RIPE NCC Consistency and Auditing Activity

John Crain
Paula Caslav

Document ID: ripe-170
Date: 1 December 1997

Abstract

This document describes the concept of the Consistency and Auditing Activity of the RIPE NCC in general and the procedures involved in particular.

Table of Contents

1. Introduction

At the 1996 Contributors Committee Meeting, it was agreed that the RIPE NCC should increase its efforts to actively check the quality and validity of registry data. This should also include the production of statistics on address space usage. In order to ensure a fair address space distribution, the RIPE NCC will regularly check that assignment guidelines are applied equally. See the RIPE NCC Contributors Committee 1996 Annual Meeting and the RIPE NCC Activities and Expenditure 1997 for more information. Some of this activity is separated from the other registration activities because it needs to be defined and executed somewhat independently from the day-to-day processing of requests. Of course consistency checking and auditing will still be performed within other activities.

2. Goals

The goal of this activity is to promote consistent and fair application of assignment criteria with regard to conservation and registration of address space and aggregation of routing information. This activity will also help to identify parts of the procedures themselves that cause problems. These observations will be reported back to the RIPE Local IR working group for further investigation and improvement of the procedures.

To verify that Local Internet Registries are applying the assignment criteria correctly and to aid them in operating within the criteria, the RIPE NCC has started this activity on auditing and consistency checking.

3. Previous Practice

Previously, the RIPE NCC primarily checked how Registries follow procedures in the course of making a new allocation to a Registry. The RIPE NCC also followed up on external complaints about Registries. However, until recently, there have not been enough resources to devote to these activities on a full time basis. Auditing and consistency checking has primarily been done on a time-permitting basis.

4. New Auditing Procedures

4.1. Principles

The global assignment policies agreed upon by IANA and the RIPE community, as described in the document "European Internet Registry Policies and Procedures", will be used as criteria to evaluate the Registry's assignment decisions.

When performing an audit a member of the RIPE NCC Registration Services staff will be looking at the following information:

Database Consistency

1. Is the information stored in the RIPE database concerning the assignments within Registry's allocation correct (separate up-to-date entries pointing to all individual customer assignments)?

2. Is it stored in the correct manner (are nic-handles used, are admin-c's located on-site, no overlapping entries, etc.)?

Assignment Criteria

1. Were all requests above the Registry's Assignment Window sent to the RIPE NCC for approval?

2. Is proper documentation regarding the request and the assignment gathered and archived by the Local Internet Registry?

(Note: For a request that is within a Registry's Assignment Window, it is not necessary to have an entire European IP Address Space Request Form , however some similar format with all the information necessary to evaluate the request should be available. The information should show what kind of organisation is using the addresses, what their network looks like (an addressing plan ) and their current address space usage.

3. Have the correct assignment policies been followed? The documentation will be checked for the following:

• The completeness of provided documentation.

• The use of classless assignments.

• The efficiency of IP usage (25% usage immediately and 50% usage in year 1).

When the data about the assignments is produced, the requests are evaluated as to their compliance with the procedures and policies in force at the time of the assignment.

4.2. Types of Audits

The External Auditing will be carried out on two levels.

4.2.1. Routine Auditing by Hostmasters

With every request for a new allocation, the usage of previous allocations are monitored. RIPE NCC Hostmasters will ask for documentation on several sample requests (usually three) and check the basis for the assignment decisions of the LIRs. This is important to align assignment criteria and to make sure LIRs gather the necessary set of information.

As the Local Internet Registries should be keeping documentation of all IP assignment requests available (see European Internet Registry Policies and Procedures) this should be a formality under normal circumstances. Only where the LIR has failed to archive such requests may this create problems and delay the allocation process.

If a delay is likely and the LIR urgently needs additional address space to serve customers, the RIPE NCC may decide to allocate a small range of address space to the LIR so that they can continue business during the audit procedure.

4.2.2. Special Auditing by the Team

This type of auditing by the Consistency Checking and Auditing Team will be started according to one of three situations:

A. At the request of the Registration Services Department

If, during the course of normal Registration Services work (for example during an "allocation check"), a Hostmaster has difficulty obtaining satisfactory answers from an LIR, the audit can be passed on to the Consistency Checking and Auditing Team. Also, if procedural errors are discovered, the Hostmaster can transfer the request to the Consistency Checking and Auditing Team or continue the audit under its supervision.

B. As reaction to an external complaint

The Consistency Checking and Auditing Team will handle external complaints about non-compliance with policies and procedures. It will investigate these complaints and try to ascertain if they have any validity before approaching the Registry against which the complaint has been lodged. Complaints that do not have some form of corroborative evidence, either given by the complainant or discovered during research, will not be pursued.

To ensure confidentiality, the identity of the complainant will be kept unless written permission is given for disclosure. All information about the Registry being audited will also remain confidential and the outcome of the audit will not be disclosed.

C. Pro-active Audits of LIRs with little contact

The Consistency Checking and Auditing Team will audit LIRs that have little contact with RIPE NCC. Falling under this category are some Registries that need minimal coordination with the RIPE NCC, due perhaps to the nature of their business and their Assignment Window. It is useful to audit these LIRs from time to time to ensure that they are aware of the latest policies and procedures.

4.3. Methodology

The auditing of LIRs will be performed in such a way that Registries following guidelines and procedures will have as little disturbance to their business as possible. Impartiality, quality and confidentiality will be of highest priority. The <hostmaster@ripe.net> role mailbox will be used for all auditing-related discussions with Registries. The <ncc@ripe.net> role mailbox can be used by a non-registry for initial contact about auditing-related issues.

Most correspondence should be sent via e-mail. However, documentation (such as a topology map) only accessible in hardcopy can be sent by fax. All documentation and discourse will be logged and archived using the RIPE NCC Ticket Tracking System. Details are explained in the document "RIPE NCC Request Tracking and Ticketing".

4.4. Corrective Measures

Any LIR that is audited, for whatever reason, will be given ample opportunity to show that they are following the correct procedures. The Consistency Checking and Auditing Team will first attempt to discuss the problem with the Registry involved and explain the correct procedures and policies. If the discussion fails, or if serious failings are shown, further action will be taken. This action can take various forms, including the lowering of the Registry's Assignment Window.

If an Assignment Window is lowered it will then be raised in the normal manner, not necessarily directly to the original level. A major part of the activity will be in helping the Registries to understand and follow the correct policies and procedures. Lowering a Registry's Assignment Window is meant to help them get better acquainted with current policies by receiving more feedback from the RIPE NCC on their requests.

At times, it will be necessary for the Consistency Checking and Auditing Team to withhold allocating a new block to a Registry that is being audited, or to make a small temporary allocation and allocate the rest of the block later, when certain conditions have been met. Making a small temporary allocation will allow the RIPE NCC to better monitor the assignments made by the Registry.

If a Local IR consistently violates the policies established by IANA or the RIPE community, in spite of multiple warnings and other corrective measures, then it may be closed by the RIPE NCC (see Section 6.6.1 of the document "European Internet Registry Policies and Procedures").

5. Reporting

In order to get a better overview of the needs of the Registries, the RIPE NCC will keep statistics on the results of the audits. These statistics, which will include the type of complaints and problems found, will be made public. The statistics will only show the types of problems and the solutions taken. They will not mention any Registry by name. The information will also be used to help the RIPE NCC to adapt their information dissemination to suit the needs of Registries. This would be useful in enriching and updating the contents of the LIR Training Course and in improving the documentation available to Local Internet Registries.

6. Appeals

A formal appeal procedure will be developed in early 1998. Until that time, any complaints about the procedures of the Consistency Checking and Auditing Team should be taken up with the Quality Assurance Manager, and if an agreement is not reached, it will be taken to the senior Management of the RIPE NCC. If an agreement is also not reached at that level, the issue can be taken to the IANA for arbitration.