Re: Proof of ownership; when someone demands you remove a prefix
The fact that it is a newer customer would make me talk to the RIR direct and verify that a dispute is really in progress. I would also look at some looking glasses and see if the prefix is being announced elsewhere, if so that might indicate that your customer is indeed stepping on a legit owner. I would also make it clear to the new customer that they are on thin ice here to light a fire under their process. Let them know that it is up to them to convince you that they are the legit owner. No one wants to lose a customer but they are threatening your business and putting you in legal jeopardy if they are not legit.
Steven Naslund
Chicago IL
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Sean Pedersen
Sent: Tuesday, March 13, 2018 12:39 PM
To: nanog@nanog.org
Subject: RE: Proof of ownership; when someone demands you remove a prefix
This is more or less the situation we're in. We contacted the customer and they informed us the matter is in dispute with the RIR and that their customer (the assignee) is in the process of resolving the issue. We have to allow them time to accomplish this. I've asked for additional information to help us understand the nature of the dispute. In that time we received another request to stop announcing the prefix(s) in addition to a new set of prefixes, and a threat to contact our upstream providers as well as ARIN - which is not the RIR the disputed resources are allocated to.
This is a new(er) customer, so there is some merit to dropping the prefix and letting them sort it out based on the current RIR contact(s). However, there is obvious concern over customer service and dropping such a large block of IPs.
I'm definitely leaning toward "let the customer (or customer's customer) and the RIR sort it out" if the POC validates the request weighed responsibly against customer age. However, from a customer service perspective, I think we owe it to our customers to make sure a request is legitimate before we knock them offline. With a limited toolset to validate that information, I can't help but feel conflicted.
I appreciate all the feedback this thread has generated so far!
I appreciate everyone's input and will incorporate it into our internal policies going forward. I also want to assure everyone who has taken the time to read or respond that we're going about this methodically; our customer is involved and is responding promptly and their customer has opened a case with the RIR. We're in the process of following up with the RIR. Our goal is not to cause an 'operational headache' for anyone, but exactly the opposite.
Thanks again for all of your feedback and responses.
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Naslund, Steve
Sent: Tuesday, March 13, 2018 11:59 AM
To: nanog@nanog.org
Subject: Re: Proof of ownership; when someone demands you remove a prefix
The fact that it is a newer customer would make me talk to the RIR direct and verify that a dispute is really in progress. I would also look at some looking glasses and see if the prefix is being announced elsewhere, if so that might indicate that your customer is indeed stepping on a legit owner. I would also make it clear to the new customer that they are on thin ice here to light a fire under their process. Let them know that it is up to them to convince you that they are the legit owner. No one wants to lose a customer but they are threatening your business and putting you in legal jeopardy if they are not legit.
Steven Naslund
Chicago IL
On Tue, Mar 13, 2018 at 1:58 PM, Naslund, Steve <SNaslund@medline.com> wrote:
> The fact that it is a newer customer would make me talk to the RIR direct and verify that a dispute is really in progress.
> [snip]
> Steven Naslund Chicago IL
I would consider that.... the RIR WHOIS records are currently the network's authoritative source of truth about IP number management.
For 99% of situations there's no such proper thing as "delaying addressing abuse" so someone claims they can go dispute the RIR record. The rare exception would be you have documented the original contacts and LOAs, and a stranger who is a new WHOIS POC sends a request that you disrupt what has now been a long-established operational network, and your customer is objecting/claiming the WHOIS record has been hijacked.
In that case: avoid disrupting the long-established announcement: to allow the customer 5 to 10 days to get it fixed with the RIR or show you a court order against the false WHOIS contacts.
If you started announcing a newly set up prefix, and it immediately resulted in a phone call or e-mail within a few weeks from the resource holder organization's RIR-listed WHOIS contact, then obviously corrective actions are in order to pull that announcement quickly, after confirming with the org. listed in WHOIS.... That would mean your new announcement is credibly reported as abuse, AND "claim of dispute in progress with the RIR" does not hold water as any kind of basis to continue your AS causing harm to this resource holder.
I would not blame a legitimate WHOIS contact for immediately escalating to upstreams and ARIN for emergency assistance: if they don't receive an adequate resolution and removal of the rogue announcement within 15 minutes or so.......
While ARIN cannot do anything about the routing issues; they might be able to confirm the history of the resource.... the Rogue announcement might include the IP space of 1 or more DNS or SMTP Servers related to one or more domain names that are also listed WHOIS E-mail contacts. You know.... because ARIN stopped supporting using PGP/GPG keys with POCs and digitally signed e-mail templates to formally authorize modifications : "Wait while we dispute with the RIR" could very well truly mean:
-----
"Please wait while we try to use our rogue IP space announcement to quickly set up some fake SMTP servers on hijacked IPs while we gear up our spamming campaign to maximum effectiveness and misuse ARIN's single-factor Email-based password recovery process to fraudulently gain account access and modify resource WHOIS POC details to make it look more like we're the plausible resource holder....."
--
-JH
That is about like saying email from you is the authoritative source of truth about you....unless your account is hacked. Sorry but in the real business world we give long standing customers the benefit of the doubt. We all make judgments every day in our real lives about who we believe and who we don't believe. It is not rare to know who the original contact for your customer is if you have any kind of provisioning records at all. Nothing is automatic or a set procedure in this circumstance. It's about like proving a false credit card charge...does the claim make sense or not. At the end of the day the RIR has to determine who owns the account. Right now, this minute you have to make the call based on incomplete information about what is best for your business, your customer, the Internet community, and your professional reputation.
Steven Naslund
Chicago IL
-----Original Message-----
From: Jimmy Hess [mailto:mysidia@gmail.com]
Sent: Tuesday, March 13, 2018 5:11 PM
To: Naslund, Steve
Cc: nanog@nanog.org
Subject: Re: Proof of ownership; when someone demands you remove a prefix
I would consider that.... the RIR WHOIS records are currently the network's authoritative source of truth about IP number management.
For 99% of situations there's no such proper thing as "delaying addressing abuse" so someone claims they can go dispute the RIR record. The rare exception would be you have documented the original contacts and LOAs, and a stranger who is a new WHOIS POC sends a request that you disrupt what has now been a long-established operational network, and your customer is objecting/claiming the WHOIS record has been hijacked.
participants (3)
- Jimmy Hess
- Naslund, Steve
- Sean Pedersen