[arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality

Tue Apr 6 16:10:41 EDT 2010

> -----Original Message-----
> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
> Behalf Of Aaron Wendel
> Sent: Tuesday, April 06, 2010 12:02 PM
> To: 'Wes Young'
> Cc: ppml at arin.net
> Subject: Re: [arin-ppml] Comments on Draft Policy 2010-3: Customer
> Confidentiality
> 
> Hi Wes,
> 
> Thank you for contributing to the discussion on Draft Policy 2010-3.
> 
> I've been contacted recently by several people who have expressed
> concerns
> such as yours over this policy.  In all cases these people, such as
> yourself, seem to be unaware of the ARIN whois structure or how this
> policy
> changes it.  There are broad assumptions being made that this would do
> away
> with the whois information or somehow "obscure" it and make life tough
> for
> people like yourself.  Most respondents I've talked to have said that
> they
> need to know who ARIN has allocated IP space to.  This proposal does
> nothing
> to change the information that ARIN provides in a public format on who
> IPs
> are allocated to.  It does not obscure any data currently available on
> who
> has IPs from ARIN.

If I understand this argument correctly, Policy Proposal 2010-3 is a request for a policy change that will result in no actual, operational change. If that's the case, why do we need the policy change?

> 
> Since I will be presenting the proposal at the upcoming ARIN meeting
> I'd
> like to get a better idea of what is perpetuating these
> misunderstandings so
> I can present in a way that is understandable to all.  As it stands,
> the
> policy is 2 sentences and does nothing to obscure any information that
> ARIN
> currently reports on the allocations it makes.  If you could help me
> understand what makes you think otherwise it would be a great help to
> me.
> There is still time for me to change the wording of the policy before
> the
> meeting in a week.
> 
> Any help is appreciated.  Thanks for your time.
> 
> Aaron
> 
> 
> 
> -----Original Message-----
> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
> Behalf Of Wes Young
> Sent: Tuesday, April 06, 2010 1:35 PM
> To: arin-ppml at arin.net
> Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer
> Confidentiality
> 
> On behalf of the Research and Education Networking Information Sharing
> and
> Analysis Center (REN-ISAC), we submit these comments on ARIN Draft
> Policy
> 2010-3: Customer Confidentiality, herein referred to as "the Policy".
> 
> The mission of the REN-ISAC is to aid and promote cyber security
> operational
> protection and response within the higher education and research (R&E)
> communities. The mission is conducted within the context of a private
> community of trusted representatives at member institutions, and in
> service
> to the R&E community at-large. REN-ISAC serves as the R&E trusted
> partner
> for served networks, the formal U.S.
> ISAC community, and in other commercial, governmental, and private
> security
> information sharing relationships.
> 
> Among the activities conducted, REN-ISAC sends notifications to EDU
> abuse
> contacts regarding compromised or otherwise maliciously behaving
> machines.
> Hundreds of notifications are sent daily. Numerous commercial,
> non-commercial, and governmental organizations rely on REN- ISAC's
> performance in this role, in addition to the EDUs receiving the
> notifications.
> 
> Although the REN-ISAC develops and maintains its own contact database,
> unfettered access to contact information in the ARIN registry permits
> us to:
> 
> + Identify new or existing institutions that have obtained or returned
> allocated IP space within our scope of concern.
> 
> + Identify a technical contact at an institution.
> 
> Should the Policy be implemented and adopted, it would hamper our
> ability to
> execute the mission. Implications would include:
> 
> + Significantly increase lead-times and human interrupts required to
> perform notifications regarding compromised and misbehaving machines.
> 
> + Increase the difficulty of identifying a technical contact at the
> organization that is in the best position to deal with a cyber security
> incident.
> 
> + Add a layer of process that would either prevent or inhibit timely
> event notification.
> 
> + Add to the costs of performing notifications.
> 
> While we appreciate the need for a balance of privacy on the Internet,
> we
> don't believe that the Internet or its users would be well-served by
> confidential registrations at above a /x. The policy would prove to be
> a
> detriment to global cyber security. Ultimately it would equate to a
> reduced
> ability to deal with active criminal threat.
> 
> on behalf of the REN-ISAC,
> --
> Wes Young
> Principal Security Engineer
> 
> 
> No virus found in this incoming message.
> Checked by AVG - www.avg.com
> Version: 9.0.800 / Virus Database: 271.1.1/2792 - Release Date:
> 04/06/10
> 01:32:00
> 
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.