[arin-ppml] Comments on Draft Policy 2010-3

[Chris Engel]

As a corporate end user of IP Address space, I appreciate the sentiments for Customer Confidentiality both on the part of protecting the IP's interests (in protecting it's customer lists) and on the part the organization holding the address space in maintaining some level of privacy. However, I think the draft probably is deficient in it's current form.

There have been many arguements put forward as to why having that information availble is useful for legitimate purposes. However said information is just as useful for illegitimate or malicious use.

Yes, the information can be used by white-hats to help profile networks where malicious attacks are being launched from..... but the very same information can be used by black-hats to profile a target organization for attack. It has been pointed out to me previously that such use would be a violation of WHOIS acceptable use policy....but I have yet to hear or see a single actual example of enforcement of that policy upon a violator...can anyone point me toward one? Nor do I see how, under current usage (anonymous lookup for anyone) such a policy COULD practicaly be enforced.

As some-one who has had a small bit of experience in IT security (I don't claim to be an expert by any stretch of the imagination).... I do know one basic truism... A policy that cannot be or is not practicaly enforced may as well not exist... except, perhaps, as a fig leaf for an organizations lawyers.

Ultimately, I would like to see a system whereby the holder (not ISP) of an IP address block can designate a responsible AGENT.... Any Agent (could be the ISP or not) to ACT as a point of contact for ALL WHOIS information (including Name).

I think you'd actualy see better results in terms of voluntary compliance with providing information...as well as responsiveness to technical issues... if this option existed for organizations.

It's NOT an unreasonable request for an address holder to want to designate some-one to act as a Gatekeeper for thier information... to require a requester of said information to at least divulge WHO they are and WHY they legitimately want the information in return for recieving said information. Allowing an agent to act as Gatekeeper CAN achieve that. Many organizations may not care or bother with that...but some legitimately will.

I think in practical terms you MAY see better responsiveness among contacts if you allow for this. Essentialy if you call my organizations publicaly listed number for an urgent technical matter on 2:00 AM on a Saturday...you won't get ANY response until 9:00 AM on Monday. I'm not going to list my cell phone numbers or any of the ones belonging to people who work for me on a public registry so that some guy can wake me up in the middle of the night to try to sell me hosting space in Hong Kong...and I expect many small organizations (without 24/7/365 NOC's) won't either. However, I'm perfectly willing to provide such emergency contact info along with an escalation list to a responsible Agent who can act intelligently to verify the identity of the entity requesting such information and justify the legitimate NEED for it, BEFORE handing it out.

For other purposes...it's not like you wouldn't be able to find out which address block a particular IP address belonged to for the purposes of filtering the block.... and for malicious organizations that were seeking to shield thier identities in order escape from legal consequences (like they'd list thier legitimate contact info in WHOIS anyway)....you STILL have a listed entity to point your lawyers at...the Agent (if they won't cough up the info when requested)....and you could probably claim the cost and delay in obtaining the correct information as part of your damages.... so where is the problem?




Christopher Engel