[arin-ppml] Draft Policy 2008-7: Identify Invalid WHOIS POC’s

Chris Grundemann cgrundemann at gmail.com
Mon Mar 30 15:54:29 EDT 2009


On Mon, Mar 23, 2009 at 13:05, Member Services <info at arin.net> wrote:
> SUBJECT: Draft Policy 2008-7: Identify Invalid WHOIS POC’s
>
> Draft Policy 2008-7
> Identify Invalid WHOIS POC’s
>
> The following draft policy text is being posted for feedback and
> discussion on the Public Policy Mailing List (PPML).
>
> After the October 2008 Public Policy Meeting the ARIN Advisory Council
> (AC) decided that 2008-7 required more work. The text below was
> developed by the AC with help from the proposal originators. The AC was
> required to submit text to ARIN for staff and legal assessment prior to
> selecting it as a draft policy. The assessment, along with the text that
> was assessed, is located below the draft policy.
>
> On 20 March 2009 the ARIN Advisory Council (AC) selected Draft Policy
> 2008-7: Identify Invalid WHOIS POC’s (formally known as WHOIS Integrity
> Policy Proposal) for adoption discussion on the PPML and at the upcoming
> Public Policy Meeting.
>
> Draft Policy 2008-7 is below and can be found at:
> https://www.arin.net/policy/proposals/2008_7.html
>
> We encourage you to discuss Draft Policy 2008-7 on PPML prior to the
> ARIN XXIII Public Policy Meeting. Both the discussion on the PPML and at
> the Public Policy Meeting will be used by the ARIN Advisory Council to
> determine the community consensus regarding adopting this as policy.
>
> The ARIN Policy Development Process can be found at:
> https://www.arin.net/policy/pdp.html
>
> All of the Draft Policies under discussion can be found at:
> https://www.arin.net/policy/proposals/index.html
>
> Regards,
>
> Member Services
> American Registry for Internet Numbers (ARIN)
>
>
> ## * ##
>
>
> Draft Policy 2008-7
> Identify Invalid WHOIS POC’s
>
> Date: 23 March 2009
>
> Policy Statement:
>
> During ARINs annual WHOIS POC validation, an e-mail will be sent to
> every POC in the WHOIS database. Each POC will have a maximum of 60 days
> to respond with an affirmative that their WHOIS contact information is
> correct and complete. Unresponsive POC email addresses shall be marked
> as such in the database. If ARIN staff deems a POC to be completely and
> permanently abandoned or otherwise illegitimate, the record shall be
> deleted. ARIN will maintain, and make readily available to the
> community, a current list of address-blocks with no valid POC; this data
> will be subject to the current bulk WHOIS policy.
>
> Timetable for implementation: Immediate
>
>
> #####
>
> ARIN Staff Assessment
>
> 2008-7
>
> Title:  Identify Invalid WHOIS POC's (formerly known as WHOIS Integrity
> Policy Proposal)
>
> Revision Submitted: 07 March 2008
>
> 2nd Revision Submitted: 12 Feb 2009
>
> Date of Assessment:  24 Feb 2009
>
> The assessment of this text includes comments from ARIN staff and the
> ARIN General Counsel. It contains analysis of procedural, legal, and
> resource concerns regarding the implementation of this text as it is
> currently stated. Any changes to the language may necessitate further
> analysis by staff and Counsel.
>
> I.  Understanding
>
> ARIN staff understands that this will institute an annual
> re-registration of all POCs registered in WHOIS.  POCs who do not
> respond within 60 days will be marked in the database as "un-responsive"
> and if staff deems them to be invalid for any reason, may remove them
> from WHOIS.  In addition, staff will maintain a list of all address
> blocks with no valid POCs and will make this data available to any
> organization using the bulk whois policy criteria.
>
> II.  Issues and Concerns
>
>  A.  ARIN Staff Comments:
>
>    * Resource records marked as “unresponsive” or those with no POCs at
>      all could become the targets of hijackers who, in the past have
>      tended to look for address blocks that contain obsolete or stale data.

This is exactly why I (and I believe the other authors of this
proposed policy) wanted the disclosure to be required.  Hijackers, like
spammers, phishers and other criminals spend their time finding this
kind of data -- the idea of this portion of this policy is to give
everyone the data that we can assume hijackers (probably) already
have.  This public disclosure of netblocks without any valid POCs
will hopefully encourage the rightful holders of those blocks to
update their POC info and if not, it at least allows the rest of the
community to be mindful of such blocks.

>    *  An annual re-registration of all POCs (~223,000 currently) will
>      likely result in a vast increase in workload, particularly with
>      the follow up work and research involved when a POC does not reply
>      within 60 days.  This could result in a slow down in registration
>      response and processing times.

This proposal does not require a "re-registration of all POCs"
annually.  It requires an email validation of all POCs annually and
that POCs which do not respond to email have their record marked as
such -- this is meant to be an entirely automated process.  The policy
then grants ARIN staff the discretion to do follow up work and
research on POCs; it does not require that ARIN follow up on every (or
even any) unresponsive POC every year -- it is meant to allow staff to
follow up where they can/need and give them authority to lock or
remove POCs that are found to be completely illegitimate (those that
don't respond to repeated and various contact attempts, etc).

>    * This policy refers to the Bulk Whois policy rather than stating
>      the actual criteria under which an organization will be allowed to
>      request the list of all address blocks with no valid POCs.  It
>      would be better policy text to state the specific criteria,
>      including the requirement to sign an AUP, within this policy itself.
>

"ARIN will maintain, and make readily available to the community, a
current list of address-blocks with no valid POC; this data will be
subject to the current bulk WHOIS policy."

My understanding of this text is that the list of address blocks with
no valid POCs should be available to anyone interested in it.    We
chose to reference the Bulk WHOIS policy instead of re-stating it here
so as to maintain a central policy regarding WHOIS data.  It seems to
me that when we get away from this and start repeating things we open
the door for conflicting policy down the road when one area is updated
but another repetitive area is not...   Beyond that, we again tried to
leave operational details to staff.

~Chris

>
>
>  B.  ARIN General Counsel
>
>    * It is possible those delisted will threaten or file litigation to
>      be relisted. However, a properly promulgated policy does not pose
>      antitrust or other legal concerns.
>
>
>
> III. Resource Impact
>
> The resource impact of implementing this policy is viewed as
> significant. Barring any unforeseen resource requirements, it is
> estimated that this policy could take up to 18 person months to fully
> implement from the date of ratification of the policy by the ARIN Board
> of Trustees.  It may require the following:
>
>    * Staff training
>    * Development of new internal process and procedures and
>      modification to existing ones
>    * Creation of an automated system to track notifications, updates,
>      and current status of the POC notification. Provide allowances for
>      manual intervention and follow-up by staff.  Engineering estimates
>      that it could take up to 18 person months for the creation and
>      implementation of this system. In addition, this could impact
>      ARIN’s current project deployment schedule.
>    * Increased workload could result in the need for additional staff
>
>
>
> Text assessed:
>
> 2008-7: Identify Invalid WHOIS POC's (formally known as WHOIS Integrity
> Policy Proposal)
>
> Revised text is as follows:
>
> During ARINs annual WHOIS POC validation, an e-mail will be sent to
> every POC in the WHOIS database. Each POC will have a maximum of 60 days
> to respond with an affirmative that their WHOIS contact information is
> correct and complete. Unresponsive POC email addresses shall be marked
> as such in the database. If ARIN staff deems a POC to be completely and
> permanently abandoned or otherwise illegitimate, the record shall be
> deleted. ARIN will maintain, and make readily available to the
> community, a current list of address-blocks with no valid POC; this data
> will be subject to the current bulk WHOIS policy.
>
>
>
>
>
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.
>

-- 
Chris Grundemann
weblog.chrisgrundemann.com
