[arin-ppml] Draft Policy ARIN-2013-6: Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors - Revised
celestea at usc.edu
Fri Sep 27 20:24:02 EDT 2013
I agree with the intent of this proposal. However, a rewording of the proposed language would make this proposal more palatable, especially if it addresses the concerns raised by staff, advisory council, and legal reviews.
From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of ARIN
Sent: Wednesday, September 25, 2013 7:59 AM
To: arin-ppml at arin.net
Subject: [arin-ppml] Draft Policy ARIN-2013-6: Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors - Revised
Revised text for ARIN-2013-6 is below and can be found at:
The AC will evaluate the discussion in order to assess the conformance of this draft policy with ARIN's Principles of Internet Number Resource Policy as stated in the PDP. Specifically, these principles are:
* Enabling Fair and Impartial Number Resource Administration
* Technically Sound
* Supported by the Community
The ARIN Policy Development Process (PDP) can be found at:
Draft Policies and Proposals under discussion can be found at:
Communications and Member Services
American Registry for Internet Numbers (ARIN)
## * ##
Draft Policy ARIN-2013-6
Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors
Date: 25 September 2013
ARIN number resources should be used primarily in the ARIN region, for ARIN region organizations. There is currently no explicit policy guiding staff in this area, this proposal seeks to correct that.
Create new policy Section X.
X. Resource Justification within ARIN Region
Organizations requesting Internet number resources from ARIN must provide proof that they (1) are an active business entity legally operating within the ARIN service region, and (2) are operating a network located within the ARIN service region. In addition to meeting all other applicable policy requirements, a plurality of new resources requested from ARIN must be justified by technical infrastructure or customers located within the ARIN service region, and any located outside the region must be interconnected to the ARIN service region.
The same technical infrastructure or customers cannot be used to justify resources in more than one RIR.
Although we represent law enforcement, and have brought forth this issue based upon our concerns and experience from a law enforcement perspective, this is a problem in which the entire ARIN community has a stake.
As reported at the last meeting in Barbados, ARIN staff is having difficulty verifying organizations out-of-region. In many of the cases, particularly in VPS (Virtual Private Service), the only information received on these organizations by ARIN is a customer name and IP address. This information cannot be properly verified by ARIN. Accuracy of registration data is critical to not only law enforcement, but the greater ARIN community as it relates to abuse contact and complaints. In fact, most issues facing law enforcement are also shared by legitimate companies attempting, for instance, to identify an organization that has hijacked their IP address space.
The expedited depletion of IPv4 address space in the ARIN region certainly seems to negatively impact those organizations currently operating in the region that may need to return to ARIN for additional
IPv4 address space. While law enforcement’s concern is that criminal organizations outside of the ARIN region can easily and quickly request large blocks of IPv4 address space from ARIN, organizations that are not truly global organizations, but specific national companies from the RIPE and APNIC regions, also have this capability which is detrimental to true ARIN region organizations.
This policy proposal is re-enforcing practices the ARIN staff currently employs to ensure that ARIN IP space is used for and by companies that are legitimate and have a legitimate presence in the ARIN region. This policy will assist in defining clear criteria that will be helpful to ARIN staff and the community.
The primary role of RIRs is to manage and distribute public Internet address space within their respective regions. The problem brought forth here clearly undermines the current RIR model; if any organization can acquire IP address space from any region, what then is the purpose of the geographical breakdown of the five RIRs?
Advisory Council Comments:
The term "Internet number resources" or more simply "resources" should be used instead of "IP Blocks" to more accurately reflect the totality of the Registry. This implies both IPv4 and IPv6, as well as ASNs.
While Internet registries are organized on a regional basis, policy must recognize that many networks, services and operations are trans-regional and it would be burdensome and impractical to attempt to strictly enforce territorially exclusive allocations. Therefore, policy should seek to balance the regional structure of address allocation with flexibility of service provision, by ensuring that ARIN's resources are primarily aligned with the ARIN service region but facilitate flexibility and efficiency of use by applicants from any region.
There are concerns that out of region organizations should be able to request resources for use within the ARIN service region. The proposed text accommodates this issue by requiring only proof that an organization is "legally operating within the ARIN Service Region". This includes business entities formed in the region, or other business entities with legal branch offices within the region. So, as long as an out of region organization is "legally operating within the ARIN Service Region" they can request resources from ARIN.
Current operational practice is to require an organization be formed within the ARIN service region. However, if this were applied by all the RIRs, a global network would be required to have a minimum of five subsidiaries, one formed in each of the five RIR regions, this seems overly burdensome. Good resource policy should consider the consequences of all RIRs adopting the same policy.
Previous discussions of the topic indicated that it is difficult to enforce and undesirable for many in the community to dictate where resources are to be used once they are allocated. A strategy to deal with this is to focus the policy on the technical infrastructure and customers used to justify the requested number resources from ARIN, as opposed to where resources are actually used once allocated. This is a subtle but important distinction.
While resources received from ARIN may be used outside the ARIN region, a common technical infrastructure must interconnect the use of these resources to the ARIN region. This provides a necessary nexus with the ARIN service region for such out of region use. Therefore, if a discrete network is operating within another region, not interconnected to the ARIN region, then resources for that discrete network should be requested from that region's RIR.
A concern was raised that this policy shouldn't limit or interfere with outbound inter-RIR transfers. If we focus on what justifies a request for resources from ARIN, outbound inter-RIR transfers shouldn't be affected, as they are clearly based on the receiving RIR's policies.
From previous discussions of the topic, "double dipping" should not be allowed, that is using the same technical infrastructure or customers to justify resources from ARIN and another RIR at the same time.
The legal jurisdiction an organization is formed in doesn't necessarily reflect the jurisdictions in which it operates, or even that it operates a network in a jurisdiction. This implies that we should have both technical and legal requirements regarding operating within the ARIN service region in order to receive resources.
This policy is not intended to have any retroactive effect. It should not be construed to effect or invalidate any assignment or allocation previously made by ARIN, one of its predecessor registries, or any ISP or other LIR, based on good faith application information. In particular direct assignments previously made to individuals are not invalidated by this policy. However, this policy is intended to disallow any new assignment or allocation made directly to an individual person, consistent with current operational practice.
The original text used the term "majority", seeming to describe a "simple," "absolute" or "overall" majority, which means greater than 50%. Many organizations don't have greater than 50% of their users or customers in any one region. A "plurality", "relative majority", "largest of", or more specifically "more than any other RIR's service region" seems to be the intended and appropriate meaning of the term "majority" in this context. Let's clarify that intent by using the term "plurality".
The intent is not to require an organization to have an overall plurality of its technical infrastructure and customers within the ARIN service region. Rather, it is to ensure that the plurality of currently requested resources is justified from within the ARIN region. If an organization¹s primary, or largest, demand for resources is in another region then the organization should request resources from that region's RIR, at least for the demand within that other RIR's region. Further, it is not intended to limit access to resources intended to be exclusively used within the ARIN region.
ARIN Staff and Legal Assessment of the earlier, 4 September 2013, version of the draft
DRAFT NUMBER AND NAME: Draft Policy ARIN-2013-6 Allocation of IPv4 and IPv6 Address Space to Out-of-region Requestors
DATE: 18 September 2013
1. Summary (Staff Understanding)
This policy would require requesters to provide proof of legal presence within the ARIN region and to demonstrate that a majority (or plurality) of their technical infrastructure and customers are within the ARIN region in order to qualify and receive IPv4 and IPv6 addresses.
A. ARIN Staff Comments
· This proposal would predominantly formalize ARIN's existing practice with respect to requiring the requestor to have a legal presence in the ARIN region and to operate a network in region. However, the proposal would also create new practice and processes via inclusion of the statement "a plurality of resources requested from ARIN must be justified by technical infrastructure and customers located within the ARIN service region, and any located outside the region must be interconnected to the ARIN service region."
· This could create a scenario where a network can't get IPv4/IPv6 addresses from any RIR. For example, suppose a large network operator from another region wants to establish a presence at a datacenter in Miami. That other regional registry may decline to issue IP addresses for use in the ARIN region, but the requester would also be unable to get IP addresses from ARIN since a majority of their technical infrastructure and customers are located outside the ARIN region.
· It's unclear how the location of hosted customers is defined. If a customer resides or operates outside of ARIN’s region, but leases a dedicated server in Los Angeles, is the customer considered to be within the ARIN region since the hardware they're controlling is within the ARIN region, or are they considered to be outside the region since they reside elsewhere? How about a colocation situation where a customer who resides out of region ships a server to Los Angeles? Does the presence of a customer's hardware in the region make them in-region?
· The phrase "a majority of their technical infrastructure and customers are within the ARIN region" could be read that technical infrastructure and customers should be evaluated together as one pool. That could be problematic. Consider a hosting provider whose technical infrastructure is 100% within the ARIN region. 5% of their customers are located within the ARIN region (assuming "resides within the ARIN region" constitutes in-region). Does that mean a majority of their technical infrastructure and customers are located within the region since when you consider them in total, the majority is in-region? If the intent is to require that the majority of both be in-region, the phrasing should be something like "a majority of both their technical infrastructure and customers" to indicate each item is being evaluated independently.
· Text says, "...and any located outside the region must be interconnected to the ARIN service region." This statement is unclear.
Is the intent that discrete networks overseas cannot obtain space from ARIN? (A discrete network meaning a different autonomous system number)
· There are potential implications with respect to IPv6 and proposed policy text; in particular, does the community want an organization to be able to get all space from one RIR when it comes to IPv6? If you are a multinational, and get a huge block from ARIN, and years from now your overseas division has grown and you need more space, you have to go another RIR serving that region?
· Staff notes that policy text would be inserted into NRPM section 2.2.
B. ARIN General Counsel - Legal Assessment
The current draft seeks to fill an important gap in ARIN’s policies; more specifically, policy guidance that clearly describes the degree to which a proposed recipient of number resources from ARIN has to have real installations and customers in the ARIN region.
From a legal standpoint, there are two possible spectrum points of policy to avoid: first, having inadequate policy guidance would leave policy implementation subject to a high degree of staff interpretation; and at the other end, adopting an overly prescriptive guidance or standard that fails to permit multinational business entities to obtain number resources that are needed both in the ARIN region and outside of the ARIN region from ARIN. Both extremes are unattractive for a standard setting organization such as ARIN.
In particular, the current text:
**** ‘plurality of resources requested from ARIN must be justified by technical infrastructure and customers located within the ARIN service region’ ****
should be carefully evaluated, as it sets the policy requirement of ‘plurality’ that may prove unnecessarily restrictive in some cases. A lower standard is recommended to avoid otherwise valid requesters for address resources from being precluded from obtaining number resources.
Note that policy language which provides for reasonable restrictions (e.g. requiring more than a fictitious or tenuous and limited presence for the recipient to receive the resources in this region and/or clear intention to make use of some of the resources within the region) can be adopted without creating serious legal risk.
3. Resource Impact
This policy would have minimal resource impact from an implementation aspect. It is estimated that implementation would occur within 3 months after ratification by the ARIN Board of Trustees. The following would be needed in order to implement:
A. Updated guidelines
B. Staff training
You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
Unsubscribe or manage your mailing list subscription at:
Please contact info at arin.net if you experience any issues.
More information about the ARIN-PPML