[arin-ppml] private whois record

Schiller, Heather A heather.schiller at verizon.com
Wed Aug 8 13:26:21 EDT 2012


I offer this info for historical context - to give you an overview of what's been discussed previously.  Don't let it get in your way of suggesting an alternative via: https://www.arin.net/policy/pdp_appendix_b.html  You may want to address these concerns in writing the rationale.

This has come up before.  You can look through meeting minutes, ppml & policy proposal archives for the past versions of this discussion - but so far the community has favored transparency in requiring whois records.  I think the prevailing argument has been that "companies" are inherently public - company name and address are already public record, as they are registered and searchable in state records.  Law Enforcement folks argue that having whois info published facilitates legal investigations, especially in emergencies.  In addition, the anti-spam/security community will oppose it - as they use whois information to track badness.
 
Having managed some IPs in the past - the folks who are doing really super s3kr3t stuff aren't doing it on the public internet.  Those that are doing sensitive things over the public internet have a better game plan for security than obscuring whois, and the good ones have implemented that before it gets to asking you not to swip.  The rest can get by with listing already publicly identifiable contact info - corp name, corp headquarters, etc.  No one should be relying on obscuring swip as a security practice, if you are still accepting packets.  An experienced network security auditor would have experience with swip records and would know that in the ARIN region commercial space isn't going to be marked "private".  In fact, the point could be made that marking them private is likely to raise more curiosity, especially when it's clearly not residential space.

--Heather

-----Original Message-----
From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of Chu, Yi [NTK]
Sent: Tuesday, August 07, 2012 2:08 PM
To: Kevin Kargel; 'ARIN PPML (ppml at arin.net)'
Subject: Re: [arin-ppml] private whois record

The situation is my customer (a company, not residential) had gone through a security audit.  The audit identified the whois record as a potential security risk.  What they are asking is for their whois record (inetnum, or network record) to be private.  So the assigning LIR has access to the private record, as well as ARIN, but not the general public.  This 'private' feature has been incorporated in APNIC for almost 10 years (APNIC-16, 2003 http://www.apnic.net/services/services-apnic-provides/helpdesk/faqs/privacy-of-customer-assignments---faqs).  I would like to know first if ARIN has a similar feature to accommodate my customer's request.  If not, has the topic been discussed and is there interest in pursuing it?

yi

-----Original Message-----
From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of Kevin Kargel
Sent: Tuesday, August 07, 2012 1:01 PM
To: 'ARIN PPML (ppml at arin.net)'
Subject: Re: [arin-ppml] private whois record

I see no great problem with private registration so long as there are active authoritative contacts that can actually do something should a network or abuse issue occur.  Having an abuse or NOC contact point to someone who can call someone who knows who to call is unacceptable.  We need to be able to reach a network administrator directly.

Having said that, if you are operating on the public network and wish to keep your contact information private then something just doesn't jive.  I do strongly support transparency.  If you don't want to disclose any information the solution is simple, don't transact on public networks.


Kevin


________________________________________
From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of Chu, Yi [NTK]
Sent: Tuesday, August 07, 2012 11:26 AM
To: ARIN PPML (ppml at arin.net)
Subject: [arin-ppml] private whois record

APNIC has a 'private' option for the LIR to make the non-portable assignments private.  It fulfills the LIR's registration requirements, and at the same time gives the LIR the option to address its customer's privacy concerns.  It does seem a superb idea.  I wonder if the topic has ever been raised and discussed in ARIN?

Yi Chu
IP Engineering
Sprint


________________________________________

This e-mail may contain Sprint Nextel proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.

_______________________________________________
PPML
You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-ppml
Please contact info at arin.net if you experience any issues.