other comments on Re: [ppml] Directory Services - Take 2

Edward Lewis Ed.Lewis at neustar.biz
Fri Jun 10 10:53:16 EDT 2005

At 17:32 -0400 6/9/05, Leo Bicknell wrote:
>Now that things have been quiet for a while, a resend to see if we can
>spark some discussion on directory services....
>In a message written on Mon, May 09, 2005 at 04:07:42PM -0400, Leo 
>Bicknell wrote:
>>  Below is my directory services proposal, take two.  Based on feedback
>>  from the last meeting, I have removed the option of displaying SWIP
>>  information, and also updated several minor terms which were confusing
>>  from feedback on the mailing list.  I'd like to get some discussion
>>  going so this can be ready for the next ARIN meeting.
>>  Also, at the end of this message I included a context diff to call
>>  out the changes.
>>  $Author: bicknell $ - $Date: 2005/05/09 20:06:30 $ - $Revision: 1.4 $
>>  Replace all of section three with the following rewrite.
>>  3 Directory Services
>>    3.1 ARIN Directory Services Databases
>>       The ARIN Public Information Database (APID) is a collection
>>       of information created and collected by ARIN during the due
>>       course of business which the ARIN membership has deemed public
>>       information and decided to publish.
>>       The ARIN Confidential Information Database (ACID) is a collection
>>       of information created and collected by ARIN during the due course
>>       of business which the ARIN membership has deemed is confidential
>>       information that should be kept under a strict privacy policy.

"a strict privacy policy" - this is too ambiguous.  E.g., a policy of 
making everything public can be strictly enforced.  Either there 
should be a reference to ARIN's privacy policy here or the policy 
should be expressed.

I'm not prepared to dictate a policy, but I am guessing that the 
policy for ACID would be one of no disclosure to third parties except 
law enforcement under authorization.  Such data will be encrypted 
when stored in or enroute to an off-site archive facility.  Etc.

>>    3.2 Directory Information Made Public
>>       ARIN shall publish verified contact information and the
>>       resource(s) allocated (including identification for that
>>       allocation, like date of allocation or other information
>>       identified by ARIN) in the APID for all resources delegated
>>       by ARIN.  In addition, all reassignment information as defined
>>       by section will be included in the APID.

"Delegated" - is that the same as "allocated?"  (Either this is a 
comment to use consistent language or a request to define a new term.)

What about the history of resources, space that has been returned or reclaimed?

Does this apply to pre-ARIN collected data?

>>       ARIN shall insure all contact information in the APID is
>>       verified from time to time and is correct to the best of ARIN's
>>       ability.  ARIN staff shall maintain verification criteria and
>>       post it on the ARIN web site.

The first word "ARIN" - does that equate to "ARIN staff" (which is 
also in the paragraph) in all instances?  I.e., when referring to 
"ARIN membership" is that always explicit?

>>       3.2.1 Non-Responsive Contacts
>>         If ARIN is unable to verify contact information via the normal
>>         verification procedure ARIN shall attempt to notify the parent
>>         of the resource to have the information updated.  If there is
>>         no parent, or if the data is not corrected in a reasonable
>>         amount of time the resource shall be SUSPENDED.

I've asked this before, but what does "SUSPENDED" mean?  I ask this 
particularly because the word is capitalized as if it has a special 

I assume this does not apply to resources allocated "prior to ARIN" 
that appear in ARIN's WHOIS.

>>         Once the resource is suspended ARIN shall make one more
>>         request of all contacts listed with the resource and the
>>         parent resource (if available), and if no response is received
>>         in a reasonable amount of time the resource shall be reclaimed
>>         (APID records removed, DNS delegations removed, the space
>>         returned to the free pool).
>>         Third parties may report the inability to make contact with
>>         a party via information in the APID.  In this case ARIN shall
>>         attempt the contact verification procedure for that contact
>>         immediately.  If a response is received, ARIN should document
>>         that a problem occurred, and the response from the resource
>>         holder.  Resource holders who fail to respond to third parties
>>         more than 4 times per month for three months may have their
>>         resources reclaimed at the discretion of ARIN staff.

It sounds like ARIN (staff) ought to document that a problem occurred 
regardless of whether a response is received or not.  I.e., "ARIN 
should document that a problem occurred, attempt the contact 
verification procedure, and if a response is received, document the 

>>         If a third party submits reports of the inability to make contact
>>         that are subsequently disproven, ARIN may choose to ignore reports
>>         from specific companies, people, e-mail addresses, or any other
>>         classification means as appropriate.
>>         The ARIN staff shall publish the time thresholds and procedural
>>         details to implement this policy on the ARIN web site.
>>         If a resource is reclaimed under no circumstances shall the
>>         holder of that resource be entitled to a refund of any fees.

When reading this proposal, there are times when I feel that it lacks 
detail and there are times when I think it has too much detail. 
Section 3.2.1 seems to be overly detailed - specifying too much of a 
process for verifying contact information.

Wouldn't it be sufficient to say that -

ARIN (staff) will implement procedures to check and maintain the 
currency of contact information in APID and ACID.  ARIN will also 
respond to third party reports of non-functioning contact 
information.  The procedures will be publicly documented on the ARIN 
web site and available for review during public policy meetings.

Resources with non-functioning contact information may be subject to 
reclamation (I assume that is described somewhere) with no refund of 
any fees paid to ARIN.

>>    3.3 Data Distribution
>>       3.3.1 Methods of Access
>>         ARIN shall publish the APID in the following methods using
>>         industry standard practices:
>>             - Via the WHOIS protocol.
>>             - Via a query form accessible via the HTTP protocol.
>>             - Via FTP to users who complete the bulk data form.
>>             - Via CDROM to users who complete the bulk data form.
>>             - Via the RWHOIS protocol.

I would like to see IRIS added, at least on the roadmap to be added. 
I would also give a minor plug to the effort to stamp out RWHOIS.

Again, this seems like too much detail - specifying protocols and not 
the service.  OTOH, I can see why the detail is important, so I'm not 
sure I'd argue to drop this list.

>>         All users of the APID must agree to the ARIN AUP.  ARIN staff
>>         may make the APID available via other methods as conveniant.
>> Outside Sources
>>         ARIN may refer a query to a outside source (for instance via
>>         RWHOIS or HTTP redirect).  Outside sources must:

s/ a / an /

>>         1 Have an AUP deemed compatible with the ARIN AUP by ARIN staff.
>>         2 Support the applications in section 3.3.1.

applications or transports?

>>         3 Prohibit the applications in section 3.3.2.

I don't see any applications in 3.3.2.

>>         4 Meet the requirements in section 3.3.3.

What confuses me is that between this and 3.3.3 - is this a 
requirement that anyone holding data ARIN refers to has to meet the 
same standard for ARIN's servers?  It would seem to me that this 
doesn't belong in the policy about APID/ACID but in the policy 
regarding the responsibilities of a resource holder.

>>       3.3.2 Acceptable Usage Policy
>>         All data provided shall be subject to an AUP.  The AUP shall
>>         be written by ARIN staff and legal and posted on the ARIN website.
>>         ARIN may require a signed copy of the AUP before providing
>>         bulk data.
>>       3.3.3 Requirements for Internet Accessible Services
>>         For any method of access which is provided in real time via the
>>         Internet the following requirements must be met:
>>  	 * The distributed information service must be operational
>>  	   24 hours a day, 7 days a week to both the general public
>>  	   and ARIN staff.  The service is allowed reasonable
>>  	   downtime for server maintenance according to generally
>>  	   accepted community standards.

What is the "distributed information service?"  Is that ARIN's 
servers or the servers run by resource holders?

How does this apply to the distribution of CDROMs (or other fixed media)?

>>  	 * The distributed information service must allow public
>>  	   access to reassignment information. The service may
>>  	   restrict the number of queries allowed per time interval
>>  	   from a host or subnet to defend against DDOS attacks,
>>  	   remote mirroring attempts, and other nefarious acts.
>>           * The distributed information service must return current
>>             information.
>>    3.4 Distribution of the ARIN Public Information Database
>>        3.4.1 Supported Uses
>>          ARIN shall make the APID available for the following uses
>>          (supported uses):
>>            1 ARIN's use in implementing ARIN policies and other
>>              business.
>>            2 Community verification, allowing members of the community
>>              to confirm the proper users of the various resources ARIN
>>              controls.
>>            3 Statistic gathering by ARIN and third parties on resource
>>              utilization.
>>            4 As a contact database to facilitate communication with the
>>              person or entity responsible for a particular resource.
>>        3.4.2 Prohibited Uses
>>          ARIN prohibits the use of the APID for the following uses:
>>            1 Sending any unsolicited commercial correspondence advertising
>>              a product or service to any address (physical or electronic)
>>              listed in the APID.
>>            2 Using data in the APID to facilitate violating any state,
>>              federal, or local law.
>>        3.4.3 Other Uses
>>          ARIN shall allow all non-prohibited uses of the APID, however
>>          unless those uses are listed as a supported use the data set
>>          may be changed in such a way as to render them ineffective,
>>          or they may be blocked outright as deemed necessary by ARIN
>>          staff.  Users of applications not listed who are concerned
>>          that they are supported should introduce a proposal to add
>>          their application to the supported list.
>>    3.5 Distribution of the ARIN Confidential Information Database
>>      ARIN Staff shall use industry standard procedures to prevent
>>      the distribution of any data in the ARIN Confidential Information
>>      Database.

This talks about "prevention" but not allowed access.  I would think 
that allowed access to this ought to be explained - legal access, 
formats in which  data will be disseminated, requirements for 
protection enroute, requirements for destruction when done.

>>    3.6 Implementation Details
>>      ARIN Staff shall document all implementation specific details for
>>      directory services in a single document available on the web site.
>>      The document must contain, but is not limited to:
>>        - Database field definitions.
>>        - Update procedures.
>>        - Templates.
>>        - Points of contact.
>>        - Copies of the AUP.
>>        - Verification procedures.
>>    3.7 [Routing Registry] Copy Verbatim from the existing 3.4.
>>  Section Replace with:
>>    All reassignment information for current blocks shall be submitted to
>>    ARIN prior to submitting a request for a new allocation.

Edward Lewis                                                +1-571-434-5468

If you knew what I was thinking, you'd understand what I was saying.

More information about the ARIN-PPML mailing list