ARIN XIV Public Policy Meeting Minutes, Day 1 - 20 October 2004 [Archived]

Call to Order and Announcements

Speakers: John Curran, ARIN Chairman of the Board of Trustees;

Ray Plzak, ARIN President & CEO

Presentation (Read-only): PDF

John Curran opened the meeting and welcomed those in attendance. He then introduced Ray Plzak.

Ray began the first day of the ARIN XIV Public Policy Meeting at 09:00 EDT. He welcomed all those in attendance and made the following announcements:

• Thank you ARIN XIV sponsors - America Online and Time Warner Cable.
• ARIN XIV registrants represent 24 U.S. states, 5 Canadian provinces, and 12 countries. NANOG 32, held back-to-back with ARIN XIV, had approximately 600 attendees, with around 95 of them also attending ARIN XIV.
• 73 first-time ARIN attendees.

Ray introduced those present from the ARIN Board of Trustees, the ARIN Advisory Council, and the ICANN ASO Address Council. He also acknowledged those RIR colleagues in attendance. He introduced ARIN’s directors and described a change in ARIN’s internal organizational structure with the creation of a separate Director of Operations position. Previously, Richard Jimmerson had fulfilled the duties of this position as well as matters involving external relations. Currently, Richard is Director of External Relations, while Nate Davis is Director of Operations.

Ray ended his announcements with an overview of the meeting agenda and the printed materials given to each attendee.

John Curran then made an announcement regarding remote participation and provided details on the webcast of the Public Policy Meeting via RealNetworks by Merit and multicast provided by the University of Oregon, the third such live video broadcast of an ARIN meeting. John went on to discuss a new opportunity for remote participation, allowing individuals not in attendance to submit questions and comments to a moderator for inclusion in the discussion during question and answer periods.

Comments from remote participants included in the discussion are integrated into these meeting minutes.

At the beginning of the meeting there were approximately 130 people in attendance.

John Curran, as Chairman of the Board, moderated discussions throughout the day.

Internet Number Resource Status Report

Presenter: Leslie Nobile, ARIN Director of Registration Services

Presentation (Read-only): PDF

Leslie presented a joint RIR report on the current status of all IPv4, IPv6, and Autonomous System number resources as of September 30, 2004. This report is updated several times per year by the NRO and provides up-to-date statistics on rates of IPv4, IPv6, and AS number consumption.

Regional Policy Updates

Speaker: Einar Bohlin, ARIN Policy Analyst

Presentation (Read-only): PDF

Einar presented a summary of policy developments and discussions at the other RIRs. Common policy issues among the regions include:

• IANA policy proposal for allocation of IPv6 address space to the RIRs
• Changes in IPv6 policy within RIR regions
• Privacy of WHOIS data

RIR Updates

AFRINIC

Presenter: Adiel Akplogan, AFRINIC CEO

Presentation (Read-only): PDF

Adiel presented a report on recent activities in the AFRINIC region, including a look at its region and the environment in which it will operate and a summary of the activities leading to its current status. His report included updates on its transition to a fully recognized RIR, its organizational setup, outreach efforts, staffing, policy development, upcoming activities, and meetings.

Highlights:

• Project Manager appointed to CEO in May
• Offices setup in Pretoria and Mauritius; first staff hired.
• New website unveiled at http://www.afrinic.net.
• Started a transition plan with the 3 RIRs currently serving the continent.
• Held first AFRINIC meeting; included adoption of policies and election of new Board to replace interim Board.
• Established Board Working Groups and Committees.
• Participated in RIPE NCC and ARIN regional meetings in Africa.
• Sent to ICANN an AFRINIC Activities report letter written jointly with the NRO.
• Co-evaluation of resource requests between AFRINIC and RIRs began on September 1, 2004. So far, 100 requests from RIPE region, 7 from ARIN region, and 1 from APNIC region.
• The ICANN board, during its special meeting on September 30, 2004, granted AFRINIC provisional recognition as the fifth Regional Internet Registry.

Comments:

• After Adiel’s presentation, Ray Plzak spoke about the difficulty of tasks accomplished so far and led those in attendance in applause for AFRINIC’s efforts to date. He also called attention to the NRO’s work with AFRINIC, and noted that this has been a long partnership, starting with each RIR providing help and assistance, and now highlighted by coordinated activities within the NRO. This change to a coordinated effort has proven to be more effective and easier for AFRINIC to deal with. Ray noted that the NRO Executive Council has appointed a single overall coordinator of the activities of the RIRs related to AFRINIC. This position is filled by ARIN’s Director of External Relations, Richard Jimmerson. Ray added that everyone was looking forward to AFRINIC’s final recognition as an RIR sometime next year.

APNIC

Presenter: Son Tran, APNIC Resource Services Manager

Presentation (Read-only): PDF

Son presented a report on activities in the APNIC region. His report included membership statistics, current services and activities, policy updates, and future APNIC meetings.

Highlights:

• ERX transfers nearly complete.
• MyAPNIC version 1.4 release at the end of September; over 60% of APNIC’s members have signed up for the members-only web portal.
• Over 30 training courses held throughout the region so far in 2004.
• Completed 3rd member and stakeholder survey.
• Implemented 4 policies in September 2004; will implement 2 policies in December 2004; 4 policies gained consensus at APNIC 18.
• APNIC 19 will be held in Kyoto, Japan February 16-25, 2005.

Comments:

• Bill Darte, of the ARIN AC, asked what APNIC’s experience in the recovery of unused space was, including the definition of “unused,” and what processes were being followed. Son replied that the policy in question had yet to be implemented, but that APNIC would be looking for space that had not been used in at least 3 years. Upon identification of such space, the appropriate contacts would be sent a notice asking if they want to continue to use it or if they’d like to return it. If no response is made after repeated contacts, the addresses would be put in a temporary pool for one year before being used for new allocations.

LACNIC

Presented during the Members Meeting.

RIPE NCC

Presenter: Axel Pawlik, RIPE NCC Managing Director

Presentation (Read-only): PDF

Axel presented a report on activities in the RIPE NCC region. His report included updates on policy, registration services, membership, training, and RIR coordination.

Highlights:

• Continued trend to very large IPv6 requests within RIPE region; necessitated creating understanding with IANA.
• Began co-evaluation of requests within future AFRINIC region.
• Working towards early prototype of CRISP.
• Fifth and sixth anycast k root servers deployed, and have begun implementation of IPv6 with k root server in Amsterdam.
• On course for 65 training courses in 2004.
• Held regional meetings in Moscow (June) and Nairobi (July). Will continue into 2005, but format likely to change.
• Redesign of website complete.
• During last General Meeting, membership approved changes to charging scheme, reduction of fees.
• In 2005, RIPE will experiment with only two meetings per year, working group and meeting format changes.
• RIPE currently serving as secretariat of ASO, RIRs, and NRO. LACNIC will take over these duties next year.
• RIPE 50 will take place in Stockholm, Sweden, May 2-6, 2005.

Number Resource Organization (NRO) Update

Presenter: Ray Plzak, ARIN CEO

Presentation (Read-only): PDF

Ray began by providing a background of why the NRO was formed, an overview of its structure, and details of its recent activities.

Highlights:

• The NRO is comprised of an Executive Council, a Numbers Council, and a Secretariat. The Secretariat role is filled on a revolving yearly schedule by one of the RIRs.
• Support for the Executive Council is provided by Communications and Engineering Coordination groups.
• The NRO has three main activity areas: ICANN support, engineering coordination, and outreach.
• RIR coordination within the NRO has paid off in benefits in a number of areas, including providing assistance to AFRINIC, engineering development related to ERX, and the Executive Council providing better communication between RIRs.
• Information about the NRO can be found on its website at http://www.nro.net.

Questions/Responses/Clarifications:

• Mark McFadden, current Chair of the ASO AC, asked Ray if he would like to also mention the NRO funding provided to the ITU. Ray responded that funding was not provided to the ITU. The NRO did provide funding assistance to the operation of the Secretariat of the Working Group on Internet Governance (WGIG), which is part of the World Summit on the Information Society (WSIS). Ray added that the WSIS would be discussed later in the agenda.

ICANN Address Supporting Organization Address Council (ASO AC) Update

Speaker: Louis Lee, ASO AC Member

Presentation (Read-only): PDF

Louis began his presentation by expressing thanks to ARIN for its support of ASO AC activities. He provided an explanation of how the ASO fits into the structure of ICANN, an overview of its duties and activities, and a listing of its members.

Highlights:

• ASO AC reviews global Internet resource policies that apply across RIR regions, and provides recommendations to the ICANN Board.
• While three members of the ASO AC are elected from each RIR region, it does not represent the RIRs directly.
• ASO General Assembly was held in May 2004 in Amsterdam. It featured discussions about the ASO MoU, the NRO, and a presentation from Doug Barton, General Manager of IANA, on the functions of IANA and how it interacts with the RIRs. Complete minutes are available at http://www.aso.icann.org/.
• Currently an election underway within the ARIN region to fill the seat of Eric Decker, whose term expires at the end of this year.

Questions/Responses/Clarifications:

• An audience member asked for clarification on point 5 of the slide titled “Agenda September AC meeting,” and its reference to a Global Policy Document. Louis responded that this referred to Global Addressing Policy ASO-001-2, dealing with allocation of IPv4 address space by IANA to the RIRs. He added that this has been approved in all RIR regions, endorsed and submitted by the NRO, and the ASO AC will now pass it along to the ICANN Board for approval. A policy related to how IANA allocates IPv6 to the RIRs is currently under discussion within the RIR regions, and ICANN encourages all who are interested to participate.

Internet Corporation For Assigned Names and Numbers (ICANN) Presentation

Presenter: Dr. Paul Twomey, ICANN CEO

Presentation (Read-only): PDF

Paul’s presentation on ICANN focused on the challenges of international technical coordination, ICANN’s achievements since its meeting in Rome, and its ongoing work.

Highlights:

• Idea of “Internet Governance” is really about international technical coordination, founded on the basis of bottom-up direction from the communities involved.
• ICANN’s At-Large Committee is in the process of bringing in representatives of consumers from around the world to better reflect the balance of supply and demand for Internet resources.
• ICANN is pleased to be signing the ASO MoU tomorrow. We need to be pragmatic about implementation, particularly related to processes, and learn from experiences ahead.
• AFRINIC was given provisional recognition in September, and ICANN is committed to playing its role in helping it to become a fully operational RIR.
• In July, ICANN moved to put IPv6 glue in the root, which is a significant milestone. The request to do this came from the ccTLD managers, and then the Root Server System Advisory Committee reviewed it and provided technical recommendations which were implemented after public consultation with the community.
• Formation of the country code Name Support Organization (ccNSO) is complete and it has over 40 members.
• Looking at the final procedures for designating the subsequent .net registry. The procedures have been posted and the RFP will be posted soon. The process should be completed by July 1, 2005.
• The Governmental Advisory Committee (GAC) now has 100 country members and 5 inter-governmental organizations as observers. There has been increased participation from Africa and South Asia.
• ICANN is in the final stages for completing an MoU with the U.S. Department of Commerce and is ahead of schedule on all of the objectives of the MoU. Part of this includes contingency planning for technical and business failures of ICANN to ensure core and necessary functions are carried out.
• ICANN has created an ombudsman position to provide an avenue of review for ICANN decisions.

Questions/Responses/Clarifications:

• A question was raised about the scope of contingency planning. Paul replied that this applied only to ICANN, and not to the registries or their members and customers.

ASO AC Election Process

Speaker: Megan Kruse, ARIN Communication Specialist

Presentation (Read-only): PDF

Megan provided information on the election process of the ARIN region’s representative to the ASO AC for a three-year term to fill the seat currently held by Eric Decker. She provided a listing of the candidates, and noted the biographies and statements of support for the candidates are available on ARIN’s website, as well as a hard copy in the folder given to meeting attendees. She concluded her presentation with an explanation of the two methods of voting available; ARIN General Members in good standing have been able to vote online for the past week, and all attendees of ARIN XIV can vote at http://onsite.arin.net . Each individual is only allowed one vote.

ASO AC Candidate
Ray Plzak introduced the candidates for the ASO AC, displaying the candidate’s statement describing their activities within the ARIN region. Candidates present at the meeting were given an opportunity to speak.

• Sherrod DeGrippo - not present, biography presented
• Sanford George - present, introduced himself and offered a statement on his qualifications
• Kyle Hamilton - not present, biography presented
• Martin Hannigan - present, introduced himself and offered a statement on his qualifications
• Thomas Simes - not present, biography presented

For each candidate, Ray highlighted the URL to more detailed biographical information and statements of support and asked that the meeting attendees review this information before voting.

Number Resource Policy Manual (NRPM)

Speaker: Einar Bohlin, ARIN Policy Analyst

Presentation (Read-only): PDF

Einar provided information on the reasons behind the creation of a single document for ARIN policy, and presented background information on how the document was created, reviewed, and published.

The NRPM is available on the ARIN website at http://www.arin.net/policy/.

Highlights:

• Existing policies were compiled into a single document which is numbered and indexed in order to provide better accountability, change tracking, and usability to the community.
• Document was compiled by ARIN staff and was subsequently reviewed by the Advisory Council. It was then presented to the Board of Trustees for approval. After receiving approval from the Board, ARIN staff published the document on the ARIN website on October 15, 2004.
• As part of the NRPM, a change log has been included to track policy updates. A complete copy of the document will be archived with each change to provide an historical reference.

General Comments:

• Bill Darte, of the ARIN AC, commended Einar and the ARIN staff for a job well done.
• Ray Plzak concluded the presentation by encouraging everyone to read this document, and to compare it to the previous policy statements. He went on to add that feedback of an editorial nature was welcome and also thanked Einar for his good work.

Internet Resource Policy Evaluation Process (IRPEP)

Speaker: Einar Bohlin, ARIN Policy Analyst

Presentation (Read-only): PDF

Einar began his presentation with a list of policy development principles reflected in ARIN’s policy development process. He provided an overview of the policy development cycle, and pointed out the milestones and potential paths between a proposal being submitted and staff implementation. Recent additions include staff implementation and legal analysis prior to discussion at the ARIN meetings.

General Comments:

• Scott Bradner, Secretary of the Board, pointed out in clarification that in addition to the Board’s ability to ratify a policy, it may also evaluate a policy proposal relative to ARIN’s liability or for clarity and send it back to the Advisory Council.

Report from Policy Proposal BoF

Presenter: Einar Bohlin, ARIN Policy Analyst

Presentation (Read-only): PDF

Einar presented a summary of discussions at the ARIN XIV Policy Proposal BoF. No new policy proposals were discussed, but one presenter announced that an idea for a proposal brought forward at the previous BoF was not worth pursuing after additional research. Other topics of discussion included ARIN’s policy evaluation process, the harmonization of policies among the RIRs, and the roles of the RIRs and the ASO AC as related to “global” policy.

A Comprehensive Proposal for WHOIS Data

Presenter: Leo Bicknell

Presentation (Read-only): PDF

Leo began his presentation by clarifying that this proposal is his own work and was not done on behalf of the ARIN Advisory Council. He explained that previous versions of this proposal had been included in the ARIN newsletter, and that current copies were available in the materials given to ARIN XIV attendees. The proposal was written before the creation and implementation of the NRPM, so the specific proposed language has not yet been modified to fit into this document, but that work would be completed later. He added that this is not yet a policy proposal, but the purpose of this presentation was to solicit feedback in order to move forward with a proposal for the next meeting.

Highlights:

• The problem this attempts to address is that in relation to WHOIS, many policies have been proposed, but because of the scope of the issues involved, they have usually failed as each proposal did not fully address all of the issues. This proposal aims to combine many of the suggested proposals and some additional ideas to cohesively address how WHOIS at ARIN is used.
• The objectives of this proposal are a balancing of the needs of WHOIS stakeholders, a focus on data of “high value,” and the inclusion of an enforcement option and detailed definitions.
• Feedback so far has been very limited.

General Comments:

• As things have changed over the years, the definition of the purpose and scope of WHOIS needs to be addressed before many of the other ideas outlined in this proposal. For example, the question of purpose is two-fold. One is to allow people to find the holder of a particular set of IP addresses. The second is an open auditing mechanism to make sure that ARIN doesn’t show any favoritism to any ISP. If this is true, it needs to be added and expressly stated that this is the purpose of WHOIS. There needs to be a balance for privacy concerns, but by defining the purpose, it really helps to define the scope of WHOIS. In addition, the CRISP protocol is coming, and any policy needs to address that as well. We need to break this down into little chunks, so that they can be dealt with and the ramifications of one change be reflected in others. We need to focus on the public database portion, and not the private information ARIN holds internally. The NRO should take a look at this in terms of consistent policies across all RIRs.
• If membership is going to define what is public and private information, then it’s a possibility that these definitions could change from year to year. So there needs to be some recognition that information that was handed over as being confidential isn’t later reclassified as being publicly available.
• I used WHOIS primarily until six months ago. I got away from it as it was too difficult to keep information up to date on WHOIS via SWIPs. Keeping up to date with my company’s customers is difficult enough without having to then update the information they have displayed in WHOIS. I would approach ARIN to change a downstream’s contact information, but would be told I couldn’t because I wasn’t the primary person and that I couldn’t change another company’s information. Our company is now doing RWhois with all of our regular reassignments and the only thing that goes through WHOIS is the allocation part of our assignment. However, I do think it is important to have that information in there, and that downstreams be the first to deal with abuse complaints pertaining to their block. Putting the responsibility on the ISP would be a costly burden for smaller providers, as we simply don’t have the funds to create an abuse department big enough to handle all that. If someone can’t contact one of our downstreams, I have no problem with us handling those issues. However, 95% percent of the issues seem to be handled just fine by our downstreams.
• In terms of the balance of the use of WHOIS against privacy laws in the U.S., Canada, and other countries, I believe at some point we’ll come to the least common denominator, which for a lot of people is unacceptable, despite the legal requirements. In thinking about this, it would probably help for those that think they need this data to give some thought that in doing this with an organization that spans multiple countries and jurisdictions while not breaking any laws, you may not get everything you want.
• We need to be cognizant when discussing private information if we’re talking about residential private use or business applications.

Statements For and Against:

• The proposal needs to address the procedures for enforcement and reclamation, taking into consideration payment history and how far apart in time the contact attempts are made.
• The efforts with the NRPM notwithstanding, there are still a lot of various WHOIS policies and nothing there to coalesce them into one. I think Leo has done a great job of putting together a framework we can use. In regards to dealing with these in small chunks or one big one, I believe a number of the issues can be dealt with together, and breaking them apart would just cause more problems than it solves. The issue of WHOIS and CRISP can be dealt with independently of this proposal, though the issue of reclamation is a big enough issue that it may need to be considered separately. I also agree that ARIN customers should be able to specify which of their customers’ data is going to appear in the public database. Overall, I think this is something we really ought to look into moving forward.
• I think it’s a good idea to have a unified policy, though I also agree that the inclusion of an enforcement option may make this too difficult to pass, and that maybe enforcement should be addressed by a separate policy. I also support the idea of the upstreams determining what data is public.
• This proposal looks like the first one that comes close to being compatible with Canadian law. I think the fact that it allows those who have received allocations from ARIN to choose to publish or not publish their reallocations would allow Canadian ISPs to pass that decision down to their customers and that would encourage Canadians to participate in this.
• Remote participant statement: I appreciate Leo’s hard work in preparing this document. What I see in this proposal is a separation of public and private data, with the majority of data going into the private part, which would only be available under strict conditions, such as not making the data public. I see this as a big problem for being able to use ARIN WHOIS data, and I believe it should not be so. We should have a majority of the information public in a way that is similar to how it is now, and we should keep the requirements for larger customers.
• I think this is a really good proposal; it’s forward looking, and while there seem to be a lot of smaller issues that will spark conversation, overall I like it and think it is definitely worthy of going forward.
• Leo’s done a great job of writing a good proposal that will get us closer to where we should be.

Questions/Responses/Clarifications:

• In response to issues brought up about the reclamation of space, Leo added that he could only come up with two ways to provide some sort of enforcement mechanism. The first was reclamation, and the second was a monetary fine. He asked that if anyone could come up with any additional mechanism or had feedback on either one of these approaches, he would like to hear it.
• Leo was asked if he had talked to ARIN Counsel about potential legal issues if information was no longer publicly available. He responded that he had only discussed the issue in general terms with ARIN Counsel and that it was mostly in regard to whether ARIN was willing to implement some sort of enforcement option from a legal standpoint. When this is a formal policy proposal, it will undergo legal review, as do all proposals.
• Leo asked that in terms of privacy laws, since we’d already heard about Canada’s, if there was anyone from AFRINIC or that region who had comments on how this would apply there. Gregory Massel, of DataPro in South Africa, responded that there is privacy legislation being drafted at the moment, but that he was unsure if current legislation addressed this. He added that the indications, from input provided and the draft work being done on the new legislation, are that it won’t be legal to publish information like this without the clients specifically saying they agree to it. Adiel Akplogan, AFRINIC CEO, added that the AFRINIC region is very particular in that there are many different countries with different laws and most at this time don’t have clear policy on private information being public. For the moment, AFRINIC is putting only public information online until we have clear consensus from our community.
• Lee Howard, Board of Trustees, as a point of clarification in response to an earlier statement about public and private databases, added that ARIN already has public and private databases. The Business department has a separate database from the Registration Services department, and so obviously that will need to continue for business and security reasons.

Policy Discussion Introduction

Speaker: Ray Plzak, ARIN CEO

As a preface to the forthcoming policy discussions, Ray made a few statements regarding Internet number resource policy at ARIN.

Highlights:

• ARIN staff does not make policy, propose policy, or participate in policy development discussions.
• As part of its role in implementing the policies the community creates, a staff impact analysis has been added to the policy development process to provide information to the community about each proposal.
• While the presenters of policy proposals at this meeting may be members of the Advisory Council, they are not necessarily the proposal authors. The presenters will indicate those policies where the source is actually ARIN staff. This is part of a process ARIN has started where policies that have been in effect for a period of time are analyzed for confusion, financial impact, and other operational issues. In other words, this is a post-implementation analysis. Information gleaned from this analysis is passed to the AC with suggestions on which areas may need to be addressed. The AC was in no way obligated to act on these recommendations. However, the AC did decide to take up the recommendations, and two of the proposals up for discussion at this meeting are the result of that post-implementation analysis.

Policy Proposal 2004-6: Privacy of Reassignment Information

Introduction: Einar Bohlin, ARIN Policy Analyst

Presentation (Read-only): PDF

• Template submitted - August 19, 2004
• Posted to PPML - September 9, 2004
• Staff impact analysis - October 4, 2004
• Legal review - October 7, 2004
• PPML Summary:
  • Discussion on PPML consisted of two posts against the proposal.

Presenter: Sanford George, ARIN AC

Sanford, on behalf of the ARIN AC, read the policy. This policy is similar to one that was implemented in the APNIC region in September, and that was part of the incentive to put this before the AC for consideration and discussion at this meeting.

General Comments:

• We need to separate the requirements for residential customers and business application customers, as the effects are different for each group. Residential customer privacy is fine, but when talking about businesses that will use their addresses for a business application, they need to be responsive to abuse complaints or it puts an unfair burden on the upstream. This can also lead to businesses selling “privacy” as a service. In fact, even though this hasn’t been passed yet, my company has already been approached by a large ISP to get IPs, but on the condition that it does “not want any trace of these IPs being used on our Internet service.” After we replied that under current policy it does have to be shown, the company said that it didn’t and that another company had already said it would do it. This kind of behavior would negatively affect small ISPs who can’t afford to increase investments in their abuse departments.
• Steve Ryan, ARIN Counsel, remarked that from a legal standpoint, removing the question of is this a good or bad policy, the allowance of choice in listing the information would allow upstreams to report information in a way that is consistent with any applicable local laws. Allowing the ability to choose is always consistent with law, regardless of jurisdiction.
• There is a similar policy in South Africa called the Electronic Communications and Transactions Act. Businesses doing online transactions that comply with parts of the act, even though it is not compulsory, are accorded a greater status in that they seem to be protecting customers. One of the suggestions in the act is that businesses give customers a choice as to whether their information is made public.
• Until we have a definition of scope and purpose for WHOIS, we’re going to get nowhere, because we’re all getting confused on what’s allowed and what’s not.
• Contacts should not be listed in WHOIS unless they are ready, willing, and able to be responsive to communications related to the operation of that address space.

Statements For and Against:

• I’m against this policy if it allows big retail customers to hide their information.
• Speaking from the perspective of someone with a Canadian ISP, this policy goes a long way towards protecting the information we are required to. It also gives us the ability to choose what information to make public, and I see that as a positive.
• I believe this policy goes too far and that it should perhaps be combined with the existing 2003-3 policy, 2004-7, and Leo’s proposal and synthesize something that would address all of this in regards to WHOIS. Otherwise we’ll just be chasing our tails with these individual, very specific proposals where one replaces the other and then is itself replaced and so on.
• I’m against the idea of hiding commercial data.

Questions/Responses/Clarifications:

• Can ARIN’s Counsel comment on whether the implementation of this proposal would relieve ARIN of any liability or other issues involving compliance with laws that exist in ARIN’s jurisdictions? Steve Ryan, ARIN Counsel, responded that he was unable to provide an answer at this time about Canadian ISPs and the possibility that current ARIN practices put them in non-compliance with Canadian law. If necessary, he added, he would consult with experts on Canadian law in respect to this issue.
• Can any individuals from Canadian ISPs provide a non-legal opinion on how current policy might go against Canadian law? Matt Pounsett, of the .CA Registry, replied that it was his opinion that since the Canadian privacy law has only been in effect since January, and its effects are still being determined, many Canadian ISPs might be in violation. He continued that he thought this proposal was a step in the right direction, but was not sure that upstream ISPs had any right to their customer’s personal information, so it still might not address all issues.
• How will this proposal integrate into current residential customer privacy policy? Specifically, will this require that information that is currently able to be hidden be given to ARIN and upstreams, or will it be possible to say this non-public information is also still restricted? It seems that it could be interpreted either way. Ray Plzak responded that the default would be for information not to be publicly displayed, though information would still be required to be given to ARIN to support an ISP’s utilization information. This is saying that just because you give utilization information, via SWIP for example, that does not necessarily mean it’s going to be displayed. Approximately 95 percent of the information in WHOIS is there because of utilization reporting requirements.
• For this proposal, what definition is being used for reassignment? Is it referring to SWIP, RWhois, simple reassignments, or all of the above? How will we denote what is public or private information? Einar Bohlin replied that it would apply to all reassignments, including SWIPs and those listed on a RWhois server.
• What is the argument in favor of hiding information about commercial entities? I can understand the value to individuals, but I can’t see the compelling reason to even consider this on the commercial side. An attendee replied with an example of a government embassy that might not want to draw attention to the fact that they are using certain addresses for security reasons. While not a commercial entity, it is an example. Another attendee offered the examples of a telecommuter and an apartment complex providing Internet access to its residents.
• Remote participant statement: On Canadian privacy policies, I understand that they only apply to individuals, not companies. If that is so, does it mean privacy only applies to POCs and not to organization data?
• How does this policy apply to existing data that’s in the database? Will ARIN keep a record of what information was submitted under specific policies and use that to determine what future WHOIS information it publishes? John Curran replied that, as it’s written, the proposal is not specific in a distinction between current or future information.
• In the ARIN staff impact analysis, was the issue of legacy space holders choosing to become members solely to make their information private considered? Einar Bohlin responded that the issue was not considered.

Polling of Consensus:

Question: Approve of Policy Proposal 2004-6?
Yes? 7 No? 20

Policy Proposal 2004-7: Residential Customer Privacy Policy

Introduction: Einar Bohlin, ARIN Policy Analyst

Presentation (Read-only): PDF

• Template submitted - August 20, 2004
• Posted to PPML - September 9, 2004
• Staff impact analysis - October 4, 2004
• Legal review - October 7, 2004
• PPML Summary:
  • Discussion before Oct. 19 on PPML consisted of two posts in favor of the proposal. Since yesterday, there were 16 additional posts with discussion about residential versus business customers. In addition, there was a suggestion that instead of classifying by usage, a prefix size should be used, for example small nets would display little information, and /24s and higher would display full information.

Presenter: Bill Darte, ARIN AC

Bill, on behalf of the ARIN AC, presented the policy and noted that this was a refinement on existing policy proposals. He added that there had been some discussion on PPML about what the exact limit should be in terms of prefix length, so the questions are: (1) should a differentiation be required, and (2) does there need to be a definition of what exactly is considered residential?

General Comments:

• Since current policy deals with both IPv4 and IPv6, it should be understood that this will establish different policies between the protocols.
• Let’s stop arguing over one or two addresses and craft policies that have a lifetime beyond a year or two. I think using address count is the wrong basic approach because addresses are an infinite resource in the v6 world, so you can’t use them as a limit there.
• This proposal does not have a good definition of what is a business and what’s not.
• The question of the definition of “business” and the size of the allocation are both orthogonal.

Statements For and Against:

• I think 128 addresses is excessive for residential usage, and the limit should be about half that, but I support the policy in general and support the idea of a specific demarcation. I would however like to see a smaller size.
• This proposal seems to be aimed at protecting us from nasty people trying to mask their identities, and I don’t see how the number of addresses being used actually coincides with that. We need to determine if this is trying to protect individuals or protect us from nasty organizations. If it’s trying to protect us, the number of addresses is irrelevant. There are much better ways to protect us, and I suggest there are much better checks that can be put in place. Perhaps not by ARIN, but by the ISPs themselves.
• ARIN should not dictate the relationship between an ISP and its customers.

Questions/Responses/Clarifications:

• Can I see a show of hands in the audience of anyone that works for a company that sells what they call residential service that would allow a user to get more than 128 IP addresses? There was a small response from the audience.
• Is there a reason the policy only applies to IPv4? It was noted that it only covers the language in 4.2.3.7.6 in the NRPM, even though the language covering IPv6 (6.5.5.1) is identical except for the heading. John Curran responded that since it was written without a reference to a limit for IPv6, it can only apply to IPv4. In addition, setting a limit for IPv6 would require a bit of work, as the number of addresses that will potentially be used on a residential connection with IPv6 is quite different. The purpose of this proposal is really to prevent businesses from taking advantage of the private customer label.

End of Discussion:

John Curran, as moderator, judged that there was not consensus to take a formal sense of the room and that the AC would take the feedback provided today to determine how to move forward.

Open Microphone

Moderator: John Curran

John Curran opened an Open Microphone session for comments.

Comments:

• I’d be interested in how other organizations are dealing with the plethora of blacklist operators and the blatant marking of large blocks of IP address space as abusive when only one or two IP addresses within the range are the source of abuse. This has become a horrendous problem for my company, in that a year ago we were spending a couple hours a week dealing with it, and now its 80 hours a week. It’s very difficult balancing between trying to serve our customers and dealing with the blacklists causing e-mail and other traffic to be blocked.
  • Our company had this issue a couple of years ago and our solution was to be proactive and in some cases actually turn down revenue. We now research every customer that comes in that seems likely to send out spam, and if they have a history of it, we do not put them on our network. Some of the blacklists are relentless, and even after an issue has been addressed, they refuse to take the range off the lists. We tell our customers that if they are going to filter using information from organizations like that, it’s their own problem, and we refer them to blacklists that are responsible and update their information.
  • We have the same set of problems, just like every other large ISP, and apparently we have a bad reputation for hosting spam. Regardless of what we do to address abuse, we still get blacklisted. So the way we address it is by telling customers you have three options: tell the downstream that is filtering your traffic to whitelist you, tell them not to use a blacklist, and then as a last resort we can renumber them, but that’s a huge burden both for the customer and us. We’re not permitted by our legal group to interact at all with the blacklist folks, so all we’re really able to do is tell customers we’re sorry and we can’t do anything about it. It’s absolutely pointless to try and fight with the blacklists.
  • I work for a large ISP that at some time in the past actually had a very tight association with one of the blacklists. The feeling that seems to be common to many of the blacklist operators is that they need to draw more attention to the problem, which leads them to doing things like blocking whole /16s. The good and bad part of that on both sides of the issue is people stop paying attention to them. As soon as they start killing off large lots of legitimate space they become ignored. So the problem is self-resolving now, we see as many people stop using blacklists as people complaining about being on them.
  • Speaking as an organization that probably receives more spam than any other place in the world, spam is a big problem and you might think about some strategies. I’m not sure if you’re having problems with consumer or business customers, or if you divide your addressing between dial-up and business customers. Some of these blacklists are blocking large swaths of address space without caring that there’s a very small amount within that address space causing issues. Perhaps you need to think about some separation of how your address ranges are used.
  • How the blacklists operate may not seem like an ARIN-related issue, but it really is one in that it impacts the utilization of our overall address space, and thus causes problems when we go back to ARIN to get more address space. We’re very careful about removing an entry from WHOIS until we’ve really cleaned that block up because we do not want to show utilization, but is that falsely representing the use of that block?
  • I don’t think ARIN should address spam blockers or spam. It’s the same as routability - it’s just not ARIN’s problem, even though it might be a problem for ARIN members.
  • It may help to bring this issue up in other forums if you recast it in the abstract and talk about it in terms of people announcing ranges that were part of previous unallocated space, and people were filtering it. It’s the same problem, but doesn’t have the same emotions tied to it as spam.
• What happens when ARIN reclaims address space and the violator continues to route it? ARIN can say not to route it, but there is no enforcement. John Curran responded that there are ways to verify if a block has been allocated, so people can make a decision on whether to accept that route. However, it would be nice to have comments from the ISP community on that.
  • What we do for our network is when space gets reclaimed, and sometimes we have to do it forcibly, we pull it down to a box and announce it from our lab network, thus causing problems for whomever was using it. Though that’s a different situation than ARIN reclaiming space.
  • It would be useful for ARIN to provide routing information for all unallocated blocks so that ISPs could simply blackhole anything that is advertised by ARIN to be unallocated.
  • As a former network engineer, my general experience is that if you as an organization give an allocation and find that you have routability problems, it can usually be addressed by calling three or four NOCs and telling them they’re not accepting your announcement or there is a conflicting one. The NOCs will usually verify using ARIN’s records and accept the proper announcement. So if ARIN reclaims something and then gives it to someone else, there is a available recourse, even if it might be a burden on the new allocation recipient and not ARIN.

Address Supporting Organization (ASO) Memorandum of Understanding (MoU)

Speaker: Ray Plzak, ARIN CEO

Presentation (Read-only): PDF

Ray announced that the ASO MoU between ICANN and the NRO would be signed during the second day of the Public Policy Meeting at 9:00 AM EDT. He provided a short background of events leading up to this, and described how the NRO would be the basis of the new Address Council. In concluding his remarks, he noted this new MoU was not cut in stone, and it will be a living document that may need to be adjusted as all parties gain experience.

Paul Twomey, from the floor, added an explanation of the steps that will be taken after the signing, starting with the ICANN Board posting it for public comment. After the comment period, the ICANN Board will consider it for ratification, along with any necessary amendments to the bylaws.

Closing Announcements

Ray Plzak reminded attendees that the ARIN RSD Help Desk was open until 5:30 PM EDT and that the Learning Center/Terminal Room would be open until 6:00 PM EDT. He also encouraged all attendees to complete the meeting survey available on ARIN’s website and to vote in the ASO AC election which will close at 5:00 PM. Ray again expressed thanks to the meeting sponsors: America Online and Time Warner Cable. He reminded the audience about the ARIN social that evening and that the meeting tomorrow would begin at 9:00 AM EDT.

Meeting Adjournment

The meeting was adjourned at 16:59 EDT.

Sponsors