[149392] in North American Network Operators' Group
Regarding Hijacked Networks
daemon@ATHENA.MIT.EDU (John Curran)
Thu Feb 2 21:03:16 2012
From: John Curran <jcurran@arin.net>
To: Owen DeLong <owen@delong.com>
Date: Fri, 3 Feb 2012 02:02:01 +0000
In-Reply-To: <65E48EB1-A51C-4C70-9629-CD7477D6877B@delong.com>
Cc: NANOG list <nanog@nanog.org>
On Jan 31, 2012, at 9:03 PM, Owen DeLong wrote:
> Not to put a damper on things, but, is there actually any law that precludes use of integers as internet addresses contrary to the registration data contained in RIR databases?

ARIN spends a bit of time on these types of questions.
The right to exclusive use of a particular block of Internet addresses is
indeed provided by contract with ARIN, but the context is within the
registration system itself. We are not aware of any law in ARIN's
service region which would preclude other parties from configuring
equipment with any numbers they wish. Note also - if someone thinks
that they have a right of exclusive use of a particular block of Internet
addresses because of convictions that the addresses themselves are
"property" (whatever that means), the outcome still doesn't change;
i.e. there is still no law or regulation as best we can determine
which prevents someone from configuring their own equipment with
any particular block of IP addresses... (and I would advise some
very careful thought before advocating that such be changed.[*])

In the end, the registry simply reflects a set of numbers managed for
uniqueness by the policies set by the community. Since the Internet
relies on unique host identifiers, it's a pretty useful database, but
that usefulness is predicated on people actually making use of it...

One would think that ISPs wouldn't accept routes from the
parties not listed on an address block, but that is not universally
the case, and correcting that other than at the point of injection
is rather problematic unless we have some relatively easy way to
build, propagate, and verify routing assertions by the address
holder (e.g. RPKI, as noted by Danny and Randy).

ARIN is slowly but steadily working on getting RPKI rolled out in
production this year... folks interested in gaining some hands-on
RPKI experience in the meantime can participate in ARIN's RPKI Pilot;
we have more than 50 organizations participating at this time -
<https://www.arin.net/resources/rpki.html>

FYI,
/John
John Curran
President and CEO
ARIN

p.s. [*] As previously noted in this discussion, address blocks may
sometimes be hijacked based on acts that _are_ violations of law
(e.g. fraud), but the mechanisms for dealing with such are quite
slow by default (at least in the US.) That doesn't mean that
they can't work faster, but only that timeliness increases when
numerous harmed parties are plainly evident to the law
enforcement folks. Given the potential impact from abuse or even
human error for any orders affecting the Internet, the delay may
even be an important feature of the present system.