On Thu, 23 Sep 2004, Leo Bicknell wrote:
In a message written on Thu, Sep 23, 2004 at 05:56:42PM -0400, Joe Abley wrote:
The proposal (which comes from APNIC members, not from APNIC staff) concerns non-portable addresses assigned to end-users. I don't know about anybody else, but I've never had any luck getting a response from people in that category anyway; it's invariably the upstream ISPs who respond (if anybody does), and there is no suggestion that their contact details will be able to be hidden.
There are several proposals in various stages before ARIN and RIPE about this same issue. APNIC simply beat everyone to the punch, but most of the other groups are going down the same path.
Going down the path does not mean it'll happen.
The interesting case brought by several providers is that some residential DSL providers are now assigning /29's to end users to support multiple boxes. In some cases these additional boxes are service provider boxes to provide value-add services (think, a voice or video gateway box). This creates the very real situation where "grandma" is now published in whois.
"grandma" doesn't like the spam, doesn't want to be listed (she already has an unlisted phone number) and even if her machine is owned and spewing forth spam contacting her is just going to result in confusion. To that end the service provider would like to not list her, protect her privacy, and when people query have only their block and contact show up so they can field the call and either block her port, or have a (hopefully more helpful) customer service person help her clean her infected machine or whatever.
For ARIN, in case of grandma or any other residentual customer, there exist "residential customer privacy" policy, so her name need not be listed.
Generally the people who actually work abuse all have a similar report: end user assignments in whois are worthless. End users fall into one of two catagories:
1) "grandma", where contacting her is going to get you nowhere because they don't know what you're talking about.
2) An abuser (spammer, ddoser, whatever). These people either won't respond, or will respond but take no action, in both cases hoping to string you along and make you either go away, or at least buy some more time while they tie you up dealing with them.
Because of this most of the people dealing with abuse are already ignoring end user contact information and going straight to the upstream ISP anyway.
This is not the same thing. What we're talking about is not the record itself but who is listed as point of contact. And for most small records the person is not listed as point of contact, the ISP is. But info about actual customer still makes it possible to correlate multiple cases of abuse together and it is more difficult for spammers to run from one ISP to another.
This brings us to why these proposals are getting traction in all the RIR's. Spending thousands of hours maintaining data that many (most? nearly all?) of the users say is useless is silly.
But the proposals to hide the information do not change any of that, ISPs are still REQUIRED to provide all the same information to RIR they can just hide it from the public.
Chicken and egg, or egg and chicken? I'm not really sure. That said, the current rules basically ensure that at some point in the future, when everyone needs a /29, everyone on the planet will be listed in whois.
That I don't like either. I think ARIN database is overpopulated by otheless small records and this is a problem both for ARIN and for those tyring to use the data. But NOT ALL the records are useless and if we simply let ISPs not report anything at all, this is even worth. I actually do have proposal to make on this issue that will: 1. Reduce amount of data in arin whois by not requirying ISPs to report each small allocatoin and assignment 2. Keeps data about all small residential and small-business customers private out of whois (these represent 90% of all assignments) 3. Still keeps records that allow to determine general geographical location of service (for those of us mapping the net) 4. Still keeps records for almost all the types of cases where abuse and spam does happen. I'll now take this to ppml for further discussion. I don't have a concrete proposal text, but basic set of ideas that can be worked on further. --- William Leibzon Elan Networks william@elan.net