
Proof of ownership; when someone demands you remove a prefix

On Tue, Mar 13, 2018 at 1:58 PM, Naslund, Steve <SNaslund at medline.com> wrote:

I would consider that.... the RIR WHOIS records are currently the network's
authoritative source of truth about IP number management.

For 99% of situations there's no such proper thing as "delaying addressing
abuse" so someone claims they can go dispute the RIR record. The rare
exception would be you have documented the original contacts and LOAs, and
a stranger who is a new WHOIS POC sends a request that you disrupt what has
now been a long-established operational network, and your customer is
the WHOIS record has been hijacked.

In that case: avoid disrupting the long-established announcement: to allow
the customer 5 to 10 days to get it fixed with the RIR or show you a court
order against the false WHOIS contacts.

If you started announcing a newly set up prefix, and it immediately resulted
in a phone call or e-mail within a few weeks from the resource holder
organization's RIR-listed WHOIS contact, then obviously corrective actions
are in order to pull that announcement quickly, after confirming with the
org. listed in WHOIS....

That would mean your new announcement is credibly reported as abuse, AND
"claim of dispute in progress with the RIR" does not hold water as any kind
of basis to continue your AS causing harm to this resource holder.

I would not blame a legitimate WHOIS contact for immediately escalating to
upstreams and ARIN for emergency assistance: if they don't receive an
adequate resolution and removal of the rogue announcement within 15 minutes
or so.......

While ARIN cannot do anything about the routing issues; they might be able
to confirm the history of the resource.... the Rogue announcement might
include the IP space of 1 or more DNS or SMTP Servers related to one or more
domain names that are also listed WHOIS E-mail contacts.

You know.... because ARIN stopped supporting using PGP/GPG keys with POCs
and digitally signed e-mail templates to formally authorize modifications:

"Wait while we dispute with the RIR" could very well truly mean:

"Please wait while we try to use our rogue IP space announcement to quickly
set up some fake SMTP servers on hijacked IPs while we gear up our spamming
campaign to maximum effectiveness and misuse ARIN's single-factor
Email-based password recovery process to fraudulently gain account access
and modify resource WHOIS POC details to make it look more like we're the
plausible resource holder....."

> The fact that it is a newer customer would make me talk to the RIR direct and verify
> that a dispute is really in progress.
> Steven Naslund
> Chicago IL