Policy Compliance Dashboard (Draft1 | Expired)
Details
ID: | AFPUB-2020-GEN-001-DRAFT01 |
Date Submitted: | 17th February 2020 |
Author: | |
Version: | 1.0 |
Status | Expired |
Amends: | CPM (new section) |
Proposal
1. Summary of the problem being addressed by this proposal
The AFRINIC RSA mandates members to comply with the AFRINIC policies developed via the PDP.
Section 4.c of the RSA states the irrevocable commitment of the member for using the services for the purpose for which it was requested and in full unreserved compliance with AFRINIC policies.
This is of key importance, because a member not following the policies may be impacted in the evaluation of future requests by AFRINIC, the revocation of the services or even the closure of the member (section 4.b.iii).
Just to be clear, “services” are defined in the RSA, under section 1.c, and those include number resources, among others. So, for a member that is not following the PDP process and CPM changes, the impact may be catastrophic for its business.
The PDP is continuously updating the CPM, and it is obvious that some members may not be following, up to date, all the details and possible impact in their services/resources, while the RSA states that AFRINIC, at its own discretion, can investigate the use of the services.
Consequently, members should be protected against this situation, in a simple manner that allows them to know their up to date policy compliance, get alerts about the lack of compliance and consequently react to address those.
At the same time, the RSA doesn’t state a specific procedure to resolve the situation with members, and facilitate them the actual compliance, neither if they should get a specific time or opportunities to resolve the situation, in a fair way to all the members, instead of taking irreversible decisions at the first occasion of any policy violation.
There should be always equal opportunities for any member to correct mistakes before reaching a fatal point.
2. Summary of how this proposal addresses the problem
This proposal provides the framework for a “Policy Compliance Dashboard”, to be developed by AFRINIC, and incorporated into MyAFRINIC (and future member communication platforms).
This will allow periodic review of the policy compliance status of each member, automated as much as possible, so that members can receive automated notifications of any issue. Warnings will also be sent to the staff, and only in cases of a continued and repeated lack of compliance, or severe violation of certain aspects of the CPM, will AFRINIC be able to take further actions according to the RSA.
Considering the exhaustion of IPv4, recovered/returned IPv4 resources are placed at the end of the actual pool. However, other resources are quarantined for a period of 2 years. This way, the staff can take measures to ensure that all the resources are as clean as possible, before being allocated/assigned again.
3. Proposal
Adding a new section in the CPM, numbered as best fits according to the staff criteria, as follows:
1. Policy Compliance |
AFRINIC services are provided to members under the umbrella of the RSA mandate, which in turn ask for compliance with policies. Those policies are documented in the CPM, which is continuously updated by the PDP. |
2. Policy Compliance Dashboard |
AFRINIC “Policy Compliance Dashboard” shows to each member its status of policy compliance, collected by means of a periodical review, automated as much as possible. The dashboard will show all possible details to match the CPM and RSA, such as:
The dashboard automation will need to be adapted as the CPM evolves through the PDP, in order to display new details. |
3. Notifications |
The dashboard will automatically send notifications of the status of compliance to members, after each review or dashboard update. Reminders will be periodically sent in case of any lack of compliance. In this case, warnings will be also sent to the staff. |
4. Lack of Compliance |
AFRINIC will be able to initiate a more exhaustive investigation and take further actions, according to the RSA, when there is evidence suggesting that there is a lack of compliance. It will not be considered lack of compliance when the policy violation has been caused by a third party, without the knowledge of the member, and if it is evident that there is no collusion or negligence on its part. |
5. Service Withholding, Revocation or Member Closure |
Unauthorized transfers, lack of payment or document fraud, once confirmed, will be cause of the revocation of the services and member closure. Repeated and/or continued policy violations once confirmed, may be cause of service withholding and resource revocation. Towards that, AFRINIC will take the following steps:
|
6. Exceptionalities |
When the revocation of resources involves essential strategic infrastructure that is necessary for the operation of the Internet in the region, or in exceptional situations such as natural disasters or political instability, the AFRINIC Board may extend the resource revocation period, with prior assessment by the Staff, once such an exceptional situation is detected. |
7. Resource Return |
Resource recipients may return the resources to AFRINIC, in full or in part, at any time. If all the resources are returned, all the other provisions specified in the RSA and Bylaws will apply. |
8. Resource Publication |
AFRINIC will publicly list the resources that have been recovered or returned, so that routing filters can be adjusted. |
9. Use of Recovered or Returned Resources |
IPv4 resources will be incorporated at the “end” of the pool in force at the time of the recovery or return, for use in the order in which they have been added to that pool. The IPv6 and ASN resources will be incorporated into their respective pools, after 2 years of their recovery or return. However, AFRINIC may use these resources differently, in the application of best practices, to optimize compliance with the provisions of section 2 of RFC7020. For example, if 16-bit ASNs are recovered or returned. |
4. References
- https://afrinic.net/membership/agreements
- https://afrinic.net/ast/pdf/services/afrinic-rsa-en-201801.pdf
Similar policies or procedures, for the same/similar purposes, also exist in the other regions.
- APNIC: https://www.apnic.net/community/policy/resources#4.2.-Closure-and-recovery
- ARIN: https://www.arin.net/participate/policy/nrpm/#12-resource-review
- LACNIC: An equivalent proposal reached consensus (pending implementation): https://politicas.lacnic.net/politicas/detail/id/LAC-2019-9?language=en
- RIPE NCC: https://www.ripe.net/publications/docs/ripe-694 || https://www.ripe.net/publications/docs/ripe-716
Revision History
Date | Details |
17th February 2020 | Version 1: AFPUB-2020-GEN-001-DRAFT01 Initial Draft Posted to rpd |
AFRINIC Policy Impact Assessment
AFRINIC Staff Assessment
Date of Assessment | Relevant to Proposal |
---|---|
Aug 2020 | AFPUB-2020-GEN-001-DRAFT01 |
1. Staff Interpretation & Understanding of the proposal
This policy proposal introduces the framework for the AFRINIC “Policy Compliance Dashboard”, which shall be implemented on the myafrinic member portal so that each resource member is shown its status in regard to compliance with the resource policies documented in the AFRINIC CPM.
The scope of the proposal includes both the CPM and RSA violations. AFRINIC shall label the dashboard Policy and Contractual Compliance Dashboard on MyAFRINIC to avoid any misinterpretations.
The status of policy compliance of each member shall be automated as much as possible and collected by means of a periodical (and automated) review.
The dashboard automation will also accommodate any changes that are made to the CPM, in terms of updates to currently implemented policies or new policies through the AFRINIC Policy Development Process. Any new policy proposals that will be proposed shall also indicate clearly any elements of non-compliance that shall then be incorporated in the dashboard.
The dashboard shall be configured to send notifications after each dashboard review or update, as well as reminders of their non-compliance to the contacts of the AFRINIC Resource Members. AFRINIC staff shall also receive non-compliance notifications for deeper investigation and follow-up with the Resource members. For this to work, all non-compliance related features need to be clearly defined and explicitly programmed in the dashboard.
Any policy breaches shall be handled by AFRINIC in accordance with the Registration Services Agreement.
As per the proposal, unauthorized transfers, lack of payment, or document fraud, once confirmed, will result in the revocation of the services and member closure.
For other cases of confirmed repeated and/or continued policy violations, the proposal mentions a series of actions that shall be undertaken by AFRINIC staff, and states that revocation of the resources shall be the last resort. There is a period of 3 months for a member to regularise any identified non-compliance, within which a gradual disabling of certain services (RDNS) shall begin after one month has elapsed. Reinstatement shall happen upon contact by a member.
The AFRINIC Board shall be consulted when non-compliance resulted from extenuating occurrences in order to grant an exception.
Reporting shall be done by publishing the list of recovered and returned resources for various use cases like routing filters.
IPv6 and ASN Resources recovered through this exercise are to be quarantined for 2 years while IPv4 shall go at the end of the queue to be issued as a last resort.
The policy proposal allows for members to return resources - the current established practice is that AFRINIC accepts voluntary resource returns from its members.
In regard to resource publication, "AFRINIC will publicly list the resources that have been recovered or returned, so that routing filters can be adjusted", this is interpreted to mean that recovered and returned resources shall be deregistered from the AFRINIC whois database to allow for an automatic adjustment of routing filters.
IPv4 resources will be incorporated at the “end” of the pool in force at the time of the recovery or return, for use in the order in which they have been added to that pool. This means that if the proposal reaches consensus, for resources that will be reclaimed under this policy, the current practice of quarantine for 12 months before being made available will change.
The IPv6 and ASN resources will be incorporated into their respective pools, after 2 years of their recovery or return, hence an update in the quarantine period of returned/reclaimed resources will be made by AFRINIC.
Benefit to Members
Members who are not subscribed to the rpd mailing list and are not informed about the resource policy evolutions in the CPM that impact them will be able to get a summary of their degree of compliance by consulting the dashboard on the myafrinic portal.
Benefit to AFRINIC
AFRINIC would also periodically review members' dashboards and, in cases of repeated violation (lack of compliance) or severe violation of certain aspects of the CPM, AFRINIC should be able to take further actions as per the RSA.
2. AFRINIC Staff Comments & Recommendations
A. In the absence of a dashboard on myafrinic, some policy conditions have been incorporated into the daily operations. Such conditions include:
- Member must be in good standing in order to be accorded service support
- Demonstrate 90% utilisation of all IPv4 resources before additional IPv4 resources can be approved
- No reverse delegation if no IP usage is registered in the WHOIS database
- Lame delegation notifications
Currently, lack of payment is already handled through the closure process where resources are revoked and accounts closed.
B. The problem statement mentions that "At the same time, the RSA doesn’t state a specific procedure to resolve the situation with members, and facilitate them the actual compliance, neither if they should get a specific time or opportunities to resolve the situation, in a fair way to all the members, instead of taking irreversible decisions at the first occasion of any policy violation."
Currently, AFRINIC uses the Section 11 Termination by AFRINIC clause to give the members the opportunity to remedy any breaches (policy or RSA).
(iii) AFRINIC shall have the right to terminate this Agreement upon giving The Applicant written notice of its intention and inviting the latter to show cause why such action shall not be taken against it or to take remedial measures to cure any breach particularised in the said notice.
(iv) The Applicant will have a period of 30 days during which it shall communicate the grounds on which it relies to prevent the termination of this agreement by AFRINIC.
(v) Where AFRINIC’s notice of termination is based on a breach of the present agreement committed by The Applicant, the latter shall provide evidence of the remedial action(s) taken to cure the breach.
(vi) Where AFRINIC considers in its own discretion that the grounds put forward by The Applicant or the remedial actions taken are satisfactory the termination process will be stopped forthwith.
In practice, no irreversible decision is taken on the first occasion of a policy violation or RSA breach.
C. The scope of the proposal includes both the CPM and RSA violations. It is recommended that the scope be classified into two categories:-
1. Policy non-compliance covering
- Unused or unannounced resources (where mandatory).
- Unavailable or outdated Whois information.
- Lack of maintenance of the reverse delegation.
- Forbidden sub-assignments (from PI assignments).
- Tracking of repeated and/or continued policy violations.
- Any non-compliance in future ratified policies.
2. Contractual non-compliance
- Contractual obligations (such as status of payments or documents).
- Lack of response from the member.
- Unauthorised transfers.
- Submission of fraudulent documents (should the member be closed as a result), same records shall be kept on the member's account on the member portal.
3. AFRINIC Staff Clarification Requests
Section 5 states 'In all other cases, two months after the resources are published, AFRINIC will proceed to delete the NS records pointing to the authoritative nameservers of the resources involved. This information may be recovered once the organization reestablishes contact with AFRINIC.' AFRINIC interprets this statement as follows:-
Two months after the resources are published, AFRINIC will back up and then remove the domain objects linked to the resources from its whois database. Once the member re-establishes contact and resolves its non-compliance issues, the domain objects will be registered in the AFRINIC whois database.
Tracking of repeated and/or continued policy violations. - For consistency, policy authors may propose a threshold that mandates action and also clarify when and how the counters get reset.
AFRINIC shall publish resources under breach for a maximum of 3 months. Where would the publishing ideally happen:
- As WHOIS remarks/comments in the inet(6)num objects?
- Publicly accessible webpage?
The policy proposal mentions a quarantine period of 2 years for ASN/IPv6. The quarantine period is currently 12 months and AFRINIC staff suggests that the quarantine period would best be left as an operational decision rather than have it specifically stated in the policy, as some factors may arise requiring urgent review of such a time frame.
4. Impact on Registry Functions
4.1 Procedures
- New sub-process/procedure to be developed for the overall non-compliance workflow
- Resource Members follow-up in regard to persistent non-compliance
4.2 WHOIS
No impact (to be confirmed after clarifications from authors)
4.3 MyAFRINIC
1. Software development for the dashboard will be required.
AFRINIC currently has automated tools that track some of the policy non-compliances, such as status of payment and lack of reverse DNS. However, these tools are not integrated to provide a consolidated dashboard. Some other policy conditions will also need to be integrated into the dashboard. The coding should also enable automated locking of services on the members portal. The full scope of the dashboard as given by the authors includes the items below:
- Contractual obligations (such as status of payments or documents).
- Lack of response from the member.
- Unused or unannounced resources (where mandatory).
- Unavailable or outdated Whois information.
- Lack of maintenance of the reverse delegation.
- Forbidden sub-assignments (from PI assignments).
- Unauthorised transfers.
- Tracking of repeated and/or continued policy violations.
2. Notifications in case of lack of compliance
Automatic notifications to members after each dashboard update
Reminders to be sent to members periodically
Warnings to be sent to ticketing queues.
4.4 Netsuite
None
4.5 Impact on staffing/human resources
The implementation of the policy proposal will require the significant deployment of human resources from Member Services for the purpose of specification drafting and software testing, implementation of the workflow in its day to day operations as well as handling the expected number of queries that will arise through tickets from the resource members. Recruitment of additional staff to handle the workload and respect the Service level commitment will be envisaged.
The Applications Unit team would also require additional resources to implement the dashboard as resources for the next 6 months are tied up with the re-write of myafrinic member portal and other service-related technical projects.
5.0 Implementation
5.1 Timeline
If it reaches consensus, AFRINIC will implement this policy 6 months after MyAFRINIC v2 has been deployed.