[arin-ppml] [EXT] Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Thu May 2 03:55:35 EDT 2019

Hi Owen,

I think that the comparison with a property is not good, so I'm top posting to make it simple.

ARIN is providing a registration service for unique and exclusive rights for resources, following a membership organization model.

Let's take another similar "association membership model". Please, note that I'm not a lawyer and my reading from US laws may be different as what we have in Spain.

Let's suppose it is a sports club and you can request that at some time in the week, the tennis court is allocated to member A, at another time to B, and another time to X. Member X decides to ignore that allocation and uses the court. Even more, X is doing from time to time the same with the allocation to member B, and many others. This is clearly against the rules *and* repeatedly against the rights of other association members.

The association clearly can tell X, we don't want you to be anymore a member. You've done this not just by mistake, it was a repetitive action in violation of our rules and not respecting other members rights.

You can find other examples, such a shared property. You have a right to use a property for a week, and if another member is usurping that right for other members "time", they don't follow the rules.

One more example, in Spain there have been many cases of pick-pockets that the public transport authority (and confirmed by courts if they complain), has denied using the public transport, just because they have been caught once and again.

A more extreme example. You can have a property, let's say your home, and there are some common areas (for example a garden, a small summer swimming pool, etc.). You are a member of the neigbourhood, that of course has rules about how the garden and swiming pool can be used. If you act against those rules, or act against the rights of other neighbours, you can get cancelled your rights to use those common areas. Even more, in an extreme case, a judge will even tell you (this is not a theory, there have been many cases), you can't anymore use your home: find another one, and you can rent this to someone else, because you demonstrated that you don't know how to follow the rules.

In all those cases, the membership organization has the right to state (according to the bylaws), what are the rules. If the rules are accepted by the members, they must be followed and respected.

I think it is obvious that the RIRs provide the unique and exclusive rights to members. I thinkk it is obvious *even* if we don't have such explicit rule, that a member can't act against those unique and exclusive rights granted to other members.

Our policies are there, some times, to state in an explicit way, what it may be considered obvious. This is what our policy proposal is tryint to do.

A resource hijack, is violating other member rights, and is also violating the rules about how the resources should be *correctly* registered, even if this hijack is violating the rules only during a few minutes or hours, it is still violating the rules.

There is some wording in the RSA that talks about some relevant aspects to this discussion (coping only some of the text):
(1) The exclusive right to be the registrant of the Included Number Resources within the ARIN database;
(2) The right to use the Included Number Resources within the ARIN database;

However, I'm mising a more clear "unique and exlusive right to use" in 2.

(d) Prohibited Conduct By Holder. In using any of the Services, Holder shall not: (i) disrupt or interfere with the security or use of any of the Services; (ii) violate any applicable laws, statutes, rules, or regulations; or (iii) assist any third party in engaging in any activity prohibited by any Service Terms.

Policies can increase that wording and make it more obvious and facilitate both the organization and the members to take actions if those are not accidental and if they become repetitive.

I believe bylaws are not clear on this, but it may be because it is clearly illegal to act against the membership rights of other members, so you don't need to re-state it in bylaws, but making it clear in policies it is definitively a good thing.

Policies are easier to adapt to the community needs, by means of the PDP, which may change with the time, evolution of protocols, etc. While the bylaws and RSA aren't so easy to modify, but they clearly state that the policies are part of the rules to be followed by members.


El 2/5/19 8:59, "ARIN-PPML en nombre de Owen DeLong" <arin-ppml-bounces at arin.net en nombre de owen at delong.com> escribió:

    > On May 1, 2019, at 18:08 , Fernando Frediani <fhfrediani at gmail.com> wrote:
    > On 01/05/2019 17:17, Joe Provo wrote:
    >> "Distribution function" is indeed merely agreeing that the data
    >> recorded in the registry is accurate. There's no dibursement of
    >> anything. When we bought our house and land, the registry of
    >> deeds was similar only involved in verifying that the transfer
    >> from the previous holders to us was a valid contract within the
    >> scope of its operations (the state in which we live). When a
    >> neighbor was doing a construction project and we had to go block
    >> their heavy equipment, the registrar of deeds sure didn't come
    >> and settle the dispute. We went down, got the county map and
    >> they agreed. if they hadn't, law enforcement and courts would
    >> have been the next step.
    >> This, like all Internet analogies, is poor; my thrust is that rfg's
    >> is worse. To parallel ARIN with a transportation agency's "line
    >> drawing" and officials embued with law enforcement is wildly off
    >> track.
    > That's not that same thing unfortunately. Your house and land belong to you until you sell it, the resources the RIR assign to people **never** belong to them, they are not a property. Instead they remain under their responsibility and they may unassigned if misused or for other reasons.
    The following is strictly my opinion. It may well deviate from the legal theories under which the RIRs currently operate.
    The county can revoke your deed if you don’t pay your property taxes.
    ARIN can revoke your registration if you don’t pay your ARIN fees.
    The county can revoke your deed if they find that it was recorded under fraudulent pretense.
    ARIN can revoke your resources if they find  your registration was obtained under fraudulent pretense.
    The only difference is in what is being registered/recorded by the different registries. The property registry in the various counties registers property.
    ARIN registers numbers to guarantee uniqueness among cooperating parties.
    As has been repeatedly stated in this debate, ARIN has no control or authority over non-cooperating parties that have not signed a contract with ARIN.
    An entity which has no contract with the RIRs really can use any integers they want in any way they want to the extent that others are willing to accept that use.
    If someone wants to claim as a public address and route it on the internet, the RIRs cannot do anything to stop them unless it violates an RIR contract that said entity is a party to.
    If they can find enough ISPs willing to route that on their behalf, then de facto, that address range will be theirs and it really doesn’t matter what the RIRs have to say about it.
    The internet works because the vast majority of networks choose to cooperate with the RIR system and work within the system to preserve uniqueness.
    There’s no law that prevents this from becoming balkanized and disintegrating into competing non-unique uses of address space. I hope that doesn’t happen and fortunately, there’s enough financial interest in the process to make sure the majority of ISPs continue to not want it as well.
    Nonetheless, it is important to understand just how fragile this ecosystem actually is and just how limited the power of the RIRs actually is.
    You are receiving this message because you are subscribed to
    the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
    Unsubscribe or manage your mailing list subscription at:
    Please contact info at arin.net if you experience any issues.

IPv4 is over
Are you ready for the new Internet ?
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

More information about the ARIN-PPML mailing list