You are here: Home > Participate > Join a Discussion > RIPE Forum
RIPE Forum v1.4.1

RIPE NCC Services Working Group

Threaded
Collapse

[ncc-services-wg] policy compliance dashboard

User Image

Jordi Palet Martinez

2020-05-13 11:41:05 CET

After my comment in the Addressing Policy meeting, I decided to go ahead with this email, maybe it can a provocation for some inputs in the open mic ...

Note that this text is from my AFRINIC proposal (to make it quick now), so disregard parts that may not correctly matches the RIPE NCC situation and may be some of the things are already done here.

Text:

*****

"The Policy Compliance Dashboard” shows to each member its status of policy compliance, collected by means of a periodical review, automated as much as possible. The dashboard will show all possible details to match the policies and RSA, such as:

* Contractual obligations (such as status of payments or documents).
* Lack of response from the member.
* Unused or unannounced resources (where mandatory).
* Unavailable or outdated Whois information.
* Lack of maintenance of the reverse delegation.
* Forbidden sub-assignments (from PI assignments).
* Unauthorized transfers.
* Tracking of repeated and/or continued policy violations. 

The dashboard automation will need to be accommodated along policies evolves thru the PDP, in order to display new details.

The dashboard will automatically send notifications of the status of compliance to members, after each review or dashboard update. 

Reminders will be periodically sent in case of any lack of compliance. In this case, warnings will be also sent to the staff.

*****

I've also the feeling that it may be more appropriate for Services WG, so copied as well.

Any thoughts?

Regards,
Jordi
@jordipalet
 
 



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





User Image

Nick Hilliard

2020-05-13 12:00:52 CET

[cc trimmed]

JORDI PALET MARTINEZ via ncc-services-wg wrote on 13/05/2020 10:41:
> "The Policy Compliance Dashboard” shows to each member its status of
> policy compliance, collected by means of a periodical review,
> automated as much as possible. The dashboard will show all possible
> details to match the policies and RSA, such as:

Why does this need to be a policy?  This is an operational 
implementation thing, not a strategic direction issue.

Nick

User Image

Jordi Palet Martinez

2020-05-13 12:09:35 CET

Hi Nick,

That's why I'm asking.

In other regions the proposal have more text, that it is already done in some other ways in other RIPE policies, so here I'm asking if this is done already, and if not, if RIPE NCC is considering it, or they want us to state if a policy suggesting that a dash-board or equivalent is needed.

Regards,
Jordi
@jordipalet
 
 

El 13/5/20 12:00, "Nick Hilliard" <nick _at_ netability _dot_ ie> escribió:

    [cc trimmed]

    JORDI PALET MARTINEZ via ncc-services-wg wrote on 13/05/2020 10:41:
    > "The Policy Compliance Dashboard” shows to each member its status of
    > policy compliance, collected by means of a periodical review,
    > automated as much as possible. The dashboard will show all possible
    > details to match the policies and RSA, such as:

    Why does this need to be a policy?  This is an operational 
    implementation thing, not a strategic direction issue.

    Nick



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





Jim Reid

2020-05-13 12:35:51 CET


> On 13 May 2020, at 10:41, JORDI PALET MARTINEZ via address-policy-wg <address-policy-wg _at_ ripe _dot_ net> wrote:
> 
> "The Policy Compliance Dashboard” shows to each member its status of policy compliance, collected by means of a periodical review, automated as much as possible. The dashboard will show all possible details to match the policies and RSA, such as:
> 
> * Contractual obligations (such as status of payments or documents).
> * Lack of response from the member.
> ...
> * Tracking of repeated and/or continued policy violations. 

If an LIR is seriously delinquent in the ways listed above, what’s the point of putting that info in this proposed dashboard? The member won’t be paying attention to it, just like they’ve been ignoring the NCC’s invoices and requests for information.

It’s not clear to me that this proposed dashboard is useful. What problem is it solving? Where’s the use case(s)?

You’ve said the proposed policy compliance review would be automated as much as possible. But some aspects will involve making subjective judgments that cannot be automated - ie assessments of outdate whois info or lack of maintenance of the reverse delegation. We’d probably need the DNS WG to come up with some definitions or maybe a policy on lack of maintenance of reverse delegations.

Once there’s more clarity on this idea, I think it should be considered by the NCC Services WG. It appears to be a service thing. It doesn’t seem to be a policy matter at all and is therefore inappropriate for the AP WG.


User Image

Nick Hilliard

2020-05-13 12:37:06 CET

JORDI PALET MARTINEZ via ncc-services-wg wrote on 13/05/2020 11:09:
> In other regions the proposal have more text, that it is already done
> in some other ways in other RIPE policies, so here I'm asking if this
> is done already, and if not, if RIPE NCC is considering it, or they
> want us to state if a policy suggesting that a dash-board or
> equivalent is needed.
A policy is not a good way of handling this because it means that the 
RIPE NCC is bound by the terms of the policy.  If something needs to 
change, then the policy needs to change, so changes can potentially take 
months and are extremely heavyweight.

There's no requirement to burden the NCC with this level of bureaucratic 
overkill.

There are lots of ways to skin a cat.

Nick

Jim Reid

2020-05-13 12:46:33 CET


> On 13 May 2020, at 11:09, JORDI PALET MARTINEZ via ncc-services-wg <ncc-services-wg _at_ ripe _dot_ net> wrote:
> 
> I'm asking if this is done already, and if not, if RIPE NCC is considering it, or they want us to state if a policy suggesting that a dash-board or equivalent is needed.

I’m even more confused and struggling to understand how this is relevant to the AP WG. Could you please explain?

First of all, this dashboard thing is an operational service matter. Please clarify why you think it needs to be a policy issue.

Next, if you wanted to know if the NCC is considering this dashboard idea, you could simply have asked them. Or raised the matter in the NCC Services WG. Have you done either of those things? If so, what was the response?


User Image

Jordi Palet Martinez

2020-05-13 22:42:43 CET

Hi Jim,


El 13/5/20 12:35, "Jim Reid" <jim _at_ rfc1035 _dot_ com> escribió:



    > On 13 May 2020, at 10:41, JORDI PALET MARTINEZ via address-policy-wg <address-policy-wg _at_ ripe _dot_ net> wrote:
    > 
    > "The Policy Compliance Dashboard” shows to each member its status of policy compliance, collected by means of a periodical review, automated as much as possible. The dashboard will show all possible details to match the policies and RSA, such as:
    > 
    > * Contractual obligations (such as status of payments or documents).
    > * Lack of response from the member.
    > ...
    > * Tracking of repeated and/or continued policy violations. 

    If an LIR is seriously delinquent in the ways listed above, what’s the point of putting that info in this proposed dashboard? The member won’t be paying attention to it, just like they’ve been ignoring the NCC’s invoices and requests for information.

[Jordi] I've clearly explained in my email that it was basically a copy and paste from another RIR proposal, where they are missing things that in RIPE we have solved already. Thinks need to be read in context to make sense, and I think it makes sense to openly discuss ideas before coming into proposal, right?

    It’s not clear to me that this proposed dashboard is useful. What problem is it solving? Where’s the use case(s)?

    You’ve said the proposed policy compliance review would be automated as much as possible. But some aspects will involve making subjective judgments that cannot be automated - ie assessments of outdate whois info or lack of maintenance of the reverse delegation. We’d probably need the DNS WG to come up with some definitions or maybe a policy on lack of maintenance of reverse delegations.

[Jordi] There are many LIRs and end users that don't follow policies evolutions. If this can be automated, they will get a notification. Probably RIPE NCC is doing many of those things, I stated that.

    Once there’s more clarity on this idea, I think it should be considered by the NCC Services WG. It appears to be a service thing. It doesn’t seem to be a policy matter at all and is therefore inappropriate for the AP WG.

[Jordi] 

Responding also to your other/Nick email:

I’m even more confused and struggling to understand how this is relevant to the AP WG. Could you please explain?

[Jordi] Context. Marco presented this policy proposal from another RIR, I've explained it quickly and mention that I will email about it. In my email I also indicated that in my opinion is a services WG thing. My bad!, yes, I'm the first guy in the world that cross posted, in this case so to ensure where to follow the discussion.

First of all, this dashboard thing is an operational service matter. Please clarify why you think it needs to be a policy issue.

Next, if you wanted to know if the NCC is considering this dashboard idea, you could simply have asked them. Or raised the matter in the NCC Services WG. Have you done either of those things? If so, what was the response?

[Jordi] I can talk in private with the NCC about this, but I prefer to chat in the WG, as the NCC is also participating there. I think it is a matter of transparency. They can tell us, we already do part of this, we could do the rest, or not interested, or whatever.




**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





Jim Reid

2020-05-14 11:54:42 CET


> On 13 May 2020, at 21:42, JORDI PALET MARTINEZ via ncc-services-wg <ncc-services-wg _at_ ripe _dot_ net> wrote:
> 
> I've clearly explained in my email that it was basically a copy and paste from another RIR proposal, where they are missing things that in RIPE we have solved already. Thinks need to be read in context to make sense, and I think it makes sense to openly discuss ideas before coming into proposal, right?

This clarification helps a lot Jordi. Thanks.

However it doesn’t help in a good way from your PoV. If I understand you correctly, you’re promoting a policy proposal from another RIR which solves a problem we don’t have in RIPE because it’s already been fixed. Is that correct? If so, this doesn’t seem to be a sensible way to proceed or make policy.

If we are to openly discuss this idea any further, I think you need to start with a clear problem statement. What is it that you think needs fixing and how does this proposal from another RIR do that? It may well fix their problem(s). I don’t know or care about that. I’d like to know what RIPE problem(s) it fixes.



User Image

Jordi Palet Martinez

2020-05-14 15:38:59 CET

Hi Jim, Michele, Carlos,

(responding all in a single email)

What I'm saying is that not neccesarily *all* the bits in the other RIR proposal make sense here, but others may do. Many details may be already done by the RIPE NCC, others may be not.

So the key idea is that when you enter your LIR portal, you can see a dhasboard your "policy compliance" status. Also, that when the tool detects something failing (in your case), automatically send you a notification.

If you don't follow policy proposal development (many resource holders don't do), when a policy proposal changes an existing policy or there is a new policy and you many not be fulfilling that, at some point (when the NCC has the time to implement the policy and the automated verification), and in some cases, an automated verification will be automatically done and if there is any failure, you will get an alert.

A bit longer explanation, but may be now is clearer?

If a resource holder doesn't care, this is not "this" problem ... RSA issue, right?

And yes, regarding the ARC question, this could be also implemented in such way that if something can't be automated, for example, requires filling in some data, the LIR can do and the dashboard, will "re-calculate" if it is correct or whatever. Of course we don't want to enter (as much as we can avoid) in procedural details. If some cases, it can create a ticket to the ARC team or whatever, if can't be done also in that semi-automated way.

Regards,
Jordi
@jordipalet
 
 

El 14/5/20 11:54, "Jim Reid" <jim _at_ rfc1035 _dot_ com> escribió:



    > On 13 May 2020, at 21:42, JORDI PALET MARTINEZ via ncc-services-wg <ncc-services-wg _at_ ripe _dot_ net> wrote:
    > 
    > I've clearly explained in my email that it was basically a copy and paste from another RIR proposal, where they are missing things that in RIPE we have solved already. Thinks need to be read in context to make sense, and I think it makes sense to openly discuss ideas before coming into proposal, right?

    This clarification helps a lot Jordi. Thanks.

    However it doesn’t help in a good way from your PoV. If I understand you correctly, you’re promoting a policy proposal from another RIR which solves a problem we don’t have in RIPE because it’s already been fixed. Is that correct? If so, this doesn’t seem to be a sensible way to proceed or make policy.

    If we are to openly discuss this idea any further, I think you need to start with a clear problem statement. What is it that you think needs fixing and how does this proposal from another RIR do that? It may well fix their problem(s). I don’t know or care about that. I’d like to know what RIPE problem(s) it fixes.





**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.





Jim Reid

2020-05-14 15:52:39 CET


> On 14 May 2020, at 14:38, JORDI PALET MARTINEZ via ncc-services-wg <ncc-services-wg _at_ ripe _dot_ net> wrote:
> 
> A bit longer explanation, but may be now is clearer?

Not to me Jordi  - sorry. You’ve explained what this dashboard thing will do and how it might be used. You’ve not explained what problem this solves or why it’s needed. Can you please provide a problem statement?

It’s also not clear how much of an issue “policy non-compliance” is in the RIPE service region or if the NCC’s current methods of dealing with that are defective/too costly/inefficient/whatever. Some cost/benefit analysis would be appreciated.

FWIW I still don’t see the point. Good LIRs will keep their house in order with or without this dashboard - though it may help them a little. The dashboard will do nothing for the bad LIRs who in all likelihood never login to the LIR portal.


User Image

Carlos Friacas

2020-05-14 22:56:38 CET

Hi,

If this was the db-wg, this could potentially be just a new NWI. :-)

If the problem statement is clear enough (and the fact many or most 
resource holders don't really follow-up on policy changes is a good 
kickstarter for me) this could be useful to have inside the LIR 
Portal -- provided only the RIR and the LIR itself has access to it.

I don't see this as something that would improve the status of LIRs that 
don't care, but something that may help the Registration Services.
And the "don't care" bit doesn't need to be linear. At some point, some 
of the LIRs will want to check if their compliance is 100%.

I'm also not sure if a new policy proposal is needed for this, if this is 
simply a tool, or a concept, we (ncc-services-wg) might request the NCC to 
consider building. We might also want to build on the experience of other 
RIRs, and even try to get a hold of "how much would it cost" to add this 
tool here too.

Regards,
Carlos




On Thu, 14 May 2020, JORDI PALET MARTINEZ via ncc-services-wg wrote:

> Hi Jim, Michele, Carlos,
>
> (responding all in a single email)
>
> What I'm saying is that not neccesarily *all* the bits in the other RIR proposal make sense here, but others may do. Many details may be already done by the RIPE NCC, others may be not.
>
> So the key idea is that when you enter your LIR portal, you can see a dhasboard your "policy compliance" status. Also, that when the tool detects something failing (in your case), automatically send you a notification.
>
> If you don't follow policy proposal development (many resource holders don't do), when a policy proposal changes an existing policy or there is a new policy and you many not be fulfilling that, at some point (when the NCC has the time to implement the policy and the automated verification), and in some cases, an automated verification will be automatically done and if there is any failure, you will get an alert.
>
> A bit longer explanation, but may be now is clearer?
>
> If a resource holder doesn't care, this is not "this" problem ... RSA issue, right?
>
> And yes, regarding the ARC question, this could be also implemented in such way that if something can't be automated, for example, requires filling in some data, the LIR can do and the dashboard, will "re-calculate" if it is correct or whatever. Of course we don't want to enter (as much as we can avoid) in procedural details. If some cases, it can create a ticket to the ARC team or whatever, if can't be done also in that semi-automated way.
>
> Regards,
> Jordi
> @jordipalet
>
>
>
> El 14/5/20 11:54, "Jim Reid" <jim _at_ rfc1035 _dot_ com> escribió:
>
>
>
>    > On 13 May 2020, at 21:42, JORDI PALET MARTINEZ via ncc-services-wg <ncc-services-wg _at_ ripe _dot_ net> wrote:
>    >
>    > I've clearly explained in my email that it was basically a copy and paste from another RIR proposal, where they are missing things that in RIPE we have solved already. Thinks need to be read in context to make sense, and I think it makes sense to openly discuss ideas before coming into proposal, right?
>
>    This clarification helps a lot Jordi. Thanks.
>
>    However it doesn?t help in a good way from your PoV. If I understand you correctly, you?re promoting a policy proposal from another RIR which solves a problem we don?t have in RIPE because it?s already been fixed. Is that correct? If so, this doesn?t seem to be a sensible way to proceed or make policy.
>
>    If we are to openly discuss this idea any further, I think you need to start with a clear problem statement. What is it that you think needs fixing and how does this proposal from another RIR do that? It may well fix their problem(s). I don?t know or care about that. I?d like to know what RIPE problem(s) it fixes.
>
>
>
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
>
>
>
>
>