[arin-ppml] Draft Policy 2008-7: Identify Invalid WHOIS POC's

Ted Mittelstaedt tedm at ipinc.net
Wed Mar 25 20:51:11 EDT 2009
> -----Original Message-----
> From: Lee Dilkie [mailto:Lee at dilkie.com] 
> Sent: Wednesday, March 25, 2009 4:03 PM
> To: Ted Mittelstaedt
> Cc: 'ARIN PPML'
> Subject: Re: [arin-ppml] Draft Policy 2008-7: Identify Invalid WHOIS POC's
> 
> Hi Ted,
> 
> 
> Ted Mittelstaedt wrote:
> > That is NOT what the policy proposal states.  Please re-read it.
> >
> > Nowhere in the policy proposal is ARIN staff directed to make a
> > determination if a POC is completely and permanently abandoned or
> > otherwise illegitimate AS A RESULT of a failure of the POC to respond
> > to e-mail.
> >
> > Instead, the directive to ARIN staff to determine if a POC is
> > completely and permanently abandoned or otherwise illegitimate is
> > open-ended.  The policy directs ARIN staff to make this determination
> > on an annual basis, period.  The policy also directs ARIN staff to
> > mark unresponsive POC e-mail addresses in the WHOIS database on an
> > annual basis.
> >
> > The proposal was CAREFULLY crafted to SPECIFICALLY NOT REQUIRE ARIN
> > staff to make a validity determination based on the results of e-mail.
> >
> > Obviously, since both of these are annual validations (ie:
> > POC validation and e-mail validation) there's synergy in doing them
> > together at the same time - which is why the policy covers them both.
> > But you will see that the tie-in is not mandated if you re-read the
> > policy.  (it may be strongly implied depending on your interpretation
> > of the policy proposal, of course.  My interpretation is that it IS
> > strongly implied.  But, a lawyer would almost certainly tell you that
> > implied policy has no legal validity.)
> >
> >> ..
> >
> > Specifying contact methods in the policy proposal was tried the last
> > time this was introduced and it was widely objected to by the list
> > membership as unnecessary interference between policy and operations.
> >
> > Lee, it seems one group on the list objects to the policy as being too
> > narrow, and another group objects to it as being not narrow enough.
> > (the group you're in)  However, the group objecting to it being too
> > narrow was making objections to things that were actually present in
> > that proposal.  Your group that's objecting to it as being not narrow
> > enough is objecting to things that you're reading into the policy,
> > that technically aren't actually there.
> >
> > Ted
> >
> 
> If you read my original email on the subject you'll see that
> I proposed to simply direct staff to establish the validity
> of a POC.  Period.
> Drop the email thing.  Staff will obviously use email as a
> first resort and escalate beyond that, but why specify email
> in the policy?

Because part of the policy is to update WHOIS with more
accurate data as to the validity of a POC e-mail address.

> (in other words, I'm in the other group, the 
> "too narrow")
> 
> But I still don't get the "why" of this.  This seems to be a
> lot of work (and money) and somewhat risky if a false positive
> (false invalid) occurs.  What's the purpose?
> 


Many IPv4 resources are tied up
not because they are advertised in the DFZ, but simply because there
are POCs that are tied to those resources.

You do understand that legacy resource holders
have NO onus on them to maintain accurate POC entries in WHOIS,
right?  If they haven't signed a legacy RSA - but there's
still a POC handle in WHOIS - that IPv4 resource is tied up
and unavailable for reassignment.

And it's probably VERY likely that some resources under RSA are
containing bogus WHOIS entries as well.  Large companies frequently
will have accounting departments who will pay bills year after year
and never bother to check if the service they are paying for is
still in use.

Currently we simply do NOT know if the amount of unused, stale-POC
legacy resources plus abandoned, stale-POC-but-still-paid-for
RSA numbering resources constitutes a significant pool of IPv4.

When IPv4 runout happens, there's going to be a number of governments
who will want to know if ARIN has IPv4 hidden away - it's just not
going to be acceptable to say "well, we might have some but we
don't know because we have been too lazy to bother pruning our
database"

This is why the proposal directs ARIN to report on this after grooming,
and to update WHOIS with email validity data.

Keep in mind that if you have a bogus entry in WHOIS, NON-email
verification is going to take several months.  They will have to make
a phone call and if the phone # is wrong they will have to send a
certified letter and if that is not responded to they probably will
have to send a second certified letter, if that is ignored they will
have to check dfz and see if any prefixes tied to the POC are being
advertised, then check with the advertiser to have them tell them
who is doing the advertising, then check with that group and ask
why they are advertising a prefix that doesn't belong to them per
the POC data.  If that entity starts arguing with ARIN that they
own the prefix, ARIN will demand supporting docs that will take time
to produce, etc. etc.

It might easily take upwards of a year before some of the legacy
prefixes that are currently being advertised, that have bogus POC
data on them, are verified by ARIN staff and POC data is then updated.
And, this is just the stuff that is NOT criminal.

In cases where it IS criminal, ie: where a spammer is hijacking an
abandoned IPv4 prefix they just found, then you can imagine that entity will
fight a war of delaying and stalling tactics with ARIN which will
push it out even longer.

So what we will end up with under this policy is the following:

a report from ARIN that lists the reclaimed prefixes, and the ones
"in dispute" ie: the ones where verification is pending.  Those will
be visible in WHOIS by the existence of a "bogus e-mail" mark on
the e-mail data in the POC.  We will know that a certain percentage
of the "verification pending" ones will turn out to be reclaimed,
and so based on that we will be able to make a pretty accurate estimate
of how much stale IPv4 is tied up in WHOIS.

And, once we know the amount of stale assignments in WHOIS, it is then
possible to judge the viability of all of the various "IPv4 reclamation"
schemes and see if it's worth spending money on them.

Why have ARIN spend a huge amount of time and effort and money trying
to reclaim IPv4 if it turns out that after we groom WHOIS only
a small fraction of IPv4 allocations are bogus?  Conversely, if we find
that, say, 50% of assigned IPv4 is abandoned or unverifiable, then
we know that IPv4 runout will be many years away.


Ted