[arin-ppml] ARIN validation of authorized contacts

John Curran jcurran at arin.net
Thu Mar 31 08:15:50 EDT 2011 

On Mar 31, 2011, at 7:34 AM, George, Wes E [NTK] wrote:

> That is, how do you prove to ARIN that:
> a) you are who you say you are

George - We seek government-issued identification for this purpose.

> b) that you are actually an agent for the company you are purportedly representing 
> c) that you are authorized to request changes on behalf of said company.

These are addressed by requiring officer attestation for requests:
<https://www.arin.net/resources/agreements/officer_attest.html>

> The situation where someone poses as an agent of a company (especially one that has let their records/domains lapse) in an effort to 
> acquire their address space in a way that looks semi-legitimate (by updating the ARIN records) is mainly an annoyance right now, 
> because ARIN usually works rapidly with the proper owners (if exist) to restore the correct contact info.
> 
> However, my sense is that as long as the bills get paid and nothing triggers the "spidey sense" of ARIN staff, *accuracy* of records 
> is less important than simply having *valid* (reachable) POC records. As we look at the SIDR origin validation implementation, where 
> ARIN would be providing Resource Certificates for the rightful owner to originate an announcement of a given block of addresses, I 
> think this becomes more than just an annoyance.

We will only provide certificates to the address holder per the ARIN Whois 
database.

> The expectation is that other announcements that do not have that authority will be 
> either rejected or treated with lower priority than the validated announcement in the routing table. But this system is only as good 
> as the underlying verification to provide the delegation in the first place. If it's easily gamed, then the veracity of the 
> information is suspect and the entire implementation is of limited value as an input to a routing policy decision, not to mention the 
> fact that it opens legitimate resource holders up to exactly the type of attack this is trying to prevent.

Agreed.  We'd welcome any suggestions on improvements to these processes;
as they are operational in nature, I'd recommend making them via the ARIN 
Consultation and Suggestion Process <http://www.arin.net/acsp/index.html>
or at the open mike session at the ARIN Public meeting.

Thanks!
/John

John Curran
President and CEO
ARIN

More information about the ARIN-PPML mailing list