[arin-ppml] Policy Proposal: Whois Integrity Policy Proposal

heather skanks heather.skanks at gmail.com
Thu Aug 21 00:36:52 EDT 2008


My intention really is the integrity of whois data.  As an Internet service
provider that is part of the larger internet community, we want to know that
the records are accurate.  We depend on these records, and the actions we
take based on them can affect the community.  We'd like to avoid helping
someone use something they aren't authorized to, but that is made difficult
if we can not trust old records.  I truly believe a policy like this, is one
step toward making it more difficult to steal netblocks.  One step.. I
didn't say it was the absolute, or the end all way the prevent theft, just
that it raises the bar.

I considered proposing the same policy that was adopted in the APNIC
region.  The APNIC policy goes a step further and locked all "legacy"
resource records at once.  I intended the text I proposed as a compromise,
to ease into the process by requiring L/RSA when you went to update a
record.  I am beginning to think that was a mistake, and in order for this
to work that the policy should lock all legacy records or remove them
altogether.

I concede there are larger issues, ultimately ARIN is providing a service to
entities with which it has no formal arangement or agreement.  You can argue
the merits or demerits of the RSA and LRSA, but they are not relevent to the
text or intent of this policy.  (If you would like to argue the points of
the L/RSA, I encourage you to do so with ARIN staff and legal counsel, as
the policy development process has no mechanism to change either!) The RSA
and LRSA are the only mechanisms I know of for having a formal arrangement
with ARIN.  If there are other arrangements, or the possibility of others in
the future, the text can be modified to take that into account:

"To ensure the integrity of information in the ARIN WHOIS Database a
resource must be under an RSA (either legacy or traditional) or other
[formal/documented  legal/contract/agreement] with ARIN, in order to update
the WHOIS record."

I went through all of the emails.. I pulled out a few points/questions to
address:

> Which is it, the resource must be under an RSA, or the holder must be
> able to prove their right to the resource?  These are not the same
> thing

The LRSA contains a procedure for evaluating a legacy applicant's request to
sign the LRSA (See Section 3 of the LRSA).

.

> I do not think that this is an effort to make life difficult for legacy
holders (including my employer), but to
> prevent the theft of their address space. Heather, can you clarify? (Seems
that Verizon Business was
> involved in one to the cases I mentioned...not as a hijacker, of course.)
It is not my intention to make anyone's life difficult - in fact quite the
opposite.  I would like to make everyone more at ease and comfortable with
the records in the whois database.  I cringe when I see route change
requests for old netblocks that have not been updated.  I would love to see
a technical solution implemented- such a solution would still have this
underlying problem.  I don't know what incident the poster was referring to
wrt VZB - but as I previously mentioned, we are concerned about this, we do
not want to be an accessory to a hijacking.  Two recent and public
incidents, (that did not involve VZB in any way) were covered in this
article:
http://voices.washingtonpost.com/securityfix/2008/04/a_case_of_network_identity_the_1.html

> If you really want to reduce spam, go after those people and leave the
legacy holders alone who AREN'T
> spamming but just happen to have not signed an RSA.
Reduction of spam is not my primary goal, I'm not even sure I see the
correlation. Most providers can tell which of their customers is routing a
netblock and can work their customer support contacts for spam - besides
most spam is sourced from legit but compromised hosts these days.

 --Heather


On Mon, Aug 18, 2008 at 10:38 AM, Member Services <info at arin.net> wrote:

> ARIN received the following policy proposal. In accordance with the ARIN
> Internet Resource Policy Evaluation Process, the proposal is being
> posted to the ARIN Public Policy Mailing List (PPML) and being placed on
> ARIN's website.
>
> The ARIN Advisory Council (AC) will review this proposal at their next
> regularly scheduled meeting. The AC may decide to:
>
>     1. Accept the proposal as written. If the AC accepts the proposal,
> it will be posted as a formal policy proposal to PPML and it will be
> presented at a Public Policy Meeting.
>
>     2. Not accept the proposal. If the AC does not accept the proposal,
> the AC will explain their decision via the PPML. If a proposal is not
> accepted, then the author may elect to use the petition process to
> advance their proposal. If the author elects not to petition or the
> petition fails, then the proposal will be closed.
>
> The AC will assign shepherds in the near future. ARIN will provide the
> names of the shepherds to the community via the PPML.
>
> In the meantime, the AC invites everyone to comment on this proposal on
> the PPML, particularly their support or non-support and the reasoning
> behind their opinion. Such participation contributes to a thorough
> vetting and provides important guidance to the AC in their deliberations.
>
> The ARIN Internet Resource Policy Evaluation Process can be found at:
> http://www.arin.net/policy/irpep.html
>
> Mailing list subscription information can be found at:
> http://www.arin.net/mailing_lists/
>
> Regards,
>
> Member Services
> American Registry for Internet Numbers (ARIN)
>
>
> ## * ##
>
> Policy Proposal Name:  Whois Integrity Policy Proposal
>
> Author: Heather Schiller
>
> Proposal Version: 1
>
> Submission Date:  August 15, 2008
>
> Policy statement:
>
> To ensure the integrity of information in the ARIN WHOIS Database a
> resource must be under an RSA (either legacy or traditional) in order to
> update the WHOIS record.  ARIN will not update historical information in
> the ARIN Whois Database until the resource holder can prove the
> organization's right to the resource.
>
>
> Rationale:
>
> ARIN currently maintains WHOIS and in-addr.arpa delegation records in a
> best-effort fashion.  In many cases ARIN does not have a formal
> agreement with the legacy resource holders.  Legacy records are
> frequently out of date and have become an increasingly popular target
> for hijackers.  Having up to date contact information and a formal
> relationship with legacy record holders would assist ARIN and ISP's in
> ensuring these records are maintained accurately.  A similar policy was
> successfully adopted in the APNIC region.
> (http://www.apnic.net/policy/proposals/prop-018-v001.html)
>
> Timetable for implementation:
>
> Within sixty (60) days of approval - with notification to current POC
> email addresses listed on historical assignments, or as soon as
> reasonable for ARIN staff.
>
>
>
>
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20080821/1031ec0e/attachment-0001.html>


More information about the ARIN-PPML mailing list