[arin-ppml] Board Rejects "ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation” Due to Scope

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Sat Jul 13 14:23:17 EDT 2019



I’ve the same self-contradictory feelings, if I can say that way, as David indicated.



El 13/7/19 19:20, "ARIN-PPML en nombre de John Curran" <arin-ppml-bounces at arin.net en nombre de jcurran at arin.net> escribió:


On 13 Jul 2019, at 1:53 AM, David Farmer <farmer at umn.edu> wrote:


On Fri, Jul 12, 2019 at 12:14 PM John Curran <jcurran at arin.net> wrote:

The problem with that reasoning is that the registrants "use of ARIN’s registration services" generally continues just fine…  i.e. they can receive additional resources, update their number resources entries, etc.  Thus, ARIN would likely face challenges in attempting to assert violation of the Prohibited Conduct clause on such a basis. 

If the community really wishes that those participating in the ARIN registry commit to specific routing behavior, then such an obligation should be made quite explicit in the RSA.


I think the same logic would apply to ARIN's Whois service as well. If Whois were interfered with and taken offline in some way, registrants "use of ARIN’s registration services" generally continues just fine too, i.e. the service that really matters the uniqueness of the resources are unaffected. I think the same applies to RPKI, if the RPKI repository were interfered with or was unavailable for whatever reason the Internet should keep working just fine.


David - 


You are incorrect - if a party managed to interfere with ARIN’s registry services (including the publication of information via Whois) on a large scale, it would be relatively straightforward to show them to be in violation of the prohibited conduct clause. 


For example, if the route hijacking was for the IP address blocks that ARIN uses for providing services to the community, then that would indeed qualify as prohibited conduct. 


Using the standard you provide above, it seems to me, the Prohibited Conduct clause is useless and would never apply to anything meaningful.


The clause reads (in part):  "In using any of the Services, Holder shall not: (i) disrupt or interfere with the security or use of any of the Services; …”

If you engage in a significant disruption of ARIN’s services, then it applies.  For example, if we had a horrible coding/security flaw such that a specific Whois query shutdown our services, I can understand someone doing it once or twice to confirm before reporting it to ARIN.  However, doing such a query every 5 minutes to disrupt our operations would be a fine example of "prohibited conduct”.  


So I ask, what kind of disruption or interference would the Prohibited Conduct clause actually apply too? How are they different than routing behavior? And why don't they need to be made equally explicit then?  (I don't need or expect an exhaustive list, but a couple of examples would be instructive)


See above - the key element is disruption of ARIN’s services.   We don’t consider invoking prohibited conduct clause against a resource holder simply because they interfered with someone’s access to ARIN’s services – such a reading could support ARIN seeking remedies against ISPs who had any form of service outage, and that is definitely not the intent. 


While I agree that this is perfect valid reading, the rest of that paragraph “(ii) violate any applicable laws, statutes, rules, or regulations; or (iii) assist any third party in engaging in any activity prohibited by any Service Terms”, looks to me that should be also “read” to have a complete interpretation.


Further to that, in section 2, Conditions of service, “(2) The right to use the Included Number Resources within the ARIN database;”, could be amended to clarify that it is an exclusive right “The exclusive right to use …”. Because that's the intend, right ?


Resources, are provided to the members for their own use or the use (authorized) of their customers. It doesn’t make sense at all to have unique registration if there is not such exclusivity.


We can do that by means of an RSA amendment, or according to section 5, using a policy.


One more consideration, that may be different in the US/Canada law (or other countries covered by ARIN, and that’s why it makes sense to make it explicit). In Spain, there is a clear rule, even if is not in explicitly stated in the bylaws, of any membership organization: Members can’t act against other members in the scope of the membership rights.


Is that the same in US/Canada ? Or should we add an explicit text, if not already in the bylaws, in the RSA or policies, to state that?


This way, non-accidental violation of other members rights (regarding to unique and exclusive registration and use of the resources) will be clearly declared as prohibited conduct.


For example –  "Address Holder agrees to only announce routing for its own address blocks, or those address blocks for which it has obtained permission of the registrant as listed in the Internet Number Registry System.” 


It is unclear if such an obligation should exist, and I would advise the community to very carefully consider the implications that would result. 


(If there were a consultation that showed significant support, then the Board of Trustees could consider recommending such an RSA change – note that the latest version of the RSA provides that ARIN may only modify the RSA in response to a specific change in the law, or after ratification by Member vote… i.e. adding such an obligation would require recommendation of the Board followed by an affirmative ballot of the ARIN Membership.)  


Personly, I'd be fine with that.


If the community wanted it, and the obligation was plainly identified in the RSA, then I’d be fine with it as well.   However, that’s quite different that creating very specific obligations on how parties do their routing thru aggressive reading of the overall prohibited conduct clause in the RSA. 


I definitively think we should have that consultation. Authors of prop-266 never wanted to create routing rules. The goal has always been to make sure that the unique resources use right are recognized and defended.


I will also be fine if ARIN community decides as part of that, not to take actions, just to declare that there has been a violation, so the victims can use that outside ARIN in a legal claim. I think this will be very useful in courts. Now, there is nothing that courts can “look at”, because RSA and policies, don’t have a clear wording.


However, you seem to be saying that, ARIN and the other RIRs can do nothing to enforce the uniqueness of resources in the context of the Internet? 


ARIN is a Internet number registry – we administer the registry on behalf of the community; we don’t control or administer the Internet routing system. 


I think we all agree on that, but as said before, only registration of resources without a clear declaration that they are meant for the exclusive use of the resource-holder or its authorized parties, is not congruent.










John Curran

President and CEO

American Registry for Internet Numbers



_______________________________________________ ARIN-PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (ARIN-PPML at arin.net). Unsubscribe or manage your mailing list subscription at: https://lists.arin.net/mailman/listinfo/arin-ppml Please contact info at arin.net if you experience any issues. 

IPv4 is over
Are you ready for the new Internet ?
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20190713/9abb3f2c/attachment-0001.htm>

More information about the ARIN-PPML mailing list