Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] AFPUB-2020-GEN-001-DRAFT01 - Policy Compliance Dashboard

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Wed Sep 30 21:01:35 UTC 2020


Below, in-line.



Regards,

Jordi

@jordipalet







El 30/9/20 22:26, "Ekaterina Kalugina" <kay.k.prof at gmail.com> escribió:



Dear JORDI, dear all,

Please see my comments in line:





On Wed, 30 Sep 2020, 13:43 JORDI PALET MARTINEZ via RPD <rpd at afrinic.net> wrote:

Hi AK, Moses, all,



I will like you to reconsider your decision on this proposal, following CPM 3.5, on the grounds of my responses below, which have already been provided thru previous discussions and I don’t think any of those are valid-objections to the proposal.



See my points below, in-line.



Regards,

Jordi

@jordipalet

5. Policy Compliance Dashboard

The policy proposal seeks to provide a framework or a policy compliance dashboard be developed by AFRINIC and incorporated in myAFRINIC (and future member’s communication platforms). It will allow a periodic review of the policy compliance status of each member. It will also enable members to receive automated notifications for any issue. Staff will receive repeated warnings of lack of compliance or severe violations enshrined in the CPM. However, there are several oppositions to this proposal, such as:

a. This policy seems to be redundant of the status quo as violations are already checked and processed by the human staff.



That's the key human vs. automation. Human verification is costly and inefficient if it can be automated.



Yes, I agree that generally automation is more efficient. However, in our case we must ask ourselves whether it will be more efficient in the case of AFRINIC. I understand that through this policy notifications will be automated but who will be reviewing the compliance status of each member? This work will still be done by the staff. So the question here is would the resources invested in this policy be worth a few automated emails?



Nobody – that’s the automation. Only in case of lack of compliance will be reported to staff. So the staff will only review those cases.



In addition, it is much easier to dismiss automated emails than those coming from a real human being. There is no guarantee that these alerts won't be simply disregarded.



No difference. If and operator is failing in something both the operator and the staff get the alert. The automation can even include an automated “time-out to respond” re-alert so if the operator doesn’t respond within that deadline (and even the automation can re-check if the problem has been resolved then clear the alert to the staff), only then report to the staff. All those are  implementations details to be decided by the staff, we shouldn’t enter into  that, unless they do a terrible job (then we could come back with more details, hopefully not).





b. There is already an existing system of guidelines on keeping track of the violations of members.



The RSA and bylaws have generic provisions. There is nothing against the power of the community to make those more clearly stated. Furthermore this will protect the members against a mistake, which according to the legal bindings today, can call for an immediate resource reclamation.



I am wondering whether there are already precedents of such issue. As far as I understand staff notifies the resource holder in case there are any violations. So how would this policy make a difference?



Right now, the staff need to follow manually. Note the difference. The staff can check one (or a few) member compliance at a time. Automation can do all in few hours. Clearly this is unfair (one or a few) vs the others.





c. The policy is not binding and does not enforce members actually to follow the rules and not violate policies.



All the policies are binding for all the members. This is clearly stated in the legal documents.



Yet, there is no mechanism to ensure that members will actuality check the dashboard.



Again, that why the alerts are sent by email. If you ignore them, that’s a different issue. You will be also ignoring manual emails from staff.





d. Ignorance could be a convenient excuse for violations because one could claim that they never got notified about their violations.



On the other way around, this is the actual status quo. This policy ensures that ignorance can’t be used as an excuse, because it will send alerts and show them also in the member account GUI.



e. There is no comprehensive system on how the board should take proper actions once members violate policies, nor does it give guidelines based on the severity of the violations.



This is on purpose. There are different severity levels, and this even may depend on circumstances, so it is up to the operational details of the implementation, to better detail it, which can be done in consultancy with the community. If the community think the staff is not doing that correctly, then a new proposal can be submitted, but with this proposal we have a starting point at least. Trying to agree on if making a mistake on this or that part of the CPM is more or less severe than doing 3 times wrong this or that, will be and endless discussion and too operational.



This is interesting because when discussing resource transfer policy you stated, and I quote:

"Now, regarding the point on “we can get this policy working” and then resolve the issues with another proposal … I will love to believe in that, but I’m every day more and more convinced that this will not happen. If we don’t get it right (or almost right on the first shot), we will not agree in 1 year to resolve it."



When it comes to your own policy you are open to passing it and then amending it later as necessary. But when it concerns the policy proposed by someone else, this is one of your main counter arguments. Doesn't this seem to be a little of a double standard?



No absolutely not. There is a difference that you didn’t mention. In the other case we are changing the actual policy to go backwards. In this case is to move forward. Also, I trust the staff will do it right *this is always* my starting point and it should be that way. And finally, even if difficult, I’m sure we can agree easily if the staff present us a very well developed plan and we just say yes or not (may be provide some suggestions), vs  just discussing ourselves (endless discussion).



Also, I understand your point on giving AFRINIC staff the freedom to decide the severity of each violation. However, I think if we were to ever pass this policy it AT LEAST has to include a set guidelines for the appropriate procedure that is to be followed by the board when such violations occur. Otherwise we could be stuck in a situation where violations take place, and no one is really sure what to do about it. And since the decision making process of the community can take months, I fail to see how this is in any way effective or efficient.



Well, how do you think the staff is doing now? By being silent on that, we allow the staff to keep doing the same way. If they believe that a single mistake is fine, even 2 or 3 times the same mistake, but not 10. I’m just fine with their decision *unless* it proves that is a non-sense and creating troubles. At the time being, I’ve not seen that.





f. This policy takes away resources that could be used for more beneficial pursuits to AFRINIC for something existing in the system.



On the other way around. It is clear that automation *saves* resources. The policy doesn’t state *how* or *when* it should be implemented, and it is just fine that the staff defines what parts of the CPM are implemented when and in what order, depending on the availability of the human resources unless the board decides that this is key and should be implemented faster.



Again, without a thorough cost benefit analysis, any claims of whether or not this would save AFRINIC resources in the long term are completely groundless. However, it IS obvious that in the short term implementating this policy will be a great financial burden.



I’ve said this before. This is something that the staff should said. There are dozens of ways to implement this, even using students, etc. I’ve seen that already before in RIRs. However, the *cost* of a proposal implementation is not (because there are many choices as well), a valid objection because this is *the work of the board* in order to ratify a proposal. If the cost/benefit balance is against the membership, then the board could say so and return the proposal to the table.





g. It an administrative process, and this should be left to staff

Is not. The community has the right to ensure that the policy compliance is monitored in a way that, because it is automated, doesn’t make a difference in how much time the staff has to do that manually and then do it faster for some resource holders than others. Automation makes it quick (no difference among resource holders), human means you do it for each resource holder “when you can”. Trying to make this in a way that is fair for all members by humans, will mean having almost as many staff human resources for each “validation” pass as resource holders. It will also mean that you do a reduced number of “passes” per year, while automation means you can do it every week or month.

In my view, maintaining policy compliance is a purely operational issue that is outside the scope of the PDP. The policies should only focus on HOW the resources are distributed and not on whether or not members follow these policies.



The point is that the community is empowered to decide what they want to do or not and it has been proven by the millions of IPv4 addresses hijacked, that the previous manual checks were not sufficient. So the community has the right to ensure that something better is done.



I understand where you are coming from in regards to proposing this policy. But I really think it requires way more assessment, review, and discussion to determine if it is really necessary and whether or not it is actually in the scope of the PDP.



Best,



Ekaterina



Chairs Decision: NO rough Consensus


**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20200930/ec5dcaca/attachment-0001.html>


More information about the RPD mailing list