[arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality
wes at ren-isac.net
Tue Apr 6 14:34:43 EDT 2010
On behalf of the Research and Education Networking Information Sharing
and Analysis Center (REN-ISAC), we submit these comments on ARIN Draft
Policy 2010-3: Customer Confidentiality, herein referred to as "the
The mission of the REN-ISAC is to aid and promote cyber security
operational protection and response within the higher education and
research (R&E) communities. The mission is conducted within the
context of a private community of trusted representatives at member
institutions, and in service to the R&E community at-large. REN-ISAC
serves as the R&E trusted partner for served networks, the formal U.S.
ISAC community, and in other commercial, governmental, and private
security information sharing relationships.
Among the activities conducted, REN-ISAC sends notifications to EDU
abuse contacts regarding compromised or otherwise maliciously behaving
machines. Hundreds of notifications are sent daily. Numerous
commercial, non-commercial, and governmental organizations rely on REN-
ISAC's performance in this role, in addition to the EDUs receiving the
Although the REN-ISAC develops and maintains its own contact database,
unfettered access to contact information in the ARIN registry permits
+ Identify new or existing institutions that have obtained or returned
allocated IP space within our scope of concern.
+ Identify a technical contact at an institution.
Should the Policy be implemented and adopted, it would hamper our
ability to execute the mission. Implications would include:
+ Significantly increase lead-times and human interrupts required to
perform notifications regarding compromised and misbehaving machines.
+ Increase the difficulty of identifying a technical contact at the
organization that is in the best position to deal with a cyber
+ Add a layer of process that would either prevent or inhibit timely
+ Add to the costs of performing notifications.
While we appreciate the need for a balance of privacy on the Internet,
we don't believe that the Internet or its users would be well-served
by confidential registrations at above a /x. The policy would prove to
be a detriment to global cyber security. Ultimately it would equate to
a reduced ability to deal with active criminal threat.
on behalf of the REN-ISAC,
Principal Security Engineer
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 195 bytes
Desc: This is a digitally signed message part
More information about the ARIN-PPML