On Fri, Oct 01, 2010 at 08:47:29AM -0400, David Miller wrote:
As to what ARIN can 'do' about addresses that are unused/abandoned and later hijacked...
ARIN delegates Reverse DNS for every allocation that they make. Address blocks that are reported, investigated, and determined to be unused/abandoned could be delegated to special ARIN name servers that merely returned the following for any reverse DNS query:
z.y.x.w.in-addr.arpa. 172800 IN PTR do.not.accept.anything.from.this.abandoned.address.space
This is something that ARIN *could* easily do technically. Admittedly, this would require reporting and investigation that I am uncertain whether or not ARIN is empowered/funded to do. This would also require a process be put in place for removing allocations from the delegation to the unused/abandoned reverse DNS servers...
-DM
Goodness me - I've seen that trick before. Worked for about 15 minutes before I had legal camped out in the office. Pulled it shortly thereafter.

I -think- what you are really after is the (fairly) new RPKI pilot - where there are crypto keys tied to each delegated prefix. If the keys are valid, then ARIN (or other RIR) has "sanctioned" their use. No or bad crypto, then the RIR has some concerns about the resource. The downside to this is that the RIR can effectively cut off someone who would otherwise be in good standing. Sort of removes a level of independence in network operations. Think of what happens when (due to backhoe-fade, for instance) you -can't- get to the RIR CA to validate your prefix crypto? Do you drop the routes? Or would you prefer a more resilient and robust solution? YMMV here, depending on whom you are willing to trust as both a reputation broker -AND- as the prefix police.

The idea is that the crypto is harder to forge. DNS forging is almost as easy as prefix "borrowing".

--bill
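Both messages above turn on the same question: given an announcement for a prefix, how does a router decide whether the origin is sanctioned, and what happens when the data needed to decide is missing (no ROA for abandoned space, or a validator cache that cannot be reached)? The following is an added example, not code from either poster or from ARIN: it implements RFC 6811 route origin validation over a hand-built set of Validated ROA Payloads (VRPs) and shows the fail-open policy bill alludes to, where an unreachable cache yields an empty VRP set and every route degrades to "not-found" rather than being dropped. The prefixes (192.0.2.0/24, 2001:db8::/32, 198.51.100.0/24) and ASNs (64496, 64511) are documentation values chosen for the example; `accept_route` and the `cache_reachable` flag are illustrative policy knobs, not a real router's configuration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: a covering prefix, the longest announcement
    length the resource holder permits, and the AS authorised to originate."""
    prefix: IPNetwork
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} is invalid for {net}")
    return VRP(net, max_length, asn)


# Constructed sample cache (what a validator would hand the router).
SAMPLE_VRPS = [
    vrp("192.0.2.0/24", 24, 64496),     # holder allows only the exact /24
    vrp("2001:db8::/32", 48, 64496),    # holder allows de-aggregation to /48
]


def route_origin_validation(announced: str, origin_asn: int,
                            vrps: Iterable[VRP]) -> str:
    """RFC 6811 origin validation.

    'valid'     - some VRP covers the route, permits its length, and names
                  the origin AS.
    'invalid'   - one or more VRPs cover the route but none matches the
                  origin AS and length (hijack, or too-specific announcement).
    'not-found' - no VRP covers the route at all (no ROA issued, which is
                  exactly the state of abandoned or unregistered space).
    """
    route = ipaddress.ip_network(announced, strict=True)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version:
            continue  # subnet_of() refuses mixed address families
        if not route.subnet_of(v.prefix):
            continue
        covered = True
        if route.prefixlen <= v.max_length and v.asn == origin_asn:
            return "valid"
    return "invalid" if covered else "not-found"


def accept_route(announced: str, origin_asn: int, vrps: Iterable[VRP],
                 cache_reachable: bool = True,
                 drop_invalid: bool = True) -> Tuple[str, bool]:
    """Illustrative policy layer (an assumption of this example, not a
    standard). If the validator cache is unreachable the router has no VRPs,
    so every route evaluates to 'not-found' and is accepted: fail-open.
    Only a route that is positively 'invalid' is dropped, and only when the
    operator has chosen to drop invalids."""
    effective = list(vrps) if cache_reachable else []
    state = route_origin_validation(announced, origin_asn, effective)
    if state == "invalid" and drop_invalid:
        return state, False
    return state, True


if __name__ == "__main__":
    cases = [
        ("192.0.2.0/24", 64496),      # legitimate origin
        ("192.0.2.0/24", 64511),      # someone else originating it
        ("192.0.2.0/25", 64496),      # right AS, but longer than maxLength
        ("2001:db8:1::/48", 64496),   # within maxLength 48
        ("2001:db8:1::/64", 64496),   # beyond maxLength 48
        ("198.51.100.0/24", 64511),   # no ROA at all
    ]
    for prefix, asn in cases:
        state, ok = accept_route(prefix, asn, SAMPLE_VRPS)
        print(f"{prefix:18} AS{asn}  {state:9}  accept={ok}")
    state, ok = accept_route("192.0.2.0/24", 64511, SAMPLE_VRPS,
                             cache_reachable=False)
    print(f"cache down: {state} accept={ok}")
```

The not-found state is the honest answer for David's abandoned blocks: RPKI cannot say "do not accept this", it can only fail to say "this origin is authorised", and most operators treat not-found the same as valid for exactly the resilience reason bill raises. The alternative of dropping everything when the cache is unreachable is what turns a backhoe into an outage.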