Proof of ownership; when someone demands you remove a prefix
We recently received a demand to stop announcing a "fraudulent" prefix. Is there an industry best practice when handling these kind of requests? Do you have personal or company-specific preferences or requirements? To the best of my knowledge, we've rarely, if ever, received such a request. This is relatively new territory.
In this case we have a signed LOA on file for that prefix and I've reached out to our customer to verify the validity of the sender's request. The sender claims to have proof that they are authorized to speak on behalf of the owner. I will wait until I hear from our customer before I consider a response to the sender. I don't get a real sense of legitimacy from the sender making the request. No one else announces the prefix. Nothing about the request appears to be legitimate, especially considering the sender.
I thought about requesting they make changes to their RIR database objects to confirm ownership, but all that does is verify that person has access to the account tied to the ORG/resource, not ownership. Current entries in the database list the same ORG and contact that signed the LOA. When do you get to the point where things look "good enough" to believe someone?
Has anyone gone so far as to make the requestor provide something like a notarized copy stating ownership? Have you ever gotten legal departments involved? The RIR?
I would personally reach out to the technical POC for the customer. Perhaps have your sales rep for the account resolve the issue.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Sean Pedersen Sent: Monday, March 12, 2018 1:47 PM To: nanog@nanog.org Subject: Proof of ownership; when someone demands you remove a prefix
We recently received a demand to stop announcing a "fraudulent" prefix. Is there an industry best practice when handling these kind of requests? Do you have personal or company-specific preferences or requirements? To the best of my knowledge, we've rarely, if ever, received such a request. This is relatively new territory.
In this case we have a signed LOA on file for that prefix and I've reached out to our customer to verify the validity of the sender's request. The sender claims to have proof that they are authorized to speak on behalf of the owner. I will wait until I hear from our customer before I consider a response to the sender. I don't get a real sense of legitimacy from the sender making the request. No one else announces the prefix. Nothing about the request appears to be legitimate, especially considering the sender.
I thought about requesting they make changes to their RIR database objects to confirm ownership, but all that does is verify that person has access to the account tied to the ORG/resource, not ownership. Current entries in the database list the same ORG and contact that signed the LOA. When do you get to the point where things look "good enough" to believe someone?
Has anyone gone so far as to make the requestor provide something like a notarized copy stating ownership? Have you ever gotten legal departments involved? The RIR?
What about contacting ARIN? Does the customer have their own ASN? ETC ETC
On Mon, Mar 12, 2018 at 2:52 PM, Naslund, Steve <SNaslund@medline.com> wrote:
I would personally reach out to the technical POC for the customer. Perhaps have your sales rep for the account resolve the issue.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Sean Pedersen Sent: Monday, March 12, 2018 1:47 PM To: nanog@nanog.org Subject: Proof of ownership; when someone demands you remove a prefix
We recently received a demand to stop announcing a "fraudulent" prefix. Is there an industry best practice when handling these kind of requests? Do you have personal or company-specific preferences or requirements? To the best of my knowledge, we've rarely, if ever, received such a request. This is relatively new territory.
In this case we have a signed LOA on file for that prefix and I've reached out to our customer to verify the validity of the sender's request. The sender claims to have proof that they are authorized to speak on behalf of the owner. I will wait until I hear from our customer before I consider a response to the sender. I don't get a real sense of legitimacy from the sender making the request. No one else announces the prefix. Nothing about the request appears to be legitimate, especially considering the sender.
I thought about requesting they make changes to their RIR database objects to confirm ownership, but all that does is verify that person has access to the account tied to the ORG/resource, not ownership. Current entries in the database list the same ORG and contact that signed the LOA. When do you get to the point where things look "good enough" to believe someone?
Has anyone gone so far as to make the requestor provide something like a notarized copy stating ownership? Have you ever gotten legal departments involved? The RIR?
On Mon, Mar 12, 2018 at 1:46 PM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
We recently received a demand to stop announcing a "fraudulent" prefix. Is there an industry best practice when handling these kind of requests? Do you have personal or company-specific preferences or requirements? To the best of my knowledge, we've rarely, if ever, received such a request. This is relatively new territory.
This could definitely be an attempt at a DoS attack, and wouldn't be the first time I've heard of something like this being done as such.
I thought about requesting they make changes to their RIR database objects to confirm ownership, but all that does is verify that person has access to the account tied to the ORG/resource, not ownership. Current entries in the database list the same ORG and contact that signed the LOA. When do you get to the point where things look "good enough" to believe someone?
They may also be leasing one chunk of space from an organization without actually having access to the RIR db too - in that case, they could ask the org they are leasing from to put in a SWIP with the RIR, but if they don't choose to, then that's not a hard requirement.
On the same token, having access to the org account at the RIR pretty much makes you as legitimate as you're going to be as far as any of us can really tell. If there's an issue where the RIR account has been compromised, then that issue lies between the RIR and their customer, and isn't really your business because you have no way to know whatsoever.
Has anyone gone so far as to make the requestor provide something like a notarized copy stating ownership? Have you ever gotten legal departments involved? The RIR?
A notarized copy stating *ownership* seems overboard. Lots of organizations lease IPv4 space, and lots more now since depletion in many regions, and their use of it is entirely legitimate in accordance with their contractual rights established in the lease agreement with the owner. I'd probably think about looking at the contact info in the RIR whois and ask them, if I had a situation like this myself. Ultimately, the RIR's contact which would be in their whois db should be authoritative more so than anyone else. I doubt the RIR would be able to say much if you contacted them beyond that everything that isn't in whois isn't something they'd share publicly.
Take care, Matt
I've seen this type of situation come up more than a few times with the shadier IP brokers that lease and don't care who they lease to, for example Logicweb, Cloudinnovation ( see bgp.he.net/search?search[search]=cloudinnovation+OR+%22cloud+innovation%22 ), Digital Energy-host1plus. The ranges get abused to hell and back for garbage traffic selling, rate limit bypassing, scraping, proxies, banned from youtube/google/etc for view and like farms, and then thrown away, and the leaser tries to get them unannounced quickly for further resale.
On Mon, Mar 12, 2018, at 11:57 AM, Matt Harris wrote:
On Mon, Mar 12, 2018 at 1:46 PM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
We recently received a demand to stop announcing a "fraudulent" prefix. Is there an industry best practice when handling these kind of requests? Do you have personal or company-specific preferences or requirements? To the best of my knowledge, we've rarely, if ever, received such a request. This is relatively new territory.
This could definitely be an attempt at a DoS attack, and wouldn't be the first time I've heard of something like this being done as such.
I thought about requesting they make changes to their RIR database objects to confirm ownership, but all that does is verify that person has access to the account tied to the ORG/resource, not ownership. Current entries in the database list the same ORG and contact that signed the LOA. When do you get to the point where things look "good enough" to believe someone?
They may also be leasing one chunk of space from an organization without actually having access to the RIR db too - in that case, they could ask the org they are leasing from to put in a SWIP with the RIR, but if they don't choose to, then that's not a hard requirement.
On the same token, having access to the org account at the RIR pretty much makes you as legitimate as you're going to be as far as any of us can really tell. If there's an issue where the RIR account has been compromised, then that issue lies between the RIR and their customer, and isn't really your business because you have no way to know whatsoever.
Has anyone gone so far as to make the requestor provide something like a notarized copy stating ownership? Have you ever gotten legal departments involved? The RIR?
A notarized copy stating *ownership* seems overboard. Lots of organizations lease IPv4 space, and lots more now since depletion in many regions, and their use of it is entirely legitimate in accordance with their contractual rights established in the lease agreement with the owner. I'd probably think about looking at the contact info in the RIR whois and ask them, if I had a situation like this myself. Ultimately, the RIR's contact which would be in their whois db should be authoritative more so than anyone else. I doubt the RIR would be able to say much if you contacted them beyond that everything that isn't in whois isn't something they'd share publicly.
Take care, Matt
Without revealing too much identifying information, the prefix is allocated to a 3rd party that is a customer of our customer. We have a signed LOA on hand that matches the RIR database object details (names, prefix, etc.), and the request to stop announcing came from another 3rd party that does not appear to be related to either our customer or their customer. Both the individual making the demand as well as the 3rd party that "owns" the prefix are in industries that suggest things are not entirely above-board. The email came from an IP broker domain whose TLD is an eastern European country. At this point I'm going to have to rely on our customer's POC, whom I've already contacted, to verify whether or not this is true and err in their favor. I was just curious what others have experienced. Since so much of the Internet is "best effort" in terms of validation, I wasn't sure if there was much else that could be done.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of nop@imap.cc Sent: Monday, March 12, 2018 12:08 PM To: nanog@nanog.org Subject: Re: Proof of ownership; when someone demands you remove a prefix
I've seen this type of situation come up more than a few times with the shadier IP brokers that lease and don't care who they lease to, for example Logicweb, Cloudinnovation ( see bgp.he.net/search?search[search]=cloudinnovation+OR+%22cloud+innovation%22 ), Digital Energy-host1plus. The ranges get abused to hell and back for garbage traffic selling, rate limit bypassing, scraping, proxies, banned from youtube/google/etc for view and like farms, and then thrown away, and the leaser tries to get them unannounced quickly for further resale.
On Mon, Mar 12, 2018, at 11:57 AM, Matt Harris wrote:
On Mon, Mar 12, 2018 at 1:46 PM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
We recently received a demand to stop announcing a "fraudulent" prefix. Is there an industry best practice when handling these kind of requests? Do you have personal or company-specific preferences or requirements? To the best of my knowledge, we've rarely, if ever, received such a request. This is relatively new territory.
This could definitely be an attempt at a DoS attack, and wouldn't be the first time I've heard of something like this being done as such.
I thought about requesting they make changes to their RIR database objects to confirm ownership, but all that does is verify that person has access to the account tied to the ORG/resource, not ownership. Current entries in the database list the same ORG and contact that signed the LOA. When do you get to the point where things look "good enough" to believe someone?
They may also be leasing one chunk of space from an organization without actually having access to the RIR db too - in that case, they could ask the org they are leasing from to put in a SWIP with the RIR, but if they don't choose to, then that's not a hard requirement.
On the same token, having access to the org account at the RIR pretty much makes you as legitimate as you're going to be as far as any of us can really tell. If there's an issue where the RIR account has been compromised, then that issue lies between the RIR and their customer, and isn't really your business because you have no way to know whatsoever.
Has anyone gone so far as to make the requestor provide something like a notarized copy stating ownership? Have you ever gotten legal departments involved? The RIR?
A notarized copy stating *ownership* seems overboard. Lots of organizations lease IPv4 space, and lots more now since depletion in many regions, and their use of it is entirely legitimate in accordance with their contractual rights established in the lease agreement with the owner. I'd probably think about looking at the contact info in the RIR whois and ask them, if I had a situation like this myself. Ultimately, the RIR's contact which would be in their whois db should be authoritative more so than anyone else. I doubt the RIR would be able to say much if you contacted them beyond that everything that isn't in whois isn't something they'd share publicly.
Take care, Matt
Sounds right to me. Unless someone else can prove ownership of the allocation beyond a doubt I would leave it up and running.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Sean Pedersen Sent: Monday, March 12, 2018 2:46 PM To: nop@imap.cc; nanog@nanog.org Subject: RE: Proof of ownership; when someone demands you remove a prefix
Without revealing too much identifying information, the prefix is allocated to a 3rd party that is a customer of our customer. We have a signed LOA on hand that matches the RIR database object details (names, prefix, etc.), and the request to stop announcing came from another 3rd party that does not appear to be related to either our customer or their customer. Both the individual making the demand as well as the 3rd party that "owns" the prefix are in industries that suggest things are not entirely above-board. The email came from an IP broker domain whose TLD is an eastern European country. At this point I'm going to have to rely on our customer's POC, whom I've already contacted, to verify whether or not this is true and err in their favor. I was just curious what others have experienced. Since so much of the Internet is "best effort" in terms of validation, I wasn't sure if there was much else that could be done.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of nop@imap.cc Sent: Monday, March 12, 2018 12:08 PM To: nanog@nanog.org Subject: Re: Proof of ownership; when someone demands you remove a prefix
I've seen this type of situation come up more than a few times with the shadier IP brokers that lease and don't care who they lease to, for example Logicweb, Cloudinnovation ( see bgp.he.net/search?search[search]=cloudinnovation+OR+%22cloud+innovation%22 ), Digital Energy-host1plus. The ranges get abused to hell and back for garbage traffic selling, rate limit bypassing, scraping, proxies, banned from youtube/google/etc for view and like farms, and then thrown away, and the leaser tries to get them unannounced quickly for further resale.
On Mon, Mar 12, 2018, at 11:57 AM, Matt Harris wrote:
On Mon, Mar 12, 2018 at 1:46 PM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
We recently received a demand to stop announcing a "fraudulent" prefix. Is there an industry best practice when handling these kind of requests? Do you have personal or company-specific preferences or requirements? To the best of my knowledge, we've rarely, if ever, received such a request. This is relatively new territory.
This could definitely be an attempt at a DoS attack, and wouldn't be the first time I've heard of something like this being done as such.
I thought about requesting they make changes to their RIR database objects to confirm ownership, but all that does is verify that person has access to the account tied to the ORG/resource, not ownership. Current entries in the database list the same ORG and contact that signed the LOA. When do you get to the point where things look "good enough" to believe someone?
They may also be leasing one chunk of space from an organization without actually having access to the RIR db too - in that case, they could ask the org they are leasing from to put in a SWIP with the RIR, but if they don't choose to, then that's not a hard requirement.
On the same token, having access to the org account at the RIR pretty much makes you as legitimate as you're going to be as far as any of us can really tell. If there's an issue where the RIR account has been compromised, then that issue lies between the RIR and their customer, and isn't really your business because you have no way to know whatsoever.
Has anyone gone so far as to make the requestor provide something like a notarized copy stating ownership? Have you ever gotten legal departments involved? The RIR?
A notarized copy stating *ownership* seems overboard. Lots of organizations lease IPv4 space, and lots more now since depletion in many regions, and their use of it is entirely legitimate in accordance with their contractual rights established in the lease agreement with the owner. I'd probably think about looking at the contact info in the RIR whois and ask them, if I had a situation like this myself. Ultimately, the RIR's contact which would be in their whois db should be authoritative more so than anyone else. I doubt the RIR would be able to say much if you contacted them beyond that everything that isn't in whois isn't something they'd share publicly.
Take care, Matt
On Mon, Mar 12, 2018 at 3:46 PM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
I was just curious what others have experienced. Since so much of the Internet is "best effort" in terms of validation, I wasn't sure if there was much else that could be done.
Hi Sean,
The best practice is to go for the status quo while you figure it out. How long have you been announcing the prefix? If only briefly, stop. If you've been announcing it for a long time, keep doing so.
The RIR is the arbiter of who controls the address space. That's the purpose of a registry. Reach out to the published POC by email, by phone and if necessary by postal mail. Until you get a response to the query YOU initiated to the POC, stick with the status quo.
Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
i have been the requestor of such actions before, and i generally sent the take-down request with a referral to the ARIN entry with the netblock, which shows the appropriate contacts. i always sent the request from the account listed as ADMIN contact for the netblock or OrgID. in the request i noted that ARIN is the ultimate arbiter of who "owns" a block, and as such you can validate my request for takedown by contacting me through the details listed on their site. (i then provide the arin.net link). anyone receiving such a request, who validated it through the ARIN data, should probably act on it. if the request is coming from anyone other than the ARIN ADMIN contact, the response should be "we only accept such requests from parties that we can authenticate through ARIN". if the renter, et al, have not updated the ARIN data, then, that is their problem, not yours, as you would have done your due diligence. if they are not authorized by ARIN to speak on behalf of the block, i would be very cautious about proceeding. if they are unable to get the request sent on behalf of the ARIN ADMINs, then, also, i would be very cautious about proceeding. (i suspect that all of this could also apply to RIPE/etc/etc, but i have not had to do so).
--jim
On Mon, Mar 12, 2018 at 04:18:48PM -0400, William Herrin wrote:
On Mon, Mar 12, 2018 at 3:46 PM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
I was just curious what others have experienced. Since so much of the Internet is "best effort" in terms of validation, I wasn't sure if there was much else that could be done.
Hi Sean,
The best practice is to go for the status quo while you figure it out. How long have you been announcing the prefix? If only briefly, stop. If you've been announcing it for a long time, keep doing so.
The RIR is the arbiter of who controls the address space. That's the purpose of a registry. Reach out to the published POC by email, by phone and if necessary by postal mail. Until you get a response to the query YOU initiated to the POC, stick with the status quo.
Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
-- Jim Mercer Reptilian Research jim@reptiles.org +1 416 410-5633 Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming "Wow! What a Ride!" -- Hunter S. Thompson
it's a real shame there is no authoritative cryptographically verifiable attestation of address ownership.
How about signed ownership ? (https://keybase.io) if you are able to update the record … and it is able to be signed then shouldn’t that be proof enough of ownership of the ASN ? If you can update a forward DNS record then you can have the reverse record updated in the same sort of fashion and signed by a third party to provide first party of authoritative ownership… Assuming you have an assigned ASN and the admin has taken the time to let alone understand the concept and properly prove the identity in the first place… (EV cert ?) Just a light opinion from … https://jhackenthal.keybase.pub Trust is a big issue these days and validation even worse given SSL trust. -- The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
On Mar 12, 2018, at 21:20, George William Herbert <george.herbert@gmail.com> wrote:
Ownership?...
(Duck)
-george
Sent from my iPhone
On Mar 12, 2018, at 4:11 PM, Randy Bush <randy@psg.com> wrote:
it's a real shame there is no authoritative cryptographically verifiable attestation of address ownership.
In this case we defaulted to trusting our customer and their LOA over a stranger on the Internet and asked our customer to review the request. Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't the actual assignee. A means to definitively prove "ownership" from a technical angle would be great.
In the example provided in my original e-mail, it appears that an IP broker or related scammer gained access to the assignee's RIR account and made some object updates (e-mail, country, etc.) that they could use to "prove" they had authority to make the request. I assume their offer of proof would have been to send us an email from the dubious @yahoo.com account they had listed as the admin contact.
I agree with a private response that I received that at some point lawyers probably need to take over if a technical solution to verification is not reached.
I'm not terribly current on resource certification, but would RPKI play a role here? It looks like its application is limited to authenticating the announcement of resources to prevent route hijacking. If you've authorized a 3rd party to announce your routes, could you assign a certificate to that 3rd party for a specific resource and then revoke it if they are no longer authorized? Would it matter if someone gains access to your RIR/LIR account and revokes the certificate? This would assume protocol compatibility, that everyone is using it, etc.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Jason Hellenthal Sent: Monday, March 12, 2018 6:40 PM To: George William Herbert <george.herbert@gmail.com> Cc: nanog@nanog.org Subject: Re: Proof of ownership; when someone demands you remove a prefix
How about signed ownership ? (https://keybase.io) if you are able to update the record … and it is able to be signed then shouldn’t that be proof enough of ownership of the ASN ? If you can update a forward DNS record then you can have the reverse record updated in the same sort of fashion and signed by a third party to provide first party of authoritative ownership… Assuming you have an assigned ASN and the admin has taken the time to let alone understand the concept and properly prove the identity in the first place… (EV cert ?) Just a light opinion from … https://jhackenthal.keybase.pub Trust is a big issue these days and validation even worse given SSL trust. -- The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
On Mar 12, 2018, at 21:20, George William Herbert <george.herbert@gmail.com> wrote:
Ownership?...
(Duck)
-george
Sent from my iPhone
On Mar 12, 2018, at 4:11 PM, Randy Bush <randy@psg.com> wrote:
it's a real shame there is no authoritative cryptographically verifiable attestation of address ownership.
On Tue, Mar 13, 2018 at 9:23 AM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
In this case we defaulted to trusting our customer and their LOA over a stranger on the Internet and asked our customer to review the request. Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't the actual assignee. [......]
I believe the suggested process would be.... submit the stranger's request to the administrative & technical contacts listed for the organization and IP resource in public WHOIS at the time the request is received, and in order to confirm: Request whether their organization approves that the announcements must be withdrawn, and if so: that they also submit to you a signed official form to either revise, rescind, or repudiate the existing LOA provided by that WHOIS contact. Then reply to the "stranger" that official documentation is required to cancel the announcement, and you are unable to verify you have the right to make the request, and you will forward their message to the IP Address registry and officially listed WHOIS and customer technical contacts who must approve of the request, before any further actions can be taken. -- -JH
I would insist that this customer get with the RIR and resolve ownership of the account and prove that they did so. I would leave the burden on the RIR to figure out who is the rightful owner and not make any changes until that is done. Do you have a record of what the RIR account contact was when you began announcing the block? The fact that the requester has the RIR account and the email of the account contact makes me wonder if your customer did not renew with the RIR or something else that caused them to lose ownership of the net block. I could see this happen during an acquisition or change of ownership of a company or entity. I would give the customer a short period of time to open a dispute with the RIR and then hold the changes until the RIR makes a determination. I think that protects you from a legal perspective more than deciding on your own. Of course, keep a good record of all communications on this subject especially with the RIR, this could get ugly. Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Sean Pedersen Sent: Tuesday, March 13, 2018 9:23 AM To: nanog@nanog.org Subject: RE: Proof of ownership; when someone demands you remove a prefix
In this case we defaulted to trusting our customer and their LOA over a stranger on the Internet and asked our customer to review the request. Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't the actual assignee. A means to definitively prove "ownership" from a technical angle would be great.
In the example provided in my original e-mail, it appears that an IP broker or related scammer gained access to the assignee's RIR account and made some object updates (e-mail, country, etc.) that they could use to "prove" they had authority to make the request. I assume their offer of proof would have been to send us an email from the dubious @yahoo.com account they had listed as the admin contact.
I agree with a private response that I received that at some point lawyers probably need to take over if a technical solution to verification is not reached.
I'm not terribly current on resource certification, but would RPKI play a role here? It looks like its application is limited to authenticating the announcement of resources to prevent route hijacking. If you've authorized a 3rd party to announce your routes, could you assign a certificate to that 3rd party for a specific resource and then revoke it if they are no longer authorized? Would it matter if someone gains access to your RIR/LIR account and revokes the certificate? This would assume protocol compatibility, that everyone is using it, etc.
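The RPKI question in the message above, worked as an added example (not from any poster in this thread): a resource holder does not hand a certificate to the third party but signs a ROA naming that party's AS as an authorized origin, and relying parties evaluate each announcement against the current ROAs per RFC 6811. The prefix, AS numbers and ROA sets below are constructed documentation values.

```python
"""Route origin validation (RFC 6811) over constructed ROAs.

All prefixes and AS numbers are documentation values (RFC 5737, RFC 5398).
"""
import ipaddress
from typing import Dict, Iterable, NamedTuple


class ROA(NamedTuple):
    prefix: str      # block the resource holder signed for
    max_length: int  # longest prefix length the origin may announce
    asn: int         # authorized origin AS; 0 disavows routing (RFC 6483)


def validate_origin(route: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA is relevant only if it covers the announced prefix.
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # AS 0 never matches a real origin; length must respect maxLength.
        if (roa.asn != 0 and roa.asn == origin_asn
                and net.prefixlen <= roa.max_length):
            return "valid"
    # Covered but unmatched is 'invalid'; no covering ROA is 'not-found'.
    return "invalid" if covered else "not-found"


ROUTE = "203.0.113.0/24"  # constructed: the prefix under dispute
PROVIDER_AS = 64500       # constructed: the network announcing it
OTHER_AS = 64501          # constructed: some other network


def walk_through() -> Dict[str, str]:
    """What relying parties conclude as the holder's signed ROAs change."""
    authorized = [ROA(ROUTE, 24, PROVIDER_AS)]
    reissued = [ROA(ROUTE, 24, OTHER_AS)]
    disavowed = [ROA(ROUTE, 24, 0)]
    return {
        "ROA names the provider": validate_origin(ROUTE, PROVIDER_AS, authorized),
        "ROA withdrawn, none left": validate_origin(ROUTE, PROVIDER_AS, []),
        "ROA reissued to another AS": validate_origin(ROUTE, PROVIDER_AS, reissued),
        "AS0 ROA published": validate_origin(ROUTE, PROVIDER_AS, disavowed),
        "more specific than maxLength": validate_origin(
            "203.0.113.0/25", PROVIDER_AS, authorized),
    }


if __name__ == "__main__":
    for state, result in walk_through().items():
        print(f"{state:30} -> {result}")
```

Each result reflects only the ROAs currently signed under the holder's resource certificate, so it shows which origin the party controlling those RPKI objects authorizes and says nothing about who that party is.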
On Tue, Mar 13, 2018 at 10:23 AM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
In this case we defaulted to trusting our customer and their LOA over a stranger on the Internet and asked our customer to review the request. Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't the actual assignee. A means to definitively prove "ownership" from a technical angle would be great.
Hi Sean,
There is a definitive technical means. It's called contact the POC published in WHOIS by the RIR and ask. It isn't flawless and you don't have to like it, but there it is.
If you contacted the POC and the POC replied stop, you stop. If the POC was hijacked at the RIR, that's between your customer and the RIR. The RIR has a standard process and an expert team for dealing with these situations. It's their job.
Regards, Bill Herrin
-- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
Yes, absolutely go with the RIR. Only thing I might adjust is whether I let the customer launch a dispute with the RIR before or after I make the change and to me that would depend on the preponderance of the evidence either way. I might give the long term customer the reasonable doubt. A new customer with a new advertisement not so much. Talk to your legal people of course but I would think if the RIR could verify a dispute in progress, you are covered until the dispute is resolved. Seems legally reasonable to me and shows due diligence on your part without you getting in the middle.
Steven Naslund Chicago IL
This is more or less the situation we're in. We contacted the customer and they informed us the matter is in dispute with the RIR and that their customer (the assignee) is in the process of resolving the issue. We have to allow them time to accomplish this. I've asked for additional information to help us understand the nature of the dispute. In that time we received another request to stop announcing the prefix(s) in addition to a new set of prefixes, and a threat to contact our upstream providers as well as ARIN - which is not the RIR the disputed resources are allocated to. This is a new(er) customer, so there is some merit to dropping the prefix and letting them sort it out based on the current RIR contact(s). However, there is obvious concern over customer service and dropping such a large block of IPs. I'm definitely leaning toward "let the customer (or customer's customer) and the RIR sort it out" if the POC validates the request weighed responsibly against customer age. However, from a customer service perspective, I think we owe it to our customers to make sure a request is legitimate before we knock them offline. With a limited toolset to validate that information, I can't help but feel conflicted. I appreciate all the feedback this thread has generated so far!
Dear Sean, On Tue, Mar 13, 2018 at 10:38:49AM -0700, Sean Pedersen wrote:
> This is more or less the situation we're in. We contacted the customer and they informed us the matter is in dispute with the RIR and that their customer (the assignee) is in the process of resolving the issue. We have to allow them time to accomplish this. I've asked for additional information to help us understand the nature of the dispute. In that time we received another request to stop announcing the prefix(s) in addition to a new set of prefixes, and a threat to contact our upstream providers as well as ARIN - which is not the RIR the disputed resources are allocated to.
I've seen disputes too between end users and RIRs - usually this is due to non-payment. It can be helpful to do two things: set a reasonable deadline for the customer to resolve this, and verify with the RIR whether the dispute is actually ongoing or whether the RIR closed the case. Example case: customer said they were in dispute, but RIR indicated that the case was closed. If the RIR closed the case, I'd lean to dropping the announcement.
> This is a new(er) customer, so there is some merit to dropping the prefix and letting them sort it out based on the current RIR contact(s). However, there is obvious concern over customer service and dropping such a large block of IPs.
Size of the block often is a poor indicator for legitimacy. Kind regards, Job
On Tue, Mar 13, 2018 at 1:59 PM, Job Snijders <job@ntt.net> wrote:
> Dear Sean,
> On Tue, Mar 13, 2018 at 10:38:49AM -0700, Sean Pedersen wrote:
>> This is more or less the situation we're in. We contacted the customer and they informed us the matter is in dispute with the RIR and that their customer (the assignee) is in the process of resolving the issue. We have to allow them time to accomplish this. I've asked for additional information to help us understand the nature of the dispute. In that time we received another request to stop announcing the prefix(s) in addition to a new set of prefixes, and a threat to contact our upstream providers as well as ARIN - which is not the RIR the disputed resources are allocated to.
> I've seen disputes too between end users and RIRs - usually this is due to non-payment. It can be helpful to do two things: set a reasonable deadline for the customer to resolve this, and verify with the RIR whether the dispute is actually ongoing or whether the RIR closed the case. Example case: customer said they were in dispute, but RIR indicated that the case was closed. If the RIR closed the case, I'd lean to dropping the announcement.
What are people's experiences with the various RIRs discussion of these situations? I believe sometimes (though could be mistaken) they consider these matters confidential. Perhaps there are official RIR policies stated on how they handle such. It can be frustrating I'm sure. For the situation you describe, I'd be inclined to say that if the RIR's posted registration matches what you've got and has been so for a while, that ought to stand. Tony
On Tue, Mar 13, 2018 at 1:38 PM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
> This is more or less the situation we're in. We contacted the customer and they informed us the matter is in dispute with the RIR and that their customer (the assignee) is in the process of resolving the issue. We have to allow them time to accomplish this. I've asked for additional information to help us understand the nature of the dispute. In that time we received another request to stop announcing the prefix(s) in addition to a new set of prefixes, and a threat to contact our upstream providers as well as ARIN - which is not the RIR the disputed resources are allocated to.
Sean, If you've been announcing the route for the past year before this complaint came in then you are, of course, correct. It would be unconscionable to suddenly cut a customer over a paperwork problem.
> This is a new(er) customer, so there is some merit to dropping the prefix and letting them sort it out based on the current RIR contact(s). However, there is obvious concern over customer service and dropping such a large block of IPs.
If you've been announcing the route for the past week before this complaint came in then you are causing someone else a big operational headache. You must stop. Insist that the customer straighten out their problem with the RIR before you announce the route. You can ignore the threat to contact ARIN. ARIN does not involve itself in routing disputes. Your upstream (and their upstream, et cetera) will act to preserve their reputations. If that includes manually blocking some of your announcements, you'll have a devil of a time undoing it later. Regards, Bill Herrin -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
Biggest problems we had as a service provider is that the block is registered to a corporate entity which is then acquired or dissolves and then you have to figure out who actually has control. We always tried to push the dispute process to go between the customer and the RIR when this happens. It takes too many legal resources to get involved in figuring out who owns what during an acquisition or dissolution. Often this particular resource does not get called out specifically and can be a problem. Sometimes they get treated like corporate intellectual property and sometimes they get treated more like a utility. It’s a legal nightmare to get in the middle of it. I have had cases where it was so complex we forced one of the parties to get a court order one way or another. Steven Naslund Chicago IL
it's a real shame there is no authoritative cryptographically verifiable attestation of address ownership.
On Mon, Mar 12, 2018 at 11:46:31AM -0700, Sean Pedersen wrote:
> We recently received a demand to stop announcing a "fraudulent" prefix. Is there an industry best practice when handling these kind of requests? Do you have personal or company-specific preferences or requirements? To the best of my knowledge, we've rarely, if ever, received such a request. This is relatively new territory.
Best practice is for the prefix-user to have correct data of subdelegation in the correct RIR. LOA letters have been forged since well before runout, in the days when they were faxed. Issues with potential RIR hacks should be taken straight to that RIR; those have also been unfortunately common. These days, ROAs would be nice to see for anyone up-to-date on methods. At the very least, the low bar of IRR data should be present. If there's only a private letter between two parties, no one a few hops away can validate that, so the user of the space flatly should expect poor propagation. If there's no data published that a remote party can use, there should be zero expectation any remote party will accept the prefix on that path. IME this is pretty old territory, and should be part of any providers' M&P for handling PI space. Cheers, Joe -- Posted from my personal account - see X-Disclaimer header. Joe Provo / Gweep / Earthling
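What a remote party can do with published ROA data, as raised in the RPKI question and the ROA remark above, shown as an added example that is not part of any post in the thread: RFC 6811 route origin validation run over a customer's announcements. The VRPs are constructed from documentation prefixes and ASNs, and the function names are hypothetical.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max length, origin ASN).
# Documentation prefixes and documentation ASNs only; none come from the thread.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 0),      # AS0 ROA: holder states "do not route"
    ("2001:db8::/32", 48, 64501),
]

def covering_vrps(route, vrps):
    """Return the VRPs whose prefix covers the announced route."""
    net = ipaddress.ip_network(route)
    hits = []
    for prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(prefix)
        if vrp_net.version == net.version and net.subnet_of(vrp_net):
            hits.append((vrp_net, max_len, asn))
    return hits

def validate_origin(route, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covering = covering_vrps(route, vrps)
    if not covering:
        return "not-found"           # no published ROA covers this route
    for _, max_len, asn in covering:
        # AS0 never matches; the announcement must also respect max length.
        if asn != 0 and asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"                 # covered, but not by this origin/length

def review(announcements, vrps):
    """Per (route, origin): validation state plus the origins the holder authorized."""
    report = []
    for route, origin in announcements:
        authorized = sorted({a for _, _, a in covering_vrps(route, vrps) if a != 0})
        report.append((route, origin, validate_origin(route, origin, vrps), authorized))
    return report

if __name__ == "__main__":
    # Constructed customer announcements to triage.
    customer = [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                ("198.51.100.0/24", 64502), ("203.0.113.0/24", 64500),
                ("2001:db8:1::/48", 64502)]
    for row in review(customer, SAMPLE_VRPS):
        print(row)
```

A "not-found" result means only that the holder has published no ROA; it says nothing either way about who is entitled to the space.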
Another thing that would affect me as a service provider would be the account history. I would probably be more skeptical if this was a long term customer who has been announcing this prefix for a long period of time vs a new customer that just began announcing it. i.e. If I just began announcing it and there is an ownership dispute right away, I might suspect my new customer misappropriated the block. If he had been announcing it for years and now someone wants it taken down, that is a higher burden of proof for me. As always bottom line is who has the block registered with RIR is the final authority. Steven Naslund Chicago IL