[159218] in North American Network Operators' Group
Update: Re: GeekTools Whois Proxy and RIPE/RIPE-NCC
daemon@ATHENA.MIT.EDU (Rodney Joffe)
Mon Dec 31 14:37:02 2012
From: Rodney Joffe <rjoffe@centergate.com>
In-Reply-To: <77455F9F-4ED4-4494-A3BB-679BDA81479B@atrato-ip.com>
Date: Mon, 31 Dec 2012 14:36:44 -0500
To: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
So we think we're working out the impact, and have a work-around for
users.
There seem to be more than a few hundred network operations groups
(that's many of you on NANOG) that use GeekTools (we can tell by the NAT
IP addresses, and the rate of queries) that will be affected. It seems
that what RIPE is doing is removing the ability for us to query their
whois server using the special format that passes "your" IP address to
RIPE in our queries that go to them. This was how they satisfied
themselves that if *you* were abusing the query limit, and we had not
caught it, and were not already preemptively blocking you or rate
limiting you, they could do it. I guess it's their version of "trust, but
verify". No argument from us.
They are not alone. We do the same thing with AFRINIC and APNIC amongst
RIRs, nic.br as a TLD operator, and Network Solutions as a registrar.
DENIC and a few others have asked us to provide queries in special
formats, and we happily comply with all of these. We appreciate their
efforts to enable us to help the community. And I think they've mostly
been happy with us for the last 14 years or whatever. (BTW there are
about 310 of them total at the moment that we're able to parse and
identify and query for, as well as many more specially requested cases,
like uk.com, au.com, etc.)
RIPE-NCC has decided to limit this to their members only. Not us.
So they are now removing that from us. We will now be subject to their
normal limits (whatever that is). When we reach our daily limit, we will
be blocked. When we do that a few times, we will be permanently
blacklisted.
The good news is that if you query them yourselves, you'll be able to
query them up to your daily individual limit before being blocked. So if
you have been using us, and have never been blocked with RIPE queries,
you will likely not be blocked when you query them direct (we have
already been passing them your IP address so they can count and rate
limit). The only difference is that now you can make a single query
for every TLD, every RWHOIS delegated server via the TLD whois server,
and every RIR, and get an answer in one. Except if it ends up in RIPE
land. Then you're on your own, walking their tree, etc. But you can do
it manually.
Later today, when we see how RIPE handles rejecting us, we'll write a
script, and <sarcasm> without asking you all to become members and pay
us $1,800 a year </sarcasm>, we'll post here, identifying the text we'll
pass so that you can configure scripts to recognize the rejection, and
handle the query in an exception routine.
Also, more than 10 years ago, we created a Windows program that loaded
in the systray, and provided desktop capabilities. And we also made
available the GPL'd Unix source for people who wanted to run it locally.
We haven't updated it for years, but many of you have it and did
update, and that will not be affected, beyond the existing limitation
you would be seeing - the app queries from your own IP address already.
If any of you has been maintaining and upgrading/updating the app, and
feels like sharing it, please do ;-). If you want, send it to us and
we'll audit it (I know you won't mind in today's environment) and then
add it to the geektools website.
I guess I should also put together a smartphone app that uses the proxy
as well...
Anyway, enough noise for now. Apologies. And thanks to all of you who
responded privately, with offers etc. Fortunately we don't need finance,
or resources or support. I'm just happy it has helped for so long.
Wishing you everything you want for yourselves in 2013 - the year of
IPv6 and hundreds of new TLDs.
Rodney and the CenterGate/GeekTools crew (yes, we're still around ;-)).
.  .  .  -  .  -

On Dec 31, 2012, at 11:46 AM, Job Snijders <job.snijders@atrato-ip.com> wrote:
> Hi Rodney,
>
> From the looks of it, this decision was made by the RIPE NCC
> Executive Board rather than at the General Meeting.  Inquiries will have
> to be made why this was decided, and what the consequences are. But, I
> don't expect a resolution to be reached in the next 6 hours.
>
> In the meantime you could consider setting up an irrd[1], redirect
> queries to that instance instead of whois.ripe.net, and keep it kind of
> fresh by feeding it ftp://ftp.ripe.net/ripe/dbase/ripe.db.gz on a daily
> basis.
>
> Kind regards,
>
> Job
>
> [1] http://www.irrd.net/
>
> On Dec 31, 2012, at 4:41 PM, Rodney Joffe <rjoffe@centergate.com> wrote:
>
>> NANOG and ARIN Friends,
>>
>> 14 years ago, at the suggestion of Jon Postel and some of the early
>> participants in NANOG, we developed the GeekTools Whois proxy to make it
>> easier for *us* - network security and abuse techs - to deal with the
>> expanding number of gtlds and registrars and the varied whois servers
>> that were appearing. The service had both a CLI and web interface.
>>
>> The service also led directly to the creation of whois-servers.net,
>> which now seems to be part of a number of *nix distributions.
>>
>> The service has been up for 14 years, and over that time we have
>> fulfilled the requirements of all of the whois server operators in
>> regards to minimizing and stopping abuse of the GT whois proxy by domain
>> scrapers, spammers, etc, while enabling the security folks to do their
>> jobs. In some cases we have even written code to pass the IP address of
>> the requestor to the whois server registry operator when they wanted to
>> manage quotas directly. We think we have a really good relationship
>> with all of the whois server operators, and I think we provide a useful
>> service to the community, and is widely used. And in 14 years we have
>> never been tarred as an enabler of abuse of "the whois" system.
>>
>> There has obviously never been any kind of charge or fee for using
>> the proxy, or any of the other tools on GeekTools. In about 2002 we
>> started placing a banner ad on the web interface page to offset some of
>> the costs for the bandwidth that the proxy consumes. An average of about
>> $70 a month for over the last 10 years. Actual bandwidth costs are
>> higher than that of course, but it was a thought in 2002 that we had
>> frankly forgotten about until recently.
>>
>> Two weeks ago RIPE-NCC, who provide the whois data for IP addresses
>> in the RIPE region, informed us that based on decisions by their
>> members, as of January 1st 2013, tomorrow, they would no longer provide
>> whois proxy query response services to GeekTools unless we ponied up
>> $1,800 a year for RIPE membership.
>>
>> I don't work very well above layer 7. It is what it is. So I wanted
>> to let you know that as of midnight tonight, apparently, you won't be
>> able to use GeekTools for RIPE related queries. If you have automated
>> scripts, and you are one of the users who has expanded access to
>> GeekTools, you'll need to find an alternative for RIPE queries *today*.
>> My guess is that you will be able to query RIPE directly, once you have
>> worked out that the address space is within RIPE's assignments.
>>
>> I think it's wrong to have to pay for whois data that is part of a
>> community resource. So I won't do it.
>
> -- 
> AS5580 - Atrato IP Networks