Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] RPD : Prolicy proposal "Internet Number Resources review by AFRINIC" informations update

Owen DeLong owen at
Mon Apr 29 05:57:08 UTC 2019

> On Apr 28, 2019, at 14:54 , Arnaud AMELINA <amelnaud at> wrote:
> Owen,
> The "This policy is not needed", "but if you want it, address A,B,C " game continues. See inline

This policy is not needed. Someone asked me to specifically identify changes that would render it less harmful. I did so in an attempt to be cooperative.

I’d much prefer to abandon the proposal and end the game, but the authors seem determined to inflict something else on the community, so, as long as they force the community to have this albatross weighing down the policy development process, I will continue to work within the policy process to render it harmless (in case it somehow gains consensus despite such objection) and will continue to encourage its withdrawal.

> Le dim. 7 avr. 2019 à 17:53, Owen DeLong <owen at <mailto:owen at>> a écrit :
> This change is trivial and does not address the vast majority of issues raised with the previous version of the proposal.
> This new change addresses a new issue raised and agreed during the last meeting. Not all objections raised are adopted and lead to change to proposals. 

Sure, but until all of the objections raised are addressed with something beyond “we don’t care”, those objections can be sustained and will continue to block any legitimate declaration of consensus for the proposal.

> I hereby request that if the authors will not allow this proposal to expire as it should, that they at least provide a substantive update which addresses the majority of the issues raised to date:
> You seem to be expecting the expiration of the proposal and did not speak up when authors asked several times for comments and suggestions after Hammamet.
> So, why waste valuable time in responding to the points below?  People change their mind. You opposed after you supported. You may change again. Here you go.

Actually NONE of the objections I’ve raised recently are new. I’ve raised them repeatedly on prior versions of the proposal, so you really can’t claim that I failed to speak up in a timely manner. The fact that the authors have continued to ignore those issues doesn’t change the fact that I raised them some time ago.

I never supported most of the provisions in the current proposal. IIRC, I said that I would not strenuously object to the idea of a resource review when it was a much less onerous proposal with little potential for harm and some additional clarity to the process.

The current form of the proposal is more vague than the RSA and has great potential for harm that has been added since the last time I stated anything short of opposition to the proposal.
> 	+	Potential for abuse of the complaint process as a DOS attack on large organizations
> This was discussed intensively and remains at the stage of  potentiality not proven. 

Huh? How can one prove the behavior of a policy that has not been adopted?

However, with a very small amount of imagination and some basic mathematics, it’s pretty easy to understand the DOS vectors in this proposal…

1.	There’s no limit to the number of concurrent investigations AfriNIC can be forced to open against a company based on
	specious complaints.

2.	There’s no protection in the current proposal against specious complaints and AfriNIC staff is not given discretion to reject
	them. All staff is empowered to do is insist that the complaint be signed and in writing. After that, the policy requires them
	to fully investigate the complaint with all the overhead that implies for the organization being investigated.

3.	Since there’s no provision in the proposal for consolidating complaints or investigations, repetitive complaints against the
	same organization in rapid succession have the potential to be tremendously disruptive both to the organization in question
	and to AfriNIC.

4.	This is disproportionately impactful to larger organizations because the overhead of dealing with each such investigation
	grows somewhat exponentially with the size of the organization.
> 	+	The proposal is unnecessary as the useful portions are already enshrined in existing policy
> 		and the RSA.
> Hummmm ! Can you please point to these documents and sections ?

I’ve already pointed to the documents… They are the consolidated policy manual and the registration services agreement.

The policy manual provides several provisions about how number resources are allocated and to be used within the AfriNIC
region. These are distributed throughout the policy manual.

The ability for AfriNIC to verify compliance and to rescind resources in a case of fraudulent representations or other violations
of AfriNIC policy by the resource holder is enshrined in the RSA. Unfortunately, I’m having trouble finding the RSA on the
AfriNIC web site. Searches for RSA and Registration Services Agreement do not turn up the actual RSA for reasons passing
understanding (perhaps someone from staff will be kind enough to fix this).

I did finally find it following some links related to becoming a resource member here:

Relevant sections are:
	3. in its entirety
	7 in its entirety
	11.(d).(iii) et. seq.
	13 in its entirety

Of those, the most important and most directly related sections are:

	1.(b) (the power of AfriNIC to amend policies)
	2.(b) (accurate information required in application)
	2.(d) (requirement to keep supplied information current)
	2.(f) (requirement to provide relevant information online)
	2.(g) (requirement to maintain accurate contact information on file)
	3.(a) (applicant accepts subjugation to AfriNIC policies)
	3.(b) (applicant accepts subjugation to AfriNIC internal business process and policies)
	4.(b) (applicants obligation to cooperate)
		Specifically 4.(b).(ii) Applicants obligation to cooperate with AfriNIC investigation reviewing applicant’s utilization. (mis-spelled in the RSA as utiliSation, btw)
	 4.(c).(i) and (ii) (commitment to use services sold for purpose requested and commitment to full and unreserved compliance with policies, respectively)
	4.(c).(iii) AfriNIC’s right to investigate or cause to be investigated the applicant’s use of services by appropriate and competent authority(ies).
		— In this context, I believe AfriNIC itself constitutes an appropriate and competent authority.

There’s nothing useful in this policy that isn’t already provided for in the above referenced sections of the RSA and the existing number resource policies.

> 	+	Please also address the grammatical errors (e.g. “within the four weeks.”)
> Oh for sure...  Will be fixed. Thanks for pointing this out.
> 	+	The term “annual meaningful report” is not defined. Specifically, what constitutes “meaningful” in this context
> 		and, absent a clear definition, how is this decided by whom?
> This is left to staff to decide.  This point was also discussed intensively and have evolved from the  original proposal to the current text:

It needs to evolve further before it is useful policy language.
> --- initial text---
> 3.6 Compliance Report
> AFRINIC shall publish an annual report describing the members which have been reviewed and their level of compliance.
> --- 1st amendment---
> 13.6 Compliance Report
> AFRINIC shall publish an annual report describing review activities, in accordance with Mauritius Data Protection Act and NDA with members.
> ---Current text---
> 13.6 Compliance Report
> AFRINIC shall publish an annual meaningful report describing review activities, in accordance with all applicable laws and regulations.
> ----
> As you can see the consensus was to allow Staff to publish a comprehensive report which obey the laws and regulations.

Nope… There is no consensus. As I can see, the language has changed over time and the last attempt at consensus
was based on what you say above.

The word meaningful here is a no-op at best. It has not definition and therefore no effect.

Even if one wishes to retain it, the wording is awkward and should be changed to:

	AfriNIC shall publish a meaningful annual report describing review activities. This requirement does not request or
		extend authority to publish protected or private data or data which would otherwise be unlawful to publish.

Even then, the word meaningful should simply be defined or deleted.

> 	+	There is no provision for satisfactory outcome without a complete review by AfriNIC staff, even if it is
> 		obvious that there is no need for further action. This is unnecessarily costly to both AfriNIC and the
> 		organization being reviewed.
> The proposal does not tell Staff how and when to complete a review, as by default staff know what to do to conduct reviews. 

This is not true. The proposal, as written, mandates that if staff receives a complaint, they must conduct a review. It does not
place any limits on the number of reviews instantiated contemporaneously by the receipt of multiple complaints, nor does it
provide staff the discretion to combine such complaints with a review in progress.

The policy as written does not leave these issues to the staff… It is specific and it prevent staff from doing the right and
reasonable thing in these circumstances… Thus my calling it potentially harmful and a DOS vector.

> 	+	As written, in the reported case, AfriNIC staff cannot reject a review where the evidence supported
> 		does not justify one. They can insist upon a sworn submission of the complaint and evidence, but,
> 		the policy does not give the discretion to reject or ignore a specious sworn complaint. This is a
> 		clear path to abuse.
> Not true. 
> The current text was also a consensus of the WG discussion. Lawyers advised that the word 'Warrant' be used to guarantee that staff has full right to not trigger a review if the evidences do not justify one. See text below

The current text was not a consensus of the WG discussion as there has never been a consensus of the WG discussion on this proposal.

> ----
> B) There has been a community complaint made against them that warrants investigation. Complaints shall be backed by evidence and AFRINIC staff shall evaluate the facts as appropriate to conduct the review. However this review is not applicable to a member  with the same resources portfolio on which a full review has been completed in the preceding 24 months.
> AFRINIC staff may, at its sole discretion, after having assessed the nature of the evidence found in the community complaint, require that such evidence be (i) submitted in the form of a sworn affidavit or (ii) declared to be true before a Commissioner of Oath.

I suppose there is a legitimate argument that the initial phrase is vague enough to allow AfriNIC to reject a complaint until such time
as the complainant sues them for such refusal to act claiming that the complaint does warrant investigation. Personally, not the way
I want to see AfriNIC spending its legal budget trying to fend off an attempted DOS attack against either AfriNIC, a large resource
member, or both.

> ------
> 	+	The numbering of the paragraphs outside of the actual policy being coincident with the numbering
> 		of the paragraphs in the proposal should be eliminated. It should be clear and unambiguous which
> 		text is intended to be applied to the policy manual and which is metadata for the proposal.
> Some disorganisation occurred during the migration to the CPM's format. It will updated. Expect a new version of the proposal.


> 	+	The mechanism of priority in 13.2 and, indeed, the meaning of “priority is given” is undefined.
> Hmmmmm.  Do we really need to define " priority is given" ? Let's review the text again.
> ----
> 13.2 The reviews cover all allocated/Assigned resources, but priority goes to IPv4 and ASN mappable to two-octet ASN.
> -----

Yes… We do. Does priority is given mean that 80% of random audits are against IPv4 and ASN numbers ≤65535?
Does it mean 60%? Does it mean priority only in the case of a stack of complaint based reviews that exceed staff’s
ability to act?

It’s literally unclear to me what action to expect staff to take as a result of this directive.

> 	+	13.3.1 does not define the intended fraction of members to be reviewed in any given time period.
> 		Is AfriNIC expected to conduct 5 random reviews per year, or 500?
> This is left to staff to decide in the limit of  available resources (human and financial) as discussed and agreed.

So if AfriNIC decides to conduct one random review per year and call that sufficient, the authors are satisfied?

> 	+	The 24 month exemption in section 13.3.3 ignores the fact that “full review completed” is vague and
> 		opens multiple channels of abuse…
> 		-	What constitutes a full vs. partial review?
> 		-	In the case where AfriNIC has satisfied itself after reviewing 80% or even 90% of an organizations
> 			resources and AfriNIC terminates the review process, does that constitute completion of a full
> 			review, or, is such an organization subject to being put through the full process all over again
> 			within 24 months?
> 		-	Can additional complaints filed during a review trigger additional reviews contemporaneously?
> As one can see from the text below, the base idea is that an INR cannot be subject to review more than once in 24 months. Member's resources portfolio changes over time.  

That may be the intent, but it’s not the proposal.

> ----
> B) There has been a community complaint made against them that warrants investigation. Complaints shall be backed by evidence and AFRINIC staff shall evaluate the facts as appropriate to conduct the review. However this review is not applicable to a member  with the same resources portfolio on which a full review has been completed in the preceding 24 months.
> ------

The devil here is in the details.

The completion of a full review of a large organization is not unlikely to be 18 months ore more after said review started. Additional reviews can be triggered during that 18 months and the policy provides no discretion for staff to merge new complaints into the existing review.

There are multiple paths in the details of the existing text that could well put some large resource members into a permanent state of review.

> Most, if not all of these problems have been reported previously. It’s likely there are other problems remaining as well,
> but the above is based on a fresh review of the text below.
> I renew my call for the authors to recognize that this proposal at best causes more problems than it solves and lacks community consensus or any likelihood of achieving community consensus.
> At a minimum, I ask that the authors either withdraw the proposal or provide a substantial update which addresses each and every concern stated above.
> Owen
> On behalf of authors 
> Arnaud 

Thank you sincerely, Arnaud, for finally at least treating my objections as substantive and responding to them
in a manner that reflects a genuine honest effort to work within the process to develop the policy.

While I still do not agree with you that this policy is needed or should move forward, I do sincerely respect
your effort here and appreciate finally (after how many years) getting a response that does more than dismiss
my objections outright.

As men of good character, we are well within our rights and it is not uncommon for us to respectfully disagree
and legitimately draw different conclusions from the same facts and words. Such is likely the case here as all
of our ability to interpret same is colored by our life experiences.

I hope that going forward, other authors and supporters of this proposal can learn a lesson from you here and
begin treating the opposition with appropriate respect and attention to our objections.

I hope you will take the time to review the RSA and especially those most important clauses which I have
referenced to see that the entirety of useful action from this proposal is already enshrined in the RSA and 
staff has everything they need in order t begin random and/or complaint based investigations as it currently stands.

Since it is authors intent to leave to staff discretion the amount, frequency, and pace of such reviews, there’s
really nothing in this proposal that changes the current abilities or requirements under the RSA.


>> On Apr 6, 2019, at 8:12 AM, Arnaud AMELINA <amelnaud at <mailto:amelnaud at>> wrote:
>> Hi Ernest and Co-chairs,  
>> Please find below an update of our Policy proposal "Internet Number Resources Review by AFRINIC", for future discussions on the list. 
>> Regards 
>> ------------------------------------------------------------------------------- Begin ---------------------------------------------------------------------------------
>>     Name : Internet Number Resources Review by AFRINIC (Draft 7)
>>     Ref. Name: AFPUB-2016-GEN-001-DRAFT07
>>     Status: Under Discussion
>>     Date: 6 April 2019
>> Authors:
>>         (a) Amelina A. A. Arnaud | <arnaud.amelina at <mailto:arnaud.amelina at>> | AUF/TogoRER
>>         (b) Jean-Baptiste Millogo |<jean.millogo at <mailto:jean.millogo at>>| Orange Burkina 
>>         (c) Marcus ADOMEY  <madomey at <mailto:madomey at>>  | University of Ghana
>> 13.0 Summary of the Problem Being Addressed by this Policy Proposal
>> As Internet Number resources are finite, their allocation is based on the operational needs of end-users and Internet Services Providers, while avoiding stockpiling in accordance with RFC7020, IPv4 Allocation Policy CPM 5.5, IPv6 Allocation and assignment policy CPM 6.5 and Policy for Autonomous System Numbers (ASN) Management in the AFRINIC region CPM 7.0.Section 4 of the Registration Service Agreement (RSA) provides the framework for investigations of the usage of allocated Internet Number resources, defines members’ obligation to cooperate and the measures to be taken by AFRINIC in case of failure to comply. The lack of such investigation or regular control can lead to inefficient usage of the Internet Number resources, to stockpiling and other type of abuses.
>> 13.0.1 Summary of How this Proposal Addresses the Problem
>> In order to ensure efficient and appropriate use of resources, AFRINIC shall conduct regular reviews of resource utilization held by its members. This would allow recovery of any type of resource, where usage is not in compliance with the RSA. Those resources can be reallocated for better usage.
>> 13.0.2 Proposal
>> The policy proposal will modify the CPM as follows:
>> Insert a section 13 to the CPM as follows:
>> 13.0 Internet Number Resources Review
>> Regular reviews of resource utilization are conducted by AFRINIC to ensure efficient and appropriate usage of resources. This allows for recovery of any type of resource where usage is not in compliance with the RSA; to allow such resources to be reallocated for better usage.
>> 13.1 The reviews shall be based on compliance with the terms outlined in the RSA and Allocation/Assignment Policies.
>> 13.2 The reviews cover all allocated/Assigned resources, but priority goes to IPv4 and ASN mappable to two-octet ASN.
>> 13.3 Classes of review: Members to be reviewed shall be selected according to the following classes:
>> 13.3.1 Random
>> The member is chosen by AFRINIC at random between the membership.
>> 13.3.2 Selected
>>  Member is selected because of an internal report or due to a lack of contact between the AFRINIC and the member.
>> 13.3.3 Reported: Here, members are reviewed either because:
>> A) They have requested the review themselves or
>> B) There has been a community complaint made against them that warrants investigation. Complaints shall be backed by evidence and AFRINIC staff shall evaluate the facts as appropriate to conduct the review. However this review is not applicable to a member  with the same resources portfolio on which a full review has been completed in the preceding 24 months.
>>  AFRINIC staff may, at its sole discretion, after having assessed the nature of the evidence found in the community complaint, require that such evidence be (i) submitted in the form of a sworn affidavit or (ii) declared to be true before a Commissioner of Oath.
>> 13.4 In case of non-compliance and if evidence has been established in accordance with:
>> •    Breach of AFRINIC policies
>> •    Breach of the provisions of the registration service agreement or other legal agreements between the organization holding the resource and AFRINIC.
>> AFRNIC shall initiate the resource recovery process.
>> A) AFRINIC shall attempt to contact the organization and correct any discrepancy towards the RSA. Except in cases of fraudulent resource acquisition or  unlawful usage and abuse, the organization shall be given a minimum of six months to effect the return of the resources.
>> If the organization is cooperative and working in good faith to substantially restore compliance or has a valid need for additional time to renumber out of the affected blocks, AFRINIC shall negotiate a longer term.
>> The acceptance level of compliance and duration of the longer term are at AFRINIC staff discretion. 
>> B) If the situation cannot be rectified and the member did not transfer the ressources to meet other AFRINIC-approved needs as per adopted policies
>>  AFRINIC shall publish the resources to be recovered for a period of three (3) months; during which the organization may at any time, seek compliance or transfer the ressources to other members 
>>  After this period, the resource shall be recovered and therefore the records of the previous holder of the recovered resource shall be updated in AFRINIC’s databases.
>> C)  Any Internet Number Resources recovered under this policy may be assigned/allocated under existing Allocation and Assignment Policies.
>> 13.5 Appeal procedure
>> Reviewed members who are not satisfied have the right to appeal against the result within the four weeks. Appeals shall follow an arbitration process as provided for in the
>> Code de Procedure Civile (Code of Civil Procedure) of the Republic of Mauritius. AFRINIC may, on request from an aggrieved party, suggest a pool of arbitrators who shall be knowledgeable volunteers from the community.
>> 13.6 Compliance Report
>> AFRINIC shall publish an annual meaningful report describing review activities, in accordance with all applicable laws and regulations.
>> 13.7 Acknowledgements
>> The authors thank Ms Wafa Dahmani Zaafouri (become Afrinic GC Chair), Mr Serge ILUNGA (become Afrinic Board member)  and Mr Alain P. Aina for their  contributions  in the development of this Policy proposal.
>> The authors also thank the community for the discussions and contributions.
>> 4.0 Revision History
>> 18 May 2016
>>   Version 1.0
>> - First Draft AFPUB-2016-GEN-001-DRAFT01
>> - Posted on RPD list
>> 05 Aug 2016
>>   Version 2.0
>> - Second Draft AFPUB-2016-GEN-001-DRAFT02
>> - Change on the policy’s name
>> - Addition of the Acknowledgement section
>> - Rephrasing of section 3.3.3
>> 18 Nov 2016
>> Version 3.0
>> - Third Draft AFPUB-2016-GEN-001-DRAFT03
>> - Update of section 3.3.3 from discussions on mailing list
>> - Update of section 3.7 (Acknowledgements) to thank the community for discussions and contributions
>> 11 Apr 2017
>> Version 4.0 
>> - Fourth Draft AFPUB-2016-GEN-001-DRAFT04
>> - Update and Rephrasing of section 3.4
>> - Update and Rephrasing of section 3.5
>> - Update and Rephrasing of section 3.6
>> 21 Oct. 2107
>> Version 5.0 
>> - Fifth Draft AFPUB-2016-GEN-001-DRAFT05
>> - Adding the paragraphe C to 13.3.3. according to the legal counsel proposition
>> - Rephrasing the paragraphe 13.5 to comply with staff and legal assessment 
>> - Rephrasing the paragraphe 13.6 to comply with staff assessment and avoid any ambiguity 
>> - Changing the co-authors list
>> - Updating the Acknowledgement session
>> - Amending 13.4 (B) to  reflect the Transfer policies
>> 06 Apr. 2018
>> Version 6.0 
>> - Sixth Draft AFPUB-2016-GEN-001-DRAFT06
>> - Removing categorization between membership in random class section 13.3.1
>> 06 Apr. 2019
>> Version 07
>> - Seventh Draft AFPUB-2016-GEN-001-DRAFT07
>> - Modifying section 13.4 Paragraph A) to clarify the resources recovery process: set conditions  under which a member could be given longer term  to effect the return of the resources. 
>> ------------------------------------------------------------------------------- End ---------------------------------------------------------------------------------
>> AAAA./
>> Le mar. 3 avr. 2018 à 07:51, Ernest Byaruhanga <ernest at <mailto:ernest at>> a écrit :
>> Hi Arnaud,
>>> On 31 Mar 2018, at 18:41, Arnaud AMELINA <amelnaud at <mailto:amelnaud at>> wrote:
>>> Dear PDWG,
>>> As you can see through the Lagos PPM minutes [1],  all  pending legal concerns  have been addressed. Last suggestion  received abiut removing categories in section 13.3.1( make the random selection applies to all members)  was  accepted by working group and  will reflect  in the next version  to come.
>>> While awaiting the new version, please send any new comments, suggestions you may have on the proposal [2]
>>> [1] <>
>>> [2] <>
>> Please send the new version well ahead of the recommended CPM 3.4.2 deadline to allow reasonable time for staff's assessment of the updated proposal.
>> Regards,
>> Ernest.
>> _______________________________________________
>> RPD mailing list
>> RPD at <mailto:RPD at>
>> <>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the RPD mailing list