[arin-ppml] Privacy expectations for large requests - food for thought
farmer at umn.edu
Wed Apr 27 21:43:52 EDT 2011
On 4/27/11 20:07 CDT, John Curran wrote:
> On Apr 27, 2011, at 6:36 PM, William Herrin wrote:
>> Should we reconsider the transparency requirements that go in to IPv4
>> allocations and transfers? Is there a size of IPv4 consumption above
>> which an organization should not have an expectation of privacy with
>> respect to their documentation? A consumption so large that it must be
>> subject to public scrutiny in all details?
>> Offered as food for thought.
> An excellent topic... Some thoughts for consideration:
> - The same issues apply to IPv6 as IPv4, so unless there is a
> particular reason to solve it differently for IPv6, we should
> look for general solutions if at all possible.
> - Removing confidentially at the time when we are nearing
> depletion of IPv4 availability actually puts ARIN directly
> in the path of businesses who are simply trying to continue
> running their networks without a ready alternative. It may
> take years for a large carrier to have solid IPv6 solutions
> so a sudden change in available privacy for requests over a
> certain size might be seen as imposing unavoidable terms on
> one class of members, and changing the privacy expectations
> for all requests might be seen as a more equitable solution.
I'll add, that this would probably require more than just an ARIN policy
change, it would likely require global policy work too;
Information collected by a RIR in the registration process must be kept
in strict confidence, and used for registration purposes only. It must
be transmitted only to another RIR or IANA upon request, but will not be
transmitted to any other party unless explicitly agreed to in writing by
the LIR/ISP served.
RIRs may establish their own local standards and policies for
confidentiality, providing that the basic confidentiality provisions are
It even diverges from RFC 2050;
4. Operational Guidelines For Registries
6. Information provided to request address space is often considered
sensitive by the requesting organization. The assigning registry must
treat as confidential any and all information that the requesting
organization specifically indicates as sensitive. ...
So my conclusion, confidentiality is fundamental to the registry
process, it would be unfortunate to abandon this principle because of
forces created by IPv4 scarcity. If we focus on what would be import for
IPv6 going forward and then apply that to IPv4 too, maybe we can avoid
the trap of making this only about IPv4 scarcity.
Stephen's suggestion to look at some kind of independent audit review of
the registry functions could be promising direction to deal with this
issue. ARIN, as almost all corporations, already has a financial
auditor. However, given the relatively unique nature of the registry
functions that ARIN performs it could be challenging to find an auditor
with the proper balance of technical skills, experience, and true
independence necessary to provide an effective independent audit of the
registry functions. There are probably any number of auditing firms
that could provide the necessary independence, but not necessarily the
technical skills or experience for truly effective oversight of the
So some care would be necessary in selecting a truly effective
independent auditor for these functions. But, I'm relative confident
there are organizations that could help provide an additional level of
confidence that these functions are performed fairly and impartially.
David Farmer Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
More information about the ARIN-PPML