[arin-ppml] Draft Policy 2008-7: Identify Invalid WHOIS POC’s

Chris Grundemann cgrundemann at gmail.com
Thu Apr 2 13:39:28 EDT 2009 

Even if we accept your "partial and rough" assumptions, the final
number is almost meaningless with out a proper frame of reference.  In
this case I think the proper complimentary question is; what is the
cost of not doing anything - or in other words, what is the cost of
having bad POC data in WHOIS?

The first part of that question is:  How much time is spent per org
per year tracking down contact information for number resources
because the POC email is invalid?  Based on conversations with folks
who deal with abuse issues day to day, it is my understanding that
somewhere in the range of 40% to 50% of POC email address data is
currently worthless (no response).  When that is the case, these folks
must search for other methods of contact to reach the org in question.
 I don't have hard numbers on how many abuse contacts are made each
year but if OrgX has 4 POCs (and it does take them 5 minutes to reply
to an ARIN contact request), then a single 20 minute search for
another orgs contact info makes it worthwhile to get all POC data
validated.

The second part of that initial question is:  How many hijackings (or
other abuses) will be prevented, mitigated or shortened by having
valid POC data in WHOIS (and having a list of unmanaged space to
filter against)?  This one is even harder to put a solid number on but
I have to assume it is quite large.

There may also be a third cost benefit under this policy:  I
understand that ARIN staff currently spends a non-marginal amount of
time tracking down billing POCs year to year.  If timed correctly,
this POC email validation procedure could cut down on that
considerably by insuring that ARIN has at least a valid email address
to start with.

Finally, uncovering number resources that are currently abandoned is
of great benefit to the community and leads to the further benefit
that if and when anyone ever comes to ARIN with questions about
address utilization, ARIN will have better supporting information for
their answer.  "Yes, we _have_ verified that someone is using all that
space..."

~Chris


On Thu, Apr 2, 2009 at 09:36, William Herrin <bill at herrin.us> wrote:
> On Thu, Apr 2, 2009 at 9:51 AM, Member Services <info at arin.net> wrote:
>> Draft Policy 2008-7
>> Identify Invalid WHOIS POC’s
>
> Here's a very partial and very rough cost estimate on implementing
> this proposal:
>
> Let's assume it takes me 5 minutes to scan the email, recognize that
> its the annual game of tag, find the instructions in the message,
> follow the instructions to certify my POC record is still valid and
> then get my mind back in the game for what I was working on before the
> interruption.
>
> 5 minutes per contact * 223,000 POCs / 60 minutes per hour = 18,600 man-hours.
>
> Most of your POCs earn between $30 and $70 per hour with a median
> around $50. That's just what it costs for someone in North America who
> is competent to perform deep technical work of this nature. Time value
> to a company is typically 3 times or more what an employee is paid.
> So, figure that those typically hours "cost" the organizations $150
> each.
>
> $150 per hour * 18,600 hours per year = $2,800,000 per year.
>
> Regards,
> Bill Herrin
>
>
>
>
> --
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.

>

-- 
Chris Grundemann
weblog.chrisgrundemann.com

More information about the ARIN-PPML mailing list