[arin-ppml] ARIN-2024-5 Rewrite of NRPM Section 4.4 Micro-Allocation - Community Questions

Tyler O'Meara arin at tyleromeara.com
Wed Feb 26 19:30:33 EST 2025



On Wed, 2025-02-26 at 23:50 +0000, David Conrad wrote:
> Tyler,
> 
> I’ve been reluctant to comment on this thread, but I’m increasingly
> confused...
> 
> On Feb 26, 2025, at 2:47 PM, Tyler O'Meara via ARIN-PPML <arin-ppml at arin.net>
> wrote:
> > We should clarify that only the actual authoritative DNS servers qualify as
> > CII;
> 
> So, the load balancers, routers, switches, etc., that connect those servers
> don’t count? The remote database backends the authoritative servers depend on?
> The other backend and administrative systems, etc.?
> 
> > as such I propose we use the following language:
> > CII includes Internet Exchanges, IANA authorized authoritative Root DNS
> > servers,
> > TLD authoritative DNS servers, and critical services operated by ARIN and
> > IANA.
> 
> > Presumably we don't consider whatever vendor Verisign uses for their
> > corporate
> > email to be CII, for example.
> 
> 
Implicit in that statement (at least as I intended it) was to include anything
critical to the operation of the authoritative DNS servers. I'll note that the
current 4.4 text only allocates a /23 per gTLD, which suggests to me that the
authors of the current 4.4 intended those addresses to be used for the publicly
facing addresses of the authoritative DNS servers.

My proposed changes were meant to accomplish 2 things:
1) Acknowledge that many organizations that run CII also run/do non-CII things,
and that 4.4 space (in my opinion) should only be able to be used for the CII
things.
2) Acknowledge that many organizations that run CII have a great many service
providers for any host of non-CII purposes (I used the example of corporate
email in my prior email), and I likewise don't think that those service
providers should be able to use 4.4 space just because Verisign (or any other
CII operator) is their client.

For example, RIPE runs K-root, and to the extent they need IPv4 addresses in
order to run K-root in ARIN's service region, section 4.4 should (and does)
permit that. However, just because RIPE does one thing that qualifies as CII
does not mean that everything else they do should also qualify as CII, which a
literal reading of the proposed wording could suggest. That's all I'm trying to
protect against.
Admittedly, this is also a failing of the current 4.4 wording; but since we're
rewriting anyways I'd like to close that loophole if possible.

> 
> But you do consider the corporate email of ARIN and PTI/ICANN (which provides
> IANA services) CII?
> 

I'll note that I also amended the proposed text to say "critical services
operated by ARIN and IANA", leaving the judgement of what is a critical service
to ARIN staff, but implicitly acknowledging that there may be some things
ARIN/IANA do that are not critical to the functioning of the Internet.

> The definition of “CII” used here appears to be arbitrary. Perhaps it might
> help if you define what you think is CII and why ARIN and ICANN/PTI would fall
> under that definition whereas Verisign wouldn’t?
> 

I've never asserted that Verisign doesn't operate CII; in fact I've supported
broadening the current 4.4 definition to cover more of Verisign's activities
(which this draft policy does). All I'm trying to accomplish is to match the letter
of the law (which currently states that any organization that runs CII can use
4.4 for any purpose) with the spirit of the law (that organizations that run CII
can use 4.4 to run CII, but not for other purposes).


> Regards,
> -drc
> 


