[ARIN-consult] Consultation on Reallocation Control Features

Tue Oct 15 16:22:47 EDT 2024

The frequency is on average roughly once a month that ARIN will receive a complaint about this. It is usually more than 5 and less than 20 reassignments that ARIN is asked to remove because the Admin POC that did the reassignments is not responding to the request to remove it. ARIN has been informed that this has caused problems due to subpoenas being issued for nefarious activities that have taken place using these IP addresses. So yes, it does happen and yes, there are negative effects to the organization that these reassignments are made to.

From: ARIN-consult <arin-consult-bounces at arin.net> on behalf of William Herrin <bill at herrin.us>
Date: Tuesday, October 15, 2024 at 2:29 PM
To: Chris Woodfield <chris at semihuman.com>
Cc: arin-consult at arin.net <arin-consult at arin.net>
Subject: Re: [ARIN-consult] Consultation on Reallocation Control Features
On Tue, Oct 15, 2024 at 10:48 AM Chris Woodfield <chris at semihuman.com> wrote:
> I’m reading Bill Herrin’s interpretation downthread as to the intent of this potential feature, and to the extent this is a not-theoretical issue, I’d be in full support. I’m slightly skeptical that an org controlling reallocate able resources would send /24s to an unaffiliated party just to add a layer of obfuscation to their abuse, but I’ve seen bolder attempts to make money in more dubious ways on the internet, so…

Well, it depends on what you're trying to obfuscate.

Suppose Joe goes to an "IP leaser" and claims to be a particular
ARIN-registered org. Joe gets IP addresses which he controls and
announces them from a "bulletproof hoster" from which Joe proceeds to
distribute child porn. As SWATting goes, it's a bit on the pricey side
but it's not inconceivable.

> Again, I’d be curious how often this actually happens in the wild, vs this being a theoretical brand of Bad Acting, before I think I could have an opinion here.

Same. Additional questions for ARIN are:

1. Has this happened to an ARIN registrant?

2. If yes, how many times is ARIN aware of it having happened to an
ARIN registrant?

We can sit here and dream up all manner of ways to abuse the ARIN
process, but at the end of the day security is a cost/value
proposition. If delta threat x delta vulnerability x incident cost is
less than the implementation and operational cost of the proposed
security then it shouldn't be done.

> another approach to this could be that an org can choose to require that they affirmatively accept any attempted reallocation request to their Org ID

I like this approach much better than the whole screwy "domain lock"
thing they do with the DNS.

--
William Herrin
bill at herrin.us
https://bill.herrin.us/
_______________________________________________
ARIN-Consult
You are receiving this message because you are subscribed to the ARIN Consult Mailing
List (ARIN-consult at arin.net).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN Member Services
Help Desk at info at arin.net if you experience any issues.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20241015/cae9955d/attachment.htm>