[arin-discuss] Question about legacy IPv4 and RADB

Jesse D. Geddis jesse at la-broadband.com
Thu May 3 14:37:21 EDT 2012


Jeffrey,

Wouldn't it be wonderful if everyone could just "cancel" people? I'm sure
many on this list would dream of living within a legal framework where we
can just up and pull the plug on people, not to mention recover the
network, personnel, and associated contracts signed to light that customer.

-- 
Jesse D. Geddis
LA Broadband LLC





On 5/3/12 11:31 AM, "Jeffrey Lyon" <jeffrey.lyon at blacklotus.net> wrote:

>On Thu, May 3, 2012 at 2:22 PM, John Von Essen <john at quonix.net> wrote:
>> Well, that's sort of what I told the customer. Instead of insinuating
>> that these are "stolen" IPs, I basically said that the block they plan
>> on using MUST be properly reassigned within ARIN's whois before I would
>> accept them through my BGP filter. i.e. If I do a whois query on
>> X.X.0.0/23, it has to return info that exactly matches the customer -
>> not some defunct 1993 Org.
>>
>> The logic, like yours, is that if they are legit - there should be no
>> difficulty with this request. If they drag their feet and protest a lot,
>> that indicates to me that something fishy is going on. Though if they
>> were legit, you'd think that they would have cleaned all of this up a
>> long time ago - but they didn't. That's why I am suspect.
>>
>> I made this request yesterday, haven't heard back yet.
>>
>> -John
>>
>> On May 3, 2012, at 2:12 PM, Scott Leibrand wrote:
>>
>> As I understand it, any paying RADB customer can register route objects
>> for any route they like, as long as no one else has already done so. So
>> I don't think RADB tells you much about the proper holder of a block
>> whose original registrant is now defunct.
>>
>> Probably the best thing for organization FOO to do would be to contact
>> ARIN and arrange to update ARIN's records. That may require documenting
>> their chain of custody of X.X.0.0/16 from AAA. It sounds like they've
>> already done so with the Tech POC, so if it was a legitimate transfer
>> they shouldn't have too much trouble demonstrating that to ARIN and
>> getting all the records updated (and preferably getting the block
>> transferred over to FOO).
>>
>> -Scott
>>
>> On Thu, May 3, 2012 at 10:33 AM, John Von Essen <john at quonix.net> wrote:
>>>
>>> Not sure if this is the right forum, but something came up with a
>>> potential new BGP customer regarding a legacy IP block (1993,
>>> pre-ARIN) they want to advertise. This new customer is planning to buy
>>> internet from us, a 100MB pipe.
>>>
>>> Whenever a customer is advertising a subnet that is not directly
>>> issued to them via ARIN, we have a process to verify authority before
>>> we allow that block to propagate out to our BGP upstreams.
>>>
>>> Since I don't want to get in trouble with the client, the info here is
>>> fictitious but represents the situation we need help with. Names/IPs
>>> have been replaced.
>>>
>>> Here is the situation:
>>>
>>> 1. The IP block (say X.X.0.0/16) our new BGP customer wants to
>>> advertise is a 1993 IP block, pre-ARIN, it is in the ARIN whois
>>> database, as well as RA DB.
>>> 2. The OrgID (say AAA) for X.X.0.0/16 is defunct, does not exist at all
>>> anymore.
>>> 3. There are 4 POCs listed for OrgID AAA, 3 of which are defunct and
>>> even labeled as bad within ARIN whois, the 4th (Tech POC) is valid, and
>>> the email address for this POC is completely unrelated to OrgID AAA.
>>> This "4th POC" is clearly not associated with OrgID AAA, but another
>>> Organization we'll call FOO.
>>>
>>> At first glance, when I look at this, I think it's a legacy hijacked IP
>>> range. Somebody got a hold of the 4th POC in some way and changed it.
>>> We DO NOT work with people remotely connected to hijacked IP space, in
>>> fact, we use the Spamhaus DROP list and won't route any of those
>>> suspicious IP ranges. This range is not in Spamhaus's DROP list.
>>>
>>> Problem is I am not entirely certain if my assumption is correct
>>> because Merit's RA DB shows a different story. If I look up X.X.0.0/16
>>> in Merit's RA DB, the resource looks 100% legit. You don't see any
>>> mention of OrgID AAA, no bad POCs, everything in Merit's DB is related
>>> to Org FOO.
>>>
>>> Now, our upstreams all use different mechanisms to verify who has the
>>> right to announce certain blocks. Level3 for example uses RA DB, so in
>>> Level3's eyes there is nothing wrong here. But if Cogent uses ARIN's
>>> whois database, then Cogent might refuse it because it can't be
>>> verified or if it is verified it's very suspect.
>>>
>>> I don't know what to do here.... All of our other BGP customers have
>>> been easy since they all use post-ARIN IP space which is very easy to
>>> verify, this is the first time we've had a customer try to announce
>>> "old" space.
>>>
>>> Any input would be appreciated.
>>>
>>> Thanks
>>> John Von Essen
>>>
>>> _______________________________________________
>>> ARIN-Discuss
>>> You are receiving this message because you are subscribed to
>>> the ARIN Discussion Mailing List (ARIN-discuss at arin.net).
>>> Unsubscribe or manage your mailing list subscription at:
>>> http://lists.arin.net/mailman/listinfo/arin-discuss
>>> Please contact info at arin.net if you experience any issues.
>>
>
>John,
>
>Given the scenario, I would take the customer. If their use of the
>space turns up malicious, you're always welcome to cancel them for AUP
>violation.
>
>Thanks,
>-- 
>Jeffrey A. Lyon, CISSP
>President | (757) 304-0668
>http://www.blacklotus.net
>Black Lotus Communications




More information about the ARIN-discuss mailing list
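
The acceptance rule discussed in this thread (the ARIN whois record must cover the prefix and name the customer; a matching RADB route object alone is not enough), as an added Python example that is not part of the original messages. The records are constructed samples: AAA and FOO are the thread's placeholder names, and the prefix 198.51.100.0/24 and AS64500 are documentation values assumed here.

```python
import ipaddress

# Constructed sample records, not real registry data.
ARIN_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
OrgName:        AAA
OrgId:          AAA
RegDate:        1993-04-12
"""
RADB_ROUTE = """\
route:      198.51.100.0/24
descr:      FOO
origin:     AS64500
mnt-by:     MAINT-FOO
source:     RADB
"""

def parse_fields(text):
    """Parse 'key: value' lines into a dict (lower-cased keys, first value wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def check_announcement(prefix, customer_org, customer_asn, whois_text, irr_text):
    """Apply the filter rule: whois must cover the prefix and name the customer."""
    whois, irr = parse_fields(whois_text), parse_fields(irr_text)
    net = ipaddress.ip_network(prefix)
    reasons = []
    cidrs = [ipaddress.ip_network(c.strip())
             for c in whois.get("cidr", "").split(",") if c.strip()]
    if not any(net.subnet_of(c) for c in cidrs):
        reasons.append("whois record does not cover the prefix")
    org = whois.get("orgname", "")
    if org.casefold() != customer_org.casefold():
        reasons.append(f"whois OrgName {org!r} does not match customer {customer_org!r}")
    # The IRR check is advisory only: it is reported but never grants acceptance.
    irr_ok = (irr.get("route") == str(net)
              and irr.get("origin", "").upper() == customer_asn.upper())
    if irr_ok and reasons:
        reasons.append("IRR route object matches, but registration there does not prove holdership")
    return {"accept": not reasons, "irr_ok": irr_ok, "reasons": reasons}

if __name__ == "__main__":
    print(check_announcement("198.51.100.0/24", "FOO", "AS64500", ARIN_WHOIS, RADB_ROUTE))
```

With the sample records the announcement is rejected even though the route object matches, which is the split between registries that the original question describes.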