[ppml] Proposed policy - Purpose and scope of ARIN Whois directory

[Member Services]

ARIN received the following policy proposal.  In accordance
with the ARIN Internet Resource Policy Evaluation Process the
proposal is being posted to the ARIN Public Policy Mailing List
and being placed on ARIN's website.

The ARIN Advisory Council will review the proposal and within
ten working days may decide to: 
1)  support the proposal as is, 
2)  work with the author to clarify, divide or combine one or more
    policy proposals, or 
3)  not support the policy proposal. 
 
If this proposal is accepted by the Advisory Council or successfully
petitioned it will be posted as a formal policy proposal to the Public
Policy Mailing List and it will be presented at the Public Policy
Meeting.  If the proposal is not supported by the AC and the author
elects not to petition or the petition fails, then the policy proposal
will be considered closed.

The ARIN Internet Resource Policy Evaluation Process is available at:
http://www.arin.net/policy/ipep.html

Mailing list subscription information is available at:
http://www.arin.net/mailing_lists/index.html

Member Services 
American Registry for Internet Numbers (ARIN) 


### * ### 


Policy Proposal Name: Purpose and scope of ARIN Whois directory

Author: Michael Dillon

Author's Organization: Radianz, Inc.

Policy term: permanent

Policy statement: 

1. ARIN shall maintain and publish a directory of contact information
   for the purposes of facilitating the operation of interconnected 
   IP networks. 

2. This directory will contain contact information for all organizations
   and individuals within the ARIN region who have received IP allocations
   or AS numbers directly from ARIN or its predecessors.

3. Organizations and individuals must guarantee to ARIN that contact 
   addresses published in the whois directory will reach a person who 
   is ready, willing and able to communicate regarding network operations 
   and interconnect issues and who is able to act on that communication.

4. Any other organizations may elect to be listed in the whois directory 
   as long as they make the guarantee detailed in item 3.

5. All contacts listed in the whois directory will be contacted 
   periodically and the directory will indicate information which may
   be stale if contact cannot be made promptly.

6. Additionally, the whois directory will contain, directly or indirectly,
   a record of all address blocks sub-allocated or assigned by the 
   entities mentioned in item 3.

7. The records mentioned in item 7 will not identify the organization or
   individual receiving the address block or their exact location. These
   records will only indicate an organizational type, the nearest
   municipality providing postal service to the end user, state/province
   and country.

Rationale: 

ARIN doesn't really have a policy regarding whois. Most of what we have
today is adopted based on a long tradition that nobody understands 
anymore.

In looking back at historical sources it appears that whois was originally
set up so that ARPANET site managers could justify their ARPANET 
connectivity funding by enumerating the people/projects that were making
use of the ARPANET.

Times have changed and tradition is no longer sufficient reason for doing 
things.

This proposal attempts to put in place a simple statement of the purpose 
and scope of a whois directory. It is my opinion that if we cannot all
agree on some sort of simple policy similar to what I am proposing, then
we probably should scrap the whois directory entirely.

Nothing in this policy should be construed to restrain ARIN staff's 
ability to maintain and use whatever databases they may need in the
performance of their duties including IP address allocation. This policy
only refers to the data which is made freely available to the public.

If this policy is adopted it will also alleviate concerns from the 
cable and DSL industry in regard to residential user privacy.

a) ARIN policy doesn't currently state that ARIN will maintain
   or publish a whois directory. This policy fixes that.

b) This proposal also explicitly states the purpose of the 
   whois directory as being targeted at internetworking and
   operational issues. It is not intended to help anti-spamming 
   collectives bypass the ISPs who are responsible for operating a
   network. In fact one of the goals is to make it harder for
   anti-spamming groups to attack end users. This whois policy would
   force them to report network abuse to the ISP employees who are
   responsible for finding and fixing network abuse issues.

c) The proposal does not recognize research as part of the scope of the
   whois directory, however items 6 and 7 do provide for data which
   allows some mapping and analysis of address usage and therefore
   the research community will not be left out in the cold.

d) This policy only directly puts a mandate on those organizations who
   have, or should have, an ARIN relationship to supply data. 

e) The policy also allows any responsible party to add their contact
   data to the ARIN database. However, this is done with their consent
   and by binding them to act responsibly, i.e. you can't list your
   organization and then ignore all abuse reports. The words "Ready,
   willing and able to communicate" are important here.

f) The ARIN staff are charged to keep the directory up to date and to 
   give us some indication when the contact process seems to be going
   awry. However, it refrains from giving detailed directions to the staff
   and relies on their prudence in setting out the timing and the process
   of this verification.

g) I interpret "facilitating the operation of interconnected IP
   networks" to include the provision of data that allows some mapping
   and statistical analysis of the address space. For that reason, some
   small amount of data is required to enumerate and distinguish
   sub-allocations and assignments.

h) This policy covers rwhois as well. ARIN is charged to maintain the 
   whois directory but can certainly delegate some of this task to
   rwhois users. And when the policy specifies that all address blocks
   must be represented in the directory it also allows for this
   information to be published indirectly, for instance, through
   rhwois. However the policy does not require rwhois technology
   since it is in such a sad state of repair. It also refrains from
   prescribing LDAP at this time ;-)
 
i) The classification system for organization types has been intentionally
   left unspecified. Obviously, it needs to include "individual" as a type
   but it could include NAICS sector codes, e.g. "NAICS 25" is the
   construction industry. It could also include NTEE codes for non-profits
   e.g. "NTEE H" is Medical research. And it could include some simple
   codes like "Company", "Non-Profit", "Education", "Government" for 
   users who don't know about the various classification systems.

j) End users are truly anonymous, no name, no address, no zip/postal code.
   In other words, people who are not involved in network operations are
   not identified in any way by the whois directory.

Timetable for implementation: 30 days after ratification