Reply to Sean Donelan (was: Yet more hijacked space? - deru.net)

Tue May 6 09:20:24 UTC 2003

>But it doesn't answer the basic questions.  How do you tell the 
difference
>between a legitimate change and an illegitmate change?  If ARIN makes it
>extremely difficult to update registry records, the records will get even
>more out of date.  On the other hand if ARIN makes it too easy to update
>registry records, the wrong people can make unauthorized changes.

That's a good question, Sean. However there is another way. ARIN and the 
other RIRs need to stop publishing the whois directories as they stand 
today. There is no good reason for publishing most of the information that 
they do publish. 

All of this garbage information clogs up the system and makes it easier 
for spammers and outlaws to hide. The Internet is no longer a collegial 
project where we can request that all people with a directory on an 
ARPANET host who is capable of passing traffic across the ARPANET should 
be registered in the whois directory. (Ref RFC 812)

In fact, we haven't done this for at least 10 years. We already have a 
two-tiered system in place where the bulk of users with directories on an 
Internet-connected system capable of initiating Internet traffic are only 
registered with their service provider. Only network operators are 
expected to register in the whois directory.

I think that it is time to tighten up on these requirements even further. 
The published whois directory should only contain the up-to-date contact 
information of people responsible for enforcing network AUPs and rooting 
out network abuse. If an organization is allocated or assigned IP space 
from their upstream then their info should not be published in the whois 
directory unless they agree to be directly responsible for AUPs and abuse 
mitigation. This contact information should be checked more than once per 
year (twice yearly or quarterly) and if it becomes stale, then it should 
be immediately updated to indicate that it is stale. The incorrect phone 
numbers and email domains should be removed from the published directory. 
If there is an upstream then the address contact info should revert to the 
upstream since it is not possible for a non-contactible entity to be 
responsible for AUP enforcement and abuse mitigation.

In the case of address blocks allocated directly by a registry, this means 
they must virtually disappear from the whois. The only information left 
will be "Previously allocated, no current contact info".

In one fell swoop, this will enable people to block just about every 
possible source of spam. If anyone is actually still using their 
addresses, this will also bring them out of the woodwork to update their 
contact info and get with the program. There will be zero impact on anyone 
who gets their addresses from an upstream since the contact info will 
revert to the upstream until such time as the upstream fomrally delegates 
the abuse handling responsibility to the customer by submitting correct 
contact info.

Of course, none of this will happen unless network operators stop chasing 
symptoms and start thinking more deeply about the roots of the problem. 
One of these roots is the lack of a web of accountability for IP address 
space.

--Michael Dillon