[arin-ppml] Draft Policy ARIN-2016-8: Removal of Indirect POC Validation Requirement

William Herrin bill at herrin.us
Tue Dec 20 18:46:05 EST 2016 

> There are over 600,000 POCs registered in Whois that are only associated
> with indirect assignments (reassignments) and indirect allocations
> (reallocations). NRPM 3.6 requires ARIN to contact all 600,000+ of these
> every year to validate the POC information. This is problematic for a few
> reasons:
>
> 1) ARIN does not have a business relationships with these POCs. By
> conducting POC validation via email, ARIN is sending Unsolicited Commercial
> Emails.

How do you figure? The RSA makes reassignments subordinate to the
service provider's contract with ARIN. The individual address holders
are essentially participants in that contract through their service
contract with their Internet provider.

> Further, because of NRPM 3.6.1, ARIN cannot offer an opt-out
> mechanism.

Just as domain name registrants may not opt out of ICANN's annual
validation request. Somehow they're not spamming.


> Finally, ARIN's resultant listing on anti-spam lists causes
> unacceptable damage to ARIN's ability to conduct ordinary business over
> email

ARIN's POC validation email starts off like this:

"Hello,

ARIN (American Registry for Internet Numbers) is a non-profit Internet
number registry.

You are receiving this message because either:

* your Internet Service Provider (ISP) registered you as a Point of
Contact (POC) in ARIN's public database

  OR

* you have obtained IP addresses and/or Autonomous System Numbers
(ASNs) directly from ARIN

We are asking that you verify your POC information below as part of
ARIN's annual validation process:"


So yeah, that smells like spam even though it isn't. I think you'd do
better rewriting the message and the program which generates it.

First, the data tells you whether any associated assignment is direct
from ARIN or not. Make the message say which is which.

Second, you know which assignments are associated with this POC. The
recipient may not have a clue what an Internet number registry is but
they probably remember buying a VPS with IP address 1.2.3.4 or getting
a /28 from their DSL provider.

Third, take a lesson from journalism's Inverted Pyramid format: put
the most important thing first!

In other words, make it look more like:

"Hello,

As the Internet IP address registrant of [sample three CIDR blocks],
etc. your Internet service provider is required to and requires you to
maintain a reachable public point of contact with the American
Registry for Internet Numbers (ARIN). This contact is used by law
enforcement and other organizations which might need to reach you
about computer hacking, copyright infringement or related problems.

ARIN is the non-profit organization responsible for managing Internet
addresses within North America. ARIN periodically confirms that points
of contact for the Internet addresses it manages are valid.

If you are not the address registrant of [sample three CIDR blocks],
we apologize for sending this message in error. You need read no
further nor take any action. [Service provider name] will be informed
that the point of contact is unreachable in violation of their ARIN
contract and will take appropriate action.

[Service provider name] has entered the following point of contact
information in ARIN's database on your behalf:

[POC Record]

If this is correct, please click here to confirm [it's 2017, no need
to parse an email response and it just increases potentially confusing
verbiage].

If there is a problem with your point of contact information or you
would like to know more about ARIN and Internet number registry
system, please click here.
"

Clicking on either link confirms that the POC is reachable.

Also, does ARIN send an email when the record is first SWIPed? An
out-of-the-blue email months after you got a VPS server which happened
to have IP addresses could indeed be surprising.


> 2) ARIN has previously reported that POC validation to reassignments causes
> tremendous work for the staff. It receives many angry phone calls and emails
> about the POC validation process.

Sounds suspiciously like a communication problem.

Regards,
Bill Herrin


-- 
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>

More information about the ARIN-PPML mailing list