ARIN-PPML Message

[arin-ppml] Policy Proposal: Annual WHOIS POC Validation

ARIN received the following policy proposal. In accordance with the ARIN
Internet Resource Policy Evaluation Process, the proposal is being
posted to the ARIN Public Policy Mailing List (PPML) and being placed on
ARIN's website.

The ARIN Advisory Council (AC) will review this proposal at their next
regularly scheduled meeting. The AC may decide to:

   1. Accept the proposal as written. If the AC accepts the proposal,
it will be posted as a formal policy proposal to PPML and it will be
presented at a Public Policy Meeting.

   2. Postpone their decision regarding the proposal until the next
regularly scheduled AC meeting in order to work with the author. The AC
will work with the author to clarify, combine or divide the proposal. At
their following meeting the AC will accept or not accept the proposal.

   3. Not accept the proposal. If the AC does not accept the proposal,
the AC will explain their decision via the PPML. If a proposal is not
accepted, then the author may elect to use the petition process to
advance their proposal. If the author elects not to petition or the
petition fails, then the proposal will be closed.

The AC will assign shepherds in the near future. ARIN will provide the
names of the shepherds to the community via the PPML.

In the meantime, the AC invites everyone to comment on this proposal on
the PPML, particularly their support or non-support and the reasoning
behind their opinion. Such participation contributes to a thorough
vetting and provides important guidance to the AC in their deliberations.

The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html

Mailing list subscription information can be found at:
http://www.arin.net/mailing_lists/

Regards,

Member Services
American Registry for Internet Numbers (ARIN)


## * ##


Policy Proposal Name: Annual WHOIS POC Validation

Author: Chris Grundemann

Proposal Version: 1

Submission Date: 21-Aug-2008

Proposal type: new

Policy term: permanent

Policy statement:

ARIN will conduct POC validation annually.  This validation will
employ an automated system which will send a message to every separate
email address in the whois directory.  The message sent will request
that the receiver verify that they are in fact the POC in question by
replying to the email in a manner which will satisfy the automated
systems requirements.  The email message will also include information
and instructions for reporting suspected fraud.  If a valid response
is not received within 14 days, every instance of the unresponsive
email address will be replaced with "REFUSED RESPONSE" in the whois
directory.

The list of POCs with this marking will be reviewed by ARIN staff and
manual contact attempts (telephone, postal mail) can be made at their
discretion.  After a minimum of three manual contact attempts have
been made, with at least one to each physical address and telephone
number provided and a minimum of three calendar months have passed
from the third qualifying attempt; the POC record should be locked or
deleted.  The decision of whether to lock or delete the account should
be made on a case by case basis.

Following this validation each year, a list of address blocks with
zero valid POCs should be made easily available to the community.
Accurate annual records should be kept with regard to the total number
of POCs, the number of POCs marked with "REFUSED RESPONSE," the number
of locked POCs and the number of deleted POCs in addition to any other
data that ARIN staff believes is appropriate to record with regard to
this validation process.  These records should be available to the
public on request.

Rationale:

The intention of this proposal is to ensure valid whois POC
information with an annual validation process.  It further aims to
mitigate any risk that it creates in so doing.

One of the most important resources when dealing with abuse (including
hijacking, spam, ddos, etc) is whois.  ARIN's whois data is only
useful if it is known to be valid.  The current NRPM does not address
this in a manner which ensures up to date POC contact information in
all cases.  The focus is on valid email addresses because this is the
contact method of choice for most in the Internet community when
dealing with abuse or hijacking issues.  POC information that can not
be confirmed can be judged as not valid.

A netblock with no valid POC presents a target to hijackers.  Once POC
info is marked or tagged as invalid (like this policy proposes), it
becomes possible for potential hijackers to locate such netblocks by
searching the whois database.  As a defense against such hijacking
attempts, this policy proposes that the information be presented in
full to the entire community.  This should do at least one of two
things; bring the netblock to the attention of whomever is responsible
for it and/or allow other network operators to understand the
potential risk and take appropriate action to mitigate.

Timetable for implementation: The first validation should take place
within one calendar year of the policy being accepted.