Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

Hi,

Just to let everybody know that a petition was started in order to try to enable a policy discussion about "BGP Hijacking is an ARIN Policy Violation".

If you would like to read the proposal, it is available at:
https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/

Discussions are already ongoing at RIPE and LACNIC.

Best Regards,
Carlos

(sorry for the duplicates, if you also receive arin-ppml@arin.net)

Hey Carlos,Can you (or someone else on the list, perhaps even someone who was involved in voting this down) provide some more details as to why it was rejected? What were the arguments in favor of rejecting the proposal? This seems like an interesting idea to me, and one that I can’t immediately come up with any arguments against from my own perspective. There’s probably some room for discussing and tuning specifics, but ultimately the concept seems reasonable to me. What am I missing here?

Thanks,
Matt

[snip]

Can you (or someone else on the list, perhaps even someone who was involved
in voting this down) provide some more details as to why it was rejected?
What were the arguments in favor of rejecting the proposal? This seems
like an interesting idea to me, and one that I can't immediately come up
with any arguments against from my own perspective. There's probably some
room for discussing and tuning specifics, but ultimately the concept seems
reasonable to me. What am I missing here?

Speaking solely for myself, it would be reasonable to start
any discussion based upon the on-record rationales for its
rejection. As such I would direct interested parties to the
Draft Advisory Council Meeting minutes from April 10
https://www.arin.net/about/welcome/ac/meetings/2019_0410/

and most specifically on that page
"16. ARIN-Prop-266: BGP Hijacking is an ARIN Policy Violation"

Cheers,

Joe

      Hi,

      Just to let everybody know that a petition was started in order to try
      to enable a policy discussion about "BGP Hijacking is an ARIN Policy
      Violation".

      If you would like to read the proposal, it is available at:
      https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/

      Discussions are already ongoing at RIPE and LACNIC.

      Best Regards,
      Carlos

Hey Carlos,Can you (or someone else on the list, perhaps even someone who was involved in voting this down) provide some more
details as to why it was rejected? What were the arguments in favor of rejecting the proposal? This seems like an interesting
idea to me, and one that I can't immediately come up with any arguments against from my own perspective. There's probably some
room for discussing and tuning specifics, but ultimately the concept seems reasonable to me. What am I missing here?

Hi,

Sure...

https://www.arin.net/about/welcome/ac/meetings/2019_0410
(Meeting of the ARIN Advisory Council - 10 April 2019)

You can also find the RIPE and LACNIC URLs here:
+ https://www.ripe.net/participate/policies/proposals/2019-03
+ https://politicas.lacnic.net/politicas/detail/id/LAC-2019-5?language=en

Best Regards,
Carlos

Hi Matt,

As I understand it (someone with better knowledge feel free to correct me) the proposal was ruled out of scope for ARIN because ARIN registers numbers, it doesn’t decide how they’re allowed to be routed. ISPs do that.

I personally support the petition. I think the out of scope reasoning is flawed. By enforcing minimum assignment sizes, ARIN has long acted as a gatekeeper to the routing system, controlling who can and can not participate. For better or worse, that puts the proposal in scope.

I personally think it’s for worse. I oppose the proposal itself. I’d just as soon ARIN not act as a gatekeeper to BGP and certain don’t want to see it expand that role.

Regards,
Bill Herrin

A couple of things spring to mind here now that I’ve given this a few more minutes’ thought. I agree with your reasoning as to why it makes sense for this to be considered in scope for ARIN.

As far as expanding roles goes… Over the past few decades, we’ve all watched as the internet became less and less “wild wild west” and more and more controlled (sometimes centrally, sometimes in a more or less decentralized way) by various organizations and entities. In various and sundry ways, bad actors could get away with plenty of things in 1990 that they cannot so easily today. It may be the case that this problem will be “solved” in some way by someone, but that “someone” may end up being a less engaged community or a less democratic organization than ARIN is. Ultimately, ARIN does a better job than some other internet governance bodies of promoting stakeholder and community interaction and some degree of democracy. We have to consider the question: if some organization is going to expand into this role, is it better that ARIN be the organization to do so instead of one which may be ultimately less democratic and more problematic?

One major problem with the proposal, having given it a couple of minutes thought, that I can see as of now would be enforcement being dependent on knowing whom the perpetrator is. If I decide to announce to some other networks some IP space owned by Carlos, but I prepend Bill’s ASN to my announcement, how does Carlos know that I’m the bad actor and not Bill? Having good communication between network operators to determine where the issue actually lies is critical. Unfortunately, that doesn’t always happen. When we talk about leveraging ARIN’s authority or potentially applying penalties of any sort to bad behavior, we have to be able to be certain whom the bad actor is so that the penalties are not inappropriately applied to an uninvolved or innocent third party.

Additionally, a question of scope does arise with regard to which resources ARIN would be able to enforce any such policy with regard to. Indeed, the proposal as written currently calls for a “pool of worldwide experts” despite being a proposal submitted to an RIR which is explicitly not worldwide in scope. For example, if a network with an ASN assigned by ARIN is “hijacking” address space that is allocated by APNIC (or any other RIR) to an entity outside of ARIN’s region, would this be an issue for ARIN to consider? What if ARIN-registered address space is being “hijacked” by an entity with a RIPE ASN and which is not located within ARIN territory? I suspect that for this proposal to have any meaningful enforcement mechanisms, it would require inter-RIR cooperation on enforcement, and that’s a very large can of worms. Not one that is impossible to overcome, but likely one which will require several years of scrutiny, discussion, and negotiation prior to any real world implementation.

Ultimately, I don’t think I can support a proposal this vague, either. For something like this I think we need a lot more objective language and a lot more specifics and details. We must make policies easy to comply with, and at all costs avoid vagueness which may allow for anything less than completely fair and objective enforcement - regardless of how simple the concept may seem to us on the outset.

Take care,
Matt

Hi,
(please see inline)

(...)

As far as expanding roles goes... Over the past few decades, we've all watched as the internet became less and less "wild wild
west" and more and more controlled (sometimes centrally, sometimes in a more or less decentralized way) by various organizations
and entities. In various and sundry ways, bad actors could get away with plenty of things in 1990 that they cannot so easily
today. It may be the case that this problem will be "solved" in some way by someone, but that "someone" may end up being a less
engaged community or a less democratic organization than ARIN is. Ultimately, ARIN does a better job than some other internet
governance bodies of promoting stakeholder and community interaction and some degree of democracy. We have to consider the
question: if some organization is going to expand into this role, is it better that ARIN be the organization to do so instead of
one which may be ultimately less democratic and more problematic?

Good point. The same goes for RIPE NCC, LACNIC, AFRINIC and APNIC...

One major problem with the proposal, having given it a couple of minutes thought, that I can see as of now would be enforcement
being dependent on knowing whom the perpetrator is. If I decide to announce to some other networks some IP space owned by
Carlos, but I prepend Bill's ASN to my announcement, how does Carlos know that I'm the bad actor and not Bill? Having good
communication between network operators to determine where the issue actually lies is critical. Unfortunately, that doesn't
always happen. When we talk about leveraging ARIN's authority or potentially applying penalties of any sort to bad behavior, we
have to be able to be certain whom the bad actor is so that the penalties are not inappropriately applied to an uninvolved or
innocent third party.

There are various sources of public routing data. But yes, sharing more routing views will increase the capacity to look at cases...

An uninvolved innocent third party should be able to show it was uninvolved (either by pointing out to public routing data, or by providing their own routing views if needed...)

In any case, if there is reasonable doubt, a case should always be dismissed.

Additionally, a question of scope does arise with regard to which resources ARIN would be able to enforce any such policy with
regard to. Indeed, the proposal as written currently calls for a "pool of worldwide experts" despite being a proposal submitted
to an RIR which is explicitly not worldwide in scope. For example, if a network with an ASN assigned by ARIN is "hijacking"
address space that is allocated by APNIC (or any other RIR) to an entity outside of ARIN's region, would this be an issue for
ARIN to consider? What if ARIN-registered address space is being "hijacked" by an entity with a RIPE ASN and which is not
located within ARIN territory? I suspect that for this proposal to have any meaningful enforcement mechanisms, it would require
inter-RIR cooperation on enforcement, and that's a very large can of worms. Not one that is impossible to overcome, but likely
one which will require several years of scrutiny, discussion, and negotiation prior to any real world implementation.

Yes, this needs to be in place in every RIR to maximize efectiveness.

The idea of a "pool of worldwide experts" was to allow any RIR to use people from the same (larger) pool.

Ultimately, I don't think I can support a proposal this vague, either. For something like this I think we need a lot more
objective language and a lot more specifics and details. We must make policies easy to comply with, and at all costs avoid
vagueness which may allow for anything less than completely fair and objective enforcement - regardless of how simple the
concept may seem to us on the outset.

Your comment in pretty much inline with some comments opposing version 1.0 in RIPE. Hopefully version 2.0 will be published next week. And it's a bit more "extensive" regarding details... :slight_smile:

Regards,
Carlos

A couple of things spring to mind here now that I’ve given this a few more minutes’ thought. I agree with your reasoning as to why it makes sense for this to be considered in scope for ARIN.

As far as expanding roles goes… Over the past few decades, we’ve all watched as the internet became less and less “wild wild west” and more and more controlled (sometimes centrally, sometimes in a more or less decentralized way) by various organizations and entities. In various and sundry ways, bad actors could get away with plenty of things in 1990 that they cannot so easily today. It may be the case that this problem will be “solved” in some way by someone, but that “someone” may end up being a less engaged community or a less democratic organization than ARIN is. Ultimately, ARIN does a better job than some other internet governance bodies of promoting stakeholder and community interaction and some degree of democracy. We have to consider the question: if some organization is going to expand into this role, is it better that ARIN be the organization to do so instead of one which may be ultimately less democratic and more problematic?

Exactly, one of our thoughts (as co-authors) is: if we do nothing, some other governmental bodies will take care of it, even courts, taking irrational judgments.

One major problem with the proposal, having given it a couple of minutes thought, that I can see as of now would be enforcement being dependent on knowing whom the perpetrator is. If I decide to announce to some other networks some IP space owned by Carlos, but I prepend Bill’s ASN to my announcement, how does Carlos know that I’m the bad actor and not Bill? Having good communication between network operators to determine where the issue actually lies is critical. Unfortunately, that doesn’t always happen. When we talk about leveraging ARIN’s authority or potentially applying penalties of any sort to bad behavior, we have to be able to be certain whom the bad actor is so that the penalties are not inappropriately applied to an uninvolved or innocent third party.

The proposal is “guarantor”, or at least that’s our intent. Is not ARIN taking the decision, is the community by means of experts. We have improved it in the v2 that will be posted in a matter of days in RIPE, but we can’t improve it in ARIN because simply discussing it is not allowed by the AC decision.

One thing to clarify, is that the policy is basically saying something that is written in all the RIRs documents: “if you get resources from us, you have the exclusive right to use them or your authorized customers”.

Now if another ARIN member is misusing your resources (not by an operational mistake, but repeatedly), ARIN is not going to do anything about it?

In any membership association, members are bound to the rules (policies in the case of RIRs), and members can’t act against the rights of OTHER members. If you don’t follow the rules, you can get a warning, or even lose your membership. If you go to courts because you lost your membership, courts will confirm “you have not followed the rules, so the association has the right to get you out”.

Is not a problem or ARIN becoming the “routing police”. This has been completely misunderstood by the AC. Is about ARIN making sure that the rights of the members are respected by other members.

And again, it must be clear that it is intentional, not a mistake, not fat fingers.

Without clear rules, other members can do whatever they want with resources allocated to another member.

Additionally, a question of scope does arise with regard to which resources ARIN would be able to enforce any such policy with regard to. Indeed, the proposal as written currently calls for a “pool of worldwide experts” despite being a proposal submitted to an RIR which is explicitly not worldwide in scope. For example, if a network with an ASN assigned by ARIN is “hijacking” address space that is allocated by APNIC (or any other RIR) to an entity outside of ARIN’s region, would this be an issue for ARIN to consider? What if ARIN-registered address space is being “hijacked” by an entity with a RIPE ASN and which is not located within ARIN territory? I suspect that for this proposal to have any meaningful enforcement mechanisms, it would require inter-RIR cooperation on enforcement, and that’s a very large can of worms. Not one that is impossible to overcome, but likely one which will require several years of scrutiny, discussion, and negotiation prior to any real world implementation.

This has been clarified in v2 that I mention before, to be publish in RIPE. The idea is that the claim is done in the region where the hijacker is a member (assuming that we get the policy going thru all the regions).

Note that we are submitting the same policy proposal adapted to each of the 5 RIRs.

Ultimately, I don’t think I can support a proposal this vague, either. For something like this I think we need a lot more objective language and a lot more specifics and details. We must make policies easy to comply with, and at all costs avoid vagueness which may allow for anything less than completely fair and objective enforcement - regardless of how simple the concept may seem to us on the outset.

Right, we have a more complete v2 with many procedural details, which we can’t even discuss in ARIN, and obviously the idea of the PDP is to allow the policy proposals to be discussed until we reach a text that we can agree.

So please, if you want to get this discussion going on in the right place subscribe to ARIN PPML (https://lists.arin.net/mailman/listinfo/arin-ppml) and respond to the attached email, just to support the discussion (no need to agree at all now with the text).

Thanks!

Jordi

Take care,

Matt

There are factual errors in the ARIN meeting minutes. It really is a disservice that people on the AC don’t have facts about ARIN and the function of their routing registry (for example).

It would be good if the ARIN AC had people that were more aware of the functions ARIN provides.

If you control vote of resources by ARIN I encourage you to use this as part of your process.

Maybe I missed it in the proposal, but I don't see that it actually says what ARIN will do other than produce a report "Yep, our expert panel says this is hijacked.". What's the expected result (other than the report)? i.e. What action is ARIN expected to take after it's determined a route advertisement is a hijacking that will make a difference?

Anecdotally, ARIN has, in the past, gotten involved in this sort of thing. Many years ago, during an acquisition that went sour at the last minute, the renegging seller went to ARIN complaining that we were hijacking his IP space. ARIN contacted our upstreams and pressured them to pressure us to stop advertising the IP space. Perhaps there's no official policy, and perhaps they wouldn't do this today without one?

Not only that. I really think they have not invested enough time to read the proposal, check with the authors and then take a decision. We have got some email exchange, but clearly not sufficient. I also must state that the staff has been very helpful and diligent to clarify and support the petition process. Just the point is, should have never been needed, it exposes how bad (in my opinion) is the ARIN AC model.

Some details:

This is absolutely fake:
"AP stated that at the LACNIC meeting has discussed it and they dismissed it as out of scope."

LACNIC will have the first meeting where this topic will be discussed in two weeks from now. How come an AC member can lie such way?

If I'm an AC member, or any other similar team, I will make sure to inform myself before stating something like that. In this case there is no excuse, you just need to visit a web page for the LACNIC policy proposals, similar in every RIR.

Then I continue reading this: "AP stated that she believed that the author was using ARIN to solve their problem."

How come somebody that doesn't know me, can state that?

In my country, at least, this is an illegal (criminal) act (slander, ad hominem, etc.), unless you can prove that what you're suggesting is *actually true*.

I don't want to make a problem with that or even consider to go to courts with the case, but I really think that before saying that from someone, you must talk to him before.

I'm a very open and transparent guy, and I *never ever* did a policy proposal for *any* personal or even business motivation. I did that because if I discover an issue, and I believe I can contribute to resolve it and it will be good for the community, I just go for it. Even in several occasions my own proposal has been ***against*** my personal point of view and when I presented those policies I *clearly* stated that (for example when I was presenting policy proposals in all the 5 RIRs for IPv6 PI and I can find the videos if somebody doubt what I'm saying).

And by the way, I'm not new on this. A month ago, during the IETF meeting in Prague, somebody asked me how many proposals I've submitted to all the RIRs (since my first one around 2003 or so). I didn't know, no idea at all, so I decided to count them, and then I discovered that I authored over 75 (a few of them with other co-authors). And this isn't including an average of 3-4 versions of each one, or many other documents in IETF (and the "n" number of versions of each one as well).

I do this at the cost of my own personal pocket for traveling to the RIR meetings, I contribute as much as I can with tutorials, workshops, presentations, all kind of documents, articles, sharing my *own* time. So, reading that is really exasperating and frustrating.

And just to be clear, let me state that I don't have anything against anyone in the AC or ARIN. In fact, I've been always convinced that the AC model for the PDP in ARIN is a bad one, and this is demonstrating that. Authors and comminity lose the control on a policy proposal at some point (and in this case is even rejected before starting).

Speaking in general, even if a proposal don't reach consensus, I'm sure any open discussion is always very productive and can bring new ideas, or new approaches to the problem.

In the Internet RIRs system, I don't think we need a kind of "representative democracy". The community is able to use, in any of the 5 RIRs, a very simple process to work on achieving (or not) consensus in policy proposals: a mailing list.

Regards,
Jordi

El 26/4/19 22:35, "NANOG en nombre de Jared Mauch" <nanog-bounces@nanog.org en nombre de jared@puck.nether.net> escribió:

    There are factual errors in the ARIN meeting minutes. It really is a disservice that people on the AC don’t have facts about ARIN and the function of their routing registry (for example).
    
    It would be good if the ARIN AC had people that were more aware of the functions ARIN provides.
    
    If you control vote of resources by ARIN I encourage you to use this as part of your process.

I would argue that action without an explicit official policy that outlines the circumstances under which what action is taken is just asking for awkward situations to arise.

  • Matt

The intent is to clearly state that this is a violation of the policies.

The membership documents/bylaws or the RSA, your account may be closed. I looked at it when adapting the policy from RIPE to ARIN, don't have this information right in my mind, but I'm sure it was there.

Otherwise, if needed another policy should state something like "if you keep violating policies" this and that may happen. This should be something generic for *any* policy violation not in general. We have this in RIPE and LACNIC, and I'm also convinced that in APNIC and AFRINIC (still working on those versions).

Regards,
Jordi

El 26/4/19 23:41, "NANOG en nombre de Jon Lewis" <nanog-bounces@nanog.org en nombre de jlewis@lewis.org> escribió:

    > Can you (or someone else on the list, perhaps even someone who was involved in voting this down) provide some more details as to why it was rejected?
    >
    >
    > Hi Matt,
    >
    > As I understand it (someone with better knowledge feel free to correct me) the proposal was ruled out of scope for ARIN because ARIN registers numbers, it doesn't
    > decide how they're allowed to be routed. ISPs do that.
    >
    > I personally support the petition. I think the out of scope reasoning is flawed. By enforcing minimum assignment sizes, ARIN has long acted as a gatekeeper to the
    > routing system, controlling who can and can not participate. For better or worse, that puts the proposal in scope.
    >
    > I personally think it's for worse. I oppose the proposal itself. I'd just as soon ARIN not act as a gatekeeper to BGP and certain don't want to see it expand that
    > role.
    
    Maybe I missed it in the proposal, but I don't see that it actually says
    what ARIN will do other than produce a report "Yep, our expert panel says
    this is hijacked.". What's the expected result (other than the report)?
    i.e. What action is ARIN expected to take after it's determined a route
    advertisement is a hijacking that will make a difference?
    
    Anecdotally, ARIN has, in the past, gotten involved in this sort of thing.
    Many years ago, during an acquisition that went sour at the last minute,
    the renegging seller went to ARIN complaining that we were hijacking his
    IP space. ARIN contacted our upstreams and pressured them to pressure us
    to stop advertising the IP space. Perhaps there's no official policy, and
    perhaps they wouldn't do this today without one?

By the way, even if ARIN (or the community) decides to do *nothing* in case of a policy violation, clearly the victim will have a better situation to defend the case in courts, and not rely in the judgement of inexperienced folks that will know nothing about what is an Internet Resource, BGP, etc., etc.

Regards,
Jordi

El 27/4/19 0:03, "NANOG en nombre de JORDI PALET MARTINEZ via NANOG" <nanog-bounces@nanog.org en nombre de nanog@nanog.org> escribió:

    The intent is to clearly state that this is a violation of the policies.
    
    The membership documents/bylaws or the RSA, your account may be closed. I looked at it when adapting the policy from RIPE to ARIN, don't have this information right in my mind, but I'm sure it was there.
    
    Otherwise, if needed another policy should state something like "if you keep violating policies" this and that may happen. This should be something generic for *any* policy violation not in general. We have this in RIPE and LACNIC, and I'm also convinced that in APNIC and AFRINIC (still working on those versions).
    
    Regards,
    Jordi
     
    El 26/4/19 23:41, "NANOG en nombre de Jon Lewis" <nanog-bounces@nanog.org en nombre de jlewis@lewis.org> escribió:
    
        > Can you (or someone else on the list, perhaps even someone who was involved in voting this down) provide some more details as to why it was rejected?
        >
        >
        > Hi Matt,
        >
        > As I understand it (someone with better knowledge feel free to correct me) the proposal was ruled out of scope for ARIN because ARIN registers numbers, it doesn't
        > decide how they're allowed to be routed. ISPs do that.
        >
        > I personally support the petition. I think the out of scope reasoning is flawed. By enforcing minimum assignment sizes, ARIN has long acted as a gatekeeper to the
        > routing system, controlling who can and can not participate. For better or worse, that puts the proposal in scope.
        >
        > I personally think it's for worse. I oppose the proposal itself. I'd just as soon ARIN not act as a gatekeeper to BGP and certain don't want to see it expand that
        > role.
        
        Maybe I missed it in the proposal, but I don't see that it actually says
        what ARIN will do other than produce a report "Yep, our expert panel says
        this is hijacked.". What's the expected result (other than the report)?
        i.e. What action is ARIN expected to take after it's determined a route
        advertisement is a hijacking that will make a difference?
        
        Anecdotally, ARIN has, in the past, gotten involved in this sort of thing.
        Many years ago, during an acquisition that went sour at the last minute,
        the renegging seller went to ARIN complaining that we were hijacking his
        IP space. ARIN contacted our upstreams and pressured them to pressure us
        to stop advertising the IP space. Perhaps there's no official policy, and
        perhaps they wouldn't do this today without one?

Not swip'ing your IPs is also a violation of the agreement, but until you go back to ARIN for more IPs (opps, they're out), that's not an issue. I see this policy as pointless as written because it doesn't say that ARIN will take any action other than publishing an opinion. I think you're also assuming there's a pool of experts standing by willing to investigate every alleged hijacking (for free?). Maybe there are. If there aren't, or once they get tired of investigating allegations, what then?

A policy proposal typically is not perfect when submitted.

However, not having the discussion, doesn't allow to improve it and maybe then, reach consensus.

It may happen that the end of the discussion is, instead of a group of experts, we need something different, or may be a compensation for them is needed, or instead of a complex policy we need a simple one, in the line of:
"The resources are allocated for the exclusive use of the recipient. Consequently, other members can't use them (unless authorized by the legitimate resource-holder) and not following this rule is a policy violation".

El 27/4/19 0:08, "Jon Lewis" <jlewis@lewis.org> escribió:

    > The intent is to clearly state that this is a violation of the policies.
    >
    > The membership documents/bylaws or the RSA, your account may be closed.
    > I looked at it when adapting the policy from RIPE to ARIN, don't have
    > this information right in my mind, but I'm sure it was there.
    >
    > Otherwise, if needed another policy should state something like "if you
    > keep violating policies" this and that may happen. This should be
    > something generic for *any* policy violation not in general. We have
    > this in RIPE and LACNIC, and I'm also convinced that in APNIC and
    > AFRINIC (still working on those versions).
    
    Not swip'ing your IPs is also a violation of the agreement, but until you
    go back to ARIN for more IPs (opps, they're out), that's not an issue. I
    see this policy as pointless as written because it doesn't say that ARIN
    will take any action other than publishing an opinion. I think you're
    also assuming there's a pool of experts standing by willing to investigate
    every alleged hijacking (for free?). Maybe there are. If there aren't,
    or once they get tired of investigating allegations, what then?

Tough question! If the author’s petition succeeds so he’s not cut off at the knees by the Advisory Council’s out-of-scope ruling, I’ll look forward to hearing how he answers.

Regards,
Bill Herrin

RSA (https://www.arin.net/about/corporate/agreements/rsa.pdf) clearly state that the services are subject to the terms and conditions stated in the policy manual.

There is explicit text in case of lack of payment. Not so clear what to do if there is a policy violation, but it looks like at a minimum, you will not get further services neither further resources.

Bylaws (https://www.arin.net/about/corporate/bylaws/#bylaws-of-american-registry-for-internet-numbers-ltd) don’t explicitly talk about the obligations of members. This may be related to US law, that you don’t need to explicitly say that behavior against other members is forbidden. In some countries, it is evident that if a member of an association is not following the rules (policies) or is acting against the rights of other members, it can be expelled.

As I said before, we may need another policy proposal to stated what to do.

Why a different policy proposal? Because the same policy section must be related to other policy violations (may be with warnings in case of policy violations and resource recovery only in extreme cases or repetitive misbehavior – this is the case in RIPE), if that’s not clear already in the bylaws, US laws, or RSA.

For me, it is obvious that an association MUST protect members about any misbehavior of other members.

Regards,

Jordi

I’m not going to go in depth on the above comments. I’ve received at least one off-list inquiry and I’ll also assume no explicit malice here, but as you point out, it doesn’t smell tide fresh :slight_smile:

The linked AC minutes page does say "These minutes are DRAFT. They have been reviewed by the ARIN Advisory Council prior to posting. These minutes will remain draft until they are reviewed and approved by the ARIN Advisory Council at their next regularly scheduled meeting.”

I have pointed out another area that I consider suspect off-list, I will set a calendar item to watch for new minutes to see if they are approved with revisions. Hopefully there’s misunderstandings here, but I’m also not confident as much of the conversation seems to have a disjoint with operational realities. (This isn’t anything new with ARIN btw, they’ve long been concerned about interacting with systems that are operational as doing that may mean staffing for on call or other functions).

I’m hoping to see some updates/corrections to the text, so taking a snapshot may be useful to watch for the corrections to the draft minutes.

I’m also debating if I spend the weekend with family or pinging everyone I know on the AC (which is more than one) about these issues. Either way, I’ll pick this up “soon” on my side.

I do consider that abuse of ARIN allocated resources (coke/pepsi for numbering or other integers for AS4_PATH) something that ARIN can efforts to enforce revocation in the case of violation of the RSA.

- Jared

I personally support the petition. I think the out of scope reasoning is flawed. By enforcing minimum assignment sizes, ARIN has long acted as a gatekeeper to the routing system, controlling who can and can not participate. For better or worse, that puts the proposal in scope.

Speaking only for myself and not as a representative of the ARIN AC…

I believe this is a distortion of the realities of the situation and of the history.

ARIN actually led the charge to lengthen the maximum IPv6 prefix accepted by ISPs (from /32 all the way to /48).

ARIN prefix size limits have almost always been equal to or longer than those accepted by a majority of providers on the internet and in almost all cases where those limits changed, ARIN changed first, with providers changing as a result of the pressure that created.

As to how those were decided within the ARIN process, please note that it was community consensus that drove those changes (and resisted them in the earlier days). Nonetheless, the reason for having those limits had to do with how ARIN was managing the resources on behalf of the community. Any impact or lack thereof on the routing table was a secondary effect. The policy was in scope because it affected how ARIN managed the registry.

The current proposal doesn’t actually affect any action ARIN takes in managing the registry. It attempts to expand the scope of ARIN’s mission to include some vague form of policing routing. It doesn’t provide any real information about how this new mission should be accomplished, nor does it take into account the fact that since ARIN controls only a small handful of routers, it has little to no ability to make any decisive or useful action in this regard. It seems to assume that those hijacking resources are ARIN members (or at least ARIN resource holders who signed an RSA subjecting them to ARIN policy).

It is utterly untested waters as to whether ARIN has any ability to take any action against a party that hasn’t got a contract with ARIN for violating the rights of a party that does have a contract with ARIN. To be useful, this policy would, IMHO, need to somehow empower ARIN to do that. I am not a lawyer, but I doubt such empowerment can come from anything short of regulation, thus certainly out of scope of ARIN policy.

I agree with Bill that such empowerment would not be a good thing anyway, so it’s not like I want to see that regulation come about, but until it does, I don’t see an in-scope effect from this proposal.

Owen