North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Questions about populating RIR with customer information.

  • From: James Hess
  • Date: Thu Aug 02 06:25:37 2007
  • Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=o/spfo0+xiy/I6LU0n8/294S4EE9ogNNlCeRccVjhqohlH6nOpLX8/0yzqYoEcyX40Y7Yumj9OJk/7SBNCWHR0M1rf0YwD5uNfNtcXZG7/IbOYAQohFaUorh/6cPT5OdmsER3iBJTJ/NSpHYG9MS/m7YcZ75XwSH/e5+qRhAIfo=
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=M8u3Lz5o/YyFcyX3f7qCYuYWHJ6d0foPXOei5keoyMZfXNBqTvpIVdEUQyl7880AjXtnkR+j+4y9bMsLOfRvKZT8pU87+wEmKDcjMuM0ao+SEWuaSYcavulGe2kCSpbNWRrw0IeO+xD0SyGCxIBHntnWqh+RucCFOJF18cxqM04=
On 8/1/07, Drew Weaver <[email protected] > wrote:

       Most of our customers are co-location and dedicated hosting customers and we are simply unsure whether or not there are implications (legal or otherwise) in publishing our customer data in a public RIR database.
 
I would urge against publishing information about a customer in a WHOIS entry
without discussing it with that customer first.

WHOIS entries can be made without violating anyone's privacy, just be sure you get all
necessary verifiable permission; don't just automatically publish information you have
already gathered for internal purposes, when it wasn't previously your policy to publish
the information.
 
It is up to you as ISP to get the contact information  that the customer wants published 
in WHOIS (maybe it's different from contact information they would use for
other matters), at the time re-assignment of the ip addresses is being made,
 
And make sure they know that the listing is going to be publicly viewable.
 
You do have the option of refusing to sign up or renew a customer if they fail to provide
good contact information for publication in WHOIS or fail to provide the necessary
permission.
 
 
I suggest you carefully read the policy manual of your applicable RIR.
With regard to when you create SWIP or RWHOIS records, and what exactly you
put in them.

In the ARIN region, whenever an ISP re-assigns a /29 block or larger to a customer, in
addition to maintaining documentation of the justification for assignment of the address(es)
to the user,  the ISP is already be required/supposed to publish that re-assignment is (as
a matter of RIR policy) in SWIP or RWHOIS.

See more here: http://www.arin.net/policy/nrpm.html#four2372
 
And it's a good idea to allow people who need a contact for abuse from a machine to go to
the party responsibility over it, first, before having to bother you, a provider they
happen to be using.
 
 
Note that ARIN has a "Residential Customer Privacy" policy; for residential customers it is
legitimate to substitute the name in your WHOIS response with "Private Customer"
and "Private Residence" in place of street address.
 
So I would say there IS some precedant for such a replacement of contact information.

You need to check your particular RIR's policy manual to determine whether it is
an acceptable practice in your region, to mask contact information for the particular
type of customer.

--
-J