[arin-ppml] ARIN-prop-180 ISP Private Reassignment - intent to revise

Chu, Yi [NTK] Yi.Chu at sprint.com
Thu Aug 16 11:34:06 EDT 2012


See inline.

yi

-----Original Message-----
From: David Farmer [mailto:farmer at umn.edu]
Sent: Thursday, August 16, 2012 1:16 AM
To: Chu, Yi [NTK]
Cc: ppml at arin.net; David Farmer
Subject: Re: [arin-ppml] ARIN-prop-180 ISP Private Reassignment - intent to revise



On 8/15/12 20:06 CDT, Chu, Yi [NTK] wrote:
> All:
> After reviewing the feedback and discussions, I intend to modify prop-180 as follows.   Please let me know if I have made improvements in gaining your support or made things worse.
>
> 1. ARIN approval:  ISP to submit private reassignment request to ARIN for approval.  The info in the request is exactly the same as it would be for public records.  -- This addresses concern of abuse.  As ARIN has to approve, and the info provided is the same as public, so no more prune to abuse.

If you leave it to ARIN to approve or not, what criteria should they
apply to approving or not? Otherwise this is meaningless.
[Chu, Yi [NTK]] ARIN approval based on the same criteria for public registration.  Private or not is a decision between ISP and its customer.  I do not intend to introduce extra criteria for ARIN to decide if the request warrants privacy or not.
[Chu, Yi [NTK]]
> 2. Alignment with residential policy: Upon ARIN's approval, the ISP may substitute that organization's name for the customer's name, e.g. 'Private Customer - XYZ Network', and the customer's street address may read 'Private'. Each private downstream reassignment must have accurate upstream Abuse and Technical POCs visible on the WHOIS directory record for that block.  --- This aligns with residential requirement.  As ARIN and ISP have the real info, so when a law enforcement need to request info with a subpoena, the ISP and ARIN would be able to produce the info.

This seems reasonable.
[Chu, Yi [NTK]] Glad you agree.

> 3.  'Slow zone': Each ISP may only have one outstanding private reassignment request with ARIN. (alternatively, it can also be stated that 'ARIN is putting the ISP's private request in its own queue, and ARIN is not required to process more than one request per ISP per day, something to this effect) --- This addresses people's concern of abuse, ie, ISP swip everything private.   As I envision ISP's private request is rare, that limiting the throughput is OK.

I'm not sure how effective this is or if it matters how quickly they
happen.  If an ISP private SWIPs 100 in one day, or 1 a day for 100 days
and does a 1000 SWIPs the rest of the year what's the diff, its still
10%.  Most of the data needs to be public that what matters not how many
in one day.
[Chu, Yi [NTK]] I am struggling here too.  I just do not want to set a hard limit (10%), as each ISP may have different customer profile.   I welcome suggestions, as always.

> Rationale for the proposal:  I would add that it is for businesses to prevent the prying eyes of hacking.  Right now, a hacking teenage can find IP info on arin whois for any company with just a few clicks by just looking up the company name, which I find a bit un-nerving.  We made it unnecessarily easy for the hackers.

This is bull, that's like saying if banks only took down their signs no
one would rob them. BULL!!!  I want to see more flexibility here.  But
let's not make up silly excuses, its about privacy not security.
[Chu, Yi [NTK]] As you can tell, I need help here as well.  My customer used security as a reason for asking privacy.  I do have a bit problem articulating the delineation between security and privacy.
As for the BULL, one can argue that banks do not have to put a sign telling where the vault is or the keys to the vault are on the front door either.  But I guess all analogy is just analogy.


> Please let me know your comments.
>
> yi
>
> -----Original Message-----
> From: David Farmer [mailto:farmer at umn.edu]
> Sent: Thursday, August 09, 2012 2:55 PM
> To: Chu, Yi [NTK]
> Cc: Brian Kearney; ppml at arin.net; David Farmer
> Subject: Re: [arin-ppml] ARIN-prop-180 ISP Private Reassignment
>
> First, I cannot support this proposal as written, however I would like
> to see more flexibility provided on this issue.
>
> So here is the problem, your one customer that wants their data private
> isn't that big of deal, the system won't fall apart if their data is
> private.  However, if everyone wants their data private or ISPs start
> marking all their data private by default then the system may fall part.
>    Or, at the very least we probably need a radically different system,
> I'm not fundamentally opposed to that either, but that's not what your
> proposing.
>
> As written, your proposal allows an ISP to mark all their data as
> private.  You seem to be saying the that everyone can make all their
> data private without any consequences to the current system.  To be
> honest I think your wrong, others seem to think so as well.  However, I
> also don't believe that all data needs to be public for the system to
> work as intended either, just a majority of it.
>
> My suggestion is to go one of two directions, propose a complete rethink
> of the current system that doesn't need public data, or provide some
> limits to how much data can be private or provide other compensating
> policy controls that make up for the lack of public data.
>
> Some examples of possible options, only allow a certain threshold of
> private data, say 10% or 20% by volume of addresses, or after a
> threshold of private data require escrow of all records with an
> independent custodian and who that custodian is must be published, or
> require an annual audit of records by ARIN, etc...
>
> Without a complete rethink of the system there needs to be some
> consequence for having to much data marked as private or a limit on the
> amount of data that can be marked as private.
>
> Thanks
>
> On 8/9/12 12:40 CDT, Chu, Yi [NTK] wrote:
>> The private registration would need to go through exact the same scrutiny as is done for the public ones.  The ISP's are still required to register with ARIN.  Private just means the record is not shown/visible on the public whois.  'Private registration' does not relieve the ISP from registration responsibility of their reassignments.
>>
>> ISP's are still bound by their RSA contract with ARIN, as I stated in another email.
>>
>> yi
>>
>> -----Original Message-----
>> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of Brian Kearney
>> Sent: Thursday, August 09, 2012 11:50 AM
>> To: ARIN
>> Cc: ppml at arin.net
>> Subject: Re: [arin-ppml] ARIN-prop-180 ISP Private Reassignment
>>
>> This could easily be abused for utilization justification.
>>
>>
>> Thank You,
>> Brian Kearney
>> Sent from my iPhone
>>
>>
>> On Aug 9, 2012, at 8:32 AM, ARIN <info at arin.net> wrote:
>>
>>> ARIN-prop-180  ISP Private Reassignment
>>>
>>> ARIN received the following policy proposal.
>>>
>>> The ARIN Advisory Council (AC) will review the proposal at their next
>>> regularly scheduled meeting (if the period before the next regularly
>>> scheduled meeting is less than 10 days, then the period may be extended
>>> to the subsequent regularly scheduled meeting). The AC will decide how
>>> to utilize the proposal and announce the decision to the PPML.
>>>
>>> The AC invites everyone to comment on the proposal on the PPML,
>>> particularly their support or non-support and the reasoning
>>> behind their opinion. Such participation contributes to a thorough
>>> vetting and provides important guidance to the AC in their deliberations.
>>>
>>> Draft Policies and Proposals under discussion can be found at:
>>> https://www.arin.net/policy/proposals/index.html
>>>
>>> The ARIN Policy Development Process can be found at:
>>> https://www.arin.net/policy/pdp.html
>>>
>>> Mailing list subscription information can be found
>>> at:https://www.arin.net/mailing_lists/
>>>
>>> Regards,
>>>
>>> Communications and Member Services
>>> American Registry for Internet Numbers (ARIN)
>>>
>>>
>>> ## * ##
>>>
>>> On Thursday, August 9, 2012 10:52 AM, Yi Chu wrote
>>>
>>> Template: ARIN-POLICY-PROPOSAL-TEMPLATE-2.0
>>>
>>>     1. Policy Proposal Name:  ISP private reassignment
>>>     2. Proposal Originator
>>>           1. name: Yi Chu
>>>           2. e-mail: yi.chu at sprint.com
>>>           3. telephone: +1-703-592-4850
>>>           4. organization: Sprint
>>>     3. Proposal Version: 1
>>>     4. Date: 2012-08-09
>>>     5. Proposal type: new
>>>     6. Policy term: permanent
>>>     7. Policy statement:
>>>                  NRPM 4.2.3.7.1.1 and 6.5.5.1.1 ISP private reassignment
>>>                  ISP has the option to register a reassignment as private.  A private reassignment is not visible on the public whois database.  Private reassignment is used in calculation of ISP utilization.  By register a reassignment as private, the ISP takes responsibility as POC by means of the direct allocation (parent of the reassigned address block) from ARIN that is publically registered in the whois database.
>>>
>>>     8. Rationale:
>>>                  Some ISP's customers wish to keep their reassignment private.  This can be for security reasons.  It can also be that the customer does not have the staff or know-how to manage their network.  They in term outsource the management of their network to the upstream ISP.  By not having their reassignemnt record showing in public, the whois record of the parent ISP block is a truer representation of the reality.  It make shte whois database more accurate and cleaner.
>>>     9. Timetable for implementation: immediate
>
> --
> ===============================================
> David Farmer               Email:farmer at umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE      Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
>
>
> ________________________________
>
> This e-mail may contain Sprint Nextel proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.
>
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.
>

--
===============================================
David Farmer               Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE      Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================


________________________________

This e-mail may contain Sprint Nextel proprietary information intended for the sole use of the recipient(s). Any use by others is prohibited. If you are not the intended recipient, please contact the sender and delete all copies of the message.




More information about the ARIN-PPML mailing list