[arin-ppml] Petition Underway - Policy Proposal 95: Customer Confidentiality - Time Sensitive

Charles O'Hern charles at office.tcsn.net
Wed Feb 3 17:35:40 EST 2010


In regards to Prop 95, it is my opinion that protecting the service
provider from the possibility of customer 'theft' is insufficient
grounds for obfuscating contact information for re-assigned IP networks.

However, I do believe that the current specification is both
insufficiently specific and overly restrictive in regards to the same
re-assignment information.

Not to pick on Mr. Hess, but his message brought up several good points
for comment.  Following those comments are my ideas on the issues with
Whois re-assignment information.

James Hess wrote: 
> _A server colocated with their local ISP_   stop. One server does not
> justify a /29,  it doesn't have to be SWIP'ed or listed in WHOIS.
>   
Quite to the contrary,  a single server chassis is perfectly capable of
justifying more than the one address that a /30 would provide.  A single
chassis is not necessarily a single host.

It's common practice for the co-location providers with which I have
experience to provide at least a /29 for each colo customer, isolated by
vlans and/or port isolation.  YMMV.
> Yes.   And part of that  "networking expertise"  includes providing
> someone to contact about abuse and other abuses.
>   
Agreed, but... (jump down)
>> tech support as and when needed, not on retainer and not
>> on-call 24x7. It is also reasonable to assume that they
>>     
> If they are not on-call 24x7,  then the contact information provided
> should be contact information that goes to a  "Voicemail service"
> when the contact is not on call.
>   
If the EU is not capable of handling inquiries about network abuse, and
they do not retain a consultant for the purpose (an expense that many if
not most small businesses can not justify) then the only consistently
available personnel who might be able to answer a query pertaining to
network abuse would be those of the ISP providing the address space and
the transit.  (note that I am assuming a subnet smaller than /24 which
can not be transit except through the re-assigning ISP.)
> It is not an issue with the registry if someone chose to provide a
> phone number capable of disrupting an  off-call admin.   Generally,
> the phone numbers used should be ones that belong to the organization,
>  that only work when an admin is available.
>
> Important networks should have someone on call 24x7.  <snipped all after>
>   
'Important' is subjective (as are my opinions of course).  Currently the
only qualifier we have in the NRPM is a quantity: "/29 or larger blocks"
mentioned in sections 4.2.2.1.2, 4.2.2.2.1, and 4.2.3.7.2.  Perhaps this
is the point to which a proposal to revise the Whois SWIP should be
directed. 

Basically Sections 4.2.2.1.2, 4.2.2.2.1 and 4.2.3.7.2 divide all network
re-assignment into two groups:  ">= /29" and "< /29".

What's becoming clear as I have read this thread and last year's original
thread on the original prop 95 is that there is a third class of
networks smaller than a /24 that should perhaps be considered.

Point 1: As, in common usage, the smallest network that can be
advertised via BGP is a /24. Traffic originating from a re-assigned
network smaller than /24 can not be transit independent of the ISP that
re-assigned the subnet.  Therefore it is certain that for networks
smaller than /24, the ISP assigning that network has (a) contact
information for the end user consistent with the needs of both providing
such service and billing for such service, and (b) power over the
routing of all data to or from the EU network.

Point 2: Due to the proliferation of (or perceived need of) internet
connectivity and presence at all levels of both business and personal
interaction, it is my perception that in some cases the technical
competence of the end user is insufficient to meet the needs of
answering queries about their network operations.

Point 3: End Users, whether residential or business, have a vested
interest in their privacy and, within reason, should have the final say
on whether their contact information is available on a global public
listing.  'Within reason,' in this case, being directly related to the
size and routing of the subnet assigned to them.

Point 4: Accounting for utilization must still be included in any
revision of sections 4.2.2.1.2, 4.2.2.2.1, 4.2.3, and any other
pertinent sections of the NRPM.

From this I propose that there be three categories for re-assignment
information.  The specific bit boundaries defining the sizes of networks
involved are mere suggestions. 

Large re-assignments, perhaps specified as "larger than /25":  Both
contact information _and_ statement of responsibility (and implied
liability) for the conduct of connections required of the End User by
the ISP for publication to the Whois database.  Basically by requesting
a network of such size the end user must agree to be the responsible
party for traffic originating from the network and for having competent
personnel, either on staff or on contract, to handle network operation
and abuse issues.  There may be a need here to forbid or restrict the
ability of the ISP to be named as contractual administrative proxy for
the EU.  Neither the data transport ISP nor the re-assigning ISP are
absolved of any other responsibilities in their respective roles.
i.e. "You (the EU) are a big part of the internet, and are responsible
and accountable for the conduct of your network in our global community."

Small re-assignments, perhaps specified as "/25 to /29":  Contact
information and network responsibility must be provided and assumed by
the ISP providing the address space and transit _unless_ the end user
requests to be the listed entity.  ISPs are required to present the
option to be listed to the EU.  If the EU is the listed entity, the EU
must also assume responsibility for the conduct of connections from
their network and for providing competent personnel to handle network
operation and abuse issues as per the section for "Large
re-assignments".  It is permissible for the ISP to require the EU to be
the listed entity.  If the EU is the listed entity, it is permissible
for the ISP to be listed as a Technical or Abuse or other secondary
contact, as long as the EU is still the Administrative contact and
responsible party.  Listing the EU as the responsible entity does not
absolve the ISP of any other responsibilities as the data transport
provider and holder of the assignment of the larger aggregate network.
i.e. "You (the EU) are welcome to belong to the larger community if you
so choose to accept the responsibility. (While you're at it subscribe to
the PPML, we bark, but rarely bite.)  If not, the global community will
deal with your ISP, who will deal with you."

Trivial re-assignments, smaller than the bottom of the 'small' range, do
not require specific listing and are covered under the general listing
for the ISP as the point of contact and responsible party for the larger
aggregate network and implied transit provider.


I submit that the specifics are probably a bit 'half-baked', and welcome
any comments.  The flames might help the crust harden.

-- 
Charles O'Hern
Network Operations
 
TCSN - The Computer Shop Netlink
1306 Pine St. Paso Robles CA 93446
1-(805) 227-7000  1-(800) 974-DISK
http://www.tcsn.net  abuse at tcsn.net






