[arin-ppml] Draft Policy 2008-7: Identify Invalid WHOIS POC's

Ted Mittelstaedt tedm at ipinc.net
Tue Apr 14 21:04:26 EDT 2009


Hi Jon,

  If you read the Rationales of both the "whois POC e-mail cleanup"
proposal from me, posted 9/19/2008 and the "Annual WHOIS POC Validation"
proposal posted 10/3/2008 from Chris, both Chris and I emphasize
repeatedly how the clearing of criminals and hijackers from WHOIS is
of paramount importance.  This topic was also discussed in "Whois
Authentication Alternatives" from Michael, posted 8/19/2008.  These
3 proposals were merged with 2008-7 on 11/25/2008, by the ARIN
advisory council, which originally was titled "Whois Integrity Proposal"
from Heather, and that proposal ALSO mentioned hijacking.

  So without question, one of the major issues that the 4 of us
were concerned with, was fraudulent use of the WHOIS database.
This is why the phrase "otherwise illegitimate" was deliberately and 
intentionally inserted in 2008-7.

  Now, with regards to your situation with  208.43.240.160 - 208.43.240.175 
and ARIN.

   208.43.240.160 - 208.43.240.175 is a SWIP entry, meaning that
the actual block owner (the actual block is  208.43.0.0/16) is
 SoftLayer Technologies Inc.  ARIN is correct to refer you to
the block owner.   Now, it so happens that if you query
 WHOIS you will note that  SoftLayer Technologies Inc. runs a
rwhois server that according to the POC for the main block,
is authoritative.

  This means that the SWIP entry 208.43.240.160 - 208.43.240.175
is superseded by whatever rwhois.softlayer.com hands out.

  If you query Softlayer's rwhois server, you will get this:

class-name network 
id NETBLK-SOFTLAYER.208.43.224.0/19 
auth-area 208.43.224.0/19 
network-name SOFTLAYER-208.43.224.0 
ip-network 208.43.240.160/28 
ip-network-block 208.43.240.160-208.43.240.175 
organization Private Residence 
street-address 1950 Stemmons Freeway Suite 2043 
city Dallas 
state TX 
postal-code 75207 
country-code US 
tech-contact sysadmins at softlayer.com 
abuse-contact admin at vissvpn.com 
admin-contact IPADM258-ARIN 
created 20081025 
updated 20081025 
updated-by ipadmin at softlayer.com 

So as you can see, the SWIP entry you're getting from ARIN's WHOIS
shouldn't even be IN the ARIN whois server at all, not just because
it's bogus, but because Softlayer's rwhois server supersedes it.
It is merely useless and misdirecting clutter.

Our proposal aims to blow this kind of rubbish right out of
WHOIS.  It is confusing, and if that bogus SWIP hadn't been in
ARIN's WHOIS, when you queried on 208.43.240.160 you would
have got the response for block  208.43.0.0/16  and never got
sidetracked to begin with.

  As a final statement on this, I will say that it definitely
was our intention to open the door, so to speak,
to ARIN getting more aggressive about expelling fake entries in
WHOIS. However, 2008-7 is subject to interpretation and provides
wide leeway to ARIN staff to implement, so whether they decide to
take up the opportunity and go after the criminals is anyone's
guess.  But, after IPv4-runout it's clear that the value of IPv4 blocks will
rise, and there will be demands on ARIN staff to supply IPv4 allocations.
Right now, the cheapest way to respond to IPv4 allocations is to
just go to virgin blocks and assign from those - thus, ARIN has
a financial disincentive to identify cheaters and expel them from
blocks they have hijacked.  But post-IPv4 runout, that economic
disincentive will be reversed.  At that time I would expect ARIN staff
to be very aggressive at identifying abandoned or illegitimate
IPv4 and putting them in the free pool.  This may call for further
policy proposals to the NRPM.


Ted

> -----Original Message-----
> From: arin-ppml-bounces at arin.net 
> [mailto:arin-ppml-bounces at arin.net] On Behalf Of Orbeton, Jon
> Sent: Tuesday, April 14, 2009 4:26 PM
> To: arin-ppml at arin.net
> Subject: Re: [arin-ppml] Draft Policy 2008-7: Identify 
> Invalid WHOIS POC's
> 
> All:
> 
> I understand most of this discussion has already taken place 
> and I'm coming late to the game, but I did have a question 
> that was outside the scope of what had been asked already.
> 
> Regarding this policy on the Invalid POCs, the draft makes this
> statement:
> 
> "If ARIN staff deems a POC to be completely and permanently 
> abandoned or otherwise illegitimate, the record shall be deleted."
> 
> I understand this policy regards the process to identify an 
> "Invalid POC" by simply sending an email looking for a 
> response within 60 days.
> However, I wanted to focus on the "otherwise illegitimate" 
> phrase in this policy. 
> 
> I investigate cybercrime and constantly find bogus or fake 
> information placed into ARIN WHOIS IP space information. For example:
> 
> CustName:   Viss Technologies
> Address:    vissvpn.com
> City:       Ho Chi Minh
> StateProv:  OH
> PostalCode: 12345
> Country:    US
> RegDate:    2008-11-03
> Updated:    2008-11-03
>  
> NetRange:   208.43.240.160 - 208.43.240.175 
> CIDR:      208.43.240.160/28 
> NetName:    NET-208-43-240-160
> NetHandle:  NET-208-43-240-160-1
> Parent:     NET-208-43-0-0-1
> NetType:    Reassigned
> Comment:    Send abuse issues to abuse at vissvpn.com
> RegDate:    2008-11-03
> Updated:    2008-11-03
> 
> This is obviously "illegitimate" information -- does this 
> policy draft actually address this type of problem with the 
> "otherwise illegitimate"
> phrase or is there some other policy that addresses this 
> issue. We've contacted ICANN, they said contact ARIN, ARIN said 
> they contact the net block owner. However, there are net 
> block owners who are not friendly and are engaged in 
> questionable activities who have no interest in fixing or 
> requiring legitimate information in these records.
> Furthermore, reporting to the "abuse contact" results in non-action. 
> 
> What can be done about this?
> 
> 
> Thanks,
> Jon Orbeton
> 
> Electronic Crime & Threat Intelligence PayPal, an eBay 
> Company
> 
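
Added example (not part of the original thread): a Python check that compares the ARIN SWIP record Jon quotes with the rwhois answer Ted quotes for the same range and lists the fields that disagree. The function names and the field mapping are assumptions of this example; the two records are trimmed copies of those in the messages above.

```python
import re

# Records copied from this thread (trimmed to the fields compared below).
ARIN_SWIP = """\
CustName:   Viss Technologies
Address:    vissvpn.com
City:       Ho Chi Minh
StateProv:  OH
PostalCode: 12345
Country:    US
NetRange:   208.43.240.160 - 208.43.240.175
"""
RWHOIS = """\
ip-network-block 208.43.240.160-208.43.240.175
organization Private Residence
street-address 1950 Stemmons Freeway Suite 2043
city Dallas
state TX
postal-code 75207
country-code US
"""
# ARIN field -> rwhois field carrying the same information (assumed mapping).
FIELD_MAP = {"CustName": "organization", "Address": "street-address",
             "City": "city", "StateProv": "state",
             "PostalCode": "postal-code", "Country": "country-code",
             "NetRange": "ip-network-block"}
HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def parse(text, sep):
    """Parse 'key<sep>value' lines; sep=':' for ARIN, None (whitespace) for rwhois."""
    out = {}
    for line in text.splitlines():
        parts = line.split(sep, 1)
        if len(parts) == 2 and parts[0].strip():
            out[parts[0].strip()] = parts[1].strip()
    return out

def norm(value):
    """Ignore case and spacing so '1.2.3.0 - 1.2.3.15' equals '1.2.3.0-1.2.3.15'."""
    return re.sub(r"\s+", "", value).lower()

def audit(swip_text, rwhois_text):
    """Return findings where the SWIP entry is implausible or contradicts rwhois."""
    swip, rw = parse(swip_text, ":"), parse(rwhois_text, None)
    findings = []
    if HOSTNAME.match(swip.get("Address", "")):
        findings.append("Address is a hostname, not a street address")
    for a, r in FIELD_MAP.items():
        if a in swip and r in rw and norm(swip[a]) != norm(rw[r]):
            findings.append(f"{a} differs: SWIP={swip[a]!r} rwhois={rw[r]!r}")
    return findings
```

Both records describe the same /28 and the same country, so those fields produce no finding; the name, address, city, state and postal code all disagree with the rwhois answer.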



