Privacy, Broadband, & the Database

  I've tried to sort some of the various aspects/expectations.
  Lets see....

=>   It depends on the level of "responsibility" and functionality granted to
=>   and exercised by that end site. As I've said in a private mail already,
=>   we should ask the question about the usefulness of "assigning" (in the
=>   good old sense) very small amounts of addresses to sites which are tied
=>   in to the services of their provider anyway. I guess most of the ADSL,
=>   dial-up, cable-TV connection assignments sh/could be reviewed from that
=>   point of view.
=
=The name and address info in the RIPE database needs to contain the
=person (or organisation) responsible for a certain amount of IP space,
=in my opinion.
=
=So, if an ISP wants to be responsible for the IP space it hands out to
=customers, then the ISP should be free to fill in their own name and
=address. This gives ISPs the freedom to fill the RIPE db with names
=and addresses of customers (that saves them the hassle of dealing with
=for example abuse coming from that site), or putting their own name
=in it (meaning they have to respond actively to for example abuse reports,
=which is the ISP's job anyway).

  1) IP-Addresses are taken from a globally unique pool. Thus the global
     Internet community expects to have access to publicly accessible
     registry data to query the status (unassigned/reserved - allocated -
     assigned) for a particular address or address block or other unique
     resource.
     
  2) The contact information listed for the individual resource serves 
     2 purposes:

     a) it offers info to get in contact with a human being to resolve
        connectivity problems (IP or application layer) between end sites

     b) it offers info to get in touch with a human being in case of
        operational problems that have an unwanted impact on the
	performance or security of networks other than the source of the
	problem (routing issues, spam, abuse).
	
  Ref: 1:
  While I still think that the open availability of that info is essential
  for the responsible and continued operation of the Internet, it can be
  argued whether contact info to get in touch with a human being has to be
  publicly available.
  
  In the long run, we probably have to deal with the authorities in one
  way or another (on a national and international level), to get the
  existence and maintainance of such a global registry recognized and
  endorsed.
  
  Ref: 2)a):
  While "we" certainly have become comfortable with the notion of being
  able to "talk" to everyone who is on the net (to resolve operational
  problems for our own applications or customers), we might have to let
  go here - and also to openly tell *our* customers, that we cannot help
  in case of problems when the "other end" opts to remain anonymous (by
  requesting contact info to be suppressed or, better yet, not to be
  collected at all).
  
  Ref: 2)b):
  I think it is
  - as much a resonable expectation held by all people and sites and
    backbones on the net that their network(s) can be protected against
    misuse (proactively), or that any incidents can be resolved quickly
    and easily,

  - as it might be reasonable to request anonymity on the net for end
    sites.

  I guess we have similar situations in real life, where there is a
  conflict of expectations and interests between the individual and the
  community, like
  . license plates on vehicles to follow up on violation of rules,
  . a public registry for real estate ownership to settle ownership claims
  . or to track down the owners in case the patch of land becomes a source
    of danger or nuisance for neighbours,
  . registries for companies, their legal representatives and financial
    backing (which many would certainly prefer not to disclose :-)
  . registries for the address of citizens in case they do not live up to
    contractual obligations
    
  So, would we be better off by following up on our "IRT-pointer" proposal
  and then offer the alternative to supply
  - *either* the end users's contact information
  - *or* the contact information for an IRT that has accepted
    responsibility for the operational use of that resource? In most
    cases, and for small end-user sites, this would be ISP staff, anyway.
    
  Having a certain resource listed in the registry without any contact
  information (neither individual contact nor IRT/ISP contact) should be
  seen as a _strong_ hint to exercise strong care in dealing with that
  site - by applying whatever means available to minimize the impact of
  misconfiguration and/or attacks originating from those sites.

  This could indeed limit the usefulness of those resources on a global
  scale, much like you are allowed to obtain and drive a vehicle without
  registration and thus without a license plate on private property -
  but this vehicle gets filtered or blocked on any public road :-)

  Comments?
  
  Wilfried.
 _________________________________:_____________________________________
  Wilfried Woeber                 : e-mail: Woeber at CC.UniVie.ac.at
  UniVie Computer Center - ACOnet : Tel: +43 1 4277 - 140 33
  Universitaetsstrasse 7          : Fax: +43 1 4277 - 9 140
  A-1010 Vienna, Austria, Europe  : RIPE-DB: WW144, PGP keyID 0xF0ACB369
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~