[130432] in North American Network Operators' Group


Re: AS11296 -- Hijacked? (ARIN region & hijacking)

daemon@ATHENA.MIT.EDU (John Curran)
Sat Oct 2 22:05:59 2010

From: John Curran <jcurran@arin.net>
To: James Hess <mysidia@gmail.com>
Date: Sat, 2 Oct 2010 22:05:41 -0400
In-Reply-To: <AANLkTi=U6qrCPOg7=sX73iq77e7MOmktSaMswBRizVPS@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Oct 2, 2010, at 7:59 PM, James Hess wrote:

> So, I wonder why only ARIN itself is singled out.. Have other RIRs
> found something much better to do with fraud reports?   This matters,
> because scammers can concentrate on whichever IP blocks are easiest to
> hijack.

The reason: approximately 15000 legacy address blocks which ARIN became the
successor registry for at its formation, many of which hadn't been updated
since they were allocated.  In the other regions, there are significantly
fewer early allocations where the holders haven't also been involved on an
ongoing basis in the combined registry/operator forum in the region. Two
particular quirks of this region are that the registry is not combined with
the operator forum, and many of the assignments from the earliest days of
the Internet are in this region, made with minimal documentation, and were
often forgotten or never put into publicly routed use...

Ergo, when a party appears and says that they'd like to update the contacts
on their WHOIS record, and we see an organization which exists back to the
original allocation, it is fairly straightforward to make it happen and know
that we're not facilitating a hijacking.  For this reason, legacy holders are
allowed to change anything except the organization name without requiring
documentation.

It gets more challenging when you instead have a different organization name
XYX, which states it is the rightful holder of NET-ABC123 because it acquired
JKL company which in theory had earlier bought the right piece of company ABC
which is now defunct but never updated any of IP records post business deal,
and no one from ABC or JKL can be found and the public records may indeed show
that JKL bought some part of ABC but most assuredly don't say anything about
networks or as#'s...  Circumstances such as the aforementioned are regretfully
the rule, not the exception.

(As an aside, I'll note that we do also look at the historical routing of the
address block, since that provides some insight which often can corroborate
an otherwise weak documentary record.)

Now, we really want folks to come in and update their records, but when it
comes to updating the actual organization name for an address block, we either
need to hold the line on legal/commercial documents (which reduces hijacking
but almost sends some legitimate but underdocumented legacy folks away) or we
can simply have folks attest to their view of reality and update the records
accordingly (which will get us much more current Whois records but with
"current" not necessarily implying any more accurate records...)

This is *your* (the collective "your") WHOIS database, and ARIN will administer
it per any policy which is adopted by the community.

/John

John Curran
President and CEO
ARIN

P.S.  I will note that we fully have the potential to recreate this problem
      in IPv6 if we're not careful, and establishing some very clear record
      keeping requirements for IPv6 with both RIRs and ISPs/LIRs is going to
      be very important if we ever hope to determine the party using a given
      IPv6 block in just a few short years...
