[153720] in North American Network Operators' Group


Re: My view of the arin db boarked?

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Mon Jun 11 11:37:38 2012

In-Reply-To: <20120609151349.GA93705@gweep.net>
Date: Mon, 11 Jun 2012 11:36:55 -0400
From: Christopher Morrow <christopher.morrow@gmail.com>
To: nanog-post@rsuc.gweep.net
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sat, Jun 9, 2012 at 11:13 AM, Joe Provo <nanog-post@rsuc.gweep.net> wrote:
> On Fri, Jun 08, 2012 at 04:27:29PM -0400, Christopher Morrow wrote:
>> err, last 3 times I asked this I was shown the error of my ways, but
>> here goes...
>>
>> 209.250.228.241 - seems to not have any records in ARIN's WHOIS
>> database, everything seems to roll up to the /8 record :(
>>
>> I see this routed as a /23: (from routeviews)
>>   BGP routing table entry for 209.250.228.0/23, version 2072545487
>> Paths: (33 available, best #19, table Default-IP-Routing-Table)
>>   Not advertised to any peer
>>   3277 3267 174 27431 14037
>>     194.85.102.33 from 194.85.102.33 (194.85.4.4)
>>       Origin IGP, localpref 100, valid, external
>>       Community: 3277:3267 3277:65321 3277:65323 3277:65330
>>
>> If I look at the ASN in particular: AS14037
>> no records exist for that in ARIN's WHOIS database either ;( If I look
>> at all the networks announced by AS14037:
>> 14037   | 204.8.216.0/21      |
>> 14037   | 209.250.224.0/19    |
>> 14037   | 209.250.228.0/23    |
>> 14037   | 209.250.242.0/24    |
>> 14037   | 209.250.247.0/24    |
>
> If you query filtergen.level3.com, they are expecting to see it from
> this ASN:
>
> Prefix list for policy as14037 =
>  LEVEL3::AS14037
>
> 204.8.216.0/21
> 209.250.224.0/20
>
>> 14037   | 64.18.128.0/19      |
>> 14037   | 64.18.159.0/24      |
>
> ...but not those, which are registered in ALTDB (as the /19) along
> with the squatted 204.8.216.0/21 and 209.250.224.0/20
>
>
> route:      64.18.128.0/19
> descr:      RackVibe LLC
> origin:     AS14037
> admin-c:    GC373-ARIN
> tech-c:     GC373-ARIN
> notify:     arin@6gtech.com
> mnt-by:     MNT-6GTECH
> changed:    arin@6gtech.com 20081007
> source:     ALTDB
>
>
>> none of them have any records in the ARIN WHOIS database :( The
>> upstream for this network is AS 27431 - JTL Networks
>> who seems to get transit/peer with 3356/174.
>
> Amusingly, AS27431 is still the RR contacts according to the IRR. Score
> another one in the 'inaccurate IRR' column.

yea, automated filter generation from IRR's ... not always good :(

>> It's nice to see folk who use IRR databases to filter their customers
>> still permit this sort of thing to go on though: AS3356 I'm looking at
>> you...
>
> Here's a clue of future prefixes to watch for 3356 allowing from
> this particular nest:
>
> % whois -h filtergen.level3.com -- "-searchpath=ARIN;RIPE;RADB;ALTDB;LEVEL3 as27431"
> Prefix list for policy as27431 =
>  ARIN::AS27431   LEVEL3::AS27431 ALTDB::AS27431  RADB::AS27431
>  RIPE::AS27431
>
> 66.132.44.0/24
> 66.132.45.0/24
> 66.132.47.0/24
> 69.36.0.0/20
> 209.41.200.0/24
> 209.41.202.0/24
> 209.115.40.0/24
> 209.115.41.0/24
> 209.115.42.0/24
> 209.115.43.0/24
> 209.115.108.0/24
> 216.28.47.0/24
> 216.28.134.0/24
> 216.29.53.0/24
> 216.29.115.0/24
> 216.29.116.0/24
> 216.29.117.0/24
> 216.29.121.0/24
> 216.29.122.0/24
> 216.29.152.0/24
> 216.29.194.0/24
> 216.29.247.0/24
> %
>

most (by random sample of queries to whois.arin.net) of these at least
still had entries in the db.

>> I think first: "Where are the records for this set of ip number resources?"
>> and second: "Why are we still seeing this on the network with no way
>> to contact the operators of the resources?"
>
> You can try and contact the entities that are called 'RackVibe'
> and '6G Tech' according to the various IRR registry entries for 14037 and
> 46496.  Sketchy things which geolocate to Secaucus? Whoda thunk.

yea :( I'd sort of prefer if the transit here would just stop
accepting the announcement(s) in question (which they do today,
several filter-gen runs since friday).

-chris

> --
>         RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
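
An added example, not part of the original message or of any tool named in it: a cross-check of an IRR-generated prefix filter against registry records, which is the gap the thread describes. The announced and filter prefixes are the ones quoted above; the empty registry set, the function names, and the assumption that the filter accepts more-specifics up to /24 are illustrative.

```python
import ipaddress

# Prefixes seen from AS14037 and the filtergen output, as quoted in the thread.
ANNOUNCED = ["204.8.216.0/21", "209.250.224.0/19", "209.250.228.0/23",
             "209.250.242.0/24", "209.250.247.0/24",
             "64.18.128.0/19", "64.18.159.0/24"]
IRR_FILTER = ["204.8.216.0/21", "209.250.224.0/20"]
# Constructed: an empty set models "no ARIN WHOIS record found" from the thread.
REGISTRY = []

def covered(prefix, supernets, max_len=24):
    """True if prefix equals, or is a more-specific (up to max_len) of, a supernet."""
    net = ipaddress.ip_network(prefix)
    return net.prefixlen <= max_len and any(
        net.subnet_of(ipaddress.ip_network(s)) for s in supernets)

def audit(announced, irr_filter, registry):
    """Classify each announcement by filter result and registry backing."""
    report = {}
    for p in announced:
        permitted = covered(p, irr_filter)              # assumed filter policy
        registered = covered(p, registry, max_len=32)   # any covering record counts
        if permitted and not registered:
            verdict = "PERMITTED-UNREGISTERED"  # IRR says yes, registry has nothing
        elif permitted:
            verdict = "permitted"
        elif registered:
            verdict = "filtered-but-registered"
        else:
            verdict = "filtered"
        report[p] = verdict
    return report

if __name__ == "__main__":
    for prefix, verdict in audit(ANNOUNCED, IRR_FILTER, REGISTRY).items():
        print(f"{prefix:20} {verdict}")
```

The PERMITTED-UNREGISTERED rows are the ones a filter-generation pipeline would accept from IRR data alone while no registry record backs them.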

