[ARIN-Suggestions] One New Suggestion Received

ARIN info at arin.net
Tue Mar 3 11:58:06 EST 2026


One new suggestion has been received (2026.4). You may find the new suggestion and link in full below. 


Regards, 

American Registry for Internet Numbers (ARIN)

-----
ACSP Suggestion 2026.4: Fix API permission checks on NET
https://www.arin.net/participate/community/acsp/suggestions/2026/2026-04/

Author: Richard Laager

If there are multiple ways to do the same thing, they should require the same permissions. They should not be inconsistent.

Steps to reproduce:

1. Perform a Detailed Reassignment out of one of your NETs to another ORG.
2. Try to GET that NET by handle using your API key.

Expected results: The GET succeeds.

Actual results: The GET is rejected for lack of permission. Only an API key of the “another ORG” can GET the NET.

Additional discussion:

- I created the NET in the first place. If I created it, surely I should be able to GET it (assuming nothing else has changed in the state of the world).
- I can DELETE the NET. If I can DELETE something, surely I should be able to GET it.
- I can GET the NET if I ask using the start and end IP address (via a mostSpecificNet call), but I cannot GET it by its handle.
- Anyone, without authentication, can view the same information using the WHOIS protocol, by handle or by IP address. This is equivalent to a GET.
- Accordingly, the correct permission check for a GET on a NET is “return True”.
- Similarly, if I can DELETE and then recreate something, I should be able to modify it using a PUT. So the PUT permission check should also allow those with access to the parent NET to PUT a (direct) child NET (since they could otherwise DELETE and recreate it with the same effect).

Value to Community:

The NRPM requires documenting reassignments. ARIN discontinued the email interface in favor of the API. Having a correctly working API is useful.

Status: Confirmed   
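The consistency argument in the suggestion can be written down as a small authorization check. This is an added example, not part of the original message and not ARIN's code: the `reported` function is a simplified model of the behaviour the author describes, and the handle, ORG names, action labels and the treatment of callers the message does not mention are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Net:
    handle: str       # constructed placeholder, not a real ARIN handle
    org: str          # ORG the NET was reassigned to
    parent_org: str   # ORG holding the parent NET (made the reassignment)

ACTIONS = ("GET_BY_HANDLE", "GET_BY_RANGE", "DELETE", "PUT")

def reported(caller, net, action):
    """Simplified model of the behaviour described in the suggestion."""
    if action == "GET_BY_HANDLE":
        return caller == net.org
    if action == "GET_BY_RANGE":
        return caller in (net.org, net.parent_org)  # other callers: assumption
    if action == "DELETE":
        return caller == net.parent_org             # recipient's rights: assumption
    return caller == net.org                        # PUT

def proposed(caller, net, action):
    """The checks the suggestion asks for."""
    if action in ("GET_BY_HANDLE", "GET_BY_RANGE"):
        return True                                 # same data is public in WHOIS
    if action == "PUT":
        return caller in (net.org, net.parent_org)
    return reported(caller, net, action)            # DELETE unchanged

def violations(policy, net, callers):
    """Return (caller, rule) pairs where the policy contradicts itself."""
    found = []
    for caller in callers:
        can = {a: policy(caller, net, a) for a in ACTIONS}
        if can["GET_BY_HANDLE"] != can["GET_BY_RANGE"]:
            found.append((caller, "read paths disagree"))
        if can["DELETE"] and not can["GET_BY_HANDLE"]:
            found.append((caller, "DELETE without GET"))
        if can["DELETE"] and not can["PUT"]:
            found.append((caller, "DELETE without PUT"))
    return found

# Constructed scenario: ORG-A reassigned the NET to ORG-B; ORG-C is unrelated.
NET = Net("NET-EXAMPLE-1", org="ORG-B", parent_org="ORG-A")
CALLERS = ("ORG-A", "ORG-B", "ORG-C")

if __name__ == "__main__":
    for name, policy in (("reported", reported), ("proposed", proposed)):
        print(name, violations(policy, NET, CALLERS))
```

Run as a regression test against an authorization table, a check of this shape flags any action whose permission is stricter than another path to the same outcome.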







