Every time I witness another argument about changing the rules of the Whois system I marvel at how such an important core internet protocol could be so widely misunderstood. I don't mean that the protocol's technical details are not well understood — it's a very simple device, easy to implement correctly and easy to use even for new users. I mean that the Whois system itself and its purpose in the Internet ecosystem is widely misunderstood. Everybody uses Whois and lots of people argue about Whois but precious few folks know why Whois exists in the first place.
Consider the Regional Internet Registry (RIR) system which is the registry responsible for Internet Protocol numbering resources such as IP version 4 and IP version 6 address blocks and autonomous system numbers. Those number resources that were assigned by the US government before the RIR system existed are called "legacy" resources, and these legacy resources are part of the current Whois registry. Sometimes an argument is heard that since some of these "legacy" resource holders are not members of any RIR and pay no fees, they do not deserve the privilege of being listed in Whois. Some opponents of this argument say that being listed in Whois is a right not a privilege. Both arguments miss the point, which is that correct registration information in Whois is an obligation by every registrant to the community, not a privilege and not a right.
The entire Internet community has a right to know who holds what address block and has a right to know how to contact that holder if there is an operational problem involving an address in that block. The Internet is a public system, nongovernmental but still governed, and the stewards of Internet resources must always look first to the public good even though their own internal elections and fees are limited to a membership. You can see this principle reinforced by the fact that policy development for Internet governance is done in public forums with full public participation not limited to regional residents or to a membership. The Internet public has a right to be heard on matters of policy, not just at ARIN (where I am serving my 7th year on the Board of Trustees, though I am writing here as an Internet citizen only — not speaking for ARIN or for my day job) but in all the RIRs (AfriNIC, APNIC, LACNIC, and RIPE).
During last week's meeting of APNIC (Asia Pacific Network Information Center) I was moved to comment at the microphone during the public Policy SIG meeting on a proposal (#96) to reestablish the principle of demonstrated need for allocations out of the "last /8". The "last /8" is the address block APNIC received from ICANN in Miami last month when the final five /8's in ICANN's inventory were allocated to the five regional Internet registries (RIRs). APNIC has special allocation rules for this /8, it won't be handed out as "business as usual", and one of the special rules is presently that the recipient does not have to show demonstrated need per the rules of RFC 2050. An RIR departing from RFC 2050 is a radical change since this RFC is the founding document of the RIR system as well as a restatement of the policies which governed the pre-RIR "legacy allocations" made up to that point by US government contractors IANA and InterNIC.
Proponents of policy proposal #96 said that the lack of a demonstrated need rule will make APNIC members ineligible for inter-RIR transfers if the source region is still requiring demonstrated need. During the transition from IP version 4 to IP version 6 it's expected that some networks will convert before others and that the early ones will agree (possibly in exchange for payment) to transfer their network numbering resources to the later ones. In this way the debate about proposal #96 quickly turned into a proxy debate about transfers in general, and whether transfer recipients ought to have to show demonstrated need or not. Call me old fashioned (as many do) but to me a recipient of an address block who has no demonstrated need for it is simply a speculator and while the Internet community ought to be helping people build networks it has no reason to help speculators acquire rights for later sale (or rental) to people who build networks.
Several opponents to policy proposal #96 got up to the microphone and one of the oppositional themes that emerged was that APNIC was a registry and that a registry's value to the Internet community is that it provides uniqueness and that if APNIC were to enforce "demonstrated need" on recipients then it would merely push such recipients off the books at great cost in the uniqueness and therefore the relevance of the APNIC registry. This got me out of my chair and over to the microphone.
"Don't run scared," I said. The network operators who search APNIC's Whois registry may be doing so for reasons beyond the value of uniqueness. They may be counting on this registry to tell them not only who holds an address block but also what policies governed the receipt of that address block. If they know that the presence of an entry in APNIC's Whois registry means that the address holder had to demonstrate need then they may trust the registry far more than if they know that anyone who does a private off books transfer and pays a filing fee can get themselves recorded as the holder of an address block. If network operators think that speculators who are not building networks can hold or control address allocation then they might stop trusting the registry altogether no matter how much uniqueness it still has.
In the end, policy proposal #96 was "sent back to the mailing list", there to gather some kind of consensus whether in favour or in opposition. Perhaps that debate will stick to the merits of the proposal, but in the Policy SIG session during the Hong Kong APNIC meeting the real debate was about the value (and the valuers) of Whois and how policy ought to be shaped in order to make an effective transfer system for IP version 4 resources during the transition to IP version 6.
In the region where I make my home, the RIR (which is ARIN) has a transfer policy allowing private transfers of network resources to be recorded in the Whois registry, as long as the recipient is a signatory to a Registration Services Agreement (RSA) and can demonstrate an operational need for the address space within the next 12 months. This policy represents the ARIN community's acknowledgement that IP version 4 (IPv4) addresses will soon be a scarce resource and there will naturally be a market of people willing to give up their rights to address blocks ("sellers") and people willing to pay money to get address space ("buyers"). ARIN's policies are determined by the community through an open and transparent public participation and consensus process, and the community's expressed wishes in this case are that transfers should be recordable in order that the ARIN Whois registry can be correct and therefore useful. Note, though, ARIN is a creature of RFC 2050 and all address recipients whether by allocation or by transfer must demonstrate an operational need for the address block they are receiving. In other words speculators would not meet the terms of ARIN's community driven consensus based policies.
Does this "demonstrated need" policy somehow outlaw private transfers? Not in law, no it does not. But ARIN would treat the use of an address block by someone who is not the registered holder of that address block as potentially fraudulent which could in some cases lead to address block reclamation and reassignment after a six month hold-down period. In effect, off books transfers are less attractive since the recipient would not be the registrant. In that sense the ARIN Whois registry offers confidence in both uniqueness and demonstrated need. The intent is to maximize both the utility and utilization of Internet address space, where utilization means building and growing and operating networks not hedging or leveraging or renting address resources.
In the ARIN region, the community's expressed policy assumes that the Whois registry is valuable because of the policies that control it not just because it assures uniqueness. Which is why I said, in support of APNIC policy proposal #96, when I heard someone say that a registry should just record whatever people want it to record and should not dictate any policy at all, "don't run scared." These registries are valuable for reasons beyond simple uniqueness, and as long as these registries continue to support the community's need to build networks, nobody needs to worry much about address block recipients who cannot demonstrate need, which is to say, about speculators.
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Neustar DNS Services
Neustar DDoS Protection
Minds + Machines