[ppml] Last Call for Comment: Policy Proposal 2003-3

[Michael.Dillon at radianz.com]

>and, nothing
>that prevents the ISP from "making up" residential customers to chew
>up space to justify more allocations.

ARIN policies don't prevent anything. For that matter, neither do laws.
We needed a way to document what behavior is acceptable to the community
in relation to the management of IP addresses. The community of people
with an interest in this area, created ARIN and its policies to
document an orderly and fair process for managing the IP address space
in North America. We have no special powers that allow us to use force
or to prevent people from misbehaving.

>Hiding the data this way prevents ARIN from being able to do it's job
>and creates an invitation to abuse-friendly providers to do a land-grab
>of vast amounts of abuse-friendly space scattered far and wide throughout
>the IP space.

This is utterly ridiculous.

Let's take a real world example, namely my company. We assign blocks as
large as /22 to customers. As you know, I believe that we should have the
right to not publish any customer information unless the customer contact
is ready, willing and able to act upon abuse complaints. In our case, we
would not ask any of our customers to do this and would, in fact, remove
the entire set of customer assignment information from our rwhois database
so that all queries would return our company name. We don't ever want
anybody to contact our customers directly.

At the same time, we have signed an NDA with ARIN and provide them with
lots of sensitive and confidential information about our customers and
our network topology to justify our rather large IP address allocations.

As you can see the two issues are disjoint. We want to hide data from the
public and already do hide a lot by providing minimal information in
rwhois. But we do not hide information from ARIN and bend over backwards
to facilitate them in doing their job. 

Today, it is easy for network abusers to hide themselves in the mass
of useless, inacurate SWIP data. The solution is not to create huge
bureaucracies with stiff and complex publishing requirements. I believe
we are better off if we simplify. Get rid of all the data currently
in whois. Require the organizations with direct allocations from ARIN
to publish contact information. Offer other organizations the option
to also publish their own contact information if their upstream
agrees to offload abuse issues to that organization. A simple policy
with clear and unambiguous delegation of responsibility will remove
the hiding places for spammers and their ilk.

--Michael Dillon