[ppml] Policy Proposal 2002-3: Micro-Assignments for Multihomed Networks
william at elan.net
Fri Aug 22 09:41:16 EDT 2003
> In a message written on Fri, Aug 22, 2003 at 10:54:52AM -0400, Eric Van Tol wrote:
> > With this reasoning, I suppose it would be okay to go out and steal cars
> > because some people find it too difficult to purchase a car on their
> > own, or lack the finances to purchase one.
>
> While I don't want to defend his reasoning, an interesting new
> problem has occurred.
>
> Many ISP's, including my employer have recently had customers who
> found ARIN's processes so "difficult" that they "bought" an IP
> address range on EBay (or other locations). These were in fact
> stolen. Sadly, these customers had no idea IP's couldn't be bought
> or sold, or that they were being sold stolen goods.
While I know of exact cases when ip blocks were "sold", in the majority I've
seen it's done directly by users of these ip blocks. I'd actually be very
interested in finding who is actively trying to sell ip space and where
they advertise it. If you have any info, send it to me privately.
> So, to extend your analogy, while it's not ok to steal cars, if car
> manufacturers drove up the cost of cars and / or parts, or otherwise
> made them difficult to come by it would cause more people to steal
> cars and try and sell them as legitimate used autos.
>
> I do think that legitimate (but clueless) business people are being
> driven away from ARIN to "chop shops" to get IP's is a problem that
> needs to be addressed. There are several prongs to that attack though:
I don't think this is a significant number. I've seen cases when somebody
asks to buy an ip block on one of many webhosting mailing lists I'm at, but
this is really rare. And about these people being clueless - it's more than
that, of the several cases where I know somebody did in fact buy ip
blocks, I'd say in only one did the person buying the ip block not know it
was not allowed - they knew it was a shady deal and still went for it. Their
business practices in other areas are also such that how they did it with
the ip block did not surprise me.
On the other hand, lately I've heard some interesting stories about some
making excuses to their upstreams when they lose an ip block and saying to
the upstream they originally bought it and did not directly hijack it
(while I'm almost 100% certain they did) - this is basically so that their
upstreams would not turn them off or that they could find new upstreams
even if the company is known to have used hijacked ip blocks.
> * Enforcement, get the people who are stealing address space in the
> first place.
I'd love to see some move there. The biggest victim of ip hijacking activities
is ARIN (they are being tricked and lied to and then have to conduct
an investigation after problems are reported; plus they lose potential
income as well) but as far as I know ARIN has not done anything on legal
grounds against people who stole these blocks.
> * Education, make it clear to non-techies what they need to do to
> get address space. This is going to be an uphill battle.
Make it clear to techies as well, that it's NOT OK to take an unused ip block
even if it seems so easy.
But as far as ARIN, what would help is clear statement on ARIN website
that ips can not be sold and any such transactions are illegal.
> * Smaller allocations. ARIN needs to allocate down to /24's to end
> users. Business people are tired of their provider going Chapter 7
> and being forced to renumber. I know some places that had to renumber
> 3-4 times in a single year, at great expense, because their providers
> had their own problems. Many can't justify a /19, but are quite happy
> to buy one because it's far cheaper than renumbering.
Micro-assignments are long overdue for the ARIN region and everybody else is
doing it, let's hope starting next year this will change.
> * Streamlined processes. A business, getting their first /24 from arin
> should be able to get it all from a web site. Fill out a form, enter
> a credit card for the payment, and boom in e-mail you get a /24. Make
> them send in tons of paperwork, drag it out for weeks, give them a
> process with uncertain deadlines and they will turn to the thief on
> e-bay who promises them IP's as soon as they get paid.
This I can not agree with, if the process is too easy, it opens this up for
abuse (spammers come in, buy an ip block, use it and then create a new name and
buy another ip block). And if it's so easy to get an ip block with a credit
card transaction, we'll have people using stolen credit cards. This is
a big problem for dedicated server isps that make things too easy and I've
seen it firsthand. I do have an interesting way of detecting
potential credit card fraud though - I have both non-secure and secure
forms on the website for requesting info about services and the website makes
it clear you can not buy service, just do pre-authorization and still
afterwards forms would need to be completed and faxed - nevertheless I
still get at least one person per week going through the non-secure webform
and entering credit card info there - I've checked on these and not one
of these was legit - all legit people at the very least went and used
the secure form - but almost no scammer did; and services they request are
as much as $1000/mo too - so these people would have no problem scamming
ARIN if it made it too easy and totally through the web.
--
William Leibzon
Elan Networks
william at elan.net