Hi George,

Thanks for your response!

I think it is just ok, however I've a minor disagreement.

My idea is to amend the proposal so the validation is done every 6 months and 
the timer for the initial validation is 15 days, BUT state that the secretariat 
is able to adjust both timings according to circumstances, and inform the 
community about the reasons.

This allows us, once almost 99% of the validations are ok, to decide if we need 
to make only one validation per year, but if after that validation the quality of 
the contacts is going down, the secretariat can consider making it again every 
6 or 8 months to readjust, etc. This will allow you to manage those timers, 
without amending the proposal. Do you see my point?

(this is what I've done in other regions)

Regards,
Jordi
@jordipalet

On 16/9/20 9:44, "George Odagi" <god...@apnic.net> wrote:

    Hi Jordi,

    Thanks for watching the presentation and for your comments.

    Based on our recommendations, we are suggesting the following changes:

    
------------------------------------------------------------------------------------

    Example of new validation procedure

    1) APNIC initiates the validation automatically ONCE a year, sending ONE 
email to the 'abuse-mailbox' address. 
    (We will consider deprecating the 'email' attribute so only one email 
address requires validation)

    2) The email will be sent containing plain text only.

    3) The email will contain the unique code required for the validation and 
may contain information about the procedure, a brief summary of this policy, 
etc.

    4) The person in charge of the mailbox will be instructed to visit the 
APNIC website (eg. www.apnic.net/irt-validation) and paste the code received in 
their email. (MyAPNIC cannot be used since many abuse mailboxes are either 
customers of members or company staff who do not have MyAPNIC access).

    5) The IRT validation page on the APNIC website will be designed in a way 
that it prevents the use of an automated process (for example, "CAPTCHA"). In 
addition, it will contain a text that confirms that the person performing the 
validation understands the procedure and the policy, that they regularly 
monitor the mailboxes, that measures are taken to solve reported cases of 
abuse, and that the abuse report receives a response, with a "checkbox" that 
must be accepted in order to proceed.

    6) If the code is not entered within 15 days, the system will mark the IRT 
as "Invalid" in the APNIC Whois Database and an automatic reminder will be 
sent. If validation is still not completed after 30 days, MyAPNIC access will 
be restricted and APNIC staff will follow up with the member using all contact 
methods available.

    7) Once the validation has been resolved, the IRT will be marked as "Valid" 
and MyAPNIC access will be reinstated.

    
------------------------------------------------------------------------------------

    From the Secretariat's point of view - the intention is to make minor 
tweaks to the existing process to simplify the validation and reduce the burden 
that we are putting on members. Most of the changes can be made as operational 
procedure; however the current policy text specifies that validation occurs 
every 6 months, so we would need an amended proposal to change this timeframe. 
We want to keep this simple by using a fixed timeframe of once yearly as we are 
already starting to reach the goals that we have set out to achieve in this 
policy. 

    Regarding the NIRs, they have reported the following statuses:

    - CNNIC is almost ready to implement
    - IDNIC have implemented but still tweaking
    - JPNIC is working with JPOPF on the implementation
    - TWNIC and VNNIC will implement by Q1 2021

    We are currently in discussion with IRINN and KRNIC about their 
implementation plan.

    We would love to hear from the rest of the community about these changes 
and work together in amending this policy.

    Any questions or concerns, please let us know.


    Regards,

    _______________________________________________________
    George Odagi
    Internet Resource Analyst/Policy Support, APNIC
    e: god...@apnic.net
    p: +61 7 3858 3188
    f: +61 7 3858 3199
    www.apnic.net
    _______________________________________________________
    Join the conversation:   https://blog.apnic.net/

    On 10/9/20, 5:57 pm, "sig-policy-boun...@lists.apnic.net on behalf of 
JORDI PALET MARTINEZ" <sig-policy-boun...@lists.apnic.net on behalf of 
jordi.pa...@consulintel.es> wrote:

        Hi George, all,

        I just looked at the presentation that you have done earlier today and 
have some inputs about possible ways to improve it.

        1. Slides 9-10
        1.1. About receiving spam
        The abuse mailbox should receive *all* the emails to be able to receive 
abuse reports about spam. If you filter emails that contain headers from spam, 
then you are ruining the purpose of the abuse-c. Clearly this could be 
improved, as an operational decision, by making some kind of automation, but in 
such way that ensures that only real spam is dropped. Note that the other RIRs 
are also using (at some point), validation links via the abuse-c email.

        1.2. About clicking links
        I provided an example procedure in the policy proposal to avoid this. 
I've copied this below my signature. See points 1-5. If that procedure is 
followed, I think it is obvious that you will avoid this problem. I failed to 
ensure, during the previous implementation presentations, that you are following 
a procedure that avoids this problem. Of course, you can even avoid needing to 
send the validation link if you just say in the email with the code "you need 
to go to your MyAPNIC account to use this code" ... Maybe also an alternative 
is to use email certificates from APNIC.

        2. Slide 11
        2.1. About the validation cycle.
        In more recent versions of this policy, in other RIRs, I have included 
specific text so APNIC can accommodate both, the validation periods and the 
cycle validation. The idea is that you can do a slow start (which seems not to 
be needed in the case of APNIC due to the 87% validation success - 
congratulations!), but you can also adjust the timing depending on the staff 
available for escalating the validation, or to move from 6 months to 1 year once 
the "99%" of the contacts are valid, and if needed, for example, the contacts 
get bad, move again to 6 months or even 3 months to get them again on track.

        2.2. Deprecating IRT.
        The policy proposal included in the ADDITIONAL INFORMATION section:
        "a. Since this proposal is implemented, APNIC will publish the IRT also 
as abuse-c, in order to facilitate the search in whois, for the same 
information, regardless if looking for abuse-c or IRT. This is done in order to 
assimilate the IRT to the majority of the RIRs where it is abuse-c."

        So clearly, the idea was that we move from the IRT to abuse-c, so as to 
align as much as possible all the 5 RIRs (in ARIN it is POC, and AFRINIC is also 
IRT, but there is a policy proposal like this one, and in fact there are only a 
ridiculous fraction of IRT objects because it is not mandatory right now).

        I have one question. What is the status of implementation at each 
NIR?

        Now, regarding the points that I've commented above, I will be happy to 
get additional inputs and send a policy proposal in a few days. I don't think 
we should do anything about 1.1. 1.2 and 2.2 should be addressed as part of the 
operational procedure by the staff. We can address 2.1. Something else?

        Now, a possible idea to improve this will be to move the policy to make 
mandatory the use of XARF "eXtended Abuse Reporting Format" (RFC5965/RFC6692). 
There are already open source (and commercial) tools that allow it. This will 
resolve the problem 1.1 above and provide much better tools to the 
resource-holders to avoid manual monitoring as much as possible, automate the 
abuse processing, etc.

        Can we get some inputs about if this is perceived as interesting by the 
community?

        Maybe we can draft the policy proposal in such way that XARF can be 
optional at this stage, and later on, if there is a good adoption %, in 1-2 
years, move to mandatory?

        I will send a policy proposal to update this upon getting some inputs. 
I guess Aftab will be happy to join as well, and happy to get other people 
on-board!

        Regards,
        Jordi
        @jordipalet

         c. Example of the validation procedure.

        1) APNIC initiates the validation automatically, sending TWO 
consecutive emails to each of the mailboxes.

        2) These emails will be sent containing plain text only.

        3) The first email will contain the URL where the validation is to be 
performed ("validation.apnic.net") and may contain information about the 
procedure, a brief summary of this policy, etc.

        4) The second email will contain a unique alphanumeric validation code.

        5) The person in charge of each of the mailboxes must go to the URL 
and paste the code received in the second email in the form.

        6) This URL must be designed in such a way that it prevents the use of 
an automated process (for example, "captcha"). In addition, it must contain a 
text that confirms that the person performing the validation understands the 
procedure and the policy, that they regularly monitor the mailboxes, that 
measures are taken to solve reported cases of abuse, and that the abuse report 
receives a response, with a "checkbox" that must be accepted in order to 
proceed.

        7) The alphanumeric code will only be valid for a maximum of fifteen 
days.

        8) If the code is not entered within that time, the system will mark 
the IRT as "temporarily invalid" and will send a reminder with another unique 
code and alert APNIC staff, so they can initiate a personalized follow-up with 
the LIR.

        9) If no reply is received confirming that the situation has been 
corrected, after an additional period of three business days, the IRT will be 
permanently marked as "invalid".

        10) Once the issue has been resolved, the validation process will be 
repeated automatically (items 1 to 7 above). If satisfactory, the IRT will be 
marked as "valid"; otherwise it will be considered in breach of the policy.




        **********************************************
        IPv4 is over
        Are you ready for the new Internet ?
        http://www.theipv6company.com/
        The IPv6 Company

        This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicitly authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.



        *              sig-policy:  APNIC SIG on resource management policy           *
        _______________________________________________
        sig-policy mailing list
        sig-policy@lists.apnic.net
        https://mailman.apnic.net/mailman/listinfo/sig-policy



