[arin-ppml] Draft Policy ARIN-2017-5: Equalization of Assignment Registration requirements between IPv4 and IPv6
ppml at rsuc.gweep.net
Thu Jul 20 16:34:33 EDT 2017
On Mon, Jul 17, 2017 at 01:54:08PM -0400, David R Huberman wrote:
> Hello Joe,
> Thanks for the reply. A reminder that I'm *asking* a genuine question.
Sure, and I was supplying my genuine response. My personal hat is still
firmly on my head, fwiw.
> Now, I wrote:
> >> Whois reassignments are not the proper place for the information LE
> >> wants, in my opinion, and has almost no value to NOCs.
> Joe replied:
> > I find this assertion at odds with both my experience and direct
> > inquiries to those in the anti-abuse community. Upon what basis
> > is it made?
Nit - I should have trimmed LE because my scope in response was
regarding the NOC comment. I work in the operational realm, not legal
> So a few things.
> 1) I specifically said 'reassignments', and by that I meant end-user data.
> I have always been in favor of 'reallocations' (to downstream ISPs) being
> in Whois.
I find both to be of value in the data gathering phase of investigating
anamolies, dealing with incidents, and so on. Frankly, most all data
sources are noisy and therefore multiple sources of medium confidence
are better than attempting to pin high confidence to fewer sources.
> 2) The *vast* majority (and we're talking 99%+ -- I've studied the data
> many times) of end-user SWIP data is things like:
> AT&T Internet Services SBCIS-SIS80-1005 (NET-69-0-0-0-1) 18.104.22.168 -
> THE MEDICINE SHOPPE SBC069000000000030204 (NET-69-0-0-0-2) 22.214.171.124 -
> When you lookup the specific /29, you get:
> CustName: THE MEDICINE SHOPPE
> Address: 310 ORANGE ST
> City: NEW HAVEN
> StateProv: CT
> PostalCode: 06510
> Country: US
> ... with vanilla AT*T contact information from the parent /17.
> Yes: I assert this data has no value to NOCs or general internetworking
> operations, in my experience, and I wrote that I do not believe this is
> the proper place for LE to be gleaning it's info. (That's a whole other
> conversation, but it's my opinion here.)
> I don't understand how this SWIP data provides value in terms of
> transparency? It is, as others have noted, just giving out customer lists
> -- information which is typically considered confidential. ARIN policy
> *can* require this information, but *should* it?
Even if the published *contact* data is incorrect, it is a trivial step
to get contact data for the reassigned entity which is published via
other vectors. Your straw-man provides me the info to contact the user
of the designated resources directly ["Hi, you are owned"] rather than
contact an entity with which I have no association. There are a vast
number of organizations across the globe who will not accept external
reports or contacts regardless of impact. If you aren't a customer or
have subpeona power, you don't exist as they are optimized around call
metrics. Avoiding them is a win, and even if the direct contact ends
up being fruitless, the attempt can be made (and documented for evidence
if need be).
> Additing to this conversation, two other items:
> 3) Since 2004, when Dave Barger first got up to a microphone at an ARIN
> meeting (Reston) and admitted that his company's SWIPs were non-compliant
> because of software issues, we've had huge swaths of SWIP data that is
> just wrong. It's very difficult (especially at scale) to both publish and
> maintain accurate SWIP data. There's a real cost to requiring accurate
> SWIP data for providers -- large and small. If we're going to put this
> cost on them for IPv6, I'd really like us to have a solid justification
> that's relevant to 2017 network operations, and not based on what was true
> in 1999.
Sadly those we can't rely upon for accurate SWIP data also couldn't be
trusted for accurate rWHOIS data. I'd be interested in hearing other
distributed options, and suspect there's an answer involving blockchain
buried in there but I'm just not clever enough to unearth it. If as a
community we still value being able to get things done without involving
legal action then providing an reasonable accounting of how an organization
is using the community's resources (and let's make no mistake - that is
what the concensus pool of addressing *is*) is simply the cost of doing
business. If recouping the cost of data publication and upkeep isn't
built into their product or customer relations then they probably have
a broken business plan.
> 4) And finally, we go back to an early convversation point that as
> presently drafted, this policy idea (required SWIPs for IPv6) is not
> enforceable by ARIN. In a world where you generally do not go back to the
> RIR for additional IPv6 prefixes, ARIN has no enforcement tools in the
> policy -- and the one's they could have that I can envisage, I don't
I see this to be a fundamental failing of our region's fragmented
model. We dither over things which are non-problems in other regions
due to decisions made quite some time ago... that would be a "2017 rather
than 1999" conversation worth having, IMNSHO.
Posted from my personal account - see X-Disclaimer header.
Joe Provo / Gweep / Earthling
More information about the ARIN-PPML