[98303] in North American Network Operators' Group
Re: Questions about populating RIR with customer information.
daemon@ATHENA.MIT.EDU (James Hess)
Thu Aug 2 06:23:29 2007
Date: Thu, 2 Aug 2007 05:21:16 -0500
From: "James Hess" <mysidia@gmail.com>
To: "Drew Weaver" <drew.weaver@thenap.com>
Cc: "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <B7152C470C9BF3448ED33F16A75D81C14D04152A29@exchanga.thenap.com>
Errors-To: owner-nanog@merit.edu
On 8/1/07, Drew Weaver <drew.weaver@thenap.com> wrote:
>
> Most of our customers are co-location and dedicated hosting
> customers and we are simply unsure whether or not there are implications
> (legal or otherwise) in publishing our customer data in a public RIR
> database.

I would urge against publishing information about a customer in a WHOIS entry without discussing it with that customer first.

WHOIS entries can be made without violating anyone's privacy, just be sure you get all necessary verifiable permission; don't just automatically publish information you have already gathered for internal purposes, when it wasn't previously your policy to publish the information.

It is up to you as ISP to get the contact information that the customer wants published in WHOIS (maybe it's different from contact information they would use for other matters), at the time re-assignment of the IP addresses is being made, and make sure they know that the listing is going to be publicly viewable.

You do have the option of refusing to sign up or renew a customer if they fail to provide good contact information for publication in WHOIS or fail to provide the necessary permission.

I suggest you carefully read the policy manual of your applicable RIR with regard to when you create SWIP or RWHOIS records, and what exactly you put in them.

In the ARIN region, whenever an ISP re-assigns a /29 block or larger to a customer, in addition to maintaining documentation of the justification for assignment of the address(es) to the user, the ISP is already required/supposed to publish that re-assignment (as a matter of RIR policy) in SWIP or RWHOIS.

See more here: http://www.arin.net/policy/nrpm.html#four2372

And it's a good idea to allow people who need a contact for abuse from a machine to go to the party with responsibility over it, first, before having to bother you, a provider they happen to be using.

Note that ARIN has a "Residential Customer Privacy" policy; for residential customers it is legitimate to substitute the name in your WHOIS response with "Private Customer" and "Private Residence" in place of street address.

So I would say there IS some precedent for such a replacement of contact information.

You need to check your particular RIR's policy manual to determine whether it is an acceptable practice in your region, to mask contact information for the particular type of customer.

--
-J