Purchasing IPv4 space - due diligence homework
All,

Side stepping a migration to IPv6 debate.... I'd like to hear advice from the group about performing due diligence research on an IPv4 block before purchasing it on the secondary market (on behalf of an end-user company). My research has branched into two questions: a) What 'checks' should I perform?, and b) what results from those checks should cause us to walk away?

My current list is:

1. Check BGP looking glass for route. It should not show up in the Internet routing table. If it does, walk away.
2. Check the ARIN registry. The longer history without recent transfers or changes is better. I don't know what explicit results should cause me to walk away here.
3. Check SORBS blacklisting. It should not show up except maybe the DUHL list(?). If it does, walk away.

Anything else? Advice?

Thanks,
Matt
Hi,

While I think #3 is important, it depends on your use of the end-block, and those entries can sometimes be cleaned up with some work. If the block is listed, that would certainly lower the buying price I am willing to pay for the block. I did buy a block once in the ARIN region which showed up in IP geolocation databases as Russian (no idea why), but it took me quite a while to get it fixed.

Sincerely,
Jeffrey Hathaway
Information Technology • Howard Center Inc.
Jeffrey,

Thanks. A good start, but under-scoped.

When you are purchasing IP number blocks, whatever source you use (a marketplace, a broker, a single source) should provide you with a compelling history on a number block REPUTATION that includes all the attributes listed below and then some. Some of the blocks I’ve seen being discussed lately appear notorious. In one case I counted 17 different RBLs being attributed to it. Checking Spamhaus is good, but then there are many others and some not so well known. There are many embedded in devices (remember auto config) that will never be updated.

For most, do not buy v4 number blocks without a pro and you’ll sorta know when they talk about everything but price. Price matters, but if it's unusable or you need to spend a month cleaning it up, no income = more cost.

Best,

-M<
Well,

I did all three above and still had issues. I am still having issues. I had to contact many people to get off of various blacklists, etc. These are lists that are not published and you will not know until you start using the space.

Luckily, I have had great help from the list here in getting support and in some cases back-channel support. The hard part is getting a hold of the right people.

For example:

Softlayer/IBM was initially blocking my IP space. But, it was not really them. It was NTT on behalf of Softlayer. The request has to come from Softlayer. That has been resolved. I honestly do not even know who to thank.

I am currently fighting the same issue with playstation.com. Akamai is blocking access on behalf of Sony. The request has to come from Sony. After many emails with abuse@playstation, I am making headway. Problem is not solved yet, but I believe they are making headway. Luckily Akamai opened a ticket and told me what to tell the Sony NOC.

Right now, I am fighting some odd ball blocks. Several mobile banking sites. There is not even a support number. I am having to try and use the NOC/Abuse contacts via ARIN first and not having any luck. Try calling a bank and telling them that you are a network engineer and can not access their sites. That goes downhill pretty quick. If you can get past the first line of tech support it is a challenge. "Have you cleared your cookies? You need to call your ISP", then you get a 2nd line person who basically blows you off.

Here is the thing. You will have problems. Just be prepared to make lots of phone calls and send lots of emails. Once you get to the right person, things can get a moving.

John
On Wed, Apr 3, 2019 at 10:34 AM John Alcock <john@alcock.org> wrote:
Well,
I did all three above and still had issues. I am still having issues. I had to contact many people to get off of various blacklists, etc. These are lists that are not published and you will not know until you start using the space.
Here is the thing. You will have problems. Just be prepared to make lots of phone calls and send lots of emails. Once you get to the right person, things can get a moving.
John
My experience has been quite different and quite a bit better. One of the things I paid attention to was who the previous owner of the block was, what sort of company they were, and hence what their likely use case was. I have purchased/deployed a few /23s so far and have yet to run into any issues with blacklists. Some of the space I've purchased came from a small-town ISP which was acquired, and some came from newly-defunct retail-sector organizations. I stayed away from anything that had been associated with any sort of hosting, or that seemed to have been leased out in the past, etc.

You can often check historical routing tables to see if more than one AS has announced the space in the past X number of years to identify blocks that have been leased around, and that's one other component you might want to consider looking at. But ultimately I think my best tactic has been to just check out the organization I'm acquiring it from and make sure they've owned it since the beginning via ARIN records.

Dealing with a reputable broker is probably a good start, too. I've had no issues working with Hilco.

Good luck!
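The historical-routing check described in the message above, as an added Python example that is not part of the original thread: it reduces routing-table snapshots to the origin ASes that announced any part of a candidate block and flags multiple origins, separately announced more-specifics, and current visibility. The CSV layout, the snapshot labels, the prefixes and the AS numbers (documentation ranges) are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample: one row per routing-table snapshot in which a route
# overlapping the block was visible. The CSV layout is an assumption; AS
# numbers and prefixes come from the documentation ranges.
SAMPLE_HISTORY = """\
snapshot,prefix,origin_as
2012-01,198.51.100.0/23,64496
2012-02,198.51.100.0/23,64496
2015-06,198.51.100.0/24,64500
2015-07,198.51.100.0/24,64500
2017-03,198.51.101.0/24,64505
2019-03,198.51.100.0/23,64496
2011-05,203.0.113.0/24,64510
"""


def origin_history(candidate, history_csv):
    """Map each origin AS to its first/last snapshot and announced prefixes."""
    cand = ipaddress.ip_network(candidate)
    seen = {}
    for row in csv.DictReader(io.StringIO(history_csv)):
        net = ipaddress.ip_network(row["prefix"])
        if not net.overlaps(cand):
            continue  # route is unrelated to the candidate block
        snap = row["snapshot"]
        rec = seen.setdefault(int(row["origin_as"]),
                              {"first": snap, "last": snap, "prefixes": set()})
        rec["first"] = min(rec["first"], snap)  # YYYY-MM sorts correctly as text
        rec["last"] = max(rec["last"], snap)
        rec["prefixes"].add(net)
    return seen


def assess(candidate, history_csv, latest_snapshot):
    """Summarise the routing signals the thread names for a candidate block."""
    cand = ipaddress.ip_network(candidate)
    hist = origin_history(candidate, history_csv)
    more_specific = sorted(
        {p for rec in hist.values() for p in rec["prefixes"]
         if p.prefixlen > cand.prefixlen})
    return {
        "origins": sorted(hist),
        # More than one origin AS over time may mean the space was leased out.
        "multiple_origins": len(hist) > 1,
        # Origins still seen in the newest snapshot: the block is routed today.
        "routed_in_latest": sorted(
            asn for asn, rec in hist.items() if rec["last"] == latest_snapshot),
        # Pieces of the block announced separately from the covering prefix.
        "more_specifics": [str(p) for p in more_specific],
    }


if __name__ == "__main__":
    report = assess("198.51.100.0/23", SAMPLE_HISTORY, latest_snapshot="2019-03")
    for key, value in report.items():
        print(f"{key}: {value}")
```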
I used this gentleman’s PowerShell script and modified it slightly to check a block last summer. The broker we were using said that they also did their due diligence on the addresses, but I wanted to do our own because of the cost of the IPs.

https://www.saotn.org/powershell-blacklist-check-script/

We worked with the Brander Group as a broker. They were great and have since launched a portal/storefront I believe.

Kind regards,
Sam.
On Wed, 03 Apr 2019 15:20:17 -0000, "Torres, Matt via NANOG" said:
3. Check SORBS blacklisting. It should not show up except maybe the DUHL list(?). If it does, walk away.
SORBS isn't the only place to check. As an example, if Spamhaus doesn't have nice things to say about the block, it's time to start asking questions.... http://www.anti-abuse.org/multi-rbl-check/ has a fairly good list of places that could give your customer a bad time (whether or not the listing is deserved - the point is that being listed anywhere there will probably mean problems that have to be cleaned up) You may all now begin the religious war over where else to check.
A big +1 to checking Spamhaus, specifically their DROP and EDROP lists. These two lists are what causes us most pain when acquiring IPv4 space as a lot of providers put auto blocking in place based on these two which can be difficult to get removed.

I won’t even contemplate prefixes on either of these lists unless the seller knocks $5/IP off the purchase price because of the associated time and pain trying to clean it up.
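The blocklist checks discussed in the two messages above (multiple RBLs, and DROP/EDROP-style prefix lists), as an added Python example that is not part of the original thread: it reports list entries that overlap a candidate prefix and spot-checks addresses against DNSBL zones. The list contents, the `CIDR ; reference` layout, the prefixes (documentation ranges) and the zone name `dnsbl.example` are constructed assumptions; substitute the list file and zones you actually use.

```python
import ipaddress
import socket

# Constructed sample in an assumed "CIDR ; reference" layout with ";" comments.
# Prefixes are documentation ranges and the references are placeholders.
SAMPLE_DROP = """\
; constructed sample, not real list data
192.0.2.0/24 ; REF-PLACEHOLDER-1
198.51.100.128/25 ; REF-PLACEHOLDER-2
"""

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers


def parse_drop(text):
    """Return [(network, reference)] from DROP-style text, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        entries.append((ipaddress.ip_network(cidr.strip()), ref.strip()))
    return entries


def drop_overlaps(candidate, entries):
    """Entries that cover, equal, or sit inside the candidate prefix."""
    cand = ipaddress.ip_network(candidate)
    return [(str(net), ref) for net, ref in entries if net.overlaps(cand)]


def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def sample_hosts(candidate, per_24=2):
    """Spot-check addresses taken from every /24 of the block."""
    cand = ipaddress.ip_network(candidate)
    subnets = [cand] if cand.prefixlen >= 24 else cand.subnets(new_prefix=24)
    picks = []
    for sub in subnets:
        hosts = list(sub.hosts())
        step = max(1, len(hosts) // per_24)
        picks.extend(str(h) for h in hosts[::step][:per_24])
    return picks


def check_dnsbl(candidate, zones, resolve=socket.gethostbyname):
    """Return (ip, zone, answer) for every sampled address a zone lists."""
    hits = []
    for ip in sample_hosts(candidate):
        for zone in zones:
            try:
                answer = resolve(dnsbl_name(ip, zone))
            except OSError:
                # NXDOMAIN means "not listed"; a resolver failure looks the
                # same here, so re-run from a second resolver before trusting
                # a clean result.
                continue
            if ipaddress.ip_address(answer) in LISTED_RANGE:
                hits.append((ip, zone, answer))
    return hits


if __name__ == "__main__":
    block = "198.51.100.0/23"  # constructed candidate prefix
    for net, ref in drop_overlaps(block, parse_drop(SAMPLE_DROP)):
        print(f"{block} overlaps listed {net} ({ref})")
    # Offline demo: print the names that would be queried in a placeholder zone.
    for ip in sample_hosts(block):
        print(dnsbl_name(ip, "dnsbl.example"))
```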
I cleaned two blocks last year with Spamhaus and others. Took me less than two weeks and Spamhaus were the quickest of the bunch (we're talking about a full or two business days).

PSN can be tricky, same for Netflix and whatnot but I always put these new blocks in "quarantine" for a couple of weeks by using these services with random IPs in a new block.

In order, I began to announce the prefixes right after the transfers were approved by ARIN. I then contacted Spamhaus and the others roughly a week later. As I mentioned, Spamhaus were really reactive. The others responded in about 2 weeks.

What helped us (I think) is that we're a listed MANRS participant (so filtering, BCP38, proper NOC/Ops contacts). We also sign all of our routes with ROAs, proper route objects in an IRR and PTRs generated for every IP.
The issue isn’t with Spamhaus itself per se, more providers who implement automated edge filters based on those lists and then take a long time to get removed manually.
I’d like to ask a related question (I’m not questioning why you need IPv4 space) but are you also deploying IPv6 as well? If not, is there a reason?

In my copious spare time I’m doing a small FTTH network and many services do work well with IPv6 while others (banks are an example) perhaps don’t.

We have T-Mobile USA saying with their network most bits go out as v6, so I’m guessing there’s that 5-10% you need v4 for if you deploy as aggressively as they do.

Mostly curious if you are doing IPv6 if you see that slowing your need for v4 or if they are growing at the same rate.

- Jared
On Wed, 03 Apr 2019 11:58:23 -0400, Jared Mauch said:
Mostly curious if you are doing IPv6 if you see that slowing your need for v4 or if they are growing at the same rate.
And remember kids - the more you can push off to native IPv6, the longer you can push off an upgrade to your CGNAT box. ;)
For me, this is a big reason why if you’re doing CGNAT you want to complement it with IPv6.

At IETF last week there was an interesting discussion about the fact that things like DHCPv6-PD do not explicitly say that a DHCPv6-PD prefix should be inserted into the routing table (!), and you may not have the tools you need to manage these prefixes as a result.

In DHCPv4 land of course you give out prefixes that are connected, but in DHCPv6-PD you may get something from a /56 to a /64 which may mean that route needs to go into your IGP.

- Jared
Do you have sources for the ~90% T-Mobile IPv6? Not arguing, but to use that as a source myself when spreading the IPv6 good word.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
On 04-04-19 at 01:14, Mike Hammett wrote:
Do you have sources for the ~90% T-Mobile IPv6? Not arguing, but to use that as a source myself when spreading the IPv6 good word.
https://www.worldipv6launch.org/apps/ipv6week/measurement/images/graphs/T-Mo...

https://stats.labs.apnic.net/ipv6/US (a bit slow, but informative)

--
Marco
On Wed, Apr 3, 2019 at 8:20 AM Torres, Matt via NANOG <nanog@nanog.org> wrote:
due diligence research on an IPv4 block [...] what results from those checks should cause us to walk away?
Hi Matt,

I think it also depends on your intended use. If you want a flawlessly clean block you can use for anything, you'll spend more time and money than if it just has to accommodate a particular use case.

Run a mail server? Better be clean as a whistle. Geolocation only moderately important.

Eyeball source? Past mail abuse may not be an issue but past DOS source could be and woe betide those who don't pay attention to where in the world Maxmind thinks the block is located.

Web, DNS or game servers? It almost doesn't matter. Unless past abuse was so bad that folks straight-up black holed it in the network, users will be able to connect to you.

It's also worth considering whether you can move non-sensitive services from older known-clean addresses to the new blocks, freeing those older addresses for use in the more challenging application.

Regards,
Bill Herrin

--
William Herrin, herrin@dirtside.com, bill@herrin.us
Dirtside Systems, Web: <http://www.dirtside.com/>
participants (13)

- Eric Dugas
- Jared Mauch
- Jeffrey Hathaway
- John Alcock
- Marco Davids
- Martin Hannigan
- Matt Harris
- Mike Hammett
- Nikolas Geyer
- Sam Roche
- Torres, Matt
- Valdis Klētnieks
- William Herrin