[arin-ppml] Policy Proposal: Annual WHOIS POC Validation - Revised

Chris Grundemann cgrundemann at gmail.com
Fri Oct 3 14:49:51 EDT 2008


<Summary of changes in Version 2>

"...is not received within 's/14 days/the response period/', every..."
Lets ARIN staff adjust the period year to year, based on the number of
false positives from the years before.

--

"...instance of the unresponsive email address will be
's/replaced/marked/' with..."
Allows the email address to remain in the database.  The policy leaves
implementation up to ARIN staff but I envision something similar to
John Santos' suggestion: "No response (was:
<original_e-mail_address>)"

--

"...with 's/"REFUSED RESPONSE"/"NO RESPONSE"/' in the whois directory."
Better reflects that a lack of response, not necessarily refusal, is
the trigger.

--

"Expected transmission dates and sender email addresses will
be published as widely and be as readily available as is reasonable and
practical."
This was added to help assist conscientious recipients in whitelisting
the messages (thanks to Eric Westbrook for the wording).

</changelog>

Thanks to everyone who commented on and critiqued the first version.

~Chris


On Fri, Oct 3, 2008 at 12:16 PM, Member Services <info at arin.net> wrote:
> The author submitted a revised version of the proposal.
>
> The ARIN Advisory Council (AC) will review this proposal at their next
> regularly scheduled meeting. The AC may decide to:
>
>     1. Accept the proposal as written. If the AC accepts the proposal,
> it will be posted as a formal policy proposal to PPML and it will be
> presented at a Public Policy Meeting.
>
>     2. Postpone their decision regarding the proposal until the next
> regularly scheduled AC meeting in order to work with the author. The AC
> will work with the author to clarify, combine or divide the proposal. At
> their following meeting the AC will accept or not accept the proposal.
>
>     3. Not accept the proposal. If the AC does not accept the proposal,
> the AC will explain their decision via the PPML. If a proposal is not
> accepted, then the author may elect to use the petition process to
> advance their proposal. If the author elects not to petition or the
> petition fails, then the proposal will be closed.
>
> In the meantime, the AC invites everyone to comment on this proposal on
> the PPML, particularly their support or non-support and the reasoning
> behind their opinion. Such participation contributes to a thorough
> vetting and provides important guidance to the AC in their deliberations.
>
> The ARIN Internet Resource Policy Evaluation Process can be found at:
> http://www.arin.net/policy/irpep.html
>
> Mailing list subscription information can be found at:
> http://www.arin.net/mailing_lists/
>
> Regards,
>
> Member Services
> American Registry for Internet Numbers (ARIN)
>
> ## * ##
>
> Policy Proposal Name: Annual WHOIS POC Validation
>
> Author: Chris Grundemann
>
> Proposal Version: 2
>
> Submission Date: 2 October 2008
>
> Proposal type: new
>
> Policy term: permanent
>
> Policy statement:
>
> ARIN will conduct POC validation annually.  This validation will
> employ an automated system which will send a message to every separate
> email address in the whois directory.  The message sent will request
> that the receiver verify that they are in fact the POC in question by
> replying to the email in a manner which will satisfy the automated
> system's requirements.  The email message will also include information
> and instructions for reporting suspected fraud.  If a valid response
> is not received within the response period, every instance of the
> unresponsive email address will be marked with "NO RESPONSE" in the whois
> directory.  Expected transmission dates and sender email addresses will
> be published as widely and be as readily available as is reasonable and
> practical.
>
> The list of POCs with this marking will be reviewed by ARIN staff and
> manual contact attempts (telephone, postal mail) can be made at their
> discretion.  After a minimum of three manual contact attempts have
> been made, with at least one to each physical address and telephone
> number provided and a minimum of three calendar months have passed
> from the third qualifying attempt; the POC record should be locked or
> deleted.  The decision of whether to lock or delete the account should
> be made on a case by case basis.
>
> Following this validation each year, a list of address blocks with
> zero valid POCs should be made easily available to the community.
> Accurate annual records should be kept with regard to the total number
> of POCs, the number of POCs marked with "REFUSED RESPONSE," the number
> of locked POCs and the number of deleted POCs in addition to any other
> data that ARIN staff believes is appropriate to record with regard to
> this validation process.  These records should be available to the
> public on request.
>
> Rationale:
>
> The intention of this proposal is to ensure valid whois POC
> information with an annual validation process.  It further aims to
> mitigate any risk that it creates in so doing.
>
> One of the most important resources when dealing with abuse (including
> hijacking, spam, ddos, etc) is whois.  ARIN's whois data is only
> useful if it is known to be valid.  The current NRPM does not address
> this in a manner which ensures up to date POC contact information in
> all cases.  The focus is on valid email addresses because this is the
> contact method of choice for most in the Internet community when
> dealing with abuse or hijacking issues.  POC information that can not
> be confirmed can be judged as not valid.
>
> A netblock with no valid POC presents a target to hijackers.  Once POC
> info is marked or tagged as invalid (like this policy proposes), it
> becomes possible for potential hijackers to locate such netblocks by
> searching the whois database.  As a defense against such hijacking
> attempts, this policy proposes that the information be presented in
> full to the entire community.  This should do at least one of two
> things; bring the netblock to the attention of whomever is responsible
> for it and/or allow other network operators to understand the
> potential risk and take appropriate action to mitigate.
>
> Timetable for implementation: The first validation should take place
> within one calendar year of the policy being accepted.
>



-- 
Chris Grundemann
www.linkedin.com/in/cgrundemann


