforcing practices the ARIN staff 
> currently employs to ensure that ARIN IP space is used for and by 
> companies that are legitimate and have a legitimate presence in the 
> ARIN region. This policy will assist in defining clear criteria that 
> will be helpful to ARIN staff and the community.
> The primary role of RIRs is to manage and distribute public Internet 
> address space within their respective regions. The problem brought 
> forth here clearly undermines the current RIR model; if any 
> organization can acquire IP address space from any region, what then 
> is the purpose of the geographical breakdown of the five RIRs?
> Advisory Council Comments:
> The term "Internet number resources" or more simply "resources" should 
> be used instead of "IP Blocks" to more accurately reflect the totality 
> of the Registry. This implies both IPv4 and IPv6, as well as ASNs.
> While Internet registries are organized on a regional basis, policy 
> must recognize that many networks, services and operations are 
> trans-regional and it would be burdensome and impractical to attempt 
> to strictly enforce territorially exclusive allocations. Therefore, 
> policy should seek to balance the regional structure of address 
> allocation with flexibility of service provision, by ensuring that 
> ARIN¹s resources are primarily aligned with the ARIN service region 
> but facilitate flexibility and efficiency of use by applicants from any region.
> There are concerns that out of region organizations should be able to 
> request resources for use within the ARIN service region. The proposed 
> text accommodates this issue by requiring only proof that an 
> organization is "legally operating within the ARIN Service Region". 
> This includes business entities formed in the region, or other 
> business entities with legal branch offices within the region. So, as 
> long as an out of region organization is "legally operating within the 
> ARIN Service Region" they can request resources from ARIN.
> Current operational practice is to require an organization be formed 
> within the ARIN service region. However, if this were applied by all 
> the RIRs, a global network would be required to have a minimum of five 
> subsidiaries, one formed in each of the five RIR regions, this seems 
> overly burdensome. Good resource policy should consider the 
> consequences of all RIRs adopting the same policy.
> Previous discussions of the topic indicated that it is difficult to 
> enforce and undesirable for many in the community to dictate where 
> resources are to be used once they are allocated. A strategy to deal 
> with this is to focus the policy on the technical infrastructure and 
> customers used to justify the requested number resources from ARIN, as 
> opposed to where resources are actually used once allocated. This is a 
> subtle but important distinction.
> While resources received from ARIN may be used outside the ARIN 
> region, a common technical infrastructure must interconnect the use of 
> these resources to the ARIN region. This provides a necessary nexus 
> with the ARIN service region for such out of region use. Therefore, if 
> a discrete network is operating within another region, not 
> interconnected to the ARIN region, then resources for that discrete 
> network should be requested from that region's RIR.
> A concern was raised that this policy shouldn't limit or interfere 
> with outbound inter-RIR transfers. If we focus on what justifies a 
> request for resources from ARIN, outbound inter-RIR transfers 
> shouldn't be affected, as they are clearly based on the receiving RIR's policies.
>  From previous discussions of the topic, "double dipping" should not 
> be allowed, that is using the same technical infrastructure or 
> customers to justify resources from ARIN and another RIR at the same time.
> The legal jurisdiction an organization is formed in doesn¹t 
> necessarily reflect the jurisdictions in which it operates, or even 
> that it operates a network in a jurisdiction. This implies that we 
> should have both technical and legal requirements regarding operating 
> within the ARIN service region in order to receive resources.
> The original text used the term "majority", seeming to describe a 
> "simple," "absolute" or "overall" majority, which means greater than 
> 50%. Many organizations don't have greater than 50% of their users or 
> customers in any one region. A "plurality", "relative majority", 
> "largest of", or more specifically "more than any other RIR's service 
> region" seems to be the intended and appropriate meaning of the term 
> "majority" in this context. Let's clarify that intent by using the 
> term "plurality".
> The intent is not to require an organization to have an overall 
> plurality of its technical infrastructure and customers within the 
> ARIN service region. Rather, it is to ensure that the plurality of 
> currently requested resources is justified from within the ARIN 
> region. If an organization¹s primary, or largest, demand for resources 
> is in another region then the organization should request resources 
> from that region's RIR.
> --
> ## * ##

David Farmer               Email: farmer at umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE     Phone: 1-612-626-0815
Minneapolis, MN 55414-3029  Cell: 1-612-812-9952 ================================================
You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
Unsubscribe or manage your mailing list subscription at:
Please contact info at arin.net if you experience any issues.

More information about the ARIN-PPML mailing list