[ppml] Policy Proposal 2003-5: RWhois Server Use Requirements
Michael.Dillon at radianz.com
Fri Mar 7 05:06:52 EST 2003
> But some of the ISPs who
> have selected to use RWhois servers for their reassignment information
> have not kept the servers operational 24x7, contents of the database
> up-to-date, or are restricting access only to ARIN staff.

This may well be true but trying to fix it by creating a policy is like
trying to fix a gangrenous wound by using a sledgehammer. You may have
some impact but it will not result in a healthy solution.

The fact is that rwhois was a crude hack that should have only been
temporary. There is only one source code implementation for an rwhois
server and it is mostly undocumented. There is virtually no reason for
anyone to spend time tinkering with an rwhois server once it is set up and
running; therefore there is no opportunity for people to develop expertise.
As a result nobody trusts rwhois and that is one reason why it gets set up
with ARIN-only access. Changing policy will not address the security
issue.

Virtually no-one outside of ARIN and a few old-time ISP folks make use of
rwhois. Therefore there is little incentive to set it up as a publicly
accessible service and that also is not something that can be changed by
policy. Policies won't create a public demand for rwhois.

On the other hand, there is a large and growing public demand for the type
of information that is served up by rwhois. So there is good reason,
outside of ARIN's need for data, to fix this situation.

As I have said in the past, the solution lies in migrating away from the
obsolete rwhois protocol and server towards the IETF standard directory
service protocol, namely LDAP. I know that the CRISP working group
http://www.ietf.org/html.charters/crisp-charter.html is also looking at
developing a new protocol, IRIS, but I tend to take the pragmatic view
that we in the ARIN community should not be reinventing wheels when a
perfectly suitable wheel already exists that we can use.

The rwhois schema can easily be translated into an LDAP schema and I
suggest that ARIN should do this and publish it. ARIN should also set up
an LDAP server using OpenLDAP http://www.openldap.org and serve up a copy
of the existing whois data through that server. This is not rocket science
and can leverage most of the technical work that was done in converting to
the new database structure. LDAP is just a protocol for providing public
access to a set of defined data that is usually stored and managed using
other technology.

ARIN should also accept LDAP v3 (referral LDAP) as a valid way for
companies to supply addressing data as soon as they have published the
LDAP/rwhois schema. And ARIN should also apply to the IANA for a port
number assignment for LDAP used in this fashion so that we can easily
transition by simply implementing an LDAP server on the same hardware as
existing rwhois servers in a parallel fashion.

None of this stuff needs any public policy setting although I think it
would be healthy for a public discussion so that ARIN can see broad
support for bringing ARIN's external technical infrastructure up to modern
standards. This includes getting rid of email templates and implementing
web-based forms to replace them.

--Michael Dillon