[ARIN-consult] NEW Consultation: Available Methods of Reporting Network Sub-Delegation Information

Owen DeLong owen at delong.com
Thu Oct 12 17:18:09 EDT 2017


> On Oct 12, 2017, at 1:33 PM, Andrew Dul <andrew.dul at quark.net> wrote:
> 
> I'm writing to support the sunsetting of the rwhois protocol as a method for ARIN members to document reallocation and reassignment records.  
> 
> That doesn't mean this year or next year, but I believe we should set a timeline for deprecating this protocol.  Perhaps a date of 2022 would be reasonable.  (Yes, some organizations will not do the work despite the 4 years of time to do it, but a shorter time frame would also be unacceptable to some)
> 
> I have seen those who have posted on this consultation noting that "rwhois works and isn't broken so don't fix it."  While I will agree that it is "technically" not broken, I believe that it is operationally broken.  
> 
> These are some of the reasons why I believe we should move on to something better.  And by better, I mean moving to records stored in the ARIN database (SWIP) or RDAP.
> 
> -Rwhois doesn't support encryption or data-integrity during transport

Neither does WHOIS for records stored in the ARIN database (SWIP), so why should ISPs face an increased burden here if you are not also planning to eliminate whois?

> -There is no automatic referral, so when most people query ARIN whois they don't know there is potentially another more specific record and even if they are aware, how to do rwhois is not "easy" for many users.  Yes, it's easy for engineers and some operators, but there are many users of "whois" data for whom this is a barrier too high.  Could we invest in lots of training for rwhois, yes, but we will always be behind on this as long as it's not a click away for most users.

That’s a client implementation problem… There’s no reason clients couldn’t automatically follow referrals. The reality is that very few people actually use genuine rwhois clients (some of which will automatically follow referrals) and instead use a whois client (which works, but doesn’t do automatic referrals as you noted).

> -As was noted in the most recent ARIN meeting, law enforcement agencies use whois data as a source for their investigations and other work, and having accurate records available on a timely basis is very important to them.  I don't believe that rwhois data is as accessible and available as data in the ARIN database.

That depends on the provider implementing the RWHOIS server. In many (most?) cases, I think it is equally available.

> -RDAP was designed with referral in mind from the ground up, so that you get all the records no matter where they are located with a single query.  

This is also true with RWHOIS if you use an appropriate RWHOIS client. The difference is that RDAP is not backwards compatible with your WHOIS client, so it simply breaks unless you have an RDAP client.

> -ARIN (in possible collaboration with other RIRs) should develop an RDAP package for those who like to host their own distributed database.  The new package should support bulk retrieval of records to assist in data collection and analysis.  (Also it was noted in the most recent ARIN meeting that there are differences today in how the different RIRs are reporting fields/data via RDAP.  It would be good for the RIRs in collaboration with each other and other organizations that want to run RDAP servers for IP number resources to work to create a standard set of fields which are required for IP number resource records, along with other optional fields for additional data.)

RIPE’s WHOIS and RDAP are so thoroughly integrated to their IRR that you can’t manage their whois without dealing with the hassles and syntactic pedantry of RPSL. I would not consider inflicting this on the rest of the world to be an improvement.

> It has been noted casually that there are many rwhois servers which are down or aren't available.  I believe this also contributes to this data set being operationally unavailable.  

I’d argue that ISPs depending on RWHOIS to meet their ARIN obligations who have servers that are down or unavailable are not in compliance with their RSA obligations and these issues should be addressed on a case-by-case basis. If you have specific examples, report them to ARIN for investigation.

Owen




