<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On May 16, 2019, at 01:25 , Noah <<a href="mailto:noah@neo.co.tz" class="">noah@neo.co.tz</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><br class="Apple-interchange-newline"><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><div class="gmail_quote" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div dir="ltr" class="gmail_attr">On Thu, May 16, 2019 at 11:11 AM Owen DeLong <<a href="mailto:owen@delong.com" class="">owen@delong.com</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div style="overflow-wrap: break-word;" class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On May 16, 2019, at 00:53 , Noah <<a href="mailto:noah@neo.co.tz" target="_blank" class="">noah@neo.co.tz</a>> wrote:</div><br class="gmail-m_-6181883923348845342Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><br class=""></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 16, 2019 at 10:14 AM JORDI PALET MARTINEZ <<a href="mailto:jordi.palet@consulintel.es" target="_blank" class="">jordi.palet@consulintel.es</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div lang="ES" class=""><div class="gmail-m_-6181883923348845342gmail-m_-9089212464298194867WordSection1"><p class="MsoNormal"><span lang="EN-US" style="font-size: 12pt;" class="">And for that, a new policy was not needed.</span></p></div></div></blockquote></div><div class="gmail_quote"> </div><div class="gmail_quote">Ok, lets just "<b class="">assume</b>" that you don't need policy to address fraud. Then what is the purpose of section 12 of the ARIN (Number Resource Policy Manual) [1] ? <span class="Apple-converted-space"> </span><br class=""></div></div></div></div></div></div></div></div></blockquote><div class=""><br class=""></div>Section 12 was written to place limits on exactly what and how ARIN could conduct resource reviews against organizations in the ARIN region.</div><div class=""><br class=""></div><div class="">ARIN had virtually unlimited authority to do so prior to implementing section 12.</div><div class=""><br class=""></div><div class="">Notice that NRPM12 differs from the proposal under discussion here in a number of significant ways:</div><div class=""><br class=""></div><div class="">In no particular order, here are 5 of the most significant differences:</div><div class="">1.<span class="gmail-m_-6181883923348845342Apple-tab-span" style="white-space: pre-wrap;"> </span>The legal environment is very different</div><div class="">2.<span class="gmail-m_-6181883923348845342Apple-tab-span" style="white-space: pre-wrap;"> </span>The RSA is significantly different</div><div class="">3.<span class="gmail-m_-6181883923348845342Apple-tab-span" style="white-space: pre-wrap;"> </span>NRPM 12 does not require ARIN to make random audits</div><div class="">4.<span class="gmail-m_-6181883923348845342Apple-tab-span" style="white-space: pre-wrap;"> </span>NRPM 12 does not require ARIN to take action on complaints or to judge the voracity of complaints</div><div class=""><span class="gmail-m_-6181883923348845342Apple-tab-span" style="white-space: pre-wrap;"> </span>and go after organizations where ARIN cannot prove a lack of voracity.</div><div class="">5.<span class="gmail-m_-6181883923348845342Apple-tab-span" style="white-space: pre-wrap;"> </span>NRPM 12 gives ARIN staff significantly more discretion to be merciful in such reviews.</div></div></blockquote><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div style="overflow-wrap: break-word;" class=""><div class=""><br class=""></div><div class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class="gmail_quote"><div class="">Ooooh and If a member agreement is sufficient, then why is fraud addressed in ARIN number resource policy?</div></div></div></div></div></div></div></div></div></blockquote><div class=""><br class=""></div>It isn’t really. You are thinking that NRPM creates the authority for ARIN to audit. In reality, NRPM 12 was passed in order to limit ARIN’s authority and prevent abuse.</div><div class=""><br class=""></div></div></blockquote><div class=""><br class=""></div><div class="">Well, in the ARIN NRPM section 12 subsection 2b.... I read below hence the whole debate around the fraud case which ARIN just won in the USA courts.<br class=""> <br class="">2.ARIN may conduct such reviews:<br class="">b. whenever ARIN has reason to believe that the resources were originally obtained<span class="Apple-converted-space"> </span><b class="">fraudulently</b><span class="Apple-converted-space"> </span>or in contravention of existing policy, or<br class=""></div></div></div></blockquote><div><br class=""></div>Yes… NRPM 12 was written to limit ARIN’s ability to conduct such an audit to specific circumstances. Notice that random audits are NOT one of the criteria permitted.</div><div><br class=""></div><div>We put NRPM 12 together specifically so that ARIN couldn’t engage in costly audits at random and to put other reasonable limitations on their ability to audit in a disruptive manner.</div><div><br class=""></div><div>So, viewing this in historical context and having some knowledge of the authors’ motivations:</div><div><br class=""></div><div><a href="https://www.arin.net/vault/policy/proposals/2007_14.html" class="">https://www.arin.net/vault/policy/proposals/2007_14.html</a></div><div><p style="caret-color: rgb(34, 34, 34); color: rgb(34, 34, 34); font-family: "Open Sans", Helvetica, "Helvetica Neue", Arial; font-size: 16px;" class="">Draft Policy 2007-14<br class="">Resource Review Process<br class=""></p><p style="caret-color: rgb(34, 34, 34); color: rgb(34, 34, 34); font-family: "Open Sans", Helvetica, "Helvetica Neue", Arial; font-size: 16px;" class="">Author: Owen DeLong, Stephen Sprunk</p></div><div><br class=""></div><div>I say again that the goal of the AfirNIC proposal under discussion and the goal of 2007-14 which created NRPM 12 in the ARIN region are quite different, arguably diametrically opposed.</div><div><br class=""></div><div>I quote from the rationale submitted with the policy proposal:</div><div><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div><blockquote type="cite" class=""><p style="caret-color: rgb(34, 34, 34); color: rgb(34, 34, 34); font-family: "Open Sans", Helvetica, "Helvetica Neue", Arial; font-size: 16px;" class="">Rationale:</p></blockquote></div><div><blockquote type="cite" class=""><p style="caret-color: rgb(34, 34, 34); color: rgb(34, 34, 34); font-family: "Open Sans", Helvetica, "Helvetica Neue", Arial; font-size: 16px;" class="">Under current policy and existing RSAs, ARIN has an unlimited authority to audit or review a resource holder's utilization for compliance at any time and no requirement to communicate the results of any such review to the resource holder.</p></blockquote></div><div><blockquote type="cite" class=""><p style="caret-color: rgb(34, 34, 34); color: rgb(34, 34, 34); font-family: "Open Sans", Helvetica, "Helvetica Neue", Arial; font-size: 16px;" class="">This policy attempts to balance the needs of the community and the potential for abuse of process by ARIN in a way that better clarifies the purpose, scope, and capabilities of ARIN and codifies some appropriate protections for resource holders while still preserving the ability for ARIN to address cases of fraud and abuse on an expedited basis. </p></blockquote></div><div><blockquote type="cite" class=""><p style="caret-color: rgb(34, 34, 34); color: rgb(34, 34, 34); font-family: "Open Sans", Helvetica, "Helvetica Neue", Arial; font-size: 16px;" class="">The intended nature of the review is to be no more invasive than what usually happens when an organization applies for additional resources. Additionally, paragraph 2c prevents ARIN from doing excessive without-cause reviews. </p></blockquote></div><div><blockquote type="cite" class=""><p style="caret-color: rgb(34, 34, 34); color: rgb(34, 34, 34); font-family: "Open Sans", Helvetica, "Helvetica Neue", Arial; font-size: 16px;" class="">The authors believe that this update addresses the majority of the feedback received from the community to date and addresses most of the concerns expressed.</p></blockquote></div></blockquote><div><div class=""><p style="caret-color: rgb(34, 34, 34); color: rgb(34, 34, 34); font-family: "Open Sans", Helvetica, "Helvetica Neue", Arial; font-size: 16px;" class=""><br class=""></p></div></div><div><br class=""><blockquote type="cite" class=""><div class=""><div class="gmail_quote" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div style="overflow-wrap: break-word;" class=""><div class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class="gmail_quote"><div class="">And lastly, If I may ask, how would you compare the AfriNIC RSA against the ARIN RSA?</div></div></div></div></div></div></div></div></div></blockquote><div class=""><br class=""></div>I wouldn’t. They are quite different documents operating in very different legal traditions and legal environments. I will leave any such attempt at comparison to the lawyers. I have no interest in it.</div></div></blockquote><div class=""><br class=""></div><div class="">Yes we can leave it to the legal folk but I also agree that they are quite different with the ARIN RSA more defined in cases of fraud and non-compliance.<span class="Apple-converted-space"> </span><br class=""></div></div></div></blockquote><div><br class=""></div>Well, you are certainly free to suggest improvements to the AfriNIC RSA if you feel they are needed.</div><div><br class=""></div><div>Owen</div><div><br class=""></div></body></html>