nanog mailing list archives
Re: Proof of ownership; when someone demands you remove a prefix
From: Jimmy Hess <mysidia () gmail com>
Date: Tue, 13 Mar 2018 17:11:00 -0500
On Tue, Mar 13, 2018 at 1:58 PM, Naslund, Steve <SNaslund () medline com> wrote:

I would consider that.... the RIR WHOIS records are currently the network's authoritative source of truth about IP number management. For 99% of situations there's no such proper thing as "delaying addressing abuse" so someone claims they can go dispute the RIR record.

The rare exception would be you have documented the original contacts and LOAs, and a stranger who is a new WHOIS POC sends a request that you disrupt what has now been a long-established operational network, and your customer is objecting/claiming the WHOIS record has been hijacked.

In that case: avoid disrupting the long-established announcement: to allow the customer 5 to 10 days to get it fixed with the RIR or show you a court order against the false WHOIS contacts.

If you started announcing a newly set up prefix, and it immediately resulted in a phone call or e-mail within a few weeks from the resource holder organization's RIR-listed WHOIS contact, then obviously corrective actions are in order to pull that announcement quickly, after confirming with the org. listed in WHOIS....

That would mean your new announcement is credibly reported as abuse, AND "claim of dispute in progress with the RIR" does not hold water as any kind of basis to continue your AS causing harm to this resource holder.

I would not blame a legitimate WHOIS contact for immediately escalating to upstreams and ARIN for emergency assistance: if they don't receive an adequate resolution and removal of the rogue announcement within 15 minutes or so.......

While ARIN cannot do anything about the routing issues; they might be able to confirm the history of the resource.... the Rogue announcement might include the IP space of 1 or more DNS or SMTP Servers related to one or more domain names that are also listed WHOIS E-mail contacts.

You know.... because ARIN stopped supporting using PGP/GPG keys with POCs and digitally signed e-mail templates to formally authorize modifications:

"Wait while we dispute with the RIR" could very well truly mean:

-----
"Please wait while we try to use our rogue IP space announcement to quickly set up some fake SMTP servers on hijacked IPs while we gear up our spamming campaign to maximum effectiveness and misuse ARIN's single-factor Email-based password recovery process to fraudulently gain account access and modify resource WHOIS POC details to make it look more like we're the plausible resource holder....."
The fact that it is a newer customer would make me talk to the RIR direct and verify that a dispute is really in progress.
[snip]
Steven Naslund Chicago IL
-- -JH
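
The concern raised in the message above, that WHOIS contact mail or DNS servers may themselves sit inside the disputed announcement, can be checked before an e-mail reply from a POC is trusted. The following is an added example, not part of the original message; the prefix, domains and pre-resolved MX/NS addresses are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: WHOIS POC e-mail -> (record type, host, address).
# In practice these come from resolving the MX of each POC's e-mail domain
# and the NS of that domain; they are pre-resolved here to run offline.
POC_RECORDS = {
    "noc@example.net": [
        ("MX", "mx1.example.net", "192.0.2.25"),
        ("NS", "ns1.example.net", "198.51.100.53"),
    ],
    "hostmaster@example.org": [
        ("MX", "mail.example.org", "203.0.113.10"),
        ("NS", "ns.example.org", "203.0.113.53"),
    ],
}

def contacts_inside_prefix(disputed_prefix, poc_records):
    """Map each POC e-mail to its MX/NS hosts addressed inside the prefix."""
    net = ipaddress.ip_network(disputed_prefix, strict=False)
    findings = {}
    for email, hosts in poc_records.items():
        # An NS hit matters as much as an MX hit: whoever answers DNS for
        # the domain can point its MX anywhere.
        hits = [(rtype, name, addr) for rtype, name, addr in hosts
                if ipaddress.ip_address(addr) in net]
        if hits:
            findings[email] = hits
    return findings

def verification_channel(disputed_prefix, poc_records):
    """Pick how to confirm a request with each POC while the prefix is disputed."""
    inside = contacts_inside_prefix(disputed_prefix, poc_records)
    return {email: ("out-of-band" if email in inside else "email")
            for email in poc_records}

if __name__ == "__main__":
    prefix = "192.0.2.0/24"  # constructed disputed announcement
    for email, channel in verification_channel(prefix, POC_RECORDS).items():
        print(email, channel, contacts_inside_prefix(prefix, POC_RECORDS).get(email, []))
```

A POC flagged `out-of-band` should be confirmed by phone or through the RIR rather than by e-mail, since mail to that address may be delivered to whoever is originating the prefix.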