[arin-ppml] SWIPs & IPv6

[michael.dillon at bt.com]

> I'm probably going to get blasted for this, but speaking on 
> the Enterprise side of things there are fairly understandable 
> reasons why Enterprise Admins might want to avoid public 
> disclosure of their contact information and why they 
> sometimes put in contact information that isn't well 
> monitored..... 

Whatever the reasons, they boil down to the fact that this
enterprise admin is not ready, willing and able to act on
communications about network operational issues. Network
Operators and ARIN should say to such admins "We don't want
your contact data. While you are ignoring the emails, who
is looking after your network? That is who we want to be
able to contact.".

It is possible to test whether or not someone is ready,
willing and able to act on communications by trying to 
contact them. An audit process, if you will. But there is
no point in doing any kind of testing or auditing and
no point in even attempting to keep the directory data
clean unless we have established the principle that we
only want contact data for those ready, willing and able
to act. And we want 100% coverage of the allocated address
space with such contacts. We don't want to chase up the
hierarchy looking for a contact, we want the directory
to give us the right contact, first time, every time. Any
hierarchical lookup needs to be automatic.

> Frankly, it's been my experience 
> that the volume and frequency of illegitimate use of this 
> information far outweighs the legitimate use of it.

That's because our design mixes up identity information
and contact information. We would like to have some identity
information for assignees, but we don't need any contact
info for them. No email addresses, no postal addresses,
no phone numbers. There is never any need for us to contact
these people. On the other hand, any organization that 
gets allocations or assignments from ARIN, needs to either
maintain a NOC staffed with someone ready, willing and
able to act on communication, or delegate that function
to some other organization for specific address blocks.
We shouldn't care who these people are, i.e. their identity
is not relevant. But we do want to know how to contact 
them. NOC email address, NOC phone number, NOC IM account,
NOC twitter account, NOC web page, NOC Facebook account, etc.

ARIN can police the top level of this, i.e. the organizations
that get resources directly from ARIN. The rest of it could
potentially be policed by an audit process that would correct
contact data by replacing inactive contacts with the contact
for the larger aggregate.

> Frankly, I'm not convinced of the utility of WHOIS 
> information in catching criminals/spammers. Being who they 
> are, those people almost never use their own systems to do 
> their dirty work and they don't generally give out legitimate 
> contact information that can be easily traced to them.... and 
> in cases where they do it's usually because they are 
> operating out of jurisdictions where it doesn't matter 
> because the local authorities won't do anything about it 
> (heck sometimes the guys doing it ARE the local authorities). 

This isn't terribly important. The bad guys leave clues
and some people find these clues to be useful in an
investigation. I think it is reasonable to request identity
info for all assignees as long as that identity is not 
sufficient to help deranged people knock on someone's door,
or competitors to get an easy customer list. Both these issues
mostly impact the small end of the scale, i.e. individual 
subscribers, and small businesses. Once you get to businesses
with multiple offices then listing XYZ Pharmaceuticals, Milwaukee
is not going to ease the way for a competitor to steal the
account.

> The real utility of accurate contact information, I think 
> comes not in dealing with people who are actually committing 
> malicious acts but rather those who may have innocently 
> misconfigured their systems or may have been compromised by 
> hackers and who's resources are being used without their knowledge.

And if you contact XYZ organization's ISP, they will have that
accurate customer contact info in their customer file, and
can take care of the problem because they are ready, willing
and able to act.

> So while maintaining accurate contact info is important, I 
> can see why their is a legitimate desire (by people who 
> aren't doing anything wrong) to have their info shielded as 
> well.

Let's say that your teenage daughter uses some VOIP or file
transfer tool that makes direct connections, thus disclosing
her IP address to the recipient. And let's say that the 
recipient is a male predator looking for vulnerable teenage
girls. He looks up the IP address, finds your name and phone 
number on it, and using other means which are readily available
he gets your home address. At 3 am the next morning, he snips
your phone line, cuts your power, breaks a window, and climbs
into your daughter's bedroom with chloroform at the ready.
You aren't doing anything wrong so there is no legitimate
reason for you to have your info shielded, is there?

Fact is that we should be asking "Who has a need to know?"
and "How much do they need to know?".

--Michael Dillon