[ppml] Policy Proposal 2002-3: Micro-Assignments forMultihomed Networks

william at elan.net william at elan.net
Fri Aug 22 09:41:16 EDT 2003 

> In a message written on Fri, Aug 22, 2003 at 10:54:52AM -0400, Eric Van Tol wrote:
> > With this reasoning, I suppose it would be okay to go out and steal cars
> > because some people find it too difficult to purchase a car on their
> > own, or lack the finances to purchase one.
> 
> While I don't want to defend his reasoning, an interesting new
> problem has occured.
> 
> Many ISP's, including my employer have recently had customers who
> found ARIN's processes so "difficult" that they "bought" an IP
> address range on EBay (or other locations).  These were in fact
> stolen.  Sadly, these customers had no idea IP's couldn't be bought
> or sold, or that they were being sold stolen goods.
While I know exact cases when ip blocks were "sold", in majority I've seen 
its done directly by users of these ip blocks. I'd actually be very 
interested in finding who is actively trying to sell ip space and where 
they adverise it. If you have any info, send it to me privately.

> So, to extend your analogy, while it's not ok to steal cars, if car
> manufactures drove up the cost of cars and / or parts, or otherwise
> made them difficult to come by it would cause more people to steal
> cars and try and sell them as legitimate used autos.
> 
> I do think that legitimate (but clueless) business people are being
> driven away from ARIN to "chop shops" to get IP's is a problem that
> needs to be addressed.  There are several prongs to that attack though:
I don't think this is significant number. I've seen cases when somebody 
asks to buy ip block on one of may webhosting mailing lists I'm at, but 
this is really rare. And about these people being clueless - its more then 
that, of the several cases where I know somebody did in fact buy ip 
blocks, I'd say only one did the person buying ip block not know it was 
not allowed - they knew it was a shady deal and still went for it. Their 
business practices in other areas are also such that how they did it with 
ip block did not surprised me.
 
On the other hand, lately I've heard some intersting stories about some
making excuses to their upstreams when they loose ip block and saying to 
upstream they originally bought it and did not directly hijacked it 
(while I'm almost 100% certain they did) - this is basicly so that their 
upstreams would not turn them off or that they could find new upstreams 
even if company known to have used hijacked ip blocks.

> * Enforcement, get the people who are stealing address space in the
>   first place.
I'd love to see some move there. Biggest victim of ip hijacking activites 
is ARIN (they are being tricked and lied to and then have to conduct 
investigation after problems are reported; plus they loose potential 
income as well) but as far as I know ARIN has not done anything on legal 
grounds against people who stole these blocks.
 
> * Education, make it clear to non-techies what they need to do to
>   get address space.  This is going to be an uphill battle.
Make it clear to techies as well, that its NOT OK to take unused ip block 
even if it seems so easy.

But as far as ARIN, what would help is clear statement on ARIN website 
that ips can not be sold and any such transactions are illegal.

> * Smaller allocations.  ARIN needs to allocate down to /24's to end
>   users.  Business people are tried of their provider going Chapter 7
>   and being forced to renumber.  I know some places that had to renumber
>   3-4 times in a single year, at great expense, because their providers
>   had their own problems.  Many can't justify a /19, but are quite happy
>   to buy one because it's far cheaper than renumbering.
Microassiments are long overdue for ARIN region and everybody else is 
doing it, lets hope starting next year this will change.
 
> * Streamlined processes.  A business, getting their first /24 from arin
>   should be able to get it all from a web site.  Fill out a form, enter
>   a credit card for the payment, and boom in e-mail you get a /24.  Make
>   them send in tons of paperwork, drag it out for weeks, give them a
>   process with uncertian deadlines and they will turn to the theif on
>   e-bay who promises them IP's as soon as they get paid.
This I can not agree with, if process is too easy, it opens this up for 
abuse (spammers come in buy ip block, use it and then create new name and 
buy another ip block). And if its so easy to get ip block with credit 
card transation, we'll have people using stolen credit cards. This is 
a big problem for dedicated server isps that make things too easy and I'v 
see it firsthand. I do have  have an interesting way of detecting 
potential credit card fraud though - I have both non-secure and secure 
forms on the website for requesting info about services and website makes 
it clear you can not buy service, just do pre-authorization and still 
afterwards forms would need to be completed and faxed - nevertheless I 
still get at least one person per week going through non-secure webform 
and entering credit card info there - I've checked on these and not one 
of these was legit - all legit people at the very least went and used 
secure form - but almost no scammer did; and services they request are
as much as $1000/mo too - so these people would have no problem scamming 
ARIN if it made it too easy and totally through the web.

-- 
William Leibzon
Elan Networks
william at elan.net

More information about the ARIN-PPML mailing list