Subject: Important New Requirement for IPv4 Requests
From: ARIN Registration Services <do-not-reply@arin.net>
Hello,
With the approaching depletion of the IPv4 address free pool, the
ARIN Board of Trustees has directed ARIN staff to take additional
steps to ensure the legitimacy of all IPv4 address space requests.
Beginning 18 May 2009, ARIN will require that all applications for
IPv4 address space include an attestation of accuracy from an officer
of the organization. For more information on this requirement, please
see:
Whenever a request for IPv4 resources is received, ARIN will ask in
its initial reply for the name and contact information of an officer
of the organization who will be able to attest to the validity of the
information provided to ARIN.
At the point a request is ready to be approved, ARIN will send a summary
of the request (via e-mail) to the officer with a cc: to the requesting
POC (Tech or Admin) and ask the officer to attest to the validity of the
information provided to ARIN. The summary will provide a brief overview
of the request and an explanation of the required attestation. ARIN will
include the original request template and any other relevant information
the requestor provided. Once ARIN receives the attestation from the
officer, the request can be approved. Attestation may also be provided
via fax or postal mail.
For further assistance, contact ARIN's Registration Services Help Desk
via e-mail to hostmaster@arin.net or telephone at +1.703.227.0660.
Let me see if I can understand this.
We're running out of IPv4 space.
Knowing that blatant lying about IP space justifications has been an
ongoing game in the community, ARIN has decided to "do something" about
it.
So now they're going to require an attestation. Which means that they
are going to require an "officer" to "attest" to the validity of the
information.
So the "officer," most likely not being a technical person, is going to
contact ... probably the same people who made the request, ask them if
they need the space. Right?
Easier to take back resources if an officer of the company lied regarding
their usage/need, no? Just a thought, although I am by no means an expert in
the field of contract law.
Subject: Important New Requirement for IPv4 Requests
From: ARIN Registration Services <do-not-reply@arin.net>
Hello,
With the approaching depletion of the IPv4 address free pool, the ARIN Board of Trustees has directed ARIN staff to take additional steps to ensure the legitimacy of all IPv4 address space requests. Beginning 18 May 2009, ARIN will require that all applications for IPv4 address space include an attestation of accuracy from an officer of the organization. For more information on this requirement, please see:
Whenever a request for IPv4 resources is received, ARIN will ask in its initial reply for the name and contact information of an officer of the organization who will be able to attest to the validity of the information provided to ARIN.
At the point a request is ready to be approved, ARIN will send a summary of the request (via e-mail) to the officer with a cc: to the requesting POC (Tech or Admin) and ask the officer to attest to the validity of the information provided to ARIN. The summary will provide a brief overview of the request and an explanation of the required attestation. ARIN will include the original request template and any other relevant information the requestor provided. Once ARIN receives the attestation from the officer, the request can be approved. Attestation may also be provided via fax or postal mail.
For further assistance, contact ARIN's Registration Services Help Desk via e-mail to hostmaster@arin.net or telephone at +1.703.227.0660.
Let me see if I can understand this.
We're running out of IPv4 space.
Knowing that blatant lying about IP space justifications has been an
ongoing game in the community, ARIN has decided to "do something" about
it.
So now they're going to require an attestation. Which means that they
are going to require an "officer" to "attest" to the validity of the
information.
So the "officer," most likely not being a technical person, is going to
contact ... probably the same people who made the request, ask them if
they need the space. Right?
And why would the answer be any different, now?
... JG
So I wonder if this applies to some of the players who have recently gotten a /19 for dubious purposes and are so large that an "officer" of the company may be 1500 miles away. It's a sad state of affairs. Are they going to hold the "officer" liable if the request is not legit?
Just a thought: A technical person might be very happy to lie to a toothless organization that holds no real sway over him or her, won't revoke the address space once granted, and for whom the benefit of lots of address space in which to play exceeds any potential pain from being caught, er, exaggerating their need for address space.
That same technical person might be less inclined to lie to a director of their company who asks: "Are you asking me to attest, publicly and perhaps legally, that this information is correct? If you're wrong and you make an ass of me, it's going to be yours that goes out the door."
Seems like a reasonable experiment to try, at least.
I don't believe I saw anywhere that these attestations were being made under penalty of perjury or any other method of civil punishment. Do they have to notarized?
What are the real benefits here, other then putting more people to work at ARIN and increase the workload of those who really do need new IP space.
- demonstration of routing of an IPv6 range/using IPv6 address space
- demonstration of services being offered over IPv6
- a plan to migrate customers to IPv6
- automatic allocation of IPv6 range instead of IPv4 for those who can't do so.
ie. No more IPv4 for you until you've shown IPv6 clue.
Then people can't just get away with driving into the brick wall of IPv4-allocation fail.
(Not sure if I'm serious about this suggestion, but it's there now).
I think this needlessly involves people who probably don't have a clue in an
area we may not really want them involved in. I can hear the conversation
now:
Officer: "Why do I have to sign this thing?"
Tech: "Well your graciousness. We are coming to the end of the available
address space and the gods at ARIN want to make you aware of that so you
might approve that request I made for new equipment to deploy IPv6 with."
Officer: "Huh? Do we need it?"
Tech: "Yes, we need the address space."
Officer: "And they're running out?"
Tech: "Well out of the v4 space which is what we use now but we can move to
v6 space and..."
Officer: "Hell, request 10x as much space! I'll sign anything as long as
we don't run out and have to spend money!"
For me, I request all the allocations and I'm also an officer of the company
so I'll just attest to my own stuff but I can see this would be a nightmare
in a larger company.
There was also an e-mail about outreach to the CEOs of all the companies
with resources. At my company the CEO will hand it to me without even
opening it. I assume that in many larger companies it "might" get glanced
at by the CEO or CEOs secretary before it gets shredded.
While I completely understand the reasons behind both initiatives I don't
think they'll have the desired effect.
This is exactly identical to having the CEO signed the quarterly statements. You are saying this is Right. The CEO couldn't do that accounting him/herself -- but they're going to ask more questions and be more cautious before putting their name on it.
I applaud this idea. I wish we had done it 10 years ago, but it's not too late to start. Before late than never.
If the effort that will go into administering this went instead
into reclaiming IPv4 space that's obviously hijacked and/or being
used by abusive operations, we'd all benefit.
There's a big difference between signing that the books are right (it
matters!) and filling out paperwork for ARIN. The first is one of his
primary duties as an officer of the company, the second won't even make his
secretary's "to do" list.
It appears that ARIN wants to raise the IP addressing space issue to the CxO
level -- if it was interested in honesty, ARIN would have required a
notarized statement by the person submitting the request. If ARIN really
wants to get the interest of CEOs, raise the price!
Oddly enough, someone proposed something very much along these lines at a couple of RIR meetings (see "IPv4 Soft Landing"), and in fact used the 'driving into a brick wall' analogy. Many of the folks who commented on that policy proposal felt it was inappropriate for RIRs to dictate business models (that is, if an ISP doesn't want to move to IPv6, it wouldn't be 'right' for an RIR to force them to). The proposer eventually gave up as the impedance mismatch between reality and the RIR policy making process became too great to observe without breaking into uncontrollable giggles.
That game has been going on for over a decade. I've seen it first hand as far back as '96. I've even seen multiple address allocations using the *exact* same email -- once or twice a year, not like they were 4 requests on the same day; they had been using that same "form email" for *YEARS* -- "(me) And they fall for it? (coworker) Every time."
As you point out, this will have zero effect. The COO ("officer") will either be clueless as to the fine details of the operation and rely on the information ("lies") from his managers and techies. Or, he's the one telling them to lie in the first place.
A notary signs only that the person in front of them has been checked to be who they say they are. That's authentication. A Notary cannot attest that what is on the document is valid.
A CxO signing that the request is valid is Authorization to speak for the company. Different spectrum.
I suspect at more than a few companies the "Net Admin" can get a
10 minute slot on the CTO's calendar....in 2042. In the wonderful
game of pass it up the food chain it probably looks something like
this:
Net-Admin: This IPv6 stuff is important, we should already be deploying
it full-tilt.
Manager: Some IPv6 testing should be reflected in next years budget.
Director: I hear IPv6 is the future, but customers just aren't
demanding it.
VP Network: Humm, maybe I should have read the Network World article on
IPv6 rather than the one on Google World Dominance.
CTO: *crickets*
I think this is a tool to cause everyone in that chain to have to
do a lot more communicating up and down, and I think that is a very
good thing at many companies, particularly large companies.
There is no silver bullet here. There is no one thing that can be done
that can make it all better. This is a small, but important step that
will be significant to some, but not all companies. To that end I'm
glad ARIN has taken it, and hope it is one of many steps that get us to
the destination.
If the effort that will go into administering this went instead
into reclaiming IPv4 space that's obviously hijacked and/or being
used by abusive operations, we'd all benefit.
I use comcast space for abusive operations. I believe they charge me $40
a month for the privilege.
Knowing that blatant lying about IP space justifications has been an
ongoing game in the community, ARIN has decided to "do something" about
it.
I don't draw that direct conclusion. Although it may sound like "we know you've been lying so we want to hear from your parents" this can be read more benignly as "we want to make sure your parents know what's going on."
And why would the answer be any different, now?
No, but now, if you (the engineer) have been telling non-technical management that there's a need to investigate IPv6 and management has been turning a deaf ear, you now have "backup" - a second source for management to get the message from that they ought to think about IPv6 plans.
PS - this is based upon lessons learned when I worked for a US fed agency. When the network folks said we needed $X thousand of dollars for 10BaseT deployment across the campus we were ignored. When each division asked each directorate and they asked the budget committee for what amounted to $X thousand to have the networks deploy 10BaseT (two years on), we got the job.