Details
Ref. Name: AFPUB-2016-GEN-001-DRAFT07 |
Version: 7.0 Status: Under Discussion |
Authors:
|
Date Submitted: 06 April 2019 |
Proposal
1.0 Summary of the Problem Being Addressed by this Policy Proposal
As Internet Number resources are finite, their allocation is based on the operational needs of end-users and Internet Services Providers, while avoiding stockpiling in accordance with RFC7020, the IPv4 Allocation Policy CPM 5.5, the IPv6 Allocation and assignment policy CPM 6.5 and the Policy for Autonomous System Numbers (ASN) Management in the AFRINIC region CPM 7.0.
Section 4 of the Registration Service Agreement (RSA) provides a framework for investigations of the usage of allocated Internet Number resources, defines members’ obligation to cooperate and the measures to be taken by AFRINIC in case of failure to comply. The lack of such investigation or regular control can lead to inefficient usage of the Internet Number resources, to stockpiling and other type of abuses.
2.0 Summary of How this Proposal Addresses the Problem
In order to ensure efficient and appropriate use of resources, AFRINIC shall conduct regular reviews of resource utilization held by its members. This would allow recovery of any type of resource, where usage is not in compliance with the RSA. Those resources can be reallocated for better usage.
3.0 Proposal
The policy proposal will modify the CPM by inserting a section 13 as follows:
13.0 Internet Number Resources Review Regular reviews of resource utilization are conducted by AFRINIC to ensure efficient and appropriate usage of resources. This allows for recovery of any type of resource where usage is not in compliance with the RSA; to allow such resources to be reallocated for better usage. 13.1 The reviews shall be based on compliance with the terms outlined in the RSA and Allocation/Assignment Policies. 13.2 The reviews cover all allocated/Assigned resources, but priority goes to IPv4 and ASN mappable to two-octet ASN. 13.3 Classes of review: Members to be reviewed shall be selected according to the following classes:
The member is chosen by AFRINIC at random between the membership. 13.3.2 Member is selected because of an internal report or due to a lack of contact between AFRINIC and the member. 13.3.3 Reported: Here, members are reviewed either because: A) They have requested the review themselves or B) There has been a community complaint made against them that warrants investigation. Complaints shall be backed by evidence and AFRINIC staff shall evaluate the facts as appropriate to conduct the review. However this review is not applicable to a member with the same resources portfolio on which a full review has been completed in the preceding 24 months. AFRINIC staff may, at its sole discretion, after having assessed the nature of the evidence found in the community complaint, require that such evidence be (i) submitted in the form of a sworn affidavit or (ii) declared to be true before a Commissioner of Oath. 13.4 In case of non-compliance and if evidence has been established in accordance with:
If the organization is cooperative and working in good faith to substantially restore compliance or has a valid need for additional time to renumber out of the affected blocks, AFRINIC shall negotiate a longer term. The acceptance level of compliance and duration of the longer term are at AFRINIC staff discretion. B) If the situation cannot be rectified and the member did not transfer the ressources to meet other AFRINIC-approved needs as per adopted policies AFRINIC shall publish the resources to be recovered for a period of three (3) months; during which the organization may at any time, seek compliance or transfer the ressources to other members After this period, the resource shall be recovered and therefore the records of the previous holder of the recovered resource shall be updated in AFRINIC’s databases. C) Any Internet Number Resources recovered under this policy may be assigned/allocated under existing Allocation and Assignment Policies.
Reviewed members who are not satisfied have the right to appeal against the result within the four weeks. Appeals shall follow an arbitration process as provided for in the Code de Procedure Civile (Code of Civil Procedure) of the Republic of Mauritius. AFRINIC may, on request from an aggrieved party, suggest a pool of arbitrators who shall be knowledgeable volunteers from the community.
AFRINIC shall publish an annual meaningful report describing review activities, in accordance with all applicable laws and regulations. |
5.0 Acknowledgements
The authors thank Ms Wafa Dahmani Zaafouri (now the AFRINIC GC Chair), Mr Serge ILUNGA (currently serving on the AFRINIC Board member) and Mr Alain P. Aina for their contributions in the development of this Policy proposal.
The authors also thank the community for the discussions and contributions.
Revision History
Date |
Details |
06 Apr 2019 |
Version 07
|
10 Apr 2018 |
Version 6.0
|
21 Oct 2017 |
Version 5.0
|
11 Apr 2017 |
Version 4.0
|
18 Nov 2016 |
Version 3.0
|
05 Aug 2016 |
Version 2.0
|
18 May 2016 |
Version 1.0
|
Staff Assessment
Proposal |
AFPUB-2016-GEN-001-DRAFT07 |
Title |
Internet Number Resources review by AFRINIC |
Proposal URL |
|
Assessed |
21 May 2019 |
1.0 Staff Understanding of the Proposal
- AFRINIC to conduct resource utilization reviews (audits) of IPv4, IPv6 and ASN resources randomly, periodically and/or triggered by a whistle-blower to ensure compliance with policy provisions and all terms of the AFRINIC RSA.
- Non-Compliant resources shall be recovered (and can be Reallocation guidelines have not been clearly stipulated in policy text , so AFRINIC shall apply the current guidelines for reclamation & reallocation). However, AFRINIC shall contact the member in breach to initiate efforts to work towards restoring compliance, which should last at least 6 months. If the member is cooperative and working in good faith to substantially restore compliance or has a valid need for additional time to renumber out of the affected blocks, AFRINIC shall negotiate a longer term. The acceptance level of compliance and duration of the longer term are at AFRINIC staff discretion. The 6-month period to restore compliance will not be given in cases of fraudulent resource acquisition or unlawful usage and abuse.
- A review on the same resources for the same member can only be once every two years (24 months) irrespective of nature of complaint.
- Complaints made against any member by a whistle-blower must be backed by evidence. AFRINIC may require that such evidence be submitted in the form of a sworn affidavit or declared to be true before a Commissioner of Oaths (of any jurisdiction - not necessarily Mauritius or country of originator of the complaint).
- Members not happy with the review result have the right to appeal within four weeks of completion of the review. Appeals shall follow an arbitration process as provided for in the 'Code de Procedure Civile (Code of Civil Procedure)' of the Republic of Mauritius. AFRINIC may, on request from an aggrieved party, suggest a pool of arbitrators who shall be knowledgeable volunteers from the community.
- A report of all review/audit activity conducted every year will be published on the website, contents of which must comply with the necessary and appropriate applicable laws and regulations (details at AFRINIC discretion)
- Specific staff interpretation/understanding of key proposed clauses:
- (13.3.1) Random : By Random Selection, we understand this to mean that equal weight will be given to each member regardless of their category and size. AFRINIC staff will use their discretion to establish a schedule of review for members.
- (13.3.2) : Member is selected because of an internal report or due to a lack of contact between AFRINIC and the member. We understand that this section covers cases where for example:-
- Internal reports reveal certain whois/business rule inconsistencies or non-compliance with policy and/or the RSA.
- AFRINIC has received bounces when sending members their annual invoices or other key correspondence.
- (13.3.3 A) : Member-Requested review: We understand that this section will cover a Resource Member initiating contact with AFRINIC and requesting that they be reviewed within the guidelines of this policy. The motivation of the Resource Member can be to ensure their degree of compliance with all AFRINIC policies that the resources they hold subject them to.
2.0 Staff Comments
- The RSA as written already provides for reviews/investigations/audits. Article 4(c)(iii) of the RSA, states: "The Applicant hereby irrevocably... further acknowledges that AFRINIC may at its own discretion and for good cause and common Interest of the stability of the Internet, investigate or cause to be investigated, the Applicant’s use of the services by the appropriate and competent authority(ies)" , further reinforced by articles 4(a) and (b).
- Under proposed 13.3.3(b), the text "There has been a community complaint made against them that warrants investigation":
- As per policy, AFRINIC shall evaluate the facts and determine whether a complaint warrants investigation.
- Is it mandatory for staff to conduct a review of the Resource Member when a community complaint has been received? Our understanding is that :-
- AFRINIC receives a community complaint against a Resource Member.
- AFRINIC staff assesses the complaint based on the evidence provided.
- AFRINIC staff may conclude that the complaint does not warrant that a review be initiated.
- In 13.5, authors should clarify if the arbitration process can be initiated by the member anytime during or (only) after the review is completed. There also needs to be a time limit around when the arbitration process must complete (for the arbitration team to produce their findings/report). The words "within the four weeks" could be reworded to indicate at what point the 4-week period starts.
- All review requests shall be handled First in, First Out (at staff discretion). A review request could take a very short time or a very long time depending on how readily all requested information has been provided, the class of review and quantity of resources under review. Although uncertain, there could be considerable overload on staff depending on the influx of review requests.
- On the clause: “The review shall be conducted in full transparency and neutrality” - Authors and the community need to understand that AFRINIC cannot disclose details of an ongoing audit/review to the public while doing the review - (if this is what authors meant by "transparency").
- On the Clause: “AFRINIC shall publish the resources to be recovered for a period of three (3) months; during which the organization may at any time, seek compliance” - AFRINIC will add “remarks” attributes to the concerned whois database objects. Information in the attributes will indicate that those objects are under audit. We think that this is sufficient to address the "publish" requirement in this clause
- Proposed 13.4 A states "AFRINIC shall attempt to contact the organization and correct any discrepancy towards the RSA. Except in cases of fraudulent resource acquisition or unlawful usage and abuse, the organization shall be given a minimum of six months to effect the return of the resources. If the organization is cooperative and working in good faith to substantially restore compliance or has a valid need for additional time to renumber out of the affected blocks, AFRINIC shall negotiate a longer term. The acceptance level of compliance and duration of the longer term are at AFRINIC staff discretion." We suggest re-wording to: AFRINIC shall attempt to contact the organization and correct any discrepancy towards the RSA. Except in cases of fraudulent resource acquisition or unlawful usage and abuse, the organization shall be given a minimum of six months to effect the return of the resources. Query: How much time shall those who fit “cases of fraudulent resource acquisition or unlawful usage and abuse” be given ?
- Proposed 13.4 states “ AFRNIC shall initiate the resource recovery process.” We request some clarifications from the authors as follows :-
- Does this mean that AFRINIC shall mandatorily reclaim all resources held by the Resource Member?
- It may happen that an AFRINIC Resource member has not completely registered the usage of its resources on the AFRINIC whois database. Shall they be informed that if they do not fix this, AFRINIC shall reclaim all the resources they hold?
- If a member requested for and qualified for a /16 IPv4 prefix in 2012, and the time of review, we note that they are only using a /20 worth of resources of that allocation, what shall AFRINIC do ? Reclaim the /16 or perhaps negotiate for a return of the resources (a change request as per RSA can easily cover such cases)
- The RSA, article 4(a), allows a member to notify AFRINIC of any changes to their usage. The RSA, article 6(d)(vii), requires a member to correct any breach. In draft-06 of the review proposal, section 13.4 seemed clear that the organisation would be given the opportunity to correct any breach, and that this could include notifying AFRINIC of any changes, consistent with RSA 4(a) and 6(d)(vii). However, in the current draft-07 of the review proposal , the text of section 13.4 has changed significantly, and it is no longer clear whether the organisation will have the ability to notify AFRINIC of any changes or to correct any breach. Staff recommends that the text should be clarified to ensure that members retain the right to correct any breach or notify AFRINIC of any changes to their usage, provided such usage is consistent with adopted policies.
3.0 Comments from Legal Counsel
Legal advisor expressed reservations about the publication of the resources which may be recovered over a period of three months. Since in the RSA AFRINIC has bound itself to comply with data protection and confidentiality laws, there is need to be cautious regarding the information published, as this could be seen to amount to a naming and shaming exercise.
4.0 Implementation
4.1 Timeline & Impact
The proposal will be implemented within the stipulated schedule in the PDP.
4.2 Implementation Requirements
Updates to internal processes as appropriate