[ARIN-consult] Consultation on Reallocation Control Features
Chris Woodfield
chris at semihuman.com
Tue Oct 15 13:48:45 EDT 2024
This is an interesting problem, and I appreciate the community consultation. Responses inline.
> On Oct 15, 2024, at 10:19, ARIN <info at arin.net> wrote:
>
> ARIN is seeking feedback from the community (https://www.arin.net/participate/community/acsp/consultations/2024/2024-6/) on a suggested feature that would allow customers to manage the ability to control reallocations to their Organization (Org IDs) to protect against bad actors and reputational damage. We are seeking community input on the specific functionality and the priority that should be placed on developing this feature.
>
> ARIN can add a feature in the Organization record management section of ARIN Online that will allow customers the ability to manage reallocations to individual Org IDs. This feature would only be manageable via ARIN Online but would apply to reallocations to specified Org IDs using either ARIN Online or programmatically with our Registration RESTful Service (Reg-RWS).
I’m reading Bill Herrin’s interpretation downthread as to the intent of this potential feature, and to the extent this is a not-theoretical issue, I’d be in full support. I’m slightly skeptical that an org controlling reallocatable resources would send /24s to an unaffiliated party just to add a layer of obfuscation to their abuse, but I’ve seen bolder attempts to make money in more dubious ways on the internet, so…
My largest concern here would be that many ISPs have multiple Org IDs that they allocate resources from, and it could be difficult for an org to determine in advance which Org IDs they should be adding to their whitelist. So if an org is signing up with a new ISP and getting an allocation, they’d need to add *all* of the possible Org IDs they could get allocated from. In some cases, this could be a substantial number of them.
One possible solution (and probably out of scope for v1.0) might be to allow an org to define the equivalent of an AS-Macro; if an org has multiple Org IDs, they might be able to create an “Org-Macro” that contains all of them, and a downstream Org can add the Org-Macro to their whitelist instead of individual Org IDs.
>
> Additional questions for community consideration are:
>
> - If someone attempts to reallocate to an Org ID that does not have reallocation enabled, should they receive a notification that the organization does not accept reallocations?
Yes, I’d see this as no different than a permissions error being thrown by a website when a user attempts to access a URL they don’t have access to. The alternative, which I presume would be to fail the reallocation silently, could be misinterpreted as a system error (particularly if being hit innocuously - let’s say the org forgot to add their new ISP’s org handle to their whitelist).
> - Should the customer be notified of attempts to reallocate resources to their Org ID when reallocations are not enabled?
Yes, subject to some sort of rate limiting/whitelist. I’d hate to get 100+ emails on this in an hour if there’s a bad actor making the attempt that many times.
> - What priority should be placed on the development of this feature?
>
Again, I’d be curious how often this actually happens in the wild, vs this being a theoretical brand of Bad Acting, before I think I could have an opinion here.
Regards,
-Chris
> --------
> References:
>
> ACSP Suggestion 2024.13: https://www.arin.net/participate/community/acsp/suggestions/2024/2024-13/
>
>