[arin-ppml] Draft Policy ARIN-2019-2: Waiting List Block Size Restriction

Ronald F. Guilmette rfg at tristatelogic.com
Fri Mar 1 18:35:03 EST 2019


In message <CAN-Dau0jsZGD6fk4hM=p=tq8pUP501=knARFm_j7po9c5NAVqA at mail.gmail.com>
David Farmer <farmer at umn.edu> wrote:

>"Total transparency for everything" is nice hyperbole, but is not a
>practical policy even for my university. We need practical policy proposals
>with the details necessary to evaluate and implement them.

That's a fair point, but I'm not sure it makes any difference, in the end,
because transparency is clearly at odds with the vast majority of existing
practice with respect to the way ARIN has always operated.  In other words,
I don't see it as being even plausibly realistic to either hope or expect
the current and traditional level of cloak-and-dagger secrecy is at all
likely to be lifted anytime soon.  Too many people have too much invested
in the current status quo.

But I'll try to answer your question anyway, because, as I say, it's a fair
question, even though this is all just an academic exercise, because too
many parties have too much to hide, and thus, this will never actually go
anywhere.

>Exactly what information and at what level of detail do you want to be
>included your total transparency? If you mean, that the reports we have to
>give ARIN with the details of how all our current IP addresses are used...
>...
>Now if you want my university's audited financial records...

I would most probably not want, and do not ask for anybody's network
information.

I would not want, and do not ask for anybody's detailed financial records,
whether audited or not.

I believe that I was already clear in my prior posts in this thread that
from my perspective, the names and business addresses of all actual
natural person "beneficial owners" of each non-publicly-traded non-natural-
person entity that either requests, or that is awarded number resources,
either by ARIN or by any other RIR, is a reasonable floor on the kind of
information that should, by all rights, be a matter of public record.

And indeed, such information should be a matter of public record not just
as a way of limiting abuses of Internet number resources,... which its
general publication would most certainly help to do... but also as a general
matter, in order for ARIN to be consistent with current international anti-
money-laundering directives, including but not limited to Europe's 4AML
and 5AML directives, as well as the U.S.'s current KYC requirements, as
codified in the 2001 Patriot Act.

Basically, I would like to see *all* RIRs conforming to *all* currently
ratified national level KYC directives, worldwide, and I would like to
see any and all documents produced to ARIN and/or to any other RIRs in
order to reasonably and properly identify any customer thereof to be a
matter of public record, available for public viewing on the Internet.

https://en.wikipedia.org/wiki/Know_your_customer

This simple proposal, if adopted, would lift ARIN and the other RIRs out of
the realm that they currently inhabit, and that they have always inhabited,
i.e. the realm of shadows, shell companies, and all manner of secretive (and
often criminal) skullduggery.

Why should banks be required to know their customers, to obtain photocopies
of the passports of sweet harmless little old ladies who only want to deposit
five pounds for their grandchildren's college fund, while persons of entirely
unknown origin, means, and motives are routinely granted /18 blocks or
larger on this thing we call the global Internet?  This is madness on the
face of it.  This is the worst aspect of a secretive "old boys club" which
has been, due to inertia, catapulted into the 21st century and which is
now unambiguously and provably being exploited by numerous Bad Actors with
sinister and, as I say, often outright criminal motives.

Anyone who denies that there is a problem here isn't looking at what I am
looking at and also isn't looking at the data that John C. and his crew
found and that began this whole thread and that gave rise to the proposal
being debated, which now requires the ARIN membership to design, on the
fly, some new restriction on the allocation process that might thwart
those seeking to game the system.  But we don't even know and aren't even
being told who it is that we are hoping to thwart!  (And that is also,
arguably, madness.)

I hope that I have clarified what I mean by "transparency" in this context.

It should not be in any serious doubt to anyone here that the current open
market price of a single /16 block is now in excess of $1 million USD.
Given that, and the ease with which one can make off with one of those,
by hook or by crook, perhaps piece-by-piece, a little at a time, from
behind an impenetrable shell company facade, and using a fountain pen
rather than a gun, why would any sane criminal -or- any sane capitalist
feel the need to either rob or swindle anyone or anything at the present
moment in time, when they could instead so easily and -legally- obtain
sizable chunks of ill-gotten gains simply by playing the IPv4 game, all
while never even having to reveal their true identities?


Regards,
rfg


P.S.  Regarding your network details... I'm not persuaded that having those
become a matter of public record would materially detract from your -actual-
(as opposed to perceived) network security.  I think that one would need to
have a belief, at some level, in the power of "security by obscurity" in
order to believe otherwise.

And anyway, what documentation have you ever given to ARIN that could be
leveraged against your network security that could not just as easily be
obtained by a determined attacker armed with your public WHOIS records
and a decent network scanner?

Your public IPs are, by definition, all public, right?  I mean they are
routed on the global Internet, right?

If there's some secret buried in your University's confidential ARIN
paperwork that would be of use to some teenager in Botswana or some crypto-
crook in Moscow as they attempt to break into your records department,
and if this -isn't- something that they could learn just from your WHOIS
records and simply scanning all of your publicly routed CIDRs then I, for
one, would sure like to have you tell me what that is, in general terms
of course.


P.P.S.  One of the more regrettable features of American popular news media
is that very little of importance about the outside world even manages to
penetrate into the American consciousness.

For those of you... probably a majority... who missed it, please allow
me to suggest that you google for "Danske Bank" or "Deutsche Bank" or
"Swedbank" and start reading.  When you get done doing that, try also
"1MDB".

If you are too lazy to read, there are plenty of YouTube videos covering
these various epic financial scandals also.
