[arin-discuss] Question about legacy IPv4 and RADB

John Von Essen john at QUONIX.NET
Thu May 3 14:22:19 EDT 2012

Well, that's sort of what I told the customer. Instead of insinuating  
that these are "stolen" IPs, I basically said that the block they plan  
on using MUST be properly reassigned within Arin's whois before I  
would accept them through my BGP filter. i.e. If I do a whois query on  
X.X.0.0/23, it has to return info that exactly matches the customer -  
not some defunct 1993 Org.

The logic, like yours, is that if they are legit - there should be no  
difficulty with this request. If they drag their feet and protest a  
lot, that indicates to me that something fishy is going on. Though if  
they were legit, you'd think that they would have cleaned all of this  
up a long time ago - but they didn't. Thats why I am suspect.

I made this request yesterday, haven't heard back yet.


On May 3, 2012, at 2:12 PM, Scott Leibrand wrote:

> As I understand it, any paying RADB customer can register route  
> objects for any route they like, as long as no one else has already  
> done so.  So I don't think RADB tells you much about the proper  
> holder of a block whose original registrant is now defunct.
> Probably the best thing for organization FOO to do would be to  
> contact ARIN and arrange to update ARIN's records.  That may require  
> documenting their chain of custody of  X.X.0.0/16 from AAA.  It  
> sounds like they've already done so with the Tech POC, so if it was  
> a legitimate transfer they shouldn't have too much trouble  
> demonstrating that to ARIN and getting all the records updated (and  
> preferably getting the block transferred over to FOO).
> -Scott
> On Thu, May 3, 2012 at 10:33 AM, John Von Essen <john at quonix.net>  
> wrote:
> Not sure if this is the right forum, but something came up with a  
> potential new BGP customer regarding a legacy IP block (1993, pre- 
> Arin) they want to advertise. This new customer is planning to buy  
> internet from us, a 100MB pipe.
> Whenever a customer is advertising a subnet that is not directly  
> issued to them via Arin, we have a process to verify authority  
> before we allow that block to propagate out to our BGP upstreams.
> Since I dont want to get in trouble with the client, the info here  
> is fictitious but represents the situation we need help with. Names/ 
> IPs have been replaced.
> Here is the situation:
> 1. The IP block (say X.X.0.0/16) our new BGP customer wants to  
> advertise is a 1993 IP block, pre-Arin, it is in the Arin whois  
> database, as well as RA DB.
> 2. The OrgID (say AAA) for X.X.0.0/16 is defunct, does not exist at  
> all anymore.
> 3. There are 4 POCs listed for OrgID AAA, 3 of which are defunct and  
> even labeled as bad within Arin whois, the 4th (Tech POC) is valid,  
> and the email address for this POC is completely unrelated to OrgID  
> AAA. This "4th POC" is clearly not associated with OrgID AAA, but  
> another Organization will call FOO.
> At first glance, when I look at this, I think its a legacy hijacked  
> IP range. Somebody got a hold of the 4th POC in some way and changed  
> it. We DO NOT work with people remotely connected to hijacked IP  
> space, in fact, we use the SpamHaus DROP list and wont route any of  
> those suspicious IP ranges. This range is not in SpamHaus's DROP list.
> Problem is I am not entirely certain if my assumption is correct  
> because Merits RA DB shows a different story. If I lookup X.X.0.0/16  
> in Merit's RA DB, the resource looks 100% legit.  You dont see any  
> mention of OrgID AAA, no bad POCs, everything in Merit's DB is  
> related to Org FOO.
> Now, our upstreams all use different mechanisms to verify who has  
> the right to announce certain blocks. Level3 for example uses RA DB,  
> so in Level3's eye's there is nothing wrong here. But if Cogent uses  
> Arin's whois database, then Cogent might refuse it because it cant  
> be verified or if it is verified its very suspect.
> I dont know what to do here.... All of our other BGP customers have  
> been easy since they all use post-Arin IP space which is very easy  
> to verify, this is the first time we've had a customer try to  
> announce "old" space.
> Any input would be appreciated.
> Thanks
> John Von Essen
> _______________________________________________
> ARIN-Discuss
> You are receiving this message because you are subscribed to
> the ARIN Discussion Mailing List (ARIN-discuss at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-discuss
> Please contact info at arin.net if you experience any issues.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-discuss/attachments/20120503/20b5ac29/attachment.html>

More information about the ARIN-discuss mailing list