[arin-ppml] Draft Policy ARIN-2019-2: Waiting List Block Size Restriction

Ronald F. Guilmette rfg at tristatelogic.com
Wed Feb 27 20:48:59 EST 2019

In message <CAN-Dau2V1AVqHV7TwBEd9LZifv61e=b5Jqaq7euLt34qooL0wA at mail.gmail.com>
David Farmer <farmer at umn.edu> wrote:

>The proposed /22 limit seems reasonable and should be effective in limiting
>the financial incentives to profiteer.

I could show you direct evidence from the RIPE region which, if you saw
it, would quite certainly demonstrate to you beyond any doubt that
merely limiting allocations to /22 blocks has little if any effect on
those seeking to game the system.  In fact, I could show you evidence
of -two- entirely separate operations that have been plundering the
remaining RIPE IPv4 space, basically one /22 at a time, for some
significant time now, and where each of these two operations has already
amassed its own colossal amount of IPv4 space in exactly this manner.
(We are *not* talking about a few dozen /22 blocks here.  We are talking
about two sets, each of which is in the low hundreds.)

I would have publicized these operations and their allocations already,
but I've been working on a lot of things, some of which have been even
rather more urgent, like my pursuit of the two groups of bad actors who
have been sending out those annoying bitcoin "sextortion" spams, and,
on December 13th, 2018, those bitcoin extortion bomb threats.

Anyway, this topic brings me back to something else I wanted to mention
here anyway.  Once again I'll get back up on my soapbox, for whatever
little good it will do, and continue my longstanding, ongoing, and
generalized rant about transparency.

What's the point of limiting each organization that applies to some RIR
to just a small /22 allocation as long neither the RIRs themselves nor
anybody else for that matter has any real idea who is actually behind
any of these applicant entities?

As the two european operations I've aluded to above have quite successfully
proven, it is both cheap and easy to acquite essentially unlimited numbers
of essentially fictitious but properly regitered corporate entities, *and*
to then use each of those to make seprate requests for IPv4 space.  This
isn't a hypthetical problem.  It's been ongoing for some time already, at
least in the RIPE region, and at a gigantic scale, and at least with respect
to two entirely separate operations that I personally am already aware of.
(There may perhaps be even more such operations out there that I personally
just haven't had the pleasure of bumping into yet.)

Exactly such forests of essntially annonmous, unattributable and completely
unaccountable corporate shell companies have, of course, bedeviled all
those who work to thwart money laundering.   And such sets of shell companies
have been at the center of innumerable money laundering cases for a long long
time now.  So in that sense, at least, the use of groups of shell companies
to disguise what's really going on is really nothing new.  What is at least
somewhat new... and arguably entirely predictable... is the use of sets of
shell companies to aquire, by hook or by crook, what little remains of the
highly valuable IPv4 address space.

So, how does this occur, how does it all work, and what if anything can be
done to stop it?

Not surprisingly, it all comes back to transparency, or rather, to the
abundant lack thereof.

Just the other day, someone pointed me at a segment of the the current
(2013?) standardized ICANN accreditation agreement that they make all of
their domain name registrars sign.  I don't know if the specific part of
that standard agreement that I was looking at was added in response to
the incident, some years ago, when ICANN had egg all over their collective
faces... because they had allowed the notorious Scott Richter to become
an accredited domain name registar... or if this part of the current
standard ICANN registrar contract was put in as a reaction to something
else, but anyway, these days each and every entity that wants to become
an ICANN accredited domain name registrar has to divulge to ICANN that
entity's "beneficial owners" all the way down to the 5% level.  So in
theory, at least, ICANN knows about all cases where someone actually
owns two or more "separate" domain name registrars.

Well, that's true in theory anyway.  It's not immediately clear, to me
at least, that the "owners" that ICANN demands be (confidentially)
identified can or cannot themselves be shell companies.  If they can be,
then this whole exercise is really just an elaborate charade on ICANN's
part... a fig leaf covering up a fig leaf.  And being jaded as I am,
I am inclined to think that that is indeed most probably the case, and
that this was all worked out in a way so that really, any crook or conman
that comes along can still become an ICANN Accredited registrar (and
ICANN can still derive the revenue therefrom) except that now, there is a
tiny bit more paperwork involved, and a tiny additional fee, specifically
the one to cover the creation of the shell company.  But conveniently,
the *next time* somebody figures out that ICANN has made some new crook
into an accredited registrar, ICANN has plausible deniability and can just
say, with an almost straight face, "Gee!  We didn't know!  As far as we
knew it was this shell company that we made into an accredited registrar!
And we are shocked to find that there's gambling going on here!"

So, to bring this back on point, if anybody in ARIN-land actually and
seriously gives a rat's patootie about eliminating this kind of game
playing, wherein numerous shell companies are used, in effect, as straw
buyers to accumulate IPv4 address space, then  there is one, and only one
Right Answer.  ARIN would need to have every privately held entity
which receives a direct allocation divulge all of its actual "natural
person" owners, at least down to some pencentage level.  Ideally, that
information would then be made public, so that in addition to any
vetting that ARIN staff might do, various enterprising independent
investigators could also check to see if some guy whose company just
got a /22 also happend to have a brother-in-law, or a chef, or a
favorite chello player who also just happned to get his own /22 block
at around the same time.

The Brits, having been under intense pressure to clean up the colossal
mess that was Russian money laundering into the City of London banks,
by way of a few zillion anonymously held UK shell companies, recently
got off their asses and actually legisslated that enough was finally
enough, and now, if you go to the UK's CompaniesHouse web site, for each
active UK company registered there, you can look and see who the natural
person beneficial owners are, at least down to the 25% level.  And starting
at the end of next year (2020) these new transparency rules will also
come into effect even for the traditional secrecy, money laundering, and
tax havens of the various British Overseas Territories, e.g. Caman Islands,
British Virgin Islands, and so forth.

The tide is slowly but surely shifting away from dodgy secrecy and various
old corpoate secrecy rules, in many jurisdictions, including many which
have for so long allowed crime, fraud, and  malfeasance to flourish in
many of the dark corners of this planet.  Even Switzerland has been
forced to give up information about U.S. tax cheats to the U.S. Department
of Justice.

Withe respect to this growing trend towards transparency in the service
of honesty and fair dealing, I respectfully suggest that ARIN should
either lead, follow or get out of the way.  I don't think it would do
for ARIN or the various other RIRs to be the last places on earth to
actively provide aid, comfort and shelter to crooks hiding behind
unattributable shell companies, and ideed, as the examples I've seen
in the RIPE region prove, beyond a reasonable doubt, shell companies
have been used and are being used to slowly but surely drain away what
little remains of the IPv4 address space, to the benefit of a very select
few.  Those few have had no apparent trouble whatsoever in figuring out
how to trivially game the present system.

Transparency woukld solve all that, of course, but given that 99.9% of
ARINs constituients are corporations which are themselves, rightly or
wrongly, deathly afraid of even the mere suggestion that they should
ever be required to divulge anything at all, I must face that fact that
the ARIN community isn't at all likely to adopt any new transparency
measures anytime soon.  But given present circumstances I felt compelled
to offer these observations anyway.  My only hope is that someday, perhaps
10 or 20 years from now, someone will look back at this post in the archives
and judge me prescient.


P.S.  Most infuriatingly, the kind of transparency about beneficial owner-
ship of the kind I've described above really only has applicability to that
subset of ARIN's constituents that are NOT publicly traded companies.
By definition, ownership of publicly traded companies is, by and large,
already a matter of public record, and thus, no new, additional, or
special disclosures are needed from any of them.  And quite certainly,
if we were to add up the current market valuations of all of these already
public ARIN constituent public companies, their gross value would be
counted in the trillions of dollars and would utterly dwarf the combined
value of all of the privately owned ARIN constituent companies.

So here we have a perfect example of the tail wagging the dog.  The smaller
privately held companies would (and will) undoubtedly scream and cry and
veto any proposal aimed greater transparency about beneficial ownership,
even though, by dollar denominated weight, they are vastly outnumbred by
the publicly traded ARIN constituent companies that have already grown
accustomed, years ago, to providing detailed ownership information to the
government, and by implication, to essentially everyone.  And yet it can
be easily predicted that these small fish, with the support of ARIN
management, will get their way, and thus, no actual swamp draining is
at all likely to occur in the forseeable future.

You heard it here first.

P.P.S.  If anyone wants to see corroborating evidence regarding my claims
above about illicit IPv4 address block allocation shenanigans within the
RIPE region, please contact me off list and I will provide that.  You'll
have to explicity acknowledge to me first however that you understand that
both of these situtations are ongoing investigations, and thus must not yet
be disturbed in any way.

More information about the ARIN-PPML mailing list