[arin-ppml] Draft Policy ARIN-2016-8: Removal of Indirect POC Validation Requirement

[Ted Mittelstaedt]

David,

For starters, the ICANN organization DOES do email validation of POCs on
DOMAIN NAMES and, there are far more domain names on the Internet than
there are number resources you are responsible for

They seem to manage it, you should be able to also.  Perhaps you might
ask them how they are doing it.

Secondly, when this objection came up in 2008 several suggestions were
made to how ARIN could save time on doing this.  It was also pointed out
that the policy is sufficiently vague on what validation actually
constituted that ARIN had the flexibility to use automated systems.

As far as I see it, ARIN can write a program that emails
every POC in the database - and if the emails bounce, then the
program marks the POC as bogus.  Then when ARIN goes to approve or
disapprove number resources it is the requesting org's problem to
clean up those POCs and make sure they are valid, in order to get
their utilization up to the approved level sine ARIN can then assume
that any bogus POC means the reallocation isn't valid.

This was explained to you in 2008.  There was no need to start making
phone calls and other such rubbish to the indirect holders.   You do not
need to be spending the amount of time you are claiming that you are 
spending on this.   Your insistence on doing that to me means you just 
are looking to manufacture a reason to get rid of the requirement.

There's plenty of experience in the community, you could have easily 
come to us over the last 8 years and said that there's problems in
how you were validating and we would have suggested ways to reduce the
workload.

Instead you have chosen to interpret the validation requirement in the
most labor-intensive manner possible, which of course is going to create 
a problem, then claim that because there's a problem you have to get rid 
of the validation requirement.  There appears to be no interest on your 
part in working within the validation requirement to implement it in a 
way that would retain the value of it and not cause an undue burden. 
Surgically, with a scalpel, as I said, not destroy the requirement with 
a cannon.

The claim that this just affects reassignment resources ignores the fact 
that the entire reason the whois database exists is because it is
recognized that the value of it is being able to go to the actual users 
of the IP addresses when problems happen.

Today more than ever we need identification on the Internet.  There are 
so many many ways that criminals today on the Internet can hide and do 
damage to others.  Removing the requirement for validation of indirect 
POCs is moving in the opposite direction.  As the Hostmaster your job is 
to administer this requirement in good faith - you should be recognizing 
for example that indirect POCs are of less value and thus should not 
consume as much time in validation as direct POCs and you should be 
pushing some of the work of validation of them on to the ISPs who issued 
the SWIPS since it's their own customers - not administer it in bad 
faith and look for ways to justify it's removal.

I will ask you this - consider the 55Mph speed limit - if the policing 
organizations in the country all ticketed EVERY MOTORIST OUT THERE who 
violated it - just how many seconds do you think that the voters in the 
country would continue to permit that law to survive?  That law is 
deliberately enforced in an arbitrary manner - you need to look on the 
POC validation in the same way and use some common sense in enforcement.

Ted

On 12/21/2016 9:39 AM, David R Huberman wrote:
> Hello,
>
> 1) As far as I can tell from the archives, the last time the ARIN public
> policy community formally reviewed the POC Validation policy was in 2008.
>
> 2) In the intervening 8 years, staff have reported to the community at
> numerous junctures that the workload associated with POC validation of
> indirectly-registered resources is a larger proportion of their time
> spent than perhaps the community may want it to be. Or put a different
> way, ARIN has repeatedly informed the community that they're spending a
> whole heck of a lot of time on it.
>
> 3) ARIN continues to run as a 501(c)(6) not-for-profit. And it is
> important that all stakeholders continually re-evaluate how we want our
> limited resources used.
>
> As a direct result of the above, the draft policy proposal aims to focus
> staff on the following types of number resource regisration records:
>
> - direct allocations
> - direct assignments
> - AS numbers
> - reallocations (which are generally designed to be used by ISPs to
> reallocate to other ISPs, who then reassign further downstream)
>
> The draft policy accomplishes this by removing POC validation attempts
> at a single class of resources:
>
> - reassignments
>
> Historically, reassignments were most often /29s. Often assigned by a
> DSL provider or a CableCo or the like, there was a stated pecuniary
> value in the upstream listing downstream POCs to cut down on abuse
> calls/emails. (Indeed, many ISPs had a formal policy of only reassigning
> blocks to customers after POC information had been obtained, because
> they felt it would reduce the volume of work on their abuse desks.)
>
> Bottom line:
>
> If the staff spent the same amount of time it does today on working with
> direct registrants (and reallocated registrants) on POC validation, as
> it does today working on /29 SWIP reassignment POCs who don't know who
> ARIN is, I assert the overall value of the data in Whois would be
> increased for the internet community. Hence this proposal.
>
> David
>
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.