[address-policy-wg] Clarification of policy requirements for contact information

At my current job we have a single Org object and a shared mntner object,
and each employee within the network group has their own person and
mntner objects to avoid sharing passwords and for auditability.  As is
obvious, this can grow quite quickly even for a small LIR.  LIR person
accounts all use the same HQ address and phone information.

I am *also* an end-user, as I have a few PI allocations issued to my
natural person and not to my employer.  So I have a separate person and
mntner objects for that.

I am generally comfortable with the groups I have a contract with
having my home address and my home phone number.  (to spell it out, my
Sponsoring-LIR, and RIPE NCC).  I am *not* happy for that data to be
published widely on the internet, so I have censored them on purpose
(with a reference that the sponsoring-lir has my actual contact details).
The email address does get delivered to me.

(as a side note: I would like to join RIPE as a LIR, but are not willing
to have my home address publicized so I have not done so.)


Concrete suggestion:
I think that person objects should have the address and phone attributes
be changed from mandatory to optional.

It may also be worthwhile for there to be a *private* way to register
addresses with RIPE NCC so they can use it for verification without
violating the privacy of natural persons.

-peter


On 2019 Apr 09 (Tue) at 08:46:55 +0000 (+0000), Kennedy, James via address-policy-wg wrote:
:Hi everyone,
:For those not already aware of recent discussions on the topic, there is an ever increasing need primarily for network operators and others running the internet, but also CSIRTs, certain governmental bodies, LEAs and more to have contact details for IP networks correct at all times in the RIPE database.
:
:This is actually required by RIPE policy and is one of the database’s fundamental missions but as flagged during the RIPE77 meeting, on the RIPE mailing lists and felt daily by those managing IP networks it is clear that improvements are very much needed to help contact registration accuracy and ease of maintenance.
:•       Community members have questioned the reliability of the RIPE database today – Whois has been described as “broken”, “a horrible mess”, even “should be gotten rid of”
:•       +2M PERSON objects were found in the database though the number of LIRs is less than 22K
:•       The increasing amount of contact data has become more difficult for operators to manage, which also puts IP number resources at risk of hijacks and even deregistration
:•       The RIPE NCC is challenged with contacting and validating IP network holders, with additional pressure stemming from the growing monetary value of IP resources
:
:It is our responsibility as the RIPE community to build and implement improvements as and when needed. To echo Hans Petter’s comment during the RIPE NCC Services WG at RIPE77 – we made the mess, we must clean it up!
:
:Rather than just mandating the RIPE NCC to perform validation exercises on 2M PERSON objects, we would like to start by re-evaluating exactly what contact info the community actually wants in the database and then consider if the current RIPE policies sufficiently reflects this. Please see Denis’ mail below for contact detail references in current policies.
:
:So we ask the community – please can you please tell us what contact info do you want to see in the RIPE database? Do it differ per type of IP network user – LIRs and PA/PI End Users, orgs and individuals (sole trader or residential), 3rd parties managing IP resources on behalf of an LIR/org/individual, etc.?
:
:Regards,
:James
:
:
:From: address-policy-wg [mailto:address-policy-wg-bounces at ripe.net] On Behalf Of ripedenis--- via address-policy-wg
:Sent: 22 March 2019 11:00
:To: address-policy-wg at ripe.net
:Subject: [address-policy-wg] Clarification of policy requirements for contact information
:
:Colleagues,
:
:Elvis, James and myself have started talking about personal data in the RIPE Database. I said we would bring sub issues to the community when we need direction or clarification. We looked at three policy documents maintained by AP-WG and have a few questions.
:
:Before we look at WHERE and HOW the data is stored, we would like to get community feedback on exactly WHAT contact details should be published as per current policies?
:
:Below are the quotes and links to the 3 policy documents we looked at.
:
:cheers
:denis
:co-chair DB-WG
:
:
:In the "IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service Region" (ripe-708) [1] first mention about contact data is 4.0:
:
:"4.0 Registration Requirements
:
:All assignments and allocations must be registered in the RIPE Database. This is necessary to ensure uniqueness and to support network operations.
:
:Only allocations and assignments registered in the RIPE Database are considered valid. Registration of objects in the database is the final step in making an allocation or assignment. Registration data (range, contact information, status etc.) must be correct at all times (i.e. they have to be maintained)."
:
:and then in 6.2:
:
:"6.2 Network Infrastructure and End User Networks
:
:IP addresses used solely for the connection of an End User to a service provider (e.g. point-to-point links) are considered part of the service provider's infrastructure. These addresses do not have to be registered with the End User's contact details but can be registered as part of the service provider's internal infrastructure. When an End User has a network using public address space this must be registered separately with the contact details of the End User. Where the End User is an individual rather than an organisation, the contact information of the service provider may be substituted for the End Users.
:
:[...]"
:
:In the "IPv6 Address Allocation and Assignment Policy" (ripe-707) [2] the requirement is even more vague in 3.3:
:
:"3.3. Registration
:
:Internet address space must be registered in a registry database accessible to appropriate members of the Internet community. This is necessary to ensure the uniqueness of each Internet address and to provide reference information for Internet troubleshooting at all levels, ranging from all RIRs and IRs to End Users.
:
:The goal of registration should be applied within the context of reasonable privacy considerations and applicable laws."
:
:The "Autonomous System (AS) Number Assignment Policies" [3] does not mention anything about contact data requirements.
:
:[1] https://www.ripe.net/publications/docs/ripe-708
:[2] https://www.ripe.net/publications/docs/ripe-707
:[3] https://www.ripe.net/publications/docs/ripe-679
:
:

-- 
Flugg's Law:
	When you need to knock on wood is when you realize that the
	world is composed of vinyl, naugahyde and aluminum.