[arin-ppml] Audits

Fri Nov 5 05:34:43 EDT 2010

In message <0F135456-F298-40D4-95BB-5C4087637B67 at arin.net>, 
John Curran <jcurran at arin.net> wrote:

>> {... big buch of non-responsive platitudes snipped... }
>
>Actually, I was providing clarity regarding the state of the registry infor
>mation on legacy resources and what constitutes number resource fraud.  I t
>hought that was what you were asking about, but easily could have been wron
>g.

No, John, I wasn't asking about any registry information.  And I think you
knew that.  I was asking the same question that I have asked you repeatedly
in private e-mail over several weeks, without any response from you whatsoever.

Again, just to repeat what I have already asked you in private e-mail (without
any reply), I, and also others I know would very much like to know exactly
how much unmitigated and unambiguous waste and fraud some entity holding
ARIN number resources can get away with before ARIN will see fit to do
anything about it.  I mean how much does the waste/fraud have to be?  What
is the "action" threshold?  25% ? 50% ? 75% ?

It really isn't just me that wants to know the answer here.  Numerous people
on the various anti-spam lists I'm on are, like me, often puzzeled when
they see ARIN handling out fresh /18 allocations to crooked ISPs who only
need the new allocations because their resident snowshoe spammers have
already throughly "burned" all of the IP space the ISP previously gave them,
i.e. they've already gotten all that old space blacklisted to hell and
back, forever, and so now they come back to ARIN and get a new, virginal
/19 or /18 or /17, then they put just two or three spammers into that, and
then start the cycle all over again.  Rinse, lather, repeat.

What's even more puzzling is that way all this has been happening in what
has been alleged to be a time of "scarcity".

(For some strange reason that I can't quite explain, I and others would like
to see this sort of cycle and this sort of practice ended, and would like
to see some of these crooked ISPs be held to account for a change, e.g. by
_not_ routinely being granted big new IP blocks, by ARIN... out of the ever
dwindling remaining pile... when what these crooked ISPs have done previously
was to utterly waste what was already given to them.)

And as I also asked you in private e-mail (also without any reply) does
ARIN care about and/or will ARIN _do_ anything about deliberately fradulent
sub-allocation WHOIS records?

I have already a record of several dozens of these... all being used by
a handful of crooked ISPs to give cover to their pet snowshoe spammers
(to whom, as I have told you, they typically give a /24 for each single
actual host).

So, if I report them all, will ARIN even bother to investigate any of these
bogus/fradulent WHOIS records?  Or should I not even waste my time, e.g.
because ARIN doesn't give a flying fig about SUB-allocation WHOIS records?
(Or should I not waste my time because as long as any given ARIN member stays
below, e.g., 15% fraud, ARIN will consider that inconsequential, in the
Grand Scheme of Things.)

I really would like to know, you know, before I waste all that time typing
into your fraud form, just to be told, e.g. that ARIN doesn't ``police''
fraud in SUB-allocation records.

And of course, I'd also like to know if ARIN is still dedicated to making
the task of reporting fradulent use of number resources as painful, slow
and as tedious as possible, i.e. by (1) following the ICANN model, refusing
to accept any more than one single report at a time and by (2) leaving
your fraud reporting form just exactly as it has been for months now,
i.e. with no more than a postage stamp sized data entry hole in which
the reporter is expected to explain to the ARIN reviewer exactly how the
conclusion was reached that a given registration is fradulent.

I gotta say, that if you folks running ARIN set out to maximally disuade
people from even reporting waste and/or fraud... well... then you have
succeded.  The rules for what is and isn't fraud and/or waste have been
made as opaque as possible, and the reporting _mechanism_ has been made
as tedious, laborious, and as painful as possible[1].

>>Conversely, if ARIN, at present, DOES perform utilization audits or reviews,
>>then please just describe, briefly, how an organization either passes or
>>fails such a thing.
>
>Example: if an applicant says "we have X CPE devices/routers/widgets, and h
>ence need Y additional number resources", we will ask for various hard-to-r
>eplicate materials that might back of those assertions regarding the X devi
>ces that they assert they have.  This could be copies of configurations, ou
>tput of various commands, various business documentation, etc.

Define "have".  What if two crooked ISPs work together?  So today, one of
them has 200 routers.  Tomorrow, the other one has 200 routers.  Does "have"
mean "own" or does "have" maybe mean "borrowed"?

And also, what's the allocation formula?  If I come to you and I say that
I have twelve Cisco 7204's (and give you the purchase reciepts for all
of them, so you know I really bought them) then what do I get from you?
A /18 ?  What?

>Ron - I believe I've extended you every courtesy, even in absence of same.

Well, ya know, answering, rather than just ignoring my private e-mails would
have been nice, even if only to tell me to buzz off.  (After all, you _did_
previously suggest to me that you'd be willing to answer my questions off
list, but then, in practice, apparently not so much.)  But we'll let that
go for now.

Regards,
rfg

===========================
[1]  As It happens, I broke two metacarpals in my right hand in late May,
and I'm still recouperating from that.  Typing on the keyboard is no longer
totally painful, but it is sufficiently so so that I do not relish the
thought of typing each one of the dozens of fradulent sub-allocation records
I know about into your form individually.

I hesitate to ask if you would consider allowing ``bulk'' submissions of
fraud reports, e.g. by trained and experienced investigators, because as
things stand now it looks to me like your organization doesn't even really
want to accept such reports, even when they are submitted one-at-a-time.