[ppml] Proposal: make Abuse Handle *REQUIRED* for AS Registration

Lawrence Baldwin baldwinL at mynetwatchman.com
Thu Jul 24 11:24:49 EDT 2003


>	why do you think that these contacts would be kept any more
>	current/correct than the already -REQUIRED- contacts, e.g.

>	root and postmaster contacts/accounts are -REQUIRED-
>	so why not use those instead?

>	your presumption that adding more required email role accounts
>	will make things safer does not appear to me to be well grounded.

You are absolutely right, requiring abuse handles to be *specified* is just
one component of changes that are sorely needed.

I also believe that ALL specified email addresses, whether for Tech or Abuse
handles MUST be *verified* by means of an acknowledgement email (this is
standard procedures for most web registration systems...why not for ARIN?)

AND (as jlewis suggests) contact emails should be re-validated (via email
acknowledgement) periodically...e.g. once per quarter.

I am less excited about the validation process as I expect there is no way
to enforce any *consequence* of failing to keep a valid email in your
handles.
If there are no consquences, then there is no incentive and sadly that just
means it will ultimately go stale.  Its a very sad day when a 1MM user ISP
(he who shall not be named) has an AS Tech handle who left the company 5
YEARS ago!

However, it is very easy to enforce this requirement during the registration
process...bottom-line, if you don't provide a abuse and tech contact AND
both mailboxes are validated via acknowledgement email ... you don't get
your assignment...simple as that.

If there is some way to create consequences of not keeping this info up to
date I'm all for that...within reason.

IMHO, the inability to identify and contact the responsible party for a
given network is a very serious security vulnerability.

I don't pretend to have all the answers, and I expect this process will
never approach perfection, however, if there are some simple and practical
things we can do to *improve* the process, by all means.  I expect that
focusing on AS contact info first would be a vast improvement as it provides
a very straightforward backtracing process.  I currently *try* to identify
appropriate abuse contacts for over 240,000 domains...I'd guess that only
50-60% of them are correct.  I'd MUCH rather invest my time trying to
identify/validate contacts for the < 30,000 AS #'s that are out there.
Still not trivial, but an order of magnitude easier.

I detect about 4 compromised hosts per MINUTE, sending over 5,000 security
notices/day...plus another 10,000-15,000 secondary notices/day ... I would
be very happy if I had some degree of confidence that these notices were
actually being received and read by someone.  An added bonus would be if
they cared. ;)

Lawrence Baldwin
myNetWatchman.com




More information about the ARIN-PPML mailing list