[arin-ppml] Comments on Draft Policy 2010-3

Joe St Sauver joe at oregon.uoregon.edu
Thu Mar 18 14:24:53 EDT 2010


Chris Engel <cengel at sponsordirect.com> commented:

#It has been pointed out to me  previously that such use would be a 
#violation of WHOIS acceptable use policy....but I have yet to hear or 
#see a single actual example of enforcement of that policy upon a
#violator...can anyone point me toward one? Nor do I see how, under
#current usage (anonymous lookup for anyone) such a policy COULD
#practically be enforced.

Zone files obviously have far different contents than whois servers,
but the topic of access policy enforcement came up during recent 
ICANN Zone File Access Advisory Group discussions (e.g., see my post 
at http://mm.icann.org/pipermail/zfa-ag/2010-January/000069.html )

Since authentication and access control requirements drive a major part 
of the complexity underlying zone file data access provisioning, 

-- IF authentication and access control *aren't* serving any demonstrably
   useful purpose (e.g., usage isn't somehow being closely monitored, and 
   users with "unacceptable" usage aren't having their access revoked),

-- THEN copies of zone files could potentially simply be rolled out onto 
   an FTP server or web server (like any other data file) rather than 
   requiring users to first "jump through the hoops" of applying for 
   access, being granted access, and then using personalized credentials 
   to actually retrieve copies of the zone files.

I think it is unlikely that this would actually ever happen, but this
issue of unenforced policies driving potentially unscalable complexity
is a real one that the community should be paying attention to. 

With respect to anonymous access to whois servers, I believe the only 
policy enforcement mechanisms I've seen discussed or deployed for 
traditional whois server access has been query rate limiting (or 
out-and-out access blocking) on an IP-by-IP basis, a strategy of 
limited efficacy in an era where addresses are assigned by DHCP with 
short lease times (and the use of proxy anonymization services is
common). 

The situation for web based whois is somewhat more flexible, and 
deployment of cookies and/or captchas to (somewhat) limit automated 
access is the primary additional (albeit imperfect) "protection" 
used in an effort to track and improve the security of that access 
channel.

#For other purposes...it's not like you wouldn't be able to find out
#which address block a particular IP address belonged to for the purposes
#of filtering the block.... 

When it comes to managing abuse, the issue is not mapping an individual IP 
to its encompassing network block -- I agree that this would continue to
be possible under draft policy 2010-3.

Unfortunately the abuse management issue is actually a three step process:

-- mapping an individual IP to the ultimately responsible *entity*
   (the end user/customer), AND

-- identifying the full set of *additional* network resources that 
   abusive entity may *also* control ("generalizing reputation"), AND 
   then

-- applying appropriate sanctions (whether technical in nature, such
   as blocklisting applicable network ranges, or administrative in
   nature (civil suits or criminal enforcement, etc.)). 

The second and third steps become difficult to accomplish without
the ability to successfully complete the first step.

#(like they'd list their legitimate contact info in WHOIS anyway)....

The dismal state of whois accuracy (for domains) is well known, and has 
been confirmed by things like the recent ICANN whois accuracy study 
(still open for public comments, BTW, through April 15th, see
http://www.icann.org/en/announcements/announcement-3-15feb10-en.htm ).

If you'd like to see stronger verification of domain whois point of 
contact information, I would urge you to express that comment to ICANN
during the comment period.

With respect to *IP* whois point of contact validity, given the adoption 
by ARIN of 2008-7 ( https://www.arin.net/policy/proposals/2008_7.html ) 
one might hope that the quality and validity of ARIN IP whois point of 
contact data might improve over time, however the results listed at
https://www.arin.net/resources/request/whois_cleanup.html (an effort
listed as "complete" on that page) aren't very encouraging:

   29,929 point of contact confirmation notices sent
   1,854  bounced messages
   1,192  responses received

That is, 1,192/29,929*100=3.9% of all points of contact have been 
validated at this point. 

That leaves a substantial volume of IP whois point of contact addresses 
in an uncertain/unknown status, addresses which are unlikely to be 
reliably usable for critical operational notifications or other
appropriate purposes. 

As IPv4 exhaustion increases the value of number assets, I hope 
additional organizational attention can be devoted to ensuring that 
more than 3.9% of IP whois point of contact data is correct/usable.

Regards,

Joe St Sauver, Ph.D.

Disclaimer: the opinions expressed do not necessarily reflect the opinion 
of any other organization or entity.
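Added illustration (not part of the post above, and not ARIN code) of the
point made about per-IP query rate limiting on whois servers: a sliding-window
limiter keyed only on source address stops a single noisy client but does
nothing against the same query volume spread over many short-lease or
proxied addresses. The window, the per-window limit and the query log are
constructed for the example.

```python
"""Per-IP query rate limiting for a whois front end, and why source-address
rotation weakens it.  Added illustration; the log below is constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # sliding window length (assumed policy value)
MAX_QUERIES = 5       # queries permitted per source IP per window (assumed)


class PerIpRateLimiter:
    """Sliding-window limiter keyed only on the querying address."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_QUERIES):
        self.window = window
        self.limit = limit
        self.hits = defaultdict(deque)  # src_ip -> timestamps of recent queries

    def allow(self, src_ip, ts):
        """Return True if the query at time ts is within policy for src_ip."""
        q = self.hits[src_ip]
        # Expire timestamps that have fallen out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def run(log):
    """Feed a (timestamp, src_ip, client_label) log through the limiter and
    return {client_label: (allowed, blocked)}.  The label is only used for
    scoring; the limiter never sees it, exactly as a real server would not."""
    limiter = PerIpRateLimiter()
    stats = defaultdict(lambda: [0, 0])
    for ts, src_ip, client in log:
        if limiter.allow(src_ip, ts):
            stats[client][0] += 1
        else:
            stats[client][1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


# Constructed log.  "static" sends 20 queries from one address in 20 seconds;
# "rotating" sends the same 20 queries from 20 different addresses (a short
# DHCP lease or an anonymizing proxy pool) over the same 20 seconds.
LOG = []
for i in range(20):
    LOG.append((1000 + i, "198.51.100.7", "static"))
    LOG.append((1000 + i, "203.0.113.%d" % (i + 1), "rotating"))
LOG.sort()

if __name__ == "__main__":
    for client, (ok, denied) in run(LOG).items():
        print("%-9s allowed=%2d blocked=%2d" % (client, ok, denied))
```

The static client is cut off after its fifth query; the rotating client,
sending identical volume, is never touched because no single address exceeds
the limit. That is the "limited efficacy" the post refers to, and it is why
web whois front ends layer cookies and captchas on top.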

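Added illustration (again not from the post or from ARIN) of the three-step
abuse handling sequence the post describes: map an IP to the responsible
entity, generalize to the other resources that entity holds, then produce a
sanction (here, a CIDR blocklist). The registry records, organization
handles and addresses are constructed; a record whose entity is withheld
shows why step 2 cannot proceed when step 1 fails.

```python
"""IP -> responsible entity -> all of that entity's blocks -> blocklist.
Added illustration over constructed whois-style records; not ARIN code."""
import ipaddress

# Constructed records.  'org' is the responsible entity's handle, or None
# when the record exposes only the encompassing block and no entity.
REGISTRY = [
    {"net": "192.0.2.0/24",    "org": "EXAMPLE-ISP"},
    {"net": "192.0.2.128/25",  "org": "BADCO"},       # customer reassignment
    {"net": "198.51.100.0/24", "org": "BADCO"},
    {"net": "203.0.113.0/24",  "org": "EXAMPLE-ISP"},
    {"net": "203.0.113.64/26", "org": None},          # block known, entity withheld
]


def most_specific(ip):
    """Return the most specific registry record containing ip, or None.
    This is the lookup the post agrees remains possible either way."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in REGISTRY if addr in ipaddress.ip_network(r["net"])]
    return max(matches,
               key=lambda r: ipaddress.ip_network(r["net"]).prefixlen,
               default=None)


def responsible_entity(ip):
    """Step 1: map the IP to the entity ultimately responsible for it."""
    rec = most_specific(ip)
    return rec["org"] if rec else None


def resources_of(org):
    """Step 2: generalize reputation to every block the same entity holds."""
    nets = {r["net"] for r in REGISTRY if r["org"] == org}
    return sorted(nets, key=lambda n: ipaddress.ip_network(n))


def blocklist_for(ip):
    """Step 3 (technical sanction): CIDR ranges to block for an abusive ip."""
    org = responsible_entity(ip)
    if org is None:
        # Step 1 failed: the encompassing block is known, but with no entity
        # there is nothing to generalize from, so the sanction stays narrow.
        rec = most_specific(ip)
        return [rec["net"]] if rec else []
    return resources_of(org)


if __name__ == "__main__":
    for ip in ("192.0.2.200", "203.0.113.70", "10.0.0.1"):
        print(ip, responsible_entity(ip), blocklist_for(ip))
```

For 192.0.2.200 the entity resolves and the blocklist widens to both of
BADCO's ranges; for 203.0.113.70 only the single /26 can be named; for an
address outside the registry nothing is returned.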