[arin-ppml] SWIPs & IPv6
On Mon, Dec 7, 2009 at 11:14 AM, Chris Engel <cengel at sponsordirect.com> wrote:
Publication of the address and multiple contacts provides a last
resort if all other contact info is outdated and useless; it
provides enough information to write a letter. Mailing address might
also be used for less-urgent requests, or notices, such as
ones of a legal nature.
It also allows you to follow-up an e-mail conversation with a
verifiable written record to all contacts (via certified mail),
which might be required in some circumstances.
> In the security world, the principle of "least privilege" is a well established best practice. That is, granting the minimum level of access/functionality/data in order to achieve a given task. I do not believe it is an unreasonable position to hold forth that ARIN should adhere to that best practice in regards to requirements for WHOIS.
Least privilege is not always the right answer, sometimes trying to
follow least privilege can result in an even less secure practice,
than implementing the practices people would expect.
It's not reasonable that ARIN should restrict public information
simply to pursue idealogical goals such as "least privilege"; ARIN's
best practice and core principle is good stewardship -- not least
"Least privilege" not a well-established best practice; it's a
general guiding principle.
Least privilege is not either definable nor possible to enforce, as
such it's not a practice that ANYONE actually implements.
Least privilege is impossible because we do not know a-priori what
all legitimate uses of the information are,
and we cannot know in advance the valid times when it will be called
up. Least privilege would insist
that attempting to use WHOIS on an IP would always return access
denied, until the very moment you _needed_
the information at that very moment, for a legitimate purpose.
If WHOIS followed least privilege, you would have to call ARIN, prove
you have a legitimate need to lookup that record,
by sending them logs or proof of abuse, or other documents proving
the need. After they thoroughly verified your need,
they would then tell you which WHOIS fields you can request to see,
and then, upon the request (with paperwork properly filed and
approved, fees paid, etc),
you would have 1 hour to perform a lookup that record one time
from an IP address you specified.
If it only takes you 5 minutes to lookup the record, then Least
Privilege was violated, since you were given 45 minutes you didn't
In addition, you could only request the item of contact information
you are using. If you plan to e-mail the contact, you don't get the
If you later need the phone number, you will have to prove the e-mail
contact didn't work, and start the request all over again (more fees,
wait 24 hours, etc)
Actually, wait, no, that also violates least privilege: You don't
see an e-mail address or phone number, _ever_.
ARIN provides you a web form for sending an e-mail to a contact
whose name you will not be told.
Any attempt to reveal your own name or address in the e-mail will be
censored, by blanking out that portion of the email.
If you need to call them, ARIN proxies your call to the contact,
so you never see the contact's phone number.
An operator listens in and bleeps out any attempt by either side to
reveal contact information (which could compromise their own
Also, since you don't need the privilege of hearing their real voice,
ARIN uses technology to disguise both callers' voices from each
and filters any background noise that might reveal details about
If you need to send them a physical mail, you address it to ARIN
c/o the recipient's POC handle, and ARIN forwards the text of
after removing return address, and analysing its contents to make sure
you didn't accidentally reveal your identity.
If you need to go visit them physically, you pay ARIN to send a van,
in which you are escorted blindfolded, restrained to the
address by armed guards. After you are done talking with the
contact (both of you are blindfolded for the conversation),
you are escorted back to your place of business.
These methods respect least privilege and are "best practice" in
> So let me put forth the question.... What is the legitimate NEED for publicly accessible WHOIS lookup that can be accessed anonymously and that has no gate-keeping functionality inherent to it?
The WHOIS specification has no gate-keeping functionality inherent to it.
But I expect ARIN could implement gate-keeping functionality on its
WHOIS servers, for example, by rate limiting the
amount of different records that can be viewed by a single IP address
within a certain amount of time to a "reasonable" number