Recommended Draft Policy ARIN-2014-1: Out of Region Use [Archived]

Status: Abandoned

Tracking Information

Discussion Tracking

Mailing List:

Formal introduction on PPML on 29 January 2014

Origin - ARIN-prop-192

Draft Policy - 29 January 2014

Revised - 28 March 2014

Revised with staff assessment - 19 September 2014

Revised - 21 October 2014

Recommended Draft Policy - 24 December 2014

AC reaffirmed as Recommended Draft Policy - 24 March 2014

Revised legal assessment - 9 April 2015

Abandoned by the AC - 27 April 2015

Public Policy Mailing List

ARIN Public Policy Meeting:

ARIN PPC At NANOG 60

ARIN 33

ARIN PPC at NANOG 61

ARIN PPC at NANOG 62

ARIN 34
ARIN PPC at NANOG 63

ARIN 35

ARIN Advisory Council:

AC Shepherds:
Milton Mueller, Tina Morris

• 24 January 2014

• 20 February 2014

• 20 March 2014

• 16 April 2014

• 15 May 2014

• 19 June 2014

• 17 July 2014

• 28 August 2014

• 18 September 2014

• 10 October 2014

• 20 November 2014

• 18 December 2014

• 23 January 2015

• 19 February 2015

• 19 March 2015

• 15 April 2015

ARIN Board of Trustees:

Revisions:

Previous version(s)

Implementation:

Recommended Draft Policy ARIN-2014-1
Out of Region Use

Date: 24 December 2014

AC’s assessment of conformance with the Principles of Internet Number Resource Policy:

This proposal enables fair and impartial number resource administration by clearing up a significant ambiguity in policy and practice. This proposal is technically sound, as no technical issues are raised by permitting a single network operator to use resources from one RIR in any region. This proposal is supported by the community. Permitting out of region use allows operators with facilities spanning more than one region to obtain resources in the most direct and convenient way, and to utilize their numbers more flexibly and efficiently. The concerns of law enforcement and staff raised by the first staff and legal assessment have been mitigated by the latest amendments.

Problem statement:

Current policy neither clearly forbids nor clearly permits out or region use of ARIN registered resources. This has created confusion and controversy within the ARIN community for some time. Earlier work on this issue has explored several options to restrict or otherwise limit out of region use. None of these options have gained consensus within the community. The next logical option is a proposal that clearly permits out of region use while addressing some of the concerns expressed about unlimited openness to out of region use.

Policy statement:

Create new Section X:

ARIN registered resources may be used outside the ARIN service region. Out of region use of IPv4, IPv6, or ASNs are valid justification for additional number resources if the applicant is currently using at least the equivalent of a /22 of IPv4, /44 of IPv6, or 1 ASN within the ARIN service region, respectively.

The services and facilities used to justify the need for ARIN resources that will be used out of region cannot also be used to justify resource requests from another RIR. When a request for resources from ARIN is justified by need located within another RIR’s service region, the officer of the applicant must attest that the same services and facilities have not been used as the basis for a resource request in the other region(s). ARIN reserves the right to request a listing of all the applicant’s number holdings in the region(s) of proposed use, but this should happen only when there are significant reasons to suspect duplicate requests.

Comments:

a. Timetable for implementation: Immediate

b. Anything else

Current policy is ambiguous on the issue of out of region use of ARIN registered resources. The only guidance on the issue in current policy is Section 2.2, which defines the the role of RIRs as “to manage and distribute public Internet address space within their respective regions.” Some in the community believe this means out of region use should be prevented or restricted, while others believe this is only intended to focus efforts within the region and not define where resources may be used.

Previous policy proposals have explored restricting or otherwise limiting out of region use, but none have gained consensus within the ARIN community. Several standards for restricting out of region use were explored, but all of them were perceived as interfering with the legitimate operations of multi- or trans-regional networks.

The requirement to have a minimal level of resources deployed in the region (/44 for IPv6, /22 for IPv4, 1 ASN) is an attempt to respond to law enforcement and some community concerns. An absolute threshold ensures that those applying for ARIN resources are actually operating in the region and not simply a shell company, but it avoids the known pitfalls of trying to use percentages of the organization’s overall holdings to do that. The use of officer attestation and the possibility of an audit is an attempt to prevent duplicate requests without requiring burdensome reporting requirements.

In summary, this proposal ensures that trans-regional organizations or service providers operating within the ARIN region may receive all the resources they need from ARIN if they wish to do so. This change is particularly important for IPv6. Requiring organizations get IPv6 resources from multiple RIRs will result in additional unique non-aggregatable prefixes within the IPv6 route table.

ARIN STAFF ASSESSMENT

Date of Revised Assessment: 15 January 2015

1. Summary (Staff Understanding)

This policy would allow out of region use of ARIN issued resources as long as the requesting organization is presently an ARIN registry customer and currently using the equivalent of a /22 IPv4 block, or a /44 IPv6 block, or an ASN on infrastructure physically located within the ARIN region. An officer attestation would be required to verify that the resource request is not a duplicate of one made to another RIR.

2. Comments

A. ARIN Staff Comments

• There are registrants in the ARIN region, such as end-users, who are not necessarily ARIN members. The policy text has been updated to omit references to ‘Member’, and is understood to refer to organizations with an existing customer relationship & agreement with ARIN.

• Current ARIN policy requires organizations to show a justified need for resources to be used specifically within the ARIN region in order to receive number resources from ARIN. If the draft policy were adopted, ARIN number resources could be requested for use in another region.

• When processing resource requests for use in another region under this policy, ARIN staff would include any address space registered through another RIR and currently used (or available to be used) within that region in its evaluation of the organization’s justified need based on current ARIN policy.

• This policy adds a new requirement that staff review utilization outside of the ARIN region, which will require additional time, and could delay the review and processing of requests of this type as well as other request types that ARIN currently handles.

• This policy would be placed in the NRPM as “2.17 Out of Region Use”.

[The following is an updated legal assessment of 2014-1]

B. ARIN General Counsel - Legal Assessment

19 March 2015

Counsel has significant and material legal concerns about this policy. Counsel recognizes and supports the issuance of resources to entities in the ARIN region that need number resources that will be used in both this region and in the remainder of the world. ARIN currently issues resources for these needs based on a needs based allocation methodology.

However, this proposed policy removes the requirement that there be any meaningful need for those resources in the ARIN service region, and allows all of the need to be outside the ARIN service region. This creates new legal challenges for ARIN which are identified below:

First, ARIN is governed by ICANN ICP-2, which calls for establishment of a single RIR to serve each region. It further notes that multiple RIRs serving in single region is likely to lead to difficulty for co-ordination and co-operation between the RIRs as well as confusion for the community within the region. The implication of that governance structure is that each RIR can and should serve its service region. This policy would allow entities with no real connection to the ARIN’s service region to obtain, for example, increasingly scarce IPv4 resources from ARIN and related registry services. This policy would result in ARIN effectively providing registry services to other regions, and thus appears on its face to be inconsistent with ICP-2. ARIN has obligations to follow the global policy in ICP2, or seek changes in it.

Second, if the policy were adopted, ARIN could arguably become subject to the jurisdiction and laws passed by governments outside our service region. This may lead to ARIN being a litigant in courts of nations outside its service region and subject to their requirements and judgments. ARIN will need to accept greater legal expenditures and risks, as well as potentially larger costs in order to take this greater scope into consideration in ARIN’s registry activities on an ongoing basis.

Third, the policy fails to recognize that ARIN is not likely to able to perform the function contemplated in the policy with certain countries, and related public or private entities. See as examples under US law: Cuba, Iran and North Korea. The policy could benefit from a specific carve out that ARIN may meet its obligations under the laws of governments in its service region, even if such requests would otherwise comply with ARIN policy. For those who assert that this requirement to conform to law is implicit and does not need to be stated in policy, it is important the community is under notice of this limit. This issue has not been an issue for ARIN prior to this proposed policy.

Fourth, ARIN may be subject to significantly greater political oversight by national governments in its service region that will wish to evaluate why ARIN alone of the 5 RIRs is assuming a duty to service all of the world’s community. It may be argued by governments in ARIN’s region that this is a potential breach of ARIN’s fiduciary obligations to its own region, and to examine whether it is consistent with ARIN’s non-profit status and other corporate documents.

Fifth and finally, counsel is concerned that the policy will lead to an increase in fraudulent applications from out of region requestors, and issuance of resources to those who fraudulently file, since ARIN is not as well positioned to successfully discover such fraud by out of region requestors.

[Legal Assessment in the staff assessment dated 15 January 2015]

B. ARIN General Counsel - Legal Assessment

[15 January 2015]

Counsel supports the issuance of resources to entities in the ARIN region that need number resources that will be used in this region and in the remainder of the world. ARIN currently issues resources for these needs based on a needs based allocation methodology. This proposed revised policy now requires that there be /22 of deployed IPv4 resources in the ARIN service region, and once that installation exists it allows all of the recipients’ needs outside the ARIN service region to be met by ARIN. The requirement of a meaningful physical presence of the recipient in the service region was absent from the prior version, and is an improvement. (The draft policy does not explicitly spell out that the recipient must have an actual physical presence, as well as a corporate legal entity, in the ARIN region, but implies the requirement indirectly by stating that the requester must presently be using resources in the ARIN region and thus already comply with ARIN’s existing requirements.

The single remaining aspect that continues to create legal and policy concern is that the policy as written and interpreted calls for ARIN to allocate resources solely for use out of the ARIN service region. By definition, those resources should be obtained from the RIR(s) in the service region(s) where the need exists. Counsel would strongly prefer that the policy require that there be a requirement that some of the resources being allocated be needed in the ARIN region. Such a modest limit would be consistent with ICP-2; it would be consistent with ARIN’s stewardship responsibility to allocate the waning pool of IPv4 number resources, and will still meet the needs of ARIN based multinational entities who need resources across the globe.

This draft policy is inconsistent with ICP2. ARIN is governed by ICANN ICP-2, which calls for establishment of a single RIR to serve each region. ICP2 further notes that multiple RIRs serving in a single region is likely to lead to difficulty for co-ordination and co-operation between the RIRs as well as confusion for the community within the region. The implication of that governance structure is that each RIR can and should serve primarily its service region. Adoption of this policy will result in ARIN effectively providing significant registry services to ARIN qualified recipients in other RIR regions, and such a change should not be undertaken lightly but instead only after the framework provided in ICP-2 is updated (based on global discussion and consent) - to proceed otherwise would undermines ICP-2 and encourages parties to set aside its principles in an uncoordinated manner, risking in the very “confusion for the community” that ICP-2 helps deter at present.

ARIN cannot perform business functions contemplated in the policy with certain countries, and related public or private entities, such as relationships to Cuba, Iran and North Korea under U.S. law. This has not historically been an issue for ARIN prior to this proposed policy. It may be necessary to require ARIN’s implementation of this policy to require a certification that none of the resources will be deployed contrary to U.S., Canada or Caribbean nations law in this respect. If the draft policy is adopted and ARIN provides resources to qualifying entities for use outside of the region, it is essential that the present requirement for dispute resolution via arbitration at a location in ARIN’s service region as currently required in the RSA be maintained to assist in reducing the risk of ARIN becoming subject to the venue, jurisdiction and laws of legal forums outside the ARIN service region.

3. Resource Impact

This policy would have significant resource impact from an implementation aspect. It is estimated that implementation would occur within 5-6 months after ratification by the ARIN Board of Trustees. The following would be needed in order to implement:

• Updated guidelines and internal procedures
• Staff training
• Additional time to review resource requests for out of region use as out of region utilization would now need to be included in the analysis of these requests
• Engineering efforts to handle out of region business rules may be substantial.

4. Policy Statement
   Proposal/Draft Policy Text Assessed
   Draft Policy ARIN-2014-1 Out of Region Use
   Create new Section X:

ARIN registered resources may be used outside the ARIN service region. Out of region use of IPv4, IPv6, or ASNs are valid justification for additional number resources if the applicant is currently using at least the equivalent of a /22 of IPv4, /44 of IPv6, or 1 ASN within the ARIN service region, respectively.

The services and facilities used to justify the need for ARIN resources
that will be used out of region cannot also be used to justify resource
requests from another RIR. When a request for resources from ARIN is justified by need located within another RIR’s service region, the
officer of the applicant must attest that the same services and
facilities have not been used as the basis for a resource request in the other region(s). ARIN reserves the right to request a listing of all the applicant’s number holdings in the region(s) of proposed use, but this should happen only when there are significant reasons to suspect
duplicate requests.

EARLIER ARIN STAFF ASSESSMENT

Date of Assessment: 22 October 2014 to 13 November 2014
2014-1 “Out of Region Use”

1. Summary (Staff Understanding)

This policy would allow out of region use of ARIN issued resources as long as the requesting organization is an ARIN member in good standing and currently using at least a /22, or a /44, or 1 ASN within the ARIN region.

2. Comments

A. ARIN Staff Comments

• There are registrants in the ARIN region, such as end-users, who are not necessarily ARIN members. As written, this policy would not be available to an organization that is not currently a member of ARIN, due to the use of “ARIN member in good standing” in the policy text. Unless the intention is specifically to require ARIN membership, the policy text should simply reference “a registrant currently using at least the equivalent of a /22 of IPv4, or a /44 of IPv6 in the region.”

• Staff would apply ARIN policy to all out of region requests to include asking for utilization details of resources registered in another RIR’s database if the ARIN resources are being requested for use in that region.

• This policy adds a new requirement that staff review utilization outside of the ARIN region, which will require additional time, and could delay the review and processing of requests of this type as well as other request types that ARIN currently handles.

B. ARIN General Counsel - Legal Assessment

This policy has been improved from counsel’s perspective since the last version was reviewed at ARIN 34 in Baltimore.

Counsel recognizes and supports the issuance of resources to entities in the ARIN region that need number resources that will be used in both this region and in the remainder of the world. ARIN currently issues resources for these needs based on a needs based allocation methodology. This proposed revised policy now requires that there be /22 of deployed resources in the ARIN service region, and once that installation exists it allows all of the recipients’ needs outside the ARIN service region to be met by ARIN. This is a substantial improvement from a legal perspective as it requires a “meaningful” or “material” physical presence of the recipient in the service region that was absent from the prior version. This meets a core objective answering my prior concern about the lack of such a requirement.

This policy still represents a type of exception to ICP2, despite the helpful added requirement of the recipients /22 presence in region. ARIN is governed by ICANN ICP-2, which calls for establishment of a single RIR to serve each region. ICP2 further notes that multiple RIRs serving in a single region is likely to lead to difficulty for co-ordination and co-operation between the RIRs as well as confusion for the community within the region. The implication of that governance structure is that each RIR can and should serve its service region. This revised policy still allows entities with /22 technological connections to the ARIN’s service region to obtain increasingly scarce IPv4 resources from ARIN and related registry services for needs outside the ARIN regions. This policy still will result in ARIN effectively providing significant registry services to ARIN qualified recipients operating in other RIR regions.

If the draft policy is adopted and ARIN provides resources to qualifying entities for use outside of the region, it is essential that the present requirement for dispute resolution via arbitration at a location in ARIN’s service region as currently required in the RSA be maintained to assist in reducing the risk of ARIN becoming subject to the venue, jurisdiction and laws of legal forums outside the ARIN service region.

ARIN cannot perform business functions contemplated in the policy with certain countries, and related public or private entities, such as relationships to Cuba, Iran and North Korea under U.S. law. This has not historically been an issue for ARIN prior to this proposed policy. The new requirement to spell out that the recipient must maintain an actual physical presence, as well as a corporate legal entity in the ARIN region, reduces, but does not entirely eliminate this concern. It may be necessary to require ARIN’s implementation of this policy to require a certification that none of the resources will be deployed contrary to U.S., Canada or Caribbean nations law in this respect.

3. Resource Impact

This policy would have significant resource impact from an implementation aspect. It is estimated that implementation would occur within 5-6 months after ratification by the ARIN Board of Trustees. The following would be needed in order to implement:

• Updated guidelines and internal procedures
• Staff training
• Engineering efforts to handle out of region business rules may be substantial.

4. Proposal/Draft Policy Text Assessed
   Draft Policy ARIN-2014-1 Out of Region Use
   Date: 21 October 2014
   Problem statement:
   Current policy neither clearly forbids nor clearly permits out or region use of ARIN registered resources. This has created confusion and controversy within the ARIN community for some time. Earlier work on this issue has explored several options to restrict or otherwise limit out of region use. None of these options have gained consensus within the community. The next logical option is a proposal that clearly permits out of region use while addressing some of the concerns expressed about unlimited openness to out of region use.

Policy statement:
Create new Section X:
ARIN registered resources may be used outside the ARIN service region. Out of region use of IPv4, IPv6, or ASNs are valid justification for additional number resources if the applicant is an ARIN member in good standing and is currently using at least the equivalent of a /22 of IPv4, or a /44 of IPv6, or 1 ASN within the ARIN service region, respectively.
The services and facilities used to justify the need for ARIN resources that will be used out of region cannot also be used to justify resource requests from another RIR. When a request for resources from ARIN is justified by need located within another RIR’s service region, an officer of the applicant must attest that the same services and facilities have not been used as the basis for a resource request in the other region(s). ARIN reserves the right to request a listing of all the applicant’s number holdings in the region(s) of proposed use, but this should happen only when there are significant reasons to suspect duplicate requests.

Comments:
a. Timetable for implementation: Immediate
b. Anything else
Current policy is ambiguous on the issue of out of region use of ARIN registered resources. The only guidance on the issue in current policy is Section 2.2, which defines the the role of RIRs as “to manage and distribute public Internet address space within their respective regions.” Some in the community believe this means out of region use should be prevented or restricted, while others believe this is only intended to focus efforts within the region and not define where resources may be used.
Previous policy proposals have explored restricting or otherwise limiting out of region use, but none have gained consensus within the ARIN community. Several standards for restricting out of region use were explored, but all of them were perceived as interfering with the legitimate operations of multi- or trans-regional networks.
The requirement to have a minimal level of resources deployed in the region (/44 for IPv6, /22 for IPv4, 1 ASN) is an attempt to respond to law enforcement and some community concerns. An absolute threshold ensures that those applying for ARIN resources are actually operating in the region and not simply a shell company, but it avoids the known pitfalls of trying to use percentages of the organization’s overall holdings to do that. The use of officer attestation and the possibility of an audit is an attempt to prevent duplicate requests without requiring burdensome reporting requirements.
In summary, this proposal ensures that trans-regional organizations or service providers operating within the ARIN region may receive all the resources they need from ARIN if they wish to do so. This change is particularly important for IPv6. Requiring organizations get IPv6 resources from multiple RIRs will result in additional unique non-aggregatable prefixes within the IPv6 route table.