[ppml] Industry self regulation (was IP address theft?)

Tue Apr 29 12:03:35 EDT 2003

-------------------------------------------------------

>I maintain that this is unrealistic..... IANA and RIRs have NO power.

IANA and the RIRs do have power. They don't have police power but they do 
have power and if they were serious in exercising that power then some 
things could be accomplished.

>Is there an world-wide ISP industry organization that scales to the level 
of
>representation needed to enter into agreements with RIRs or would this 
idea
>fail under the sheer weight of trying to work out individual agreements 
with
>hundreds of ISPs?

There is no such organization and the regulatory nightmare of trying to 
create one is too horrible to think about.

I suggest that ARIN should focus on wielding the power that it does have 
rather than trying to create yet another ICANN-like organization. The RIRs 
have the power to publish an authoritative directory identifying all of 
the IPv4 address space that they have allocated and which organizations 
have received the allocation. This power is strengthened when the data is 
kept accurate, is complete and is made easily and widely available. The 
power is weakened when the data is inaccurate, incomplete and not easy for 
non-insiders to get access to.

In the current state of affairs, ARIN has a whois database filled with 
inaccurate, incomplete and just plain useless data. In addition, there is 
no easy way for anyone to get access to this data other than for casual 
manual queries. I do not consider the whois system or the web gateway to 
be "easy access" because they are hard to plug into an application such as 
a firewall management system. The two main flaws are that the protocols 
used are obscure, i.e. not mainstream, and that the data must be parsed by 
the recipient application and is not in an inherently parseable format. 
LDAP would fix both of these "easy access" flaws which is why I promote 
its use. However the first problem of dirty data requires much more than a 
technical solution. It requires some leadership inside ARIN's AC and BoT.

Why go to the effort of cleaning the data and publishing it in a directory 
using mainstream protocols? Because then people will begin to *USE* the 
data and will begin to consider ARIN as an authoritative source to 
identify who is responsible for any given block of IP address space. 
Stewardship is not just something that ARIN does. It is also something 
that ARIN delegates; and we, the public, have the right to know which 
organizations have stewardship responsibility over which blocks of IP 
space. When the database is dirty, inaccurate and incomplete then our 
trust in the data is eroded and ARIN has failed in its stewardship 
responsibility.

--Michael Dillon