[arin-ppml] Draft Policy ARIN-2017-3: Update to NPRM 3.6: Annual Whois POC Validation

[ARIN]

On 16 March 2017, the ARIN Advisory Council (AC) accepted 
"ARIN-prop-239: Update to NPRM 3.6: Annual Whois POC Validation" as a 
Draft Policy.

Draft Policy text is below and can be found at:
https://www.arin.net/policy/proposals/2017_3.html

You are encouraged to discuss all Draft Policies on PPML. The AC will 
evaluate the discussion in order to assess the conformance of this draft 
policy with ARIN's Principles of Internet number resource policy as 
stated in the Policy Development Process (PDP). Specifically, these 
principles are:

* Enabling Fair and Impartial Number Resource Administration
* Technically Sound
* Supported by the Community

The PDP can be found at:
https://www.arin.net/policy/pdp.html

Draft Policies and Proposals under discussion can be found at:
https://www.arin.net/policy/proposals/index.html

Regards,

Sean Hopkins
Policy Analyst
American Registry for Internet Numbers (ARIN)



Draft Policy ARIN-2017-3: Update to NPRM 3.6: Annual Whois POC Validation

Date: 21 March 2017

Problem Statement:

The ARIN public access WHOIS directory service is used by the general 
public and organizations charged with the protection of the public, for 
a wide variety of purposes, including:

• Assuring the security and reliability of the network by identifying 
points of contact for IP number resource for network operators, ISPs, 
and certified computer incident response teams;

• Assisting businesses, consumer groups, medical and healthcare 
organizations, and other organizations in combating abuse;

• Assisting organizations responsible for the safety of the general 
public in finding information about potential offenders using IP number 
resources so that the organizations are able to comply with national, 
civil and criminal due process laws and to provide justice for victims; and

• Ensuring IP number resource holders worldwide are properly registered, 
so individuals, consumers and the public are empowered to resolve 
abusive practices that impact safety and security.

Organizations charged with the protection of the public, including 
consumer protection, civil safety and law enforcement, utilize the ARIN 
public access WHOIS directory in their investigations. From a public 
safety perspective, the failure to have accurate ARIN public access 
WHOIS information can present the following challenges:

• Ability of public safety and law enforcement agencies to rapidly 
identify IP number resources used in on-going abusive activities;

• Wasted network operator resources spent on responding to potentially 
misdirected legal requests; and

• Domain name and IP number resources hijacking, resulting in the 
potential use of those domain names and IP number resources for criminal 
activity.

As the amount of criminal activity enabled by the Internet continues to 
grow globally, users whose IP number resources are abused (for example, 
by spamming, IP address spoofing, DDOS attacks, etc.) need to be able to 
obtain redress. For organizations tasked with protecting the general 
public, one of the most important registration records in the ARIN 
public access WHOIS directory is that of the last ISP in the chain of 
network operators providing connectivity. To ensure the accuracy of the 
WHOIS directory and to facilitate timely/effective response to abusive 
and criminal activity, the ARIN public access WHOIS directory must be 
up-to-date and map IP number resources to the correct network provider. 
Privacy, safety and security are all equally important outcomes, and 
depend, to a large extent, on the accuracy of the ARIN public access 
WHOIS directory.

The problem of potentially inaccurate information is most acute with 
registrations that were given out prior to the formation of ARIN. These 
registrations, often termed "legacy" are held by thousands of entities 
that do not have updated and verified points of contact that are able to 
be found in the public access WHOIS directory. Many of the original 
points of contact were removed, and replaced with placeholder records 
that do not provide any value. This inaccurate information leaves 
victims and responders without the means of proper redress.

Lastly, current ARIN practices do not allow organizations that have been 
merged or acquired to update their point of contact records without 
having to enter into a contractual relationship with ARIN. This causes 
many organizations to not go through the process of updating even their 
point of contact records.

Policy statement:

Current text:

3.6 Annual Whois POC Validation

3.6.1 Method of Annual Verification

During ARIN's annual Whois POC validation, an email will be sent to 
every POC in the Whois database. Each POC will have a maximum of 60 days 
to respond with an affirmative that their Whois contact information is 
correct and complete. Unresponsive POC email addresses shall be marked 
as such in the database. If ARIN staff deems a POC to be completely and 
permanently abandoned or otherwise illegitimate, the POC record shall be 
marked invalid. ARIN will maintain, and make readily available to the 
community, a current list of number resources with no valid POC; this 
data will be subject to the current bulk Whois policy.

Proposed revised text:

3.6 Annual Validation of ARIN's Public Access WHOIS Point of Contact Data

3.6.1 Annual POC Verification

ARIN will perform an annual verification of point of contact data each 
year on the date the POC was registered, beginning on January 1 each 
year using the procedure provided in 3.6.4.

3.6.2 Specified Public WHOIS Points of Contact for Verification

Each of the following Points of Contact are to be verified annually and 
will be referred to as Points of Contact throughout this policy:
- Admin
- Tech
- NOC
- Abuse

3.6.3 Organizations Covered by this Policy

This policy applies to every Organization that holds a direct 
assignment, direct allocation, AS number or reallocation from ARIN. This 
includes but is not limited to upstream ISPs and downstream ISP 
customers (as defined by NRPM 2.5 and 2.6), but not reassignments made 
to downstream customers or end user customers.

3.6.4 Procedure to Increase Valid Legacy Point of Contact Participation

To encourage Organizations that are deemed to be "legacy" (ones that 
predated the existence of ARIN and do not have a contractual 
relationship with ARIN), legacy resource holders shall be able to update 
the points of contact for the Organization without entering into a 
contractual relationship with ARIN.

3.6.5 ARIN Staff Procedure for Verification

Email notification will be sent to each of the Points of Contact in 
section 3.6.2 on an annual basis. Each Point of Contact will have up to 
sixty (60) days from the date of the notification in which to respond 
with confirmation as to the public WHOIS contact data or to submit data 
to correct and complete it. Validation can occur via the ARIN Online 
account, or, alternatively, by clicking the validation link in the email 
notification. After the sixty (60) day period, non-responsive Point of 
Contact records will be marked as "non-responsive" in the public WHOIS 
directory.

3.6.7 Non-Responsive Point of Contact Records

After an additional ninety (90) days after the Point of Contact record 
has been marked as "non-responsive", ARIN's staff after through research 
and analysis, will mark those non validated, abandoned or otherwise 
illegitimate POC records "invalid". Records marked "invalid" will be 
taken out of the reverse DNS and their associated resources will be 
removed from the public WHOIS, thereby disabling reverse DNS. ARIN will 
make available the necessary resources to ensure enforcement of this policy.

Comments:

Timetable for implementation: to be based upon discussions with ARIN's 
staff.