[arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality

Tue Apr 6 17:27:51 EDT 2010

On 4/6/10 12:51 PM, Wes Young wrote:

> "ISPs may choose to enter the customer's name along with the ISP's
> address and phone number in reassignments and reallocations in lieu of
> the customer's address and phone number. The customer's actual
> information must be provided to ARIN on request and will be held in the
> strictest confidence."
> 
> Those "two lines" (at-least to me), represent sort of the "domains by
> proxy feature".
> 
> When dealing with security incidents, if the contact information is
> virtually proxy'd, then thats more time/money spent trying to get a-hold
> of someone close enough to the problem to do away with it. A single
> domain can't wipe out half of the internet, a single address (or set of
> addresses, or /29--) could. When we can't keep track of those closest to
> the situation (who care about the situation), the threat potential
> increases.

I have to respectfully disagree.  The vast majority of our customers are
small to medium sized businesses who have very little operational clue.
 Law firms, insurance agents, warehouse firms, etc.  The contacts at the
phone number or physical address of these operations can barely spell
BGP, let alone describe it.

As their ISP, we are much more likely to able to do away with any
problems that they may create than their on-premise staff.

Listing their phone number and address instead of ours results in total
confusion as their receptionist is likely to want to have someone call
you back.  And that someone is likely to be "Geek Squad" or equivalent
LAN vendor after a lengthy delay if at all.  Good luck reaching anything
other than voice mail evenings and weekends.  Considering the number of
scams going on, that receptionist is likely to be highly suspicious of a
phone call from some stranger speaking what will seem to be gibberish
about some computer security issue and asking them to disconnect
themselves from the Internet or shut off an offending host.

Calling a clueful ISP and being able to reach a NOC person with the
ability to deal with the problem when a customer gets pwn3d at 02:00
local time on a Sunday morning is going to be much more useful than
leaving a voice mail for the receptionist at the wholesale carpet
distributor whose server got hacked.

> I understand what you say about the change in allocations, maybe that
> shouldn't have been listed as a primary reason (more so than the
> obfuscation of "last mile" contact information). However, the very thing
> you're trying to protect against (eg: customer lists), is one of the
> very things security ops handlers are trying to build up and keep
> current. The public information in an unstructured and federated
> environment helps us do that. It is only two sentences, and that's
> dangerous when you're setting a standard for the backbone of the
> federated environment that is the internet.

The change is the *ability* to list the ISP's contact number and
address, not a *requirement* to do so.  For cases where the end user
customer has a security and technical staff that is willing able to deal
with these issues when they come up, said staff will probably want to
have their own contact number listed in WHOIS.  Indeed it should be.

If anything, I view this proposal as facilitating, not hindering, rapid
response to security incidents by those with the knowledge and ability
to deal with them.

Note that this proposal in my opinion is better for *technical* reasons,
without regard to any business and privacy concerns driving it.

-- 
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV