[arin-ppml] IPv4 Transfer Policy Change to Keep Whois Accurate

Mike Burns mike at nationwideinc.com
Fri May 13 13:07:44 EDT 2011


Hi Tom,

>What definition of "accuracy in Whois" do you have in mind in this context? 
>Can you provide an example of the absolute minimum set of whois parameters 
>and parameter values (e.g., specific whois contact details | degree of 
>verifiability / fidelity of those details) that would be consistent with 
>your definition of "accuracy in Whois"?

Whois has an underlying justification in the requirement for uniqueness of 
registration for each allocated netblock. I think Whois should list the 
current owner of the routing rights to the netblock and have valid contact 
information. If it had those things, I would consider it to be accurate.


>And why exactly are we placing such a high value on "accuracy in Whois" 
>anyway? From your point of view, what are the requirements|purposes|uses of 
>whois that justify the considerable investments in time and effort that 
>are required to maintain Whois data quality at this level?

It provides an element of routing authority that is used by network 
operators to decide whether their customer had the authority to route these 
addresses. It can also be used for abuse notification when the only 
information on the abuser is his ip address.

>Though it might seem like a simple question, the range of possible answers 
>is vast. Would your own criteria for whois "accuracy" and "purpose" be 
>satisfied, for example, by a number resource registry that maintains 100% 
>accurate contact records sufficient for the purpose of registry fee 
>collection, but nothing more than that -- and only shares those few details 
>with duly authorized LEAs and individuals who have been explicitly granted 
>access by individual registrants themselves?

No, the registry or registries would also have to ensure uniqueness, not 
just accurate records for fee collection.

>Alternately, would you agree that the provision of open/public access to 
>basic operationally relevant contact information on all registry clients is 
>also an essential and indivisible part of the role of  the number resource 
>registry maintainer? Where would you come down between these two extremes?

On the side of uniqueness, which is a basic operational requirement of 
publicly routed IPv4 addresses, and public accessibility for the purposes of 
the network operators and abuse victims.


> I don't see that my single policy proposal to lift needs analyses for 
> transfers of already allocated addresses exhibits little concern for 
> procedural fairness or transparency.
> On the contrary, it seeks to reconcile legacy and non-legacy status as a 
> step towards procedural fairness, and its underlying rationale is related 
> to deal transparency.
> By lifting the needs requirement, deals which would have been transacted 
> "in the dark" due to that requirement would have more incentive to be 
> registered publicly.

>In my mind, needs-related eligibility criteria and association registry 
>practices are closely connected to (1) the purposes of whois as well as (2) 
>the definition of whois accuracy. They also help to (3) establish bounding 
>conditions for registry and registrant obligations and requirements that 
>IMO are beneficial to all parties.

>1. I believe that the public-facing "whois" side of the registry service is 
>absolutely integral to the function of the number registry. I believe this 
>because the whois service (together with various other data resources, and 
>a lot of effort) permits community members to engage in a limited form of 
>"macro-prudential" oversight and coordination, without which it would be 
>much harder to keep the Internet working. Whois is not sufficient by 
>itself to support that "macro-prudential" capability, but the absence of a 
>source of data like whois would be sufficient to make it impossible for 
>anyone to know enough to meaningfully engage in such "big picture" 
>activities.

OK, no problems there.


>2. This understanding of the purpose of whois entails a definition of 
>"data quality" that is near the maximalist (or "RIR-esque") rather than the 
>minimalist (or "DNS registrar-esque") end of the spectrum. Quality is 
>defined by the three dimensions of completeness (which for infrastructure 
>operators would include real names and physical/geographical as well as 
>electronic contact information) + timeliness + accuracy/fidelity.

OK, no problems there, although I resist comparing DNS registrar lapses to 
Whois lapses which I argue are caused by existing policy, instead of failure 
to apply policy in the DNS case.

>3. As a matter of operation practice, initial "needs assessments" play an 
>important role in assuring that each new addition to the registry database 
>meets the highest-applicable data quality standard. Subsequent assessments 
>help to maintain the quality of registry data at relatively high levels 
>over time, at least for one important segment of registry participants, 
>i.e., growing networks.

You get no argument from me on the needs assessments for free pool 
allocations, but I don't see the connection to registry effects for transfer 
recipients, which is the issue here.

>4. The needs tests are also important because they establish a technical 
>basis for reciprocal exchanges of confidential information and assurances 
>within one narrowly defined domain. Basically, the needs rule makes it 
>possible for the registry to provide as a kind of proxy ratings service 
>for the entire community, but strictly limits the scope of their inquiries 
>to questions about ownership or beneficial access to hardware and other 
>inputs that are required to use IP addresses *as they were designed to be 
>used.* No doubt every IP address seeker would prefer to just get their 
>addresses on a no-questions-asked basis, but that's not a sustainable 
>option -- e.g., as soon as that address seeker gets what they want, they 
>join the community of address users who all have a common interest in 
>preserving the remaining address resources as long as possible, so they 
>themselves could get more in the future if necessary.  So while total 
>secrecy might be preferred, the best alternative that actually works is to 
>disclose as little as possible, and only to a proxy agent like the registry 
>that is bound to maintain confidentiality but also capable of credibly 
>"signaling" to the broader community that it has a new member. Without 
>something like a needs test to bracket these interactions, privacy claims 
>of first-time address seekers might make it impossible for registries to 
>provide this proxy assurance service, while the operational and privacy 
>requirements of current address users might be at perpetual risk if 
>registry decided to unilaterally expand its disclosure or eligibility 
>demands.

Tom, I have no truck with the method of allocation from the free pool.

>5. Finally, by linking access to IP number resources directly to possession 
>of precisely the sort of costly assets and/or commitments that would be 
>most at risk if the s/he operates in a reckless manner, the needs test 
>also helps (on the margin) to cause or confirm that the incentives of the 
>address user are very broadly consistent with the continued functioning of 
>the Internet.

My argument is the price of the "costly assets"  will provide the incentive 
to use the addresses in a way that continues the function of the Internet, 
and not just on the margins.


>In other words, the needs test provides some (weak but nontrivial) 
>assurance that address users all have some "skin in the *Internet* game." 
>That's what makes it possible to describe this otherwise fractious, 
>aggressively competing, often mutually antagonistic bunch as a 
>"community."  It's also what makes the needs test rule different from and 
>IMO much more effective than reliance on the price mechanism, which can only 
>assure that address buyers have "skin in some kind of game," with no 
>constraint on the choice of game other than the address owner's expectation 
>of profit. Of course they might coincidentally prefer the same game that 
>actual network operators are engaged in, but there are lots of other 
>possibilities -- including many that would be antithetical to the purposes 
>for which IP addresses were created (e.g., the artificial scarcity game, 
>the competitive exclusion game, etc.).

Everybody who uses the Internet will have skin in the game. The price of 
address space will be included in their price for access, included in the 
price they pay for items on Amazon, included in every transaction that 
utilizes the Internet. Users will have their say by voting directly with 
their dollars through each transaction. I am arguing that maintaining needs 
for transfers will drive transactions off the books, to the detriment of 
Whois and all who utilize that information. Free markets have a history of 
bringing together competing and mutually antagonistic bunches of people and 
provide the framework for their productive interaction. The Silk Road lasted 
for


>[Note: For those who haven't already made the leap, the reasons outlined 
>above also suggest that the needs test should continue to apply for IPv6 
>requests. While we may assume without consequence that the needs-based 
>eligibility began as nothing more than a super-simple rule for managing 
>scarcity (I actually reject that interpretation, but don't have time to 
>debate about history), I believe that its utility to that end represents 
>just a small part of how it has contributed to the overall security and 
>stability of the Internet over the last two decades. I guess we'll soon 
>find out enough...]

I have argued many times that needs test is a proper constraint on the 
distribution of free pool addresses.


> So I don't get the inconsistency with previous observations which walked 
> us through the forest.
>
> Oh, I'm sorry, in rereading the paragraph I can see that you were probably 
> responding to prior posts about private registries.
> So you feel that my support of the idea of private registries conflicts 
> with my desire to eliminate needs tests for transfers?
> I find they are both consistent examples of attempts to remove 
> restrictions on the operation of free markets.


> As far as the DNS private market goes, I don't see the problem with it.
> I haven't personally had or seen issues with non-uniqueness of domain 
> names.
> There are more tools to find domain names, there are cottage industries 
> related to the resale of domain names, there are more tlds, there are 
> lifetime registrations, there are cheaper domains.
> To me, DNS seems to work, and I have been running production DNS servers 
> since 1996.

> Are there specific problems with the DNS private market that you feel 
> would be absent from a market with a single "public" registrar?
> I think that would be an instructive conversation to have on the matter of 
> private registries, which has always been a sideline issue to me.

>Hopefully my remarks above will make clear why I think that a DNS-style 
>registry model would be not only inappropriate for IP numbers, but would 
>quite likely represent a grave threat to the continued existence of the 
>Internet as an autonomous, effectively global-scope system under civilian 
>control. The fact that DNS registrars currently enjoy the de facto luxury 
>to compete on features like level of obfuscation of whois data and/or 
>degree of indifference to blatantly deceptive registrant contact 
>information is not a viable model for IP registries -- in fact, it is an 
>artifact of the existence of an alternative source of critical 
>coordination-enabling information that is both closer and provides a 
>(often vastly) more complete, accurate, and useful view of operational 
>"ground truth," -- a.k.a. the present-day whois services provided by the 
>RIRs.

>If ever a day comes when the registration data quality standards for both 
>domain and IP registries converge down to the current norm for DNS 
>registries, I predict that none of us on this list would have to worry 
>about the consequences for long (and also that none of us would have much 
>say about registry policy or operations thereafter).


I have not proposed anything like a DNS-style registry with this proposal, 
and I think the discussion of my proposal goes off the rails here.
Again, I think you are conflating the concept of private registries with 
this proposal to lift needs requirements for transfers.
My argument with the DNS analogy is that DNS registrars are answerable to 
ICANN to maintain accurate Whois.
The impact of needs analysis on the DNS market is not clear, this is an 
apples-to-oranges comparison that fails to inform.
I, personally, have the impression that DNS works, but that is a complete 
non-sequitur to this discussion.

But we agree that decay in Whois accuracy imperils the operation of the 
Internet?


>Increasing the coverage of registry data by radically shrinking both the 
>scope of its usefulness and the share of community members who can use it 
>for any purpose is not a tradeoff that makes sense to me. IMO it should be 
>considered harmful.

>Regards,
>TV

How does removing needs requirements for transfers radically shrink the 
scope of the usefulness of registry data? To me that is an unsupported leap.
How does removing needs requirements for transfers radically shrink the 
share of community members who can use registry data?
Can you make the logical connection here without diversions into DNS private 
registries?
Or make the clear case where you feel there is something equivalent to 
needs-requirements in the DNS market that we can investigate to see how it 
affects registry accuracy?

Regards,
Mike




