[AFRINIC-rpd] RE: IPv4 Address Allocation and Assignment proposal
Andrew Alston
aa at alstonnetworks.net
Tue Sep 10 20:22:13 UTC 2013
Further to this,
If AfriNIC is requesting data that could be considered confidential and
commercially sensitive, I request that AfriNIC disclose to its membership
base exactly what is done to safeguard that information and provide
assurances that the information is secure.
As stated, there are information security standards and procedures that
have to be followed and at this point I have zero clue what AfriNIC does
to protect its client data, I have no idea what its own security policies
are, and I have no idea what protections are in place.
Andrew
On 2013/09/11 12:18 AM, "Keshwarsingh Nadan"
<keshwarsingh.nadan at millenium.mu> wrote:
>Well I've been told the following:
>
>"I believe that any meaningful data/log collected from a monitoring
>system (obfuscating critical customer details will be accepted - f.i a
>graph over a certain period of time of the number of IP addresses in
>used, the pool from which these addresses come from, concurrent number of
>customers/virtual-servers"
>
>obfuscating critical data ? asking a network engineer by profession to
>obfuscate critical customer details ? Is that in other words called
>tampering with data / log / graphs ?
>
>Assuming that critical customer details can be obfuscated & will be
>accepted, there is nothing which prevents one from modifying numbers
>displayed on the graphs axis! I believe such graphs should be sent as it
>is without being obfuscated..
>
>If AfriNIC requires such kind of info, I humbly request that such a
>clause to be included in the policy..
>
>Regards,
>Keshwarsingh NADAN
>
>________________________________________
>From: Andrew Alston [alston.networks at gmail.com] on behalf of Andrew
>Alston [aa at alstonnetworks.net]
>Sent: Tuesday, September 10, 2013 11:38 PM
>To: McTim
>Cc: Keshwarsingh Nadan; rpd at afrinic.net
>Subject: Re: [AFRINIC-rpd] RE: IPv4 Address Allocation and Assignment
>proposal
>
>McTim,
>
>I object to giving AfriNIC any information that could be considered
>commercially sensitive as such. Graphs of allocated IPs is an
>interesting question and I'd have to think that through, but there is a
>reason why when asked for invoices for proof of infrastructure I strongly
>believe that anyone supplying such should have the full right to redact
>any financial figures for example.
>
>Furthermore, graphs of DHCP leases for example would be meaningless, since
>DHCP servers typically hold onto leases for hours after they have been
>released, graphs of concurrent subscribers connected, well, again, it
>depends on just how many NDAs AfriNIC is prepared to sign, I hold by the
>fact that the MSA does not in any way shape or form have strong enough
>non-disclosure clauses to cover information like this.
>
>I realise that IANA may not have a process to cover a complaint like this,
>that does not mean a complaint cannot be submitted in some or other form
>or that such a process cannot be defined. To be quite blunt, I doubt IANA
>has ever *NEEDED* a process like that because I strongly suspect that no
>RIR has ever attempted to demand access to members' equipment, and worse
>still, demand access to members' client equipment....
>
>As a matter of interest to people on this list, I would like to conduct an
>impromptu survey which may form the grounds of further policy/actions.
>
>How many of you have had requests from AfriNIC for access to
>routers/servers/equipment?
>How many of you granted such access?
>In the event of such a request coming from AfriNIC, would such a request
>be permissible within the bounds of your organisation's security policies?
>Even if it did somehow pass the policies, how many of you would feel
>comfortable/willing to grant that access?
>
>Thanks
>
>Andrew
>
>