[arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality

Davey, George george at dmu.edu
Tue Apr 6 15:58:07 EDT 2010 

I am concerned about this policy and would like further information:

"unfettered access to contact information in the ARIN registry"

It is my understanding the ARIN database can be obtained on a periodic basis in its entirety so long as the reason can be justified, the user can be verified  and the usage does not allow bulk queries of the data.
Has this policy changed?

I was able to obtain a copy a few years back for my spam reporting software by signing several documents and proving my identity.







 
George Davey, B.S. MCSE
Network Administrator
3200 Grand Avenue
Des Moines, IA  50312
DESK 515.271.1544
FAX 515.271.7063
CELL 515.221.2500
George.Davey at dmu.edu
www.dmu.edu



-----Original Message-----
From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of Wes Young
Sent: Tuesday, April 06, 2010 1:35 PM
To: arin-ppml at arin.net
Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality

On behalf of the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), we submit these comments on ARIN Draft Policy 2010-3: Customer Confidentiality, herein referred to as "the Policy".

The mission of the REN-ISAC is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted partner for served networks, the formal U.S.  
ISAC community, and in other commercial, governmental, and private security information sharing relationships.

Among the activities conducted, REN-ISAC sends notifications to EDU abuse contacts regarding compromised or otherwise maliciously behaving machines. Hundreds of notifications are sent daily. Numerous commercial, non-commercial, and governmental organizations rely on REN- ISAC's performance in this role, in addition to the EDUs receiving the notifications.

Although the REN-ISAC develops and maintains its own contact database, unfettered access to contact information in the ARIN registry permits us to:

+ Identify new or existing institutions that have obtained or returned
allocated IP space within our scope of concern.

+ Identify a technical contact at an institution.

Should the Policy be implemented and adopted, it would hamper our ability to execute the mission. Implications would include:

+ Significantly increase lead-times and human interrupts required to
perform notifications regarding compromised and misbehaving machines.

+ Increase the difficulty of identifying a technical contact at the
organization that is in the best position to deal with a cyber security incident.

+ Add a layer of process that would either prevent or inhibit timely
event notification.

+ Add to the costs of performing notifications.

While we appreciate the need for a balance of privacy on the Internet, we don't believe that the Internet or its users would be well-served by confidential registrations at above a /x. The policy would prove to be a detriment to global cyber security. Ultimately it would equate to a reduced ability to deal with active criminal threat.

on behalf of the REN-ISAC,
--
Wes Young
Principal Security Engineer

More information about the ARIN-PPML mailing list