Joe Greco wrote:
John Curran wrote:
On Sep 8, 2009, at 2:18 PM, JC Dill wrote:
It seems simple and obvious that ARIN, RIPE, et. al. should determine the blacklist state of a reclaimed IP group and ensure that the IP group is usable before re-allocating it.
When IPs are reclaimed, first check to see if the reclaimed IPs are on any readily checked RBL or private blacklist of major ISPs, corporations, universities, etc. If so, work with those groups to get the blocks removed *prior* to reissuing the IPs to a new entity. Before releasing the IPs to a new entity, double check that they are not being blocked (that any promises to remove them from a blacklist were actually fulfilled). Hold the IPs until you have determined that they aren't overly encumbered with prior blacklist blocks due to poor behavior of the previous entity. (The same should be done before allocating out of a new IP block, such as when you release the first set of IPs in a new /8.)
In this case, it's not the RBL's that are the issue; the address block in question isn't on them. It's the ISP's and other firms using manual copies rather than actually following best practices.
It's not that hard to make a list of the major ISPs, corporations, universities (entities with a large number of users), find willing contacts inside each organization (individual or role addresses you can email, and see if the email bounces, and who will reply if the email is received) and run some automated tests to see if the IPs are being blocked. In your follow-up email to me, you said you check "dozens" of RBLs - that is clearly insufficient - probably by an order of magnitude - of the entities you should check with. The number should be "hundreds". A reasonably cluefull intern can provide you with a suitable list in short order, probably less than 1 day, and find suitable contacts inside each organization in a similar time frame - it might take a week total to build a list of ~500 entities and associated email addresses. Because of employee turn-over the list will need to be updated, ~1-10 old addresses purged and replaced with new ones on a monthly basis.
Really? And you expect all these organizations to do ... what? Hire an intern to be permanent liaison to ARIN?
I'm expecting ARIN to spend a few staff-hours (utilizing low-cost labor such as an intern) to setup the list for ARIN to use to check the status of returned IPs, and spend a few more staff hours setting up an automated system to utilize the list prior to releasing reclaimed IPs for reallocation. If, when using the list they discover out-dated addresses, spend a moment to find an updated address for that sole network. Most of this can easily be automated once setup - the only things that need to be dealt with by hand would be purging the list of outdated contacts and finding new ones, which shouldn't take much time since it's not a very large list, and many of the contacts would (over time) become role accounts that don't become outdated as often or as easily as personal accounts. Most of this is done by ARIN, not by the organizations they contact. All each organization has to do is permit one employee or role account to be used for IP block testing, and reply to test emails. The effort to setup a role account and autoresponder is minimal.
Answer queries to whether or not IP space X is currently blocked (potentially at one of hundreds or thousands of points in their system, which corporate security may not wish to share, or even give "some random intern" access to)? Process reports of new ARIN delegations? What are you thinking they're going to do? And why should they care enough to do it?
Because if they don't, they are needlessly blocking re-allocated IP addresses, potentially blocking their own users from receiving wanted email. Organizations could (and should) setup a role account and auto-responder for this purpose.
Why isn't this being done now?
Issuing reclaimed IPs is a lot like selling a used car, except that the buyer has no way to "examine" the state of the IPs you will issue them beforehand. Therefore it's up to you (ARIN, RIPE, et. al.) to ensure that they are "just as good" as any other IP block. It is shoddy business to take someone's money and then sneakily give them tainted (used) goods and expect them to deal with cleaning up the mess that the prior owner made, especially when you charge the same rate for untainted goods!
Not applicable in this case, as noted above.
What do you mean, "not applicable"? You take the money and issue IPs. There is no way for the "buyer" to know before hand if the IPs are "tainted" (used) or new. It is up to you (ARIN) to ensure that the goods (IPs) are suitable for the intended use. My analogy is entirely applicable, and I'm amazed you think otherwise.
WOW. That's a hell of a statement. There is absolutely nothing that ARIN can do if I decide I'm going to have our servers block connections from networks ending in an odd bit. 100% correct.
What they *can* do is determine IF the address is currently being blocked *before* they issue it to a new entity.
Nobody is in a position to ensure that ANY Internet connection or IP space is "suitable for the intended use." Welcome to the Internet.
They can (and IMHO should) determine the state it is in before they reallocate it. What happens next is obviously unpredictable but in reality an IP that isn't being blocked today and isn't being used (by anyone) is highly unlikely to be widely blocked between today and the day ARIN releases it for allocation to a new entity. They can hold IPs that are not suitable for re-allocation, or at least make the status of the IPs known to the new entity before asking the entity to take on the IP block, and perhaps offering a fee discount for "tainted" addresses. (Some users may not care if the IPs are "tainted", if, for instance they plan to use the IPs for a DUL pool. I have a friend who gets $5 off his cell phone bill because he has a phone number that starts with 666 - a number that many people prefer to avoid but which works fine for his purposes and he's quite happy to get the discount. :-)
So, back to the question: could someone explain why they've got copies of the RBL's in their network which don't get updated on any reasonable refresh interval? (weekly? monthly?)
The "why" really isn't at issue - it happens and it's going to keep happening. The question is what are you (ARIN) going to do about it?
Give me the serenity to accept the things I cannot change, The courage to change the things I can, And the wisdom to know the difference.
You (ARIN et. al.) don't have any ability to change the why. What you can change is how you go about determining if an IP block is suitable for reallocation or not, and what steps you take to repair IP blocks that aren't suitable for reallocation.
So, in addition to just registering IP space, it's also their job to clean it up?
Who do you propose clean up the mess? The people who made the mess (spammers) won't clean it up. Someone has to clean it up. The IPs are in ARIN's possession now. Why should it become someone else's problem (the entity they allocate it to) to clean it up? They didn't do anything to taint the space, and they request (and expect) to get clean and usable IPs, not tainted IPs. ARIN shouldn't allocate previously allocated IPs until they know the IPs are not widely blocked. Or to *at the very least* ARIN should disclose what they know about the IP space before they make it someone else's problem, and give the requesting entity an option to request a new/clean/unused/unblocked IP block instead.
I'm sorry, I agree that there's a problem, but this just sounds like it isn't feasible.
IMHO passing the problem on to someone else is just plain wrong. It punishes an innocent party, and it doesn't scale. There are other options, better options. In commerce it is a violation of the UCC to knowingly or negligently sell the customer something that the seller knows (or should have known) doesn't serve the customer's stated purpose, and that the customer has no way of knowing (no way to do "due diligence" before completing the sale) is unsuitable for their needs. ARIN's IP registry probably doesn't fall under the aegis of the UCC, but that doesn't excuse the practice. I am not a lawyer, but it doesn't take a law degree to be able to tell right from wrong. Issuing previously-issued and tainted IPs to an entity that requested and is expecting untainted and usable IPs is clearly wrong. How ARIN plans to resolve this can be debated, but NOT solving this and just expecting someone else (the unlucky entity who is issued the tainted IPs) to solve it for them is not an honorable approach. Similarly, asking on NANOG "why do tainted IPs linger on blocklists" isn't going to solve the problem. ARIN can't change the why - what they can change is what ARIN does about it. There are better options - they can make an effort to clean up the IPs prior to reallocation; they can disclose the IP status before reallocation and give an option for a new IP block; or they can simply declare the IPs "toxic" and hold them rather than reallocate them. Giving the customer a dead parrot when they expected a live one (Beautiful Plumage!) is funny only in a Monty Python skit. http://www.youtube.com/watch?v=4vuW6tQ0218 http://www.readnews.com/funny/story3.html jc