Having just spent two and a half days at an ARIN Public Policy Meeting, ARIN 39, I’d like to share some of my impressions of the meeting and the state of address policy in the region served by ARIN.
It’s clear that ARIN has largely undertaken its mission with careful and considered distinction. It has achieved much of what is efficiently achievable in a consensus-driven, open process, and has left alone what is overly contentious, or too enmeshed in the vagaries of history, to even attempt to unravel. What this means is that these days ARIN meetings are generally not filled with high drama and fraught contentious debate, and this latest meeting was no exception.
In terms of policy, the meeting largely dealt with matters that were obvious or could be seen as “precise” clarifications of existing policies. However, there was one point where I thought that there was some level of disconnect, and that concerns the contents of the ARIN number registry.
Managing and curating whois database policies
Over the years, ARIN and its predecessors have made some 50,000 allocations of IP addresses and/or Autonomous System Numbers; these entities and the resources they currently hold, are listed in the ARIN registry. However, that’s not all that you can find in this registry.
For many years, it has been a requirement to submit to ARIN the details of certain address sub-assignments made by recipients of ARIN addresses. ARIN’s database holds more than 600,000 records that list addresses and points of contact (PoCs).
It is unclear to what extent this secondary set of records of sub-assignments is complete, or even whether it was accurate at any point in time. Such records were evidently reviewed at those times when the original address holder requested additional addresses and revised their sub-assignment records as part of the ARIN review of address use. But at other times the level of attention paid to the completeness and currency of these sub-assignment records was somewhat variable.
It was evident in the policy discussion at this meeting that a number of agencies, generally associated with aspects of law enforcement (LEAs), would like to see more attention paid to this registry. Two policy proposals – Draft Policy ARIN-2016-8: Removal of Indirect POC Validation Requirement and Draft Policy ARIN-2017-3: Update to NRPM 3.6: Annual Whois POC Validation – essentially proposed to task ARIN with some level of continual activity that would monitor the accuracy of all of these records in the database.
It’s certainly the case that almost all forms of criminal and extreme behaviours are “cyber crimes” of one form or another, and relating traces of online criminal or extremist behaviour to the identities of individuals is a natural desire by these LEAs.
Why is accurate #Whois data so important? #ARIN39 pic.twitter.com/FwvZmrPdlP
— ARIN (@TeamARIN) April 3, 2017
The analogous reference in the days of telephony was a ‘reverse phone book’ where a phone number could be traced to a subscriber. If this was possible for the telephone network, why can’t we do this for the Internet? After all, everyone who generates an online transaction uses an IP address. Why can’t we publish some form of ‘Internet Reverse Phone Book’ listing all IP addresses with end entities?
It was evident from the discussion at ARIN 39 that some LEAs are interested in seeing this happen, and in the case of North America they are keen to see ARIN take a leading role in facilitating it. This registry of some 600,000 IP address holders is thought to be a really good place to start. The policy proposal advocates that ARIN regularly audit all of these PoCs and ensure that they are accurate.
That is all well and good, but there are some additional aspects to consider here. In the US alone, there are estimated to be some 282 million individual users of the Internet. Which subset of this rather significant set of users is listed in the ARIN database as a PoC for an IP address?
Obviously, there are a massive number of assigned IP addresses for which no PoC exists in ARIN’s registry. These sub-assignment records were not created by ARIN and are not curated by ARIN. Indeed, many of the listed entities are probably unaware that they are listed in this database at all.
It does seem a little far-fetched to compel ARIN to contact a set of folk that have no relationship – and potentially no knowledge of ARIN – and start a conversation about the accuracy of the contact information that ARIN holds.
The obvious weakness of this database, in terms of how comprehensively it attributes effective end-user assignments of IP addresses, probably has as much to do with the architecture of today’s Internet as with any failings in attempting to keep these sub-assignment records up to date. Many retail access providers use dynamic address assignment pools in those cases where public IP addresses are assigned to end users, or, more commonly these days, the use of public addresses is completely automated by virtue of carrier grade NAT (CGN) deployments. In the latter case, not only is the address dynamically assigned, but it is likely to be shared across many customers, possibly tens of thousands of customers in a large CGN pool.
The overall numbers of today’s Internet point to the scope of address sharing. Current estimates indicate that the Internet is populated by between 12 and 14 billion attached devices, which use an estimated 1.5 to 2 billion IP addresses. Obviously, not every endpoint has its own unique IP address.
Maybe it’s time to walk away from phone books and from the concept that there is some underlying persistence in the association of individual IP addresses and connected end point devices.
It’s certainly reasonable for a registry such as ARIN, or any of the other four Regional Internet Registries, to work diligently to ensure that the data in their registry that relates to address assignments directly made by the registry is complete and accurate at all times. But it is perhaps not so reasonable to compel these same registries to create a public repository of sub-assignment of addresses and the related record keeping of dynamic address assignments by service providers.
The registry has little in the way of effective inducement or enforcement abilities to ensure that any such records are complete, current or accurate. And partial data sets of dubious provenance are often less valuable than having no data in the first place.
What might help here is for ARIN to very clearly mark all data that relates to address assignments made by them, and ensure they actively curate such data, even to the extent of being able to query the ARIN-only entries for address records. As for the other 600,000 or so entries, maybe the case can be made that no data at all is better than incomplete bad data!
Address transfer policies
In policy discussions, the long-standing debate over address transfer policies was raised.
- Draft Policy ARIN-2017-1: Clarify Slow Start for Transfers
- Recommended Draft Policy ARIN-2016-9: Streamline Merger & Acquisition Transfers
- Recommended Draft Policy ARIN-2016-3: Alternative simplified criteria for justifying small IPv4 transfers
In ARIN, there continues to be a school of thought that strongly believes that a recipient of an address transfer needs to be able to meet some “demonstrated need” criteria before the transfer will be recorded in ARIN’s registry.
There is also a school of thought that strongly believes that the imposition of policies that prevent the registration of address transfers does not prevent the transfer, but instead disconnects the registry from the “ground truth” of the network itself, demeaning the utility of the registry as a common reference source relating to the current disposition of addresses.
There is no commonly acceptable resolution to this debate that has emerged so far, and certainly not at ARIN 39! Instead, we are seeing some policy proposals tinkering with the very fine level details surrounding the handling of address transfers. No doubt this topic will be revisited at future ARIN meetings.
As is usual, ARIN 39 was a well-organised meeting, fulfilling ARIN’s undertaking to support an open and transparent policy development process.
The meeting was also well supported for both local and remote participants, and the efforts to ensure that all participants were well briefed on the matters under consideration were nothing short of exemplary. For this, both ARIN and the participants at these public address policy meetings deserve plaudits for undertaking an important and at times difficult task with friendliness and a common desire to seek a working consensus wherever and whenever that’s achievable.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
Thanks for posting this most excellent blog entry!
You are certainly correct that much of the discussion at the recent ARIN meeting focused on Whois data accuracy matters, but it’s probably worth clarifying one point you made – “The analogous reference in the days of telephony was a ‘reverse phone book’ where a phone number could be traced to a subscriber. If this was possible for the telephone network, why can’t we do this for the Internet? After all, everyone who generates an online transaction uses an IP address. Why can’t we publish some form of ‘Internet Reverse Phone Book’ listing all IP addresses with end entities?”
To be clear, the LEA interest in ARIN Draft Policy 2017-3 is not aimed at end entities, but instead predominantly aims to improve the accuracy of the Whois registry records which lead to the ISP at the edge of the network serving that end-entity. This is a fairly important distinction, and called out explicitly in the problem statement: “For organizations tasked with protecting the general public, one of the most important registration records in the ARIN public access WHOIS directory is that of the last ISP in the chain of network operators providing connectivity.”
It will be up to the community to determine the merits of the draft policy, but reliable identification of the serving ISP would allow LEA entities to utilize traditional lawful process with the serving ISP on the first attempt, rather than having to iterate to find the correct ISP. In addition to improving the timeliness of public safety efforts, the ability to know the appropriate jurisdiction can actually improve the privacy rights of those involved.
This minor clarification aside, I’d like to thank you for your wonderful summary of the ARIN 39 meeting, as well as for your fine presentation on Addressing 2016!
When we talk about “improving the accuracy of the Whois registry records” the considerations typically include the thornier issue of completeness in the larger domain of “accuracy”.
As a researcher who has been a consumer of the published RIR data, I have been trying to distinguish between:
– what the RIRs’ registries KNOW, primarily because the RIR actually DID it some time in the past and has been diligent in keeping track of the current state of the party it originally dealt with. I am a keen advocate of even digitally signing such data using an RIR key to attest that “yes, that was us and we stand by it”
– what the RIRs are told by others. They have no solid basis to understand whether it was true at the time, and less of an idea whether it is true now. Presumably, these parties told the RIR this data in order to get more addresses, and in many cases these same parties have no intrinsic interest in keeping this information up to date, particularly as it concerns third parties, if there is no further ongoing relationship or further number allocations or assignments from the registry.
The problem in my research endeavours is that often the RIRs report on this aggregate data in response to queries without making a very clear distinction between what they know and what they were told.
In this article I was attempting to highlight the issues behind efforts to “improve” the data relating to what the RIR was told, given that the RIR was not told everything, then or now, the RIR has no idea why it was told, and the RIR appears to be pretty sure that many of the entities being talked about have no idea that they are described in these databases in any case! The question in my mind upon reflecting on this debate is whether it’s appropriate to serve up data items whose status is unknown and even unknowable in a strict sense, and whether it’s the best option to represent that data in the same cloak of assumed verisimilitude as the RIRs provide data that describes a prior action (where the RIR has a far better idea of its provenance and is in a far better position to represent the data as being the truth).
I am not attempting to brush aside the very real observation that there is a problem out there in every national jurisdiction over Internet accountability. There is a pressing and entirely understandable need for ISPs to be more responsive to LEAs over information requests to assist them in reliably mapping digital logs to the identity of subscribers as part of their investigations. I’d like to think we all get that these days. But ultimately doesn’t this become 200 or so national jurisdictional matters within each national regime? The significant expenditure of continual effort required to keep up-to-date records in this space has few natural market-related incentives, and in that situation compliance ultimately becomes a national regulatory measure rather than a voluntary optional exercise.
All RIRs work at the common behest of their regional communities – there are few sticks in their work that permit the RIRs to enforce behaviours at this level. There are the softer “carrots” that extol the common benefits of acting according to commonly adopted conventions. When we as a community look at these needs from LEAs, I can understand that we would all like to ensure that we help and not hinder their efforts. But the debate at the ARIN Open Policy meeting highlighted to me one important aspect of this, namely that the registries should be mindful of their limitations. The registry is in a good position to publish as reliable and authentic the information that the registry is certain about, predominantly because the registry actually did it! I think a certain level of caution is called for when providing data that is more indirect in nature.
Your comment has prompted me to wonder if the RIRs should start thinking about opening up more on the background of how and why their registries have items in their database. A bit like a Land Title document that contains a series of transactions affixed to the description of the land, listing the dates and entities who previously had an interest in this plot of land, the nature of the transaction that resulted in a change of title owner, and the identity of the agency who affixed each entry to the title document. If the registry cannot attest to an unshakable and well-founded conviction that all the data served up is totally and completely true (and it certainly cannot do that!) then perhaps the registry could show the background, or the provenance, of the data, and thereby assist the querier to make their own decision as to the reliability and trustworthiness of the data they are being served.
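As an added illustration of the distinction drawn in the exchange above (records of actions the registry itself performed, which it can attest to, versus data it was merely told) and of the earlier suggestion that registry-made entries be separately queryable, the following Python is example code written for this page, not anything ARIN or APNIC publishes. The attestation key, prefixes, holder names and PoCs are constructed, and an HMAC stands in for the RIR signature the comment proposes so the example runs on the standard library alone.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed stand-in for an RIR signing key. An HMAC secret is used so the
# example needs only the standard library; a real registry would publish a
# public-key signature instead. The value is hypothetical.
REGISTRY_KEY = b"hypothetical-registry-attestation-key"


def _canonical(record: dict) -> bytes:
    """Canonical JSON so that field order cannot change the digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def attest(record: dict) -> dict:
    """Tag an action the registry itself performed and attach its attestation."""
    body = dict(record, provenance="registry-action")
    tag = hmac.new(REGISTRY_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return dict(body, attestation=tag)


def reported(record: dict, reported_by: str) -> dict:
    """Tag data the registry was merely told; nothing is attested, only who said it."""
    return dict(record, provenance="reported", reported_by=reported_by)


def verify(record: dict) -> bool:
    """True only for a registry-action record whose attestation still checks out."""
    if record.get("provenance") != "registry-action":
        return False
    body = {k: v for k, v in record.items() if k != "attestation"}
    expected = hmac.new(REGISTRY_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(record.get("attestation", ""), expected)


def lookup(registry: list, address: str, registry_only: bool = False) -> list:
    """Covering records for an address, most specific first. With registry_only,
    return just the entries the registry can stand behind (verified actions)."""
    ip = ipaddress.ip_address(address)
    hits = [r for r in registry if ip in ipaddress.ip_network(r["prefix"])]
    if registry_only:
        hits = [r for r in hits if verify(r)]
    return sorted(hits, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen, reverse=True)


# Constructed sample registry using RFC 5737 documentation prefixes: one
# allocation the registry made itself, and one sub-assignment it was told about.
SAMPLE_REGISTRY = [
    attest({"prefix": "192.0.2.0/24", "holder": "EXAMPLE-ISP", "poc": "noc@isp.example"}),
    reported({"prefix": "192.0.2.128/25", "holder": "EXAMPLE-CUSTOMER", "poc": "it@customer.example"},
             reported_by="EXAMPLE-ISP"),
]
```

A querier sees both records for an address in the /25, but only the /24 carries a provenance the registry can vouch for, and any edit to that record invalidates its attestation.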
In reference to the draft policy in question, I don’t believe we, the RIRs, are being asked “to be more responsive to LEAs over information requests to assist them in reliably mapping digital logs to the identity of subscribers as part of their investigations”, but instead to provide the most reliable information we can regarding the edge ISP associated with a given IP address block (which one might argue is a function that is inherent to our role as the Internet number registry.)
The ISP address blocks vs subscriber info is a fairly important distinction, and when properly scoped involves far less data and makes consideration of the proposed task much more viable.
Ultimately, the merits of any policy change need to be decided by the community, but it is worth noting that when law enforcement parties reliably determine the ISP and jurisdiction associated with an address block, that actually enables them to directly engage with ISPs and the appropriate legal system in a manner that is not only more responsive to LEA needs, but also more sensitive to the privacy rights of the subscriber. This is one of the reasons that consideration of the draft policy is a non-trivial matter, as its implications for the Internet community are likely to be rather complicated.