Draft Policy ARIN-2017-3: Update to NPRM 3.6: Annual Whois POC Validation
ARIN
info at arin.net
Tue Mar 21 13:36:20 EDT 2017
On 16 March 2017, the ARIN Advisory Council (AC) accepted
"ARIN-prop-239: Update to NPRM 3.6: Annual Whois POC Validation" as a
Draft Policy.
Draft Policy text is below and can be found at:
https://www.arin.net/policy/proposals/2017_3.html
You are encouraged to discuss all Draft Policies on PPML. The AC will
evaluate the discussion in order to assess the conformance of this draft
policy with ARIN's Principles of Internet number resource policy as
stated in the Policy Development Process (PDP). Specifically, these
principles are:
* Enabling Fair and Impartial Number Resource Administration
* Technically Sound
* Supported by the Community
The PDP can be found at:
https://www.arin.net/policy/pdp.html
Draft Policies and Proposals under discussion can be found at:
https://www.arin.net/policy/proposals/index.html
Regards,
Sean Hopkins
Policy Analyst
American Registry for Internet Numbers (ARIN)
Draft Policy ARIN-2017-3: Update to NPRM 3.6: Annual Whois POC Validation
Date: 21 March 2017
Problem Statement:
The ARIN public access WHOIS directory service is used by the general
public and organizations charged with the protection of the public, for
a wide variety of purposes, including:
• Assuring the security and reliability of the network by identifying
points of contact for IP number resource for network operators, ISPs,
and certified computer incident response teams;
• Assisting businesses, consumer groups, medical and healthcare
organizations, and other organizations in combating abuse;
• Assisting organizations responsible for the safety of the general
public in finding information about potential offenders using IP number
resources so that the organizations are able to comply with national,
civil and criminal due process laws and to provide justice for victims; and
• Ensuring IP number resource holders worldwide are properly registered,
so individuals, consumers and the public are empowered to resolve
abusive practices that impact safety and security.
Organizations charged with the protection of the public, including
consumer protection, civil safety and law enforcement, utilize the ARIN
public access WHOIS directory in their investigations. From a public
safety perspective, the failure to have accurate ARIN public access
WHOIS information can present the following challenges:
• Ability of public safety and law enforcement agencies to rapidly
identify IP number resources used in on-going abusive activities;
• Wasted network operator resources spent on responding to potentially
misdirected legal requests; and
• Domain name and IP number resources hijacking, resulting in the
potential use of those domain names and IP number resources for criminal
activity.
As the amount of criminal activity enabled by the Internet continues to
grow globally, users whose IP number resources are abused (for example,
by spamming, IP address spoofing, DDOS attacks, etc.) need to be able to
obtain redress. For organizations tasked with protecting the general
public, one of the most important registration records in the ARIN
public access WHOIS directory is that of the last ISP in the chain of
network operators providing connectivity. To ensure the accuracy of the
WHOIS directory and to facilitate timely/effective response to abusive
and criminal activity, the ARIN public access WHOIS directory must be
up-to-date and map IP number resources to the correct network provider.
Privacy, safety and security are all equally important outcomes, and
depend, to a large extent, on the accuracy of the ARIN public access
WHOIS directory.
The problem of potentially inaccurate information is most acute with
registrations that were given out prior to the formation of ARIN. These
registrations, often termed "legacy" are held by thousands of entities
that do not have updated and verified points of contact that are able to
be found in the public access WHOIS directory. Many of the original
points of contact were removed, and replaced with placeholder records
that do not provide any value. This inaccurate information leaves
victims and responders without the means of proper redress.
Lastly, current ARIN practices do not allow organizations that have been
merged or acquired to update their point of contact records without
having to enter into a contractual relationship with ARIN. This causes
many organizations to not go through the process of updating even their
point of contact records.
Policy statement:
Current text:
3.6 Annual Whois POC Validation
3.6.1 Method of Annual Verification
During ARIN's annual Whois POC validation, an email will be sent to
every POC in the Whois database. Each POC will have a maximum of 60 days
to respond with an affirmative that their Whois contact information is
correct and complete. Unresponsive POC email addresses shall be marked
as such in the database. If ARIN staff deems a POC to be completely and
permanently abandoned or otherwise illegitimate, the POC record shall be
marked invalid. ARIN will maintain, and make readily available to the
community, a current list of number resources with no valid POC; this
data will be subject to the current bulk Whois policy.
Proposed revised text:
3.6 Annual Validation of ARIN's Public Access WHOIS Point of Contact Data
3.6.1 Annual POC Verification
ARIN will perform an annual verification of point of contact data each
year on the date the POC was registered, beginning on January 1 each
year using the procedure provided in 3.6.4.
3.6.2 Specified Public WHOIS Points of Contact for Verification
Each of the following Points of Contact are to be verified annually and
will be referred to as Points of Contact throughout this policy:
- Admin
- Tech
- NOC
- Abuse
3.6.3 Organizations Covered by this Policy
This policy applies to every Organization that holds a direct
assignment, direct allocation, AS number or reallocation from ARIN. This
includes but is not limited to upstream ISPs and downstream ISP
customers (as defined by NRPM 2.5 and 2.6), but not reassignments made
to downstream customers or end user customers.
3.6.4 Procedure to Increase Valid Legacy Point of Contact Participation
To encourage Organizations that are deemed to be "legacy" (ones that
predated the existence of ARIN and do not have a contractual
relationship with ARIN), legacy resource holders shall be able to update
the points of contact for the Organization without entering into a
contractual relationship with ARIN.
3.6.5 ARIN Staff Procedure for Verification
Email notification will be sent to each of the Points of Contact in
section 3.6.2 on an annual basis. Each Point of Contact will have up to
sixty (60) days from the date of the notification in which to respond
with confirmation as to the public WHOIS contact data or to submit data
to correct and complete it. Validation can occur via the ARIN Online
account, or, alternatively, by clicking the validation link in the email
notification. After the sixty (60) day period, non-responsive Point of
Contact records will be marked as "non-responsive" in the public WHOIS
directory.
3.6.7 Non-Responsive Point of Contact Records
After an additional ninety (90) days after the Point of Contact record
has been marked as "non-responsive", ARIN's staff after through research
and analysis, will mark those non validated, abandoned or otherwise
illegitimate POC records "invalid". Records marked "invalid" will be
taken out of the reverse DNS and their associated resources will be
removed from the public WHOIS, thereby disabling reverse DNS. ARIN will
make available the necessary resources to ensure enforcement of this policy.
Comments:
Timetable for implementation: to be based upon discussions with ARIN's
staff.
More information about the Info
mailing list