[arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality

Wes Young wes at ren-isac.net
Tue Apr 6 15:51:41 EDT 2010 

On Apr 6, 2010, at 3:01 PM, Aaron Wendel wrote:

> Hi Wes,
>
> Thank you for contributing to the discussion on Draft Policy 2010-3.
>
> I've been contacted recently by several people who have expressed  
> concerns
> such as yours over this policy.  In all cases these people, such as
> yourself, seem to be unaware of the ARIN whois structure or how this  
> policy
> changes it.  There are broad assumptions being made that this would  
> do away
> with the whois information or somehow "obscure" it and make life  
> tough for
> people like yourself.  Most respondents I've talked to have said  
> that they
> need to know who ARIN has allocated IP space to.  This proposal does  
> nothing
> to change the information that ARIN provides in a public format on  
> who IPs
> are allocated to.  It does not obscure any data currently available  
> on who
> has IPs from ARIN.

"ISPs may choose to enter the customer's name along with the ISP's
address and phone number in reassignments and reallocations in lieu of
the customer's address and phone number. The customer's actual
information must be provided to ARIN on request and will be held in the
strictest confidence."

Those "two lines" (at-least to me), represent sort of the "domains by  
proxy feature".

When dealing with security incidents, if the contact information is  
virtually proxy'd, then thats more time/money spent trying to get a- 
hold of someone close enough to the problem to do away with it. A  
single domain can't wipe out half of the internet, a single address  
(or set of addresses, or /29--) could. When we can't keep track of  
those closest to the situation (who care about the situation), the  
threat potential increases.

I understand what you say about the change in allocations, maybe that  
shouldn't have been listed as a primary reason (more so than the  
obfuscation of "last mile" contact information). However, the very  
thing you're trying to protect against (eg: customer lists), is one of  
the very things security ops handlers are trying to build up and keep  
current. The public information in an unstructured and federated  
environment helps us do that. It is only two sentences, and that's  
dangerous when you're setting a standard for the backbone of the  
federated environment that is the internet.

We are enumerating those customer lists on a daily basis to help make  
the internet a safer place. By design, this policy appears to be aimed  
at taking that functionality away. What appears to do (if executed by  
the isp), is force us to call upstream' ISP's first, and assuming we  
get a response, try to enumerate to them that we aren't looking to  
cherry-pick their customers, but have legit security concerns we need  
to discuss with them (assuming they're even willing to share that  
information with us anymore, in an effort to protect their customer  
lists). Not to mention if "address" is interpreted as "e-mail address"  
too, meaning "now we must go through abuse at upstream to get at  
abuse at downstream" ? In many cases we need those addresses and phone  
numbers to reach out to the down-streams. If the upstream IPS's do  
make it easy to get in touch with the downstream, then it's easy to  
enumerate those contact lists anyway, so then what's the point?

I don't want to rat-hole this (since it is policy after all). Just  
voicing an opinion that there are some ramifications for implementing  
a two-sentence policy that shifts accountability of a resource  
virtually "upstream".

Although there are somewhat legitimate business drivers behind it, the  
costs of re-routing notifications will ultimately be placed on the  
security handlers and whoever's phone/"address" is listed on that  
allocations page. The question is, are those costs worth it or not. My  
opinion is that they aren't ("to us", generally speaking as an  
incident handler).

> Since I will be presenting the proposal at the upcoming ARIN meeting  
> I'd
> like to get a better idea of what is perpetuating these  
> misunderstandings so
> I can present in a way that is understandable to all.  As it stands,  
> the
> policy is 2 sentences and does nothing to obscure any information  
> that ARIN
> currently reports on the allocations it makes.  If you could help me
> understand what makes you think otherwise it would be a great help  
> to me.
> There is still time for me to change the wording of the policy  
> before the
> meeting in a week.


on behalf of my own opinions, =)
--
Wes
http://claimid.com/wesyoung

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20100406/99f196aa/attachment.sig>

More information about the ARIN-PPML mailing list