ARIN Public Policy Meeting Day 2 Notes - 12 October 2006

Call to Order and Announcements

Speaker: Ray Plzak, ARIN President and CEO


Ray Plzak opened the second day of the ARIN Public Policy Meeting. He thanked ARIN XVIII network connectivity sponsor SAVVIS, Inc, and the Center for the Application of Information Technology (CAIT) at Washington University in St. Louis' School of Engineering and Applied Science for its partial sponsorship of the Cyber Café. Finally, he thanked Cisco for its sponsorship of the "Networking with IPv6" workshop held on Sunday for both ARIN and NANOG attendees.

Ray reviewed the rules of discussion to be followed throughout the meeting, the meeting agenda, and relevant meeting information. He reminded those in attendance of the importance of being subscribed to the Public Policy Mailing List to raise and discuss policy-related topics.

At the beginning of the meeting, approximately 109 people were in attendance.

[ARIN offered the opportunity for remote participation throughout the meeting. Comments from remote participants are read aloud at the meeting and are integrated into the meeting report. There were approximately 20 individuals viewing the meeting webcast throughout the proceedings, and 10 registered remote participants.]

Words from Sponsor

Speaker: Don Bertier, Chief Security Officer, Savvis Communications


Ray Plzak introduced Don Bertier, Chief Security Officer with Savvis Communications, to welcome attendees to St. Louis as the sponsor of the ARIN XVIII network connectivity. Don highlighted the helpfulness of ARIN's staff in general, and on some recent resource transfers specifically. In addition, he thanked Katie Flowers, the Team Lead for the Abuse and Security Department at Savvis, for her work on the Blacklisting Round Table the previous day.

2006-2: Micro-allocations for Internal Infrastructure

Speakers: Jason Schiller and Heather Skanks, Proposal Authors

Introduction: PDF
Presentation: PDF

Ray Plzak presented an introduction to the proposal. Highlights included:

  • Advisory Council shepherds: Stacy Taylor and Bill Darte
  • Introduced on PPML on 9 February 06, designated as a formal policy on 17 February 06. This was first discussed at ARIN XVII, where there was consensus to revise the proposal. Last revision was on 18 July 06.
  • Presentation of Staff Impact Analysis, Legal Review, Staff Comments, and overview of PPML discussion activity. [see presentation and transcript links above for details]

Heather Skanks, as one of the authors, continued with the presentation of the proposal. She provided details on the history of the proposal, the reasons for it, its intended benefits, and the nature of the revisions made since it was last discussed at ARIN XVII. She noted that the previous version of the proposal rewrote the entire micro-allocation section, and that the revision now concisely addresses only a subset of that policy. She went on to explain that the proposal now simply says that if you currently have IPv6 address space, you can request an additional /48 of noncontiguous space for use with internal infrastructure provided there exists a technical justification, such as alleviating BGP convergence.

Discussion Overview [Transcript]
  • An attendee stated that he believed that during the discussion at ARIN XVII, a point was made that this issue could be addressed by router vendors fixing or improving the software and inquired if anyone else remembered details of that discussion and if any follow-up to the appropriate vendors was undertaken. Jason Schiller replied that one of the comments on PPML was that it was already fixed in some implementations, allowing the software to do route resolution policies that restrict what routes are considered. He went on to say that this approach has not been taken by all vendors in stable production-level code, or in some cases at all. He further explained that he had been in touch with Cisco about this, and is actually in the process of drafting an RFC with someone from Cisco to try and make this functionality standard. However, that will take significant time to get approved and trickle out through available code, while a policy could address this issue much more quickly, and in the future if appropriate implementations exist from vendors, this policy could be revoked.
  • It was noted that while handing out /48s for this specific purpose wouldn't be considered wasteful of address space, it does open the door to others making similar requests which could lead to waste of address space. The attendee noted that a proposed solution for this exists, namely ULA Central, but has not been advanced as the IETF and the RIRs haven't reached agreement on whether to move ahead with it. Jason Schiller responded that this is actually a reason to support this proposal, as it sets the groundwork for the registries to handle these sorts of allocations and could be a stepping stone to getting these parties to agree to move forward on ULA Central.
  • A question was raised about the removal from the proposal of a prohibition on routing these prefixes, and how that squares with the idea that the authors are still saying these can't be globally routed. Jason Schiller responded that yes, the text was removed, but that the justification for the addresses still needs to include information that shows the organization making the request is trying to solve something like BGP convergence, which shows that they would be using it for a purpose where it wouldn't need to be globally routed. In addition, he stated that part of the reason for the removal of the text was based on feedback that ARIN policies don't specify routing policies.
  • An attendee stated that he had previously been opposed to the proposal, but with the revisions he now supported it.
  • A suggestion was made that since the text concerning a prohibition against routing these prefixes was removed, the text of "non-routed" should be removed as well. Jason Schiller responded that he was fine with leaving it in or taking it out.
  • A question was asked about whether the equivalent of RFC 1918 space would address this need. Jason Schiller responded that it would not, as these addresses are going to be used for loopbacks and point-to-point interfaces for the purposes of troubleshooting, and there might be significant problems with address space overlap if they were all pulled out of a common shared pool like the RFC 1918 space in IPv4.
End of Discussion:

John Curran took a straw poll to determine the sense of the room. After the tally was conducted, John stated that this information would be provided to the Advisory Council for use in their deliberations.

APNIC Update

Speaker: Paul Wilson, APNIC Director General

Presentation: PDF

Paul Wilson provided a presentation on recent activities and developments within APNIC and its region.

  • APNIC has gone through a reorganization, and is now set up with a two-tiered structure with four areas of major activity at the top. These areas are Services, Communications, Technical, and Business. There's also a Chief Scientist.
  • With its Helpdesk Unit, APNIC has extended helpdesk hours/days, and noted an increasing demand for VoIP and "live chat."
  • Released a revamped ICONS, APNIC's ISP support website. Current projects include "ARMS" or APNIC Resource Management System, and a public statistics service using "O3."
  • The training and education unit has had a new member appointed; APNIC has done a pilot webcast of APNIC training and has held 40 training events in 18 different locations.
  • Engaged in several marketing and outreach activities including APNIC Interactive CD, posters, and multimedia efforts. Funding and in-kind assistance to PACNOG, SANOG, and NZNOG. MoUs for training and cooperative activities with ISP associations in South Asia, ISOC-AU, PICISOC, and NIDA.
  • In the technical area, APNIC has been working on providing the ability to update reverse DNS records by XML over https, featuring immediate success or error reporting and updates to APNIC's name servers within seconds. This was demonstrated at the last APNIC meeting. Other activities include the issue of resource certification.

There were no questions or comments from the floor.


Speaker: Axel Pawlik, RIPE NCC Managing Director

Presentation: PDF

Axel Pawlik provided a presentation on recent activities and developments within RIPE NCC and its region.

  • In the Registration Services area, all of RIPE NCC's request forms have been updated, and now have clearer text written in plain English, and supporting documentation has better examples.
  • The IPv6 Global Policy has now been adopted in the RIPE region.
  • Work is ongoing in the area of 32-bit AS numbers and getting ready for 1 January 2007; this will affect many systems.
  • Training efforts continue to be successful, with 55 LIR, 11 RR and 10 DNS for LIRs courses. There have been a total of 76 courses in 36 countries, with about 1700 attendees from 50 countries. Also several e-learning efforts are already underway, with more available soon.
  • Recent legal issues include data protection regarding the RIPE database, a review of the Articles of Association, a revision of closing procedures, and an increasing number of LEA requests for information.
  • Membership liaison and outreach activities have included one regional meeting in Moscow this past September and one upcoming in Manama, Bahrain in November, as well as the "Roundtable for Governments & Regulators" held during Monday afternoons at RIPE meetings.
  • Work is also continuing within RIPE NCC's Certification Task Force, with prototype development, a trial deployment in the RIPE region in 2007, and planning for two additional FTE for integration in business processes and systems.

There were no questions or comments from the floor.

IANA Activities Report

Speaker: Barbara Roseman, IANA Operations Manager

Presentation: PDF

Barbara Roseman provided an update on recent IANA activities, both within the organization and its public activities.

  • Staff changes - the IETF Liaison position has been filled by Michelle Cotton, and the RIR Liaison spot is still open.
  • In regard to allocations to RIRs, the RIRs have commented that ticketing requests give better feedback during the process.
  • With the implementation of the IPv6 Global Policy, there have been new allocations made to the RIRs in accordance with this policy.
  • IANA is undertaking a pilot project to convert registries' internal format to XML. This includes protocol registries and number resource registries, but not domain registries, as a separate project is automating those. The ultimate goal is to allow multiple formats to be generated.

There were no questions or comments from the floor.

NRO Activities Report

Speaker: Raul Echebarria, Chair of the NRO Executive Council

Presentation: PDF

Raul Echebarria provided a presentation on recent Number Resource Organization activities. He began with some background information about the NRO and its history, and then went on to discuss recent activities in 2005 and 2006.

  • The EC meets periodically by teleconference and in face-to-face meetings. There were 10 NRO EC meetings in 2005, and 7 meetings in 2006 so far.
  • Current issues being addressed are procedures for the ASO and the Charters for NRO Coordination Groups.
  • In the area of Internet Governance, two NRO EC Members are serving on the IGF Advisory Group; an agreement has been signed with the ITU-T to establish a liaison relationship with the ITU; and plans have been made to participate in the ITU Telecom World 2006 in Hong Kong.
Discussion Overview [Transcript]
  • An attendee asked if the NRO considers the routing registries run by the registries to be part of their mission. Raul Echebarria responded that, personally, he believed it was up to each RIR. He stated that in his view, it has not been considered as part of the registries' mission, though that may change with new technologies like CRISP.
  • A follow-up question was asked about the RIRs meeting the requirements of an informational RFC concerning security for RPSL systems. Ray Plzak responded that, with regard to that particular RFC, ARIN has not; he didn't believe RIPE NCC had and wasn't sure about APNIC; AFRINIC has not because they are just now developing a routing registry; and LACNIC doesn't have one set up. Andrei Robachevsky of RIPE NCC clarified that the RIPE NCC routing registry fully implements RFC 2725, which actually specifies security authentication for the routing registry. However, it only works for the address space and internal numbers assigned by the RIPE NCC.

Internet Governance Forum (IGF) Information

Speaker: Lynn St. Amour, Internet Society President and CEO

Presentation: PDF

Lynn St. Amour provided a presentation on developments around the Internet Governance Forum activities. She started by offering an overview of the WSIS events and activities that led to the current situation, and then segued into an explanation of what the goals of the forum are, and the key concerns for the RIR communities going forward.

  • IGF's mandate states that the Forum should be a place for "multi-stakeholder policy dialogue." Its mandate is for five years: Greece in 2006, Brazil 2007, India 2008, Egypt 2009, and the location for 2010 has not yet been determined.
  • The IGF is led by Nitin Desai, a representative of the United Nations Secretary General (UNSG). The IGF Advisory Group (AG) is appointed by the UNSG, and is comprised of 47 representatives of business, government, civil society, and the technical (Internet) community. The IGF AG's role to date has been to assist in drafting the agenda, propose speakers, and address logistics.
  • She outlined what ISOC believes are criteria for success in the IGF efforts, and noted that these criteria can realistically be met.
  • Lynn went on to provide information about the IGF meeting in Athens, Greece, taking place 30 October - 2 November.
  • The meeting in Athens will likely be a test case for future meetings, and the following meeting in Brazil during 2007 may very well be different.
  • While attention needs to be paid to this process, the IGF is but one component of Internet governance activities.
Discussion Overview [Transcript]
  • The question was raised about whether there had been any impact assessments on possible outcomes of this process. Lynn St. Amour replied that, at this point, many people would say nothing will happen. She went on to say that the need for the IGF and the UN to balance any possible recommendations or outcomes against the willingness of countries and organizations to agree will probably limit negative outcomes. She added that a minimum positive outcome would occur even if the IGF ends up being nothing more than an opportunity to increase communication and education on the issues of importance to our community.

NRO NC Report

Speaker: Martin Hannigan, NRO NC Member from the ARIN Region

Presentation: PDF

Martin Hannigan provided a report on the activities of the ICANN Address Supporting Organization Address Council (ASO AC) / Number Resource Organization Number Council (NRO NC). He offered information on how the ASO AC operates, what its duties are, and offered some statistics on the participation of the ASO AC representatives from the five RIR regions.

  • Sandy George was unanimously re-appointed to the ICANN NomCom for another 1-year term.
  • The Global Policy for the allocation of IPv6 address space from the IANA to the RIRs was certified by the ASO AC to have followed the correct procedures and forwarded to the ICANN Board, where it was then ratified.
  • Created procedure for processing global policy proposals.
  • There was an election of a Director for seat 10 on the ICANN Board, which Dave Wodelet won.
  • Face-to-face meeting in Sao Paulo, Brazil will involve planning for 2007 activities.

There were no questions or comments from the floor.

APNIC Cert Demo

Speaker: Geoff Huston, APNIC Chief Scientist

Presentation: PDF

Geoff Huston presented a progress report on APNIC's trial of resource certification. He began by highlighting some recent comments from the ARIN Public Policy Mailing List that touched on the issue of authenticating address prefixes. He then went on to discuss what the goal of resource certification is, and some of the motivation behind this effort.

  • At APNIC, the Resource Certificate Trial used X.509 v3 Public Key Certificates (RFC3280) with IP address and ASN extensions (RFC3779).
  • This involved the design of a certification framework, anchored on the IP resource distribution function.
  • Geoff then provided an overview of how this trial worked, what was involved, how this could be expanded out to the wider community, and what it could be used for.
  • He then provided a demonstration of how this works in terms of user interaction with both signing certificates for resources and then the validation of those certificates.
  • The presentation concluded with information on what work remains and what needs to be done to move forward.
Discussion Overview [Transcript]
  • In the use of these certificates, if someone is starting with just an IP address that is in their routing table, how can they validate the route for it? Do they have to go to an IRR to get that information? Geoff Huston responded that without secure BGP, you would go to an IRR. And assuming that people sign whatever they publish, if the IRR has an object and it's signed, there would be a certificate that could be used to validate.
  • An attendee asked if one could take ARIN's collection of templates for the direct allocation and assignments and sign them all and produce certificates? Geoff Huston replied that in the trial, they have been using that style of information and generating trial certificates, but that may be cutting across a few corners in terms of due diligence, because once you have those certificates any further issuance can be certified cleanly. The certification of a history is an issue, and that's part of this evaluation -- determining how much work it is to certify what we've done in the past versus what we're going to do in the future. A follow-up question, about having some record in the template about AS origination and whether that could be used to produce a route origination, was asked. Geoff replied that in this model, the route origination authority would require no other form of validation other than the certificate chain, and that the route origination would be signed by the ISP, not ARIN.
  • A question about the legal implications of issuing these certificates was raised. Geoff Huston replied that there is still much work to be done in that area and that it is being looked into.
  • An attendee asked how this work related to what's proposed in policy proposal 2006-3. Specifically, will that work lead into this, or is that essentially a separate track? Geoff Huston replied that he didn't believe they would be tightly related. In a follow-up, it was explained that the original question was not based so much on a technical relationship between the two approaches, but on how ARIN is treating this work versus what is proposed in proposal 2006-3. Ray Plzak responded that ARIN's involvement at this point is that the Board of Trustees has decided that the RIRs should have something that works interchangeably between them in this area, and so development work would produce something that we could all use if we chose to.
  • The issue of it not being a good idea to use past data, which is known to be flawed, to authenticate resources was raised. Applying this idea to resources given out going forward is easy; going backward is not.
  • An attendee asked how many certificates would be involved in certifying or validating the advertisement in BGP for an average advertiser of a prefix. Geoff Huston responded that he had done a quick scan across BGP updates over 14 days, and just looking at origination validation, around 88-percent of all BGP updates have been seen before in the previous 36 hours and sometime in the previous 1,000 prefix updates. This implies a certain repetition from second to second, and he believes the whole validation issue is being vastly inflated without true data -- it's not going to be as big a problem as many people make it out to be.
  • An attendee asked how people could assist in this effort. Geoff Huston replied that the URL presented with the slides is where the group that is working on this have put their thoughts so far, and if you'd like to take a look, reading through this would be a good place to start and the team would be interested in hearing feedback. Also, Geoff stated he believed ARIN and the other RIRs will actually be doing their own evaluations of this, and providing feedback to them at that time would also help.

CRISP Status

Speaker: Tim Christensen, ARIN System Architect

Presentation: PDF

Tim Christensen provided a report and update on activities surrounding the Cross-Registry Information Service Protocol (CRISP). After making his presentation, he was asked to provide a short overview of what CRISP is and what it would mean for ARIN to work on this.

  • From the IETF's view, most of the CRISP working group goals and milestones are complete, with work remaining on the IESG review of schema element specification drafts and a Domain Availability Check (dchk) Registry Type for the Internet Registry Information Service (IRIS).
  • RIPE NCC and LACNIC have been working in this area, but there's been no development at AFRINIC, APNIC, or ARIN.
  • Questions for the community:
    • Is the ARIN community interested in CRISP?
    • Should ARIN develop a prototype?
Discussion Overview [Transcript]
  • After Tim Christensen's presentation, the questions presented were asked of the attendees. Due to the results of that hand count, it was suggested that perhaps more information needed to be provided to the community before it could make a decision. Tim provided an overview, and Mark Kosters provided more details, namely that CRISP is based in XML, includes an authentication mechanism to provide access control, and is capable of truly multilingual output.
  • An attendee stated that they thought this was a good idea, and that he had been using LACNIC's WHOIS service primarily because no matter what IP address is submitted, it goes to whatever RIR is authoritative for that record. Also, the ability to provide access control would answer many of the current issues about what data to make public or private.
  • Ray Plzak added that this is not a trivial issue for ARIN and that it will be continually looked at and likely will be presented for additional discussion in the future. At this time a request was made to re-poll the room on the questions put forward in the presentation.
  • It was suggested that everyone start thinking about the issue of access control and how this would actually be implemented and what possible impacts there would be.

WHOIS By the Numbers

Speaker: Leo Bicknell, Harrah's Entertainment

Presentation: PDF

Leo Bicknell provided a presentation on analysis he had undertaken on the data provided in WHOIS, specifically his attempt to find the actual scope of records involved with several WHOIS issues including residential customer privacy.

  • When discussing policy that affects WHOIS, speakers will often base their opinion on what they believe to be in WHOIS. Actual numbers are almost never used and most speakers seem to believe that other organizations put similar data into WHOIS as their own organization.
  • All analysis was done on a data set retrieved on 2 May 2006. ARIN came into existence on 22 December 1997, and data with dates prior to that came from other sources. Also, no data is included from RWhois servers, though some simple analysis of the availability of RWhois data was done.
  • Within WHOIS data, 97-percent of the records are from SWIP, and 95.5-percent of the organizations in the data are also from SWIP.
  • In regard to missing or incomplete data, some records do not contain all fields, as the fields may be optional, or may have been added making them absent from earlier records. In addition, historical data may have never been recorded, or may have been lost. Records from the period of ARIN starting operations to current day are more complete than earlier records, and ARIN consistently includes the information it is responsible for, as opposed to information provided by the holder of the resource.
  • In regard to RWhois, there are 377 organization records that list referral servers, but only 346 actual different RWhois servers are listed. In testing simple accessibility, only 59-percent actually accepted a connection.
  • Some information, notably within e-mail addresses, is obviously incorrect even though the records are marked as having been updated recently. In regard to postal addresses, he stated that he was unable to find a way to easily validate these addresses. Though such services exist, there is usually a fee, and with more than a million records, this simply was not feasible. Any assistance in this would be appreciated.
  • An analysis of the impact of the implementation of policy proposal 2003-3 dealing with residential customer privacy was provided. Roughly 50-percent of new records created after the implementation of this policy are marked as private residence; this currently equals approximately 186,000 records, with additional records existing with this designation that were created before the policy went into effect.
  • Additional analysis of the records not marked as private shows that many have the exact same postal address, often that of a local ISP office. For example, a single address in San Francisco is listed for 104,000 records.
  • There are 294,000 total records listed as private residential customers, and 232,000 that are listed with the ISP's address, using just the top 10 streets most commonly listed. 284,000 of these records appear to be parented by SBC, making them responsible for 97-percent of the 2003-3 compliant records.
  • The issue of what a record can indicate about a specific individual was addressed, with an example of using no other information but a name, submitting it to a search engine, and finding postal addresses and other information. There are 195 different countries represented in the data, but most don't have many records, with the US accounting for 94-percent.
  • Among the top ten zip codes, most are SBC records, which shows they are providing more specific records than virtually anyone else.
Discussion Overview [Transcript]
  • An attendee asked for clarification if the decision to make a record private was usually left up to the ISP. Leo Bicknell replied that yes, though there are cases where the ISP allows a customer to request it.
  • An attendee asked if it was correct that if your organization is a cable provider and you're just giving someone a single IP address, you do not have to submit that via SWIP. The attendee went on to explain that is why many providers are not providing this information. Leo Bicknell replied that was correct, and the intention was not to imply that anyone was doing anything wrong or against policy, merely that SBC feels they need to SWIP everything and pretty much no one else does.
  • An attendee asked what the data would look like if you stripped out all the pre-ARIN data. Leo Bicknell responded that with IPv6, obviously no difference as that didn't exist prior to ARIN. With IPv4, if you go by the registration date, 5-percent of the information is pre-ARIN, and if you go by the last modified date, it would give you 3- to 5-percent.
  • An attendee raised the issue of several records marked as private obviously being businesses, and how that reconciled with the idea of protecting residential customers. Leo Bicknell replied that, going through the records, that seemed to be a common occurrence and was something that might need to be considered.
  • An attendee asked how we can determine, with all the data that is submitted via SWIP, what should receive resource certificates and what shouldn't. Leo Bicknell stated that in the model he believed Geoff Huston proposed, it would be up to the people who got the resources to decide that.
  • Dave Barger, of SBC, spoke as a representative of the company that figured prominently in the presentation. He pointed out that the data submitted by SBC reflects its corporate policy, which in turn is driven by customer demand. He also thanked Leo Bicknell for making the presentation, and for putting actual numbers out for discussion. He added that on the issue of businesses being listed as private residences, SBC's internal policies do not allow this, but with the load of data being provided, this information is not automatically vetted and that he and his team try and fix those instances they can find as time and resources allow.

Harmonization of RIR Practices

Speaker: Leslie Nobile, ARIN Director of Registration Services

Presentation: PDF

Leslie Nobile presented on the issue of whether the Regional Internet Registries (RIRs) should harmonize their allocation periods.

  • An allocation period is the length of time defined by policy used to determine the appropriate amount of IP address space a requesting organization needs to sustain its operations for that entire time.
  • There is currently a disparity in allocation periods across regions, though the RIR system was set up to allow allocation policies to address the divergent needs of different regions.
  • Allocation periods are:
    • ARIN – 3 or 6 months
    • LACNIC – 3 months initial/1 year subsequent
    • APNIC – 1 year
    • AFRINIC – 2 years
    • RIPE NCC – 2 years
  • Discussions on this issue are taking place in the LACNIC, RIPE NCC, and AFRINIC regions.
  • Leslie then presented some common perceptions about the impact and fairness of various allocation periods, stating that she was not aware of enough supporting evidence to say if they are true or false, and was interested in hearing feedback from the community.
Discussion Overview [Transcript]
  • An attendee mentioned that while she thought the presentation was geared more toward IPv4, this was also an important issue for IPv6. There needs to be guidance on this, not only for registries giving address space to ISPs, but for ISPs giving address space to their customers. A question was asked in response, seeking clarification about whether the issue was not being able to get larger than a /32 for an initial allocation in IPv6. The attendee's response was that this indeed was the issue and that they had been working with ARIN to determine how much aggregated space was needed to cover their current infrastructure and how much they'll need going forward.
  • An attendee stated that the basic problem is that if you get enough address space to cover the customers you currently have and you want to do aggregation to your internal routing table, and keep it small, you need to have extra space at each level of aggregation so that customers can grow into that space over time. Over time, this makes any sort of decent internal aggregation difficult. Another attendee responded that they had run into a similar problem, but used the multiple discrete networks policy to essentially get space for two separate networks.
  • An attendee stated that he believed it would be a good idea for there to be parity between ARIN's policy and the policy that it requires ISPs to meet internally, as otherwise it creates a desire for organizations to come to ARIN directly when they really shouldn't.
  • An attendee pointed out that there are other differences in policy from region to region that really affect how people get address space.
  • The issue of what will happen as address space gets more scarce in IPv4 was raised, and the question of whether or not this would cause some sort of arms race between the RIRs to get space was posed.
  • It was stated that as an ISP, it's easier for my customers if my policies are in harmony with my next upstream, which in my case is ARIN, and if other RIRs mirrored that - if they all came into harmony, it would make things easier as you go further downstream. Another attendee stated that they believe just the opposite, and that it would be impossible to come up with a global allocation period that would please everyone.

2006-1: Residential Customer Privacy

Speaker: Samuel Weiler, Proposal Author

Introduction: PDF
Presentation: PDF

Ray Plzak presented an introduction to the proposal. Highlights included:

  • Advisory Council shepherds: Marla Azinger and Paul Andersen
  • Introduced on PPML on 18 January 06, designated as a formal policy on 26 January 06. This was first discussed at ARIN XVII. No revisions have been made since then
  • Presentation of Staff Impact Analysis, Legal Review, Staff Comments, and overview of PPML discussion activity. [see presentation and transcript links above for details]

Sam Weiler, as the proposal author, continued with the presentation of the proposal. He stated his motivation in bringing the policy proposal forward originally, described the changes it was intended to implement, offered a review of the discussion at ARIN XVII, and covered some of the discussion since then about the proposal.

Discussion Overview [Transcript]
  • An attendee spoke in opposition to this proposal, citing a previous offer to assist in revising the text, and the author's refusal to change the proposal to provide partial zip codes, even after the attendee's organization provided data and actively sought a compromise on the proposal language. Other attendees also voiced opposition, stating the partial zip code was a reasonable compromise, and that those instances where a person was still identifiable were very, very small.
  • An attendee spoke in favor of the proposal as he believed it would help improve the integrity of the data available through WHOIS. He also offered the suggestion that if this policy is approved and implemented, the option is available as a checkbox, so that the representation that this is a private record is kept consistent throughout WHOIS.
  • A question was put forward about whether the option currently existed to SWIP, for example, a /20 as a block for DSL customers, and then SWIP a portion of that, say a /29, as a private residence. Leslie Nobile responded that was currently allowed. The attendee who posed the question stated that this should be a best practice today, but that a policy along those lines would be useful.
  • An attendee voiced support of the proposal, stating that current policy doesn't meet the privacy needs of end-users, and that law enforcement can still get the information from the appropriate ISP or upstream provider, though that may require a court order.
  • Clarification on a portion of the policy was sought, specifically the precise enforcement method for the following statement: "Each private downstream residential customer assignment must have accurate upstream abuse and technical POC visible to the WHOIS record for that block." Sam Weiler responded that was the text that was in the existing policy. John Curran asked that the discussion focus on the changes that this proposal would introduce and not on existing language.
  • An attendee spoke in opposition to the proposal, stating that she disagreed that it would make the data cleaner and that it goes too far in the wrong direction. It would be better to have a narrower special-case policy to cover the one person in the one zip code town than to have this broad policy covering everybody. In reply to this, and to the earlier statement in opposition based on the author not being willing to change the text, Sam Weiler stated that he thought the proposals to simply shorten the zip codes did not adequately address privacy concerns and that he was not willing to incorporate those changes. An attendee suggested perhaps listing the closest large town's zip code, and Sam Weiler responded that this still reduces customer privacy and he would need to see exact language to make a determination, but that he might be amenable to that change if the solution were not considered overly complex.
  • An attendee spoke in favor of the proposal, stating that within the historical context of WHOIS usage, the idea that WHOIS data has been fully and publicly available is a myth. For most of the lifetime of the Internet, access to this data was restricted by technological capability. We might want to consider if there are reasons that are good enough to continue with the current default assumptions on this data being public.
  • An attendee from the Federal Bureau of Investigation spoke in opposition to the proposal, citing the possible hindrance of law enforcement efforts.
  • On the issue of the implementation of the original 2003-3 residential customer privacy policy being faulty or incorrect, some attendees disputed that the way the policy was implemented was at odds with the direction from the community, and stated that the intent at the time was to specifically keep in the city, state, and zip code information.
  • It was pointed out by an attendee that there were actually two distinct issues here and that they needed to be addressed separately. Specifically, the regulation of what data an organization provides to ARIN about a reassignment and the regulation of what data ARIN publishes in WHOIS are separate issues and confusing them would be a mistake. ARIN staff were asked to state why ARIN believes it needs this information. Ray Plzak responded that he would have Leslie Nobile respond directly to that question, but would first add that additional information on this topic was provided to the community in a recent posting on PPML and that if necessary, a formal letter could be prepared and sent out. Leslie Nobile replied to the question that staff had revised their assessment of this proposal, and that when ISPs report the actual reassignment, ARIN doesn't need a lot of data at that time. Essentially, ARIN's need comes into play when that organization comes back for additional resources: ARIN needs to know exactly who the customers are, needs to be able to audit that information, and verify it before we can issue additional resources. In addition, there are other policies that require the collection of that information by ARIN. The community decided that everyone needs to show reassignment information on a regular basis to get additional space.
  • Steve Ryan, as ARIN Counsel, spoke of two cases where ARIN is currently utilizing this sort of data. In one case a person trying to transfer resources has been convicted of a crime related to the use of the resources. In response to a grand jury subpoena, ARIN is using that utilization data. In another case, in looking at the utilization data, ARIN staff couldn't verify the information and that caused us to believe the original application for resources was fraudulent. Steve stated that these were examples of why ARIN needs this information on an on-going basis.
  • An attendee stated opposition to the proposal on the grounds that a more reasonable proposal that differentiated between the data that ARIN collects and what it publishes could be easily drafted.
  • An attendee spoke in opposition to the proposal, based on the belief that it represented a short-term solution to a problem that would be better addressed by the IRIS/CRISP work being done.
  • An attendee stated that this proposal, if implemented, would severely hurt the core research efforts her organization is involved in.
End of Discussion:

John Curran took a straw poll to determine the sense of the room. After the tally was conducted, John stated that this information would be provided to the Advisory Council for use in their deliberations.

Open Microphone

Moderator: John Curran, ARIN Chairman of the Board


[see transcript link above for details]

  • Leo Bicknell stated that, based upon his experience in pulling together the information for his presentation on the WHOIS data, he would suggest a different format for Bulk WHOIS, possibly SQL Insert statements that could be loaded easily, or any other machine-friendly format.
  • In light of proposals that remained unchanged between ARIN XVII and this meeting, an attendee suggested that the issue of bringing forward unchanged proposals be addressed. Scott Bradner responded that procedures exist for the Advisory Council to decide to abandon a proposal and a petition process exists for the author to overcome that decision. Issues with how this could be carried out in different instances were raised by other attendees. John Curran added that the default behavior is to try and move proposals forward, and that there exists a risk in dismissing out of hand proposals that have not changed. Another attendee suggested that perhaps if an issue keeps getting brought up without resolution, perhaps there should be a process change that would introduce a one- or two-year pause in the discussion before the subject can be broached again. John Curran responded that the determination to continue forward with a proposal or abandon it is up to the Advisory Council, and that the petition process exists as a safeguard in case there is still community support for something that was abandoned. He added that in the case today, whether there was change or not in the proposal, people were educated by the discussion and as a result we may end up with a proposal that does move forward.
  • An attendee spoke of a concern that 2006-1 was unfairly dismissed by the perceptions of attendees unrelated to the actual content of the proposal. Another attendee seconded this concern, and John Curran explained that this issue could be re-opened if there was consensus in the room to do so. There was not consensus to re-open the consideration of proposal 2006-1.
  • An attendee stated that other attendees should clearly state who they are really working for as that indicates where their biases may be. In addition, the attendee asked for a show of hands on whether there was sufficient interest in working on some proposal in the residential customer privacy area. Another question was suggested by a different attendee who was looking for the number of people in the room interested in defining the purpose of WHOIS. Additional comments on the exact wording of the questions were offered.
  • John Curran posed the question of who in the room would be interested in work being done on residential end-site privacy. There was some support among attendees that work should continue on a policy for residential end-site privacy.

Closing Announcements and Adjournment

Speaker: Ray Plzak, ARIN President and CEO


Ray Plzak made closing announcements, including thanking the network connectivity sponsor SAVVIS, Inc, and the Center for the Application of Information Technology (CAIT) at Washington University in St. Louis' School of Engineering and Applied Science for its partial sponsorship of the Cyber Café. In addition, thanks were also given to Cisco for its sponsorship of the "Networking with IPv6" workshop held on Sunday for both ARIN and NANOG attendees and to Internet2 for its support of some of the webcast. Ray concluded by reminding the attendees about the Members Meeting starting the next morning and adjourned the Public Policy Meeting.