nanog mailing list archives

Re: Repeated Blacklisting / IP reputation


From: Joe Greco <jgreco () ns sol net>
Date: Tue, 8 Sep 2009 14:50:02 -0500 (CDT)

> John Curran wrote:
> > On Sep 8, 2009, at 2:18 PM, JC Dill wrote:
> >
> > > It seems simple and obvious that ARIN, RIPE, et al. should
> > > determine the blacklist state of a reclaimed IP group and ensure
> > > that the IP group is usable before re-allocating it.
> > >
> > > When IPs are reclaimed, first check to see if the reclaimed IPs are
> > > on any readily checked RBL or private blacklist of major ISPs,
> > > corporations, universities, etc.  If so, work with those groups to
> > > get the blocks removed *prior* to reissuing the IPs to a new
> > > entity. Before releasing the IPs to a new entity, double check that
> > > they are not being blocked (that any promises to remove them from
> > > a blacklist were actually fulfilled).  Hold the IPs until you have
> > > determined that they aren't overly encumbered with prior blacklist
> > > blocks due to poor behavior of the previous entity.  (The same
> > > should be done before allocating out of a new IP block, such as
> > > when you release the first set of IPs in a new /8.)
> >
> > In this case, it's not the RBLs that are the issue; the address
> > block in question isn't on them.  It's the ISPs and other firms
> > using manual copies rather than actually following best practices.
>
> It's not that hard to make a list of the major ISPs, corporations,
> universities (entities with a large number of users), find willing
> contacts inside each organization (individual or role addresses you can
> email, and see if the email bounces, and who will reply if the email is
> received) and run some automated tests to see if the IPs are being
> blocked.  In your follow-up email to me, you said you check "dozens" of
> RBLs - that is clearly insufficient - probably by an order of magnitude
> - of the entities you should check with.  The number should be
> "hundreds".  A reasonably clueful intern can provide you with a
> suitable list in short order, probably less than 1 day, and find
> suitable contacts inside each organization in a similar time frame - it
> might take a week total to build a list of ~500 entities and associated
> email addresses.  Because of employee turnover the list will need to be
> updated, ~1-10 old addresses purged and replaced with new ones on a
> monthly basis.

Really?  And you expect all these organizations to do ... what?  Hire an
intern to be permanent liaison to ARIN?  Answer queries to whether or not
IP space X is currently blocked (potentially at one of hundreds or
thousands of points in their system, which corporate security may not
wish to share, or even give "some random intern" access to)?  Process
reports of new ARIN delegations?  What are you thinking they're going to
do?  And why should they care enough to do it?

> Why isn't this being done now?
>
> > > Issuing reclaimed IPs is a lot like selling a used car, except that
> > > the buyer has no way to "examine" the state of the IPs you will
> > > issue them beforehand.  Therefore it's up to you (ARIN, RIPE, et
> > > al.) to ensure that they are "just as good" as any other IP block.
> > > It is shoddy business to take someone's money and then sneakily
> > > give them tainted (used) goods and expect them to deal with
> > > cleaning up the mess that the prior owner made, especially when you
> > > charge the same rate for untainted goods!
> >
> > Not applicable in this case, as noted above.
>
> What do you mean, "not applicable"?  You take the money and issue IPs.
> There is no way for the "buyer" to know beforehand if the IPs are
> "tainted" (used) or new.  It is up to you (ARIN) to ensure that the
> goods (IPs) are suitable for the intended use.  My analogy is entirely
> applicable, and I'm amazed you think otherwise.

WOW.  That's a hell of a statement.  There is absolutely nothing that
ARIN can do if I decide I'm going to have our servers block connections
from networks ending in an odd bit.  Nobody is in a position to ensure
that ANY Internet connection or IP space is "suitable for the intended
use."  Welcome to the Internet.

> > So, back to the question:  could someone explain why they've got
> > copies of the RBLs in their network which don't get updated on any
> > reasonable refresh interval? (weekly? monthly?)
>
> The "why" really isn't at issue - it happens and it's going to keep
> happening.  The question is what are you (ARIN) going to do about it?
>
> Give me the serenity to accept the things I cannot change,
> The courage to change the things I can,
> And the wisdom to know the difference.
>
> You (ARIN et al.) don't have any ability to change the why.  What you
> can change is how you go about determining if an IP block is suitable
> for reallocation or not, and what steps you take to repair IP blocks
> that aren't suitable for reallocation.

So, in addition to just registering IP space, it's also their job to clean
it up?

I'm sorry, I agree that there's a problem, but this just sounds like it
isn't feasible.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.