[arin-ppml] Clarify /29 assignment identification requirement

Kevin Kargel kkargel at polartel.com
Mon May 7 11:06:12 EDT 2012


> -----Original Message-----
> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On
> Behalf Of William Herrin
> Sent: Friday, May 04, 2012 9:06 PM
> To: David Krumme
> Subject: Re: [arin-ppml] Clarify /29 assignment identification requirement
> On 5/4/12, David Krumme <david at airbits.com> wrote:
> >> I would think that any indirect evidence of a customer's existence
> >> would support the address utilization claim. A bank statement listing
> >> deposits and charges.
> >
> > Our bank statement shows all sources of our income and would not in any
> > way tend to either validate or discredit our ISP activities.
> Hi David,
> It would demonstrate a plausible customer count (or the lack thereof)
> for the address utilization you claimed.
> >> A demonstration of access to the routers implied
> >> by assignment claims with apparent programming and interface statuses
> >> that match.
> >
> > I am not going to allow access to our routers to anyone out there on the
> > Internet, out of security as well as trade secret concerns. Sorry.
> I believe the suggestion was for a webex session in which an ARIN rep
> on the phone asks you to operate the router and then observes
> (read-only) the result.
[kjk] I would tend to also be hesitant to have someone watch over my
shoulder as I did things like listing router configs showing detailed
network infrastructure, passwords, secrets, (encrypted or not) etc..

Video screen capture for replay of a webex session is trivial, decrypting
cisco passwords from config listings is also trivial, getting clear text
from a cisco type 7 password takes less than a minute for a casual admin..
There are better ways to protect things, but this example works for this
While I trust ARIN in general there are just some things that one doesn't
do, and exposing critical core configurations is one of them.

Telecommunications carriers in particular are under a lot of regulations
that are vaguely written and have HUGE gray areas that may be impacted my
releasing customer identification data tied to networking.  Even things like
CPNI regulations that are primarily aimed at telephone data could possibly
be construed to apply to data referring to a telephone/data customer of a
telephone carrier.  Hopefully everyone has the "ok to disclose to necessary
third parties" type of clause built in to their contracts.  

Exposing customer data for retention in a third party database is definitely
something to be avoided if at all possible.  



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4935 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20120507/5a681c7f/attachment-0001.bin>

More information about the ARIN-PPML mailing list