Important New Requirement for IPv4 Requests

Actually, being a CTO of a company, I know that my CEO signs things ALL the
time based just on my say so. I don't see how signing a document for ARIN
would land them in court, further if he were to go to court, he'd simply say
that he relied on the opinions of his technical staff since he does not have
the experience or expertise to evaluate it's validity. And as history shows,
this is an acceptable answer, it happens all the time in the case of
financial filings that others produce for the CEO to sign.

It didn't work very well for the CEOs of Worldcom, Enron and Tyco,

I think that many company officers will ask to see the results of an audit
before they sign this document, and they will want the audit to be performed
by qualified CPAs. Are your IPv4 records in good enough shape that an
accountant will sign off on them?

--Michael Dillon

My boss (who is an officer of the company within the meaning of the
term in the new ARIN requirement) will attest to my employer's next IP
assignment (we're an end user with PI space) request to ARIN on nothing
but my say-so that it is accurate. He's not a network guy, has no good
way of verifying the data himself and won't require some external
entity to come audit the request. He might ask me a few questions
before signing, but that will be it. If he didn't trust me, he'd have
replaced me a long time ago. (For the record, yes, my records are good
enough that an accountant would likely sign off on them. But that
won't be necessary.)

Of course, I haven't been submitting fraudulent requests to ARIN and
don't plan to start, so I'm not the target of ARIN's new policy anyway.

There are many things the new policy won't stop. It won't stop
fraudulent requests where the officer of the company is knowingly in
the loop of the fraud (this would include small organizations where the
entire network engineering staff is the VP of Enginering). It won't
stop fraudulent requests where the requestors are willing to lie to
company executives (except in what I expect are relatively rare cases
where the executives independantly verify the data before signing off
on it).

It *will* stop fraudulent requests where the requests are being made by
engineers who are (a) willing to lie to ARIN, but (b) not willing to
lie to their boss and boss's boss (through however many levels it takes
to get to an officer who meets ARIN's requirements). I suspect that's
a non-trivial amount of the fraud that is going on. ARIN can't fire
anyone. Managers typically don't like to be lied to and might very
well fire an engineer caught lying ... many people won't take that sort
of chance with their job. (Sure, some will tell their boss the truth
and then ask him to lie to ARIN, and some officers will go along with
that -- I covered that possibility the previous paragraph -- but no
where near all will.)

Many of the attacks here against ARIN's policy are centered on the fact
that it isn't perfect and there are still lots of ways for fraud to
happen. All of those attacks are valid, but they ignore the fact that
the policy probably was't intended to stop all fraud, just reduce
fraud. I have no data, but my gut tells me it will reduce some fraud.
I have no idea how much.

     -- Brett

I can assure you that based on my own experiences in very large
companies that I'd have few issues complying with this new
requirement. I like the idea and honestly, ARIN is damned if they do
(see this pretty inane thread) and damned if they don't (wait until
RIR exhaustion 'day' comes and goes and watch the conspiracy theories
as to why ARIN didn't 'do more').