In message <608B18DB-6E75-4B5E-BA42-D1F69ECE4881@arin.net>, John Curran wrote:
You note the following:
They could say, to everyone involved, and to the community as a whole, ``This ain't right. *We* maintain the official allocation records. In most cases, *we* made the allocations, and that guy should NOT be announcing routes to that IP space, and he shouldn't be announcing anything at all via that AS number, because these things ain't his.''
At present, ARIN doesn't review the routing of address space to see if an allocation made to a party is being announced by another party. From your emails, I'm guessing that you'd like ARIN to do so.
John,

First, let me say thanks for your personal response. Second let me also say that I am pleased to know, at least, that my serious efforts to express myself clearly were not lost on everyone. You have grasped my meaning clearly. (But not everyone here has done likewise.)
I've run several ISPs and a hosting firm, and I'm not quite sure how ARIN can definitively know that any of the AS#'s involved should or should not be routing a given network block.
Please allow me to attempt to refute what you just said. I think that I can do so, briefly, in (at least) two different ways.

1) You folks _are_ already (apparently) making some efforts... at least as of this last summer, but perhaps also earlier... to ``validate'' (is that the word you would use?) POC contacts. I know because I've lately seen quite a number of your POC contact records (from the WHOIS data base) that have a very helpful annotation attached to them, saying quite directly and explicitly, that ARIN has been unable to verify or make contact with this POC or that POC.

So you are already passing judgement on the validity and/or probable invalidity of things in your data base. And more, you are making your determinations public, via the data base itself.

I'm not quite sure how it constitutes such a big leap to merely extend what you are already doing in the way of validating POCs and just impute the exact same level of confidence, or lack thereof, to IP block and/or AS records which are associated with unverifiable/uncontactable POCs... a set which you are already making serious efforts to delineate anyway.

If you can put an annotation into a whois record for a POC, saying explicitly that you can't get ahold of this person, then it would seem to me to be a rather trivial matter of programming to transplant a very similar sort of annotation into each and every IP block or AS record that has that same specific POC record as one of its associated POC records, either Admin, or Technical, or whatever.

You could just say, you know, something like ``We have been trying to contact the Technical POC for this since XX-XX-2010, and we've been unable to do so.'' Well, not those words exactly, but I hope you get the general idea. Just take the determinations that you folks are _already_ making, for the POC records, and just impute them to, and include them in, also, to the relevant block and/or AS records.
Or alternatively, you could stop using verbiage altogether and just switch over to a system based on simple, universally understood icons:

http://farm2.static.flickr.com/1082/820306671_6a0520fe17_m.jpg
http://farm2.static.flickr.com/1382/1263977902_d0e9a43821_o.jpg

Now, you may perhaps be tempted to quibble with my point here, and repeat again what you said above, I.e. that ARIN cannot make ``definitive'' determinations. Please don't yield to any such temptation. Quite frankly, to the best of my knowledge, no living human can reliably make any truly ``definitive'' determinations about anything at all. Only God can do that. (And frankly, I harbor lingering suspicions that even He gets it wrong a fair percentage of the time.)

Nobody expects you to have the infallibility of God... or even of the Pope. And nobody is asking you to display such a level of infinite perfection, least of all me. But ya know, even in the abundant absence of certainty in our day-to-day lives, we all still drag ourselves out of bed in the morning and do the best that we can. And that's all that either I or anybody else has any right to ask of you/ARIN or to expect of you/ARIN. Just do the best you can.

Are your determinations that this POC or that POC cannot be contacted, or cannot currently be verified ``definitive''? No, that's probably too strong a word. But you/ARIN have the good sense and the courtesy to publish the information you have gathered regarding the contactability of POCs anyway, and it's appreciated. It helps. Please just do more of it. This is not an all-or-nothing ``We can't say anything definitively so we can't say anything at all, ever'' kind of situation, I think.

2) You are already (apparently) processing _some_ certain flavors of ``fraud reports'' that come in to you via that nice fancy web form you folks built and put up on the ARIN web site... you know...
the one with the nice (and misleading) introduction that entices people like me to take the time to use it to enter reports about incidents that have traditionally been called around these parts ``hijacking''. (Note: That's the word that _you_ used on your web site to say what should be reported via the form. Was I a fool to take you at your word? Let me be clear... I am *not* *not* *not* encouraging you to simply redact/delete that word from your web site. No no! Rather I hope to encourage you/ARIN to actually accept and at least investigate reports of _all_ flavors of what we around here used to call good old fashioned ``hijacking'', regardless of whether the perp was gracious enough to also make your choice clearer by dicking with the relevant WHOIS records or not.)

So anyway, you are already, obviously, geared up to do ``investigations''. And you _are_ already doing them. Yes? And you are not doing these investigations just for your health, as the saying goes, correct? I mean you have a goal when you do these investigations... an end goal. Right? And what is that goal? What comes out the other end when you feed the raw facts into the top of this process and then turn the crank? What do you have at the end of the day, eh? Do you have a... ahhh.. conclusion? Might one even say that at the end of the process, ARIN reaches a ``determination''?

Would you characterize these determinations... which you obviously use as a basis for further action... as ``definitive determinations''? (If not, why not? And if you use these determinations as a basis for further action, and yet you claim that they are not actually ``definitive determinations'', then aren't you placing ARIN at great risk of a lawsuit by so doing?)

I think you can see where I'm going with this. You have, I think, tried to demur (is that the right word?)
on ARIN's behalf, from _either_ investigating or, subsequently, from issuing any kind of ``determination'' as regards to whether a given block is being routed by the party or parties who ought to be routing it, or by some uninvited interloper. And you have done so on the basis of your very reasonable sounding claim that ARIN cannot make ``definitive'' determinations about such things. I would argue that this claim simply does not wash for two reasons:

1) ARIN is _already_, apparently, conducting investigations and thence making ``definitive'' determinations, presumably on a routine and ongoing basis, about things relating to the allocations that it, and it alone, is the official Keeper of Records for. And ARIN is already doing this, even in the absence of God-like certainty about the conclusions it reaches, and which it subsequently uses as a basis for further action.

2) If you (ARIN) claim to be utterly unable to make definitive determinations about what blocks belong to who, or who should be routing what, then (a) what exactly are we paying you for?? ... just kidding... *I* am not personally paying you... but more importantly (b) if even *you guys* cannot make definitive determinations about these things, then God help the rest of us! Because we mere mortals out here have a lot less data, knowledge, expertise, and experience than you ARIN folks have, and if you folks say you can't ``definitively'' figure out what belongs to who, then it sounds from where I'm sitting like you're saying that things inside of ARIN are just as bad as they were inside AIG the day _it_ went belly up... papers scattered all over the floors, and nobody even knows what all they actually own.

Do I think that this is what you are trying to tell me? No. Do I even for a moment imagine that the inside of your shop... ARIN... is a confused and tangled mess like AIG was in its last days? No. No way. Not at all. Quite the opposite. I think you folks... as the official Keepers of the Records...
can... and apparently _do_ routinely make ``definitive'' determinations about the proper interpretation of the records that you yourselves keep. I'd just like to see you get on with it.

Just saying that you can't ever know anything, definitively, because you're not God, is not a compelling argument to support the view that you should never do anything, or say anything, because you are not omniscient. None of us are. But we still get up in the morning and go to work. One does one's best, and leaves the rest to history.
There are some heuristics that will suggest something is "fishy" about use of a network block...
SOME??? Try a lot. (I'll be more than happy to share with you folks anything and everything that I, bloodhound-like, manage to glean. All I ask is that you at least accept it... which the response I received earlier seemed to indicate that you were not even willing to do. The teeny little one-inch by two-inch data entry window you have on your fraud reporting form doesn't help much either, and is very off-putting in a way that makes it seem like it was intended to be that way.)
but are you actually suggesting that ARIN would revoke resources as a result of that?
Did I say that? Again, I have tried to be clear, but in this case it seems that I may have failed.

No, I *do not* expect ARIN to go out, guns drawn, and start chopping people's wires. No, I *do not* expect ARIN to do whatever might be implied by this terminology you are using now, which is entirely foreign to me. I have no real idea what sorts of hot-pokers-up-the-backside you may be implying by your use of this terminology "revoke resources", but whatever it means, it certainly sounds terribly ominous and foreboding, and rather like something that I wouldn't wish on my worst enemy... especially given the context and the way you phrased your question. So no, please *do not* go around ``revoking resources''... whatever the hell that means.

Certainly, if some half-dead, left-for-dead dot-bomb company has a /18, and if your records still say that they have a /18, then they still have a /18. Period. And if then, some hijacker punk criminal comes along and starts routing that /18... well... he's a shmuck, and ought to be dealt with. But the old Dot-Bomb semi-defunct company still does ``own'' (please excuse my use of that terminology, which I'm sure you won't approve) that block. So you shouldn't be ``revoking'' anything. That's not what any of this is about.

All I want from ARIN, and all I expect from ARIN, in cases like these are (a) at least some willingness and effort expended to investigate and (b) at least *some sort* of (perhaps minimalist) public statement to the effect of ``Look folks, we've looked at this, and in our opinion, what's going on here just doesn't look kosher.''

I would be satisfied if that ``minimalist public statement'' would be in the form of a discrete little annotation within the relevant WHOIS record(s)... you know... rather like what you folks are _already_ attaching to POC records, only maybe worded a little stronger than that, when you can see some really clear hanky panky going on... as in the cases I have publicised here recently.
Of course, that said, that's kind-of my minimum request. If it were entirely up to me, you guys would call a big press conference, with CNN, MSNBC (and of course, Comedy Central, BUT NOT FIXED NEWS!) every time you caught another one of these fly-by-night hijacker jokers red-handed... as it would appear I just have, in at least two of the cases I've reported on. (I infer that, with a high level of certainty, from the fact that these nitwits already stopped announcing routes to the space they had so obviously stolen. If it was really yours in the first place, then you wouldn't just give it back the minute somebody yelled ``thief'', now would you?) And after the press conference, everyone would be invited to come out by the pool for free beer and sandwiches, and a good time would be had by all, as we collectively burned the hijacker in effigy.

But you know, I'm not really expecting all of that, so just however much of it you can manage to put together would be just fine by me. (Hell! I'll even volunteer to spring for, and bring, the beer and the sandwiches. Did I mention I was from California? I guess it's kind-of obvious now, huh?)

So anyway, have I managed, successfully, to make my desires more clear and apparent now? I hope so. No, I neither want nor expect ARIN to be pulling plugs out of sockets, or to be diddling the global routing table, or to be ``revoking'' anything... least of all any allocations previously made to some perfectly legit company who, through only the minor sin of inattention, got their stuff hijacked out from under them. Revoking _their_ right-to-use would simply be adding insult to injury. Don't you agree?

I'd just like to see investigations and some form of public statement(s) at the ends of those. And I won't even mind if you have corporate counsel water down the public statement so much that it ends up looking like the verbal equivalent of barely raising an eyebrow.
I do understand that ARIN, like the rest of us, has to somehow survive and get by in this litigious environment. So I don't even care what the public statements say, or even what subtle or un-subtle forms they take. Just so long as it is understood, within the community, that (wink wink nod nod) whenever ARIN says that ``Some evidence suggests that the routing for this block may be non-normative, as per Paragraph B, Subsection F, of the Addendum to the Bylaws of the Regulations, updated, (c)1947, (c)1972, revised Sept 27th, 2007, with respect to E.12 in sum and overview, as pertaining to all parts or to the sum of the parts, together, when viewed as a unit.'' we all know and understand that this really means ``hijacked''.

(Ask your corporate counsel. I'm sure that he'll be able to suggest some equally obscure and convoluted way of saying ``hijacked'' without ever actually using that word itself. That's what they are best at, after all... making simple English statements utterly imponderable.[1])

Whatever doesn't get you sued is fine by me. As long as you investigate and then say _something_ about these kinds of cases.
In those rare cases where the perp is considerate enough to ALSO fiddle the relevant WHOIS records in some fraudulent way, THEN (apparently) ARIN will get involved, but only to the extent of re-jiggering the WHOIS record(s). Once that's been done, they will happily leave the perp to announce all of the fraudulent routes and hijacked space he wants, in perpetuity.
Correct. We will revoke the address space, but I'm uncertain what else you suggest we do... could you elaborate here?
See above. Investigate. Then somehow... in watered-down words, and buried in the WHOIS records, if necessary... tell us what you found out.

As I've said, I really don't think I'm asking for much. And I'll say again too, you guys are the Keepers of the Records. If even you guys can't say what they mean or how that meaning might or might not comport with current existing objective reality (as known to us all via looking glass servers) then God help us all! Because in that case, I think we are REALLY screwed, and nobody knows anything, and the next stop is cannibalism.

Regards,
rfg

P.S. I meant to also inquire about those POC unable-to-contact annotations. What should be inferred from those, exactly? Could you please enumerate the ways in which your staff try (and sometimes, apparently, fail) to make contact with these POCs? Is it all strictly done via e-mail? Do your people ever try to _telephone_ any of these folks at the numbers you force them to give you as part of establishing a POC record in the first place? Do your people ever try contacting the POCs via snail-mail?

I hope you see where I'm headed. If some poor fool with too much time on his hands... you know... like me... submits something via your fraud reporting form... I mean... you know... after you fix it so that the amount of info that can be sent to you folks via the form is somewhat bigger than this:

http://www.active-robots.com/products/intelligent-displays/lcd/16x2lcd-750.j...

...then my hope is that you would *not* just ``investigate'' by sending off an e-mail to the purported POC e-mail address, and then waiting a week to see if anything comes back.

There's this wonderful new invention... you may have heard of it, although in my experience, an awful lot of Internet geeks refuse to use it. Why, I don't really know.
Actually, here is a rare photo of a geek actually using one:

http://farm1.static.flickr.com/5/5040260_a2c426a753.jpg

So, you know, if you get a hijacking report, maybe, just maybe, could you please, please, please pick up the phone and make a call and just even try to see if the POC is alive or dead?

http://farm4.static.flickr.com/3433/3176717757_20515698bf.jpg

=======
[1] See also: "Sir Humphrey Appleby"