[arin-ppml] Micfo

Owen DeLong owen at delong.com
Tue May 14 22:45:27 EDT 2019



> On May 14, 2019, at 19:01 , Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
> 
> 
> In message <CAN-Dau04sWS7k6v411MWtFQFn0eq__m3y1m5Cd5Uc=ZrQ1jVcA at mail.gmail.com>
> David Farmer <farmer at umn.edu> wrote:
> 
>> Punitive measures taken directly by ARIN, against these guys or anyone
>> else, need to be thought through very carefully, such measures are highly
>> likely to injure third parties that didn't knowingly participate in the
>> fraud.
> 
> Could *someone*, i.e. anyone please explain to me, in nice simple terms
> that my little pea brain can understand, why it is that ICANN has a proper
> response contingency plan already set up, tested, and in place for dealing
> with very similar sorts of wickeness in and among their accredited registrars,
> and yet none of the five families of the IP address world have yet seen fit
> to create any sort of a procedure or mechanism to clean up a mess like this
> when it comes to any one of *their* resellers?

In part:

Because ICANN controls the root zone and can turn off a registrar or registry.
This will cause significant disruption, of course, and ICANN doesn’t use that
particular cannon lightly (nor should it), but the fact that it exists does preempt
a great deal of shenanigans from the registrars and registries.

RIRs, OTOH, control a database. Routers do not depend on that database
in order to move packets. The database does not control the configuration of
routers. As such, RIR's ability to enforce its will upon the routing system is
rather limited. RIR's can enforce their will on the registry, but at the risk that
if their will departs significantly from the will of those running routers, it may
simply render the registry irrelevant rather than causing behavioral changes
by those running routers.

In theory, there’s the possibility of alternative DNS roots as well, which is about
the only check and balance that remains against ICANN power over the DNS,
but that’s a separate discussion and the need for vast widespread support for
alternative roots to be effective amongst OS vendors, Users, etc. makes this
a lot less likely than a router rebellion.

> And after all, that *is* what this is all about, right?  I mean the valid
> concern that David farmer brings up is utterly irrelevant in all cases
> were some crooked party is just using the purloined IP addresses strictly
> internally, and only for their own private purposes.  In those cases,
> there are no innocent third-parties to worry about.  So the only instances
> where David Farmer's concern is actually even going to be an issue is where
> the crooked party in question is acting in the role of a reseller (of ARIN
> issued resources) in a very analogous way to ICANN accredited registrar
> simply re-sell what ICANN gives them the rights to resell, i.e. points in
> the domain name space, rather than points in the IP address space.

Uh, define reseller… Usually, ISPs are not thought of as resellers fo ARIN
issued resources, per se, as they are mostly “lending” addresses to their
customers for use while attached to their network.

Certainly in this case, the customers of said ISP are quite often likely to be
innocent third-parties, no?

> My point is that this shouldn't be treated as a "one off" to be dealt with
> and then ignored forever after.  This is a teachable moment, and all of
> the five families should get their you-know-what together and come up with
> decent emergency response plans to provide for the relocation of innocents
> to safe ground in the event of a crooked reseller being discovered... or
> even a non-crooked one that happens to get hit by a tornado, either a
> physical one or a legal one or a financial one.

I’d really like to see what you think could possibly be a viable solution in
that space… I simply cannot conceive of how that would work.

I mean you’re literally talking about a plan to deploy physical interconnections
to replace existing circuits on short notice. I don’t think the RIRs are in such
a business, nor do I think they should be.

> I hope that I'm not the only one who has ever seen the ServPro[tm] TV
> commercials or heard their tag line "Like it never even happened.”

Correct me if I’m wrong, but ServPro is in the Disaster Recovery business,
not the Registry business. The RIRs are not in the disaster recovery business.
I’m not sure I support such an expensive scope creep for them, either.

> Maybe ARIN needs to sign a contingency contract with Servpro and then let
> *them* clean up the mess when crap like this happens.

I don’t see anything about circuit restoration in ServPro’s line of services.
Perhaps I missed something?

> I am reminded of the old saying:  To fail to plan is to plan to fail.
> 
> There should be a formal emergency/contingency plan in place that allows
> for the graceful swapping out of a crooked or dead reseller of ARIN IP
> space and the graceful swapping in of some replacement provider, as
> necessary, so that no innocents are harmed during the making of this film.

If they were just reselling IP addresses as in the transfer market, the registry
might have some role here. In the case of an ISP type relationship, I think
you’re advocating a very very large scope creep that I don’t see working out
well for anyone involved.

> I mean seriously, am I the only one who lived through 2008-2009 and the
> financial meltdown?  Am I the only one who read Sheila Bair's book?

Well, I lived through said meltdown, but I don’t see a parallel here. I’m utterly
unfamiliar with Ms. Bair, so you may well be the only one who read her book.

> I am in 100% agreement with David Farmer's concern about innocents, and
> hope that someday there will be a plan in place to protect them, even
> if/when one of ARIN's reseallers is declared insolvent or otherwise
> unable to fulfill its duties to its actual end-lusers.

You talk about ARIN resellers as if ARIN were a supplier and these entities were
merely retail outlets for ARIN products and/or services.

Simply not the case here. ARIN is a registry. ARIN tracks associations
between internet number resources and entities to guarantee uniqueness
among cooperating entities. ARIN doesn’t sell, transfer, move, or otherwise
engage in property transactions. You’re basically saying that ARIN should
give out new cars to Volkswagon owners because ARIN stamped out the
license plates on the VWs that were fraudulently sold in California.

I’m having a hard time grasping logic behind that idea.

Owen





More information about the ARIN-PPML mailing list