[ppml] /29 limit for ARIN SWIP whois

[michael.dillon at bt.com]

> One problem is that bad actors often have dozens of /29s and 
> /28s at many different hosting providers, many of them not as 
> on the ball as servervault.
> 
> Being able to identify all those as "the same entity" leads 
> to entirely different approachs to mitigation than simply 
> blaming each provider for the malign traffic. Ones that the 
> providers are likely to prefer.

Yes. It leads the bad actors to registering each bit of their
infrastructure under a different fake name or DBA. This is 
a game of technical one-upmanship that the bad actors have
proven to be expert at winning.

The smart approach is to attack them where and when they
least expect it.

For instance, suppose we no longer publish any whois info
at all for people who have reassigned addresses. None at
all. This lulls the bad actors into a false sense of 
security and then, when they are not expecting it, the
law pounces on them and uses the reasonably accurate 
records of their 20 hosting providers as evidence in 
a court of law. We replace the technical attack vector
with a legal one. After all these bad actors are not
just network undesirables, they are LAWBREAKERS and the
system, outside of ARIN, already has processes to deal
with lawbreakers.

A smart bad actor already knows all of this and he
prefers that ARIN require ISPs to publish detailled
whois info so that he can cover his tracks and let
the unskilled bad actors, many of whom are customers
of his "bad actor toolkits" to take the heat. 

I believe that society, and law enforcement agencies,
would be better served by getting rid of most whois 
information. Only organizations with a direct, contractual,
relationship with ARIN would be in the whois directory.
ISPs with an ARIN allocation would be forced to either
bear the costs of managing abuse reports for their
customer base, or publish their own whois directory
if they so wish.

--Michael Dillon