[arin-ppml] IPv4 Transfer Policy Change to Keep Whois Accurate

Jimmy Hess mysidia at gmail.com
Thu May 12 03:25:26 EDT 2011

On Wed, May 11, 2011 at 8:03 PM, Mike Burns <mike at nationwideinc.com> wrote:
> I have personally seen many asset sale agreements which included legacy IP
> addresses which were completed without notifying ARIN, as there is still no
> requirement for legacy holders to do that. I have seen asset sale agreements
> which include ARIN accounts and passwords among the listed assets. The

Any attempt to sell an ARIN account username / ARIN passwords would (hopefully)
be a violation of the ARIN Online terms of use,  and result in
termination of the validity of
the account.

> addresses change control, but whois still shows the original registrant.
> When it comes time to route the addresses, if the network operator questions
> the situation, I have seen them accept the asset sales agreements as
> acceptable proof of routing authority. And the addresses allocated to entity

It is little different than use of a forged LOA, really.
The network operator will typically take _anything_  that looks like
plausible documentation.
If the document is forged or otherwise invalid, the responsibility is
now on the customer's head,
and the network operator can plead ignorance.

The network operator may very well be pulling those routes right back
out, however,
when the hijacking is found/reported.

This is not a problem with addressing policy; it's a weakness of the
routing system,
and certified resources / RPKI  could eventually offer a solution.

> A are now in control of entity B, with bogus whois data. This is the kind of
> eventuality which I believe motivated the APNIC community to place the
> stewardship role of uniqueness above the stewardship role of needs-based
> transfers. Obviously I am asserting these things without documentary proof.

Bogus WHOIS data doesn't just haunt ARIN.
It actually has a possibility to hurt any organization whose resources
are listed
with bogus data.

There may be some spammers who would love the idea of not having valid contacts

But legitimate organizations would usually like some certainty that
they have the
IP addresses,  they are on record as having the IP addresses, they are under
proper agreement,  and they won't incur a disruption or loss of number
impacting their business  as a result of not doing things right and
having mucked up records.


More information about the ARIN-PPML mailing list