On Fri, Apr 24, 2009 at 01:12:42PM +0100, Michael Dillon wrote:
I think that many company officers will ask to see the results of an audit before they sign this document, and they will want the audit to be performed by qualified CPAs. Are your IPv4 records in good enough shape that an accountant will sign off on them?
My boss (who is an officer of the company within the meaning of the term in the new ARIN requirement) will attest to my employer's next IP assignment (we're an end user with PI space) request to ARIN on nothing but my say-so that it is accurate. He's not a network guy, has no good way of verifying the data himself and won't require some external entity to come audit the request. He might ask me a few questions before signing, but that will be it. If he didn't trust me, he'd have replaced me a long time ago. (For the record, yes, my records are good enough that an accountant would likely sign off on them. But that won't be necessary.) Of course, I haven't been submitting fraudulent requests to ARIN and don't plan to start, so I'm not the target of ARIN's new policy anyway. There are many things the new policy won't stop. It won't stop fraudulent requests where the officer of the company is knowingly in the loop of the fraud (this would include small organizations where the entire network engineering staff is the VP of Enginering). It won't stop fraudulent requests where the requestors are willing to lie to company executives (except in what I expect are relatively rare cases where the executives independantly verify the data before signing off on it). It *will* stop fraudulent requests where the requests are being made by engineers who are (a) willing to lie to ARIN, but (b) not willing to lie to their boss and boss's boss (through however many levels it takes to get to an officer who meets ARIN's requirements). I suspect that's a non-trivial amount of the fraud that is going on. ARIN can't fire anyone. Managers typically don't like to be lied to and might very well fire an engineer caught lying ... many people won't take that sort of chance with their job. (Sure, some will tell their boss the truth and then ask him to lie to ARIN, and some officers will go along with that -- I covered that possibility the previous paragraph -- but no where near all will.) Many of the attacks here against ARIN's policy are centered on the fact that it isn't perfect and there are still lots of ways for fraud to happen. All of those attacks are valid, but they ignore the fact that the policy probably was't intended to stop all fraud, just reduce fraud. I have no data, but my gut tells me it will reduce some fraud. I have no idea how much. -- Brett