[arin-discuss] Question about legacy IPv4 and RADB

Jeffrey Lyon jeffrey.lyon at blacklotus.net
Thu May 3 14:31:32 EDT 2012


On Thu, May 3, 2012 at 2:22 PM, John Von Essen <john at quonix.net> wrote:
> Well, that's sort of what I told the customer. Instead of insinuating that
> these are "stolen" IPs, I basically said that the block they plan on using
> MUST be properly reassigned within Arin's whois before I would accept them
> through my BGP filter. i.e. If I do a whois query on X.X.0.0/23, it has to
> return info that exactly matches the customer - not some defunct 1993 Org.
>
> The logic, like yours, is that if they are legit - there should be no
> difficulty with this request. If they drag their feet and protest a lot,
> that indicates to me that something fishy is going on. Though if they were
> legit, you'd think that they would have cleaned all of this up a long time
> ago - but they didn't. That's why I am suspect.
>
> I made this request yesterday, haven't heard back yet.
>
> -John
>
> On May 3, 2012, at 2:12 PM, Scott Leibrand wrote:
>
> As I understand it, any paying RADB customer can register route objects for
> any route they like, as long as no one else has already done so.  So I don't
> think RADB tells you much about the proper holder of a block whose original
> registrant is now defunct.
>
> Probably the best thing for organization FOO to do would be to contact ARIN
> and arrange to update ARIN's records.  That may require documenting their
> chain of custody of  X.X.0.0/16 from AAA.  It sounds like they've already
> done so with the Tech POC, so if it was a legitimate transfer they shouldn't
> have too much trouble demonstrating that to ARIN and getting all the records
> updated (and preferably getting the block transferred over to FOO).
>
> -Scott
>
> On Thu, May 3, 2012 at 10:33 AM, John Von Essen <john at quonix.net> wrote:
>>
>> Not sure if this is the right forum, but something came up with a
>> potential new BGP customer regarding a legacy IP block (1993, pre-Arin) they
>> want to advertise. This new customer is planning to buy internet from us, a
>> 100MB pipe.
>>
>> Whenever a customer is advertising a subnet that is not directly issued to
>> them via Arin, we have a process to verify authority before we allow that
>> block to propagate out to our BGP upstreams.
>>
>> Since I don't want to get in trouble with the client, the info here is
>> fictitious but represents the situation we need help with. Names/IPs have
>> been replaced.
>>
>> Here is the situation:
>>
>> 1. The IP block (say X.X.0.0/16) our new BGP customer wants to advertise
>> is a 1993 IP block, pre-Arin, it is in the Arin whois database, as well as
>> RA DB.
>> 2. The OrgID (say AAA) for X.X.0.0/16 is defunct, does not exist at all
>> anymore.
>> 3. There are 4 POCs listed for OrgID AAA, 3 of which are defunct and even
>> labeled as bad within Arin whois, the 4th (Tech POC) is valid, and the email
>> address for this POC is completely unrelated to OrgID AAA. This "4th POC" is
>> clearly not associated with OrgID AAA, but another Organization we'll call
>> FOO.
>>
>> At first glance, when I look at this, I think it's a legacy hijacked IP
>> range. Somebody got a hold of the 4th POC in some way and changed it. We DO
>> NOT work with people remotely connected to hijacked IP space, in fact, we
>> use the SpamHaus DROP list and won't route any of those suspicious IP ranges.
>> This range is not in SpamHaus's DROP list.
>>
>> Problem is I am not entirely certain if my assumption is correct because
>> Merit's RA DB shows a different story. If I lookup X.X.0.0/16 in Merit's RA
>> DB, the resource looks 100% legit.  You don't see any mention of OrgID AAA,
>> no bad POCs, everything in Merit's DB is related to Org FOO.
>>
>> Now, our upstreams all use different mechanisms to verify who has the
>> right to announce certain blocks. Level3 for example uses RA DB, so in
>> Level3's eyes there is nothing wrong here. But if Cogent uses Arin's whois
>> database, then Cogent might refuse it because it can't be verified or if it
>> is verified it's very suspect.
>>
>> I don't know what to do here.... All of our other BGP customers have been
>> easy since they all use post-Arin IP space which is very easy to verify,
>> this is the first time we've had a customer try to announce "old" space.
>>
>> Any input would be appreciated.
>>
>> Thanks
>> John Von Essen
>>
>> _______________________________________________
>> ARIN-Discuss
>> You are receiving this message because you are subscribed to
>> the ARIN Discussion Mailing List (ARIN-discuss at arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> http://lists.arin.net/mailman/listinfo/arin-discuss
>> Please contact info at arin.net if you experience any issues.

John,

Given the scenario, I would take the customer. If their use of the
space turns up malicious, you're always welcome to cancel them for AUP
violation.

Thanks,
-- 
Jeffrey A. Lyon, CISSP
President | (757) 304-0668
http://www.blacklotus.net
Black Lotus Communications
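
The check discussed in this thread (whois must name the customer before a prefix passes the BGP filter, and a RADB route object alone says little about the holder), sketched as an added example that is not part of the original messages. The records, the prefix 198.51.100.0/24, AS64500 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed records; 198.51.100.0/24 stands in for the thread's X.X.0.0/16.
ARIN_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
OrgName:        AAA Corp
OrgId:          AAA
OrgTechEmail:   noc@foo.example
"""
RADB_ROUTE = """\
route:      198.51.100.0/24
descr:      FOO Networks
origin:     AS64500
mnt-by:     MAINT-FOO
source:     RADB
"""

def parse_fields(text):
    """Parse 'key: value' lines into {key: [values]}; keys may repeat."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.+)$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return fields

def check_prefix(prefix, customer_org, customer_asn, whois_text, irr_text):
    """Return (accept, reasons); accept only when whois names the customer."""
    net = ipaddress.ip_network(prefix)
    whois, irr = parse_fields(whois_text), parse_fields(irr_text)
    reasons = []
    cidrs = [ipaddress.ip_network(c.strip())
             for v in whois.get("cidr", []) for c in v.split(",")]
    if not any(net.subnet_of(c) for c in cidrs):
        reasons.append("prefix not covered by a whois CIDR")
    if customer_org.lower() not in [o.lower() for o in whois.get("orgname", [])]:
        reasons.append("whois OrgName does not match the customer")
    if prefix not in irr.get("route", []) or customer_asn not in irr.get("origin", []):
        reasons.append("no matching IRR route object")
    elif reasons:
        # A route object is self-registered, so it cannot override whois.
        reasons.append("IRR route object matches but does not prove holdership")
    return (not reasons, reasons)

if __name__ == "__main__":
    print(check_prefix("198.51.100.0/24", "FOO Networks", "AS64500",
                       ARIN_WHOIS, RADB_ROUTE))
```

With the constructed records the prefix is rejected even though the route object matches; it is accepted once the whois OrgName is updated to the customer.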


