[arin-ppml] Comments on Draft Policy 2010-3: Customer Confidentiality

Wes Young wes at ren-isac.net
Tue Apr 6 16:10:53 EDT 2010


Yes. But if it's all obfuscated by the upstream ISP, we still have to  
go through the upstream to get to the downstream (unfettered access to  
"last mile" contact information is how we meant it).

Example: I have an address, I whois it and it comes back with the ISP name,  
but Verizon's contact phone number (as an example) and address. I have  
to now jump through hoops with Verizon to "get access" to their  
customer. I may be able to share that information with Verizon, I may  
not. Either way, it adds a significant cost.

Or at least that was my interpretation.

It is my understanding that the "database can be obtained" is valid;  
my question is "will that data contain the last-mile information, or  
whatever the upstream throws in there?"

My perception was "no, it will not" given the clause:

"The customer's actual information must be provided to ARIN on request  
and will be held in the strictest confidence."

given that ARIN will no longer warehouse this data (again, this is how  
*I* read it anyway). Please correct me if I'm missing something  
obvious though...

On Apr 6, 2010, at 3:58 PM, Davey, George wrote:

> I am concerned about this policy and would like further information:
>
> "unfettered access to contact information in the ARIN registry"
>
> It is my understanding the ARIN database can be obtained on a  
> periodic basis in its entirety so long as the reason can be  
> justified, the user can be verified and the usage does not allow  
> bulk queries of the data.
> Has this policy changed?
>
> I was able to obtain a copy a few years back for my spam reporting  
> software by signing several documents and proving my identity.
>
> George Davey, B.S. MCSE
> Network Administrator
> 3200 Grand Avenue
> Des Moines, IA  50312
> DESK 515.271.1544
> FAX 515.271.7063
> CELL 515.221.2500
> George.Davey at dmu.edu
> www.dmu.edu
>
> -----Original Message-----
> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net]  
> On Behalf Of Wes Young
> Sent: Tuesday, April 06, 2010 1:35 PM
> To: arin-ppml at arin.net
> Subject: [arin-ppml] Comments on Draft Policy 2010-3: Customer  
> Confidentiality
>
> On behalf of the Research and Education Networking Information  
> Sharing and Analysis Center (REN-ISAC), we submit these comments on  
> ARIN Draft Policy 2010-3: Customer Confidentiality, herein referred  
> to as "the Policy".
>
> The mission of the REN-ISAC is to aid and promote cyber security  
> operational protection and response within the higher education and  
> research (R&E) communities. The mission is conducted within the  
> context of a private community of trusted representatives at member  
> institutions, and in service to the R&E community at-large. REN-ISAC  
> serves as the R&E trusted partner for served networks, the formal U.S.
> ISAC community, and in other commercial, governmental, and private  
> security information sharing relationships.
>
> Among the activities conducted, REN-ISAC sends notifications to EDU  
> abuse contacts regarding compromised or otherwise maliciously  
> behaving machines. Hundreds of notifications are sent daily.  
> Numerous commercial, non-commercial, and governmental organizations  
> rely on REN-ISAC's performance in this role, in addition to the  
> EDUs receiving the notifications.
>
> Although the REN-ISAC develops and maintains its own contact  
> database, unfettered access to contact information in the ARIN  
> registry permits us to:
>
> + Identify new or existing institutions that have obtained or returned
> allocated IP space within our scope of concern.
>
> + Identify a technical contact at an institution.
>
> Should the Policy be implemented and adopted, it would hamper our  
> ability to execute the mission. Implications would include:
>
> + Significantly increase lead-times and human interrupts required to
> perform notifications regarding compromised and misbehaving machines.
>
> + Increase the difficulty of identifying a technical contact at the
> organization that is in the best position to deal with a cyber  
> security incident.
>
> + Add a layer of process that would either prevent or inhibit timely
> event notification.
>
> + Add to the costs of performing notifications.
>
> While we appreciate the need for a balance of privacy on the  
> Internet, we don't believe that the Internet or its users would be  
> well-served by confidential registrations at above a /x. The policy  
> would prove to be a detriment to global cyber security. Ultimately  
> it would equate to a reduced ability to deal with active criminal  
> threat.
>
> on behalf of the REN-ISAC,
> --
> Wes Young
> Principal Security Engineer
>

--
Wes
http://claimid.com/wesyoung
