Important New Requirement for IPv4 Requests [re "impacting revenue"]

Brett Frankenberger rbf+nanog at panix.com
Sat Apr 25 13:35:03 UTC 2009


On Fri, Apr 24, 2009 at 01:12:42PM +0100, Michael Dillon wrote:
> 
> I think that many company officers will ask to see the results of an audit
> before they sign this document, and they will want the audit to be performed
> by qualified CPAs. Are your IPv4 records in good enough shape that an
> accountant will sign off on them?

My boss (who is an officer of the company within the meaning of the
term in the new ARIN requirement) will attest to my employer's next IP
assignment (we're an end user with PI space) request to ARIN on nothing
but my say-so that it is accurate.  He's not a network guy, has no good
way of verifying the data himself and won't require some external
entity to come audit the request.  He might ask me a few questions
before signing, but that will be it.  If he didn't trust me, he'd have
replaced me a long time ago.  (For the record, yes, my records are good
enough that an accountant would likely sign off on them.  But that
won't be necessary.)

Of course, I haven't been submitting fraudulent requests to ARIN and
don't plan to start, so I'm not the target of ARIN's new policy anyway.

There are many things the new policy won't stop.  It won't stop
fraudulent requests where the officer of the company is knowingly in
the loop of the fraud (this would include small organizations where the
entire network engineering staff is the VP of Engineering).  It won't
stop fraudulent requests where the requestors are willing to lie to
company executives (except in what I expect are relatively rare cases
where the executives independently verify the data before signing off
on it).

It *will* stop fraudulent requests where the requests are being made by
engineers who are (a) willing to lie to ARIN, but (b) not willing to
lie to their boss and boss's boss (through however many levels it takes
to get to an officer who meets ARIN's requirements).  I suspect that's
a non-trivial amount of the fraud that is going on.  ARIN can't fire
anyone.  Managers typically don't like to be lied to and might very
well fire an engineer caught lying ... many people won't take that sort
of chance with their job.  (Sure, some will tell their boss the truth
and then ask him to lie to ARIN, and some officers will go along with
that -- I covered that possibility in the previous paragraph -- but
nowhere near all will.)

Many of the attacks here against ARIN's policy are centered on the fact
that it isn't perfect and there are still lots of ways for fraud to
happen.  All of those attacks are valid, but they ignore the fact that
the policy probably wasn't intended to stop all fraud, just reduce
fraud.  I have no data, but my gut tells me it will reduce some fraud. 
I have no idea how much.

     -- Brett



