[arin-ppml] Policy Proposal: Annual WHOIS POC Validation

Divins, David dsd at servervault.com
Mon Aug 25 12:40:59 EDT 2008 

I am in support of this proposal.  I feel the operational issues are
best left to staff but I think the spirit of this is great!

-dsd

David Divins
Principal Engineer
ServerVault Corp.
(703) 652-5955

-----Original Message-----
From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
Behalf Of Member Services
Sent: Monday, August 25, 2008 8:27 AM
To: arin-ppml at arin.net
Subject: [arin-ppml] Policy Proposal: Annual WHOIS POC Validation

ARIN received the following policy proposal. In accordance with the ARIN
Internet Resource Policy Evaluation Process, the proposal is being
posted to the ARIN Public Policy Mailing List (PPML) and being placed on
ARIN's website.

The ARIN Advisory Council (AC) will review this proposal at their next
regularly scheduled meeting. The AC may decide to:

   1. Accept the proposal as written. If the AC accepts the proposal, it
will be posted as a formal policy proposal to PPML and it will be
presented at a Public Policy Meeting.

   2. Postpone their decision regarding the proposal until the next
regularly scheduled AC meeting in order to work with the author. The AC
will work with the author to clarify, combine or divide the proposal. At
their following meeting the AC will accept or not accept the proposal.

   3. Not accept the proposal. If the AC does not accept the proposal,
the AC will explain their decision via the PPML. If a proposal is not
accepted, then the author may elect to use the petition process to
advance their proposal. If the author elects not to petition or the
petition fails, then the proposal will be closed.

The AC will assign shepherds in the near future. ARIN will provide the
names of the shepherds to the community via the PPML.

In the meantime, the AC invites everyone to comment on this proposal on
the PPML, particularly their support or non-support and the reasoning
behind their opinion. Such participation contributes to a thorough
vetting and provides important guidance to the AC in their
deliberations.

The ARIN Internet Resource Policy Evaluation Process can be found at:
http://www.arin.net/policy/irpep.html

Mailing list subscription information can be found at:
http://www.arin.net/mailing_lists/

Regards,

Member Services
American Registry for Internet Numbers (ARIN)


## * ##


Policy Proposal Name: Annual WHOIS POC Validation

Author: Chris Grundemann

Proposal Version: 1

Submission Date: 21-Aug-2008

Proposal type: new

Policy term: permanent

Policy statement:

ARIN will conduct POC validation annually.  This validation will employ
an automated system which will send a message to every separate email
address in the whois directory.  The message sent will request that the
receiver verify that they are in fact the POC in question by replying to
the email in a manner which will satisfy the automated systems
requirements.  The email message will also include information and
instructions for reporting suspected fraud.  If a valid response is not
received within 14 days, every instance of the unresponsive email
address will be replaced with "REFUSED RESPONSE" in the whois directory.

The list of POCs with this marking will be reviewed by ARIN staff and
manual contact attempts (telephone, postal mail) can be made at their
discretion.  After a minimum of three manual contact attempts have been
made, with at least one to each physical address and telephone number
provided and a minimum of three calendar months have passed from the
third qualifying attempt; the POC record should be locked or deleted.
The decision of whether to lock or delete the account should be made on
a case by case basis.

Following this validation each year, a list of address blocks with zero
valid POCs should be made easily available to the community.
Accurate annual records should be kept with regard to the total number
of POCs, the number of POCs marked with "REFUSED RESPONSE," the number
of locked POCs and the number of deleted POCs in addition to any other
data that ARIN staff believes is appropriate to record with regard to
this validation process.  These records should be available to the
public on request.

Rationale:

The intention of this proposal is to ensure valid whois POC information
with an annual validation process.  It further aims to mitigate any risk
that it creates in so doing.

One of the most important resources when dealing with abuse (including
hijacking, spam, ddos, etc) is whois.  ARIN's whois data is only useful
if it is known to be valid.  The current NRPM does not address this in a
manner which ensures up to date POC contact information in all cases.
The focus is on valid email addresses because this is the contact method
of choice for most in the Internet community when dealing with abuse or
hijacking issues.  POC information that can not be confirmed can be
judged as not valid.

A netblock with no valid POC presents a target to hijackers.  Once POC
info is marked or tagged as invalid (like this policy proposes), it
becomes possible for potential hijackers to locate such netblocks by
searching the whois database.  As a defense against such hijacking
attempts, this policy proposes that the information be presented in full
to the entire community.  This should do at least one of two things;
bring the netblock to the attention of whomever is responsible for it
and/or allow other network operators to understand the potential risk
and take appropriate action to mitigate.

Timetable for implementation: The first validation should take place
within one calendar year of the policy being accepted.
_______________________________________________
PPML
You are receiving this message because you are subscribed to the ARIN
Public Policy Mailing List (ARIN-PPML at arin.net).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-ppml
Please contact info at arin.net if you experience any issues.

More information about the ARIN-PPML mailing list