[arin-ppml] ARIN validation of authorized contacts
John Curran
jcurran at arin.net
Thu Mar 31 08:15:50 EDT 2011
On Mar 31, 2011, at 7:34 AM, George, Wes E [NTK] wrote:
> That is, how do you prove to ARIN that:
> a) you are who you say you are
George - We seek government-issued identification for this purpose.
> b) that you are actually an agent for the company you are purportedly representing
> c) that you are authorized to request changes on behalf of said company.
These are addressed by requiring officer attestation for requests:
<https://www.arin.net/resources/agreements/officer_attest.html>
> The situation where someone poses as an agent of a company (especially one that has let their records/domains lapse) in an effort to
> acquire their address space in a way that looks semi-legitimate (by updating the ARIN records) is mainly an annoyance right now,
> because ARIN usually works rapidly with the proper owners (if exist) to restore the correct contact info.
>
> However, my sense is that as long as the bills get paid and nothing triggers the "spidey sense" of ARIN staff, *accuracy* of records
> is less important than simply having *valid* (reachable) POC records. As we look at the SIDR origin validation implementation, where
> ARIN would be providing Resource Certificates for the rightful owner to originate an announcement of a given block of addresses, I
> think this becomes more than just an annoyance.
We will only provide certificates to the address holder per the ARIN Whois
database.
> The expectation is that other announcements that do not have that authority will be
> either rejected or treated with lower priority than the validated announcement in the routing table. But this system is only as good
> as the underlying verification to provide the delegation in the first place. If it's easily gamed, then the veracity of the
> information is suspect and the entire implementation is of limited value as an input to a routing policy decision, not to mention the
> fact that it opens legitimate resource holders up to exactly the type of attack this is trying to prevent.
Agreed. We'd welcome any suggestions on improvements to these processes;
as they are operational in nature, I'd recommend making them via the ARIN
Consultation and Suggestion Process <http://www.arin.net/acsp/index.html>
or at the open mike session at the ARIN Public meeting.
Thanks!
/John
John Curran
President and CEO
ARIN
More information about the ARIN-PPML
mailing list