
[rpd] Policy Compliance Dashboard - AFPUB-2020-GEN-001-DRAFT01

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Fri Sep 11 09:06:17 UTC 2020


Thanks Gaby!



As I just mentioned in a previous email, we need to understand that even if we all believe that a proposal is “perfect”, this is never true, but the PDP is there precisely to keep improving and adapt to changes.



Also, some proposals take time to implement, and this is one of them (it will need to be implemented in phases, with different “sets” of automation levels). And during the implementation, the staff and the community will be able to report “guys we overlooked this and that, let’s improve it”. But we need a starting point!



I can tell you a history about a recent policy that I proposed in APNIC and reached consensus a couple of years ago (on the first version!). This is equivalent to the AFRINIC proposal “Abuse Contact Policy Update”. Together with the policy (not as part of the policy text), I provided an example of a validation procedure. The staff didn’t follow my approach, which was developed to avoid “click on a link which can be phishing, or whatever, so a security issue”. Guess what? In yesterday’s meeting, after the policy has been implemented and it proved that 87.5% of the abuse-c contacts were right (amazing!), the staff reported complaints from some members about “click the link” … of course, it should not be necessary to update the policy, it is rather an internal procedure to be improved by the staff. However this history confirms that policies aren’t perfect and always can be improved and you know, the advantage is that in this specific case, the AFRINIC version for that proposal is version 6, which has been edited according to discussions in all the other RIRs. So yes, we are late with that policy, but the text is taking advantage of the implementations in other regions, and still I’m sure it is not perfect! We can always improve based on experience!



If you want to read all the details, here is the video from APNIC, and my email to resolve it:

https://www.youtube.com/watch?v=8_NnXDA6P24&t=1424s

https://mailman.apnic.net/mailing-lists/sig-policy/archive/current/msg00004.html





Regards,

Jordi

@jordipalet







On 10/9/20 16:38, "Gaby Giner" <gabyginernetwork at gmail.com> wrote:



Hi Jordi and Sylvain,



Thank you for enlightening me on my concerns about this policy. I did have my reservations about this policy because I thought it would be redundant, but upon your explanation and further examination of the links Sylvain has provided, you are merely strengthening the current system and not creating double sets of rules that could create confusion.



As I have said, I find it admirable that your policy will provide an automated alert if ever a member has violated the rules AFRINIC has set in place. This would lessen the instances where a member could claim ignorance or forgetfulness when they violate policies.



As for the prescriptiveness of the policy, what I meant was that I agree with Gregoire when he said "less prescriptive to avoid undue interpretations", because I do believe that even for any other policy, too much prescriptiveness is stifling and rather dictatorial. As for my evaluation of the policy (unless I missed other implications), you have already answered the prescriptiveness issue via your previous email.


Sincerely, Gabrielle.





On Wed, Sep 9, 2020 at 6:52 PM JORDI PALET MARTINEZ via RPD <rpd at afrinic.net> wrote:

Hi Gaby,



As I just responded in a previous email, the actual RSA is too loose, and at the same time too strict. If the staff decides to apply it to the letter, they have the right to do so, and an involuntary mistake will mean your account is cancelled and resources recovered. I don’t think this could happen easily, but we need to make sure it doesn’t happen.



AFRINIC also needs to offer services that help the members, and that includes ensuring that they follow the policy changes and get alerted if something is not going well for a member. We all know how busy we are with daily operations, and yes, following the policy process is your obligation, but setting automated tools that alert when you missed something is the right way to see if a member is a good guy and just made a mistake (we all can do it), or it is persistently acting “bad”.



The proposal is precisely setting better limits for that to work correctly in both directions, guiding the staff to ensure they do the right thing with bad members and protecting the good members, with the tools to save cost, as much as possible, with automation.



There is no clash created by this proposal; it is just reinforcing what we have and clearly stating how to behave in each direction.



If you can suggest alternative text, on what you think is too prescriptive, we will be happy to consider it, of course.



Regards,

Jordi

@jordipalet







On 27/8/20 15:39, "Gaby Giner" <gabyginernetwork at gmail.com> wrote:



Dear Jordi,



I think that you have created a policy to police those who are in flagrante delicto with their violations, and it is admirable. However, I have to support strengthening our current system instead of creating another set of rules that are essentially, at its core, identical to what the AFRINIC board is doing/should be doing. You have responded to this criticism by saying that many members are not following PDP at all, and that this dashboard automates notification in case of violations.



Why not give this power to the staff or board itself? As Mike has said, the board currently does not have an operational capacity or role, and it is the current role of the staff to do this. Instead of creating another whole set of rules, we can just add to the current and working one. Furthermore, creating another entire set of policies for this might be problematic down the line because it may clash with the original guidelines or other related documents. Instead of having ONE governing system where AFRINIC’s board and staff are monitoring violations, we would have two different policies/procedures that could be conflicting and honestly confusing.



Additionally, I support Gregoire when he said that this policy needs to be less prescriptive when it comes to interpretations. Flexibility for AFRINIC, especially in exceptionable conditions, is essential because we can never predict with 100% accuracy what can happen in the future.



Thank you.

_______________________________________________ RPD mailing list RPD at afrinic.net https://lists.afrinic.net/mailman/listinfo/rpd


**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
