[arin-ppml] private whois record

Owen DeLong owen at delong.com
Wed Aug 8 15:25:14 EDT 2012


On Aug 8, 2012, at 11:06 , Milton L Mueller <mueller at syr.edu> wrote:

> I just love the way people present their own views as "the community's" views. Intentionally or not, it can have the effect of pre-empting discussion of things that need to be discussed, and thus needs to be identified and challenged whenever it occurs.
> 

Milton,

Heather did not present her views as the community's. She presented a summary of the conclusion of previous discussions of this topic among the community as just that... Historical context of this discussion within the ARIN region. Heather did go on to state some of her own opinions, but she did so in a new paragraph and made it pretty clear that's what she was doing. She also made it pretty clear that she was not discouraging or pre-empting discussion and even provided a link to help someone propose alternative policy, if desired.

While members of the APNIC Policy SIG may well be members of the ARIN community also, no, the APNIC Policy SIG is not part of the ARIN community in and of itself. Further, the APNIC Policy SIG is NOT the entire Asia-Pacific region or even the entirety of the region that is served by APNIC. It is merely those people that choose to participate in the policy development process within APNIC, just as PPML and ARIN PPMs are the set of people from throughout the world that choose to participate in the ARIN Policy Development Process.

Until your message, I hadn't actually looked into the details of the APNIC policy in this regard, but now that I have, here is what I found:

The only references I could find in the APNIC policy documents to "private" all referred to either private networks (those not connected to the internet) or private addresses (RFC-1918 IPv4 addresses). In the former case, it was a statement in the IPv6 policy that private networks might be eligible to receive IPv6 space from APNIC. In the latter case, it was a statement that APNIC did not manage or in any way deal with private addresses.

The only reference I could find to privacy in the APNIC policy documents was in the IPv6 policy (no equivalent in the IPv4 policy) and reads as follows:

> 3.3   Registration
> 
>       Internet address space must be registered in a registry database
>       accessible to appropriate members of the Internet community. This
>       is necessary to ensure the uniqueness of each Internet address and
>       to provide reference information for Internet troubleshooting at
>       all levels, ranging from all RIRs and IRs to end users.
> 
>       The goal of registration should be applied within the context of
>       reasonable privacy considerations and applicable laws.

I believe that the current ARIN Residential Customer Privacy policy is a more specific, less ambiguous policy which arguably implements exactly what is described in the APNIC policy and which has gained the consensus of the ARIN community.


> If I am not mistaken - or more accurately, if Chu Yi is not mistaken - APNIC already has the kind of policy or practice he is requesting. Thus, Heather, I must ask: are you saying that the entire Asia-Pacific region is not part of "the community" that has favored transparency? Keep in mind that AP is the world's most populous region with the most Internet users and that the "badness" of which you speak is global and not bounded by any region or territory.
> 

I'm honestly not sure what Chu Yi was referring to. Perhaps he will clarify. I could not find anything like what he described in the APNIC policy documents at http://www.apnic.net/community/policy/current unless that is his interpretation of section 3.3 of the IPv6 policy at APNIC. If that is his interpretation, then his interpretation differs from mine and I admit I am not sure what the APNIC staff interpretation of that policy is.

I will point out that APNIC operates in areas which have radically different societal, cultural, and legal frameworks than those in the ARIN region. As such, it is not unreasonable for their idea of "context of reasonable privacy considerations and applicable laws" to be significantly different from our current policy or even our collective decisions on any future policy in this regard.

Owen

>> -----Original Message-----
>> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
>> Behalf Of Schiller, Heather A
>> Sent: Wednesday, August 08, 2012 1:26 PM
>> To: Chu, Yi [NTK]; Kevin Kargel; 'ARIN PPML (ppml at arin.net)'
>> Subject: Re: [arin-ppml] private whois record
>> 
>> 
>> I offer this info for historical context - to give you an overview of what's been
>> discussed previously.  Don't let it get in your way of suggesting an alternative
>> via: https://www.arin.net/policy/pdp_appendix_b.html  You may want to
>> address these concerns in writing the rationale.
>> 
>> This has come up before.  You can look through meeting minutes, ppml &
>> policy proposal archives for the past versions of this discussion- but so far the
>> community has favored transparency in requiring whois records.  I think the
>> prevailing argument has been that "companies" are inherently public -
>> company name and address are already public record, as they are registered
>> and searchable in state records.  Law Enforcement folks argue that having
>> whois info published facilitates legal investigations, especially in
>> emergencies.  In addition the anti-spam/security community will oppose it -
>> as they use whois information to track badness.
>> 
>> Having managed some IP's in the past - the folks who are doing really super
>> s3kr3t stuff aren't doing it on the public internet.  Those that are doing
>> sensitive things over the public internet, have a better game plan for security
>> than obscuring whois, and the good ones have implemented that before it
>> gets to asking you not to swip.  The rest can get by with listing already publicly
>> identifiable contact info - corp name, corp headquarters, etc.  No one should
>> be relying on obscuring swip as a security practice, if you are still accepting
>> packets.  An experienced network security auditor would have experience
>> with swip records and would know that in the ARIN region commercial space
>> isn't going to be marked "private".  In fact, the point could be made that
>> marking them private is likely to raise more curiosity, especially when it's
>> clearly not residential space.
>> 
>> --Heather
>> 
>> -----Original Message-----
>> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
>> Behalf Of Chu, Yi [NTK]
>> Sent: Tuesday, August 07, 2012 2:08 PM
>> To: Kevin Kargel; 'ARIN PPML (ppml at arin.net)'
>> Subject: Re: [arin-ppml] private whois record
>> 
>> The situation is my customer (a company, not residential) had gone through a
>> security audit.  The audit identified the whois record as a potential security
>> risk.  What they are asking is for their whois  record (inetnum, or network
>> record) to be private.  So the assigning LIR has access to the private record, as
>> well as ARIN.  But not to general public.  This 'private' feature has been
>> incorporated in APNIC for almost 10 years (APNIC-16, 2003
>> http://www.apnic.net/services/services-apnic-provides/helpdesk/faqs/privacy-of-customer-assignments---faqs).  I would
>> like to know first if ARIN has a similar feature to accommodate my customer's
>> request.  If not, has the topic been discussed and if there is interest in
>> pursuing.
>> 
>> yi
>> 
>> -----Original Message-----
>> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
>> Behalf Of Kevin Kargel
>> Sent: Tuesday, August 07, 2012 1:01 PM
>> To: 'ARIN PPML (ppml at arin.net)'
>> Subject: Re: [arin-ppml] private whois record
>> 
>> I see no great problem with private registration so long as there are active
>> authoritative contacts that can actually do something should a network or
>> abuse issue occur.  Having an abuse or NOC contact point to someone who
>> can call someone who knows who to call is unacceptable.  We need to be
>> able to reach a network administrator directly.
>> 
>> Having said that, if you are operating on the public network and wish to keep
>> your contact information private then something just doesn't jive.  I do
>> strongly support transparency.  If you don't want to disclose any information
>> the solution is simple, don't transact on public networks.
>> 
>> 
>> Kevin
>> 
>> 
>> ________________________________________
>> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
>> Behalf Of Chu, Yi [NTK]
>> Sent: Tuesday, August 07, 2012 11:26 AM
>> To: ARIN PPML (ppml at arin.net)
>> Subject: [arin-ppml] private whois record
>> 
>> APNIC has a 'private' option for LIR to make the non-portable assignments
>> private.  It fulfills the LIR's registration requirements, and at the same time
>> gives LIR option to address its customer's privacy concerns.  It does seem a
>> superb idea.  I wonder if the topic has ever been raised and discussed in
>> ARIN?
>> 
>> Yi Chu
>> IP Engineering
>> Sprint
>> 
>> 
>> ________________________________________
>> 
>> This e-mail may contain Sprint Nextel proprietary information intended for
>> the sole use of the recipient(s). Any use by others is prohibited. If you are
>> not the intended recipient, please contact the sender and delete all copies of
>> the message.
>> 
>> _______________________________________________
>> PPML
>> You are receiving this message because you are subscribed to the ARIN
>> Public Policy Mailing List (ARIN-PPML at arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> http://lists.arin.net/mailman/listinfo/arin-ppml
>> Please contact info at arin.net if you experience any issues.
