[arin-ppml] SWIPs & IPv6

Chris Engel cengel at sponsordirect.com
Mon Dec 7 12:14:32 EST 2009

In the security world, the principle of "least privilege" is a well established best practice. That is, granting the minimum level of access/functionality/data in order to achieve a given task. I do not believe it is an unreasonable position to hold forth that ARIN should adhere to that best practice in regards to requirements for WHOIS.

So let me put forth the question.... What is the legitimate NEED for publicly accessible WHOIS lookup that can be accessed anonymously and that has no gate-keeping functionality inherent to it?

The one LEGITIMATE case that I've heard put forth is that a particular IP block is causing problems for another network by misdirecting traffic to it or directing unwanted traffic to it. The idea being that if the affected networks can look up the contact information for the IP block that is causing the problem and they can inform them of the issue so it can be resolved (assuming that the owner of the IP block is cooperative). Since the problem is ongoing, timeliness of contact is an issue and placing barriers to obtain that contact would be an unacceptable negative. I can see the legitimacy of that claim. However, in that case, can anyone tell me why you would need anything OTHER than a technical contact phone number & e-mail ???

Note that this is far less information than what is currently collected and published through SWIPS/WHOIS.

How would knowing the legal name of the block-holder help you resolve that issue?? If they've already provided you with a contact e-mail and phone number ?? How would knowing their physical street address help? Does anyone contend that sending snail mail is more TIMELY than making a phone call or sending an e-mail? I don't even see that knowing the real name of the technical contact would help...if you had their e-mail & phone #.

Furthermore, I would posit that in MANY cases it actually makes more sense for an organization to list their ISP's NOC in that contact section. The ISP may not be authorized to take action to solve the problem (outside of their function in dealing with actual abuse) but they are FAR more likely to have a help desk that is monitored 24/7/365 than most small/medium organizations. Furthermore the organization MAY be willing to provide their ISP (or other trusted agent) with an escalation and emergency contact list which might include contact information (including home & private cell phone numbers) that they would generally NOT be comfortable with publishing publicly.

Can anyone put forward a case why the general public would legitimately NEED any information beyond technical contact & e-mail? If so I would like to hear it.

The only cases I can think of where the other information would be NEEDED would be ones where timeliness was NOT an issue...or where the entity requesting the information could be pre-vetted and authorized to access such info (such as legitimate LEA's).

For instance, ARIN staff might need that other info to vet justification for IP space assignment.... but as has been pointed out to me ARIN staff already has mechanisms for collecting and using privileged private information for such purposes....why would THIS information need to be treated as PUBLIC instead of private for ARIN staff to perform such duties?

I can see where a private individual/organization might want to file suit or make a criminal complaint against a block-holder for damaging/interrupting their network. However the private individual/organization has no ENFORCEMENT authority on their own. They are already going to the courts/LEA's that do have such authority for a redress of their grievances... having the courts/LEA's order the release of that privileged information would not be out of the scope of the functions they are ALREADY seeking from it.

I can see where in exceptional circumstances LEA's might require timely access to such information.... however ALL LEA's have access to the Courts for expedited subpoenas where timeliness is an issue...and frankly it would be a very rare case (I would think) that an LEA could legitimately claim exigent circumstances for IP address info. Furthermore, denying the GENERAL PUBLIC access to ANONYMOUSLY look up such data IN NO WAY precludes legitimate LEA's from having ready access to such data, even absent subpoenas. There is no particular reason why LEA's couldn't be vetted in advance and given private access to a lookup database containing more complete info.

LEA's are (in theory at least) known entities who use such data for the legitimate pursuit of their duties. Pretty much all have data handling policies governing what they do with the data they collect associated with their duties... and (in theory at least) have mechanisms in place to hold them publicly accountable for the adherence to those policies. NONE of that holds true for an anonymous user of the general public.

In short, the only data that I see that might be REQUIRED without JUSTIFICATION is technical contact phone number & e-mail. I don't see how requiring a person that wants more than that to provide appropriate justification for it is unreasonable.

Christopher Engel
