[arin-ppml] Draft Policy 2010-3: Customer Confidentiality

Chris Grundemann cgrundemann at gmail.com
Tue Feb 2 18:55:49 EST 2010 

On Tue, Feb 2, 2010 at 15:49, Leo Bicknell <bicknell at ufp.org> wrote:
> In a message written on Tue, Feb 02, 2010 at 03:15:21PM -0700, Chris Grundemann wrote:
>> See policy 2008-7 (and the surrounding discussions), my first step in
>> addressing the problems, as I see them, with our current use of whois.
>>  Although I am not prepared to lay out a plan for addressing the whole
>> system in this message - you can be assured that my convictions are
>> real.
>
> 2008-7 is a bit messy due to the merged proposals, but it seems to
> me the general concepts at work there are orthogonal to the ones
> we are discussing at this instance.
>
> The recent petition and related discussion is about who should or
> should not be listed in the database.  2008-7 addresses making sure
> the info in the database stays up to date post that decision, and
> what action we take if we find it out of date.

Correct, I believe that whois data should be both complete and
accurate; 2008-7 addresses the latter, here we discuss the former.

>
>> The status quo does not necessarily (and often does not at all)
>> represent the ideal or the intended. The original intent of whois was
>> to register everyone who was able to pass traffic across the
>> Internet[1]. The required information was name, physical address,
>
> Let me quote the passage from RFC 954 for others they don't have
> to go look it up:
>
>    WHO SHOULD BE IN THE DATABASE
>
>    DCA requests that each individual with a directory on an ARPANET
>    or MILNET host, who is capable of passing traffic across the DoD
>    Internet, be registered in the NIC WHOIS Database. MILNET TAC users
>    must be registered in the database.
>
> I want to point out, at that time substantially all of the network
> was directly paid for by government contract, so the government was
> asking for full documentation of who was benefiting from the use
> of public funds.  Indeed, I believe to some degree this is required
> by Government purchasing rules (that they disclose who receives the
> funding).
>
> As a result I'm dubious this historical artifact has anything to
> do with the privately run, privately paid for network run by RIR's,
> and not the DoD that we have today.

Ok lets get more recent, this is from RFC 2050 "Internet Registry IP
Allocation Guidelines:"

2.2  Submission of Reassignment Information

   It is imperative that reassignment information be submitted in a
   prompt and efficient manner to facilitate database maintenance and
   ensure database integrity.  Therefore, assignment information must be
   submitted to the regional registry immediately upon making the
   assignment.  The following reasons necessitate transmission of the
   reassignment information:

       a)  to provide operational staff with information on who is using
           the network number and to provide a contact in case of
           operational/security problems,

       b)  to ensure that a provider has exhausted a majority of its
           current CIDR allocation, thereby justifying an additional
           allocation,

       c)  to assist in IP allocation studies.

   Procedures for submitting the reassignment information will be
   determined by each regional registry based on its unique
   requirements.

   All sub-registries (ISPs, Local registries, etc.) must register with
   their respective regional registry to receive information regarding
   reassignment guidelines.  No additional CIDR blocks will be allocated
   by the regional registry or upstream providers until approximately
   80% of all reassignment information has been submitted.

>
>> ability to make changes on the network in question though. In some
>> cases, this is an ISP but in most cases involving an end-user who is a
>> business, it is the end-user.
>
> Actually, in many cases it is both.  When Grandma's PC is infected
> with a virus and made part of a botnet there are multiple solutions.
> Calling Grandma and explaining the situation and having her fix her
> machine might work.  Calling her ISP, and having them disconnect
> her box, or put it in a quaranteen VLAN and then working with her
> might work as well.
>
> What I advocate is that the RIR's allow the users and ISP's to
> choose.  If Grandma buys from Joes Bait and Internet on the $1.99
> a month budget plan, he may list her and not even pick up the phone.
> If she buys PlatinumCo's $499 a month hyperpeed premium Internet
> they may send her the PC, manage it remotely for her, and guarantee
> it to be virus free.  They may want to list themselves as the right
> contact.

A very nice corner-case. I will assume that Grandma has a /29 (or
larger) and cede that there must be a SWIP and that the proper
technical/abuse contact is in fact PlatinumCo. A similar scenario
might be if Grandma buys from Joes B&E and then hires ManageCo to
install and maintain her PC/Network - in this case ManageCO is very
likely the proper technical/abuse contact and I agree that Grandma
should be free to designate them as such. I also don't think that
current policy precludes this - maybe I missed the part that says
every POC must be Grandma (or even in her direct employ; contractors,
etc are often made POCs I assume).

There is of course more than one reason to list end-users in whois, my
primary concern (and the one that I have raised so far) is with valid
technical and abuse contacts. The other two raised in RFC 2050 above
are; justification of efficient use and research data. The second and
third apply more directly in your scenario.

Justification of efficient use can be handled by DP 2010-3's inclusion
of the line: "The customer's actual information must be provided to
ARIN on request..." For now we will ignore the increased burden this
likely puts on ARIN staff when evaluating new requests.

Access to information for IP allocation (and other similar) studies is
not well served by private data however. It is in the best interest of
the Internet for it to be studied and I think that we should
facilitate that whenever possible.

>
> I don't understand how Stewardship requires us to pick one business
> model over the over.

We should not pick one business model over another, we should write
clear policy that avoids impinging upon any responsible model.

Asking for a valid POC at the entity controlling a network does
nothing to establish or impede anyone's business model, with the
possible exception of those bad actors who have cause to remain
unknown (namely so they can jump from block to block causing
mischief).

Recording general customer data in whois does not stop either of the
models you suggested above from operating either.

I am far from convinced that having this data in whois has any
negative impact, other than maybe a bit of extra spam - which is an
except-able price for the rewards of a proper whois database, IMHO.

~Chris

>
> --
>       Leo Bicknell - bicknell at ufp.org - CCIE 3440
>        PGP keys at http://www.ufp.org/~bicknell/
>
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.
>

-- 
@ChrisGrundemann
weblog.chrisgrundemann.com
www.burningwiththebush.com
www.coisoc.org

More information about the ARIN-PPML mailing list