<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \(Cuerpo en alfa";
panose-1:2 2 6 3 5 4 5 2 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.m-4787022214495879955m-7421705351070862885m-6957213731093441082m-8907735655722735596m2637472130810333746gmail-m5498879303841031385apple-tab-span
{mso-style-name:m_-4787022214495879955m_-7421705351070862885m_-6957213731093441082m_-8907735655722735596m_2637472130810333746gmail-m_5498879303841031385apple-tab-span;}
span.EstiloCorreo19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=ES link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=ES-TRAD style='font-size:12.0pt;mso-fareast-language:EN-US'>Hi,<o:p></o:p></span></p><p class=MsoNormal><span lang=ES-TRAD style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>I’ve the same self-contradictory feelings, if I can say that way, as David indicated.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>El 13/7/19 19:20, "ARIN-PPML en nombre de John Curran" <<a href="mailto:arin-ppml-bounces@arin.net">arin-ppml-bounces@arin.net</a> en nombre de <a href="mailto:jcurran@arin.net">jcurran@arin.net</a>> escribió:<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>On 13 Jul 2019, at 1:53 AM, David Farmer <<a href="mailto:farmer@umn.edu">farmer@umn.edu</a>> wrote:<o:p></o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'>On Fri, Jul 12, 2019 at 12:14 PM John Curran <<a href="mailto:jcurran@arin.net" target="_blank">jcurran@arin.net</a>> wrote:<o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'>The problem with that reasoning is that the registrants "use of ARIN’s registration services" generally continues just fine… i.e. they can receive additional resources, update their number resources entries, etc. Thus, ARIN would likely face challenges in attempting to assert violation of the Prohibited Conduct clause on such a basis. <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'>If the community really wishes that those participating in the ARIN registry commit to specific routing behavior, then such an obligation should be made quite explicit in the RSA.<o:p></o:p></span></p></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'>I think the same logic would apply to ARIN's Whois service as well. If Whois were interfered with and taken offline in some way, registrants "use of ARIN’s registration services" generally continues just fine too, i.e. the service that really matters the uniqueness of the resources are unaffected. I think the same applies to RPKI, if the RPKI repository were interfered with or was unavailable for whatever reason the Internet should keep working just fine.<o:p></o:p></span></p></div></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>David - <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>You are incorrect - if a party managed to interfere with ARIN’s registry services (including the publication of information via Whois) on a large scale, it would be relatively straightforward to show them to be in violation of the prohibited conduct clause. <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>For example, if the route hijacking was for the IP address blocks that ARIN uses for providing services to the community, then that would indeed qualify as prohibited conduct. <o:p></o:p></p></div><div><div><div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'><o:p> </o:p></span></p></div></div></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'>Using the standard you provide above, it seems to me, the Prohibited Conduct clause is useless and would never apply to anything meaningful.<o:p></o:p></span></p></div></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>The clause reads (in part): "In using any of the Services, Holder shall not: (i) disrupt or interfere with the security or use of any of the Services; …”<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><br>If you engage in a significant disruption of ARIN’s services, then it applies. For example, if we had a horrible coding/security flaw such that a specific Whois query shutdown our services, I can understand someone doing it once or twice to confirm before reporting it to ARIN. However, doing such a query every 5 minutes to disrupt our operations would be a fine example of "prohibited conduct”. <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'>So I ask, what kind of disruption or interference would the Prohibited Conduct clause actually apply too? How are they different than routing behavior? And why don't they need to be made equally explicit then? (I don't need or expect an exhaustive list, but a couple of examples would be instructive)<o:p></o:p></span></p></div></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>See above - the key element is disruption of ARIN’s services. We don’t consider invoking prohibited conduct clause against a resource holder simply because they interfered with someone’s access to ARIN’s services – such a reading could support ARIN seeking remedies against ISPs who had any form of service outage, and that is definitely not the intent. <o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>While I agree that this is perfect valid reading, the rest of that paragraph “</span><span lang=EN-US style='font-size:12.0pt'>(ii) violate any applicable laws, statutes, rules, or regulations; or (iii) assist any third party in engaging in any activity prohibited by any Service Terms”, looks to me that should be also “read” to have a complete interpretation.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>Further to that, i</span><span lang=EN-US style='font-size:12.0pt'>n section 2, Conditions of service, “(2) </span><span lang=EN-US style='font-size:12.0pt'>The right to use the Included Number Resources within the ARIN database;”, could be amended to clarify that it is an exclusive right “The exclusive right to use …”. Because that's the intend, right ?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>Resources, are provided to the members for their own use or the use (authorized) of their customers. It doesn’t make sense at all to have unique registration if there is not such exclusivity.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>We can do that by means of an RSA amendment, or according to section 5, using a policy.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>One more consideration, that may be different in the US/Canada law (or other countries covered by ARIN, and that’s why it makes sense to make it explicit). In Spain, there is a clear rule, even if is not in explicitly stated in the bylaws, of any membership organization: Members can’t act against other members in the scope of the membership rights.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>Is that the same in US/Canada ? Or should we add an explicit text, if not already in the bylaws, in the RSA or policies, to state that?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>This way, non-accidental violation of other members rights (regarding to unique and exclusive registration and use of the resources) will be clearly declared as prohibited conduct.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US><o:p> </o:p></span></p></div><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'>For example – "Address Holder agrees to only announce routing for its own address blocks, or those address blocks for which it has obtained permission of the registrant as listed in the Internet Number Registry System.” <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'>It is unclear if such an obligation should exist, and I would advise the community to very carefully consider the implications that would result. <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'>(If there were a consultation that showed significant support, then the Board of Trustees could consider recommending such an RSA change – note that the latest version of the RSA provides that ARIN may only modify the RSA in response to a specific change in the law, or after ratification by Member vote… i.e. adding such an obligation would require recommendation of the Board followed by an affirmative ballot of the ARIN Membership.) <o:p></o:p></span></p></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'><o:p> </o:p></span></p></div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'>Personly, I'd be fine with that.<o:p></o:p></span></p></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>If the community wanted it, and the obligation was plainly identified in the RSA, then I’d be fine with it as well. However, that’s quite different that creating very specific obligations on how parties do their routing thru aggressive reading of the overall prohibited conduct clause in the RSA. <o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>I definitively think we should have that consultation. Authors of prop-266 never wanted to create routing rules. The goal has always been to make sure that the unique resources use right are recognized and defended.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>I will also be fine if ARIN community decides as part of that, not to take actions, just to declare that there has been a violation, so the victims can use that outside ARIN in a legal claim. I think this will be very useful in courts. Now, there is nothing that courts can “look at”, because RSA and policies, don’t have a clear wording.<o:p></o:p></span></p><div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:9.0pt;font-family:Helvetica'><o:p> </o:p></span></p></div></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'>However, you seem to be saying that, ARIN and the other RIRs can do nothing to enforce the uniqueness of resources in the context of the Internet? <o:p></o:p></span></p></div></div></blockquote><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>ARIN is a Internet number registry – we administer the registry on behalf of the community; we don’t control or administer the Internet routing system. <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>I think we all agree on that, but as said before, only registration of resources without a clear declaration that they are meant for the exclusive use of the resource-holder or its authorized parties, is not congruent.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>Regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>Jordi<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'>@jordipalet<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>/John<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><div><p class=MsoNormal style='margin-left:35.4pt'>John Curran<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>President and CEO<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>American Registry for Internet Numbers<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div></div><p class=MsoNormal style='margin-left:35.4pt'><br>_______________________________________________ ARIN-PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (ARIN-PPML@arin.net). Unsubscribe or manage your mailing list subscription at: https://lists.arin.net/mailman/listinfo/arin-ppml Please contact info@arin.net if you experience any issues. <o:p></o:p></p></div><br>**********************************************<br>
IPv4 is over<br>
Are you ready for the new Internet ?<br>
http://www.theipv6company.com<br>
The IPv6 Company<br>
<br>
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br>
<br>
</body></html>