Re: The in-your-face hijacking example, was: Re: Who is announcing bogons?
At 06:09 AM 30-04-03 +0000, Christopher L. Morrow wrote:
That may be true, but what does a provider do when they are presented with written 'authority to use address space' from a customer? Certainly if the customer provides 'proper' documentation that the ip space is available for them to route, and that they have authority from the 'owner' to do this... what is an ISP to do? Aside from route the blocks?
A very valid question and one that all too few ISPs handle. How many ISPs have as part of their implementation/provisioning process an item called "check IP address space against IRRs"? I would suggest that written proof of ownership is not enough and that part of the legal framework each ISP has customers complete that it state something to the effect "IP address space and ASNs announced by the customer must be properly registered in one of the online IRRs such as ARIN, RADB, APNIC or RIPE and must reflect the name of the organization placing the request." -Hank
On 2003-04-30-03:26:47, Hank Nussbacher <hank@att.net.il> wrote:
A very valid question and one that all too few ISPs handle. How many ISPs have as part of their implementation/provisioning process an item called "check IP address space against IRRs"? [...]
A good first step, but is this adequate? What about folks who go so far as to incorporate under the name of a defunct which has legacy B/C space, register their domains, get POC and address information changed, and then submit a request to announce said address space? What recourse does the provider, or IP registry, have in this situation? Difficult to say "no," as the request looks legitimate in all regards. (Yes, it's happening...) -a
On 4/30/2003 at 3:26 AM, Hank Nussbacher wrote:
At 06:09 AM 30-04-03 +0000, Christopher L. Morrow wrote:
That may be true, but what does a provider do when they are presented with written 'authority to use address space' from a customer? Certainly if the customer provides 'proper' documentation that the ip space is available for them to route, and that they have authority from the 'owner' to do this... what is an ISP to do? Aside from route the blocks?
A very valid question and one that all too few ISPs handle. How many ISPs have as part of their implementation/provisioning process an item called "check IP address space against IRRs"?
I would suggest that written proof of ownership is not enough and that part of the legal framework each ISP has customers complete that it state something to the effect "IP address space and ASNs announced by the customer must be properly registered in one of the online IRRs such as ARIN, RADB, APNIC or RIPE and must reflect the name of the organization placing the request."
-Hank
It has been brought to my attention that such written/faxed authorization letters are outright forged at times. Copy&Paste job on the letterhead, an imaginary letterhead for a company that hasn't been in existence for years, etc.
In light of the recent hijackings, any customer coming in the door with a /16 or with purported IP space located in a /16 that has been recently updated, but not routed, should be given the full royal treatment of a background check: Pull over and show us your state incorporation certificate and your seal...and dare you if the corporation is listed as "inactive" with the state, or the incorporation date is past the date the space was registered, or you don't have the paperwork showing your legal successorship to such corporation.
The fact that a customer owns a domain that includes DNS servers and MX's for the registered POCs for a space means nothing (paging Scott Granados!). Just have a look at rogue AS 27595 (RegDate: 2003-04-07) (atrivo.com) interesting 'ownership' of some of their announced space:

OrgName: ISD
OrgID: ISD-1
Address: 180 Golf Club Road #118
City: Pleasant Hill
StateProv: CA
PostalCode: 94523

NetRange: 170.208.0.0 - 170.208.255.255
CIDR: 170.208.0.0/16
NetName: LANET-1
NetHandle: NET-170-208-0-0-1
Parent: NET-170-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM
Comment:
RegDate: 1995-01-05
Updated: 2003-03-04

How many owners of a /16 do you know that use an MBE/UPS Store address as their primary place of business?
This is matching the current ARIN POC for the space:

Name: Kacperski, Emil
Handle: EKA4-ARIN
Company: Atrivo
Address: 180 Golf Club Road #118
City: Pleasant Hill
StateProv: CA
PostalCode: 94523

http://kepler.ss.ca.gov/list.html shows no fitting matches for "ISD" or "I.S.D." residing anywhere near Pleasanton, nor is there any corporation by the name of "Atrivo" in the California Republic.
And comparing this record with a historical one shown at: http://spews.org/html/S2489.html shows:

OrgName: ISD
OrgID: ISD-1
Address: 1324 South Ridge Parkway
City: Beverly Hills
StateProv: CA
PostalCode: 90210
Updated: 2003-01-23

TechHandle: DS127-ARIN
TechName: Shelley, Dennis
TechPhone: +1-213-246-6565
TechEmail: dshelley58@netscape.net

This is a non-existing address as shown by Yahoo Maps, Mapquest and Mapsonus, in other words: pure fiction.
Any other owners of freemail accounts in possession of a free /16 ?
Paging ARIN: who or what is that "ISD" corporation that this /16 was originally assigned to, back in 1995 (a year before ARIN was formed)?
In unrelated news: can someone explain to me the exact meaning of multiple AS numbers enclosed in {}'s (or []'s as far as RIS RIPE's display is concerned) at the end of the AS path?

* 162.33.64.0/19 207.246.129.6 0 11608 2914 3356 14390 {22714,27481} i
* 4.0.4.90 1080 0 1 701 14390 {22714,27481} i
* 203.194.0.5 0 9942 1 701 14390 {22714,27481} i
* 192.205.31.33 0 7018 3356 14390 {22714,27481} i
* 195.66.224.82 31502 0 4513 3356 14390 {22714,27481} i
* 216.140.2.59 981 0 6395 3356 14390 {22714,27481} i

I am familiar with announcements with inconsistent AS's, but what exactly does the above mean?
bye,Kai
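Added example, not part of the thread and not any poster's code: a sketch of the provisioning-time screening that Hank ("check IP address space against IRRs") and Kai (a /16 "recently updated, but not routed") argue for, run over the whois records quoted above. The thresholds, the freemail list, the function names, the flag names and the second (/20) record are assumptions constructed for illustration; whether the prefix is currently routed must come from the operator's own routing table.

```python
import ipaddress
from datetime import date

RECENT_DAYS = 90        # assumption: window for "recently updated" / "recently registered"
LEGACY_YEARS = 5        # assumption: gap between RegDate and Updated that marks old space
LARGE_PREFIXLEN = 16    # the thread singles out requests for a /16
FREEMAIL = {"netscape.net", "hotmail.com", "yahoo.com"}  # assumed list; netscape.net is from the thread

# Netblock record as quoted in the thread.
THREAD_NET = """\
OrgName: ISD
OrgID: ISD-1
NetRange: 170.208.0.0 - 170.208.255.255
CIDR: 170.208.0.0/16
NetName: LANET-1
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM
Comment:
RegDate: 1995-01-05
Updated: 2003-03-04
"""
# Earlier ISD-1 contact record as quoted in the thread.
THREAD_POC = """\
OrgID: ISD-1
Updated: 2003-01-23
TechHandle: DS127-ARIN
TechEmail: dshelley58@netscape.net
"""
# Constructed contrast case: a /20 whose record has not changed in over two years.
SAMPLE_NET = """\
OrgName: Example Networks
CIDR: 10.20.0.0/20
RegDate: 1998-06-01
Updated: 2000-11-15
"""
SAMPLE_POC = "TechEmail: noc@example.net\n"


def parse_whois(text):
    """Parse ARIN-style 'Key: value' lines; repeated keys accumulate, empty values are dropped."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            rec.setdefault(key.strip(), []).append(value.strip())
    return rec


def screen_request(net_text, poc_text, asn_regdate, request_date, routed_now):
    """Return the list of reasons to escalate a route request to a manual background check.

    NameServer entries are parsed but deliberately not scored: control of the
    DNS/MX hosts named in a record is not evidence of a right to the space.
    """
    net, poc = parse_whois(net_text), parse_whois(poc_text)
    prefix = ipaddress.ip_network(net["CIDR"][0])
    registered = date.fromisoformat(net["RegDate"][0])
    updated = date.fromisoformat(net["Updated"][0])

    recently_updated = 0 <= (request_date - updated).days <= RECENT_DAYS
    legacy = (updated - registered).days >= LEGACY_YEARS * 365
    flags = []
    if prefix.prefixlen <= LARGE_PREFIXLEN and recently_updated and not routed_now:
        flags.append("large-block-recently-updated-and-unrouted")
    if legacy and recently_updated:
        flags.append("legacy-registration-changed-recently")
    if 0 <= (request_date - asn_regdate).days <= RECENT_DAYS:
        flags.append("origin-asn-recently-registered")
    for email in poc.get("TechEmail", []):
        if email.rsplit("@", 1)[-1].lower() in FREEMAIL:
            flags.append("contact-uses-freemail")
    return flags


if __name__ == "__main__":
    request = date(2003, 4, 30)  # date of the thread, used here as the request date
    # AS 27595 RegDate is from the thread; routed_now=False because the block was unannounced.
    print(screen_request(THREAD_NET, THREAD_POC, date(2003, 4, 7), request, False))
    # Constructed ASN date and routing state for the contrast case.
    print(screen_request(SAMPLE_NET, SAMPLE_POC, date(1999, 1, 10), request, True))
```

A non-empty result means the request goes to manual review (incorporation and successorship paperwork, a call to the registry) rather than straight to provisioning; an empty result does not prove the registration is genuine.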
When doing a look up at whois.arin.net the data looks correct, phone numbers listed are correct, and more importantly bills sent to the address listed get paid. So since the whois data matches the customer and nobody else announces the block I don't see the problem. Clearly someone or something at Arin has given authority to this block to be used and that authorized figure has requested service from us. I'm not sure the mission you're on but it seems like a real misuse of time. This customer is not advertising someone else's space ie advertising 18.0.0.0 for a goof or to be disrupting services. The customer has his name attached to a block which appears in a public database and matches the records we have internally for the customer. I checked before announcing the block and no other announcements existed not even from the same AS at that time. And this AS is a real AS so far as I can tell paid for. Unless I'm missing something obvious <which is possible> I don't see the problem.
On Wed, 30 Apr 2003, Kai Schlichting wrote:
On 4/30/2003 at 3:26 AM, Hank Nussbacher wrote:
At 06:09 AM 30-04-03 +0000, Christopher L. Morrow wrote:
That may be true, but what does a provider do when they are presented with written 'authority to use address space' from a customer? Certainly if the customer provides 'proper' documentation that the ip space is available for them to route, and that they have authority from the 'owner' to do this... what is an ISP to do? Aside from route the blocks?
A very valid question and one that all too few ISPs handle. How many ISPs have as part of their implementation/provisioning process an item called "check IP address space against IRRs"?
I would suggest that written proof of ownership is not enough and that part of the legal framework each ISP has customers complete that it state something to the effect "IP address space and ASNs announced by the customer must be properly registered in one of the online IRRs such as ARIN, RADB, APNIC or RIPE and must reflect the name of the organization placing the request."
-Hank
It has been brought to my attention that such written/faxed authorization letters are outright forged at times. Copy&Paste job on the letterhead, an imaginary letterhead for a company that hasn't been in existence for years, etc.
In light of the recent hijackings, any customer coming in the door with a /16 or with purported IP space located in a /16 that has been recently updated, but not routed, should be given the full royal treatment of a background check: Pull over and show us your state incorporation certificate and your seal...and dare you if the corporation is listed as "inactive" with the state, or the incorporation date is past the date the space was registered, or you don't have the paperwork showing your legal successorship to such corporation.
The fact that a customer owns a domain that includes DNS servers and MX's for the registered POCs for a space means nothing (paging Scott Granados!). Just have a look at rogue AS 27595 (RegDate: 2003-04-07) (atrivo.com) interesting 'ownership' of some of their announced space:
OrgName: ISD
OrgID: ISD-1
Address: 180 Golf Club Road #118
City: Pleasant Hill
StateProv: CA
PostalCode: 94523

NetRange: 170.208.0.0 - 170.208.255.255
CIDR: 170.208.0.0/16
NetName: LANET-1
NetHandle: NET-170-208-0-0-1
Parent: NET-170-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM
Comment:
RegDate: 1995-01-05
Updated: 2003-03-04
How many owners of a /16 do you know that use an MBE/UPS Store address as their primary place of business?
This is matching the current ARIN POC for the space:

Name: Kacperski, Emil
Handle: EKA4-ARIN
Company: Atrivo
Address: 180 Golf Club Road #118
City: Pleasant Hill
StateProv: CA
PostalCode: 94523
http://kepler.ss.ca.gov/list.html shows no fitting matches for "ISD" or "I.S.D." residing anywhere near Pleasanton, nor is there any corporation by the name of "Atrivo" in the California Republic.
And comparing this record with a historical one shown at: http://spews.org/html/S2489.html shows:
OrgName: ISD
OrgID: ISD-1
Address: 1324 South Ridge Parkway
City: Beverly Hills
StateProv: CA
PostalCode: 90210
Updated: 2003-01-23

TechHandle: DS127-ARIN
TechName: Shelley, Dennis
TechPhone: +1-213-246-6565
TechEmail: dshelley58@netscape.net
This is a non-existing address as shown by Yahoo Maps, Mapquest and Mapsonus, in other words: pure fiction.
Any other owners of freemail accounts in possession of a free /16 ?
Paging ARIN: who or what is that "ISD" corporation that this /16 was originally assigned to, back in 1995 (a year before ARIN was formed)?
In unrelated news: can someone explain to me the exact meaning of multiple AS numbers enclosed in {}'s (or []'s as far as RIS RIPE's display is concerned) at the end of the AS path?
* 162.33.64.0/19 207.246.129.6 0 11608 2914 3356 14390 {22714,27481} i
* 4.0.4.90 1080 0 1 701 14390 {22714,27481} i
* 203.194.0.5 0 9942 1 701 14390 {22714,27481} i
* 192.205.31.33 0 7018 3356 14390 {22714,27481} i
* 195.66.224.82 31502 0 4513 3356 14390 {22714,27481} i
* 216.140.2.59 981 0 6395 3356 14390 {22714,27481} i
I am familiar with announcements with inconsistent AS's, but what exactly does the above mean?
bye,Kai
On Wed, 30 Apr 2003 16:46 (UT), Scott Granados <scott@wworks.net> wrote:
| Clearly someone or something at Arin has given authority to this block
| to be used and that authorized figure has requested service from us.
I wouldn't say it was at all clear that "someone or something" at ARIN has given any authority for anything. Some - indeed several - records at ARIN have clearly been changed - fairly recently (the handle ISC1 on 2003-03-05, and the Netblock 170.208.0.0/16 on 2003-03-04, AS 27595 on 2003-04-07 - but netblock 170.208.0.0/20 was created before any of that, on 2003-01-23, and has AFAICT not changed since then.
Previously ISD-1 showed:

OrgName: ISD
OrgID: ISD-1
Address: 1324 South Ridge Parkway (Mapquest confirms no such address)
City: Beverly Hills
StateProv: CA
PostalCode: 90210
Updated: 2003-01-23
TechHandle: DS127-ARIN
TechName: Shelley, Dennis
TechPhone: +1-213-246-6565 (mobile range, number not in service)
TechEmail: dshelley58#netscape.net

So there was a change to ISD1 on the same day that 170.208.0.0/20 was created, where the address/phone number were a total fiction and the email address was at a free email service and probably untraceable?
ARIN shows that block as being LANET-1; LANET-1 is listed by ARIN as:

OrgName: State of Louisiana
OrgID: STATEO-4
Address: Department of Health and Hospitals
Address: Information Services
Address: PO Box 3013
City: Baton Rouge
StateProv: LA
PostalCode: 70821
Country: US

ASNumber: 2048
ASName: LANET-1
ASHandle: AS2048
RegDate: 1992-12-07
Updated: 1995-05-22

TechHandle: JL141-ARIN
TechName: Joseph Lanier
TechPhone: +1-504-342-7701
TechEmail: blanier#doa.state.la.us

(Of course, the postholders have changed and there's been an area code split since 1992 ... this is an ANCIENT /16 block!)
| Unless I'm missing something obvious <which is possible>
Well, Kai summarised it rather well when he asked:
How many owners of a /16 do you know that use an MBE/UPS Store address as their primary place of business?
More to the point, do you not do credit checks as part of your "Due Diligence" these days? What credit check would pass when the primary address is at an MBE/UPS Store?
I'm happy to give full credit to the Spamhaus Project, and ARIN, as sources of some of the information I used during this investigation.
Full details of Spamhaus records are at: http://snurl.com/19fq
I've had to delay reporting this by about six hours as, out of courtesy, I wanted to ensure that the appropriate people at Baton Rouge were aware of the situation before anything was announced.
-- Richard Cox
I would not be so sure that LANET-1 ASN has anything to do with LANET-1 Network or with LANET organization id. When ARIN was setting up names for organizations, networks, etc, it was doing it out of first two letters of company name, plus net plus a number. This would not be the first time that different companies got same name for asn and netblock, nor would such be considered an error in their database, though if any of these organizations report such to arin and request different network name, they will do it to remove the confusion.
A quick check shows that State of Louisiana has a number of ip blocks with names lanet* and they are all linked to ASN2048:

[whois.arin.net]
OrgName: State of Louisiana
OrgID: STATEO-4
Address: Department of Health and Hospitals
Address: Information Services
Address: PO Box 3013
City: Baton Rouge
StateProv: LA
PostalCode: 70821
Country: US
Comment:
RegDate: 1992-08-24
Updated: 1994-04-25

Resources Used By Organization:
State of Louisiana (AS2048) LANET-1 2048
State of Louisiana LADOA (NET-192-206-109-0-1) 192.206.109.0 - 192.206.109.255
State of Louisiana LANET8 (NET-192-239-252-0-1) 192.239.252.0 - 192.239.252.255
State of Louisiana LANET9 (NET-192-239-253-0-1) 192.239.253.0 - 192.239.253.255
State of Louisiana LANET10 (NET-192-239-254-0-1) 192.239.254.0 - 192.239.254.255
State of Louisiana LANET3 (NET-198-51-207-0-1) 198.51.207.0 - 198.51.207.255
State of Louisiana DHHLA (NET-198-203-166-0-1) 198.203.166.0 - 198.203.166.255

Given the above I would suspect that if state of louisiana indeed had 170.208.0.0, it would be linked to their main organization id (given that all blocks that were obtained earlier were) and it is not. This does not necessarily mean this was not their block, it just the same that we do not know it for certain and have no good evidence either way.
"LA" is also often used to represent names for organizations with names beginning with "Los Angeles" (and organization "Los Angeles Network ..." would get first priority on LANET name). In particular here is what I find in ARIN database as well:

[whois.arin.net]
OrgName: County of Los Angeles
OrgID: CLA-6
Address: Internal Services Department
Address: 9150 E. Imperial Hwy
City: A Downey
StateProv: CA
PostalCode: 90242
Country: US

NetRange: 159.83.0.0 - 159.83.255.255
CIDR: 159.83.0.0/16
NetName: LANET
NetHandle: NET-159-83-0-0-1
Parent: NET-159-0-0-0-0
NetType: Direct Assignment
NameServer: DNS1.CO.LA.CA.US
NameServer: PHOENIX.CO.LA.CA.US
Comment:
RegDate: 1992-03-20
Updated: 1998-02-18

Now the block in question (170.208.0.0/16) is listed for "ISD", unfortunately ARIN creates names the first letters of first 3 words in organization names are used for acronym, so there are lots of names beginning with ISD in their database (like "Intelligent Systems Designs", "Interlake School Division", "Information Services Department", etc). It's more interesting to look at networks that are assigned to organizations that have name "ISD":

[whois.arin.net]
Innovative Systems Design ISD (NET-204-107-85-0-1) 204.107.85.0 - 204.107.85.255
ISD LANET-1 (NET-170-208-0-0-1) 170.208.0.0 - 170.208.255.255
isd UU-65-212-131-192-D3 (NET-65-212-131-192-1) 65.212.131.192 - 65.212.131.199
ISD 625 - ST PAUL PUBLIC SCHOOL Q0904-205-215-222-0 (NET-205-215-222-0-1) 205.215.222.0 - 205.215.222.255
ISD Corporation PBI-CUSTNET-3996 (NET-216-100-252-0-1) 216.100.252.0 - 216.100.252.255
ISD CORPORATION QWEST-65-115-100-0 (NET-65-115-100-0-1) 65.115.100.0 - 65.115.100.127
ISD CORPORATION Q1209-63-149-253-0 (NET-63-149-253-0-1) 63.149.253.0 - 63.149.253.127
ISD NORTH DAKOTA FON-106830092861637 (NET-63-172-250-128-1) 63.172.250.128 - 63.172.250.255
ISD DSLNET-20001206-00128 (NET-64-205-53-128-1) 64.205.53.128 - 64.205.53.159
ISD 709 CPINTERNET-21 (NET-209-240-238-16-1) 209.240.238.16 - 209.240.238.31
ISD Inc SBCIS-101912-131748 (NET-66-73-231-96-1) 66.73.231.96 - 66.73.231.103
ISD Inc SBC068078085176030328 (NET-68-78-85-176-1) 68.78.85.176 - 68.78.85.183
ISD Infotech pvt Ltd. STPH16 (NET-196-12-47-0-1) 196.12.47.0 - 196.12.47.255

Looking into various addresses I find that "ISD Corporation" has locations in Riverside (CA), Corona (CA) and San Jose (CA). Two of these addresses are in LA area, so they would be my first choice what ISD stands for for that block, but it does look like ISD Corporation has not been involved in internet until recently, but maybe there was some very old history there now forgotten. In any case I would more likely suspect that LA in that block stands for Los Angeles than for Louisiana. But overall in ARIN records I can not find any conclusive answer what company this block was originally used at.
On Wed, 30 Apr 2003, Richard Cox wrote:
On Wed, 30 Apr 2003 16:46 (UT), Scott Granados <scott@wworks.net> wrote:
| Clearly someone or something at Arin has given authority to this block | to be used and that authorized figure has requested service from us.
I wouldn't say it was at all clear that "someone or something" at ARIN has given any authority for anything. Some - indeed several - records at ARIN have clearly been changed - fairly recently (the handle ISC1 on 2003-03-05, and the Netblock 170.208.0.0/16 on 2003-03-04, AS 27595 on 2003-04-07 - but netblock 170.208.0.0/20 was created before any of that, on 2003-01-23, and has AFAICT not changed since then.
Previously ISD-1 showed:
OrgName: ISD
OrgID: ISD-1
Address: 1324 South Ridge Parkway (Mapquest confirms no such address)
City: Beverly Hills
StateProv: CA
PostalCode: 90210
Updated: 2003-01-23
TechHandle: DS127-ARIN
TechName: Shelley, Dennis
TechPhone: +1-213-246-6565 (mobile range, number not in service)
TechEmail: dshelley58#netscape.net
So there was a change to ISD1 on the same day that 170.208.0.0/20 was created, where the address/phone number were a total fiction and the email address was at a free email service and probably untraceable?
ARIN shows that block as being LANET-1; LANET-1 is listed by ARIN as:
OrgName: State of Louisiana
OrgID: STATEO-4
Address: Department of Health and Hospitals
Address: Information Services
Address: PO Box 3013
City: Baton Rouge
StateProv: LA
PostalCode: 70821
Country: US

ASNumber: 2048
ASName: LANET-1
ASHandle: AS2048
RegDate: 1992-12-07
Updated: 1995-05-22

TechHandle: JL141-ARIN
TechName: Joseph Lanier
TechPhone: +1-504-342-7701
TechEmail: blanier#doa.state.la.us
(Of course, the postholders have changed and there's been an area code split since 1992 ... this is an ANCIENT /16 block!)
| Unless I'm missing something obvious <which is possible>
Well, Kai summarised it rather well when he asked:
How many owners of a /16 do you know that use an MBE/UPS Store address as their primary place of business?
More to the point, do you not do credit checks as part of your "Due Diligence" these days? What credit check would pass when the primary address is at an MBE/UPS Store?
I'm happy to give full credit to the Spamhaus Project, and ARIN, as sources of some of the information I used during this investigation.
Full details of Spamhaus records are at: http://snurl.com/19fq
I've had to delay reporting this by about six hours as, out of courtesy, I wanted to ensure that the appropriate people at Baton Rouge were aware of the situation before anything was announced.
Actually yes, you can use mbe / ups drops and po boxes for credit checks and for incorporation etc. In point of fact a credit check was done including the contacting of three trade references and some other searches, I can't speak as well to this as I didn't do the check myself but in this case the customer passed as I do know no deposit was required and in many cases they are. Many times PO boxes are used and PO boxes can be gotten from the PO obviously but also from third parties.
On Wed, 30 Apr 2003, Richard Cox wrote:
On Wed, 30 Apr 2003 16:46 (UT), Scott Granados <scott@wworks.net> wrote:
| Clearly someone or something at Arin has given authority to this block | to be used and that authorized figure has requested service from us.
I wouldn't say it was at all clear that "someone or something" at ARIN has given any authority for anything. Some - indeed several - records at ARIN have clearly been changed - fairly recently (the handle ISC1 on 2003-03-05, and the Netblock 170.208.0.0/16 on 2003-03-04, AS 27595 on 2003-04-07 - but netblock 170.208.0.0/20 was created before any of that, on 2003-01-23, and has AFAICT not changed since then.
Previously ISD-1 showed:
OrgName: ISD
OrgID: ISD-1
Address: 1324 South Ridge Parkway (Mapquest confirms no such address)
City: Beverly Hills
StateProv: CA
PostalCode: 90210
Updated: 2003-01-23
TechHandle: DS127-ARIN
TechName: Shelley, Dennis
TechPhone: +1-213-246-6565 (mobile range, number not in service)
TechEmail: dshelley58#netscape.net
So there was a change to ISD1 on the same day that 170.208.0.0/20 was created, where the address/phone number were a total fiction and the email address was at a free email service and probably untraceable?
ARIN shows that block as being LANET-1; LANET-1 is listed by ARIN as:
OrgName: State of Louisiana
OrgID: STATEO-4
Address: Department of Health and Hospitals
Address: Information Services
Address: PO Box 3013
City: Baton Rouge
StateProv: LA
PostalCode: 70821
Country: US

ASNumber: 2048
ASName: LANET-1
ASHandle: AS2048
RegDate: 1992-12-07
Updated: 1995-05-22

TechHandle: JL141-ARIN
TechName: Joseph Lanier
TechPhone: +1-504-342-7701
TechEmail: blanier#doa.state.la.us
(Of course, the postholders have changed and there's been an area code split since 1992 ... this is an ANCIENT /16 block!)
| Unless I'm missing something obvious <which is possible>
Well, Kai summarised it rather well when he asked:
How many owners of a /16 do you know that use an MBE/UPS Store address as their primary place of business?
More to the point, do you not do credit checks as part of your "Due Diligence" these days? What credit check would pass when the primary address is at an MBE/UPS Store?
I'm happy to give full credit to the Spamhaus Project, and ARIN, as sources of some of the information I used during this investigation.
Full details of Spamhaus records are at: http://snurl.com/19fq
I've had to delay reporting this by about six hours as, out of courtesy, I wanted to ensure that the appropriate people at Baton Rouge were aware of the situation before anything was announced.
-- Richard Cox
On Wed, 30 Apr 2003, Scott Granados wrote:
In point of fact a credit check was done including the contacting of three trade references and some other searches, I can't speak as well to this as I didn't do the check myself but in this case the customer passed as I do know no deposit was required and in many cases they are. Many times PO boxes are used and PO boxes can be gotten from the PO obviously but also from third parties.
is wworks official position then that this customer is doing nothing wrong? -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
I'd say our official position is that I'm not sure:). I'm just unclear on this whole thing so forgive me, just being honest. Is basically what you're saying that somehow Atrivo or someone for them probably played some games with headers or whatever and stole the ip range by tricking Arin? Am I getting this correct? Or is something else at work? Because I can see real reasons for transfers and so on or if something improper is going on then of course we'd be against it. I'm just unclear and not certain that anything improper has happened yet.
----- Original Message -----
From: "Dan Hollis" <goemon@anime.net>
To: "Scott Granados" <scott@wworks.net>
Cc: "Richard Cox" <Richard@mandarin.com>; <nanog@merit.edu>
Sent: Wednesday, April 30, 2003 4:22 PM
Subject: Re[2]: The in-your-face hijacking example, was: Re: Who is announcing bogons?
On Wed, 30 Apr 2003, Scott Granados wrote:
In point of fact a credit check was done including the contacting of three trade references and some other searches, I can't speak as well to this as I didn't do the check myself but in this case the customer passed as I do know no deposit was required and in many cases they are. Many times PO boxes are used and PO boxes can be gotten from the PO obviously but also from third parties.
is wworks official position then that this customer is doing nothing wrong?
-Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Just to add to this discussion. I looked at the arin entry again, all of his data including name, address, telephone number are valid. 925-550-3947 rings directly to Emil personally I don't care what kind of phone it is cell, landline, ip phone it's him who answers:). It's also their published business number. It matched their trade references and bank data as well on the credit side <I asked after the last post>. So sincerely I'm not sure what the problem is. Now someone mentioned that LAnet owned the block. If LAnet calls me up or sends me proper proof it's their block I'd pull the announcement. Else, if someone here convinces me that it's improper, I'll pull the announcement, but on the surface I do think he's on ok Ground. I actually asked Emil to join the list and discussion on this I'm assuming it's on topic.
----- Original Message -----
From: "Dan Hollis" <goemon@anime.net>
To: "Scott Granados" <scott@wworks.net>
Cc: "Richard Cox" <Richard@mandarin.com>; <nanog@merit.edu>
Sent: Wednesday, April 30, 2003 4:22 PM
Subject: Re[2]: The in-your-face hijacking example, was: Re: Who is announcing bogons?
On Wed, 30 Apr 2003, Scott Granados wrote:
In point of fact a credit check was done including the contacting of three trade references and some other searches, I can't speak as well to this as I didn't do the check myself but in this case the customer passed as I do know no deposit was required and in many cases they are. Many times PO boxes are used and PO boxes can be gotten from the PO obviously but also from third parties.
is wworks official position then that this customer is doing nothing wrong?
-Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Wed, Apr 30, 2003 at 12:34:07PM -0400, Kai Schlichting wrote:
In light of the recent hijackings, any customer coming in the door with a /16 or with purported IP space located in a /16 that has been recently updated, but not routed, should be given the full royal treatment of a background check: Pull over and show us your state incorporation certificate and your seal...and dare you if the corporation is listed as "inactive" with the state, or the incorporation date is past the date the space was registered, or you don't have the paperwork showing your legal successorship to such corporation.
Given that lots of companies reincorporate fairly often, typically to change where they're incorporated, what type of corporation, etc... I don't find this terribly compelling. It's just as easy to forge a bill of sale as it is these other forms of documentation. Same problem, different documents. --msa
Exactly, and I'm not sure what the whole reason for this thread is with the exception of I do understand if the space is previously announced. If the requirements for arin are met and if arin makes the appropriate changes to the whois records isn't that enough? Obviously, making announcements can be more complex than that ie a customer has company A ip space but buys service from company B so they wish to announce a's IPs through B. If swip or rwhois data matches again this should be ok assuming someone referred to as a contact makes the request. If someone uses company B's network to announce for company A IP space and A hasn't updated whois or doesn't authorize such advertisements then provider B should and I'd think must withdraw announcements of company A's space.
On Wed, 30 Apr 2003, Majdi S. Abbas wrote:
On Wed, Apr 30, 2003 at 12:34:07PM -0400, Kai Schlichting wrote:
In light of the recent hijackings, any customer coming in the door with a /16 or with purported IP space located in a /16 that has been recently updated, but not routed, should be given the full royal treatment of a background check: Pull over and show us your state incorporation certificate and your seal...and dare you if the corporation is listed as "inactive" with the state, or the incorporation date is past the date the space was registered, or you don't have the paperwork showing your legal successorship to such corporation.
Given that lots of companies reincorporate fairly often, typically to change where they're incorporated, what type of corporation, etc... I don't find this terribly compelling.
It's just as easy to forge a bill of sale as it is these other forms of documentation. Same problem, different documents.
--msa
[summary. - What started as a posting of an example for widespread wrongful, if not criminal conduct involving hijacking of IP space is now progressing into particulars of that example that most certainly doesn't concern network operations at large, rather than the general issue of stolen/hijacked/embezzled IP allocations in use by rogue parties for rogue purposes. This I fear will be with us for some considerable time to come. Please restrain your follow-up postings to the NANOG list bearing this in mind.]
On 4/30/2003 at 12:46 PM, Scott Granados <scott@wworks.net> wrote:
When doing a look up at whois.arin.net the data looks correct, phone numbers listed are correct, and more importantly bills sent to the address listed get paid. So since the whois data matches the customer and nobody else announces the block I don't see the problem. Clearly someone or
Clearly you don't see the problem. Or won't.
something at Arin has given authority to this block to be used and that authorized figure has requested service from us.
ARIN has done no such thing, as I have documented with meticulous detail. ARIN assigns IP space to organizations, not individuals owning the POC, and such POCs are not authorized to act on their own and make use of such assignment for another organization on their own whim. I call on ARIN to immediately suspend the assignment of 170.208.0.0/16 based on the probable cause I and others have delivered that make it likely, if not certain, that the ARIN principles of assignment have been violated in this case. Do I need to mention "Trafalgar House Group"?
I'm not sure the mission you're on but it seems like a real misuse of time. This customer is not advertising someone else's space ie advertising 18.0.0.0 for a goof or to be disrupting services.
See "96.0.0.0/3" below to avoid me having to repeat my own arguments. I think you are quite sure about my mission about now. Some examples have to be made to deter others.
On 4/30/2003 at 6:20 PM, Scott Granados <scott@wworks.net> wrote:
Exactly, and I'm not sure what the whole reason for this thread is with the exception of I do understand if the space is previously announced. If
You are questioning the purpose of this discussion re: your direct customer's use of illicit/stolen/hijacked IP space, unless the space was 'previously used', while the purpose is, as you have certainly noticed, that the allocated space's registration is by nearly all stretches of imagination illicit, fraudulent or both? Gee, let's see: I will start to announce 96.0.0.0/3 starting NOW, because: well, it's not used, and I have somehow gained control over "iana.org": what is the big deal anyway, you say?
the requirements for arin are met and if arin makes the appropriate changes to the whois records isn't that enough?
And you have been presented with bona fide probable cause that such changes that were made BY YOUR CUSTOMER (unless you want to blame the automatic form processors at ARIN for not paying attention, as I am quite sure that no humans there were involved until now) were made in bad faith and while deceiving ARIN about matters of identity regarding that allocation?
Obviously, making announcements can be more complex than that ie a customer has company A ip space but buys service from company B so they wish to announce a's IPs through B. If swip or rwhois data matches again this should be ok assuming someone referred to as a contact makes the request.
Not if you are presented with an unusual request, such as authorization for the announcement of an entire /16 that had its contact details changed days before - in that case, one can reasonably expect a whole different level of scrutiny than for say: a /20 that has up-to-date contact info yet has not been updated in 2-3 years. ARIN does have a listed phone number, you know.
On 4/30/2003 at 6:42 PM, Scott Granados <scott@wworks.net> wrote:
In point of fact a credit check was done including the contacting of three trade references and some other searches,
care to share the name of the corporation and D&B number of that business you ran this check against, presuming it was the sought-after "OrgName: ISD"?
On 4/30/2003 at 7:50 PM, Scott Granados <scott@wworks.net> wrote:
I'd say our official position is that I'm not sure:). I'm just unclear on this whole thing so forgive me, [...] [.............] I'm just unclear and not certain that anything improper has happened yet.
I am not clear. And there is no bridge. And you are probably unclear about THIS as well:
On 4/30/2003 at 6:56 PM, Kevin Brott <kbrott@ELI.NET> wrote on SPAM-L:
Date: Wed, 30 Apr 2003 15:56:50 -0700
Subject: Re: BLOCK: wworks.net/AS26346, update SPEWS S2489
At 02:17 PM 4/30/2003, Little Punk wrote:
And the beat goes on: 170.208.0.0/16 sliced, diced and meshed by Kai over on the NANOG list.
All routes to/from the of the parts of that block under wworks.net are currently suppressed at our edge routers. This was prompted by having our senior firewall admin discover through some clever logfile correlations that they were the source of daily vigorous open-proxy scans across portions (if not the entirety) of all of our registered netblocks. Notices to wworks.net only resulted in claimed null-routes, whereupon the IP of the source shifted at the next expected scan-time.
Our engineering staff is currently working on a more 'permanent' fix.
=== Today's Fortune === He who hesitates is last.
(the fortune has an eerie significance here, I think)
And following up on that, I have personal email in my Inbox that has a few similar things to say about you and your downstream Atrivo to that effect, Scott. I think your credibility with me is reaching a very deep low very fast, and the fact that abuse.net is listing no less than 3 of your upstreams as contacts for complaints relating to wworks.net is a very big hint that some people out there are not very satisfied with your handling of abuse issues, with some of these issues being pointed out to you by other people in this thread. It makes me think that it will become necessary to address abuse issues involving IP space announced with your AS in the AS path directly with AS's 11608, 8121, 293, 6517, 6939 instead of you. Not that the latter 2 would care to address such issues one bit.
On 4/30/2003 at 8:04 PM, Scott Granados <scott@wworks.net> wrote:
[...] So sincerely I'm not sure what the problem is. Now someone mentioned that LAnet owned the block. If LAnet calls me up or sends me proper proof it's their block I'd pull the announcement. Else, if someone here convinces me that it's improper, I'll pull the announcement,
<sarcasm mode on> "gee kid! you can't continue to hit up stores and gas stations like that! If I catch you the next time, there'll be SERIOUS consequences! Now, move along!" *pat-on-back* </sarcasm>
That reminds me of UUnet and Teleglobe's treatment of rogue AS 16506 (ayayai.com/eveloz.com/SPEWS S1348) recently, when confronted with the unlikely possibility that a German steel mill had moved to the swamps of Panama (152.143.0.0/16). Teleglobe filtered the announcement after other people's intervention (but after ignoring 2 complaints pointing out the obvious from me) or made AS 16505 stop it with a "friendly warning", while UUnet outright denied being responsible, or AS 16506 being their customer to begin with (at least that's what the official email correspondence would make any reader believe); then went on with business as usual.
[ Nice going, UUnet. Are your managers and VPs-of-something-or-other drawing matches over who will take the blame and go to prison for housing relay- and proxy-raping spamware sites ("burglary tools") in violation of the new Virginia spam law, and defending such hosting up to VP level for 2-3 years ? (see www.spamhaus.org, there was a reference to that a while ago)]
but on the surface I do think he's on ok ground. I actually asked Emil to join the list and discussion on this I'm assuming it's on topic.
Oh, didn't we look forward to that.
On 5/1/2003 at 1:42 AM, emil@atrivo.com wrote: [reformatted to 78 columns - which some folks here will appreciate]
Let's see if we can clarify this once and for all. ISD owner was a good friend of mine and helped me when I ran a computer store.
good friends/individuals do not have /16's allocated to them. Big institutions have /16's. Such institutions are decidedly too busy and not in the business of helping other people run their computer stores.
Without him I couldn't run the store and over the years I have repaid him for his contributions.
so nice!
A few years ago I closed the computer store and started Atrivo.
Do you pay taxes in California, Emil? Is your business incorporated? If it's not incorporated, have you filed a D/B/A "Atrivo" with the state? (With apologies to Hank and Barry: http://www.nanog.org/mtg-0302/ppt/hank.pdf) "Pull over and show us your state incorporation certificate and business seal!"
After discussing our expansion plans to Rob, I came to find out that he did possess a /16 which his now defunct company wasn't using anymore.
So his name is "Rob", hmm? Rob who? Care to name the defunct corporation, its corporate officers and provide us with the obvious link through http://kepler.ss.ca.gov/list.html ? ARIN will be most interested to hear that Rob believes he owns a /16. Is Rob the legal receiver of assets of his defunct corporation? (never mind that allocated space is not a tangible asset that can be owned by ARIN's understanding).
But if we follow Richard Cox's posted lead: http://euclid.math.brandeis.edu/turtschi/whois/netb22.html dated Sept 19, 1999, containing the then-registrant of this /16:
170.208.0.0 ISD NET-LANET-1 9150 E. Imperial Hwy. Downey, CA 90242
which leads us directly to: http://www.google.com/url?sa=U&start=10&q=http://ops.co.la.ca.us/scripts/BrdLtExtnd4Cntrcts.9.23.02%2520for%2520WEB.pdf&e=912 dated Sept 19, 2002 :
"5. ISD-Downey Data Processing Center 9150 East Imperial Highway, Downey 90242"
Leading me to believe that this /16 is allocated to Los Angeles County's data processing center, and not "Rob" . How telling: points 2. through 4. in the document describe "District Attorney" facilities - an entity I took the liberty of Cc:'ing on this mail. Why don't you turn yourself in for this great stunt at this point, Emil? I am sure that'll avoid unnecessary time spent in Lompoc or at the Pelican Bay State penitentiary.
From that point I found out what it would take from Arin to have us use the space. We followed all the steps that Arin had told us to do.
I am sure that ARIN will make any emails regarding this available for scrutiny by a trusted party and the LA County's DA's office.
We of course wanted to update contact information to reflect the new change and so we can respond to any issues that may arrive running a ISP.
I am wondering what we will get if someone faxes the UPS Store and demands to see what you list as your corporate HQ on the paperwork when you opened that PO BOX. You ARE using the box for commercial purposes and in public, after all, which is enough to satisfy the disclosure requirements under Postal CMRA regulations.
All our providers and vendors know us as a respectable company.
As long as the bills get paid on time, they will hardly if ever have a problem with the ongoing abuse from your netblock and the /16 that I continue to say is hijacked, for lack of further evidence beyond the information we have, and which evidence is establishing probable cause for that statement.
There is nothing wrong that we have done and all this witch hunting is unjust and unfair. Might I mention that Spews, SpamHaus or anyone that has
ugh, oh. The words "Witch hunt" and "SPEWS, Spamhaus" were uttered in the same breath. History will repeat itself.
made these claims has not even attempted to give me a call.
You run an 'ISP' and expect to deal with such an affair without email, given the complexity of the affair?
On 5/1/2003 at 2:28 AM, Dan Hollis wrote and summed this up:
> Maybe because they expect your email to actually work, and don't
> care to spend money calling you long distance?
> You have got porno spammers in these netblocks scanning for open
> relays and relay raping innocent third parties.
read: repeat 'business' as far as abuse is concerned, and I think I have heard the word "null-route" once too many times by now. Null-route is not customer "termination and sanctions". Especially not when the source of abuse is going elsewhere in your space within a short period of time.
I have even tried to make arrangements to meet up at the colo and to show anyone that we are for real. Of course this has been always declined.
no one here wants proof that you operate equipment in a datacenter. We already knew that.
Well I don't know how much this will help, since it seems that no matter what I offer or do is just not enough. Maybe I have to give my DNA just to prove who I am?
Oh, we will reasonably believe that you exist and are a real person. Just like Nick Geyer. What we want is proof beyond a reasonable doubt that you didn't deceive ARIN or violate ARIN allocation rules in taking over that /16. And that proof can't come from you at this point, for obvious lack of credibility, given the allegations and probable cause.
Atrivo - Web Innovation Emil Kacperski Phone: 925-550-3947 E-mail: emil@atrivo.com ICQ: 23531098
The unincorporated corporation operating out of a UPS Store, armed with a PacBell cell phone and an ICQ account, and proud POC of a /16. Are you implying that 1372 North Main Street, Ste #205, Walnut Creek, CA 94596, 925-627-2000 is no longer your business address/number?
And last but not least:
On 5/1/2003 at 2:20 AM, Scott Granados <scott@wworks.net> wrote:
I would also like to state on Emil's behalf [...] Emil has on many occasions restarted machines or helped with server work in the colos we occupy together
We see. I think that cooperation will be the subject of further questioning.
I'll also publicly offer here to assist Emil in obtaining a direct allocation which would be entirely new if he wishes that may put this matter to bed as well.
I don't think the state allows routed Internet connections to where Emil might be heading next, so he might not be needing it. And if you are indeed sharing facilities like that, why did he need his own ASN?
I'm quite certain that this has gone way way off topic however so I'll stop here and hopefully we can get back to more operational discussions.
"How to set up your route-prefix filters to drop all routes received with a specific AS present in the AS path" - but that wouldn't teach anyone here anything new.
Current routes for the /16:
170.208.0.0/19 16631 27595
170.208.0.0/24 16631
170.208.6.0/24 16631 (was 6939 26346 27595 earlier today)
170.208.7.0/24 16631 (was 6939 26346 27595 earlier today)
170.208.8.0/24 16631
170.208.14.0/24 11608 26346
170.208.15.82/32 11608 26346 (how does 11608 leak that into the Oregon-IX?) (Scott said: "Can't have one on 170.208.15.82 I null routed it some time ago as it was a compromised machine." Gee. So has anyone recorded this route, and if yes: when?)
170.208.17.0/24 11608 26346
Moved 2 /24's to Cogent in a hurry? And obviously, filtering 170.208.14.0/24 and 170.208.17.0/24 to world (except AS 27595 peering, with no-export set) would have been a grand idea for wworks.net (26346), but whaddaya know.
bye,Kai
I know I'm going to regret this, and I'm not debating that this particular network block was hijacked, but I do have a couple of questions.
On Thu, 1 May 2003, Kai Schlichting wrote:
good friends/individuals do not have /16's allocated to them. Big institutions have /16's. Such institutions are decidedly too busy and not in the business of helping other people run their computer stores.
Perhaps today, but in the pre-CIDR days it wasn't that hard to get a "Class B" network (what people would call a /16 today). Even relatively small networks needed to get Class B's due to RIP, subnets, etc. If you had more than about 64 network devices, you probably needed a Class B. That was one of the big reasons for CIDR.
If you look closely at many of the early registration records for old networks you'll find lots of questionable entries. Why was the network for F.ROOT-SERVERS.NET (192.5.5.241) registered in 1984, but the domain for ISC.ORG not registered until 1994? Why does the city and state for the ISC.ORG domain registration show up as "null?"
Registrant: Internet Software Consortium (ISC2-DOM) 950 Charter Street null US
Domain Name: ISC.ORG
According to the California Secretary of State web portal, the Internet Software Consortium filed their corporate papers on December 17, 1997. So we have a 1997 corporation with a 1994 domain name using a 1984 network. Is this proof of evil intent? Should all ISPs immediately cease routing the network block for F.ROOT-SERVERS.NET because of questionable registration records?
Just like Nick Geyer. What we want is proof beyond a reasonable doubt that you didn't deceive ARIN or violated ARIN allocation rules in taking over that /16. And that proof can't come from you at this point, for obvious lack of credibility, given the allegations and probable cause.
Back to the original question Chris Morrow asked a long time ago. What should be considered acceptable proof? If Paul Vixie showed up on my doorstep tomorrow, and asked me to route 192.5.5.0; what proof should I accept from him (or anyone) to demonstrate beyond a reasonable doubt he has the authority to route a particular network?
On Thursday, May 1, 2003, at 23:27 America/Phoenix, Sean Donelan wrote:
Back to the original question Chris Morrow asked a long time ago. What should be considered acceptable proof?
If Paul Vixie showed up on my doorstep tomorrow, and asked me to route 192.5.5.0; what proof should I accept from him (or anyone) to demonstrate beyond a reasonable doubt he has the authority to route a particular network?
oh! i know! because i know paul, and will personally vouch for him? -b
On Thu, May 01, 2003 at 11:36:55PM -0700, brett watson wrote:
On Thursday, May 1, 2003, at 23:27 America/Phoenix, Sean Donelan wrote:
Back to the original question Chris Morrow asked a long time ago. What should be considered acceptable proof?
If Paul Vixie showed up on my doorstep tomorrow, and asked me to route 192.5.5.0; what proof should I accept from him (or anyone) to demonstrate beyond a reasonable doubt he has the authority to route a particular network?
oh! i know! because i know paul, and will personally vouch for him?
To which the response is usually something like: "Then you are obviously a co-conspirator, and we will now begin investigating your involvement. Please provide all of your information and justify everything you are doing, before we post everything we can find on you to a mailing list or newsgroup."
-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
I know I'm going to regret this, and I'm not debating that this particular network block was hijacked, but I do have a couple of questions.
i think these are reasonable questions and the answers may be instructive.
Why was the network for F.ROOT-SERVERS.NET (192.5.5.241) registered in 1984
it was an old DEC block, used to contain TOPS20.DEC.COM i think. in the old days, transferring network ownership just required consent by both parties. since i represented both parties, well, you get the idea.
but the domain for ISC.ORG not registered until 1994?
because it took a year after me leaving DEC (in 1993) to get ISC organized.
Why does the city and state for the ISC.ORG domain registration show up as "null?"
Registrant: Internet Software Consortium (ISC2-DOM) 950 Charter Street null US
Domain Name: ISC.ORG
because when networksolutions folded, spindled, and mutilated SRI's whois data for the Nth time, there was information lost (and gained for that matter). i am gradually sorting it all out but it's Really Hard now, not like the old e-mail template days.
According to the California Secretary of State web portal, the Internet Software Consortium filed their corporate papers on December 17, 1997.
well so without knowing what city to look in, you have no way to know what fictitious name statements or business licenses were issued earlier than the state's incorporation goo. (i was only an egg in those days.)
So we have a 1997 corporation with a 1994 domain name using a 1984 network. Is this proof of evil intent? Should all ISPs immediately cease routing the network block for F.ROOT-SERVERS.NET because of questionable registration records?
i hope not, since i think the questionability has some answerability. (in other words, i hope y'all judge by merit not by rule.)
If Paul Vixie showed up on my doorstep tomorrow, and asked me to route 192.5.5.0; what proof should I accept from him (or anyone) to demonstrate beyond a reasonable doubt he has the authority to route a particular network?
in my case, answerability and continuity. but in the general case, i dunno. -- Paul Vixie
Good judgement should prevail. That's the problem when you start calling for a bureaucratic solution. Bureaucrats read from manuals and are inflexible. We have two blocks that had outdated information on them that took 3 years of haggling with ARIN to fix.
----- Original Message -----
From: "Paul Vixie" <vixie@vix.com>
To: <nanog@merit.edu>
Sent: Friday, May 02, 2003 13:38
Subject: Re: How to prove 192.5.5.0/24 is authorized?
At 1:51 PM -0500 5/2/03, John Palmer wrote:
Good judgement should prevail. That's the problem when you start calling for a bureaucratic solution. Bureaucrats read from manuals and are inflexible.
Computers also read very rigid instruction sets and are completely inflexible and brittle and will do the same thing over and over until directed to do otherwise.
The authentication process back in 1992 when I applied for my first netblocks from the InterNIC was twofold. Firstly, I had to figure out where and how to get a netblock. Secondly, I had to secure an Internet connection and pay to have my transit provider announce it. In the first case, I had to attain a sufficient level of clue before my forms were finally accepted. (I think that it was even one half-time position managing that entire process by hand then.) In the second case, it was a financial barrier since I was paying for transit. (~$1,500/mo for a 56K as I recall.) Untoward events tended to be technical mistakes as opposed to outright fraudulent behavior. (Default route injection into BGP, etc.) If you had enough clue and enough money, you were authorized to announce a network. In 1992, this used to be a reasonable barrier as there was little financial incentive to spend upwards of $20,000 for hardware and $18,000 a year for bandwidth. Plus, the InterNIC would pretty much give you what you wanted as long as you knew the proper incantations on the forms. Bottom line, it was about trust. Trust that you knew what you were doing and that you were not going to take advantage of other operators networks.
Flash forward to 2003, and the base requirements are still the same: clue and money. (And as with other processes in capitalistic societies, if you have enough money, you don't even need a clue.) Clue is easier today to obtain since everything you need to know is a few mouse clicks away to the entire world as opposed to buried on an ftp server that only a few hundred people know about. The hardware and bandwidth costs are for all practical purposes close enough to zero not to worry about.
As I've seen discussed here over and over, we're still operating on trust even when we know that there are network operators out there that don't give a damn if or how the technical system works as long as they are making money. They don't care if they screw us over in the process. They blithely violate our trust because they _just_don't_care_. Periodically we have our regular 'tragedy of the commons' discussions and we build more fences (read: filters,) and fret about the rabble that keep climbing over our fences and trampling our lands and breaking our fences. Now we're faced with the fact that the rabble have discovered where we were getting our fence materials from (the RIR's,) and are starting to build their own fences and then we go out into our lands, spot these new fences, scratch our heads and go, "Gee, did my neighbor build that or not?"
Until we collectively get off of our butts and make something like SBGP, (I'm not advocating this method over any other, just using it as a talking point,) a requirement of network operation, we're going to continue to get screwed by unscrupulous network operators who will continue to cost us our time and our money to deal with them while they make their money.
My quick spin through the ARIN web site shows one proposed policy that basically says that there should be correct contact information for a record. http://www.arin.net/policy/2003_2.html It says nothing about authentication, which is the root of our problem here. We need to re-build our web of trust somehow and then move forward from there. I view our situation as analogous to medieval bankers. Business is growing like crazy, but unless we get our act together and build new webs of trust, authentication and information exchange, it will inhibit our ability to scale the network effectively and leave us exposed to fraud.
I'm at a point where I have some time that I can contribute to the effort, but before I go and re-invent the wheel here or tilt at a windmill, I see from the archives that there was some activity going on in 2000 with regards to this issue. Can someone point me to more recent efforts in this area?
-- Regards, Chris Kilbourn Founder
digital.forest Int'l: +1-425-483-0483 where Internet solutions grow http://www.forest.net
On Fri, May 02, 2003 at 02:27:08AM -0400, Sean Donelan wrote:
I know I'm going to regret this, and I'm not debating that this particular network block was hijacked, but I do have a couple of questions. [snip]
Probably the only real answers sound sarcastic:
- There's continuity in the announcements that don't make it appear suspect
- Paul/the ISC is a smart hijacker, responsive to concerns/complaints and not the source of them.
-- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
On Wed, Apr 30, 2003 at 12:34:07PM -0400, Kai Schlichting wrote:
In unrelated news: can someone explain to me the exact meaning of multiple AS numbers enclosed in {}'s (or []'s as far as RIS RIPE's display is concerned) at the end of the AS path?
* 162.33.64.0/19 207.246.129.6 0 11608 2914 3356 14390 {22714,27481} i
* 4.0.4.90 1080 0 1 701 14390 {22714,27481} i
* 203.194.0.5 0 9942 1 701 14390 {22714,27481} i
* 192.205.31.33 0 7018 3356 14390 {22714,27481} i
* 195.66.224.82 31502 0 4513 3356 14390 {22714,27481} i
* 216.140.2.59 981 0 6395 3356 14390 {22714,27481} i
This means the address space was aggregated by a different AS than originated it, for instance parts of 162.33.64.0/19 were originated by AS 22714 and 27481, but AS 14390 aggregated these to the prefix above. By using the AS_SET notation, one can prevent the loss of origination AS information allowing loop avoidance. -Jon
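Added example, not part of any poster's message and not code from the thread: a small Python parser for AS paths written the way the table above prints them, keeping the trailing {…} AS_SET as its own segment, together with the "drop all routes received with a specific AS present in the AS path" filter mentioned earlier in the thread. The function names are hypothetical, and the sample routes are constructed from the paths quoted in the thread.

```python
import re

# A token is a plain AS number or an AS_SET. Routers print the set in braces,
# {22714,27481}; RIPE RIS uses square brackets, so both styles are accepted.
_TOKEN = re.compile(r"\{([^}]*)\}|\[([^\]]*)\]|(\d+)")


def parse_as_path(text):
    """Return segments: ('seq', [asn, ...]) or ('set', frozenset({asn, ...}))."""
    segments = []
    for m in _TOKEN.finditer(text):
        set_body = m.group(1) if m.group(1) is not None else m.group(2)
        if set_body is not None:
            members = frozenset(
                int(a) for a in re.split(r"[,\s]+", set_body.strip()) if a
            )
            segments.append(("set", members))
        else:
            asn = int(m.group(3))
            if segments and segments[-1][0] == "seq":
                segments[-1][1].append(asn)   # extend the current AS_SEQUENCE
            else:
                segments.append(("seq", [asn]))
    return segments


def path_length(segments):
    """Length as used in BGP best-path selection: an AS_SET counts as one hop."""
    return sum(len(v) if kind == "seq" else 1 for kind, v in segments)


def contains_as(segments, asn):
    """True if asn appears anywhere in the path, AS_SET members included.

    Comparing integers avoids the substring trap of text matching, where a
    pattern for 2634 would also hit 26346.
    """
    return any(asn in v for _, v in segments)


def origin_candidates(segments):
    """ASes that may have originated the route: the last AS of a plain path,
    or every member of a trailing AS_SET left behind by an aggregator."""
    if not segments:
        return frozenset()
    kind, v = segments[-1]
    return v if kind == "set" else frozenset([v[-1]])


def filter_routes(routes, denied_as):
    """Keep only (prefix, path_text) pairs whose path does not contain denied_as."""
    return [(p, t) for p, t in routes if not contains_as(parse_as_path(t), denied_as)]


# Constructed sample built from AS paths quoted in the thread.
ROUTES = [
    ("162.33.64.0/19", "11608 2914 3356 14390 {22714,27481}"),
    ("162.33.64.0/19", "7018 3356 14390 {22714,27481}"),
    ("170.208.0.0/19", "16631 27595"),
    ("170.208.14.0/24", "11608 26346"),
    ("170.208.6.0/24", "6939 26346 27595"),
    ("170.208.8.0/24", "16631"),
]

if __name__ == "__main__":
    for prefix, text in ROUTES:
        segs = parse_as_path(text)
        print(prefix, path_length(segs), sorted(origin_candidates(segs)))
    print("after dropping AS 26346:", filter_routes(ROUTES, 26346))
```

Because the filter checks AS_SET members too, a route aggregated by AS 14390 is still caught by a filter on 22714 or 27481, which is the origination information the AS_SET notation preserves.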