Reply to Sean Donelan (was: Yet more hijacked space? - deru.net)
Michael.Dillon at radianz.com
Tue May 6 09:20:24 UTC 2003
>But it doesn't answer the basic questions. How do you tell the difference
>between a legitimate change and an illegitimate change? If ARIN makes it
>extremely difficult to update registry records, the records will get even
>more out of date. On the other hand if ARIN makes it too easy to update
>registry records, the wrong people can make unauthorized changes.

That's a good question, Sean. However there is another way. ARIN and the
other RIRs need to stop publishing the whois directories as they stand
today. There is no good reason for publishing most of the information that
they do publish.

All of this garbage information clogs up the system and makes it easier
for spammers and outlaws to hide. The Internet is no longer a collegial
project where we can request that all people with a directory on an
ARPANET host who is capable of passing traffic across the ARPANET should
be registered in the whois directory. (Ref RFC 812)

In fact, we haven't done this for at least 10 years. We already have a
two-tiered system in place where the bulk of users with directories on an
Internet-connected system capable of initiating Internet traffic are only
registered with their service provider. Only network operators are
expected to register in the whois directory.

I think that it is time to tighten up on these requirements even further.
The published whois directory should only contain the up-to-date contact
information of people responsible for enforcing network AUPs and rooting
out network abuse. If an organization is allocated or assigned IP space
from their upstream then their info should not be published in the whois
directory unless they agree to be directly responsible for AUPs and abuse
mitigation. This contact information should be checked more than once per
year (twice yearly or quarterly) and if it becomes stale, then it should
be immediately updated to indicate that it is stale. The incorrect phone
numbers and email domains should be removed from the published directory.
If there is an upstream then the address contact info should revert to the
upstream since it is not possible for a non-contactible entity to be
responsible for AUP enforcement and abuse mitigation.

In the case of address blocks allocated directly by a registry, this means
they must virtually disappear from the whois. The only information left
will be "Previously allocated, no current contact info".

In one fell swoop, this will enable people to block just about every
possible source of spam. If anyone is actually still using their
addresses, this will also bring them out of the woodwork to update their
contact info and get with the program. There will be zero impact on anyone
who gets their addresses from an upstream since the contact info will
revert to the upstream until such time as the upstream formally delegates
the abuse handling responsibility to the customer by submitting correct

Of course, none of this will happen unless network operators stop chasing
symptoms and start thinking more deeply about the roots of the problem.
One of these roots is the lack of a web of accountability for IP address