[arin-ppml] Incorrect POC on resource records
tedm at ipinc.net
Thu Sep 20 23:32:20 EDT 2012
On 9/20/2012 6:50 PM, Heather Schiller wrote:
> On Thu, Sep 20, 2012 at 6:18 PM, John Curran <jcurran at arin.net> wrote:
>> Bill -
>> What you suggest is quite reasonable when a transfer is performed, and ARIN is vigilant for potential fraud in such cases.
>> That does not apply when no transfer was ever performed with a resource.
>> John Curran
>> President and CEO
> Precisely the point. Why bother with a transfer if it's cheaper and
> easier to hack the POC and make a change? Stronger Auth is needed
> because you don't have to effect a transfer in ARIN in order to change
> registration details (address and POC) to something convincing enough
> to get an ISP to route it.
Heather (and John),
I frankly believe that ARIN is HOPING that in the case of the
abandoned legacy resources out there that someone will indeed come along
and hack them to make a change.
ARIN views this issue from a bird's-eye view, not a micro-eye view.
To you or me, an abandoned /24 legacy space these days is enough
addressing to run a webhosting business that could generate enough
money to support someone as a full time job.
But from ARIN's point of view, a /24 is a microscopic amount
of the entire IPv4 space they are in charge of, and they don't give
a rat's ass that some smart cracker may come along and take advantage
of a loophole to change the POC on it.
I have approached ARIN before, through channels, with documented
proof that one such legacy block is abandoned. They know it's
abandoned because they have assigned a No, Contact Known NIC handle
to at least the tech contact. The Abuse contact on it is going to an
obvious domain name speculator.
But, the organization name on it is a legitimate and existing org.
My guess is ARIN has no guidelines on what to do in this case - the
org exists, the street address on it is correct, but none of the POCs
on it are valid, and the subnet hasn't appeared in the BGP table for
the past 8 years.
So, the addressing sits idle, and unused - and in the meantime there
are new orgs out there desperate for any amount of IPv4 who cannot take
advantage of it.
> The long list of legacy holders that
> won't update their records proves that there are folks that don't care
> what's listed in whois, as long as their ISP routes it. Does ARIN
> compare POC changes against routing changes? or monitor all unrouted
> address space in the region and look for POC changes if it suddenly
> becomes routed? Probably not - you just rely on someone to complain,
> but what happens when there is no one left to complain? (when a tree
That's a different issue. If a legacy resource is routed, and an org is
depending on it being routed, but that org does not maintain its POCs
on it, then in my opinion I have no sympathy if a cracker changes the
POC and steals it. In fact I would LIKE that since it would teach that
org a lesson.
I do not hold with the notion of obscuring POCs on a numbering resource
by putting bogus ones in. A legacy org that does this deserves to lose
their resources even if the loss is a criminal act. Frankly I feel that
doing nothing to maintain POCs on resources in use is a worse criminal
act than someone stealing them.
It's like the people who grow Marijuana. They are breaking the rules.
If someone else comes along and steals their pot, then I don't want my
tax dollars going to pay for chasing the thief who stole the pot. Or,
if someone is breaking into a home and gets shot and killed by the
homeowner, while in many states the homeowner is guilty of murder I
don't want him being prosecuted, either.
But, if the legacy resource is unused and abandoned, then you're kind of
saying that ARIN should be diligent about keeping it abandoned. I think
in those cases ARIN rather likes it when a cracker assumes ownership of
an abandoned resource and starts using it.
PS, Under the law in the United States, I believe that someone illegally
changing a valid POC on an in-use Legacy resource could be successfully
sued for all of the costs incurred as a result of the network disruption
that happens from the moment the routing stops working to the moment
that ARIN puts it all back the way it was and the routing is restored.
I think other jurisdictions operate similarly.
Thus I think the scenario of a cracker trying to steal an in-use
resource and route it elsewhere is unrealistic.
> Stronger auth for changes, better tools for ISPs to
> validate, maybe better monitoring .. or you know we could just do this
> v6 thing with some RPKI and bgpsec.
>> On Sep 20, 2012, at 6:12 PM, "William Herrin" <bill at herrin.us> wrote:
>>> When a registration change is promptly challenged, especially if the
>>> challenge is issued by someone who could reasonably be the registrant,
>>> it's the epitome of wisdom to err on the side of reverting the change
>>> pending adjudication.
>> You are receiving this message because you are subscribed to
>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> Please contact info at arin.net if you experience any issues.