Squeezing IPs out of ARIN

Jack Bates jbates at brightok.net
Wed Apr 25 17:31:10 CDT 2012

This is the first time I've seen ARIN request actual individual names. 
I've had them requests SWIP and I've had them request exact user counts, 
and I generally get much larger allocations than what was being 
allocated. In addition, all their numbers matched up with all of my 
numbers and the allocated space matched what I had assigned them minus 1 
/24 (they had 5 /23's from me). After their initial renumber into the 
/21, they had to return to get the additional /24. They reorganized some 
networks to squeeze off the tenth /24.

On 4/25/2012 10:31 AM, Owen DeLong wrote:
> There is nothing whatsoever wrong with providing the information to 
> ARIN under NDA. ARIN provides a very good (IMHO) plain English mutual 
> NDA for just this purpose. What rational ethical ISP fails to include 
> a provision for this process in their TOS? 
Sure, and small ISP techs immediately think of NDAs when talking to 
ARIN. ARIN didn't suggest it. In addition, the entire "provide all this 
customer detail information" was overkill as well, given that the /21 
was justified without the last little bit of justification requiring 
customer names (or for that matter, the management equipment model/type 

>> I sometimes wonder what happens to that information; if it sits around in an archive somewhere in the vast digital repositories of ARIN awaiting someone to steal it.
> That's a very cynical view. I happen to know that ARIN takes the security of that data very seriously and I think they do a good job of protecting it. If you have any reason to believe otherwise, I invite you to offer some form of substantiation to support such a claim.
I would like to assume they do a good job protecting the data (although 
I have no proof that this is true). However, leaving unnecessary data 
laying around for no valid reason is careless. Historical information of 
customer names/addresses is not necessary, even if said information is 
provided to ARIN. A note on the account verifying that necessary 
information was seen by the ARIN representative is enough. Requiring 
this level of detail on the smallest fraction of the justified space 
makes it even worse.

Of course, ARIN might delete the information. I've seen nothing in the 
documentation to suggest if they do or not.

I never presume data is secure. The more unnecessary copies of it there 
are, the more likely it will be obtained by an unauthorized individual.


More information about the NANOG mailing list