Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

[Owen DeLong <owen () delong com>]

> The proposal is “guarantor”, or at least that’s our intent. Is not ARIN taking the decision, is the community by 
> means of experts. We have improved it in the v2 that will be posted in a matter of days in RIPE, but we can’t improve 
> it in ARIN because simply discussing it is not allowed by the AC decision.

This isn’t entirely correct as I understand it.

Any policy or potential policy can be discussed on PPML even if it is not actually on the Advisory Council Docket.

You are certainly free to discuss the proposal as well as the petition there.
 
> Now if another ARIN member is misusing your resources (not by an operational mistake, but repeatedly), ARIN is not 
> going to do anything about it?

Do you honestly believe that hijackings are being committed by ARIN members or even ARIN resource holders that have 
signed RSAs with ARIN?

> Is not a problem or ARIN becoming the “routing police”. This has been completely misunderstood by the AC. Is about 
> ARIN making sure that the rights of the members are respected by other members.

Please provide some evidence that this has happened. My understanding is that the intentional repetitive hijackings to 
which you refer are almost always (possibly always)  committed by people using not only fraudulent address space, but 
also fraudulent ASNs.

> Without clear rules, other members can do whatever they want with resources allocated to another member.

I’m pretty certain that’s already clear from the RSA…

Section 2 of RSA version 12.0 / LRSA Version 4.0 covers this reasonably well:

2. CONDITIONS OF SERVICE

(a) Compliance. In receiving or using any of the Services, Holder must comply with the Service Terms.

(b) Provision of Services and Rights. Subject to Holder’s on-going compliance with its obligations under the Service 
Terms, including, without limitation, the payment of the fees (as set forth in Section 4), ARIN shall (i) provide the 
Services to Holder in accordance with the Service Terms and (ii) grant to Holder the following specified rights:

(1) The exclusive right to be the registrant of the Included Number Resources within the ARIN database;

(2) The right to use the Included Number Resources within the ARIN database; and

(3) The right to transfer the registration of the Included Number Resources pursuant to the Policies.

Holder acknowledges that other registrants with ARIN have rights that intersect or otherwise impact Holder’s rights 
and/or use of the Included Number Resources, including, but not limited to, other registrants benefiting from 
visibility into the public portions of registrations of the Included Number Resources as further described in the 
Policies. 

(c) redacted — not relevant here and long
(d) Prohibited Conduct By Holder. In using any of the Services, Holder shall not: (i) disrupt or interfere with the 
security or use of any of the Services; (ii) violate any applicable laws, statutes, rules, or regulations; or (iii) 
assist any third party in engaging in any activity prohibited by any Service Terms.


What does the policy proposal offer in terms of rules that aren’t already enshrined in the above text?

Your claim is that without clear rules, there is a problem. I claim we have clear rules that go as far as your policy 
and that the problem isn’t RIR members in general anyway, but bad actors who are generally NOT RIR members.
  
> Additionally, a question of scope does arise with regard to which resources ARIN would be able to enforce any such 
> policy with regard to.  Indeed, the proposal as written currently calls for a "pool of worldwide experts" despite 
> being a proposal submitted to an RIR which is explicitly not worldwide in scope.  For example, if a network with an 
> ASN assigned by ARIN is "hijacking" address space that is allocated by APNIC (or any other RIR) to an entity outside 
> of ARIN's region, would this be an issue for ARIN to consider?  What if ARIN-registered address space is being 
> "hijacked" by an entity with a RIPE ASN and which is not located within ARIN territory?  I suspect that for this 
> proposal to have any meaningful enforcement mechanisms, it would require inter-RIR cooperation on enforcement, and 
> that's a very large can of worms.  Not one that is impossible to overcome, but likely one which will require several 
> years of scrutiny, discussion, and negotiation prior to any real world implementation.  
>  
> This has been clarified in v2 that I mention before, to be publish in RIPE. The idea is that the claim is done in the 
> region where the hijacker is a member (assuming that we get the policy going thru all the regions).

And also assuming that the hijacker is a member of any RIR at all… A dubious claim, IMHO.

> Right, we have a more complete v2 with many procedural details, which we can’t even discuss in ARIN, and obviously 
> the idea of the PDP is to allow the policy proposals to be discussed until we reach a text that we can agree.

To the best of my knowledge, you are free to discuss any policy or potential policy in the ARIN region regardless of AC 
action on any particular proposal.

To be clear, the AC’s action does not preclude discussion (to the best of my knowledge). The decision made by the AC 
was not to accept it on to the AC docket as a draft policy because as written it was out of scope. (See official 
announcement from AC and ARIN staff for a more nuanced and detailed description). This does not preclude discussing 
further work on the subject on PPML and it does not preclude submission of a different proposal that addresses a 
problem within ARIN’s scope.

> So please, if you want to get this discussion going on in the right place subscribe to ARIN PPML 
> (https://lists.arin.net/mailman/listinfo/arin-ppml <https://lists.arin.net/mailman/listinfo/arin-ppml>) and respond 
> to the attached email, just to support the discussion (no need to agree at all now with the text).

That’s not actually what the current petition will do.

I quote from the ARIN Policy Development Process:
2.1. Petition against Abandonment, Delay, or Rejection due to Scope

The Advisory Council’s decision to abandon a Policy Proposal, Draft Policy or Recommended Draft Policy may be 
petitioned.

Petitions may be initiated within the 5 days following the announcement date of an Advisory Council abandonment of a 
specific Policy Proposal or any Draft Policy. For sake of clarity, the “announcement date” of an action shall be the 
publication date of the action in the ARIN AC draft minutes. Additionally, Policy Proposals that have not been accepted 
as a Draft Policy after 60 days may also be petitioned to Draft Policy status at anytime.

For a Policy Proposal that has been rejected due to being out of scope of the PDP, a successful petition will refer the 
question of whether the Policy Proposal is in scope to the ARIN Board of Trustees for consideration.

For all other petitions against abandonment or delay, a successful petition will result in the Draft Policy being 
placed back on the Advisory Council docket under control of the petitioner and scheduled for public policy consultation 
at the next PPM. After the public consultation, control returns to the Advisory Council and subsequently may be revised 
or abandoned per the normal Policy Development Process.

Emphasis of the third paragraph is mine since it is the relevant section to this discussion.

Thus, your petition, as I understand the above text is to get the board to make a ruling on whether or not the proposal 
is within scope of the ARIN Policy Development Process.

Owen