Very early this morning I submitted my first policy proposal to ARIN. There has recently been a lot of conversation on the PPML about whois data integrity. One of the policies proposed in this line was “whois POC e-mail cleanup” by Ted Mittelstaedt. I was in total agreement with the general purpose of Ted’s proposal, but I have some issues with the specific execution. This (along with some outside encouragement) led me to propose a competing policy of my own, addressing the differences I have with Ted’s original proposal. The text of my proposal and rationale for policy “Annual WHOIS POC Validation” is below.
ARIN will conduct POC validation annually. This validation will employ an automated system which will send a message to every separate email address in the whois directory. The message sent will request that the receiver verify that they are in fact the POC in question by replying to the email in a manner which will satisfy the automated system’s requirements. The email message will also include information and instructions for reporting suspected fraud. If a valid response is not received within 14 days, every instance of the unresponsive email address will be replaced with “REFUSED RESPONSE” in the whois directory.
The list of POCs with this marking will be reviewed by ARIN staff and manual contact attempts (telephone, postal mail) can be made at their discretion. After a minimum of three manual contact attempts have been made, with at least one to each physical address and telephone number provided, and a minimum of three calendar months have passed from the third qualifying attempt, the POC record should be locked or deleted. The decision of whether to lock or delete the account should be made on a case-by-case basis.
Following this validation each year, a list of address blocks with zero valid POCs should be made easily available to the community. Accurate annual records should be kept with regard to the total number of POCs, the number of POCs marked with “REFUSED RESPONSE,” the number of locked POCs and the number of deleted POCs in addition to any other data that ARIN staff believes is appropriate to record with regard to this validation process. These records should be available to the public on request.
The intention of this proposal is to ensure valid whois POC information with an annual validation process. It further aims to mitigate any risk that it creates in so doing. One of the most important resources when dealing with abuse (including hijacking, spam, DDoS, etc.) is whois. ARIN’s whois data is only useful if it is known to be valid. The current NRPM does not address this in a manner which ensures up-to-date POC contact information in all cases. The focus is on valid email addresses because this is the contact method of choice for most in the Internet community when dealing with abuse or hijacking issues. POC information that cannot be confirmed can be judged as not valid.
A netblock with no valid POC presents a target to hijackers. Once POC info is marked or tagged as invalid (as this policy proposes), it becomes possible for potential hijackers to locate such netblocks by searching the whois database. As a defense against such hijacking attempts, this policy proposes that the information be presented in full to the entire community. This should do at least one of two things: bring the netblock to the attention of whoever is responsible for it and/or allow other network operators to understand the potential risk and take appropriate action to mitigate.
UPDATE 9-Mar-2009: This policy proposal is moving forward.
UPDATE 3-SEP-2009: Policy 2008-7 has been adopted by the ARIN Board of Trustees!
UPDATE 7-June-2010: Annual POC validation has been implemented!