[ppml] Policy Proposal 2002-3: Micro-Assignments for Multihomed Networks

william at elan.net william at elan.net
Thu Aug 21 18:55:56 EDT 2003


On 21 Aug 2003, Jeff S Wheeler wrote:

> On Thu, 2003-08-21 at 16:03, william at elan.net wrote:
> > This "honesty" coming from the person responsible for taking somebody elses 
> > ip block (hijacking four old micro-assignments in fact) is very interesting...
> The majority of your "hijackers" do so not because they are unwilling to
> be accountable for the activities conducted on their networks (or they
> would steal ASNs and domain names as well); nor because they aren't able
> to pay the ARIN fees associated with legitimately obtaining addresses.
> They do so because the ARIN's allocation policies prevent their small
> networks from getting provider-independent space.
I disagree. If you notice at the list at http://www.completewhois.com/hijacked/
of the ips hijacked in ARIN geographical area, the majority are legacy 
/16 ip blocks. Its not likely somebody would hijack /16 if they only 
needed portable /24. And since I've been doing investigations based on 
abuse complaints, I can tell that there is a pattern for some to hijack
one ip block, use it until it is blackholed and then hijack another one as 
well as pattern of certain individuals and groups of setting up different
new companies for purposes of hiding their activities. There are, of course,
those that hijacked ip blocks just go get portable space and where there 
is no pattern of abuse, but even there (like 3sheep group) they don't seem
to stop at just one or two /24s and if their activites are not noticed,
they continue to do it and go for more larger ip blocks (and I've checked 
usage on those ip blocks, its usually minimum a lot less then typical isp 
with /24 assigned from upstream).

> I can assure you that if the ARIN more easily made PI space available to
> BGP-speaking organizations, your "hijacking" problem would be limited
While problem with hijacking of ip blocks may decrease a little with 
availability of PI space in ARIN region, I do not believe this decrease 
would be that significant. And we do have an example with another RIR - 
as you know APNIC policies are such that its pretty easy to get portable 
ip block from them, nevertheless there is a signifacant number of small 
portable ip blocks that have been hijacked from APNIC space. Just like 
with ARIN majority of these are legacy ip block assignments (made directly 
AUNIC at that time).

> only to those who announce and withdraw different address blocks for
> brief timeframes to conduct their business -- and these groups do so on
> unfiltered BGP sessions working with transit providers who don't have
> the infrastructure to watch out for themselves and their customers.
The above problem is indeed something that needs to be seriously looked at.
At this time there is no numbers available to indicate how bad this 
problem is, but we do need to get some statistics, find which ISPs luck 
proper policies of accepting bgp feeds from their customers, find which ip 
blocks are being used this way, etc. This is in fact on my agenda in the 
future, but first I'll be working on working specific bogons list, so 
from myself examination of short term bgp-only ip hijacking will not 
happen until next year, but if I do find enough interesting data there, 
then I might do presentation on in on one of next nanogs (but this would 
be at least year from now). 

> The ARIN cannot control that, but it can improve the process for 
> obtaining legitimate, accountable address space.
>From the ARIN side, the best way to deal with above problem would be to 
work futher on security related to BGP, such as sponsoring more work 
on BBN's S-BGP proposal

> You of all people, "William", should realize that my unique perspective
> is valuable to the PPML readership and to the policy-making process.
To Jeff Wheeler: 
 I appreciate your honesty in regards to why you have done this and have 
no problem with you continuing to express your opinion on ppml and work within
ARIN structures to get their policies changed and then afterwards you can 
properly apply for portable ip block if you have enough justification for it.

And If you notice and have read ppml, you'd know that for several years 
I've been one of the biggest proponents of portable allocations directly 
by ARIN on this list and have brought this topic up many times. I'll
continue to advocate futher on it until there is enough change at ARIN 
to provide valuable services not focused on larger ISPs but on smaller
companies as well.

-- 
William Leibzon
Elan Networks
william at elan.net




More information about the ARIN-PPML mailing list