But it doesn't answer the basic questions. How do you tell the difference between a legitimate change and an illegitmate change? If ARIN makes it extremely difficult to update registry records, the records will get even more out of date. On the other hand if ARIN makes it too easy to update registry records, the wrong people can make unauthorized changes.
That's a good question, Sean. However there is another way. ARIN and the other RIRs need to stop publishing the whois directories as they stand today. There is no good reason for publishing most of the information that they do publish. All of this garbage information clogs up the system and makes it easier for spammers and outlaws to hide. The Internet is no longer a collegial project where we can request that all people with a directory on an ARPANET host who is capable of passing traffic across the ARPANET should be registered in the whois directory. (Ref RFC 812) In fact, we haven't done this for at least 10 years. We already have a two-tiered system in place where the bulk of users with directories on an Internet-connected system capable of initiating Internet traffic are only registered with their service provider. Only network operators are expected to register in the whois directory. I think that it is time to tighten up on these requirements even further. The published whois directory should only contain the up-to-date contact information of people responsible for enforcing network AUPs and rooting out network abuse. If an organization is allocated or assigned IP space from their upstream then their info should not be published in the whois directory unless they agree to be directly responsible for AUPs and abuse mitigation. This contact information should be checked more than once per year (twice yearly or quarterly) and if it becomes stale, then it should be immediately updated to indicate that it is stale. The incorrect phone numbers and email domains should be removed from the published directory. If there is an upstream then the address contact info should revert to the upstream since it is not possible for a non-contactible entity to be responsible for AUP enforcement and abuse mitigation. In the case of address blocks allocated directly by a registry, this means they must virtually disappear from the whois. The only information left will be "Previously allocated, no current contact info". In one fell swoop, this will enable people to block just about every possible source of spam. If anyone is actually still using their addresses, this will also bring them out of the woodwork to update their contact info and get with the program. There will be zero impact on anyone who gets their addresses from an upstream since the contact info will revert to the upstream until such time as the upstream fomrally delegates the abuse handling responsibility to the customer by submitting correct contact info. Of course, none of this will happen unless network operators stop chasing symptoms and start thinking more deeply about the roots of the problem. One of these roots is the lack of a web of accountability for IP address space. --Michael Dillon