Home / Blogs

Whois Scared?

Every time I witness another argument about changing the rules of the Whois system I marvel at how such an important core internet protocol could be so widely misunderstood. I don’t mean that the protocol’s technical details are not well understood—it’s a very simple device, easy to implement correctly and easy to use even for new users. I mean that the Whois system itself and its purpose in the Internet ecosystem is widely misunderstood. Everybody uses Whois and lots of people argue about Whois but precious few folks know why Whois exists in the first place.

Consider the Regional Internet Registry (RIR) system which is the registry responsible for Internet Protocol numbering resources such as IP version 4 and IP version 6 address blocks and autonomous system numbers. Those number resources that were assigned by the US government before the RIR system existed are called “legacy” resources, and these legacy resources are part of the current Whois registry. Sometimes an argument is heard that since some of these “legacy” resource holders are not members of any RIR and pay no fees, they do not deserve the privilege of being listed in Whois. Some opponents of this argument say that being listed in Whois is a right not a privilege. Both arguments miss the point, which is that correct registration information in Whois is an obligation by every registrant to the community, not a privilege and not a right.

The entire Internet community has a right to know who holds what address block and has a right to know how to contact that holder if there is an operational problem involving an address in that block. The Internet is a public system, nongovernmental but still governed, and the stewards of Internet resources must always look first to the public good even though their own internal elections and fees are limited to a membership. You can see this principle reinforced by the fact that policy development for Internet governance is done in public forums with full public participation not limited to regional residents or to a membership. The Internet public has a right to be heard on matters of policy, not just at ARIN (where I am serving my 7th year on the Board of Trustees, though I am writing here as an Internet citizen only—not speaking for ARIN or for my day job) but in all the RIRs (AfriNIC, APNIC, LACNIC, and RIPE).

During last week’s meeting of APNIC (Asia Pacific Network Information Center) I was moved to comment at the microphone during the public Policy SIG meeting on a proposal (#96) to reestablish the principle of demonstrated need for allocations out of the “last /8”. The “last /8” is the address block APNIC received from ICANN in Miami last month when the final five /8’s in ICANN’s inventory were allocated to the five regional Internet registries (RIRs). APNIC has special allocation rules for this /8, it won’t be handed out as “business as usual”, and one of the special rules is presently that the recipient does not have to show demonstrated need per the rules of RFC 2050. An RIR departing from RFC 2050 is a radical change since this RFC is the founding document of the RIR system as well as a restatement of the policies which governed the pre-RIR “legacy allocations” made up to that point by US government contractors IANA and InterNIC.

Proponents of policy proposal #96 said that the lack of a demonstrated need rule will make APNIC members ineligible for inter-RIR transfers if the source region is still requiring demonstrated need. During the transition from IP version 4 to IP version 6 it’s expected that some networks will convert before others and that the early ones will agree (possibly in exchange for payment) to transfer their network numbering resources to the later ones. In this way the debate about proposal #96 quickly turned into a proxy debate about transfers in general, and whether transfer recipients ought to have to show demonstrated need or not. Call me old fashioned (as many do) but to me a recipient of an address block who has no demonstrated need for it is simply a speculator and while the Internet community ought to be helping people build networks it has no reason to help speculators acquire rights for later sale (or rental) to people who build networks.

Several opponents to policy proposal #96 got up to the microphone and one of the oppositional themes that emerged was that APNIC was a registry and that a registry’s value to the Internet community is that it provides uniqueness and that if APNIC were to enforce “demonstrated need” on recipients then it would merely push such recipients off the books at great cost in the uniqueness and therefore the relevance of the APNIC registry. This got me out of my chair and over to the microphone.

“Don’t run scared,” I said. The network operators who search APNIC’s Whois registry may be doing so for reasons beyond the value of uniqueness. They may be counting on this registry to tell them not only who holds an address block but also what policies governed the receipt of that address block. If they know that the presence of an entry in APNIC’s Whois registry means that the address holder had to demonstrate need then they may trust the registry far more than if they know that anyone who does a private off books transfer and pays a filing fee can get themselves recorded as the holder of an address block. If network operators think that speculators who are not building networks can hold or control address allocation then they might stop trusting the registry altogether no matter how much uniqueness it still has.

In the end, policy proposal #96 was “sent back to the mailing list”, there to gather some kind of consensus whether in favour or in opposition. Perhaps that debate will stick to the merits of the proposal, but in the Policy SIG session during the Hong Kong APNIC meeting the real debate was about the value (and the valuers) of Whois and how policy ought to be shaped in order to make an effective transfer system for IP version 4 resources during the transition to IP version 6.

In the region where I make my home, the RIR (which is ARIN) has a transfer policy allowing private transfers of network resources to be recorded in the Whois registry, as long as the recipient is a signatory to a Registration Services Agreement (RSA) and can demonstrate an operational need for the address space within the next 12 months. This policy represents the ARIN community’s acknowledgement that IP version 4 (IPv4) addresses will soon be a scarce resource and there will naturally be a market of people willing to give up their rights to address blocks (“sellers”) and people willing to pay money to get address space (“buyers”). ARIN’s policies are determined by the community through an open and transparent public participation and consensus process, and the community’s expressed wishes in this case are that transfers should be recordable in order that the ARIN Whois registry can be correct and therefore useful. Note, though, ARIN is a creature of RFC 2050 and all address recipients whether by allocation or by transfer must demonstrate an operational need for the address block they are receiving. In other words speculators would not meet the terms of ARIN’s community driven consensus based policies.

Does this “demonstrated need” policy somehow outlaw private transfers? Not in law, no it does not. But ARIN would treat the use of an address block by someone who is not the registered holder of that address block as potentially fraudulent which could in some cases lead to address block reclamation and reassignment after a six month hold-down period. In effect, off books transfers are less attractive since the recipient would not be the registrant. In that sense the ARIN Whois registry offers confidence in both uniqueness and demonstrated need. The intent is to maximize both the utility and utilization of Internet address space, where utilization means building and growing and operating networks not hedging or leveraging or renting address resources.

In the ARIN region, the community’s expressed policy assumes that the Whois registry is valuable because of the policies that control it not just because it assures uniqueness. Which is why I said, in support of APNIC policy proposal #96, when I heard someone say that a registry should just record whatever people want it to record and should not dictate any policy at all, “don’t run scared.” These registries are valuable for reasons beyond simple uniqueness, and as long as these registries continue to support the community’s need to build networks, nobody needs to worry much about address block recipients who cannot demonstrate need, which is to say, about speculators.

By Paul Vixie, VP and Distinguished Engineer, AWS Security

Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC).

Visit Page

Filed Under

Comments

Correction regarding APNIC policies Paul Wilson  –  Mar 2, 2011 12:06 PM

Paul,

I’m sorry to say, but with the greatest respect, that you are basing at least part of your argument on misunderstandings or misstatements of APNIC’s policies.

At APNIC the “last /8” block WILL be distributed according to demonstrated need, for as long as it lasts.  The applicable policy provides that each recipient will be allowed only one single allocation from that pool, of a maximum size of /22, and that they will have to justify that allocation. So while it is a “rationing” policy, it is not in conflict with RFC2050 or with any principle of “allocation according to demonstrated need”.

The APNIC policy from which I guess you intended to launch your argument is quite different, but it is related to transfers of (previously-allocated) address space, NOT to allocations made by APNIC itself.

Our transfer policy is active already, but it incorporates a change in practice which will occur when the “last /8” policy is activated. Before that event, transfers are registered by APNIC only where the recipient can demonstrate their need for addresses under APNIC’s normal justification policies.  Afterwards however, transfers will be registered by APNIC on consent of the source and recipient, but without requiring justification.  It is this latter provision, the removal of the justification requirement, which was the subject of proposal 096 last week.  Had that proposal been successful, the demonstrated need requirements would have been maintained after the start of last-/8 allocations.

I hope you can see that I am not commenting on the merits of the APNIC transfer policy, or on the proposal to continue the current assessment process. But in any case, considering that RFC2050, written as a BCP in 1996, assumes allocation from an abundant supply, and does not anticipate IPv4 exhaustion, I think we need to consider more carefully how it applies to these policies, if at all.

It will help if that discussion is based on the facts about the policies that we have in place, and I have to say this is not the first time I’ve seen APNIC’s policies misstated in ways which happen to be material to those discussions.

Thanks for an interesting article.

Paul Wilson
Director General
APNIC

Re: Correction regarding APNIC policies Paul Vixie  –  Mar 2, 2011 6:56 PM

Paul, thank you for correcting my error as to the nature of proposal #96. My jet lag must have been worse than I thought; I was going by my memory of what was presented in the room, whereas the online text (http://www.apnic.net/policy/proposals/prop-096) makes clear that the scope of proposal #96 is transfers not allocations and is not limited to the last /8 at all. Based on this correction to my understanding, I am in favour of APNIC policy proposal #96 as written. My basic argument in the article above is independent of policy #96 or any misunderstandings I may have had about it. To restate briefly, the entire Internet community creates IP resources for itself and then creates registries for those resources and then obligates registrants to use those registries. The community's purpose in doing this is not to enrich speculators but rather to ensure that the Internet can grow. Any policy which allows someone to hold IP resources for some purpose other than to build their own networks is antithetical to the goals of the community in putting the whole system in place or keeping it in place. Thousands of contributors have put tens of thousands of hours and many millions of dollars into creating this system and they didn't do it so that the resulting resources could be hedged or leased. We should think very carefully before we depart from the principles that got us here. In your reply you noted that RFC 2050 is a BCP document (best current practice) and that it's very old and that it was crafted during a time of abundance. I'd like to question both your statement and its implications. I don't think there ever was "abundance" since every IP address block takes up a "routing table slot" which is in effect a global micro-co-investment by all network operators. I have lived through several iterations of explosive routing table growth that overwhelmed the routers most operators were then using. RFC 2050's "Introduction" section begins with a discussion of router technology and the virtues of hierarchical (provider assigned) routing and of aggregation and then states: "In the event that routing or router technology develops to the point that adequate routing aggregation can be achieved by other means or that routers can deal with larger routing and more dynamic tables, it may be appropriate to review these constraints." I assert that this event has not yet occurred. The implications of your statement about RFC 2050's assumption of abundance could be that since IP version 4 address space is going to become scarce soon, different rules of resource allocation and transfer might now be necessary. I'd argue that if we ever had abundance and if we will shortly have scarcity, that requiring "demonstrated need" would be even more important in the future than it has been up until now. If the best thing a speculator can do for the value of their portfolio is to artificially increase scarcity or to subdivide into smaller lots or do short term leases or require profit sharing by operators, then those practices occur -- it's a matter of rational self interest. No matter what then appears in any registry, an operator who needs space for growth would have to question the virtue of respecting those registrations if the purpose of them appears to be speculative rather than operational. Furthermore, there is no basis in rational self interest for a speculator to take the size of the global routing table into account when deciding their strategy or making deals. The Internet community who set all this in motion has some overarching goals and none of those goals including acting in the service of resource speculators. The global operations community needs not only IP resources for their own networks but also confidence that the rest of the IP resources in the system are being allocated to operators who will use them. There is no conceivable community benefit to allowing someone to be entered into the Whois registry system for any reason other than demonstrated operational need.

Registration data and the Role of "Registries" David Conrad  –  Mar 4, 2011 5:26 AM

Paul,

As demonstrated by http://mailman.nanog.org/pipermail/nanog/2011-March/033962.html, the issue you started to raise regarding the administration of registration data (aka “Whois”) is an important one that has remained unresolved for pretty much as long as IP has existed. I believe registration data access and accuracy will become increasingly contentious as people, organizations, and governments become more fundamentally dependent on Internet technologies for all their day-to-day activities.  Indeed, the exhaustion of the IPv4 free pool and the introduction of new gTLDs will only increase demands for improved accuracy and comprehensiveness in (both name and address) registration data at the same time there are and will be increased concerns regarding privacy, appropriateness of access, etc. Fixing “Whois” is an important topic that really needs to be addressed, both for number registrations as well as name registrations.

However, your article proceeded to take a right turn and (perhaps inadvertently) demonstrate one of the reasons “Whois” will remain a problem: attempts to use registration data as a policy enforcement tool.  I believe this has significant risk: to paraphrase Leia Organa, “the more you tighten your grip,  the more address users will slip through your fingers.”  I’ll admit some confusion how you would square the idea “The entire Internet community has a right to know who holds what address block and has a right to know how to contact that holder if there is an operational problem involving an address in that block.” with ARIN’s declaration that “transfers” (even of address space allocated not under any registration service agreement or before ARIN even existed) outside the context of the RIRs is “fraudulent”, but I’m sure time will tell.

With regards to RFC 2050, as an author of that document, your (and other ARIN luminaries’) attempts to deify it have always amused me.  As Paul Wilson notes, RFC 2050 was a document that was written about the Internet as it existed in 1996 (and truth be told, RFC 2050 was outdated by the time it was published as an RFC).  Indeed, one of the reasons RFC 2050 became a BCP was because it explicitly documented then-current practice. It was the only way the IESG would let it through: there were many in the IETF who were afraid the RIRs would use RFC 2050 to try to control how people did business outside of technical requirements, a fear that appears to be being borne out.  You might also note that the title of that document specifies it is allocation guidelines and the text discusses only IPv4.  As the allocation of IPv4 is soon to no longer be an issue, I have argued in other venues that it is probably long past time to move RFC 2050 to historic.

How the RIR system is to evolve in the post-IPv4 free pool world is likely to be an important issue and should be discussed in an open, non-biased venue. Unfortunately, I have some skepticism this will actually happen before reality will intrude.

Deification of RFC 2050 Paul Vixie  –  Mar 22, 2011 6:35 AM

"the more you tighten your grip, the more address users will slip through your fingers."
It's not my grip or APNIC's grip or ARIN's grip. The Internet is a cooperative system and the cooperators have instituted a system of self governance and policy making that promotes the common interest.
I'll admit some confusion how you would square the idea "The entire Internet community has a right to know who holds what address block and has a right to know how to contact that holder if there is an operational problem involving an address in that block." with ARIN's declaration that "transfers" (even of address space allocated not under any registration service agreement or before ARIN even existed) outside the context of the RIRs is "fraudulent", but I'm sure time will tell.
I think that if somebody tries to trade in contracts for number resources and they want to do it without interference by policies made in the common interest then they could be acting non-cooperatively. Since you mention ARIN I will restate for the record that ARIN has always offered "legacy" registrants the full level of service they received from ARIN's predecessors at the same fee ("zero"). ARIN also offers a Legacy Registration Services Agreement (LRSA) to bring these allocations into a modern and contractual relationship. As you know, legacy holders otherwise lack an explicit statement of their rights.
With regards to RFC 2050, as an author of that document, your (and other ARIN luminaries') attempts to deify it have always amused me.
Let me again express my regret to you and the rest of the drafting team for having agreed to help and then flaking out. I think you guys did a stupendously wonderful job, and one of the things you got right was the explanation of the rights and responsibilities of address space holders. While IETF politics may have limited this RFC to "Best Current Practice" status rather than the more important sounding "Standards Track" status, there was universal consensus at that time -- including some people since deceased -- that the historical accounting was correct.
You might also note that the title of that document specifies it is allocation guidelines and the text discusses only IPv4.
The text of the document seems to me more important than its title, and the text definitely describes the qualifications for receiving resources and then tells allocators to be guided by those qualifications. Nobody at the time was thinking about other ways to receive number resources than by allocation, since the IPv4 pool was nowhere close to depletion and most of the IPv4 Internet's growth was yet to come. RFC 2050 also describes an IP address management framework and a section about reclamation for lack of need. It also specifically says that transfers require the same justification of need as new allocations.
As the allocation of IPv4 is soon to no longer be an issue, I have argued in other venues that it is probably long past time to move RFC 2050 to historic. ... How the RIR system is to evolve in the post-IPv4 free pool world is likely to be an important issue and should be discussed in an open, non-biased venue.
Before we could put RFC 2050 into Historic status it would have to be replaced, and I think the right place to do that is either the RIR Global Policy Process or back to the IETF. My expectation is that any such replacement document, in order to reach consensus in the cooperative Internet infrastructure community, would preserve the "needs based" allocation function. That's because cooperators don't generally build systems that can be used by non-cooperators to speculate in Internet number resources. To earn a place in the routing table of some distant network operator with whom I have no contract, I feel that I have to respect his or her right to set the policy by which they respects "my" allocations. That cooperative mesh of interdependent respect is a requirement no matter whether "my" allocations came to me directly from the central pool or indirectly through a transfer mechanism, and it's a requirement no matter whether the number resources are for IPv4 or IPv6.

Confirmation Bias David Conrad  –  Mar 22, 2011 11:55 PM

The Internet is a cooperative system and the cooperators have instituted a system of self governance and policy making that promotes the common interest.

I suspect the key word here is “cooperators”.  You’ll note this is a self-selecting set.  The risk ARIN (in particular) is running is to encourage an increasing number of network operators to opt out of this self-selecting set because the (relatively) small number of participants in ARIN politics no longer reflect the will/interests of the larger community.

ARIN has always offered “legacy” registrants the full level of service they received from ARIN’s predecessors at the same fee (“zero”).

Yes (I believe that was offered as a condition of ARIN being established, but I might be wrong), and the threat of ceasing to provide that service keeps re-occurring on RIR public policy discussion lists, e.g., just last month: ARIN-prop-133.  How are such policy proposals consistent with the topic you started to discuss?

ARIN also offers a Legacy Registration Services Agreement (LRSA) to bring these allocations into a modern and contractual relationship. As you know, legacy holders otherwise lack an explicit statement of their rights.

At the cost of explicitly agreeing to abide by ARIN’s terms and conditions and being bound by the whims of the (relatively) small number of folks who have the money/time/interest in following the mindnumbing RIR politics.  My suspicion is that the majority of legacy registrants have little interest in buying into the RIR system (why should they?), but you’d know better than I: how many (as a percentage of all legacy registrants) have entered into a “legacy RSA”?

Nobody at the time was thinking about other ways to receive number resources than by allocation, since the IPv4 pool was nowhere close to depletion and most of the IPv4 Internet’s growth was yet to come.

This sort of revisionism is unhelpful.  There were numerous discussions of alternative IPv4 allocation approaches, e.g., the PIARA BOF (which you attended) and RFC 1744, that occurred before RFC 2050 was published.  People were thinking about alternatives when 2050 was written, which is one of the reasons RFC 2050 was explicitly documenting then-current practice.  The Internet has evolved since then.

Before we could put RFC 2050 into Historic status it would have to be replaced, and I think the right place to do that is either the RIR Global Policy Process or back to the IETF.

The issue here is that I suspect the IETF would (rightfully, since it is (at best) an operational issue that has less than zero protocol engineering relevance) have no interest in jumping into this particular swamp again (in fact, as mentioned in the IESG preface to 2050, there was an attempt known as “Internet Registry Evolution” that did not move forward) and the “RIR Global Policy Process” has an obvious bias towards the status quo.  As I’m sure you’re aware, it is notoriously difficult to kill off bureaucracies once they’re entrenched.  The question you should really be asking is whether or not the actions of the RIRs, particularly ones that wildly distort the market for IPv4 addresses, are beneficial in attempting to reach the goal you started to discuss, namely ensuring the “Whois” database is accurate.  My suspicion is they won’t be.

The reality is that the vast majority of folks on the Internet neither know nor care about the RIRs and their policies.  What they care about is ‘connectivity’ (shorthand for the content they wish to gain access to/interact with). When the RIRs get in the way of folks obtaining that connectivity, say by pretending to be regulators and attempting to disallow an ISP from obtaining address space from whomsoever has it for whatever reason, I strongly suspect the RIRs will find themselves wondering where their customers/revenues went while the “Whois” database becomes even more fragmented and inaccurate than it is now.

I guess we’ll see.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API