Search RPD Archives
[rpd] Opposing the last call made on the review policy
owen at delong.com
Tue Dec 4 16:40:51 UTC 2018
> The review in the RSA does not allow for any random party to force AfriNIC to initiate such a costly and burdensome process against any particular member without probable cause to do so. The proposed policy does.
> Please can you clarify how the review exercise proposed by this policy will be costly and burdensome? Have you had a similar experience in your region or in what capacity was that statement made? Is there anything the Staff must have missed while assessing the implementation of this policy, perhaps you can throw more light?
It’s hard to do this without risking running afoul of antitrust regulations (citing specific examples of companies by name), but let me make an attempt…
Let’s consider a large multinational eyeball ISP with residential cable, DSL, and FTTH provisions in a dozen or more countries.
Said company likely has several million customers and as a consequence is holding more than a /10 worth of IPv4 addresses in aggregate. Because the company grew over time and through a combination of sales, mergers, and acquisitions, that IPv4 address space is not a single contiguous /10, but 50, 60, or more smaller blocks that add up to the equivalent of a /10.
Even if the company has excellent records, a full audit of their utilization will require several man hours in order to compile, format, validate, prepare, and deliver the data to AfriNIC. Then, the AfriNIC staff will have to review all of that data. In such a large pile of data, likely some accidental discrepancies will occur, not because of malice or malfeasance, but because humans make mistakes. Over time, errors accumulate through data entry, erroneous updates, stale data, etc. Those errors will require additional man hours to investigate and correct once identified. This cycle will likely repeat for multiple iterations.
At the end of it, you end up in a situation where AfriNIC and a company that has done nothing wrong have spent literally hundreds of man-hours over the course of 3-6 months only to come to the conclusion that nothing is wrong. Under the proposed policy, this process can be repeatedly triggered by outside accusation(s) without any real limits.
If this policy is implemented, it is an open invitation to commit resource denial of service attacks on large AfriNIC resource holders with virtually no cost and no accountability for the attacker.
I hope this clarifies my concern.
Admittedly, for smaller organizations, this might be less burdensome and less problematic, but the policy proposal makes no such distinction and lacks any safeguards to prevent such abuse.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the RPD