[arin-ppml] Privacy expectations for large requests - food for thought

David Farmer farmer at umn.edu
Wed Apr 27 21:43:52 EDT 2011

On 4/27/11 20:07 CDT, John Curran wrote:
> On Apr 27, 2011, at 6:36 PM, William Herrin wrote:
>> Should we reconsider the transparency requirements that go in to IPv4
>> allocations and transfers? Is there a size of IPv4 consumption above
>> which an organization should not have an expectation of privacy with
>> respect to their documentation? A consumption so large that it must be
>> subject to public scrutiny in all details?
>> Offered as food for thought.
> An excellent topic...  Some thoughts for consideration:
> - The same issues apply to IPv6 as IPv4, so unless there is a
>    particular reason to solve it differently for IPv6, we should
>    look for general solutions if at all possible.
> - Removing confidentially at the time when we are nearing
>    depletion of IPv4 availability actually puts ARIN directly
>    in the path of businesses who are simply trying to continue
>    running their networks without a ready alternative. It may
>    take years for a large carrier to have solid IPv6 solutions
>    so a sudden change in available privacy for requests over a
>    certain size might be seen as imposing unavoidable terms on
>    one class of members, and changing the privacy expectations
>    for all requests might be seen as a more equitable solution.

I'll add, that this would probably require more than just an ARIN policy 
change, it would likely require global policy work too;

 From ICP2

10) Confidentiality

Information collected by a RIR in the registration process must be kept 
in strict confidence, and used for registration purposes only. It must 
be transmitted only to another RIR or IANA upon request, but will not be 
transmitted to any other party unless explicitly agreed to in writing by 
the LIR/ISP served.

RIRs may establish their own local standards and policies for 
confidentiality, providing that the basic confidentiality provisions are 

It even diverges from RFC 2050;

4.  Operational Guidelines For Registries
6.  Information provided to request address space is often considered 
sensitive by the requesting  organization.  The assigning registry must 
treat as confidential any and all information that the requesting 
organization specifically indicates as sensitive. ...

So my conclusion, confidentiality is fundamental to the registry 
process, it would be unfortunate to abandon this principle because of 
forces created by IPv4 scarcity. If we focus on what would be import for 
IPv6 going forward and then apply that to IPv4 too, maybe we can avoid 
the trap of making this only about IPv4 scarcity.

Stephen's suggestion to look at some kind of independent audit review of 
the registry functions could be promising direction to deal with this 
issue. ARIN, as almost all corporations, already has a financial 
auditor. However, given the relatively unique nature of the registry 
functions that ARIN performs it could be challenging to find an auditor 
with the proper balance of technical skills, experience, and true 
independence necessary to provide an effective independent audit of the 
registry functions.  There are probably any number of auditing firms 
that could provide the necessary independence, but not necessarily the 
technical skills or experience for truly effective oversight of the 
registry functions.

So some care would be necessary in selecting a truly effective 
independent auditor for these functions.  But, I'm relative confident 
there are organizations that could help provide an additional level of 
confidence that these functions are performed fairly and impartially.

David Farmer               Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota	
2218 University Ave SE	    Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952

More information about the ARIN-PPML mailing list