[arin-ppml] Draft Policy ARIN-2017-5: Equalization of Assignment Registration requirements between IPv4 and IPv6

Thu Jul 20 16:34:33 EDT 2017

Hey David,

On Mon, Jul 17, 2017 at 01:54:08PM -0400, David R Huberman wrote:
> Hello Joe,
> 
> Thanks for the reply. A reminder that I'm *asking* a genuine question. 

Sure, and I was supplying my genuine response. My personal hat is still 
firmly on my head, fwiw.

> Now, I wrote:
> 
> >> Whois reassignments are not the proper place for the information LE 
> >> wants, in my opinion, and has almost no value to NOCs.
> 
> Joe replied:
> 
> > I find this assertion at odds with both my experience and direct
> > inquiries to those in the anti-abuse community.  Upon what basis
> > is it made?

Nit - I should have trimmed LE because my scope in response was 
regarding the NOC comment. I work in the operational realm, not legal
interface.

> So a few things.
> 
> 1) I specifically said 'reassignments', and by that I meant end-user data. 
> I have always been in favor of 'reallocations' (to downstream ISPs) being 
> in Whois.

I find both to be of value in the data gathering phase of investigating 
anamolies, dealing with incidents, and so on. Frankly, most all data
sources are noisy and therefore multiple sources of medium confidence
are better than attempting to pin high confidence to fewer sources.

> 2) The *vast* majority (and we're talking 99%+ -- I've studied the data 
> many times) of end-user SWIP data is things like:
> 
> AT&T Internet Services SBCIS-SIS80-1005 (NET-69-0-0-0-1) 69.0.0.0 - 
> 69.0.127.255
> THE MEDICINE SHOPPE SBC069000000000030204 (NET-69-0-0-0-2) 69.0.0.0 - 
> 69.0.0.7
> 
> When you lookup the specific /29, you get:
> 
> CustName:       THE MEDICINE SHOPPE
> Address:        310 ORANGE ST
> City:           NEW HAVEN
> StateProv:      CT
> PostalCode:     06510
> Country:        US
> 
> ... with vanilla AT*T contact information from the parent /17.
> 
> Yes: I assert this data has no value to NOCs or general internetworking 
> operations, in my experience, and I wrote that I do not believe this is 
> the proper place for LE to be gleaning it's info. (That's a whole other 
> conversation, but it's my opinion here.)
> 
> I don't understand how this SWIP data provides value in terms of 
> transparency?  It is, as others have noted, just giving out customer lists 
> -- information which is typically considered confidential.  ARIN policy 
> *can* require this information, but *should* it?

Even if the published *contact* data is incorrect, it is a trivial step
to get contact data for the reassigned entity which is published via 
other vectors. Your straw-man provides me the info to contact the user 
of the designated resources directly ["Hi, you are owned"] rather than 
contact an entity with which I have no association. There are a vast 
number of organizations across the globe who will not accept external 
reports or contacts regardless of impact. If you aren't a customer or 
have subpeona power, you don't exist as they are optimized around call 
metrics.  Avoiding them is a win, and even if the direct contact ends 
up being fruitless, the attempt can be made (and documented for evidence 
if need be).

> Additing to this conversation, two other items:
> 
> 3) Since 2004, when Dave Barger first got up to a microphone at an ARIN 
> meeting (Reston) and admitted that his company's SWIPs were non-compliant 
> because of software issues, we've had huge swaths of SWIP data that is 
> just wrong.  It's very difficult (especially at scale) to both publish and 
> maintain accurate SWIP data.  There's a real cost to requiring accurate 
> SWIP data for providers -- large and small.  If we're going to put this 
> cost on them for IPv6, I'd really like us to have a solid justification 
> that's relevant to 2017 network operations, and not based on what was true 
> in 1999.

Sadly those we can't rely upon for accurate SWIP data also couldn't be 
trusted for accurate rWHOIS data. I'd be interested in hearing other 
distributed options, and suspect there's an answer involving blockchain 
buried in there but I'm just not clever enough to unearth it.  If as a 
community we still value being able to get things done without involving 
legal action then providing an reasonable accounting of how an organization
is using the community's resources (and let's make no mistake - that is 
what the concensus pool of addressing *is*) is simply the cost of doing 
business. If recouping the cost of data publication and upkeep isn't 
built into their product or customer relations then they probably have
a broken business plan. 

> 4) And finally, we go back to an early convversation point that as 
> presently drafted, this policy idea (required SWIPs for IPv6) is not 
> enforceable by ARIN.  In a world where you generally do not go back to the 
> RIR for additional IPv6 prefixes, ARIN has no enforcement tools in the 
> policy -- and the one's they could have that I can envisage, I don't 
> support.

I see this to be a fundamental failing of our region's fragmented 
model.  We dither over things which are non-problems in other regions
due to decisions made quite some time ago... that would be a "2017 rather 
than 1999" conversation worth having, IMNSHO.

Cheers,

Joe

-- 
Posted from my personal account - see X-Disclaimer header.
Joe Provo / Gweep / Earthling 