Re: APNIC Privacy of customer assignment records - implementation update

["william(at)elan.net" <william () elan net>]

On Thu, 23 Sep 2004, Leo Bicknell wrote:

> In a message written on Thu, Sep 23, 2004 at 05:56:42PM -0400, Joe Abley wrote:
> > The proposal (which comes from APNIC members, not from APNIC staff) 
> > concerns non-portable addresses assigned to end-users. I don't know 
> > about anybody else, but I've never had any luck getting a response from 
> > people in that category anyway; it's invariably the upstream ISPs who 
> > respond (if anybody does), and there is no suggestion that their 
> > contact details will  be able to be hidden.
>
> There are several proposals in various stages before ARIN and RIPE
> about this same issue.  APNIC simply beat everyone to the punch, but
> most of the other groups are going down the same path.

Going down the path does not mean it'll happen.
 
> The interesting case brought by several providers is that some
> residential DSL providers are now assigning /29's to end users to
> support multiple boxes.  In some cases these additional boxes are
> service provider boxes to provide value-add services (think, a voice
> or video gateway box).  This creates the very real situation where
> "grandma" is now published in whois.
>
> "grandma" doesn't like the spam, doesn't want to be listed (she
> already has an unlisted phone number) and even if her machine is
> owned and spewing forth spam contacting her is just going to result
> in confusion.  To that end the service provider would like to not
> list her, protect her privacy, and when people query have only their
> block and contact show up so they can field the call and either
> block her port, or have a (hopefully more helpful) customer service
> person help her clean her infected machine or whatever.

For ARIN, in case of grandma or any other residentual customer, there 
exist "residential customer privacy" policy, so her name need not be listed. 
 
> Generally the people who actually work abuse all have a similar report:
> end user assignments in whois are worthless.  End users fall into one
> of two catagories:
>
> 1) "grandma", where contacting her is going to get you nowhere because
>    they don't know what you're talking about.
>
> 2) An abuser (spammer, ddoser, whatever).  These people either won't
>    respond, or will respond but take no action, in both cases hoping
>    to string you along and make you either go away, or at least buy
>    some more time while they tie you up dealing with them.
>
> Because of this most of the people dealing with abuse are already
> ignoring end user contact information and going straight to the
> upstream ISP anyway.

This is not the same thing. What we're talking about is not the record
itself but who is listed as point of contact. And for most small records
the person is not listed as point of contact, the ISP is.

But info about actual customer still makes it possible to correlate multiple
cases of abuse together and it is more difficult for spammers to run from
one ISP to another.

> This brings us to why these proposals are getting traction in all the
> RIR's.  Spending thousands of hours maintaining data that many (most?
> nearly all?) of the users say is useless is silly.

But the proposals to hide the information do not change any of that,
ISPs are still REQUIRED to provide all the same information to RIR
they can just hide it from the public.

> Chicken and egg, or egg and chicken?  I'm not really sure.  That
> said, the current rules basically ensure that at some point in the
> future, when everyone needs a /29, everyone on the planet will be
> listed in whois. 

That I don't like either. I think ARIN database is overpopulated
by otheless small records and this is a problem both for ARIN and
for those tyring to use the data. But NOT ALL the records are
useless and if we simply let ISPs not report anything at all,
this is even worth.

I actually do have proposal to make on this issue that will:
 1. Reduce amount of data in arin whois by not requirying ISPs
    to report each small allocatoin and assignment
 2. Keeps data about all small residential and small-business
    customers private out of whois (these represent 90% of all
    assignments)
 3. Still keeps records that allow to determine general geographical
    location of service (for those of us mapping the net)
 4. Still keeps records for almost all the types of cases where
    abuse and spam does happen.

I'll now take this to ppml for further discussion. I don't have a concrete 
proposal text, but basic set of ideas that can be worked on further.

---
William Leibzon
Elan Networks
william () elan net