[arin-ppml] Clarify /29 assignment identification requirement
Jimmy Hess
mysidia at gmail.com
Thu Apr 26 20:34:00 EDT 2012
On 4/26/12, Jack Bates <jbates at brightok.net> wrote:
> I think it would be wiser to establish a structure of guidelines for
> auditing, personally. It appears ARIN also likes unfiltered configs or
> access to read unfiltered configs in routers, which provides much more
> detailed information concerning the network than the required
> justification (snmp communities, firewall rules, encrypted passwords).
[snip]
This is not really a "number resource policy" but nevertheless, there
should be internal rules about what is collected and how collected
data is handled. I can see there are potentially huge network
security risks with ARIN staff ever being provided access to read
unfiltered router configurations that contain passwords and SNMP
access details. Retaining unfiltered configs for any significant
amount of time is definitely something ARIN should not do; if ARIN
receives an unfiltered config, they should filter it immediately --
any submissions of potentially sensitive information should be
accepted only in a strongly encrypted manner, and should be kept
strongly encrypted at all times (e.g. never sent in an e-mail, and
no portion ever stored unencrypted at rest).
I am opposed to the proposal as written. It is not unreasonable
that ARIN request documentation of IP address usage down to the /32
level, as of a specific date.
The /29 cutoff pertains to the maintenance of CONTACT information in
external databases that are publicly visible.
The internal records of WHO or what person/organization/equipment
individual IPs are assigned to, and/or the documentation of
justification, must always be maintained, and made available to ARIN
when it will facilitate their auditing requirements. The record of
assignment of an IP is different from CONTACT records.
--
-JH