RIPE Autonomous System Numbers
A few questions, if you don't mind...
Given some arbitrary record which is stored within the RIPE WHOIS data base, such as an organization (ORG-*) record or a record for a number resource, such as an AS, how can I determine the date on which that record was created? Do I just look for the earliest date found in any of the associated changed: fields?
Given an AS number, issued within the RIPE region, how can I find the identity of the associated LIR? Is the identity of the associated LIR provided by the sponsoring-org: field of the WHOIS record for the AS?
What sorts of credentials or bona fides must or should applicants who are requesting AS number allocations provide to the RIPE LIR which processes the request(s)?
Has any AS number allocation, issued within the RIPE region, ever been revoked without the consent of the registrant of that allocation? If so, which ones? And in those cases, what policies and/or procedures were used or followed during the revocation process? Are these policies and/or procedures written down someplace, or are they entirely ad hoc?
Ronald,
I've raised this with the NCC and asked them to prepare an answer to these questions as I feel they fall within their purview.
Hopefully they will be able to get back to you soon.
Brian
Ronald F. Guilmette wrote, On 01/11/2014 03:52:
A few questions, if you don't mind...
Given some arbitrary record which is stored within the RIPE WHOIS data base, such as an organization (ORG-*) record or a record for a number resource, such as an AS, how can I determine the date on which that record was created? Do I just look for the earliest date found in any of the associated changed: fields?
Given an AS number, issued within the RIPE region, how can I find the identity of the associated LIR? Is the identity of the associated LIR provided by the sponsoring-org: field of the WHOIS record for the AS?
What sorts of credentials or bona fides must or should applicants who are requesting AS number allocations provide to the RIPE LIR which processes the request(s)?
Has any AS number allocation, issued within the RIPE region, ever been revoked without the consent of the registrant of that allocation? If so, which ones? And in those cases, what policies and/or procedures were used or followed during the revocation process? Are these policies and/or procedures written down someplace, or are they entirely ad hoc?
In message <5458EB47.5000901@heanet.ie>, you wrote:
Ronald,
I've raised this with the NCC and asked them to prepare an answer to these questions as I feel they fall within their purview.
Hopefully they will be able to get back to you soon.
Brian
Ronald F. Guilmette wrote, On 01/11/2014 03:52:
A few questions, if you don't mind...
Given some arbitrary record which is stored within the RIPE WHOIS data base, such as an organization (ORG-*) record or a record for a number resource, such as an AS, how can I determine the date on which that record was created? Do I just look for the earliest date found in any of the associated changed: fields?
Just to make sure I'm clear... No one on this list knows the answer, even to the above trivial question?
Given an AS number, issued within the RIPE region, how can I find the identity of the associated LIR? Is the identity of the associated LIR provided by the sponsoring-org: field of the WHOIS record for the AS?
Same again. I am rather astonished that not a single person within a group focused on dealing with network abuse issues within the RIPE region can even say how to find the LIR that issued a given AS. Does no one, other than me, ever even get curious about such things?
What sorts of credentials or bona fides must or should applicants who are requesting AS number allocations provide to the RIPE LIR which processes the request(s)?
Same comments as above.
Has any AS number allocation, issued within the RIPE region, ever been revoked without the consent of the registrant of that allocation? If so, which ones? And in those cases, what policies and/or procedures were used or followed during the revocation process? Are these policies and/or procedures written down someplace, or are they entirely ad hoc?
Someone did write to me, off-list, with a semi-response to the above, informing me that ``details'' of RIPE investigations are non-public. I should probably have clarified that I wasn't asking for any specific details about any specific case. I asked, in the first instance, if any AS allocation had ever been revoked. That's a yes/no question, and one which I thought would have been easy to answer, particularly by members of a group focused on network abuse issues. But if all of these questions can only be answered by the NCC, then I guess that's the way it is, and I thank you for forwarding my queries to them.
On Tue, Nov 04, 2014 at 11:16:44AM -0800, Ronald F. Guilmette wrote:
A few questions, if you don't mind...
Given some arbitrary record which is stored within the RIPE WHOIS data base, such as an organization (ORG-*) record or a record for a number resource, such as an AS, how can I determine the date on which that record was created? Do I just look for the earliest date found in any of the associated changed: fields?
Just to make sure I'm clear... No one on this list knows the answer, even to the above trivial question?
Or no one cares/wants to answer "above trivial question". My advice is - check the --list-versions description plus latest updates from the db-wg.
Best regards,
Piotr
--
gucio -> Piotr Strzyżewski
E-mail: Piotr.Strzyzewski@polsl.pl
Dear Ronald, I will try to answer some of your questions. Others may correct me if I am wrong.
I've raised this with the NCC and asked them to prepare an answer to these questions as I feel they fall within their purview.
Hopefully they will be able to get back to you soon.
Brian
Ronald F. Guilmette wrote, On 01/11/2014 03:52:
A few questions, if you don't mind...
Given some arbitrary record which is stored within the RIPE WHOIS data base, such as an organization (ORG-*) record or a record for a number resource, such as an AS, how can I determine the date on which that record was created? Do I just look for the earliest date found in any of the associated changed: fields?
Just to make sure I'm clear... No one on this list knows the answer, even to the above trivial question?
I guess there is no good answer to this. As far as I can tell, you have no means to find out when an object was first added to the database (i.e. created). The earliest changed: field usually gives you only an upper limit (i.e. the object is most probably not younger than that date). You can also look at the historical data of the object, see https://labs.ripe.net/Members/kranjbar/proposal-to-display-history-of-object... however, this does not necessarily help either. As far as I know, the RIPE NCC, however, in a given case, could tell you exactly when the given object was created. There are, however, plans to introduce new attributes (created: and last-modified:) that would replace the (rather useless) changed: attribute.
Given an AS number, issued within the RIPE region, how can I find the identity of the associated LIR? Is the identity of the associated LIR provided by the sponsoring-org: field of the WHOIS record for the AS?
Same again. I am rather astonished that not a single person within a group focused on dealing with network abuse issues within the RIPE region can even say how to find the LIR that issued a given AS.
This is probably due to the fact that there is no such data available in the database. You can make some assumptions, but these may be wrong in some cases. The sponsoring-org: is probably not what you are looking for, as it only says which LIR is currently taking care of this resource. A question comes to my mind, however, why do you care about who issued a given AS? I would think that from an abuse point of view who _uses_ the AS is much more relevant. I hope this helps.
Does no one, other than me, ever even get curious about such things?
This is not necessarily the case. However, as I pointed out, there are some data that at present cannot be retrieved from the database.
Best regards,
Janos
What sorts of credentials or bona fides must or should applicants who are requesting AS number allocations provide to the RIPE LIR which processes the request(s)?
Same comments as above.
Has any AS number allocation, issued within the RIPE region, ever been revoked without the consent of the registrant of that allocation? If so, which ones? And in those cases, what policies and/or procedures were used or followed during the revocation process? Are these policies and/or procedures written down someplace, or are they entirely ad hoc?
Someone did write to me, off-list, with a semi-response to the above, informing me that ``details'' of RIPE investigations are non-public. I should probably have clarified that I wasn't asking for any specific details about any specific case. I asked, in the first instance, if any AS allocation had ever been revoked. That's a yes/no question, and one which I thought would have been easy to answer, particularly by members of a group focused on network abuse issues.
But if all of these questions can only be answered by the NCC, then I guess that's the way it is, and I thank you for forwarding my queries to them.
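The point made in the reply above, that the earliest changed: date is only a bound on an object's age and that sponsoring-org: names the LIR currently responsible rather than an issuer, can be applied mechanically to WHOIS output. The following is an added example, not part of the original thread or of any RIPE tooling; the function names, the sample object and its identifiers are constructed, and the YYYYMMDD date form is assumed from the changed: line in the record quoted later in this thread.

```python
from datetime import datetime

def parse_rpsl(text):
    """Parse one RPSL object into an ordered list of (attribute, value) pairs."""
    attrs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue  # blank line or server comment
        if line[0] in " \t+":
            # Continuation line: the value of the previous attribute goes on.
            if attrs:
                name, value = attrs[-1]
                extra = line[1:].split("#", 1)[0].strip()
                attrs[-1] = (name, (value + " " + extra).strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        # Drop end-of-line comments such as "# Filtered".
        attrs.append((name.strip().lower(), value.split("#", 1)[0].strip()))
    return attrs

def changed_dates(attrs):
    """Return every parseable date from changed: attributes, sorted ascending."""
    dates = []
    for name, value in attrs:
        if name != "changed":
            continue
        parts = value.split()
        # Expected shape: "<e-mail> <YYYYMMDD>"; skip entries without a date.
        if len(parts) < 2 or len(parts[-1]) != 8 or not parts[-1].isdigit():
            continue
        try:
            dates.append(datetime.strptime(parts[-1], "%Y%m%d").date())
        except ValueError:
            continue  # eight digits, but not a calendar date
    return sorted(dates)

def creation_evidence(text):
    """Summarise what a single WHOIS object can say about its own age."""
    attrs = parse_rpsl(text)
    dates = changed_dates(attrs)

    def first(key):
        return next((v for n, v in attrs if n == key), None)

    return {
        "object": attrs[0] if attrs else None,
        # Raw value of a created: attribute if the object carries one
        # (only planned at the time of the thread; format not assumed here).
        "created": first("created"),
        # Earliest changed: date. Per the thread this is only a probable
        # bound: the object most likely already existed on this date, but
        # maintainers can edit or delete changed: lines.
        "created_no_later_than": dates[0] if dates else None,
        "latest_changed": dates[-1] if dates else None,
        # The LIR currently responsible for the resource, not an "issuer".
        "sponsoring_org": first("sponsoring-org"),
    }

# Constructed sample object. AS64496 is a documentation ASN (RFC 5398);
# the ORG and maintainer identifiers are placeholders.
SAMPLE = """\
% Constructed sample, not a real RIPE Database object.
aut-num:        AS64496
as-name:        EXAMPLE-AS
descr:          Example network
                second line of description
org:            ORG-PLACEHOLDER1-RIPE
sponsoring-org: ORG-PLACEHOLDER2-RIPE
mnt-by:         EXAMPLE-MNT
changed:        hostmaster@example.net 20130814
changed:        noc@example.net 20090302
changed:        noc@example.net
source:         RIPE # Filtered
"""

if __name__ == "__main__":
    for key, value in creation_evidence(SAMPLE).items():
        print(f"{key}: {value}")
```
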
In message <5459613B.6010604@iszt.hu>, Janos Zsako <zsako@iszt.hu> wrote:
I will try to answer some of your questions.
Thank you.
Given some arbitrary record which is stored within the RIPE WHOIS data base, such as an organization (ORG-*) record or a record for a number resource, such as an AS, how can I determine the date on which that record was created? Do I just look for the earliest date found in any of the associated changed: fields? ... I guess there is no good answer to this. As far as I can tell, you have no means to find out when an object was first added to the database (i.e. created). The earliest changed: field usually gives you only an upper limit (i.e. the object is most probably not younger than that date).
You can also look at the historical data of the object, see https://labs.ripe.net/Members/kranjbar/proposal-to-display-history-of-object... in-ripe-database however, this does not necessarily help either.
As far as I know, the RIPE NCC, however, in a given case, could tell you exactly when the given object was created.
Thanks, but that begs the question... What exactly do you mean by "case" in this context? (I _had_ vaguely hoped that I might be able to do at least some very modest and very preliminary investigation of some fishy goings on, *without* having to initiate a full blown and formal legal proceeding in order to do so. But it is looking more and more as if RIPE NCC is not making available even some very basic types of information... e.g. age... about the objects in its data base. Over here on this side of the pond, we have a name for this. It's called "hiding the ball.")
There are, however, plans to introduce new attributes (created: and last-modified:) that would replace the (rather useless) changed: attribute.
That will be helpful. (Of course, it will be even more helpful if those things actually make their debut within my lifetime.)
Same again. I am rather astonished that not a single person within a group focused on dealing with network abuse issues within the RIPE region can even say how to find the LIR that issued a given AS.
This is probably due to the fact that there is no such data available in the database. You can make some assumptions, but these may be wrong
So there is no trace... no chain of documentation on how an AS got to be an AS. Is that correct? Is that really what you are telling me? (Where I live, it is necessary to obtain a formal written license from the state, even if all you want to do is to cut people's hair in exchange for money. And the relevant documents get filed, in triplicate, and are available for public inspection in Sacramento. Given what we all know these days about the kind of damage that can be caused, throughout the world, and for millions of people and companies, e.g. by a "rogue" AS operator, I remain both stunned and mystified that in the RIPE region, no documentation is available on how a given AS came to be.)
A question comes to my mind, however, why do you care about who issued a given AS? I would think that from an abuse point of view who _uses_ the AS is much more relevant.
The answer to the question in the first sentence just above is contained in the second sentence just above. I want to know who registered a given AS. And I would like to know how they demonstrated that they were indeed who they said they were (and/or I'd like to know if the LIR even bothered to check). Remember, I also asked this:
What sorts of credentials or bona fides must or should applicants who are requesting AS number allocations provide to the RIPE LIR which processes the request(s)?
At the present moment, it appears to me that a drunken one-eyed sailor can simply show up in the offices of certain LIRs in certain European cities, claim to have lost his wallet, driver's license, birth certificate, and all other forms of identification, and then can ask for his own AS, which will be awarded to him on the spot, and without any of those silly annoying questions of the kind those stupid impolite Americans are in the habit of asking... like for instance who he actually is or whether or not he had ever been convicted of murdering anyone. Alternatively, if you call in to the right LIR(s) and simply pretend to be some famous big-name movie star who is well known within the country in question, then in deference to your status, they will give you your AS, no questions asked... and none of that annoying paperwork stuff. Regards, rfg P.S. I _would_ just simply ask RIPE NCC for the info I'm seeking, but past experience suggests to me that if I did that, their first response would most probably be to start to grill _me_, e.g. asking me who I am and why I want to know. Then in the end, they would go off and do their own sooper sekrit investigation, and never tell me a single blessed thing.
I thought it was more like "we will set up a shell company by paying some random guy in a bar drinking money to use his ID and register one". At least if we're talking of a certain European country with LIRs known for handing out /14s earlier, smaller but still significant IP blocks now, to some "high volume email deployers" among others.
Most of what you ask is, I suspect, doable if people decide to forget that "we're not the internet police" trope. And if there's more active participation from the security and abuse handling side of various RIPE members rather than just their network and DNS people.
--srs
On Wed, 5 Nov 2014 at 06:07 Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <5459613B.6010604@iszt.hu>, Janos Zsako <zsako@iszt.hu> wrote:
I will try to answer some of your questions.
Thank you.
Given some arbitrary record which is stored within the RIPE WHOIS data base, such as an organization (ORG-*) record or a record for a number resource, such as an AS, how can I determine the date on which that record was created? Do I just look for the earliest date found in any of the associated changed: fields? ... I guess there is no good answer to this. As far as I can tell, you have no means to find out when an object was first added to the database (i.e. created). The earliest changed: field usually gives you only an upper limit (i.e. the object is most probably not younger than that date).
You can also look at the historical data of the object, see https://labs.ripe.net/Members/kranjbar/proposal-to-display-history-of-objects-in-ripe-database however, this does not necessarily help either.
As far as I know, the RIPE NCC, however, in a given case, could tell you exactly when the given object was created.
Thanks, but that begs the question... What exactly do you mean by "case" in this context?
(I _had_ vaguely hoped that I might be able to do at least some very modest and very preliminary investigation of some fishy goings on, *without* having to initiate a full blown and formal legal proceeding in order to do so. But it is looking more and more as if RIPE NCC is not making available even some very basic types of information... e.g. age... about the objects in its data base. Over here on this side of the pond, we have a name for this. It's called "hiding the ball.")
There are, however, plans to introduce new attributes (created: and last-modified:) that would replace the (rather useless) changed: attribute.
That will be helpful.
(Of course, it will be even more helpful if those things actually make their debut within my lifetime.)
Same again. I am rather astonished that not a single person within a group focused on dealing with network abuse issues within the RIPE region can even say how to find the LIR that issued a given AS.
This is probably due to the fact that there is no such data available in the database. You can make some assumptions, but these may be wrong
So there is no trace... no chain of documentation on how an AS got to be an AS. Is that correct? Is that really what you are telling me?
(Where I live, it is necessary to obtain a formal written license from the state, even if all you want to do is to cut people's hair in exchange for money. And the relevant documents get filed, in triplicate, and are available for public inspection in Sacramento. Given what we all know these days about the kind of damage that can be caused, throughout the world, and for millions of people and companies, e.g. by a "rogue" AS operator, I remain both stunned and mystified that in the RIPE region, no documentation is available on how a given AS came to be.)
A question comes to my mind, however, why do you care about who issued a given AS? I would think that from an abuse point of view who _uses_ the AS is much more relevant.
The answer to the question in the first sentence just above is contained in the second sentence just above.
I want to know who registered a given AS. And I would like to know how they demonstrated that they were indeed who they said they were (and/or I'd like to know if the LIR even bothered to check).
Remember, I also asked this:
What sorts of credentials or bona fides must or should applicants who are requesting AS number allocations provide to the RIPE LIR which processes the request(s)?
At the present moment, it appears to me that a drunken one-eyed sailor can simply show up in the offices of certain LIRs in certain European cities, claim to have lost his wallet, driver's license, birth certificate, and all other forms of identification, and then can ask for his own AS, which will be awarded to him on the spot, and without any of those silly annoying questions of the kind those stupid impolite Americans are in the habit of asking... like for instance who he actually is or whether or not he had ever been convicted of murdering anyone.
Alternatively, if you call in to the right LIR(s) and simply pretend to be some famous big-name movie star who is well known within the country in question, then in deference to your status, they will give you your AS, no questions asked... and none of that annoying paperwork stuff.
Regards, rfg
P.S. I _would_ just simply ask RIPE NCC for the info I'm seeking, but past experience suggests to me that if I did that, their first response would most probably be to start to grill _me_, e.g. asking me who I am and why I want to know. Then in the end, they would go off and do their own sooper sekrit investigation, and never tell me a single blessed thing.
In message <CAArzuouDzB-NMyL4DoU-D704zT5G+c9ApoNmH4frCjDB7NPttw@mail.gmail.com> Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Most of what you ask is, I suspect, doable...
Huh?? I am genuinely puzzled. What did I ask? I didn't ask anybody to _do_ anything. At least nothing other than to tell me how to find certain bits of unarguably useful information (which apparently aren't available to mere mortals... I am guessing by design, since it wouldn't exactly be rocket surgery to add them into the WHOIS responses). I don't have a big agenda to make the world safe for democracy here or anything like that. I already know many of the reasons why THAT ain't gonna happen. But my innate curiosity does cause me to at least want to know who the outright crooks are, and who the screw-ups are who let them onto the Internet, and when. I feel that everyone has a right to this information, not to punish, but to protect ourselves from the bad guys and also maybe from the dopes who, wittingly or otherwise, help them.
Hi, On Tue, Nov 04, 2014 at 07:12:34PM -0800, Ronald F. Guilmette wrote:
bits of unarguably useful information (which apparently aren't available to mere mortals... I am guessing by design, since it wouldn't exactly be rocket surgery to add them into the WHOIS responses).
All of this (both publication of the sponsoring LIR and the creation and modification date of an object) is being worked on as we speak. Changing the output of the RIPE DB is not something being done lightly as people's programs use that information and might be upset if new fields appear - so there's an implementation plan, timeline, advance warning, and so on.
What already appeared is the historical information "which versions of this object exist in the database, when has it been changed, and what is the difference between version X and Y".
Gert Doering -- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen, Tel: +49 (0)89/32356-444
Vorstand: Sebastian v. Bomhard
Aufsichtsratsvors.: A. Grundner-Culemann
HRB: 136055 (AG Muenchen)
USt-IdNr.: DE813185279
In message <20141105144541.GX31092@Space.Net>, Gert Doering <gert@space.net> wrote:
On Tue, Nov 04, 2014 at 07:12:34PM -0800, Ronald F. Guilmette wrote:
bits of unarguably useful information (which apparently aren't available to mere mortals... I am guessing by design, since it wouldn't exactly be rocket surgery to add them into the WHOIS responses).
All of this (both publication of the sponsoring LIR and the creation and modification date of an object) is being worked on as we speak.
Thank you. I am very pleased to hear this, and look forward to the completion of this project. Regards, rfg
On Tue, Nov 04, 2014 at 04:37:13PM -0800, Ronald F. Guilmette wrote:
Same again. I am rather astonished that not a single person within a group focused on dealing with network abuse issues within the RIPE region can even say how to find the LIR that issued a given AS.
That is because LIRs do not "issue" (or assign) ASN resources. Had you bothered to read http://www.ripe.net/ripe/docs/ripe-525 and http://www.ripe.net/ripe/docs/ripe-452 , you would be closer to an understanding of the process to assign ASN resources to end-users.
So there is no trace... no chain of documentation on how an AS got to be an AS. Is that correct? Is that really what you are telling me?
It is not. There is a contract for every independent resource assigned after -525 came into force and when Phase 3 is completed, there will be contracts for legacy ASN/PI resources also. These contracts are confidential and not public information. On this side of the pond, we call it "data protection" and it is the law.
I want to know who registered a given AS. And I would like to know how they demonstrated that they were indeed who they said they were (and/or I'd like to know if the LIR even bothered to check).
Remember, I also asked this:
What sorts of credentials or bona fides must or should applicants who are requesting AS number allocations provide to the RIPE LIR which processes the request(s)?
This is laid down in http://www.ripe.net/ripe/docs/ripe-556 rgds, Sascha Luck
In message <20141105063836.GB58573@cilantro.c4inet.net>, Sascha Luck <lists-ripe@c4inet.net> wrote:
So there is no trace... no chain of documentation on how an AS got to be an AS. Is that correct? Is that really what you are telling me?
It is not. There is a contract for every independent resource assigned after -525 came into force and when Phase 3 is completed, there will be contracts for legacy ASN/PI resources also. These contracts are confidential and not public information. On this side of the pond, we call it "data protection" and it is the law.
I admit to being eager to be further educated, by you and/or others, about the law of which you speak, and especially how it may relate to the disbursement, or lack thereof, of various bits of information held by RIPE NCC.
As a result of your response, I've already tried to educate myself, at least a little bit, about the subject of "data protection" regulation within the EU. I began here, and started reading:
http://en.wikipedia.org/wiki/Data_Protection_Directive
Of course, I don't take anything appearing in Wikipedia as being the absolute correct and final word on any subject, so perhaps, since you know about the law you have referred to... at least presumably a bit better than this ignorant American, who has never had to deal with it or live under it... perhaps you can explain one or two small points which are still eluding me.
To begin with, I noticed this within the above Wikipedia page:
Scope
Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject");...
I am assuming that, in this context, "natural person" has the same meaning on both your side of the pond and mine, i.e. a carbon-based life form, and an entity composed of flesh and blood. Does that term have that meaning also within the EU?
Assuming, just for the sake of argument, that it does, I am wondering how the EU data protection law applies to the particular sorts of entities that typically register ASNs within the EU. I'll just pick one at random, for the purposes of example... let's say the AS from which you sent the e-mail message to which I am now responding, AS47720.
It appears from the RIPE data base record for AS47720... a record which I believe is generally available, without restriction, to the public at large on all parts of planet earth, and in some cases perhaps even beyond... that the entity that registered AS47720 is known as, or wishes to be known as "Chip Electronic Services Limited".
So, um, using that as just an arbitrary, but perhaps representative example of the kinds of entities that might typically register ASNs with RIPE NCC, and assuming that this entity is not in fact a "natural person", per se... at least as I understand that term... I am left rather befuddled, because Wikipedia seems to say that EU data protection only applies to "natural persons" and yet it seems that you just asserted the opposite, i.e. that the registrant of AS47720... or of any arbitrary AS for that matter... is entitled to have its name and, perhaps more importantly, any and all other identifying details protected under EU data protection regulations.
So, um, which view is correct? Do EU data protection regulations apply to all European entities, natural or otherwise, as it seems you have said? Or do they in fact only apply to natural persons, as Wikipedia says? If the latter, then it remains unclear why... as you seem to have asserted... "{all} contracts {with RIPE} are confidential and not public information". Do EU data protection regulations prevent RIPE from being open and transparent with respect to the contracts which it has entered into with things which are not "natural persons", e.g. Chip Electronic Services Limited?
Well, leaving that aside for the moment, even if, as I believe you have correctly stated, RIPE, which is resident within the EU and which deals with EU data, is obligated to obey EU data protection directives... either for all entities it has data on or only the natural ones... I do confess that I am still terrifically puzzled by your assertion that RIPE is somehow obligated to keep *everything* secret. I am puzzled by that assertion for the simple reason that it seems self evident that in fact RIPE does not do so.
Even though RIPE is clearly subject to EU data protection regulations, I, here in the United States, just now had no trouble at all fetching from the RIPE data base the following record, which, I believe, contains some very specific types of "protected" information relating to _both_ a legal (business) entity _and_ also to a protected "natural person":
=========================================================================
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Information related to 'JS6689-RIPE'
person: Jerry Sweeney
address: Cork Internet Exchange Hollyhill Ind. Estate Cork, Ireland
e-mail: js@cix.ie
phone: +353 21 4854300
nic-hdl: JS6689-RIPE
mnt-by: MNT-CIX
changed: sascha@cix.ie 20100622
source: RIPE
% This query was served by the RIPE Database Query Service version 1.75 (DB-1)
=========================================================================
So, as I say, I am perplexed. You tell me that RIPE has a legal obligation to protect secrecy/privacy, and I _do_ believe you. The several online articles I've read on the subject this evening are all quite clear that this is indeed correct. Nonetheless, the clear evidence which is right before my eyes (and which is reproduced just above) would seem to indicate that it, RIPE NCC, has found some legally tenable way around these draconian EU privacy regulations. If it had not, then how was it able to send me the above data base record without some humorless unforgiving EU data protection commissar coming down on them like the proverbial ton of bricks?
And if, as would seem to be the case, RIPE *has* indeed found a legally viable way to be transparent about certain things... e.g. the entries in its data base... even while still remaining within bounds of EU data protection regulations... then why can it not do so also with respect to all those contracts that it signs with things which are not natural persons?
I do look forward to being enlightened on both of the above points.
Regards, rfg
P.S. I learned something relevant today. The web-based WHOIS service for the .EU TLD _will_ show the user full contact details for any domain which is registered by something other than a natural person. Those details are however suppressed, selectively, in the WHOIS output, but only in cases where the registrant is a natural person.
Anyway, the point is that the operators of the .EU registry seem to have mastered this dichotomy... between "natural" and other-than-natural registrants... and to have done so within the EU data protection legal framework, even while being as transparent as possible. Is there some specific reason that I am not aware of why RIPE cannot do likewise?
On Wed, Nov 05, 2014 at 01:31:04AM -0800, Ronald F. Guilmette wrote:
Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject");...
I am assuming that, in this context, "natural person" has the same meaning on both your side of the pond and mine, i.e. a carbon-based life form, and an entity composed of flesh and blood. Does that term have that meaning also within the EU?
You are probably right that the DPD only applies to natural persons, however natural persons also hold independent resources (I personally had both a PI assignment and an ASN at some stage)
% Information related to 'JS6689-RIPE'
So, as I say, I am perplexed. You tell me that RIPE has a legal obligation to protect secrecy/privacy, and I _do_ believe you. The several online articles I've read on the subject this evening are all quite clear that this is indeed correct. Nonetheless, the clear evidence which is right
I personally think that publishing "person" objects does indeed break the law, NCC Legal clearly disagrees. TTBOMK, this has never been tested in court. However, there is currently no requirement to have any other info than some contact info in this object, so data hygiene is clearly possible. (it also does not have to be "official" information)
And if, as would seem to be the case, RIPE *has* indeed found a legally viable way to be transparent about certain things... e.g. the entries in its data base... even while still remaining within bounds of EU data protection regulations... then why can it not do so also with respect to all those contracts that it signs with things which are not natural persons?
So there might not be an actual legal obligation to keep these contracts confidential. I'm not even sure now that the general LIR Service Contract (which states that all contractual information is confidential) applies in this case as (in case of a sponsoring LIR) it is not a contract that the NCC is a party to. In any case, this is for NCC Legal to answer, not for me. I'm not sure that the contract contains any relevant information, besides that which is published in the db already. Whatever pricing and other conditions were agreed is none of your business. Whatever documentation is used to verify ID is, in case of passport copies, etc, very much subject to the DPD; in case of registration documents, these are (usually) public information, there may be a copyright issue though as many authorities make these available, but not for free. In any case, I'm sure I'm not the only member whose idea of what we pay the NCC for is to be a resource registry, *not* an intelligence repository for curtain-twitchers and anyone who fancies themselves some kind of Internet Stasi. We already pay taxes for government agencies to be that. rgds, Sascha Luck
Ah, a Godwin on the other side, just to start with. Stasi are the new Hitler like orange is the new black? Right now Ronald is, in admittedly a rather roundabout way, talking about people who are running rings around your favorite 'resource registry' processes, such as they are, and leaving the rest of you very little v4 space that isn't irretrievably poisoned after a day or two of their using it. And yes, everybody is supposed to have switched to v6 over a decade back, funny how v4 manages to be so long lived. And as for arguments about let them register as much v6 as they want, there is plenty, remember that 'should be enough for everyone' attitude in the early days of v4? History, especially operational history, is out there for people to actually learn from it, not trot out stale tropes about Internet police and the stasi. On Nov 5, 2014 3:42 PM, "Sascha Luck" <lists-ripe@c4inet.net> wrote:
On Wed, Nov 05, 2014 at 01:31:04AM -0800, Ronald F. Guilmette wrote:
Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject");...
I am assuming that, in this context, "natural person" has the same meaning on both your side of the pond and mine, i.e. a carbon-based life form, and an entity composed of flesh and blood. Does that term have that meaning also within the EU?
You are probably right that the DPD only applies to natural persons, however natural persons also hold independent resources (I personally had both a PI assignment and an ASN at some stage)
% Information related to 'JS6689-RIPE'
So, as I say, I am perplexed. You tell me that RIPE has a legal obligation to protect secrecy/privacy, and I _do_ believe you. The several online articles I've read on the subject this evening are all quite clear that this is indeed correct. Nonetheless, the clear evidence which is right
I personally think that publishing "person" objects does indeed break the law, NCC Legal clearly disagrees. TTBOMK, this has never been tested in court. However, there is currently no requirement to have any other info than some contact info in this object, so data hygiene is clearly possible. (it also does not have to be "official" information)
And if, as would seem to be the case, RIPE *has* indeed found a legally viable way to be transparent about certain things... e.g. the entries in its data base... even while still remaining within bounds of EU data protection regulations... then why can it not do so also with respect to all those contracts that it signs with things which are not natural persons?
So there might not be an actual legal obligation to keep these contracts confidential. I'm not even sure now that the general LIR Service Contract (which states that all contractual information is confidential) applies in this case as (in case of a sponsoring LIR) it is not a contract that the NCC is a party to. In any case, this is for NCC Legal to answer, not for me.
I'm not sure that the contract contains any relevant information, besides that which is published in the db already. Whatever pricing and other conditions were agreed is none of your business.
Whatever documentation is used to verify ID is, in case of passport copies, etc, very much subject to the DPD; in case of registration documents, these are (usually) public information, there may be a copyright issue though as many authorities make these available, but not for free. In any case, I'm sure I'm not the only member whose idea of what we pay the NCC for is to be a resource registry, *not* an intelligence repository for curtain-twitchers and anyone who fancies themselves some kind of Internet Stasi. We already pay taxes for government agencies to be that. rgds, Sascha Luck
In message <CAArzuos3fjDeZ0XWktjGRCV=pMgiTcW6MQc+KAQeTbmFc5nVow@mail.gmail.com> Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
History, especially operational history, is out there for people to actually learn from it, not trot out stale tropes about Internet police and the stasi.
I thank Suresh for coming to my defense, if that is what he intended. But for the record let me also say that I am not at all offended, in the present context, to be equated to the hated Stasi of old. I recognize that there is a difficult balance between security on the one hand and privacy on the other, and that one man's defender of the public good is another man's loathsome Stasi agent, and vice versa. In fact, I'm more of a privacy advocate than some here might expect, and was myself greatly amused upon seeing on TV scenes of European protesters carrying satirical posters of Barack Obama with headphones, clearly reminiscent of the old Stasi listeners. (He richly deserved that, I think. And I say that as somebody who voted for the guy... twice.) To be clear, I detest what our NSA has done, both to us here in the US and also to the rest of the world. I believe it to be immoral, illegal, and downright criminal. The hair stands up on the back of my neck, and I get up on my hind legs and start screaming whenever someone reminds me that my own tax dollars have been used to collect the SMTP metadata for each e-mail I send... e-mails for which I believe I have... or had, anyway... a reasonable expectation of privacy, at least until Mr. Snowden came along and helpfully disabused me of that notion. I do however draw a distinction... as it seems you Europeans do... between gathering intelligence about individual natural persons for whom there is -zero- basis for any clearly articulatable suspicion, and gathering intelligence about relationships between -corporations- and more specifically about ones for which there _is_ a clearly articulatable basis for suspicion.
Also and separately, I believe that there should be complete transparency in the operations of, and relationships with any and all "public interest" organizations, and I personally would categorize RIPE, and all other RiRs, under that banner, even if a majority of the dues paying members would prefer it to be viewed strictly as a private commercial consortium, with no external or public responsibilities whatsoever. Regards, rfg
On Wed, Nov 05, 2014 at 04:00:42AM -0800, Ronald F. Guilmette wrote:
I do however draw a distinction... as it seems you Europeans do... between gathering intelligence about individual natural persons for whom there is -zero- basis for any clearly articulatable suspicion, and gathering intelligence about relationships between -corporations- and more specifically about ones for which there _is_ a clearly articulatable basis for suspicion. Also and separately, I believe that there should be complete transparency in the operations of, and relationships with any and all "public interest" organizations, and I personally would categorize RIPE, and all other RiRs, under that banner, even if a majority of the dues paying members would prefer it to be viewed strictly as a private commercial consortium, with no external or public responsibilities whatsoever.
I think this is a fundamental (if very common) misunderstanding that often happens with people from the US. For personal data: in the US, data belongs to whomever holds it. in the EU at least, data belongs to the subject of this data regardless of who holds it. And the owner of the data still determines how it is used (usually by agreement to T&C, outside of which propagation is forbidden). I've asked my lawyer and he is of the opinion that this does *not* apply to data regarding corporations. So, in theory, the NCC could publish the company registration number in whois, for what *that* is worth (it's public information anyway in most countries) rgds, Sascha Luck
In message <20141105101221.GC58573@cilantro.c4inet.net>, Sascha Luck <lists-ripe@c4inet.net> wrote:
You are probably right that the DPD only applies to natural persons,
Thank you.
however natural persons also hold independent resources (I personally had both a PI assignment and an ASN at some stage)
Yes, but is that the general rule, or is that the exceptional case? Do we want the tail to wag the dog?
% Information related to 'JS6689-RIPE'
So, as I say, I am perplexed. You tell me that RIPE has a legal obligation to protect secrecy/privacy, and I _do_ believe you. The several online articles I've read on the subject this evening are all quite clear that this is indeed correct. Nonetheless, the clear evidence which is right
I personally think that publishing "person" objects does indeed break the law, NCC Legal clearly disagrees.
It would seem so, and may God bless them for that. I am of the opinion that the net would fall apart at the seams in short order if the people who operate it, day in and day out, had no off-net way of contacting one another about problems.
TTBOMK, this has never been tested in court.
You say that as if it is a bad thing. Personally, I think it is great... terrific... that nobody has ever challenged RIPE on this in a courtroom. That fact alone tends to support the belief that the RIPE legal folks who have decided to allow WHOIS to continue to operate as it always has are in fact on a solid legal footing in doing so, or at the very least that the question presents such a level of complexity and ambiguity that nobody has been motivated to spend the kinds of sums that would be necessary to mount a legal challenge.
So there might not be an actual legal obligation to keep these contracts confidential.
No one could be happier to hear that than I.
In any case, this is for NCC Legal to answer, not for me.
I can only agree.
I'm not sure that the contract contains any relevant information, besides that which is published in the db already.
Well, I'm not so sure. Having read one or two of the RIPE documents I have been pointed at, I can say that it _seems_ that if you read between the lines, RIPE NCC will perform "due diligence"... a term which is left somewhat ill defined, but which, one hopes, means at least -some- kind of verification... at the time a resource allocation first occurs. Thereafter, it is up to the registrant to maintain the relevant WHOIS data, and all registrants are pledged to, and expected to do so in a way that causes the WHOIS data to always be accurate. But I did not get any clear sense that RIPE NCC would always and in all cases vet, or re-vet changes made by a registrant to a WHOIS record, post-allocation... and perhaps they routinely do not do so. This would leave open the door to deliberately malicious registrants who might provide all correct contact information initially, and then, a week or a month later, go in and scramble their WHOIS to make it point to something/someone entirely fictitious.
Whatever pricing and other conditions were agreed is none of your business.
I agree completely, and as should be obvious from the context of my questions, I really do not give a hoot about any of that anyway.
Whatever documentation is used to verify ID is, in case of passport copies, etc, very much subject to the DPD; in case of registration documents, these are (usually) public information
Registration documents for RIPE resources??? They are??? Where can I view those please? TIFFs will be fine, but PDFs will work for me too. (Many U.S. State level authorities do make available, via their web sites, actual TIFF images of original corporate registration documents. If RIPE is doing, or can do likewise, for resource registrants, I believe that might be most helpful, i.e. to the ongoing fight against network abuse.)
there may be a copyright issue though as many authorities make these available, but not for free.
I am willing to pay any price, bear any burden, etc., etc.
In any case, I'm sure I'm not the only member whose idea of what we pay the NCC for is to be a resource registry, *not* an intelligence repository
In order to insure the viability and success of the former mission, it may occasionally be helpful to also serve the latter one as well. If there are people out there... and there are... who are stealing other people's identities and/or number resources, does it not seem wise to gather as much data about those miscreants as possible, in order to protect the community from their misdeeds in the future? To be clear, I _do not_ want to bug their homes and/or offices, but anything that _corporations_ have _voluntarily_ given to RIPE should be fair game, and a matter of public record, I think. Regards, rfg P.S. While I do think that EU data protection regulation goes rather too far, I do nonetheless admire and applaud you folks in the EU for having the wisdom and good common sense to at least recognize the clear and overwhelming distinction between living, breathing people and corporations. Now, if only you Europeans could somehow find a way to impart that same simple understanding to our United States Supreme Court, quite a lot of people over here would be in your eternal debt for that.
On Wed, Nov 05, 2014 at 03:03:15AM -0800, Ronald F. Guilmette wrote:
Thereafter, it is up to the registrant to maintain the relevant WHOIS data, and all registrants are pledged to, and expected to do so in a way that causes the WHOIS data to always be accurate. But I did not get any clear sense that RIPE NCC would always and in all cases vet, or re-vet changes made by a registrant to a WHOIS record, post-allocation... and perhaps they routinely do not do so. This would
I don't think so. However, the "organisation:" object is maintained by the NCC and they will revert changes that don't agree with the documentation they have. (Actually has happened to me)
leave open the door to deliberately malicious registrants who might provide all correct contact information initially, and then, a week or a month later, go in and scramble their WHOIS to make it point to something/someone entirely fictitious.
Not possible AFAIK. You can put anything you want in role: and person: objects but the organisation: object is under NCC control. (and if you put fictional info in the objects that refers, you can be sanctioned up to de-registration of resources and closure if a LIR. (cf MoU and service terms)
Registration documents for RIPE resources??? They are??? Where can I view those please?
For corporations: At the appropriate national registrar-of-companies. Usually from their website, depends on the country though. The NCC requires those for the registration of independent resources (cf ripe-556) but I don't know whether they even keep them after checking. For natural persons I think you are out of luck.
In any case, I'm sure I'm not the only member whose idea of what we pay the NCC for is to be a resource registry, *not* an intelligence repository
To be clear, I _do not_ want to bug their homes and/or offices, but anything that _corporations_ have _voluntarily_ given to RIPE should be fair game, and a matter of public record, I think.
This information is not voluntary and given to the NCC on the understanding that it is confidential and used only to verify that a resource holder exists, be it a natural or legal person. It is certainly not "fair game". rgds, Sascha Luck
On Wed, Nov 05, 2014 at 03:03:15AM -0800, Ronald F. Guilmette wrote:
I personally think that publishing "person" objects does indeed break the law, NCC Legal clearly disagrees.
It would seem so, and may God bless them for that.
Actually, this is something I'd like to hear the "official" answer to, so let's ask the NCC: Having looked at some resources registered in the ripedb to natural persons and having found that the organisation: objects contain information such as full names, addresses and phone numbers, Assuming that this information is *required* to be there in order to be assigned independent resources, how does the uncontrolled publishing of that data possibly comply with the EU Data Protection Directive and imminent General Data Protection Regulation, especially considering the entirely uncontrolled transfer of such data to non-EU countries (whois lookups!)? IANAL, but to me it looks like a breach of said regulations. rgds, Sascha Luck
On 5 Nov 2014, at 16:20, Sascha Luck <lists-ripe@c4inet.net> wrote:
how does the uncontrolled publishing of that data possibly comply with the EU Data Protection Directive and imminent General Data Protection Regulation,
especially considering the entirely uncontrolled transfer of such data to non-EU countries (whois lookups!)?
IANAL, but to me it looks like a breach of said regulations.
Sascha, what matters here is how Dutch law enacts the EU directive and regulation and how the Dutch Data Protection Authority enforces that law(s). I would presume/expect the NCC's legal staff have already checked this or got expert advice. The NCC is already publishing Personal Data -- eg names and addresses for Contact Objects -- without violating Dutch/EU Data Protection and/or Privacy legislation. So I would assume that publishing Person Objects will be equally acceptable. My understanding is the issues around export of Personal Data apply to cases where the data are processed/controlled in a country that does not have a Data Protection regime or Safe Harbour provisions equivalent to the EU Directives and Regulations. Publishing whois data probably does not fall into that. IANAL either. Though I have dealt with whois issues, ICANN, Data Protection and far too many lawyers in a previous life. The scars have nearly healed.
On Wed, Nov 05, 2014 at 06:38:36AM +0000, Sascha Luck wrote:
On Tue, Nov 04, 2014 at 04:37:13PM -0800, Ronald F. Guilmette wrote: [...]
So there is no trace... no chain of documentation on how an AS got to be an AS. Is that correct? Is that really what you are telling me?
It is not. There is a contract for every independent resource assigned after -525 came into force and when Phase 3 is completed, there will be contracts for legacy ASN/PI resources also. These contracts are confidential and not public information. On this side of the pond, we call it "data protection" and it is the law.
But if the community perceives that the amount of information disclosed in the public database is not adequate to the needs (and I personally regretted to be unable to get the information that RFG is talking about, several times!), then new information could be supplied in the whois after asking for consent from the resource holder, no? So perhaps we can take this opportunity to discuss an extension of the data shown in the public whois. furio
On Wed, Nov 05, 2014 at 11:06:34AM +0100, furio ercolessi wrote:
On Wed, Nov 05, 2014 at 06:38:36AM +0000, Sascha Luck wrote:
On Tue, Nov 04, 2014 at 04:37:13PM -0800, Ronald F. Guilmette wrote: [...]
So there is no trace... no chain of documentation on how an AS got to be an AS. Is that correct? Is that really what you are telling me?
It is not. There is a contract for every independent resource assigned after -525 came into force and when Phase 3 is completed, there will be contracts for legacy ASN/PI resources also. These contracts are confidential and not public information. On this side of the pond, we call it "data protection" and it is the law.
But if the community perceives that the amount of information disclosed in the public database is not adequate to the needs (and I personally regretted to be unable to get the information that RFG is talking about, several times!), then new information could be supplied in the whois after asking for consent from the resource holder, no?
So perhaps we can take this opportunity to discuss an extension of the data shown in the public whois.
Have any of you ever considered making a policy proposal to change this? Piotr -- gucio -> Piotr Strzyżewski E-mail: Piotr.Strzyzewski@polsl.pl
On Wed, Nov 05, 2014 at 11:06:34AM +0100, furio ercolessi wrote:
several times!), then new information could be supplied in the whois after asking for consent from the resource holder, no ?
Which will not be forthcoming from *this* resource holder.
So perhaps we can take this opportunity to discuss an extension of the data shown in the public whois.
Not while this member pays membership fees. rgds, Sascha Luck
On Wed, November 5, 2014 11:14, Sascha Luck wrote:
On Wed, Nov 05, 2014 at 11:06:34AM +0100, furio ercolessi wrote:
several times!), then new information could be supplied in the whois after asking for consent from the resource holder, no ?
Anyone believing that those parties which can expect to become the target of Ronald-Style investigations would consent and supply the info? This is barking up the wrong tree (again). Wilfried
Which will not be forthcoming from *this* resource holder.
So perhaps we can take this opportunity to discuss an extension of the data shown in the public whois.
Not while this member pays membership fees.
rgds, Sascha Luck
On Wed, Nov 5, 2014 at 3:53 PM, Wilfried Wöber <wilfried.woeber@univie.ac.at> wrote:
Anyone believing that those parties which can expect to become the target of Ronald-Style investigations would consent and supply the info?
This is barking up the wrong tree (again).
No. But sometimes even faked whois can tell an interesting story. -- Suresh Ramasubramanian (ops.lists@gmail.com)
In message <CAArzuouHcofUOdnraOH_AbWYeoHXCE8rYVOVWJxJCHWhR6PQAA@mail.gmail.com> Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
On Wed, Nov 5, 2014 at 3:53 PM, Wilfried Wöber <wilfried.woeber@univie.ac.at> wrote:
Anyone believing that those parties which can expect to become the target of Ronald-Style investigations would consent and supply the info?
This is barking up the wrong tree (again).
No. But sometimes even faked whois can tell an interesting story.
And has indeed done so, time and time again, in my own personal experience. Regards, rfg P.S. As those of you who have seen the Ben Affleck movie "The Town" already know, if you see someone dressed as a nun, wearing a Halloween mask, heading into your local bank, be afraid. Be very afraid.
On Wed, Nov 05, 2014 at 10:14:42AM +0000, Sascha Luck wrote:
On Wed, Nov 05, 2014 at 11:06:34AM +0100, furio ercolessi wrote:
So perhaps we can take this opportunity to discuss an extension of the data shown in the public whois.
Not while this member pays membership fees.
I do not see how your membership status can affect the ability of people to discuss abuse-related topics in this working group. furio
On Wed, Nov 05, 2014 at 11:23:08AM +0100, furio ercolessi wrote:
Not while this member pays membership fees.
I do not see how your membership status can affect the ability of people to discuss abuse-related topics in this working group.
Apologies, this was supposed to be in reply to the post that wanted a policy proposal for this. Of course you can discuss anything you want. rgds, Sascha Luck
On Wed, Nov 5, 2014 at 6:02 PM, Sascha Luck <lists-ripe@c4inet.net> wrote:
Apologies, this was supposed to be in reply to the post that wanted a policy proposal for this. Of course you can discuss anything you want.
Sure. That includes policy proposals that furio may or may not propose. You are of course free to vote against it if you like. -- Suresh Ramasubramanian (ops.lists@gmail.com)
participants (10)
- Brian Nisbet
- furio ercolessi
- Gert Doering
- Janos Zsako
- Jim Reid
- Piotr Strzyzewski
- Ronald F. Guilmette
- Sascha Luck
- Suresh Ramasubramanian
- Wilfried Wöber