[arin-ppml] Board Rejects "ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation” Due to Scope

John Curran jcurran at arin.net
Sat Jul 13 13:12:31 EDT 2019


On 13 Jul 2019, at 1:53 AM, David Farmer <farmer at umn.edu> wrote:

On Fri, Jul 12, 2019 at 12:14 PM John Curran <jcurran at arin.net> wrote:
The problem with that reasoning is that the registrants "use of ARIN’s registration services" generally continues just fine…  i.e. they can receive additional resources, update their number resources entries, etc.  Thus, ARIN would likely face challenges in attempting to assert violation of the Prohibited Conduct clause on such a basis.
If the community really wishes that those participating in the ARIN registry commit to specific routing behavior, then such an obligation should be made quite explicit in the RSA.

I think the same logic would apply to ARIN's Whois service as well. If Whois were interfered with and taken offline in some way, registrants "use of ARIN’s registration services" generally continues just fine too, i.e. the service that really matters, the uniqueness of the resources, is unaffected. I think the same applies to RPKI, if the RPKI repository were interfered with or was unavailable for whatever reason the Internet should keep working just fine.

David -

You are incorrect - if a party managed to interfere with ARIN’s registry services (including the publication of information via Whois) on a large scale, it would be relatively straightforward to show them to be in violation of the prohibited conduct clause.

For example, if the route hijacking was for the IP address blocks that ARIN uses for providing services to the community, then that would indeed qualify as prohibited conduct.

Using the standard you provide above, it seems to me, the Prohibited Conduct clause is useless and would never apply to anything meaningful.

The clause reads (in part):  "In using any of the Services, Holder shall not: (i) disrupt or interfere with the security or use of any of the Services; …”

If you engage in a significant disruption of ARIN’s services, then it applies.  For example, if we had a horrible coding/security flaw such that a specific Whois query shut down our services, I can understand someone doing it once or twice to confirm before reporting it to ARIN.  However, doing such a query every 5 minutes to disrupt our operations would be a fine example of "prohibited conduct".

So I ask, what kind of disruption or interference would the Prohibited Conduct clause actually apply to? How are they different than routing behavior? And why don't they need to be made equally explicit then?  (I don't need or expect an exhaustive list, but a couple of examples would be instructive)

See above - the key element is disruption of ARIN’s services.   We don’t consider invoking prohibited conduct clause against a resource holder simply because they interfered with someone’s access to ARIN’s services – such a reading could support ARIN seeking remedies against ISPs who had any form of service outage, and that is definitely not the intent.

For example –  "Address Holder agrees to only announce routing for its own address blocks, or those address blocks for which it has obtained permission of the registrant as listed in the Internet Number Registry System.”

It is unclear if such an obligation should exist, and I would advise the community to very carefully consider the implications that would result.

(If there were a consultation that showed significant support, then the Board of Trustees could consider recommending such an RSA change – note that the latest version of the RSA provides that ARIN may only modify the RSA in response to a specific change in the law, or after ratification by Member vote… i.e. adding such an obligation would require recommendation of the Board followed by an affirmative ballot of the ARIN Membership.)

Personally, I'd be fine with that.

If the community wanted it, and the obligation was plainly identified in the RSA, then I’d be fine with it as well.   However, that’s quite different than creating very specific obligations on how parties do their routing thru aggressive reading of the overall prohibited conduct clause in the RSA.

However, you seem to be saying that, ARIN and the other RIRs can do nothing to enforce the uniqueness of resources in the context of the Internet?

ARIN is an Internet number registry – we administer the registry on behalf of the community; we don’t control or administer the Internet routing system.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers


