[ARIN-consult] Consultation on Reallocation Control Features

William Herrin bill at herrin.us
Tue Oct 15 14:29:16 EDT 2024


On Tue, Oct 15, 2024 at 10:48 AM Chris Woodfield <chris at semihuman.com> wrote:
> I’m reading Bill Herrin’s interpretation downthread as to the intent of this potential feature, and to the extent this is a not-theoretical issue, I’d be in full support. I’m slightly skeptical that an org controlling reallocate able resources would send /24s to an unaffiliated party just to add a layer of obfuscation to their abuse, but I’ve seen bolder attempts to make money in more dubious ways on the internet, so…

Well, it depends on what you're trying to obfuscate.

Suppose Joe goes to an "IP leaser" and claims to be a particular
ARIN-registered org. Joe gets IP addresses which he controls and
announces them from a "bulletproof hoster" from which Joe proceeds to
distribute child porn. As SWATting goes, it's a bit on the pricey side
but it's not inconceivable.


> Again, I’d be curious how often this actually happens in the wild, vs this being a theoretical brand of Bad Acting, before I think I could have an opinion here.

Same. Additional questions for ARIN are:

1. Has this happened to an ARIN registrant?

2. If yes, how many times is ARIN aware of it having happened to an
ARIN registrant?


We can sit here and dream up all manner of ways to abuse the ARIN
process, but at the end of the day security is a cost/value
proposition. If delta threat x delta vulnerability x incident cost is
less than the implementation and operational cost of the proposed
security then it shouldn't be done.


> another approach to this could be that an org can choose to require that they affirmatively accept any attempted reallocation request to their Org ID

I like this approach much better than the whole screwy "domain lock"
thing they do with the DNS.


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/


More information about the ARIN-consult mailing list