[arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality

Aaron Wendel aaron at wholesaleinternet.net
Tue Apr 6 15:01:36 EDT 2010


Hi Wes,

Thank you for contributing to the discussion on Draft Policy 2010-3.  

I've been contacted recently by several people who have expressed concerns
such as yours over this policy.  In all cases these people, such as
yourself, seem to be unaware of the ARIN whois structure or how this policy
changes it.  There are broad assumptions being made that this would do away
with the whois information or somehow "obscure" it and make life tough for
people like yourself.  Most respondents I've talked to have said that they
need to know who ARIN has allocated IP space to.  This proposal does nothing
to change the information that ARIN provides in a public format on who IPs
are allocated to.  It does not obscure any data currently available on who
has IPs from ARIN.

Since I will be presenting the proposal at the upcoming ARIN meeting I'd
like to get a better idea of what is perpetuating these misunderstandings so
I can present in a way that is understandable to all.  As it stands, the
policy is 2 sentences and does nothing to obscure any information that ARIN
currently reports on the allocations it makes.  If you could help me
understand what makes you think otherwise it would be a great help to me.
There is still time for me to change the wording of the policy before the
meeting in a week.

Any help is appreciated.  Thanks for your time.

Aaron



-----Original Message-----
From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
Behalf Of Wes Young
Sent: Tuesday, April 06, 2010 1:35 PM
To: arin-ppml at arin.net
Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer
Confidentiality

On behalf of the Research and Education Networking Information Sharing and
Analysis Center (REN-ISAC), we submit these comments on ARIN Draft Policy
2010-3: Customer Confidentiality, herein referred to as "the Policy".

The mission of the REN-ISAC is to aid and promote cyber security operational
protection and response within the higher education and research (R&E)
communities. The mission is conducted within the context of a private
community of trusted representatives at member institutions, and in service
to the R&E community at-large. REN-ISAC serves as the R&E trusted partner
for served networks, the formal U.S. ISAC community, and in other commercial,
governmental, and private security information sharing relationships.

Among the activities conducted, REN-ISAC sends notifications to EDU abuse
contacts regarding compromised or otherwise maliciously behaving machines.
Hundreds of notifications are sent daily. Numerous commercial,
non-commercial, and governmental organizations rely on REN-ISAC's
performance in this role, in addition to the EDUs receiving the
notifications.

Although the REN-ISAC develops and maintains its own contact database,
unfettered access to contact information in the ARIN registry permits us to:

+ Identify new or existing institutions that have obtained or returned
allocated IP space within our scope of concern.

+ Identify a technical contact at an institution.

Should the Policy be implemented and adopted, it would hamper our ability to
execute the mission. Implications would include:

+ Significantly increase lead-times and human interrupts required to
perform notifications regarding compromised and misbehaving machines.

+ Increase the difficulty of identifying a technical contact at the
organization that is in the best position to deal with a cyber security
incident.

+ Add a layer of process that would either prevent or inhibit timely
event notification.

+ Add to the costs of performing notifications.

While we appreciate the need for a balance of privacy on the Internet, we
don't believe that the Internet or its users would be well-served by
confidential registrations at above a /x. The policy would prove to be a
detriment to global cyber security. Ultimately it would equate to a reduced
ability to deal with active criminal threat.

on behalf of the REN-ISAC,
--
Wes Young
Principal Security Engineer

