[arin-ppml] Policy Proposal: Whois Integrity Policy Proposal

Leo Bicknell bicknell at ufp.org
Wed Aug 20 16:02:45 EDT 2008


In a message written on Wed, Aug 20, 2008 at 12:47:44PM -0600, Eric Westbrook wrote:
>    I originally entered this conversation, perhaps naively, actually
>    expecting the debate to be about the proposal's stated purpose. It's
>    clearly not.  In fact, I haven't once heard even speculation that it's
>    an actual problem.   No hard numbers of fraud occurrences, no damage
>    figures, not even any guesses. So it would seem that, as posed, this
>    proposal is either a solution in search of a problem, or a trojan
>    horse for RSA mandating.

Unfortunately there is a lack of hard numbers.  There have been a
number of groups that have tried to track hijacked netblocks over
the years, entering "hijacked netblocks" in google will find plenty.

ARIN does much of its work on them behind closed doors, and for
good reason.  ARIN actually tries to get criminal and civil prosecution
of the fraudsters.  More than a few ISP folks will tell you in the
halls about cases where a customer came to them with a funny looking
block, they referred it to ARIN and soon after that person no longer
had the block.  I believe many of these are from hijacking.

ARIN has stood up in several meetings when asked about hijackings
and has always said the same thing, far more attempts are made to
hijack legacy space than ARIN assigned space; and the primary reason
is the contact information for the legacy space was either never
fully filled out in the first place, or points all to sources that
are now gone.

People have in fact registered lapsed domains because they can then
send e-mail from the address in whois, I believe in one case they
even got the phone company to assign them an old phone number (it
wasn't in use anymore, so they could just request it).  Most
importantly, if it has become fallow there is no one to notice
someone else announcing the space!

While I don't have a hard number (x blocks were hijacked last year),
and I can't tell you the economic impact (how much did it cost ARIN?
for that matter, how much does it cost the net as a whole if spammer
gets to use a hijacked block for 3 months?) I believe both are
significant enough we should do something about it.

A contract is about "I do something for you, you do something for
me." ARIN is taking the time and effort to verify paperwork in this
case, and vouch to the rest of the world, via whois, that you are
the proper holder of the resource in question.  That you have a
right to use the unique integers, and no one else does.  I believe
anyone who derives that benefit should have both a contract, and
pay the cost recovery portion of that service at a minimum.

I said "a contract" because to me it does not have to be the current
RSA or LRSA.  It could be a different kind of contract; but at the
minimum it has to state the rights and obligations on both sides.
Part of the reason we are in this mess is because early on someone
decided not to write some of this stuff down.  Courts hate oral/implied
contracts.  They want to see there was a meeting of the minds, and
writing it down is the best way.  In this case I think the LRSA meets
all of my requirements, but that does not mean some other contract
couldn't meet it as well.

I'm also open to the idea that there are other ways to solve this
problem.  This proposal to me does not need to be the end all be
all.

>    That said, it does seem to me that some proposal, perhaps one as
>    simple as requiring use of the existing digital certificate
>    facilities, to improve whois integrity would probably have noteworthy
>    merit.  I do see a new proposal on the list regarding whois
>    authentication.  It seems to depend on this one, so I believe it's
>    moot.

The question I would ask then is if such a proposal should be required?
If only 10% of the legacy holders opted to get a digital certificate
that's good, but it leaves 90% of the problem.  Can, and/or should ARIN
mandate upgraded security, such as digital certificates?

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
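The failure mode described in the message above (a legacy block whose whois contacts have gone fallow, so nobody notices a third party announcing it) lends itself to a simple defensive check. The following is an added example, not code from the original post or from ARIN: it compares observed BGP origins against the registered holder and raises the severity when the contact data looks dead. All records, domains, routes and AS numbers are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class WhoisRecord:
    prefix: str              # the registered netblock
    expected_origin_as: int  # AS the holder is known to announce from
    contact_email: str       # contact published in whois
    last_updated: date       # when the record was last touched

# Constructed sample data; none of these are real ARIN records or routes.
TODAY = date(2008, 8, 20)
RECORDS = [
    WhoisRecord("192.0.2.0/24", 64500, "noc@isp.example", date(2008, 1, 10)),
    WhoisRecord("198.51.100.0/24", 64496, "admin@defunct.example", date(1995, 3, 2)),
    WhoisRecord("203.0.113.0/24", 64497, "ops@example.net", date(2007, 6, 15)),
]
LIVE_DOMAINS = {"isp.example", "example.net"}  # contact domains still registered
OBSERVED = [("192.0.2.0/24", 64500),            # (prefix, origin AS) pairs seen
            ("198.51.100.0/24", 64501),         # at a route collector
            ("203.0.113.0/24", 64502)]

def contact_is_reachable(rec, live_domains):
    """True when the whois contact's mail domain is still registered."""
    return rec.contact_email.rsplit("@", 1)[-1].lower() in live_domains

def is_fallow(rec, live_domains, today, max_age_years=5):
    """Fallow: contact domain lapsed, or record untouched for years."""
    stale = (today - rec.last_updated).days > 365 * max_age_years
    return stale or not contact_is_reachable(rec, live_domains)

def find_suspect_announcements(records, observed, live_domains, today):
    """Flag prefixes announced from an origin other than the registered one."""
    by_prefix = {r.prefix: r for r in records}
    alerts = []
    for prefix, origin in observed:
        rec = by_prefix.get(prefix)
        if rec is None or origin == rec.expected_origin_as:
            continue  # unknown prefix, or the expected holder: nothing to do
        # A fallow block has no one left to raise the alarm, so rank it higher.
        alerts.append({
            "prefix": prefix,
            "expected_origin": rec.expected_origin_as,
            "observed_origin": origin,
            "severity": "high" if is_fallow(rec, live_domains, today) else "medium",
        })
    return alerts
```

With the constructed data, the 1995 record with a lapsed contact domain is reported as a high-severity mismatch and the recently maintained block as medium.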