ARIN-PPML Message

[arin-ppml] SWIPs & IPv6

On Dec 7, 2009, at 9:14 AM, Chris Engel wrote:

>
> In the security world, the principle of "least privilege" is a well  
> established best practice. That is, granting the minimum level of  
> access/functionality/data in order to achieve a given task. I do not  
> believe it is an unreasonable position to hold forth that ARIN  
> should adhere to that best practice in regards to requirements for  
> WHOIS.
>
It is.  WHOIS is not a security oriented service.

WHOIS is a public disclosure service, intended as part of an open
public records process around IP number resource policy,
distribution, etc.

It makes little more sense to apply "least privilege" to whois than it  
would to apply it to property ownership records
or other public records.

> So let me put forth the question.... What is the legitimate NEED for  
> publicly accessible WHOIS lookup that can be accessed anonymously  
> and that has no gate-keeping functionality inherent to it?
>
It doesn't necessarily have to be anonymous, but, it should be  
publicly accessible.

> The one LEGITIMATE case that I've heard put forth is that a  
> particular IP block is causing problems for another network by  
> misdirecting traffic to it or directing unwanted traffic to it. The  
> idea being that if the affected networks can look up the contact
> information for the IP block that is causing the problem and they  
> can inform them of the issue so it can be resolved (assuming that  
> the owner of the IP block is cooperative). Since the problem is  
> ongoing, timeliness of contact is an issue and placing barriers to  
> obtain that contact would be an unacceptable negative. I can see the  
> legitimacy of that claim. However, in that case, can anyone tell me  
> why you would need anything OTHER than a technical contact phone
> number & e-mail ???
>
In the event that the contact is uncooperative, the postal address  
gives you a starting point for legal service.

> Note that this is far less information than what is currently
> collected and published through SWIPS/WHOIS.
>
Um, not really... The additional data (other than the resource data  
itself) is the postal address and the
name of the person or role (both of which I think are legitimate and  
useful as well).

> How would knowing the legal name of the block-holder help you  
> resolve that issue?? If they've already provided you with a contact  
> e-mail and phone number ?? How would knowing their physical street  
> address help? Does anyone contend that sending snail mail is more  
> TIMELY than making a phone call or sending an e-mail? I don't even
> see that knowing the real name of the technical contact would  
> help...if you had their e-mail & phone #.
>
I contend that snail mail addresses are needed for the next step if
they are uncooperative, as is the legal name of the
block holder.

Further, there is a public disclosure interest in knowing who is  
holding non-trivial amounts of IP number resources.

This is one of the reasons that the database contains Technical _AND_  
Administrative contacts.  The administrative
contact is, at least theoretically, there because there are legitimate  
non-technical reasons to contact a network.
Abuse is not the only use case for WHOIS, just one of them.

> Furthermore, I would posit that in MANY cases it actually makes more  
> sense for an organization to list their ISP's NOC in that contact  
> section. The ISP may not be authorized to take action to solve the  
> problem (outside of their function in dealing with actual abuse) but  
> they are FAR more likely to have a help desk that is monitored  
> 24/7/365 than most small/medium organizations. Furthermore the
> organization MAY be willing to provide their ISP (or other trusted  
> agent) with an escalation and emergency contact list which might  
> include contact information (including home & private cell phone  
> numbers) that they would generally NOT be comfortable with  
> publishing publicly.
>
It might for the abuse use case, but, for the public disclosure  
interest, it is useful to know who actually holds the block,
not which provider.

> Can anyone put forward a case why the general public would  
> legitimately NEED any information beyond technical contact & e-mail?  
> If so I would like to hear it.
>
Because IP number resources are a public resource administered by the  
RIRs in trust for the public.


Owen