> On Mar 23, 2023, at 05:41, IPXO Press via SIG-policy <[email protected]> wrote:
>
> Dear APNIC community,
>
> In a recently held meeting of APNIC in conjunction with APRICOT, the critical
> discussions were centered on the APNIC policy that does not accept IP leasing
> and has a questionable understanding of its necessity.

I think that the necessity of leasing is questionable, personally. While I don’t personally have a problem with leasing (independent of connectivity services) and think that it probably makes sense to permit leasing of IPv4 addresses independent of connectivity services, I do not think one can claim it is actually necessary. It is certainly profitable for certain organizations and likely provides some benefit to other organizations where the large capital outlay to obtain a block of IPv4 addresses would be challenging (or worse). However, at the end of the day, at best, leasing is yet another way to rearrange the IPv4 deck chairs on the Titanic Internet.

> APNIC allocates and assigns resources based on need, thus, prop-148 states
> ‘leasing is not allowed’ nor does it form a basis for further need.
> Additionally, it was noted during the meeting that any allocated IP addresses
> must be returned to APNIC if the LIR/ISP holding them ceases to provide
> internet connectivity services. The policy also stipulates that justification
> is needed for delegating addresses to customers.

This is almost a perfectly reasonable policy, IMHO. It may not be the best policy in the current circumstances. However, I think it is important (if such is to become policy) to distinguish between leasing with connectivity services (pretty much the standard practice for provider-assigned and/or provider-allocated and/or provider-aggregated spec for several decades) and leasing independent of connectivity services (e.g. services provided by Cloud Innovation/Larus, IPXO, et al.).

I believe that prop 148 seeks to clarify that the latter is against policy (which it already is, if one reads existing APNIC policy carefully, but if that is the policy intent of the community, then with some tweaks prop-148 would more clearly express that intent). If, on the other hand, the community seeks to now permit this form of leasing, then a different policy proposal is needed which clarifies that intent.

> In today’s rapidly evolving and cross-dimensional business environment, we,
> IPXO LLC, an all-in-one Internet Protocol platform, believe such policies are
> not aligned with current reality and business practices and should be
> addressed. We have a firm position that IP leasing should become a global
> market standard and provide reasoning to support this point of view.

Your firm position wouldn’t have anything to do with the fact that your business model depends on being legitimized through such a policy change in order to be generally acceptable within the region, would it?

Full disclosure, while I’m trying to present a neutral and accurate representation of both sides of this argument, I do routinely provide consulting services to organizations engaged in IPv4 address leasing independent of connectivity services.

> Differences among the RIRs
>
> IP leasing typically involves temporarily allowing a client to use an IP
> address for a defined period of time, in exchange for a rental fee, without
> transferring ownership or rights to the IP address. Interestingly, the
> legitimacy of leasing is viewed differently across various RIRs.

By your definition above, IP address leasing (v4 and v6) is permitted by ALL RIRs. However, the part you leave out is that your specific business involves providing such leases without providing associated connectivity services to deliver packets to the leased addresses. I believe it is exclusively this particular form of leasing which is controversial and is the issue being addressed here.

We should be careful to avoid using the generic term leasing as a shorthand for this particular form of address leasing because it would be easy to create policy with dramatic unintended consequences were we to create a restrictive policy around leasing which did not take into account the fact that traditional leasing (bundled with connectivity) is still leasing, regardless of the particular accounting details (whether it’s a separate per address or per block charge or whether it’s simply part of the connectivity bill).

> <snip (history and purpose of RIR differences>
>
> Justification process in question
>
> Out of the five global RIRs, the RIPE NCC could be considered the most
> progressive because it is in step with current industry developments and
> practices. For example, it has eliminated the justification process for
> transferring IPv4 address space. In other words, if you purchase IP resources
> from the RIPE NCC, you are not required to demonstrate your need or your
> intended plan for using these resources.

Progressive is one term one could use. Other terms that come to mind are permissive, laissez-faire, and a number of less charitable terms I will not repeat here. I would not hold RIPE-NCC up as the shining example of how policy should be modified in the rest of the world.

I’ll also note that RIPE’s relaxed “who cares?” policy attitude is generally limited to IPv4 and mostly does not extend to ASNs or IPv6 number resources which are still registered on a needs basis even in the RIPE region.

> However, it’s important to note that justification is still necessary if
> you’re on a waiting list to receive an IP address allocation. But if a
> company is buying IP space from another party, then there’s no need for that.
>
> When a company requires IP addresses and has already justified spending money
> on purchasing them, what additional justification do they need to provide for
> the transfer of ownership?
> After all, if the enterprise has already
> determined a legitimate business need for the addresses and is willing to pay
> for them, it seems reasonable that this would be sufficient enough for the
> RIR to approve the transfer.

Most of the policies regarding needs testing for transferred resources are intended to prevent or limit speculative transactions intended to distort the market and artificially raise prices to legitimate users of the addresses.

Given the limited (and ever smaller) amount of IPv4 space currently available, it is not hard to imagine a scenario where a company could make the decision that it makes sense to bet on the price increasing rapidly over some period of time. Said company could improve the odds by purchasing as much address space as possible and then selling it slowly (a la OPEC) to keep the prices artificially high. This would increase fragmentation in the routing table as well as creating a burdensome hardship on other organizations while offering no benefit to anyone other than the company engaged in the speculation.

I will also note that APNIC was actually the first RIR to attempt to abandon needs testing on transferred resources. They rolled that policy back during the efforts to build an inter-RIR transfer structure in the relatively early days of specified transfers. This was, in part, due to pressures from the ARIN region which specified that transfers would only be permitted to/from RIRs which had a compatible needs-based policy.

But all of this is a digression from the topic at hand… Leasing without Connectivity. (Perhaps we need to construct a shorthand for this to permit a specific term that is less verbose). I propose Connectivity Independent Leasing (CIL) and will use that in the rest of this message.

> IPv4 addresses in an evolving market
>
> As policies were developed alongside the emergence of RIRs, each RIR has the
> ability to respond to changes in the market, since the community is actively
> involved in solving address policy issues based on evolving business needs
> and opportunities.
>
> The ever-evolving internet market has seen a shift towards IPv4 addresses in
> some ways resembling a commodity. Despite APNIC policy requirements, there
> does not seem to be a rush to return unallocated IP addresses. Keeping
> accurate records should be the focus rather than dictating a ‘good’ or ‘bad’
> business use of the resources.

To some extent, this is a self-fulfilling prophecy… RIPE-NCC adopted a more permissive policy, so organizations (that have the option) that want a more permissive policy have gravitated towards APNIC.

Further, the moment the RIRs created any permission to put a monetary value on number resources, it virtually guaranteed that the number of free, voluntary returns would dwindle. Despite this fact, there are still relatively significant returns continuing to occur on a daily basis.

Keeping accurate records is certainly vital, but what does it mean to have an accurate record? IMHO, an accurate record means that the RIR data clearly shows who the legitimate registrant of the block is. Presumably that entity has the business relationship with the RIR and pays any associated annual (or other) fees associated with said number resources. Assignment of those rights is a contractual matter and the RIR has (IMHO) reasonable rights to control how and when such assignments of rights are permitted under the contract (just as a landlord has the right to control or even prohibit subletting).
An assignment of rights effectuated outside of the contractual agreement between the rights holder and the RIR does not mean that the RIR records are inaccurate, it means that the rights holder has conducted business in bad faith and has violated their agreement with the RIR.

NOTE: I am not making any value judgments here of what subletting policies any RIR should or should not adopt, but I am pointing out that the “people will do this anyway, so accuracy dictates that we should eliminate policy” argument doesn’t go very far to convince me of anything.

> When looking at the structure of RIRs, they are the authorities of the
> registration databases of IP address resources. From this perspective, RIRs
> should limit themselves to managing registration and allow the market to
> determine how and to whom IP resources are allocated. Registering these
> resources should remain paramount to a stable and secure RIR system.

RIRs are also community based organizations that provide a forum to allow the stakeholders to involve themselves in decisions of how the registry should be run. RIRs are not bodies independent of their members, they are bodies made up of their members and of their community members. In this way, RIRs were established with the intent of providing a certain form of industry and market self-regulation.

As such, no, managing registration should not be the limit of the mandate of RIRs unless there is consensus among the RIR’s community to eliminate other regulation and controls of the registry processes. I do not favor such a broad, sweeping change to the current RIR management of the registry system.

> Although it is essential to consider security measures to prevent IP address
> hijacking, the reality is that IPv4 addresses are being treated as valuable
> assets that can be transferred within the market.
> Therefore, it is necessary
> to strike a balance between ensuring security and proper registration and
> allowing the market to evolve as it has over the past decades.

Proper registration is just that… Registration of the address rights holder according to RIR policies. Therefore, unless an RIR is violating its own policies, proper registration is occurring. The transfer of rights outside of the RIR policies is most likely a contract violation and an act of bad faith on the part of the registered rights holder (unless it is being done without the knowledge of the rights holder, in which case, it’s hijacking pure and simple).

> Risks and benefits of leasing

I think you mean risks and benefits of CIL and will proceed on that assumption.

> When considering the risks and benefits of IP leasing, it is important to be
> aware of potential risks such as abuse observability, rDNS record validation,
> ASN blocklists, dubious/malicious actors, and IP hijacking.

These are not at risk so long as transfers are recorded per RIR policy. Again, transfers outside of policy are only a risk in so far as either a hijacking or a contract violation by the registered rights holder. As such, I do not find these risks persuasive in this argument. IMHO, these risks are neither amplified nor reduced by general leasing as practiced today and CIL done properly is no different.

> However, if these risks are properly attended to and, where possible,
> mitigated, we believe that they are heavily outweighed by the many benefits
> of leasing, including instant provisioning, no CAPEX requirement, more
> accurate WHOIS information, making use of legacy space, RPKI adoption,
> availability of more IPv4 addresses in a more constricted market, and
> ultimately extra revenue for all parties involved.

I’m not sure that instant provisioning is necessarily a benefit to the community as a whole, though I do understand that it is desirable for some.
(Abuse of various forms is especially fond of rapid provisioning).

As noted above, this will not improve the accuracy of WHOIS. It will merely broaden the nature of transactions which can be recorded in whois. Transactions occurring outside of policy do not make whois inaccurate, they make the transaction invalid.

> IP leasing creates a new opportunity for IP sharing and incentive building
> for IP holders. However, it is essential to consider proper and diligent KYC
> processes and abuse observability to prevent misuse. RIRs have the option of
> IP allocation that could be developed further by combining functions related
> to RPKI and delegation. A more coordinated technical approach is needed
> within the RIRs to ensure greater flexibility in the use of IP space.

In theory, the RIR capabilities with RPKI (if fully deployed) would already prevent such illegitimate transactions from occurring. The problem is that at best, RPKI is an incomplete solution. Further, since it is likely that IPv4 will be long since retired from the backbone of the internet well before it becomes safe to reject RPKI unknowns (due to the very large number of networks that have not (or will not) implement RPKI).

> Automating IP address provisioning and extending RPKI capabilities can lead
> to a more accurate WHOIS, acknowledging that IP leasing is a tool that
> requires further development. Establishing an ecosystem that meets common
> abuse observability standards and proactively prevents abuse is also
> significant. While abuse observability is not complex, there is a lack of
> specific understanding and possibly basic knowledge on how to avoid it.

Automating IP address provisioning removes critical human checks and balances from the system and not only doesn’t improve WHOIS accuracy, it degrades abuse observability and increases the likelihood of fraud and abuse.
I would argue that there is too much knowledge floating around about how to avoid abuse observability and that the abusers have become quite good at it for the most part. Snowshoe spamming is one such example, and automated and high speed provisioning can only increase this form of abuse.

Even if we are to allow CIL as a valid mechanism under RIR policy, IMHO, it should be done in such a way as to safeguard against instant and/or automated provisioning and with sufficient oversight and consequences to resource holders acting in bad faith as to provide strong anti-abuse incentives.

I actually do favor CIL under very limited circumstances, but I thoroughly oppose automated and/or instant provisioning or the elimination of the majority of the existing policy body.

> IP lease as an ecosystem
>
> To effectively lease IP space, it is crucial to understand the participants
> in the ecosystem. It would be beneficial to promote standard practices to
> ensure that good actors are distinguished from bad actors.

Sure… The problem is that bad actors have become pretty good at another technology, known as a “disguise”. Bad actors are generally willing to say whatever fraudulent thing gets them through the process as long as they don’t have to put too much skin into the game that is at risk if they are caught/discovered.

> For example, IPXO, an all-in-one Internet Protocol platform, conducts
> business risk profiling to identify trends based on a company’s internet
> presence, aiming to combat IP abuse and prioritize customer quality. IPXO
> also has other processes that help prevent misuse and halt it as soon as it
> occurs.

How, exactly, does this affect a new completely unknown company attempting to utilize your platform?
If you aren’t rejecting new companies, then all the rest is largely irrelevant as the ≤$100 cost of creating a Delaware corporation and ≤€10/month cost of a BGP-capable virtual host in the RIPE region already make it pretty easy for abusers to look like legitimate organizations without much effort.

> RIPE NCC is at the forefront of this development among the RIRs. RIPE NCC
> emphasizes the importance of maintaining a well-kept registry and ecosystem,
> regardless of how the IP addresses are being used.

RIPE NCC is the shining example of why RIRs should not be in a rush to eliminate policy in favor of economics and how unregulated capitalism leads to unmitigatable problems. While I personally believe that CIL is generally something that should probably be permitted, I think a cautious and well regulated approach to it is warranted and that the RIPE laissez-faire approach is not to be emulated, lest we multiply the problems already seen in the RIPE region.

> Given the limited availability of IPv4 addresses, viewing IP leasing as a
> valid justification for obtaining additional resources may be worthwhile.
> Optimizing their usage instead of leaving them unused also encourages the
> development of new automation solutions and more accurate WHOIS records if
> the community adopts and supports standard practices. Furthermore, promoting
> the adoption of IP leasing practices could help improve the functionality of
> IPv4 in the internet ecosystem as we slowly move towards IPv6.

The real solution to IPv4 scarcity is, of course, accelerating the transition to IPv6. At this point, a relatively small number of content laggards are preventing eyeball networks from deprecating IPv4.
A somewhat larger number of eyeball networks are currently forcing content providers to maintain IPv4, but as most of the major eyeball providers are already providing IPv6 capabilities to their customers, the time is approaching when content providers will be able to abandon customers of those remaining eyeball networks that haven’t managed to get on the bandwagon.

That said, it does make sense, IMHO, to have some level of CIL available as a mechanism for entities that are not well capitalized to obtain addresses. OTOH, there needs to be some mechanism that limits the rent seeking behavior of those holding addresses for lease, such that it is not allowed to distort the purchase market and does not artificially raise the price of IPv4 resources to the detriment of said entities.

Owen
