[arin-ppml] support for 2014-1 (out of region use)

[David Huberman]

Hiya Steven,

You asked:

> So are you concluding, that by honoring the router must be within ARIN region rule - but tunneling the traffic to another region, they are complying with the letter but breaking the spirit of the rule?

Yes.  I like uniform rule sets, and if we're going to have RIRs, then we should have RIRs.  While we have RIRs, the rules should apply to everyone.  What makes this worse is it's very hard for staff to tell the difference between a legitimate network operator who just needs IPs for their huge customer base, and a scammer who claims a huge customer base but is just using trickery to get blocks from ARIN to profit off of.  If the scammers were small in IP use, I wouldn't care so much.  But they're not.  They're taking /12s and then turning around to big companies and saying, "Here, buy this from me!".


> Is the reason why you care when others appear not to care (as you pointed out) that you are worried that ARIN will run out of ipv4 faster if this keeps happening?  (Do you think this is an issue on ipv6 as well?)

I don't care about run-out so much because the transfer market neatly takes care of that.  Need space right now?  Go see Peter Thimmesch or Sandra Brown or Mike Burns or the hedgies at Kalorama.

I care about the rules being followed and the scammers being stopped.  I was at ARIN for 10 years.  It's hard to turn off my "anti-fraud" attitude.  

This situation creates artificial scarcity.  AT&T is going to get one less /12 because of it.  Akamai or a cableco or whatever other large consumer of addresses at ARIN is going to get one less allocation.  Because we're quickly giving away what's left to a mix of scammers and networks whose customers are wholly extra-ARIN.  Idealistically, I rail against that.


> Finally since the routers are physically  located in the ARIN region, is there an organization such as a data center or Internet provider, etc. that might be benefitting financially or otherwise - having the owner of these routers as a customer or similar 
> beneficial relationship?

Yes, I think so.  If the Asian provider buys racks in XYZ datacenter, then the facility and all inter-networking services the company buys in the datacenter all benefit from this.  It's good for them.  A policy change that disallowed these companies to qualify for space from ARIN would negatively effect these DCs.

/david



Sent from my iPhone

> On Feb 10, 2014, at 4:32 PM, "David Huberman" <David.Huberman at microsoft.com> wrote:
>
> Hello Milton,
>
>> While couched as opposition your post agrees with the problem statement that "Earlier work on this issue has
>> explored several options to restrict or otherwise limit out of region use. None of these options have gained
>> consensus within the community." So there is no basis for opposition there.
>
> Correct.
>
>> I would conclude, however, that you do _not_ agree with the problem statement that "Current policy neither
>> clearly forbids nor clearly permits out of region use of ARIN registered resources." You seem to believe that it
>> is already permitted, which makes the proposal a no-op. Is that right?
>
> Not quite.
>
> The truth of the matter is that ARIN has operated for a very long time under a rule discussed many times between the RIRs' RS staff:
>
> "The block must be routed from equipment within the RIR's region".
>
> Often times that's just anchoring the least specific.   It was a very solid rule which gave international backbone operators the flexibility to use the RIR they wanted for their needs, because they anchored routes everywhere.
>
> If a content provider doesn't run an international backbone, and that content provider has its customers and equipment in, say, Malaysia, then they would generally be unable to obtain space from ARIN.  The answer from ARIN for such a request would be, "No - got see APNIC or a local IR".
>
> What changed was a year or two ago, some companies got pretty clever.  They actually moved their routers to datacenters on the NA west coast, and used layer 2 tunneling to get everything back to the Asian east coast. All of their customers are in Asia, and they only have a shell company set up in California for the purposes of receiving space from ARIN.
>
> The problem was compounded by two factors:
> 1) Some of these content providers were really, really large. China, for example, is a really big place.  So the IP needs were larger than all but 1 or 2 ARIN customers.
> 2) Some of these requests were fraudulent.  Provide fraud when dealing with operations from a wholly different culture has proven to be exceedingly difficult and, honestly, beyond ARIN's considerable expertise.
>
> This was the point at which the staff started bringing this to the PDP fora.  It started in 2011 in Philadelphia, more serious alarms were raised in Arizona, and those alarms continue today.
>
> The community has been consistently deaf to these concerns.  Responses range from:
> - I don't care; RIRs should just give space to operators who need them (region-agnostic)
> to
> - I don't care; I can't wait for IPv4 to run out.
>
> To some of us, these responses were disappointing.  I can appreciate the argument that the "Regional" part of Regional Internet Registries may now be past is usefulness.  But the argument has been very hard for me to swallow because there's just so much bad faith requesting going on, and it's almost all from extra-ARIN regions.
>
> This is what staff has been trying to tell you (the PP community), and this is what you (the PP community) seem to say, "so what?" to.
>
> [snip]
>
>> Your second argument is that the staff already has all the tools it needs to do what is in section X.1.
>> This is not something the staff report said to us in its assessment, however, so I would discount that.
>
> You can discount it, but I respectfully say I'm right :)  I did do this, on the front lines, for 10 years, and Leslie and I developed ALL of the fraud protocols.
>
>> You main argument, therefore is that "out-of-region requestors [are] abusing the policies" and  "we need to
>> draft text that significantly and materially helps ARIN staff fight fraud from out-of-region requestors."
>> Apparently you think the authorization to engage external entities to help with verification does not
>> address that. Can you explain why?
>
> I feel like I have in my first response.  X.1 is no-op because nothing changes.  Staff already can and do conduct
> these types of activities when investigating fraud.  They may not have "engaged outside entities" to help with
> investigation, but they've always had that purview (that is, with parties who would be under attorney-client
> privilege).
>
> Best regards,
> David
>
> David R Huberman
> Microsoft Corporation
> Senior IT/OPS Program Manager (GFS)
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.