
[rpd] Last Call for "AFPUB-2016-GEN-001-DRAFT-04 - Internet Number Resources Review by AFRINIC"

David Hilario d.hilario at laruscloudservice.net
Thu Jun 29 06:57:29 UTC 2017


On 29 June 2017 at 07:43, ALAIN AINA <aalain at trstech.net> wrote:
>
>> On 25 Jun 2017, at 17:57, David Hilario <d.hilario at laruscloudservice.net> wrote:
>>
>> Hi Arnaud,
>>
>> AFRINIC Ltd being put in direct danger of legal actions and financial
>> claims from its members is still a possibility regardless of how we
>> look at the situation,
>
>
> As in every contractual relationship, dispute and litigation are unavoidable and mechanisms to handle them are provided in the agreement.
> So yes, there is possibility for litigation.
>
> Every action and decision made by AFRINIC related to the management and allocation of the INRs creates all kinds of possibilities. IPv4 exhaustion, IPv4 transfer, manipulation of legacy resources etc… create new possibilities.
>
> Inaction from AFRINIC is also a source of possibilities.
>
> AFRINIC does the right things and can stand to prove and defend it anywhere.
>

Due diligence is always to be applied, that is true for any action one takes.
But by forcing a danger upon AFRINIC Ltd, due diligence disappears,
that is why there are objections to the de-registration part of this
policy proposal.

>
>> this will continue to be the case for as long
>> as the proposal threatens to de-register resources..
>
>
> de-registration of resources is not new and has not been brought by this policy proposal. see URL
>
> https://www.nro.net/about-the-nro/rir-governance-matrix/#deregistration
>
> This proposal creates no new risk.

The other RIRs have de-registration procedure, yes.
I do not know much about LACNIC, but for ARIN, APNIC and RIPE NCC they
only de-register resources from closed members and fraudulent
registrations (fraudulent as in fake companies and documentation),
they do not de-register resources from active members.

Their Audit policies are not aimed at de-registration, but at
maintaining an accurate registry, they do this by making sure the
contacts details are up to date and providing education of their
members on latest policy development tools and features.

For a member to reach the stage of de-registration at the RIPE NCC,
they would need to first reach the closure of their membership by not
paying their membership fees, being unreachable for X amount of months
and so on, which then would lead to a long and slow de-registration
process.
That whole process is extremely difficult to reach as long as you are
legitimately registered as a company and in operation.

They have a very different approach and create little to no risk for those RIRs.

>>
>> This is the reason why objections were raised, it is even part of
>> the reasoning in staff assessment as a very real possibility, I don't
>> believe we can simply close our eyes on this one and just act as if it
>> isn't there.
>
>
> They have been taken very seriously and addressed
>

The list of outstanding issues mentioned in the past days is still quite large.
Many issues were just brushed off instead of being addressed and
changed in the policy text, in the last few days various ones were
brought up again, here is a quick summary, I may have missed a few
more:

Opposition: De-registration of allocation:
Reasoning: Can lead to legal compensation claims
Reasoning: irreversible punishment to LIRs for policy violations while
alternatives are possible.

Opposition: cost to Membership
Reasoning: cost in staff of legal battle will lead to the membership
cost to be raised.
Reasoning: cost in man hours to the member being audited

Opposition: Confidentiality issues with AFRINIC:
Reasoning: What documents, to which extent should a network disclose
their confidential information to AFRINIC?

Opposition: Arbitration process:
Reasoning: Who selects the Arbiters?
Reasoning: How do they get selected?

Opposition: Confidentiality issue with Arbiters:
Reasoning: What degree of information will be passed on to the Arbiters?

Opposition: Targeted audits:
Reasoning: Why some categories and not all?

Opposition: Subjective wording:
Reasoning: "better use" is subjective and doesn't provide clear guidance.

Opposition: legal feedback:
Reasoning: Lengthy legal feedback from AFRINIC, unclear if the stance
has changed after Authors feedback to the list.

All these points and more were raised from the beginning and are still there.

>>
>> RSA is "only" a legal document between a member and AFRINIC LTD,
>
>
>
> It is what you call “only” a legal document that makes it possible for you to raise the possibilities you mentioned above.
>
>

RSA is the legal document to enable having a membership to finance the
AFRINIC secretariat as AFRINIC Ltd.
The members are there to finance this through their fees, so that
AFRINIC can continue to act as a secretariat for the community.
This enables us to make use of the mailing list and other services
financed by the members.

>> it
>> contains some resources related guidelines, but as we have seen with
>> the transfer policy it is not above AFRINIC policies.
>
>
> RSA sets the service conditions, including the obligation to comply with all policies defined through the PDP.
>

Yes, anyone who becomes a member agrees that they will follow the
policies, it does not contradict that we should not use the RSA to
validate policies, the Policies should stand on their own ground.


> 6 (c)
> Acknowledges that it will at all times comply with the policies developed and approved by the members of AFRINIC, in Public Policy Meetings, relating to the use of services applied to:
> (i) IP Address Space Numbering Resources (IPv4 and IPv6);
> (ii) ASN resources;
> (iii) reverse DNS management;
> (iv) other related services as agreed by the community
>
>
>
>> The policies are above the RSA when it comes to resource management
>> and distribution, RSA gets invalidated by any policy contradicting it,
>
>
> Policy does not invalidate RSA as 6.d, i and ii of the RSA clearly states that it is subject to all policies…
>
> 6(d) Acknowledges:
> (i) that this agreement shall at all times be subjected to policies adopted and to be adopted by the AFRINIC Internet Community;
> (ii) that this agreement shall at all times be subjected to such global policies, adopted and to be adopted by all RIRs, which have first been approved by the AFRINIC Internet Community through its policy development process;
>
>

Policies are by definition above the RSA, this is what the quoted text
says, so yes, anything mentioned in the RSA that is Internet resources
related automatically gets overridden by policies.

This is exactly what happened with the transfer policy, now we have an
RSA with text that is invalid as a new policy was approved and
directly contradicts the text in the RSA.

>
>> as such basing and defending a policy proposal on the content
>> of the current RSA may be unwise, the policy needs to stand on its own
>> without having to refer to the RSA.
>
> Section 1.0 of the policy proposal is clear enough about the problem being addressed and referred to RFC 7020 and respective allocation policies.
> Reviews are to be done based on applicable policies.

I am not sure what segment from the RFC it is referring to, but the
basic 3 goals of an RIR do not have much to support this policy
proposal, they are about distribution, aggregation and accuracy,
nothing about de-registration.

https://tools.ietf.org/html/rfc7020

I believe it is good to try to refer to RFCs and to align as much as
possible on them, but this document is an informational document
describing in broad lines what the RIRs do.

AFRINIC Policies can even be in conflict with RFCs, the two do not
have to always match, there have been many discussions around that very
topic, but this is getting very off topic.

> So if there is anything you are not comfortable with, propose a policy to amend the current applicable policies.

I have nothing against reviews.
I mentioned it before, I believe all LIRs should be contacted on a
regular basis and they should be helped not threatened by the RIR,
approaching someone and threatening them is not a good basis for
maintaining a good relationship.

But this is not a review policy, but a de-registration policy.

The threat to remove the very essential core elements of a company's
business is a serious one.
As it is today an LIR who for any reason has parts of their network
that are not 100% policy compliant will risk losing their whole
business, surely we can find better ways to enforce policies and can
avoid putting companies out of business through policies.


>
>
> —Alain



David Hilario

IP Manager

Larus Cloud Service Limited

p: +852 29888918  m: +359 89 764 1784
f: +852 29888068
a: Flat B5, 11/F, TML Tower, No.3 Hoi Shing Road, Tsuen Wan, HKSAR
w: laruscloudservice.net
e: d.hilario at laruscloudservice.net


>>
>>
>>
>> David Hilario
>>
>> IP Manager
>>
>> Larus Cloud Service Limited
>>
>> p: +852 29888918  m: +359 89 764 1784
>> f: +852 29888068
>> a: Flat B5, 11/F, TML Tower, No.3 Hoi Shing Road, Tsuen Wan, HKSAR
>> w: laruscloudservice.net
>> e: d.hilario at laruscloudservice.net
>>
>>
>> On 23 June 2017 at 19:33, Arnaud AMELINA <amelnaud at gmail.com> wrote:
>>> Hello Ashok, please find inside lines in red color, authors response to your
>>> concerns :
>>>
>>> 2017-06-19 1:34 GMT+00:00 Ashok Radhakissoon <ashok at afrinic.net>:
>>>>
>>>>
>>>>
>>>> To the Attention of the  Co -Chairs-PDWG
>>>>
>>>> I refer to the proposed "Internet Number Resources Review" policy and
>>>> specifically to my observations thereon from a legal perspective. (attached
>>>> here)
>>>> Indeed I made two assessments. The first was for the first version of the
>>>> said proposal
>>>
>>>
>>> Your first assessment is very inspiring and can be seen at
>>> https://afrinic.net/community/policy-development/policy-proposals/1947-internet-number-resources-review-by-afrinic#assessment
>>> It says:
>>>
>>>
>>> Legal:
>>>
>>>    The RSA is a community approved document and all members are bound by
>>> each and every clause thereof once they sign the agreement. It is a contract
>>> where both parties subscribe to clear obligations.
>>>    In application of the law of contract of Mauritius as found in Article
>>> 1134 of the Mauritius Civil Code Section 4, the RSA is already binding, as a
>>> result on all members who sign the agreement.
>>>    It is perfectly lawful , in terms of the application of the Mauritius
>>> Civil Code , for AFRINIC to act under the said section and reclaim resources
>>> from those members who/which fail an audit/review exercise.
>>>    The policy can do no more than allow AFRINIC to do what it is already
>>> doing in a clear and transparent manner on the basis of a community approved
>>> document
>>>
>>>
>>>>
>>>> and  the second was for the amended  versions thereof.
>>>
>>>
>>> It will be good if you could  point out the amendments and how they bring
>>> some potential risks
>>>
>>>>
>>>> Whilst my first observation rested on the contractual  aspect of the RSA
>>>> and the contractual obligation of members to comply thereto-See clause 4 of
>>>> the RSA. My second assessment was made from the perspective of the
>>>> implementation of the proposal.
>>>
>>>
>>> As there is no legal concerns about adopting a policy to implement
>>> contractual obligations set by the RSA and allocations/assignment policies,
>>> it sounds good to discuss implementation.
>>>
>>>>
>>>> As these assessments were submitted by AFRINIC to the authors in good time
>>>> before the face to face discussion thereon, I expected that they were to be
>>>> considered as a fourth version of the proposal was presented.
>>>
>>>
>>> Just for records: version 4 was submitted on April 11, Second staff and
>>> legal assessment  was  published on April 26
>>>
>>>>
>>>> To all intents and purposes, it is my humble opinion that the legal issues
>>>> were not addressed by the authors nor did you draw attention to them during
>>>> the face to face meeting.
>>>
>>>
>>> Authors responded to this second  assessment on the mailing list. See
>>> https://lists.afrinic.net/pipermail/rpd/2017/006889.html and spoke about
>>> them in the presentation made during the PPM
>>>
>>>>
>>>> I believed that since the assessments were part of the record for the
>>>> purposes of discussions and consideration, I did not draw the attention of
>>>> the working group to them.
>>>> I am now doing so.
>>>
>>>
>>> Thank you. We believe this gives the working Group and yourself a single
>>> opportunity to progress and close these issues.
>>>
>>>>
>>>> I reiterate that the proposal, as submitted and later amended, would
>>>> expose AFRINIC to potential legal suits if the following issues which I have
>>>> raised in my assessment are not addressed.
>>>
>>>
>>> See below
>>>
>>>
>>>>
>>>> 1- The testing of data/facts/evidence submitted (by third parties) to
>>>> staff requires the latter to verify the veracity/admissibility/authenticity
>>>> thereof. If AFRINIC was to act on these, and they later reveal themselves to
>>>> be forged/untrue/inadmissible, AFRINIC may potentially face civil suits at
>>>> the behest of members from whom resources would have been recovered and
>>>> which could have been prejudicial to them (members).
>>>
>>>
>>> You point to Third parties with “data/facts/evidence submitted by (third
>>> Parties) to staff”. You are then referring to section 13.3.2(b) below
>>>
>>>
>>> 13.3.2 Selected
>>> A member is selected because of an internal report or due to a lack of
>>> contact between the AFRINIC and the member.
>>> 13.3.3 Reported: Here, members are reviewed either because:
>>> a. They have requested the review themselves or;
>>> b. There has been a community complaint made against them that warrants
>>> investigation. Complaints shall be backed by evidence and AFRINIC staff
>>> shall evaluate the facts as appropriate to conduct the review. However, this
>>> review is not applicable to a member with the same resources portfolio on
>>> which a full review has been completed in the preceding 24 months.
>>>
>>>
>>> Staff shall evaluate the facts at their discretion just to know if the
>>> complaint is worth establishing a review. The decision to run a review in
>>> all cases fall under RSA and policies provisions.
>>>
>>> section 4 (iii) of RSA
>>>
>>> Further acknowledges that AFRINIC may at its own discretion and for good
>>> cause and common Interest of the stability of the Internet, investigate or
>>> cause to be investigated, the Applicant’s use of the services by the
>>> appropriate and competent authority(ies).
>>>
>>>
>>>>
>>>> I also referred to the problem of multi-jurisdictional sources of
>>>> evidence/facts etc
>>>
>>>
>>> No need for a legal document/evidence as explained above.
>>>
>>> But in case this would be needed, one could expect the company legal counsel
>>> to guide the organization as how it works by default.
>>>
>>> AFRINIC already deals with evidences/Facts from members and potential
>>> members when evaluating request for allocations and additional allocations.
>>>
>>>
>>>>
>>>> 2- The authors must pronounce themselves on whether members should have
>>>> recourse to sworn affidavits or go through the services of a commissioner of
>>>> oath or propose any other modus to enable the staff of AFRINIC to undertake
>>>> the testing exercise on the basis of reliable evidence, before embarking
>>>> upon a review process.
>>>
>>>
>>> RSA does not require sworn affidavit to provide information to staff
>>>
>>>>
>>>> 3-My remarks would apply for the two "classes" of review- complaints from
>>>> community- AFRINIC's own decision-
>>>
>>>
>>> this is addressed above
>>>
>>>>
>>>> 4- I have also not seen the stand of the authors regarding the fact as to
>>>> the "arbitration award" being unequivocal and my observation related to an
>>>> incompatibility with the Code of Civil Procedure of Mauritius.
>>>
>>>
>>> There seems to be some confusions and misunderstandings here. Below is again
>>> the text of the appeal procedure:
>>>
>>>
>>> 13.5 Appeal procedure
>>>
>>> The review shall be conducted in full transparency and neutrality.
>>>
>>> Reviewed members who are not satisfied have the right to appeal against the
>>> result.
>>>
>>> Appeals shall follow an arbitration process as defined by AFRINIC, which
>>> shall publish the process and the pool of arbitrators whom shall be
>>> knowledgeable volunteers from the community.  The outcome of the arbitration
>>> process is unequivocal.
>>>
>>>
>>> It is about an appeal against the result of the audit. Nothing more.  An
>>> appeal process as we do have for example in the section 3.5 of the CPM.
>>>
>>> The Arbitration process to be defined by AFRINIC “must” only cover appeals
>>> against the results of review and not appeal against actions taken by
>>> AFRINIC after a review.
>>>
>>> This must be separated from any dispute which may arise from action taken by
>>> AFRINIC as results of a review or other mechanisms which shall follow the
>>> Number Resource Dispute Resolution of AFRINIC as  shown  at this URL.
>>> https://www.nro.net/about-the-nro/rir-governance-matrix/#disputes
>>>
>>> So question is “is section 13 of the RSA incompatible with the Code of
>>> Civil procedure of Mauritius”? But this discussion does not fall under
>>> this policy proposal
>>>
>>>
>>>
>>>>
>>>> 5- I also raised the issue of "hearing" the investigated party (a
>>>> requirement of the rules of natural justice) and expressly stated that the
>>>> proposal does not provide anything in this regard.
>>>
>>>
>>> Policies and RSA provide mechanisms for staff to conduct review of
>>> allocation/assignment requests and allocated resources usage. This policy
>>> proposal does not need to define any other mechanisms.
>>> Investigated party must collaborate and provide information required by
>>> AFRINIC.
>>>
>>> Afrinic does not conduct hearings with requesting members, so not required
>>>
>>>
>>>>
>>>> 6- The question of choice of jurisdiction wherein the arbitration be
>>>> held- Would it always be Mauritius? This is the law that applies to the RSA.
>>>
>>>
>>> As stated above, the Arbitration this policy proposal refers to does not
>>> require jurisdiction.
>>>
>>> Choice of jurisdiction according to the RSA is Mauritius, and we expect this
>>> to apply to Number Resource Dispute Resolution as defined in the RSA
>>>
>>>
>>>>
>>>> In the light of the above, may I request the Co-Chairs to consider same
>>>> and consequently decide, whether further discussions are required on this
>>>> proposal.
>>>
>>>
>>> Hope the above clarifies things and addresses your concerns
>>>
>>>
>>>>
>>>> I thank you for your kind consideration.
>>>> Ashok.B.Radhakissoon
>>>> Afrinic-Legal Adviser.
>>>>
>>>>
>>>
>>> Warm Regards
>>>
>>> Arnaud A. A. A.
>>> Active Community member ;)
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> RPD mailing list
>>>> RPD at afrinic.net
>>>> https://lists.afrinic.net/mailman/listinfo/rpd
>>>>


