[arin-ppml] Draft Policy ARIN-2019-18: LIR/ISP Re-Assignment to Non-Connected Networks - Clarifying Language

Owen DeLong owen at delong.com
Sun Nov 3 23:47:10 EST 2019



> On Nov 3, 2019, at 13:22 , Jim <mysidia at gmail.com> wrote:
> 
> On Fri, Nov 1, 2019 at 5:17 PM Scott Leibrand <scottleibrand at gmail.com> wrote:
>> 
> [snip]
>> actually want ARIN to try to enforce. IMO the current policy requiring only a VPN
>> tunnel or unused switch port as a fig leaf to allow address leasing is untenable [...]
> 
> Perhaps IP leasing should be allowed,  But  all consideration must be
> declared to ARIN,  and 50% of all revenue from any lease or transfer with
> consideration must be paid to ARIN specifically  to be dedicated to funding
> enforcement and fraud prevention efforts.  ^_`
> 
> These "Fig leafs" for address leasing sound like basically fraud.
> If there's a fig leaf,  that's used to  conceal a lack of valid justification
> under existent policy with intended purpose as merely a device to
> circumvent the policy language;  it's a form of fraud.

The “fig leafs” are artificial connectivity for an essentially non-connected network.
This does not necessarily mean that the utilization/need would not be valid under
ARIN policy, merely that they wish to get the addresses from party A while getting
connectivity (if any) from party B and that for whatever reason, either party A does
not wish to sell the addresses or the lessee wishes to lease rather than buy them.

Ignoring the purely fraudulent or abusive cases (which abound), let’s consider if
there’s a policy mechanism to address these cases which would be legitimate
except that current ARIN policy forces an artificial connectivity requirement into
the transaction.

> At least in theory;
> that ought to be rejected in most cases --  just b/c there might be some
> allowable applications for IP space that involve VPNs, Etc;  does not
> mean that arbitrarily creating a VPN, etc,  for IP address association
> is not fraud.

Rejected by whom at what stage of what process?

I run a completely legitimate network. It’s entirely valid under ARIN policy and
I am using PI space. I originate a /23, a /24, and a /48 to my upstream transit
providers. My only connectivity to those upstream transit providers is via
tunnels. In one case, the tunnel is within my ASN and I lease a router at the
other end of the tunnel for connecting to the ISP (a VM running VyOS).

In another case, the tunnels are directly to my ISPs' routers.

The tunnels run over traditional residential ISP circuits and the internet in
order to reach my upstream ISPs.

Is there some reason you feel this should be a violation of ARIN policy? (currently,
it is not).

Is there some reason you feel it should be a violation of ARIN policy if I were to
get some addresses from either or both of my upstream ISPs (not the residential
ones providing transport services for the tunnels over IP)? (currently, it is not).

If your answer to the above two questions is “no”, then I have trouble seeing
why a legitimate network who wishes to lease addresses
from one of the providers and terminate his connectivity with one or more other
providers should not be considered equally legitimate. If you feel otherwise,
then please explain the distinction.

> At the end of the day,  any applicant can design some technical
> concoction which artificially requires IP addresses.

Yes, but that’s not what we are talking about here. In reality, what we are
talking about is seeing if there is a way to remove an artificial concocted
policy requirement without opening up major abuse potential.

> I believe ARIN staff ought to be able to investigate applications for IP
> space and  consider based on surrounding facts and circumstances —

When the applicant is applying to ARIN for transfer or for allocation or
assignment, they can. When the applicant is engaged in a private transaction
with a third party that is never reported to ARIN, what mechanism is going
to make ARIN aware of the transaction and/or the need to investigate?
What policy will enable them to do so? Why would a party leasing the
address space with no contractual relationship with ARIN cooperate with
such an investigation?

> Whether there is adequate proof that something looking like a
> VPN or Switch port  "Fig leaf"  has  a well-established reason for
> existing with a purpose of providing primary or at least equal network
> connectivity to other methods of connectivity commercially available to
> that service.

Or, perhaps instead, we recognize that fig leafs are silly and we look for ways
to stop requiring them in situations where they don’t make sense without creating
a major avenue for abuse (of ARIN policy).

Owen



