ARIN-prop-239: UPDATE TO NPRM 3.6: Annual Whois POC Validation [Archived]

Date: 03/09/2017

Proposal Originator: Cathy Aronson

Problem Statement:

The ARIN public access WHOIS directory service is used by the general public and organizations charged with the protection of the public, for a wide variety of purposes, including:
• Assuring the security and reliability of the network by identifying points of contact for IP number resource for network operators, ISPs, and certified computer incident response teams;
• Assisting businesses, consumer groups, medical and healthcare organizations, and other organizations in combating abuse;
• Assisting organizations responsible for the safety of the general public in finding information about potential offenders using IP number resources so that the organizations are able to comply with national, civil and criminal due process laws and to provide justice for victims; and
• Ensuring IP number resource holders worldwide are properly registered, so individuals, consumers and the public are empowered to resolve abusive practices that impact safety and security.

Organizations charged with the protection of the public, including consumer protection, civil safety and law enforcement, utilize the ARIN public access WHOIS directory in their investigations. From a public safety perspective, the failure to have accurate ARIN public access WHOIS information can present the following challenges:
• Ability of public safety and law enforcement agencies to rapidly identify IP number resources used in on-going abusive activities;
• Wasted network operator resources spent on responding to potentially misdirected legal requests; and
• Domain name and IP number resources hijacking, resulting in the potential use of those domain names and IP number resources for criminal activity.

As the amount of criminal activity enabled by the Internet continues to grow globally, users whose IP number resources are abused (for example, by spamming, IP address spoofing, DDOS attacks, etc.) need to be able to obtain redress. For organizations tasked with protecting the general public, one of the most important registration records in the ARIN public access WHOIS directory is that of the last ISP in the chain of network operators providing connectivity. To ensure the accuracy of the WHOIS directory and to facilitate timely/effective response to abusive and criminal activity, the ARIN public access WHOIS directory must be up-to-date and map IP number resources to the correct network provider. Privacy, safety and security are all equally important outcomes, and depend, to a large extent, on the accuracy of the ARIN public access WHOIS directory.

The problem of potentially inaccurate information is most acute with registrations that were given out prior to the formation of ARIN. These registrations, often termed “legacy” are held by thousands of entities that do not have updated and verified points of contact that are able to be found in the public access WHOIS directory. Many of the original points of contact were removed, and replaced with placeholder records that do not provide any value. This inaccurate information leaves victims and responders without the means of proper redress.

Lastly, current ARIN practices do not allow organizations that have been merged or acquired to update their point of contact records without having to enter into a contractual relationship with ARIN. This causes many organizations to not go through the process of updating even their point of contact records.

Policy statement:

Current text:

3.6 Annual Whois POC Validation

3.6.1 Method of Annual Verification

During ARIN’s annual Whois POC validation, an email will be sent to every POC in the Whois database. Each POC will have a maximum of 60 days to respond with an affirmative that their Whois contact information is correct and complete. Unresponsive POC email addresses shall be marked as such in the database. If ARIN staff deems a POC to be completely and permanently abandoned or otherwise illegitimate, the POC record shall be marked invalid. ARIN will maintain, and make readily available to the community, a current list of number resources with no valid POC; this data will be subject to the current bulk Whois policy.

Proposed revised text:

3.6 Annual Validation of ARIN’s Public Access WHOIS Point of Contact Data

3.6.1 Annual POC Verification

ARIN will perform an annual verification of point of contact data each year on the date the POC was registered, beginning on January 1 each year using the procedure provided in 3.6.4.

3.6.2 Specified Public WHOIS Points of Contact for Verification

Each of the following Points of Contact are to be verified annually and will be referred to as Points of Contact throughout this policy:

• Admin
• Tech
• NOC
• Abuse

3.6.3 Organizations Covered by this Policy

This policy applies to every Organization that holds a direct assignment, direct allocation, AS number or reallocation from ARIN. This includes but is not limited to upstream ISPs and downstream ISP customers (as defined by NRPM 2.5 and 2.6), but not reassignments made to downstream customers or end user customers.

3.6.4 Procedure to Increase Valid Legacy Point of Contact Participation

To encourage Organizations that are deemed to be “legacy” (ones that predated the existence of ARIN and do not have a contractual relationship with ARIN), legacy resource holders shall be able to update the points of contact for the Organization without entering into a contractual relationship with ARIN.

3.6.5 ARIN Staff Procedure for Verification

Email notification will be sent to each of the Points of Contact in section 3.6.2 on an annual basis. Each Point of Contact will have up to sixty (60) days from the date of the notification in which to respond with confirmation as to the public WHOIS contact data or to submit data to correct and complete it. Validation can occur via the ARIN Online account, or, alternatively, by clicking the validation link in the email notification. After the sixty (60) day period, non-responsive Point of Contact records will be marked as “non-responsive” in the public WHOIS directory.

3.6.7 Non-Responsive Point of Contact Records

After an additional ninety (90) days after the Point of Contact record has been marked as “non-responsive”, ARIN’s staff after through research and analysis, will mark those non validated, abandoned or otherwise illegitimate POC records “invalid”. Records marked “invalid” will be taken out of the reverse DNS and their associated resources will be removed from the public WHOIS, thereby disabling reverse DNS. ARIN will make available the necessary resources to ensure enforcement of this policy.

Comments:

a. Timetable for implementation: to be based upon discussions with ARIN’s staff.
b. Anything else