[arin-ppml] ARIN validation of authorized contacts

John Curran jcurran at arin.net
Thu Mar 31 09:14:44 EDT 2011


On Mar 31, 2011, at 8:53 AM, George, Wes E [NTK] wrote:

> John - thanks for your response. A couple of comments below inline
> Wes
> 
> -----Original Message-----
> From: John Curran [mailto:jcurran at arin.net] 
> Sent: Thursday, March 31, 2011 8:16 AM
> Subject: Re: [arin-ppml] ARIN validation of authorized contacts
> 
> On Mar 31, 2011, at 7:34 AM, George, Wes E [NTK] wrote:
> 
>> That is, how do you prove to ARIN that:
>> a) you are who you say you are
> We seek government-issued identification for this purpose.
> 
> [WEG] How does that work if you're working entirely via email? Most of your customers don't exactly walk into your office. I don't
> remember being asked to provide any ID prior to being made the primary POC for an X-Large resource holder... I mean, in my case, one
> of the existing POCs added me, so in that sense, they vouched for my identity, but that could have just as easily been a compromised
> password that someone uses to update this information.

Absolutely. If you believe ARIN should add extra protections against such
an attack (compromised account password), either optionally for an account
or for everyone, that is definitely something that should be discussed.

> These are addressed by requiring officer attestation for requests
> 
> [WEG] Sure, for new resource requests. What about changes being requested to whois data, POC records, reverse DNS delegation, etc?

For new resource requests, and sometimes related to reestablishment of 
authority over an address block when all contacts have become invalid.

> We will only provide certificates to the address holder per the ARIN Whois database.
> [WEG] Exactly my point. Unless you have a way of securing and vouching for the validity of those whois POC records, this is an
> attack vector. We had a subsidiary that we bought, and the address POC records had not been updated to point to our common address
> management team yet. In the meantime, a former employee of the subsidiary updated the records so that they now pointed to his new
> company, and so it looked like *we* were actually the ones using the addresses without authorization. They threatened us that they
> would start announcing the blocks within a few weeks until ARIN restored the correct address records. What happens if someone uses
> this to pull down a certification and doesn't warn the original owner first?

This would be considered an "internal controls" issue for most companies,
and not much different than buying a subsidiary but having them change the
building alarm codes to prevent access.  Cases like these are going to almost
always require legal documentation to straighten out, as ARIN can't know that
an employee is no longer authorized to make changes unless the organization
updates records promptly at ARIN.   If you've got a suggestion for how to 
better deal with this, definitely make it known.

> I will try to bring this up at open mic, but I wanted to start some discussion here among some who may have ideas on the security
> BCP that would be appropriate here.

Understood.
/John

John Curran
President and CEO
ARIN