Recommended Draft Policy ARIN-2017-3: Update to NRPM 3.6: Annual Whois POC Validation [Archived]

OUT OF DATE?

Here in the Vault, information is published in its final form and then not changed or updated. As a result, some content, specifically links to other pages and other references, may be out-of-date or no longer available.

Status: Implemented

Tracking Information

Discussion Tracking

Mailing List:

Formal introduction on PPML on 21 March 2017

Origin - ARIN-prop-239
Draft Policy -21 March 2017
Recommended - 20 February 2018
Last Call - 23 April 2018
Moved to Board for Review - 22 May 2018
Adopted - 24 May 2018
Implemented - 24 July 2018

Public Policy Mailing List

ARIN Public Policy Meeting:

ARIN Advisory Council:

AC Shepherds:
Amy Potter, Alyssa Moore

ARIN Board of Trustees:

Revisions:

Revised - 06 September 2017
Revised - 14 November 2017

Implementation:

24 July 2018

Version Date: 20 February 2018

AC Assessment of Conformance with the Principles of Internet Number Resource Policy:

This proposal is technically sound and enables fair and impartial number policy as it encourages more accurate Whois data collection by restricting organizations without at least one validated Admin or Tech POC from using ARIN Online services outside of payment and contact update functionalities.

Problem Statement:

Many of the Point of Contacts listed in ARIN’s public Whois database contain out-of-date and inaccurate contact information.

Policy statement:

Current Text:

3.6 Annual Whois POC Validation

3.6.1 Method of Annual Verification

During ARIN’s annual Whois POC validation, an email will be sent to every POC in the Whois database. Each POC will have a maximum of 60 days to respond with an affirmative that their Whois contact information is correct and complete. Unresponsive POC email addresses shall be marked as such in the database. If ARIN staff deems a POC to be completely and permanently abandoned or otherwise illegitimate, the POC record shall be marked invalid. ARIN will maintain, and make readily available to the community, a current list of number resources with no valid POC; this data will be subject to the current bulk Whois policy.

Proposed Revised Text:

3.6 Annual Validation of ARIN’s Public Whois Point of Contact Data

3.6.1 Annual POC Verification

ARIN will perform an annual verification of specific Points of Contact registered in the public Whois using the criteria and procedures outlined in sections 3.6.2, 3.6.3, and 3.6.4.

3.6.2 Specified Public Whois Points of Contact for Verification
Each of the following Points of Contact are to be verified annually, and will be referred to as Point of Contact or POC throughout this policy, and should be understood to be both organization and resource POCs:

Admin
Tech
NOC
Abuse

3.6.3 Organizations Covered by this Policy

This policy applies to every Organization that has a direct assignment, direct allocation, or AS number from ARIN (or one of its predecessor registries) or a reallocation from an upstream ISP. This includes but is not limited to upstream ISPs and their downstream ISP customers (as defined by NRPM 2.5 and 2.6), but not reassignments made to their downstream end user customers.

3.6.4 Procedure for Verification

An annual email notification will be sent to each of the Points of Contact outlined in section 3.6.2 on an annual basis. Each Point of Contact will have up to sixty (60) days from the date of the notification in which to respond with an affirmative that their Whois contact information is correct and complete or to submit new data to correct and complete it. If after careful analysis, ARIN staff deems a POC to be completely and permanently abandoned or otherwise illegitimate, the POC record shall be marked invalid in Whois.

3.6.5 Non-Responsive Point of Contact Records

An invalid POC is restricted to payment and contact update functionality within ARIN Online. As a result, an organization without any valid POCs will be unable to access further functionalities within ARIN Online until at least one Admin or Tech POC validates that their information is accurate or modifies a POC to contain accurate information.

Comments:

Timetable for implementation: to be based upon discussions with ARIN’s staff.

##########

Earlier Version

##########

Version Date: 14 November 2017

Problem Statement:

Many of the Point of Contacts listed in ARIN’s public Whois database contain out-of-date and inaccurate contact information.

Policy Statement:

Current Text:

3.6 Annual Whois POC Validation

3.6.1 Method of Annual Verification

Proposed Revised Text:

3.6 Annual Validation of ARIN’s Public Whois Point of Contact Data

3.6.1 Annual POC Verification

ARIN will perform an annual verification of specific Points of Contact registered in the public Whois using the criteria and procedures outlined in sections 3.6.2, 3.6.3, and 3.6.4.

3.6.2 Specified Public Whois Points of Contact for Verification

Each of the following Points of Contact are to be verified annually, and will be referred to as Point of Contact or POC throughout this policy, and should be understood to be both organization and resource POCs:

Admin
- Tech
- NOC
- Abuse

3.6.3 Organizations Covered by this Policy

3.6.4 Procedure for Verification

3.6.5 Non-Responsive Point of Contact Records

Once a non-responsive POC has been marked invalid in the public Whois, any organization lacking a validated Admin or Tech POC will be unable to access the full suite of functionality within ARIN Online until the invalid POC(s) have either validated that their information is accurate or modified their POC to contain up-to-date information.

Comments:

Timetable for implementation: to be based upon discussions with ARIN’s staff.

##########

ARIN STAFF & LEGAL ASSESSMENT

Draft Policy ARIN-2017-03

Update to NPRM 3.6: Annual Whois POC Validation

https://arin.net/policy/proposals/2017_3.html

Date of Assessment: 3 January 2018

1. Summary (Staff Understanding)

Draft Policy 2017-03 establishes the specific Whois Points of Contact (POCs) that are required to be verified annually. It further identifies which organizations are covered by this policy according to the type of resources that it holds i.e. direct assignments, direct allocations, AS numbers from ARIN (or one of its predecessor registries) or a reallocation from an upstream ISP. It specifically excludes reassignments made to downstream end user customers. DP 2017-03 defines the procedure to be followed to ensure the above specified POCs are verified through an email notification on an annual basis. It instructs ARIN staff to marked POC records deemed completely and permanently abandoned or otherwise illegitimate as invalid in Whois. It also directs action to be taken if an ADMIN or TECH POC has been marked invalid.

2. Comments

A. ARIN Staff Comments

* 3.6.2 Specified Public Whois Points of Contact for Verification: Lists the 4 types of POCs that must be verified annually. This is very clear.

* 3.6.3 Organizations Covered by this Policy: Clearly states qualifications for an Organization’s POCs to require annual verification as well as those that do not require it. This is clear.

* 3.6.4 Procedure for Verification: Describes the steps in the verification process. This is clear.

* 3.6.5 Non-Responsive Point of Contact Records: This section is unclear regarding the scope of the impact to an organization having non-responsive POCs, as the phrase “any organization lacking a validated Admin or Tech POC will be unable to access the full suite of functionality” fails to specify the allowed/prohibited functionality for organizations lacking a valid contact. Absent further clarification, ARIN staff will interpret this to mean that an organization without at least one validated Admin or Tech POC will only be able to access payment and contact update functionality within ARIN Online, regardless of the contact used for access. For organizations that have at least one valid Admin or Tech contact, the organization will be able to access full functionality of ARIN Online, even if access is via one of its other non-responsive POCs. If instead the desired policy outcome is that only a validated Admin or Tech POC may access full ARIN Online functionality, then the policy text should be clarified to that effect.

* The proposed policy does not impact ARIN’s ability to provide ongoing registry services for number resources, only the ability of impacted organizations to make changes to their number resources and related services.

* This policy could be implemented as written.

B. ARIN General Counsel – Legal Assessment

* There are no material legal issues regarding this proposal.

3. Resource Impact

Implementation of this policy would have minimal resource impact. It is estimated that implementation could occur within 3 months after ratification by the ARIN Board of Trustees. The following would be needed in order to implement:

* Updated guidelines and internal procedures

* Staff training

* Minimal engineering work

4 . Proposal / Draft Policy Text Assessed

Draft Policy ARIN-2017-3: Update to NPRM 3.6: Annual Whois POC Validation

Version Date: 14 November 2017

Problem Statement:

Many of the Point of Contacts listed in ARIN’s public Whois database contain out-of-date and inaccurate contact information.

Policy Statement:

Current Text:

3.6 Annual Whois POC Validation

3.6.1 Method of Annual Verification

Proposed Revised Text:

3.6 Annual Validation of ARIN’s Public Whois Point of Contact Data

3.6.1 Annual POC Verification

ARIN will perform an annual verification of specific Points of Contact registered in the public Whois using the criteria and procedures outlined in sections 3.6.2, 3.6.3, and 3.6.4.

3.6.2 Specified Public Whois Points of Contact for Verification

Admin
- Tech
- NOC
- Abuse

3.6.3 Organizations Covered by this Policy

3.6.4 Procedure for Verification

3.6.5 Non-Responsive Point of Contact Records

Comments:

Timetable for implementation: to be based upon discussions with ARIN’s staff.

##########

Earlier Version

##########

Version Date: 06 September 2017

Problem Statement:

The ARIN public access WHOIS directory service is used by the general public and organizations charged with the protection of the public, for a wide variety of purposes, including:

• Assuring the security and reliability of the network by identifying points of contact for IP number resource for network operators, ISPs, and certified computer incident response teams;

• Assisting businesses, consumer groups, medical and healthcare organizations, and other organizations in combating abuse;

• Assisting organizations responsible for the safety of the general public in finding information about potential offenders using IP number resources so that the organizations are able to comply with national, civil and criminal due process laws and to provide justice for victims; and

• Ensuring IP number resource holders worldwide are properly registered, so individuals, consumers and the public are empowered to resolve abusive practices that impact safety and security.

Organizations charged with the protection of the public, including consumer protection, civil safety and law enforcement, utilize the ARIN public access WHOIS directory in their investigations. From a public safety perspective, the failure to have accurate ARIN public access WHOIS information can present the following challenges:

• Ability of public safety and law enforcement agencies to rapidly identify IP number resources used in on-going abusive activities;

• Wasted network operator resources spent on responding to potentially misdirected legal requests; and

• Domain name and IP number resources hijacking, resulting in the potential use of those domain names and IP number resources for criminal activity.

As the amount of criminal activity enabled by the Internet continues to grow globally, users whose IP number resources are abused (for example, by spamming, IP address spoofing, DDOS attacks, etc.) need to be able to obtain redress. For organizations tasked with protecting the general public, one of the most important registration records in the ARIN public access WHOIS directory is that of the last ISP in the chain of network operators providing connectivity. To ensure the accuracy of the WHOIS directory and to facilitate timely/effective response to abusive and criminal activity, the ARIN public access WHOIS directory must be up-to-date and map IP number resources to the correct network provider. Privacy, safety and security are all equally important outcomes, and depend, to a large extent, on the accuracy of the ARIN public access WHOIS directory.

The problem of potentially inaccurate information is most acute with registrations that were given out prior to the formation of ARIN. These registrations, often termed “legacy” are held by thousands of entities that do not have updated and verified points of contact that are able to be found in the public access WHOIS directory. Many of the original points of contact were removed, and replaced with placeholder records that do not provide any value. This inaccurate information leaves victims and responders without the means of proper redress.

Policy statement:

Current text:

3.6 Annual Whois POC Validation

3.6.1 Method of Annual Verification

Proposed revised text:

3.6 Annual Validation of ARIN’s Public Access WHOIS Point of Contact Data

3.6.1 Annual POC Verification

ARIN will perform an annual verification of point of contact data each year on the date the POC was registered, beginning on January 1 each year using the procedure provided in 3.6.4.

3.6.2 Specified Public WHOIS Points of Contact for Verification

Each of the following Points of Contact are to be verified annually and will be referred to as Points of Contact throughout this policy:

Admin
Tech
NOC
Abuse

3.6.3 Organizations Covered by this Policy

This policy applies to every Organization that holds a direct assignment, direct allocation, AS number or reallocation from ARIN. This includes but is not limited to upstream ISPs and downstream ISP customers (as defined by NRPM 2.5 and 2.6), but not reassignments made to downstream customers or end user customers.

3.6.4 ARIN Staff Procedure for Verification

Email notification will be sent to each of the Points of Contact in section 3.6.2 on an annual basis. Each Point of Contact will have up to sixty (60) days from the date of the notification in which to respond with confirmation as to the public WHOIS contact data or to submit data to correct and complete it. Validation can occur via the ARIN Online account, or, alternatively, by clicking the validation link in the email notification. After the sixty (60) day period, non-responsive Point of Contact records will be marked as “non-responsive” in the public WHOIS directory.

3.6.5 Non-Responsive Point of Contact Records

After an additional ninety (90) days after the Point of Contact record has been marked as “non-responsive”, ARIN’s staff after through research and analysis, will mark those non validated, abandoned or otherwise illegitimate POC records “invalid”. Organizations lacking a valid Tech or Admin POC will lose access to their ARIN Online account until a Tech or Admin POC has been validated.

Comments:

a. Timetable for implementation: to be based upon discussions with ARIN’s staff.
b. Anything else

##########

Earlier Version

##########

Version Date: 21 March 2017

Problem Statement:

The ARIN public access WHOIS directory service is used by the general public and organizations charged with the protection of the public, for a wide variety of purposes, including:

Assuring the security and reliability of the network by identifying points of contact for IP number resource for network operators, ISPs, and certified computer incident response teams;
Assisting businesses, consumer groups, medical and healthcare organizations, and other organizations in combating abuse;
Assisting organizations responsible for the safety of the general public in finding information about potential offenders using IP number resources so that the organizations are able to comply with national, civil and criminal due process laws and to provide justice for victims; and
Ensuring IP number resource holders worldwide are properly registered, so individuals, consumers and the public are empowered to resolve abusive practices that impact safety and security.

Ability of public safety and law enforcement agencies to rapidly identify IP number resources used in on-going abusive activities;
Wasted network operator resources spent on responding to potentially misdirected legal requests; and
Domain name and IP number resources hijacking, resulting in the potential use of those domain names and IP number resources for criminal activity.

Lastly, current ARIN practices do not allow organizations that have been merged or acquired to update their point of contact records without having to enter into a contractual relationship with ARIN. This causes many organizations to not go through the process of updating even their point of contact records.

Policy statement:

Current text:

3.6 Annual Whois POC Validation

3.6.1 Method of Annual Verification

Proposed revised text:

3.6 Annual Validation of ARIN’s Public Access WHOIS Point of Contact Data

3.6.1 Annual POC Verification

ARIN will perform an annual verification of point of contact data each year on the date the POC was registered, beginning on January 1 each year using the procedure provided in 3.6.4.

3.6.2 Specified Public WHOIS Points of Contact for Verification

Each of the following Points of Contact are to be verified annually and will be referred to as Points of Contact throughout this policy:

Admin
Tech
NOC
Abuse

3.6.3 Organizations Covered by this Policy

3.6.4 Procedure to Increase Valid Legacy Point of Contact Participation

To encourage Organizations that are deemed to be “legacy” (ones that predated the existence of ARIN and do not have a contractual relationship with ARIN), legacy resource holders shall be able to update the points of contact for the Organization without entering into a contractual relationship with ARIN.

3.6.5 ARIN Staff Procedure for Verification

3.6.7 Non-Responsive Point of Contact Records

After an additional ninety (90) days after the Point of Contact record has been marked as “non-responsive”, ARIN’s staff after through research and analysis, will mark those non validated, abandoned or otherwise illegitimate POC records “invalid”. Records marked “invalid” will be taken out of the reverse DNS and their associated resources will be removed from the public WHOIS, thereby disabling reverse DNS. ARIN will make available the necessary resources to ensure enforcement of this policy.

Comments:

a. Timetable for implementation: to be based upon discussions with ARIN’s staff.

b. Anything else