[arin-ppml] Audits

John Curran jcurran at arin.net
Sat Nov 6 12:18:52 EDT 2010


On Nov 6, 2010, at 11:12 AM, Leo Bicknell wrote:

> In a message written on Sat, Nov 06, 2010 at 09:29:30AM -0400, John Curran wrote:
>> We have similar issues with resources held by "defunct" organizations, 
>> since it can be very difficult to find the appropriate original legal 
>> entity that was assigned a legacy resource, and then even more challenging
>> to determine if they're actually defunct when there's no declaration of
>> same, given the chain of mergers, acquisitions, and divestitures that 
>> occurred in this the early days of this industry. 
> 
> While I agree it can be hard, in other cases it can be quite easy.
> 
> I can imagine a process like:
> 
> Check for netblocks in whois and were in route-views or the ris
> database but haven't been seen for at least 5 years.
> 
> Look up the POC's on the whois record in LinkedIn.  Verify they
> have that company name in their history.

I'm sorry: You are advocating that we use LinkedIn as a verification
step? A very high number of contacts will not have LinkedIN accounts, 
are we to then exclude them from consideration by this step? These 
may be the only useful contacts for the resource; how do we then 
proceed?

Given that anyone can put anything they want into their profile 
(check: http://www.linkedin.com/in/jcurran, you'll now see the entry 
that says I was your Boss at ufp.org till recently..), this won't 
stop anyone who actively is attempting to subvert the process, so 
I'm trying to understand its purpose. I agree it is an easy process, 
but it doesn't appear to be tied to any actually verifiable facts 
so far.

> Send them e-mail, asking them if the company is still around.
> 
> You might just get back an e-mail saying "Bob was the owner, shut
> it down in 2001,  you can contact him at 1-234-555-1212."  You call
> up Bob, he's willing to attest he was the owner and it is no longer
> around, and you reclaim.

Send listed contact Mr. John Smith an email, and Mr. Smith writes 
back and says: "Yep, the Company ABC is deceased (which I did list
in my LinkedIN profile and am a contact for); you should contact Bob 
who I think was the owner at 1-234-555-1212"... We call this supplied
number and then accept whatever the person claiming to be Bob then
tells us?  

Example:  Bob says: "No, it's still around.  We are actually using  
those numbers internally.  Please update the records to say "BobNet" 
which is our DBA name for Company ABC & here's my new email address"
Or do we only accept what Bob says if he claims the resources should
be returned?  

Note the liability to ARIN in either of the above cases in acting 
without clear legal documentation (not just attestation from "Bob")
is likely unacceptable, and doesn't improve the database integrity
but actually weakens it (not to mention the resource hijacking or 
potentially wrongful reclamation from an otherwise unreachable 
company which Mr. Smith or "Bob" are now seeking revenge against...)

> I cannot express how frustrated I am that ARIN seems totally unwilling
> to go after the low hanging fruit, or even fruit already dropped
> on the ground using the argument that they don't have a ladder to
> reach the fruit at the top of the tree.
> 
> Sometimes being a good steward takes effort.

We put a lot of effort into being a good steward, but that means 
actually trying to get the data correct and not just updated for 
the sake of updates. Please develop specific policies if you want 
us to relax our practices so that ARIN can know that we are indeed 
acting with clear community direction.

/John

John Curran
President and CEO
ARIN




More information about the ARIN-PPML mailing list