[ppml] Policy Proposal 2004-4: Purpose and scope of ARIN Whois Directory

[Member Services]

ARIN welcomes feedback and discussion about the following policy 
proposal in the weeks leading to the ARIN Public Policy Meeting 
in Vancouver, Canada, scheduled for April 19-20, 2004.

According to the ARIN Internet Resource Policy Evaluation Process
the Advisory Council will evaluate policy proposals after the Public
Policy Meeting.  The feedback and discussion of policy proposals
on the Public Policy Mailing List will be included in the AC's
evaluation.

Subscription information for the ARIN Public Policy Mailing List is
available at http://www.arin.net/mailing_lists/index.html 

The ARIN Internet Resource Policy Evaluation Process is available at:
http://www.arin.net/policy/ipep.html

ARIN's Policy Proposal Archive is available at:
http://www.arin.net/policy/proposal_archive.html


Member Services 
American Registry for Internet Numbers (ARIN) 


### * ### 


Policy Proposal 2004-4: Purpose and scope of ARIN Whois directory

Author: Michael Dillon

Author's Organization: Radianz, Inc.

Policy term: permanent

Policy statement: 

1. ARIN shall maintain and publish a directory of contact information
   for the purposes of facilitating the operation of interconnected 
   IP networks. 

2. This directory will contain contact information for all organizations
   and individuals within the ARIN region who have received IP
   allocations or AS numbers directly from ARIN or its predecessors.

3. Organizations and individuals must guarantee to ARIN that contact 
   addresses published in the whois directory will reach a person who 
   is ready, willing and able to communicate regarding network
   operations and interconnect issues and who is able to act on that
   communication.

4. Any other organizations may elect to be listed in the whois
   directory as long as they make the guarantee detailed in item 3.

5. All contacts listed in the whois directory will be contacted 
   periodically and the directory will indicate information which may
   be stale if contact cannot be made promptly.

6. Additionally, the whois directory will contain, directly or
   indirectly, a record of all address blocks sub-allocated or
   assigned by the entities mentioned in item 3.

7. The records mentioned in item 6 will not identify the organization or
   individual receiving the address block or their exact location. These
   records will only indicate an organizational type, the nearest
   municipality providing postal service to the end user, state/province
   and country.

Rationale: 

ARIN doesn't really have a policy regarding whois. Most of what we have
today is adopted based on a long tradition that nobody understands 
anymore.

In looking back at historical sources it appears that whois was
originally set up so that ARPANET site managers could justify
their ARPANET connectivity funding by enumerating the people/projects
that were making use of the ARPANET.

Times have changed and tradition is no longer sufficient reason for
doing things.

This proposal attempts to put in place a simple statement of the
purpose and scope of a whois directory. It is my opinion that if we
cannot all agree on some sort of simple policy similar to what I am
proposing, then we probably should scrap the whois directory entirely.

Nothing in this policy should be construed to restrain ARIN staff's 
ability to maintain and use whatever databases they may need in the
performance of their duties including IP address allocation. This policy
only refers to the data which is made freely available to the public.

If this policy is adopted it will also alleviate concerns from the 
cable and DSL industry in regard to residential user privacy.

a) ARIN policy doesn't currently state that ARIN will maintain
   or publish a whois directory. This policy fixes that.

b) This proposal also explicitly states the purpose of the 
   whois directory as being targeted at internetworking and
   operational issues. It is not intended to help anti-spamming 
   collectives bypass the ISPs who are responsible for operating a
   network. In fact one of the goals is to make it harder for
   anti-spamming groups to attack end users. This whois policy would
   force them to report network abuse to the ISP employees who are
   responsible for finding and fixing network abuse issues.

c) The proposal does not recognize research as part of the scope of the
   whois directory, however items 6 and 7 do provide for data which
   allows some mapping and analysis of address usage and therefore
   the research community will not be left out in the cold.

d) This policy only directly puts a mandate on those organizations who
   have, or should have, an ARIN relationship to supply data. 

e) The policy also allows any responsible party to add their contact
   data to the ARIN database. However, this is done with their consent
   and by binding them to act responsibly, i.e. you can't list your
   organization and then ignore all abuse reports. The words "Ready,
   willing and able to communicate" are important here.

f) The ARIN staff are charged to keep the directory up to date and to 
   give us some indication when the contact process seems to be going
   awry. However, it refrains from giving detailed directions to the
   staff and relies on their prudence in setting out the timing and
   the process of this verification.

g) I interpret "facilitating the operation of interconnected IP
   networks" to include the provision of data that allows some mapping
   and statistical analysis of the address space. For that reason, some
   small amount of data is required to enumerate and distinguish
   sub-allocations and assignments.

h) This policy covers rwhois as well. ARIN is charged to maintain the 
   whois directory but can certainly delegate some of this task to
   rwhois users. And when the policy specifies that all address blocks
   must be represented in the directory it also allows for this
   information to be published indirectly, for instance, through
   rhwois. However the policy does not require rwhois technology
   since it is in such a sad state of repair. It also refrains from
   prescribing LDAP at this time ;-)
 
i) The classification system for organization types has been
   intentionally left unspecified. Obviously, it needs to include
   "individual" as a type but it could include NAICS sector codes,
   e.g. "NAICS 25" is the construction industry. It could also include
   NTEE codes for non-profits e.g. "NTEE H" is Medical research. And
   it could include some simple codes like "Company", "Non-Profit",
   "Education", "Government" for users who don't know about the
   various classification systems.

j) End users are truly anonymous, no name, no address, no zip/postal
   code.  In other words, people who are not involved in network
   operations are not identified in any way by the whois directory.

Timetable for implementation: 30 days after ratification