Hi Jordi,

Thanks for watching the presentation and for your comments.

Based on our recommendations, we are suggesting the following changes:

------------------------------------------------------------------------------------
Example of new validation procedure

1) APNIC initiates the validation automatically ONCE a year, sending ONE email to the 'abuse-mailbox' address. (We will consider deprecating the 'email' attribute so only one email address requires validation)
2) The email will be sent containing plain text only.
3) The email will contain the unique code required for the validation and may contain information about the procedure, a brief summary of this policy, etc.
4) The person in charge of the mailbox will be instructed to visit the APNIC website (eg. www.apnic.net/irt-validation) and paste the code received in their email. (MyAPNIC cannot be used since many abuse mailboxes are either customers of members or company staff who do not have MyAPNIC access).
5) The IRT validation page on the APNIC website will be designed in a way that it prevents the use of an automated process (for example, "CAPTCHA"). In addition, it will contain a text that confirms that the person performing the validation understands the procedure and the policy, that they regularly monitor the mailboxes, that measures are taken to solve reported cases of abuse, and that the abuse report receives a response, with a "checkbox" that must be accepted in order to proceed.
6) If the code is not entered within 15 days, the system will mark the IRT as "Invalid" in the APNIC Whois Database and an automatic reminder will be sent. If validation is still not completed after 30 days, MyAPNIC access will be restricted and APNIC staff will follow-up with the member using all contact methods available.
7) Once the validation has been resolved, the IRT will be marked as "Valid" and MyAPNIC access will be reinstated.
------------------------------------------------------------------------------------

From the Secretariat's point of view - the intention is to make minor tweaks to the existing process to simplify the validation and reduce burden that we are putting on members. Most of the changes can be made as operational procedure; however the current policy text specifies that validation occurs every 6 months, so we would need an amended proposal to change this timeframe. We want to keep this simple by using a fixed timeframe of once yearly as we are already starting to reach the goals that we have set out to achieve in this policy.

Regarding the NIRs, they have reported the following statuses:

- CNNIC is almost ready to implement
- IDNIC have implemented but still tweaking
- JPNIC is working with JPOPF on the implementation
- TWNIC and VNNIC will implement by Q1 2021

We are currently in discussion with IRINN and KRNIC about their implementation plan.

We would love to hear from the rest of the community about these changes and work together in amending this policy.

Any questions or concerns, please let us know.

Regards,

_______________________________________________________
George Odagi
Internet Resource Analyst/Policy Support, APNIC
e: god...@apnic.net
p: +61 7 3858 3188
f: +61 7 3858 3199
www.apnic.net
_______________________________________________________
Join the conversation: https://blog.apnic.net/

On 10/9/20, 5:57 pm, "sig-policy-boun...@lists.apnic.net on behalf of JORDI PALET MARTINEZ" <sig-policy-boun...@lists.apnic.net on behalf of jordi.pa...@consulintel.es> wrote:

Hi George, all,

I just looked at the presentation that you have done earlier today and have some inputs about possible ways to improve it.

1. Slides 9-10

1.1. About receiving spam

The abuse mailbox should receive *all* the emails to be able to receive abuse reports about spam. If you filter emails that contain headers from spam, then you are ruining the purpose of the abuse-c.
Clearly this could be improved, as an operational decision, by making some kind of automation, but in such a way that ensures that only real spam is dropped. Note that the other RIRs are also using (at some point), validation links via the abuse-c email.

1.2. About clicking links

I provided an example procedure in the policy proposal to avoid this. I've copied this below my signature. See points 1-5. If that procedure is followed, I think it is obvious that you will avoid this problem. I missed to ensure during the previous implementation presentations, that you are following a procedure that avoids this problem. Of course, you can even avoid needing to send the validation link if you just say in the email with the code "you need to go to your MyAPNIC account to use this code" ... Maybe also an alternative is to use email certificates from APNIC.

2. Slide 11

2.1. About the validation cycle.

In more recent versions of this policy, in other RIRs, I have included specific text so APNIC can accommodate both, the validation periods and the cycle validation. The idea is that you can do a slow start (which seems not to be needed in the case of APNIC due to the 87% validation success - congratulations!), but you can also adjust the timing depending on the staff available to escalate the validation, or to move from 6 months to 1 year once the "99%" of the contacts are valid, and if needed, for example, the contacts get bad, move again to 6 months or even 3 months to get them again on track.

2.2. Deprecating IRT.

The policy proposal included in the ADDITIONAL INFORMATION section:

"a. Since this proposal is implemented, APNIC will publish the IRT also as abuse-c, in order to facilitate the search in whois, for the same information, regardless if looking for abuse-c or IRT. This is done in order to assimilate the IRT to the majority of the RIRs where it is abuse-c."
So clearly, the idea was that we move from the IRT to abuse-c, so to align as much as possible all the 5 RIRs (in ARIN is POC, and AFRINIC is also IRT, but there is a policy proposal like this one, and in fact there are only a ridiculous fraction of IRT objects because it is not mandatory right now).

I have one question. What is the status of implementation at each NIR?

Now, regarding the points that I've commented above, I will be happy to get additional inputs and send a policy proposal in a few days.

I don't think we should do anything about 1.1.

1.2 and 2.2 should be addressed as part of the operational procedure by the staff.

We can address 2.1.

Something else?

Now, a possible idea to improve this will be move the policy to make mandatory the use of XARF "eXtended Abuse Reporting Format" (RFC5965/RFC6692). There is already open source (and commercial tools) that allow it. This will resolve the problem 1.1 above and provide much better tools to the resource-holders to avoid manual monitoring as much as possible, automate the abuse processing, etc.

Can we get some inputs about if this is perceived as interesting by the community? Maybe we can draft the policy proposal in such a way that XARF can be optional at this stage, and later on, if there is a good adoption %, in 1-2 years, move to mandatory?

I will send a policy proposal to update this upon getting some inputs. I guess Aftab will be happy to join as well, and happy to get other people on-board!

Regards,
Jordi
@jordipalet

c. Example of the validation procedure.

1) APNIC initiates the validation automatically, sending TWO consecutive emails to each of the mailboxes.
2) These emails will be sent containing plain text only.
3) The first email will contain the URL where the validation is to be performed ("validation.apnic.net") and may contain information about the procedure, a brief summary of this policy, etc.
4) The second email will contain a unique alphanumeric validation code.
5) The person in charge of each of the mailboxes must go to the URL and paste the code received in the second email in the form.
6) This URL must be designed in such a way that it prevents the use of an automated process (for example, "captcha"). In addition, it must contain a text that confirms that the person performing the validation understands the procedure and the policy, that they regularly monitor the mailboxes, that measures are taken to solve reported cases of abuse, and that the abuse report receives a response, with a "checkbox" that must be accepted in order to proceed.
7) The alphanumeric code will only be valid for a maximum of fifteen days.
8) If the code is not entered within that time, the system will mark the IRT as "temporarily invalid" and will send a reminder with another unique code and alert APNIC staff, so they can initiate a personalized follow-up with the LIR.
9) If no reply is received confirming that the situation has been corrected, after an additional period of three business days, the IRT will be permanently marked as "invalid".
10) Once the issue has been resolved, the validation process will be repeated automatically (items 1 to 7 above). If satisfactory, the IRT will be marked as "valid"; otherwise it will be considered in breach of the policy.

**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com/
The IPv6 Company

* sig-policy: APNIC SIG on resource management policy *
_______________________________________________
sig-policy mailing list
sig-policy@lists.apnic.net
https://mailman.apnic.net/mailman/listinfo/sig-policy