[arin-discuss] Question about legacy IPv4 and RADB
Jeffrey Lyon
jeffrey.lyon at blacklotus.net
Thu May 3 14:48:43 EDT 2012
On Thu, May 3, 2012 at 2:37 PM, Jesse D. Geddis <jesse at la-broadband.com> wrote:
> Jeffrey,
>
> Wouldn't it be wonderful if everyone could just "cancel" people? I'm sure
> many on this list would dream of living within a legal framework where we
> can just up and pull the plug on people not to mention recover the
> network, personnel, and associated contracts signed to light that customer.
>
> --
> Jesse D. Geddis
> LA Broadband LLC
>
>
>
>
>
> On 5/3/12 11:31 AM, "Jeffrey Lyon" <jeffrey.lyon at blacklotus.net> wrote:
>
>>On Thu, May 3, 2012 at 2:22 PM, John Von Essen <john at quonix.net> wrote:
>>> Well, that's sort of what I told the customer. Instead of insinuating
>>>that
>>> these are "stolen" IPs, I basically said that the block they plan on
>>>using
>>> MUST be properly reassigned within Arin's whois before I would accept
>>>them
>>> through my BGP filter. i.e. If I do a whois query on X.X.0.0/23, it has
>>>to
>>> return info that exactly matches the customer - not some defunct 1993
>>>Org.
>>>
>>> The logic, like yours, is that if they are legit - there should be no
>>> difficulty with this request. If they drag their feet and protest a lot,
>>> that indicates to me that something fishy is going on. Though if they
>>>were
>>> legit, you'd think that they would have cleaned all of this up a long
>>>time
>>> ago - but they didn't. Thats why I am suspect.
>>>
>>> I made this request yesterday, haven't heard back yet.
>>>
>>> -John
>>>
>>> On May 3, 2012, at 2:12 PM, Scott Leibrand wrote:
>>>
>>> As I understand it, any paying RADB customer can register route objects
>>>for
>>> any route they like, as long as no one else has already done so. So I
>>>don't
>>> think RADB tells you much about the proper holder of a block whose
>>>original
>>> registrant is now defunct.
>>>
>>> Probably the best thing for organization FOO to do would be to contact
>>>ARIN
>>> and arrange to update ARIN's records. That may require documenting
>>>their
>>> chain of custody of X.X.0.0/16 from AAA. It sounds like they've
>>>already
>>> done so with the Tech POC, so if it was a legitimate transfer they
>>>shouldn't
>>> have too much trouble demonstrating that to ARIN and getting all the
>>>records
>>> updated (and preferably getting the block transferred over to FOO).
>>>
>>> -Scott
>>>
>>> On Thu, May 3, 2012 at 10:33 AM, John Von Essen <john at quonix.net> wrote:
>>>>
>>>> Not sure if this is the right forum, but something came up with a
>>>> potential new BGP customer regarding a legacy IP block (1993,
>>>>pre-Arin) they
>>>> want to advertise. This new customer is planning to buy internet from
>>>>us, a
>>>> 100MB pipe.
>>>>
>>>> Whenever a customer is advertising a subnet that is not directly
>>>>issued to
>>>> them via Arin, we have a process to verify authority before we allow
>>>>that
>>>> block to propagate out to our BGP upstreams.
>>>>
>>>> Since I dont want to get in trouble with the client, the info here is
>>>> fictitious but represents the situation we need help with. Names/IPs
>>>>have
>>>> been replaced.
>>>>
>>>> Here is the situation:
>>>>
>>>> 1. The IP block (say X.X.0.0/16) our new BGP customer wants to
>>>>advertise
>>>> is a 1993 IP block, pre-Arin, it is in the Arin whois database, as
>>>>well as
>>>> RA DB.
>>>> 2. The OrgID (say AAA) for X.X.0.0/16 is defunct, does not exist at all
>>>> anymore.
>>>> 3. There are 4 POCs listed for OrgID AAA, 3 of which are defunct and
>>>>even
>>>> labeled as bad within Arin whois, the 4th (Tech POC) is valid, and the
>>>>email
>>>> address for this POC is completely unrelated to OrgID AAA. This "4th
>>>>POC" is
>>>> clearly not associated with OrgID AAA, but another Organization will
>>>>call
>>>> FOO.
>>>>
>>>> At first glance, when I look at this, I think its a legacy hijacked IP
>>>> range. Somebody got a hold of the 4th POC in some way and changed it.
>>>>We DO
>>>> NOT work with people remotely connected to hijacked IP space, in fact,
>>>>we
>>>> use the SpamHaus DROP list and wont route any of those suspicious IP
>>>>ranges.
>>>> This range is not in SpamHaus's DROP list.
>>>>
>>>> Problem is I am not entirely certain if my assumption is correct
>>>>because
>>>> Merits RA DB shows a different story. If I lookup X.X.0.0/16 in
>>>>Merit's RA
>>>> DB, the resource looks 100% legit. You dont see any mention of OrgID
>>>>AAA,
>>>> no bad POCs, everything in Merit's DB is related to Org FOO.
>>>>
>>>> Now, our upstreams all use different mechanisms to verify who has the
>>>> right to announce certain blocks. Level3 for example uses RA DB, so in
>>>> Level3's eye's there is nothing wrong here. But if Cogent uses Arin's
>>>>whois
>>>> database, then Cogent might refuse it because it cant be verified or
>>>>if it
>>>> is verified its very suspect.
>>>>
>>>> I dont know what to do here.... All of our other BGP customers have
>>>>been
>>>> easy since they all use post-Arin IP space which is very easy to
>>>>verify,
>>>> this is the first time we've had a customer try to announce "old"
>>>>space.
>>>>
>>>> Any input would be appreciated.
>>>>
>>>> Thanks
>>>> John Von Essen
>>>>
>>>> _______________________________________________
>>>> ARIN-Discuss
>>>> You are receiving this message because you are subscribed to
>>>> the ARIN Discussion Mailing List (ARIN-discuss at arin.net).
>>>> Unsubscribe or manage your mailing list subscription at:
>>>> http://lists.arin.net/mailman/listinfo/arin-discuss
>>>> Please contact info at arin.net if you experience any issues.
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> ARIN-Discuss
>>> You are receiving this message because you are subscribed to
>>> the ARIN Discussion Mailing List (ARIN-discuss at arin.net).
>>> Unsubscribe or manage your mailing list subscription at:
>>> http://lists.arin.net/mailman/listinfo/arin-discuss
>>> Please contact info at arin.net if you experience any issues.
>>
>>John,
>>
>>Given the scenario, I would take the customer. If their use of the
>>space turns up malicious, you're always welcome to cancel them for AUP
>>violation.
>>
>>Thanks,
>>--
>>Jeffrey A. Lyon, CISSP
>>President | (757) 304-0668
>>http://www.blacklotus.net
>>Black Lotus Communications
>>_______________________________________________
>>ARIN-Discuss
>>You are receiving this message because you are subscribed to
>>the ARIN Discussion Mailing List (ARIN-discuss at arin.net).
>>Unsubscribe or manage your mailing list subscription at:
>>http://lists.arin.net/mailman/listinfo/arin-discuss
>>Please contact info at arin.net if you experience any issues.
>
I've never had an issue cancelling a customer in violation of AUP.
--
Jeffrey A. Lyon, CISSP
President | (757) 304-0668
http://www.blacklotus.net
Black Lotus Communications
More information about the ARIN-discuss
mailing list