Internet Number Resources Review by AFRINIC (AFPUB-2016-GEN-001-DRAFT02)

Details

Ref. Name:
AFPUB-2016-GEN-001-DRAFT02
Status:
Under Discussion
Date:
09 August 2016
Author:
Amelina Arnaud
Ilunga Kabwika Serge
Jean-Baptiste Millogo
Wafa Dahmani
Obsoletes:
None
Amends:
None
Staff & Legal Assessment and Comments

Proposal

1) Summary of the Problem Being Addressed by this Policy Proposal

As Internet Number resources are finite, their allocation is based on the operational needs of end-users and Internet Services Providers, while avoiding stockpiling in accordance with RFC7020, IPv4 Allocation Policy (AFPUB-2005-V4- 001), IPv6 Allocation and assignment policy (AFPUB-2013-v6-001) and Policy for Autonomous System Numbers (ASN) Management in the AFRINIC region (AFPUB-2004-ASN-001).

Section 4 of the Registration Service Agreement (RSA) provides the framework for investigations of the usage of allocated Internet Number resources, defines members’ obligation to cooperate and the measures to be taken by AFRINIC in case of failure to comply.

The lack of such investigation or regular control can lead to inefficient usage of the Internet Number resources, to stockpiling and other types of abuses.

2.0 Summary of How this Proposal Addresses the Problem

In order to ensure efficient and appropriate use of resources, AFRINIC shall conduct regular reviews of resource utilization held by its members. This would allow recovery of any type of resource, where usage is not in compliance with the RSA. Those resources can be reallocated for better usage.

3.0 Proposal

3.1 The reviews shall be based on compliance with the terms outlined in the RSA and Allocation/Assignment Policies.

3.2 The reviews cover all allocated/Assigned resources, but priority goes to IPv4 and ASN mappable to two-octet ASN.

3.3 Classes of review: Members to be reviewed shall be selected according to the following classes:

3.3.1 Random: The member is chosen by AFRINIC at random between members of the following categories:

Medium and above
IPv6-only Large
EU-AS

3.3.2 Selected:

A member is selected because of an internal report or due to a lack of contact between the AFRINIC and the member.

3.3.3 Reported: Here, members are reviewed either because:

They have requested the review themselves or
there has been a community complaint made against them that warrants investigation.

3.4 In case of non-compliance and if evidence has been established in accordance with the non-exhaustive list below:

Unjustified lack of visibility of the resource on the global routing table.
Breach of AFRINIC policies.
Breach of the provisions of the registration service agreement or other legal agreements between the organization holding the resource and AFRINIC.
Evidence that an organisation is no more operating and its blocks have not been transferred.
Unauthorized transfers of resources.

AFRINIC shall initiate the resource recovery process.

AFRINIC shall attempt to contact the organisation and correct any discrepancy towards the RSA. If the situation cannot be rectified, AFRINIC shall publish the resources to be recovered for a period of three (3) months; during which the organisation may at any time, seek compliance. After this period, the resource shall be recovered and therefore the records of the previous holder of the recovered resource shall be removed from AFRINIC’s databases.

Any Internet Number Resources recovered under this policy may be assigned/allocated under existing Allocation and Assignment Policies.

3.5 Appeal procedure

The review shall be conducted in full transparency and neutrality. But if the result of the review does not appear to be fair, the reviewed members has the right to appeal against the result. Appeals shall follow an arbitration process as defined by AFRINIC, which shall publish the process and the pool of arbitrators who shall be knowledgeable volunteers from the community.

The outcome of the arbitration process is unequivocal

3.6 Compliance Report

AFRINIC shall publish an annual report describing the members which have been reviewed and their level of compliance.

3.7 Acknowledgement

The authors thank Mr Alain AINA for his contribution to the development of this Policy proposal.

4.0 Revision History

Revision History

Date	Details
21 Oct 2017	Version 5.0 Fifth Draft AFPUB-2016-GEN-001-DRAFT05 Added Paragraph C to 13.3.3 in consultation with the AFRINIC legal counsel. Rephrased Paragraph 13.5 to comply with AFRINIC staff assessment Rephrased Paragraph 13.6 to avoid ambiguity. Amended 13.4 (B) to provide for and align with transfer policies Changed co-authors list. Updated the Acknowledgement section.
11 Apr 2017	Version 4.0 Fourth Draft AFPUB-2016-GEN-001-DRAFT04 Update and Rephrasing of section 3.4 Update and Rephrasing of section 3.5 Update and Rephrasing of section 3.6
18 Nov 2016	Version 3.0 Third Draft AFPUB-2016-GEN-001-DRAFT03 Update of section 3.3.3 from discussions on the mailing list Update of section 3.7 (Acknowledgements) to thank the community for discussions and contributions
05 Aug 2016	Version 2.0 Second Draft AFPUB-2016-GEN-001-DRAFT02 Change on the policy’s name Addition of the Acknowledgement section Rephrasing of section 3.3.3
18 May 2016	Version 1.0 First Draft AFPUB-2016-GEN-001-DRAFT01 Posted on RPD list

5.0 References

https://tools.ietf.org/html/rfc7020

http://afrinic.net/en/services/rs/rsa

http://www.afrinic.net/library/policies/126-policy-ipv4-address-allocation-policies

http://www.afrinic.net/en/library/policies/122-afpub-2013-v6-001

http://www.afrinic.net/en/library/policies/124-afpub-2004-asn-001

Staff Assessment

Staff & Legal Assessment and Comments

Staff Comments:

The proposal appears to be enabling AFRINIC to “enforce” article 4(b) the Registration Services Agreement, a matter of procedure and process.
We already have the ability to enforce the RSA, and the RSA already includes a requirement for policy compliance.
We already have the ability, in terms of the RSA, to recover resources that are not being used for the purpose for which they were allocated/assigned.
AFRINIC already reviews or audits members when they request additional resources. We also have the ability to review at other times, but we do not regularly exercise such ability.
We see no problem in principle with allowing complaints to trigger a review, but we are concerned about the details.
It's not clear who decides whether a complaint "warrants investigation". We interpret this part of the proposal as giving AFRINIC staff the discretion to decide which complaints to investigate or not to investigate.
Each investigation will have a large impact on staff workload and is also likely to have a large impact on the organisation being investigated. We are especially concerned about the impact of unjustified complaints.
AFRINIC staff workload may be greatly increased by a large number of requests for review or audit. The requirement that the complaint "warrants investigation" may mitigate this issue, if staff have the ability to decide that certain complaints do not warrant investigation, but staff resources will nevertheless be expended on determining whether or not the complaint warrants investigation.
There is no policy requirement for visibility in the global routing table. AFRINIC will have no contractual basis for treating "lack of visibility of the resource on the global routing table" as a problem under this policy. We suggest that this proposal should focus on policy violations, and leave the issue of global routing visibility to some other proposal that might be introduced in future.
There is a reference to "unauthorised transfers". At present, all transfers (other than under mergers and acquisitions) are unauthorised. Even under possible future transfer policy, any "unauthorised transfer" would be in violation of such policy. Accordingly, we suggest that there is no need to treat unauthorised transfers differently from any other policy violation.
The requirement that "the records of the previous holder of the recovered resource shall be removed from AFRINIC databases" is in conflict with current practice that when a resource is returned or transferred, it remains possible to find out information about the previous holder of the resource.
The requirement that the review is conducted with "full transparency" may be in conflict with privacy provisions in NDAs, in the RSA, or in law.
The requirement to publish a "compliance report" may be in conflict with privacy provisions in NDAs, in the RSA, or in law.
There is a requirement for AFRINIC to create and document an appeal process and appoint a pool of arbitrators. Creating the process, including a public comment period and subsequent revisions, would probably take 3 to 6 months. Calling for volunteers and appointing them would probably take another 2 months.

Legal:

The RSA is a community approved document and all members are bound by each and every clause thereof once they sign the agreement. It is a contract where both parties subscribe to clear obligations.
In the application of the law of contract of Mauritius as found in Article 1134 of the Mauritius Civil Code Section 4, the RSA is already binding, as a result, on all members who sign the agreement.
It is perfectly lawful, in terms of the application of the Mauritius Civil Code, for AFRINIC to act under the said section and reclaim resources from those members who/which fail an audit/ review exercise.
The policy can do no more than allowing AFRINIC to do what it is already doing in a clear and transparent manner on the basis of a community approved document

Last Modified on - 18 October 2020