Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] Policy Compliance Dashboard - AFPUB-2020-GEN-001-DRAFT01

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Mon Sep 14 07:31:18 UTC 2020


Hi Ibeanusi,



I don’t want to repeat myself in the same arguments, so very short. This proposal is doing what you ask for “strengthening and improving the actual systems”. The policy is clear: nobody needs to check the dashboard, it is just a way to visualize it, but note the only one, because automated alerts are generated.



Exceptionalities are required, otherwise, what you do it a country suddenly can’t pay the bills because a pandemic or war? According to the RSA, the resources will then be recovered, and this can’t be reverted. Do you want to add pain to that country closing down the Internet? The board is taking those decisions according to this proposal, is the right thing to do.



Everything should be automated as much as possible, but this doesn't mean that the relevant actions in case of continuous policy violations are also automated. They need to be considered by humans, not automation. So, what the policy solves is the “verification” part.



Regards,

Jordi

@jordipalet







El 13/9/20 17:38, "Ibeanusi Elvis" <ibeanusielvis at gmail.com> escribió:



Hello,



Concerning this proposal on Policy Compliance Dashboard, I concur to the ideology that instead of reinventing or conjuring up a new policy, strengthening and improving on what is already in existence and functional is a better and affordable alternative. Likewise, there are no guarantees that this policy compliance dashboard will be checked regularly. In addition, the provision of exceptionalities can become a loophole that members can utilize to justify their issues of non-compliance with the AFRINIC policies especially in the African region where instability of government seems to be a recurrent issue with some countries.



Also, exceptionalities like civil wars and pandemic are unpredictable. Similarly, if everything should be automated as much as possible, why will there be an initiation of an exhaustive investigation on the lack of compliance when the automation is supposed to handle it. Strengthening the staff to carry out this exhaustive investigation from the get go is better. I propose we modify and reinforce the functional system than waste resources, time and unnecessary workforce on making an automated model of what we have.



Best regards,

Ibeanusi Elvis .C.



On Sun, Sep 13, 2020 at 5:39 PM JORDI PALET MARTINEZ via RPD <rpd at afrinic.net> wrote:

Hi Greg,



We shall remember that the impact analysis is the initial interpretation from the staff, not necessarily the correct one. Sometimes, it becomes clear once the policy is presented and reach consensus, either thru new versions if there are unrefuted objections, or via editorial changes or just clarifications.



In this specific case, the proposal is not saying anything about “Any new policy proposals that will be proposed shall also indicate clearly any elements of non-compliance that shall then be incorporated in the dashboard”, because this is NOT needed.



If any text in the CPM says “you can’t do x” and you to otherwise, clearly there is a policy violation. The proposed policy indicates to the staff “please, whenever possible, try to automate that x is automatically verified”. The text is NOT saying at all “every policy should state what needs to go into the dashboard”. This is left to the operational decisions of the staff, so NO, there is no list to maintain also because in section 2, we have this “The dashboard automation will need to be accommodated along CPM evolves thru the PDP, in order to display new details.”



I hope all that is clearer?



Regards,

Jordi

@jordipalet







El 12/9/20 22:13, "Gregoire EHOUMI" <gregoire.ehoumi at yahoo.fr> escribió:



Hi Jordi,


As you can see in the staff analysis, I quote “ Any new policy proposals that will be proposed shall also indicate clearly any elements of non-compliance that shall then be incorporated in the dashboard.”

The “such as” list in Section 3(2) Policy Compliance Dashboard, become a list to maintain.

What I meant by “policy context evolution over time” is to not try to prescribe the non-compliance scenario the dashboard shall apply to as the context evolves.
Non-compliance shall follow application policies and RSA


Thanks,
--Greg





-------- Original message --------

From: JORDI PALET MARTINEZ via RPD <rpd at afrinic.net>

Date: 2020-09-09 6:43 a.m. (GMT-05:00)

To: rpd at afrinic.net

Subject: Re: [rpd] Policy Compliance Dashboard - AFPUB-2020-GEN-001-DRAFT01



Hi Gregoire,



Let’s see the analysis impact to understand if it is too much prescriptive, I don’t think so.



Policies always have impact on operations, this is normal. We don’t want to define up to the last letter of the procedures, just goals, and I think the actual text of the proposal is doing well on that direction, and at the same time protecting the community against bad practices or to restrictive interpretations of the staff of the RSA. Remember that according the RSA, if you fail, even by mistake, you lose. This is not right, it must be, in general, a persistent failure to comply with policies.



I don’t understand your last point “allow the compliance to apply to policy context evolution over time”. I think this is precisely what we are doing with the actual text. May be there is something that needs to be reworded to make it more clear?



Regards,

Jordi







El 27/8/20 6:04, "Gregoire EHOUMI" <gregoire.ehoumi at yahoo.fr> escribió:



Thanks Jordi for the responses.



Let not miss the essences of my comments which are :



- let staff do what fall under operation



- be less prescriptive to avoid interpretations and give AFRINIC the flexibility to take necessary actions when appropriate



- allow the compliance to apply to policy context evolution over time.





—Greg





On Aug 26, 2020, at 5:00 PM, JORDI PALET MARTINEZ via RPD <rpd at afrinic.net> wrote:



Hi Gregoire,



Sorry, totally missed this email. I could not find it in my inbox, don’t know the reason …



Tks for your inputs and see my responses below, in-line as [Jordi].



Regards,

Jordi

@jordipalet







El 26/8/20 22:11, "gregoire.ehoumi" <gregoire.ehoumi at yahoo.fr> escribió:



Hello Jordi and co-authors,



See my email below, in case you missed it.



Best regards,

— Greg



On Aug 12, 2020, at 3:32 PM, Gregoire EHOUMI via RPD <rpd at afrinic.net> wrote:



Jordi and team,

Thanks for putting together this proposal. Review of usage of distributed resources is an important instrument to assess how we collectively assume the responsibilities associated to the right to use the numbers. It also helps assess effectiveness of our policies and ease their evolution.

Below are few questions to help clarify some aspects and improve the proposal.

1- ######
Section 2 Summary of how this proposal addresses the problem

“Considering the exhaustion of IPv4, recovered/returned IPv4 resources are placed at the end of the actual pool. However, other resources are quarantined for a period of 2 years. This way, the staff can take measures to ensure that all the resources are as clean as possible, before being allocated/assigned again.”
#####
why no provision for quarantine and clean of v4?

[Jordi] We have no more IPv4 resources. If we set a quarantine period in the policy, it will be mandatory and people willing to receive them need to wait, or we need to send a policy proposal to change it again. At the moment there is already an internal procedure that does that. The internal procedure could be modified if needed. The policy text needs more time to achieve the same. Why you want to quarantine resources that may be “clean” or “needed even if not 100% clean”?


2- ######
Section 3(2) Policy Compliance Dashboard

“Contractual obligations (such as status of payments or documents).
Lack of response from the member.
Unused or unannounced resources (where mandatory).
Unavailable or outdated Whois information.
Lack of maintenance of the reverse delegation.
Forbidden sub-assignments (from PI assignments).
Unauthorized transfers.
Tracking of repeated and/or continued policy violations.”
######

How is list on compliance measures evolved? Is it that every new policy specify dashboard impact and what to measure in order to assess compliance?

[Jordi] The list is “such as”, so just examples of what we believe are the starting points. But the dashboard proposal sets only the framework, so the staff can do the same with every possible CPM/RSA aspect that can be automated.


3- ######
3(3) Notifications

“The dashboard will automatically send notifications of the status of compliance to members, after each review or dashboard update. “
######
With what periodicity are members reviewed?

[Jordi] Being automated, the idea is that it is “continuously run”. It is difficult to set specific periodicity, because it may take just hours to check “again” if resources are announced (an example), vs another different “test” that may need weeks to re-check the status of all the members. There may be operational decisions, such as “even if we can test this every week, do we really need to do at that speed” (AFRINIC DC bandwidth, members bandwidth, computational and power resources, etc.).


4- ######
3(4) Lack of Compliance

“AFRINIC will be able to initiate a more exhaustive investigation and take further actions, according to the RSA, when there is evidence suggesting that there is a lack of compliance. “
######

This should not overrule Afrinic right to investigate and take action under RSA at anytime

[Jordi] And is not the case. RSA is *on top* of CPM when relates to member obligations. However, the CPM can reinforce the compliance with the RSA.


5- ######
3(5) Service Withholding, Revocation or Member Closure

“Unauthorized transfers, lack of payment or document fraud, once confirmed, will be cause of the revocation of the services and member closure. “
######

Are these the only conditions for revocation? What about other provisions in RSA eg fraud, misrepresentation, abuse or other acts contrary to RSA etc?

[Jordi] As said above. RSA is *on top*. This is not changing the RSA. We, considered that those are key aspects that should be protected by the community (via the CPM) in case the RSA is not doing that already.


6- ######

“f. All other provisions specified in the RSA and Bylaws will apply.”

######
Why other provisions only? Should be all provisions apply as Afrinic should not loose any of its powers in RSA and bylaws

[Jordi] This is an informative/clarifying text, we could even omit it and the result is the same. Even if we don’t say that, when a member signs the RSA, is being obligated by the bylaws, and the RSA, and *anything* indicated in those documents. Those “other documents”, can changed over the time, as that is a board/membership decision and the CPM is not affected by that. If we have an explicit mention of other document in the policy, it may become “broken” if “other documents” change.


7- ######
3(9) Use of Recovered or Returned Resources

“IPv4 resources will be incorporated at the “end” of the pool in force at the time of the recovery or return, for use in the order in which they have been added to that pool. “
######

Why treating v4 resources differently and prescribing a queuing policy? Is this not better to leave to staff to manage?

[Jordi] As said before, this leaves to the staff to manage it, but I think, it is obvious that it should be re-used, as they are recovered (you recover, clean if needed, quarantine if needed, put them back into the appropriate pool). See the mention of RFC7020 which allows that staff to adapt this if needed.


8- ######
“The IPv6 and ASN resources will be incorporated into their respective pools, after 2 years of their recovery or return. “
######

Why 2 years quarantine for v6 and a queuing policy for v4?

[Jordi] Because there is no lack of ASN and IPv6 resources. So, it is the easier way to handle it. However see the mention of RFC7020 section 2, that allows the staff …


9- ######
section 3(6)..
"When the revocation of resources involves essential strategic infrastructure that is necessary for the operation of the Internet in the region, or in exceptional situations such as natural disasters or political instability, the AFRINIC Board may extend the resource revocation period"
######

What is the definition of “essential strategic infrastructure” ? How long may the board extend the revocation period? And what actions the parties must take during this period?

As for the exceptional situations, can we leave them to be handled by staff as they deal with in normal operation?

[Jordi] I understand that those strategic infrastructures are well defined (ccTLDs, IXPs, etc.). We believe that is better not to try to redefine it, and leave to the board. Otherwise we enter into a discussion nightmare about how much time, what is strategic and what not, etc. In every exceptional situation, because it is exceptional, need to be considered by the board. The staff will suggest the board what to do, but it should be up to the membership representation (the board) to formally decide on that.


HTH

- Greg





-------- Original message --------

From: JORDI PALET MARTINEZ via RPD <rpd at afrinic.net>

Date: 2020-08-05 5:58 a.m. (GMT-05:00)

To: rpd at afrinic.net

Subject: [rpd] Policy Compliance Dashboard - AFPUB-2020-GEN-001-DRAFT01



Hi all,

I will like to know if anyone has any inputs for the proposal "Policy Compliance Dashboard" (Draft1) - AFPUB-2020-GEN-001-DRAFT01.

https://www.afrinic.net/policy/proposals/2020-gen-001-d1#proposal

It will be also good to get at least, a draft impact analysis from the staff. Even if it is not a complete/formal one it will be fine, just the key points/issues that they want to consider, if any.

It is not nice to get issues presented the same day that we should reach consensus, when we have the opportunity, several weeks ahead, to resolve them!

Those inputs, could be used to improve this version if we get them during this week or early next one, so we have an updated version to be presented in the on-line PPM.

So please, provide your comments.

Tks!

Regards,
Jordi
@jordipalet





**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.




_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd

_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd




**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd




**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20200914/07d58d8f/attachment-0001.html>


More information about the RPD mailing list