[arin-ppml] private whois record

Chu, Yi [NTK] Yi.Chu at sprint.com
Wed Aug 8 16:32:06 EDT 2012


Owen:
Under myapnic portal for inetnum, there are 'private' and 'public' buttons that you can click.  If you click 'private', what it amounts to is you have an inetnum registered with apnic, but the record is not visible in the public whois.

The policy was discussed and adopted in apnic-16 (2003).  See the url for the discussion in apnic-16 http://archive.apnic.net/meetings/16/programme/transcripts/database-sig.txt and the presentation Paul Wilson presented http://archive.apnic.net/meetings/16/programme/sigs/docs/db/db-pres-wilson-privacy.pdf.  The policy number is prop-007-v001<http://archive.apnic.net/policy/proposals/prop-007-v001.html>

I do greatly appreciate Heather's summary.  I am still going through the mailing list archives for both ARIN and APNIC around 2003 to understand the dichotomy of the two communities' views on the topic.

yi




From: Owen DeLong [mailto:owen at delong.com]
Sent: Wednesday, August 08, 2012 3:25 PM
To: Milton L Mueller
Cc: Chu, Yi [NTK]; 'ARIN PPML (ppml at arin.net)'
Subject: Re: [arin-ppml] private whois record


On Aug 8, 2012, at 11:06 , Milton L Mueller <mueller at syr.edu<mailto:mueller at syr.edu>> wrote:


I just love the way people present their own views as "the community's" views. Intentionally or not, it can have the effect of pre-empting discussion of things that need to be discussed, and thus needs to be identified and challenged whenever it occurs.

Milton,

Heather did not present her views as the community's. She presented a summary of the conclusion of previous discussions of this topic among the community as just that... Historical context of this discussion within the ARIN region. Heather did go on to state some of her own opinions, but she did so in a new paragraph and made it pretty clear that's what she was doing. She also made it pretty clear that she was not discouraging or pre-empting discussion and even provided a link to help someone propose alternative policy, if desired.

While members of the APNIC Policy SIG may well be members of the ARIN community also, no, the APNIC Policy SIG is not part of the ARIN community in and of itself. Further, the APNIC Policy SIG is NOT the entire Asia-Pacific region or even the entirety of the region that is served by APNIC. It is merely those people that choose to participate in the policy development process within APNIC, just as PPML and ARIN PPMs are the set of people from throughout the world that choose to participate in the ARIN Policy Development Process.

Until your message, I hadn't actually looked into the details of the APNIC policy in this regard, but now that I have, here is what I found:

The only references I could find in the APNIC policy documents to "private" all referred to either private networks (those not connected to the internet) or private addresses (RFC-1918 IPv4 addresses). In the former case, it was a statement in the IPv6 policy that private networks might be eligible to receive IPv6 space from APNIC. In the latter case, it was a statement that APNIC did not manage or in any way deal with private addresses.

The only reference I could find to privacy in the APNIC policy documents was in the IPv6 policy (no equivalent in the IPv4 policy) and reads as follows:

3.3   Registration

      Internet address space must be registered in a registry database
      accessible to appropriate members of the Internet community. This
      is necessary to ensure the uniqueness of each Internet address and
      to provide reference information for Internet troubleshooting at
      all levels, ranging from all RIRs and IRs to end users.

      The goal of registration should be applied within the context of
      reasonable privacy considerations and applicable laws.

I believe that the current ARIN Residential Customer Privacy policy is a more specific, less ambiguous policy which arguably implements exactly what is described in the APNIC policy and which has gained the consensus of the ARIN community.


If I am not mistaken - or more accurately, if Chu Yi is not mistaken - APNIC already has the kind of policy or practice he is requesting. Thus, Heather, I must ask: are you saying that the entire Asia-Pacific region is not part of "the community" that has favored transparency? Keep in mind that AP is the world's most populous region with the most Internet users and that the "badness" of which you speak is global and not bounded by any region or territory.

I'm honestly not sure what Chu Yi was referring to. Perhaps he will clarify. I could not find anything like what he described in the APNIC policy documents at http://www.apnic.net/community/policy/current unless that is his interpretation of section 3.3 of the IPv6 policy at APNIC. If that is his interpretation, then his interpretation differs from mine and I admit I am not sure what the APNIC staff interpretation of that policy is.

I will point out that APNIC operates in areas which have radically different societal, cultural, and legal frameworks than those in the ARIN region. As such, it is not unreasonable for their idea of "context of reasonable privacy considerations and applicable laws" to be significantly different from our current policy or even our collective decisions on any future policy in this regard.

Owen


-----Original Message-----
From: arin-ppml-bounces at arin.net<mailto:arin-ppml-bounces at arin.net> [mailto:arin-ppml-bounces at arin.net<mailto:ppml-bounces at arin.net>] On
Behalf Of Schiller, Heather A
Sent: Wednesday, August 08, 2012 1:26 PM
To: Chu, Yi [NTK]; Kevin Kargel; 'ARIN PPML (ppml at arin.net<mailto:ppml at arin.net>)'
Subject: Re: [arin-ppml] private whois record


I offer this info for historical context - to give you an overview of what's been
discussed previously.  Don't let it get in your way of suggesting an alternative
via: https://www.arin.net/policy/pdp_appendix_b.html  You may want to
address these concerns in writing the rationale.

This has come up before.  You can look through meeting minutes, ppml &
policy proposal archives for the past versions of this discussion- but so far the
community has favored transparency in requiring whois records.  I think the
prevailing argument has been that "companies" are inherently public -
company name and address are already public record, as they are registered
and searchable in state records.  Law Enforcement folks argue that having
whois info published facilitates legal investigations, especially in
emergencies.  In addition the anti-spam/security community will oppose it -
as they use whois information to track badness.

Having managed some IP's in the past - the folks who are doing really super
s3kr3t stuff aren't doing it on the public internet.  Those that are doing
sensitive things over the public internet, have a better game plan for security
than obscuring whois, and the good ones have implemented that before it
gets to asking you not to swip.  The rest can get by with listing already publicly
identifiable contact info - corp name, corp headquarters, etc.  No one should
be relying on obscuring swip as a security practice, if you are still accepting
packets.  An experienced network security auditor would have experience
with swip records and would know that in the ARIN region commercial space
isn't going to be marked "private".  In fact, the point could be made that
marking them private is likely to raise more curiosity, especially when its
clearly not residential space.

--Heather

-----Original Message-----
From: arin-ppml-bounces at arin.net<mailto:arin-ppml-bounces at arin.net> [mailto:arin-ppml-bounces at arin.net<mailto:ppml-bounces at arin.net>] On
Behalf Of Chu, Yi [NTK]
Sent: Tuesday, August 07, 2012 2:08 PM
To: Kevin Kargel; 'ARIN PPML (ppml at arin.net<mailto:ppml at arin.net>)'
Subject: Re: [arin-ppml] private whois record

The situation is my customer (a company, not residential) had gone through a
security audit.  The audit identified the whois record as a potential security
risk.  What they are asking is for their whois  record (inetnum, or network
record) to be private.  So the assigning LIR has access to the private record, as
well as ARIN.  But not to general public.  This 'private' feature has been
incorporated in APNIC for almost 10 years (APNIC-16, 2003
http://www.apnic.net/services/services-apnic-
provides/helpdesk/faqs/privacy-of-customer-assignments---faqs) .   I would
like to know first if ARIN has a similar feature to accommodate my customer's
request.  If not, has the topic been discussed and if there is interest in
pursuing.

yi

-----Original Message-----
From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
Behalf Of Kevin Kargel
Sent: Tuesday, August 07, 2012 1:01 PM
To: 'ARIN PPML (ppml at arin.net)'
Subject: Re: [arin-ppml] private whois record

I see no great problem with private registration so long as there are active
authoritative contacts that can actually do something should a network or
abuse issue occur.  Having an abuse or NOC contact point to someone who
can call someone who knows who to call is unacceptable.  We need to be
able to reach a network administrator directly.

Having said that, if you are operating on the public network and wish to keep
your contact information private then something just doesn't jive.  I do
strongly support transparency.  If you don't want to disclose any information
the solution is simple, don't transact on public networks.


Kevin


________________________________________
From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
Behalf Of Chu, Yi [NTK]
Sent: Tuesday, August 07, 2012 11:26 AM
To: ARIN PPML (ppml at arin.net)
Subject: [arin-ppml] private whois record

APNIC has a 'private' option for LIR to make the non-portable assignments
private.  It fulfills the LIR's registration requirements, and at the same time
gives LIR option to address its customer's privacy concerns.  It does seem a
superb idea.  I wonder if the topic has ever been raised and discussed in
ARIN?

Yi Chu
IP Engineering
Sprint


________________________________________

This e-mail may contain Sprint Nextel proprietary information intended for
the sole use of the recipient(s). Any use by others is prohibited. If you are
not the intended recipient, please contact the sender and delete all copies of
the message.

________________________________

This e-mail may contain Sprint Nextel proprietary information intended for
the sole use of the recipient(s). Any use by others is prohibited. If you are
not the intended recipient, please contact the sender and delete all copies of
the message.

_______________________________________________
PPML
You are receiving this message because you are subscribed to the ARIN
Public Policy Mailing List (ARIN-PPML at arin.net<mailto:ARIN-PPML at arin.net>).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-ppml
Please contact info at arin.net<mailto:info at arin.net> if you experience any issues.
_______________________________________________
PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-PPML at arin.net<mailto:ARIN-PPML at arin.net>).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-ppml
Please contact info at arin.net<mailto:info at arin.net> if you experience any issues.
_______________________________________________
PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-PPML at arin.net<mailto:ARIN-PPML at arin.net>).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-ppml
Please contact info at arin.net<mailto:info at arin.net> if you experience any issues.


________________________________

This e-mail may contain Sprint Nextel proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20120808/d680882c/attachment.html>


More information about the ARIN-PPML mailing list