[arin-ppml] Policy Proposal 2003-1: Required Performance of Abuse Contact
Matthew Petach
mpetach at netflight.com
Fri Aug 29 17:33:06 EDT 2025
On Fri, Aug 29, 2025 at 2:00 PM Shawn Bakhtiar <shashaness at gmail.com> wrote:
>
>
> On Aug 29, 2025, at 1:23 PM, Paul E McNary <pmcnary at cameron.net> wrote:
>
> I need more education before I comment further.
> How do you enforce if they are using a natted IP and your gateway is
> coming back as the abused address?
>
>
> I would argue if you are NATing for others, you are responsible for their
> behavior.
>
> As others have mentioned, ARIN is not LE (Law Enforcement), however, this
> does not mean it can't (and in fact it should) set policy. Once the policy
> is established, then we can use it as a basis for enforcement, this could
> come in the form of a civil lawsuit, etc...
>
> I can't go to courts and say hold someone to a standard that has not been
> set. I need the policy, in order to establish the bad behavior.
>
Hi Shawn,

We already have community policies that exist; for example, MANRS requires
that:

"Network operators should register and maintain NOC contact information for
each AS and netblock(s) that they are responsible for. This must include an
email address to which operational queries may be sent and expected to
reply within 72 hours, and a telephone number and dedicated abuse email
address (e.g. abuse-c) should also be provided. Networks are encouraged to
document their routing policies in an IRR, and additional information (e.g.
Looking Glass URL) in the appropriate field of their PeeringDB record is
welcome."
https://manrs.org/wp-content/uploads/2021/09/MANRS-Network-Operators-Actions-v2.5.2.pdf

I think what you're looking for is more than just policy, it's a legally
binding contract (in effect, a law) that every network operator agrees to
follow, or be liable in a court of law for contract violation. That's a
much higher bar to try to reach. :(

But if all you really want is "policy", there are policies out there that
already require network operators to maintain up-to-date contact
information.
Just point people at those policies, like MANRS.
>
> The difference in having this policy or not, is the difference on whether
> I can pursue damages. Without it, the courts will simply say, they have no
> obligation. With it the court can hold them to the obligation.
>
> ARIN would never even be involved, netizens would simply litigate through
> the civil courts.
>
If you're looking for courts to enforce policy, there's only one way to do
that, and that's to pass a law, and once you talk about laws, you're
talking about specific jurisdictions.

If you don't want to deal with passing legislation, then your other
recourse is to fall back on contract law, and in that situation, ARIN has
to be involved, as they would be the holder of the contract that is being
breached.

I think you need to slow down for a moment, and really think about what it
is you're asking for.

If you want something that is prosecuted in the civil courts, you're
talking about legislation, and at best, you're going country by country to
get it passed, with a lot of time and headache, and no enforceability
across jurisdictional boundaries.

If you want something that *ARIN* can enforce, then the PPML is the right
place to start talking about it, but you have to acknowledge that doing so
brings costs with it in terms of ARIN staff time and legal engagement, and
the way that would get paid for is by increasing the ARIN service charges
for everyone that is an ARIN member. And you're going to have to do a
really good job to convince us that raising ARIN's costs to monitor and
enforce this is important enough for us to cough over additional money each
year to support it.

How much are *you* willing to pay to have the new policies you're asking
for be monitored and enforced? $1000/year? $5000/year?
>
> We are deploying IPv6 but it has taken years.
> We have equipment that monitors and shapes traffic and a hard attack going
> through our gateway our Upstream fiber provider blacklists an incoming
> abusing IP
>
> or shuts all of our network down inbound.
>
> But outbound natted addresses using dynamic DNS, I don't have any
> knowledge how to stop from internal except by high consumption.
> What other ways are there?
>
>
> Again, I don't want to conflate enforcement with policy. All I'm asking
> for here is a policy to be set (updated). I'm not asking ARIN to enforce
> it. The community will do it through the normal legal and enforcement
> channels. But we can't do that, when there is no policy to point to.
>
As the United States has discovered much to its chagrin, there is no
meaning to policy without an ability and willingness to enforce it.

Creating an entry in the NRPM that specifies a policy, but absolves ARIN
from having to enforce it is a waste of virtual ink.

No court of law is going to take action against a network for failing to
adhere to a section of the NRPM without a suit being filed by a plaintiff
that has standing. And the NRPM is purely an agreement between a network
and ARIN; it has no binding action between one network and a different
network. I cannot bring a lawsuit against you for failing to adhere to the
NRPM, because you and I did not jointly sign that agreement; it was signed
by you and ARIN only. The only party that could bring a suit against you
for failing to honor the agreement would be ARIN. Thus, in asking for
policy to be written, you are implicitly asking ARIN to also be the
enforcer of the policy, and to account for the costs involved in enforcing
that policy.

If you ask for policy to be created without also appointing and authorizing
an enforcer, you have at best created a community guideline; and much like
BCP 38, the good people will implement it, and the bad people will not, and
there's nothing the good people can do about the bad people who ignore it.
That's pretty much where we are today. You have MANRS, which stipulates
that networks should have contact addresses that respond within 72 hours --
but with no enforcement body identified, it's largely toothless. I can't
bring any action against a network that doesn't adhere to the MANRS
requirements, because it's not a contract that has been breached, nor is it
a penal code that the state will enforce.

If you're looking for a community guideline without enforcement, point them
at MANRS--that already exists.

If you want enforcement, the only party that can do the enforcing here is
ARIN.

Thanks!

Matt