Hi George, all,

I just looked at the presentation that you gave earlier today and have 
some inputs about possible ways to improve it.

1. Slides 9-10
1.1. About receiving spam
The abuse mailbox should receive *all* the emails to be able to receive abuse 
reports about spam. If you filter emails that contain headers from spam, then 
you are ruining the purpose of the abuse-c. Clearly this could be improved, as 
an operational decision, by making some kind of automation, but in such a way 
that it ensures that only real spam is dropped. Note that the other RIRs are 
also using (at some point) validation links via the abuse-c email.

1.2. About clicking links
I provided an example procedure in the policy proposal to avoid this. I've 
copied this below my signature. See points 1-5. If that procedure is followed, 
I think it is obvious that you will avoid this problem. I failed to ensure, 
during the previous implementation presentations, that you are following a 
procedure that avoids this problem. Of course, you can even avoid needing to 
send the validation link if you just say in the email with the code "you need 
to go to your MyAPNIC account to use this code" ... Maybe also an alternative 
is to use email certificates from APNIC.

2. Slide 11
2.1. About the validation cycle.
In more recent versions of this policy, in other RIRs, I have included specific 
text so APNIC can accommodate both the validation periods and the cycle 
validation. The idea is that you can do a slow start (which seems not to be 
needed in the case of APNIC due to the 87% validation success - 
congratulations!), but you can also adjust the timing depending on the staff 
available to escalate the validation, or move from 6 months to 1 year once 
the "99%" of the contacts are valid, and if needed, for example, if the contacts 
get bad, move again to 6 months or even 3 months to get them on track again.

2.2. Deprecating IRT.
The policy proposal included in the ADDITIONAL INFORMATION section:
"a. Since this proposal is implemented, APNIC will publish the IRT also as 
abuse-c, in order to facilitate the search in whois, for the same information, 
regardless if looking for abuse-c or IRT. This is done in order to assimilate 
the IRT to the majority of the RIRs where it is abuse-c."

So clearly, the idea was that we move from the IRT to abuse-c, so as to align 
all the 5 RIRs as much as possible (in ARIN it is POC, and in AFRINIC it is also 
IRT, but there is a policy proposal like this one, and in fact there is only a 
ridiculous fraction of IRT objects because it is not mandatory right now).

I have one question. What is the status of implementation at each NIR?

Now, regarding the points that I've commented above, I will be happy to get 
additional inputs and send a policy proposal in a few days. I don't think we 
should do anything about 1.1. 1.2 and 2.2 should be addressed as part of the 
operational procedure by the staff. We can address 2.1. Something else?

Now, a possible idea to improve this would be to move the policy to make 
the use of XARF "eXtended Abuse Reporting Format" (RFC5965/RFC6692) mandatory. 
There are already open source (and commercial) tools that allow it. This will 
resolve problem 1.1 above and provide much better tools to the resource-holders 
to avoid manual monitoring as much as possible, automate the abuse processing, etc.

Can we get some inputs about whether this is perceived as interesting by the 
community?

Maybe we can draft the policy proposal in such a way that XARF can be optional 
at this stage, and later on, if there is a good adoption %, in 1-2 years, move 
to mandatory?

I will send a policy proposal to update this upon getting some inputs. I guess 
Aftab will be happy to join as well, and happy to get other people on-board!

Regards,
Jordi
@jordipalet
 
 c. Example of the validation procedure.

1) APNIC initiates the validation automatically, sending TWO consecutive emails 
to each of the mailboxes.

2) These emails will be sent containing plain text only.

3) The first email will contain the URL where the validation is to be performed 
("validation.apnic.net") and may contain information about the procedure, a 
brief summary of this policy, etc.

4) The second email will contain a unique alphanumeric validation code.

5) The person in charge of each of the mailboxes must go to the URL and 
paste the code received in the second email in the form.

6) This URL must be designed in such a way that it prevents the use of an 
automated process (for example, "captcha"). In addition, it must contain a text 
that confirms that the person performing the validation understands the 
procedure and the policy, that they regularly monitor the mailboxes, that 
measures are taken to solve reported cases of abuse, and that the abuse report 
receives a response, with a "checkbox" that must be accepted in order to 
proceed.

7) The alphanumeric code will only be valid for a maximum of fifteen days.

8) If the code is not entered within that time, the system will mark the IRT as 
"temporarily invalid" and will send a reminder with another unique code and 
alert APNIC staff, so they can initiate a personalized follow-up with the LIR.

9) If no reply is received confirming that the situation has been corrected, 
after an additional period of three business days, the IRT will be permanently 
marked as "invalid".

10) Once the issue has been resolved, the validation process will be repeated 
automatically (items 1 to 7 above). If satisfactory, the IRT will be marked as 
"valid"; otherwise it will be considered in breach of the policy.
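
The code lifecycle in steps 4 to 9 of the procedure above, as an added example; it is not part of the original message and not APNIC's implementation. The 16-character code length, storing only a hash of the code, counting business days as Monday to Friday, and keeping the reminder code usable during the three-business-day period are assumptions; the captcha, checkbox and staff alert are not modelled.

```python
import hashlib, hmac, secrets, string
from dataclasses import dataclass
from datetime import datetime, timedelta

ALPHABET = string.ascii_uppercase + string.digits
CODE_TTL = timedelta(days=15)   # step 7: code valid for at most fifteen days
GRACE_BUSINESS_DAYS = 3         # step 9: additional period before "invalid"

def add_business_days(start, days):
    """Skip Saturday and Sunday; public holidays are not modelled (assumption)."""
    while days > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            days -= 1
    return start

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

@dataclass
class Contact:
    mailbox: str
    state: str = "pending"
    code_hash: str = ""
    deadline: datetime = datetime.max

    def issue_code(self, now, deadline=None):
        """Step 4: unique code from a CSPRNG; only its hash is kept (assumption)."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self.code_hash = _digest(code)
        self.deadline = deadline or now + CODE_TTL
        return code  # body of the second plain-text email

    def submit(self, code, now):
        """Step 5: code pasted into the form; constant-time compare, single use."""
        expired = self.state == "invalid" or now > self.deadline
        if expired or not hmac.compare_digest(_digest(code), self.code_hash):
            return False
        self.state, self.code_hash = "valid", ""
        return True

    def tick(self, now):
        """Steps 8-9: periodic check; returns the reminder code when one is issued."""
        if self.state == "pending" and now > self.deadline:
            self.state = "temporarily invalid"
            return self.issue_code(now, add_business_days(now, GRACE_BUSINESS_DAYS))
        if self.state == "temporarily invalid" and now > self.deadline:
            self.state, self.code_hash = "invalid", ""
        return None
```
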



