[arin-ppml] Draft Policy 2010-3: Customer Confidentiality

Leo Bicknell bicknell at ufp.org
Tue Feb 2 20:53:51 EST 2010 

In a message written on Tue, Feb 02, 2010 at 04:55:49PM -0700, Chris Grundemann wrote:
> Correct, I believe that whois data should be both complete and
> accurate; 2008-7 addresses the latter, here we discuss the former.

For the record, I agree that whatever information the rules say should
be in whois needs to be accurate and up to date.  I support efforts to
make it so.

I will also note, one of the issues raised by staff is that with the
current level of information there are man-years of work to verify it
all.  Turning that around, if we have less information in the database
it's likely it can be verified more often, with less staff.  I suppose
that is a bit of a linkage, the more info in the database the harder it
is to keep it all accurate.

> Ok lets get more recent, this is from RFC 2050 "Internet Registry IP
> Allocation Guidelines:"
> 
> 2.2  Submission of Reassignment Information

2.2 covers that the ISP's must provide everything you quote to ARIN.
There is no requirement expressed or implied that ARIN in turn
provide all of that information to the public.

But let's break these down step by step:

>        a)  to provide operational staff with information on who is using
>            the network number and to provide a contact in case of
>            operational/security problems,

This becomes the core of the argument.  It is quite vague.

I could argue that a record of the form "Cable Modem Customers in
Detroit", "abuse at cableco.com" on a /20 satisifies this requirement.
I could also argue that even in the case of DHCP /32 assignments
in a cable network they need to be in whois so your operation staff
knows "who is using the network number".

I don't think the text really provides any strong guidence on the
standard by which this point is met.  A number of people have proposed
standards over time, and the only one that makes any sense to me is to
list the entity that is "ready, willing, and able" to handle operational
issues.

Unfortunately even on that standard I could make arguments for and
against various folks.

So, to our discussion above.  I'd rather ISP's and End Users decide
together who is, or is not listed.  I'd then like ARIN to agressively
test and verify that someone answer the phone, reply to the e-mail, etc.
That is, the useful response indicates that the person listed is right,
rather than any arbitrary standard.

>        b)  to ensure that a provider has exhausted a majority of its
>            current CIDR allocation, thereby justifying an additional
>            allocation,

Let's look at what is required of registries when making this
determination, also from 2050:

] 3.2 Network Engineering Plans
] 
] Before a registry makes an assignment, it must examine each address
] space request in terms of the requesting organization's networking
] plans. These plans should be documented, and the following information
] should be included: 
] 
]   1. subnetting plans, including subnet masks and number of hosts on 
]      each subnet for at least one year 
]   2. a description of the network topology 
]   3. a description of the network routing plans, including the routing 
]      protocols to be used as well as any limitations.
[And more]

So from an "audit" perspective, if you wanted to independantly
reconstruct that the ISP was justified in assinging a netblown
downstream you would need this documentation.  AFAIK, there has
never been any such documentation in WHOIS, and thus there has never
been any way to perform an independant audit.

Having tried to make sense of SWIP's in whois, I don't see how a third
party, armed only with whois data, could verify justification in any
way.

>        c)  to assist in IP allocation studies.

The vaguest of vague statements.  Assist how much?  Similar to point b,
without the data you can't do full independant studies, so we're already
in the weeds with respect to IP allocation studies.  Providing an entry
that a /24 is full of cable modem customers is "assisting".  Providing
/32 information is assisting.  With no objective standard, there's no
way to know what is "required".

I honestly have no idea what to make of this requirement.

> Justification of efficient use can be handled by DP 2010-3's inclusion
> of the line: "The customer's actual information must be provided to
> ARIN on request..." For now we will ignore the increased burden this
> likely puts on ARIN staff when evaluating new requests.

ARIN already collects information under NDA from those applying for
addresses.  All the diagrams and routing plans and such referenced
in 2050 are supplied under NDA and never listed in WHOIS.

I see no reason to change that.  If ARIN wants to ask for the
customer name and address under NDA, that's fine with me.  It may
be appropriate in many cases.

> I am far from convinced that having this data in whois has any
> negative impact, other than maybe a bit of extra spam - which is an
> except-able price for the rewards of a proper whois database, IMHO.

I suggest it has a chilling effect for a number of groups of people.
It may prevent various classes of people from obtaining various
classes of services.

For instance, one of the things behind residential privacy was that
a battered woman who's moved away from her spouse should be able
to get Internet access without being listed in a public database.
Another example is that America has a long history of protecting
anonymous polticial speach, but if you have to be in a public
database to host your web site then how can you have that?

But all those aside, I think the real negative impact is on the
quality of the data.  ARIN staff provided an esimtate on simply
e-mailing every contact in the database to see if the e-mail addresses
worked, and IIRC it was 3 years!  By putting so much data into whois
we've created a gigantic mountain for a proposal like 2008-7.  Rather
than verifing all the records once a year at a reasonable cost,
staff is predicting years of work and having to hire multiple FTE's
to keep the data accurate.  We're all going to pay for that in the
form of increased fees.

The devel will be in the details, but here's the compromise I am
willing to support.  If we can remove residential users from the
database completely, and provide a formal framework for ISP's to
indicate they are the abuse/noc contact for a downstream so it's
clear in the public facing database then I can support expending
much more staff effort on verifing that e-mail addresses and phone
numbers work on a regular basis.

So yes, there will be less data in the database, but it will be orders
of magnitude more likely to be correct and verified on a regular basis.
Is there some middle ground there?

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20100202/ca870743/attachment.sig>

More information about the ARIN-PPML mailing list