[arin-ppml] Draft Policy ARIN-2017-5: Equalization of Assignment Registration requirements between IPv4 and IPv6

hostmaster at uneedus.com hostmaster at uneedus.com
Mon Jul 17 09:47:26 EDT 2017

As far as ARIN having access, you are right, ARIN itself has the right to 
the CPNI data on assigned IP resources, but not the right to make it 
publically accessable to the world.  The OP has confirmed that the issue 
is the CPNI rules.

there already exists specific CPNI
>    exception  that a carrier may permit access to customers’ CPNI when
>    necessary for provision of the telecommunications service.

This is the problem.  ARIN is not a carrier.  While disclosure to ARIN to 
obtain number resources for the connection is OK, Public disclosure by or 
at the direction of ARIN policy of elements like domain name, name, 
address and telephone number is not.  Since name, address, telephone 
number and domain name have already been identified have been defined in 
the order as elements of CPNI that are protected, world disclosure by ARIN 
or because of ARIN rules would not be a protected disclosure.

The ISP might also be in trouble for providing the information to ARIN, if 
they know that ARIN intends to publish this information in a public 
directory, rather than disclosing it to ARIN solely to maintain number 
resources.  As suggested by the OP, might have to call them customer 1-n. 
However that would violate the NRPM as written.  Since the City, State and 
Zip Code are part of the address, even the "protected" residential records 
CPNI are being disclosed in violation of the CPNI Order.

There is a big difference between disclosure to ARIN for taking care of 
numbering policy, and disclosure to the entire world.  Third party 
disclosure is the main thing that the CPNI rules are intended to address. 
That is only permitted when it is needed for the provision of service.

In the telecom world, a circuit from A to B might go from ILEC A to 
Interexchange Carrier, then to ILEC B at the other end.  Disclosure to 
each is permitted, as it is required for having the service.  Publication 
of information regarding this circuit to other parties or the world is 
not.  There is a large body of case law regarding CPNI disclosure, and 
maybe this is what the OP was talking about.

I read the FCC1524A1 order, and while it does say that the FCC will not 
assert jurisdiction over the assignment or management of IP addresses, I 
see nothing in the order that would allow ARIN to insist that the 
assignments must be recorded in a public directory, where neither the 
customer has consented.  The FCC has specifically been ruled that elements 
name, address and telephone number are protected CPNI. The customers are 
NOT ARIN members, so there is no contractual agreement with those parties 
to allow this disclosure.

Maybe I am missing something, but my read of the order does not seem to 
grant ARIN the rights to EVER publish CPNI to third parties without 
consent.  I have looked for the WISPA comments on line to find out exactly 
what the issue identified is, but I have not been able to find it. 
Information from the OP seems to state that I have found the correct order 
on CPNI.

Albert Erdmann
Network Administrator
Paradise On Line Inc.

On Mon, 17 Jul 2017, John Curran wrote:

> On 17 Jul 2017, at 1:04 AM, hostmaster at uneedus.com<mailto:hostmaster at uneedus.com> wrote:
> John,
> I think this is the FCC ruling he speaks of, and it does seem to shut down public disclosures of most of what is contained in SWIP/WHOIS without customer consent.  This has been the rule for regular phone calls for a long time, called CPNI. Until today I did not realise the FCC extended this to the internet. It also appears that even someone with a contract with ARIN could require ARIN to restrict their data from third party disclosure, as it states that private contract provisions cannot override the right to insist on privacy.
> http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf
> It looks like static and even dynamic IP addresses and MAC addresses are considered protected information. IP addresses are the bread and butter of ARIN. Domain names are protected, thus Email addresses are protected since they contain a domain name, and they have also ruled that name, address and telephone numbers are protected as well.  They even talk of DNS lookups being protected.
> It kinda looks like the FCC has made a large part of SWIP/WHOIS unlawful with this order unless ARIN has been given consent by each holder of the information, even if they are a current member under contract.
> Albert -
>    The FCC is well aware of the Internet Numbers Registry System and
>    our processes for management of IP addresses, and their recent Open
>    Internet/Title II reclassification order specifically acknowledges that the
>    Title II change of broadband services does not assert their jurisdiction
>    over the assignment or management of IP addressing  -
> "This definitional change to our regulations in no way asserts 
> Commission jurisdiction over the assignment or management of IP 
> addressing by the Internet Numbers Registry System.” (Reclassification 
> Order ¶ 391, note 1116)
>    <http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0403/FCC-15-24A1.pdf>
>    The Order makes plain that the use of “public IP addresses” from the
>    Internet Numbers Registry System are an element used in the provision
>    of broadband Internet services, and there already exists specific CPNI
>    exception  that a carrier may permit access to customers’ CPNI when
>    necessary for provision of the telecommunications service.
>    If ISPs can provide Internet services without use of IP addresses, then
>    then permitting access to that customer information would not meet the
>    limited exception, but that does not appear to be practical (and particularly
>    not with respect to the IP address blocks which are routed on the public
>    Internet, as being discussed in some variations of this draft policy)
>    ISP’s who have a concern in this area should obtain their own legal advice,
>    but compliance with community-developed registry policy is a prerequisite
>    for access to the public IP addresses, and our review notes that such access
>    is a necessary and required element for the provision of Internet services
>    and thus should fall without the limited CPNI exception that is provided.
>    (If somehow you can provision Internet services without the use of public
>    IP address, then availability of the “necessary for provision” exception would
>    not be the case, but then again, you also would not need to worry about
>    access to or compliance with the Internet Number Registry System…)
> Thanks,
> /John
> John Curran
> President and CEO
> American Registry for Internet Numbers

More information about the ARIN-PPML mailing list