Re: Past policies versus present and future uses

[JORDI PALET MARTINEZ via NANOG <nanog () nanog org>]

Hi Matthew,

 

I’m not sure I’ve succeded to explain it in previous emails.

The requirement for the LACNIC policies about majority of usage *in the region* of the resources provided has been 
there for many years. I’m almost sure than since day 1, but will need to dig into older versions of the policy manual 
to check that.

The *text* was only using the work “mayoría”, but the interpretation when ensuring policy compliance, was following 
that definition of “mayoria”, which is more than 50%. My policy proposal, was “cleaning” and “clarifiying” text here 
and there. For example, there were some text that clearly apply to IPv4 and IPv6, and was only in the IPv4 section, 
etc. The policy proposal also did a lot of major changes for the recovery of uncompliant addressing space by ensuring 
that LACNIC setup periodic and automatic policy compliance checks.

So: the “>50%” was not a “change”, was just making explicit the actual practice, and during the discussion of the 
proposal, we made sure in the mailing list that everybody agree with that clarification of the *existing* 
interpretation. Nobody, absolutely nobody, objected or said “I don’t read it that way”. In fact, I asked if the people 
prefers to use some “other %”, or completely delete it or whatever.

I don’t have the exact details of the case that Ron discovered in Belize, because, of course, most of the details are 
under NDA between the resourse holder and LACNIC, private documents, etc., etc. So I’m not sure if “initially” the 
resource holder was really having the “majority” of the resources operated in Belize or some other place in the region 
and then they “forgot” that they need to follow the policy (as said, the policy has not changed in that sense). My 
guess is that they provided false information to LACNIC “yes we have the majority of the operation in the region”, and 
the RIR trusted the provided documents, but is only my guess.

I fully see your point, however *every ISP/LIR needs to follow the policies in every RIR where they have resources*. 
Policy changes may require changes in their operation, and if they don’t agree, *this is the reason* they MUST 
participate in policy discussions, to be able to defend their position.

This is *nothing new*! Is part of the job of the ISPs/LIRs, to ensure that they follow the policy discussions, the same 
way as citizens follow law development because changes in law (new taxes, etc.), can change their compliance with law. 
Is not about retroactivity, is about every one of us developing the “laws” and justify why something can’t be changed.

The solution to those that don’t want to follow (even if is part of their “job”) the policy development, is to have 
warnings when there is a policy change that affects them. In fact I’ve included that in a policy proposal in AFRINIC 
(https://www.afrinic.net/policy/proposals/2020-gen-001-d1?lang=en-GB#proposal), by means of a dash-board. This could be 
done also by other RIRs as part of their “operational” terms in the customers accounts (such in “mylacnic” in the case 
of LACNIC), etc., and in fact it was the main intent of my policy proposal.

As said, remember that this has been not changed, just added a clarification based on the existing understanding of the 
previuos text. LACNIC will not have provided to this resource-holder in 2013 the resources if they didn’t had indicated 
that the majority (over 50%) of those resrouces aren’t being operated in the region.

I found and older archived version of the policy manual from 2013 (in Spanish):

https://www.lacnic.net/innovaportal/file/543/1/manual-politicas-sp-2.0.pdf

In section 1.11, has exactly the same text:

“Los recursos de numeración de Internet bajo la custodia de LACNIC se deben distribuir a organizaciones legalmente 
establecidas en su región de servicio [COBERTURA] y para atender mayoritariamente redes y servicios que operan en dicha 
región.”

 

 

 

El 25/1/21 0:15, "Matthew Petach" <mpetach () netflight com> escribió:

 

 

 

On Sun, Jan 24, 2021 at 4:22 AM JORDI PALET MARTINEZ via NANOG <nanog () nanog org> wrote:

[...] 

So, you end up with 2-3 RIRs allocations, not 5. And the real situation is that 3 out of 5 RIRs communities, decided to 
be more relaxed on that requirement, so you don’t need actually more than 1 or may be 2 allocations. Of course, we are 
talking “in the past” because if we are referring to IPv4 addresses, you actually have a different problem trying to 
get them from the RIRs.

 

Hi Jordi,

 

I've adjusted the subject line to reflect the real thrust of this discussion.

 

You're right--if we're trying to get "new" allocations of IPv4 addresses, we've got bigger problems to solve.

 

But when it comes to IPv6 address blocks and ASNs, these questions are still very relevant.

 

And, going back to the original article that spawned the parent thread, the problem wasn't about companies requesting 
*new* blocks, it was about the usage of old, already granted blocks that were now being reclaimed.

 

Historically, ISPs have focused on ensuring their usage of IP space reflected the then-current requirements at the time 
the blocks were requested.  This action by Ron, well-intentioned as it is, raises a new challenge for ISPs:  network 
numbering decisions that were made in the past, which may have been done perfectly according to the guidelines in place 
at the time the blocks were assigned, may later on violate *newly added* requirements put in place by RIRs.  How many 
global networks allocate manpower and time cycles to potentially renumbering portions of their network each time a new 
policy is put in place at an RIR that makes previously-conforming addressing topologies no longer conforming?  
Historically, once addresses were granted by an RIR, and the exercise of ensuring all the requirements were met, and 
the addresses were in place, that was it; nobody went back every time a new policy was put in place and re-audited the 
network to ensure it was still in compliance, and did the work to bring it back into compliance if the new policy 
created violations, because the RIRs generally didn't go back to see if new policies had been retroactively applied to 
all member networks.

 

Ron's actions have now put every network on notice; it wasn't good enough to be in compliance at the time you obtained 
your address space, you MUST re-audit your network any time new policies are put into force by the RIR in a region in 
which you do business, or your address space may be revoked due to retroactive application of the new policy against 
addresses you have already put into use.

 

This is a bigger deal that I think many people on the list are first grasping.

 

We grow up accustomed to the notion that laws can't be applied retroactively.  If you smoked pot last year, before it 
was criminalized, they can't arrest you this year after a new law was passed for smoking it before the law was passed.  

 

In the DDoS-guard case, the address blocks in question seem to have been granted by LACNIC nearly a decade ago back in 
2013, under whatever policies were in force at the time.  But they're being revoked and reclaimed based on the policies 
that are in place *now*, nearly a decade later.

 

It sends a very clear message--it's not enough to be in compliance with policies at the time the addresses are granted. 
 New policies can and will be applied retroactively, so decisions you made in the past that were valid and legal, may 
now be invalid, and subject you to revocation.  It's bad enough when it's your own infrastructure that you have some 
control over that you may need to re-number; woe to you if you assign address blocks to *customers* in a manner that 
was valid under previous policy, but is no longer valid under new policies--you get to go back to your customers, and 
explain that *they* now have to redo their network addressing so that it is in compliance, in order for *you* to be in 
compliance with the new policies.  Otherwise, you can *all* end up losing your IP address blocks.

 

So--while I think Ron's actions were done with the best of intentions, I think the fallout from those actions should be 
sending a chill down the spine of every network operator who obtained address blocks under policies in place a decade 
ago that hasn't gone back and re-audited their network for compliance after ever subsequent policy decision.

 

What if one of *your* customers falls into Ron's spotlight; is the rest of your network still in compliance with every 
RIR policy passed in the years or decades since the addresses were allocated?  Are you at risk of having chunks of your 
IP space revoked?

 

I know this sets a precedent *I* find frightening.  If it isn't scaring you, either you don't run a network, or I 
suspect you haven't thought all the way through how it could impact your business at some unforeseen point in the 
future, when a future policy is passed.  :/

 

Thanks!

 

Matt

 

 



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be 
for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, 
distribution or use of the contents of this information, even if partially, including attached files, is strictly 
prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any 
disclosure, copying, distribution or use of the contents of this information, even if partially, including attached 
files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to 
inform about this communication and delete it.