nanog mailing list archives

Re: Repeated Blacklisting / IP reputation


From: JC Dill <jcdill.lists () gmail com>
Date: Wed, 09 Sep 2009 15:39:55 -0700

Joe Greco wrote:
>> John Curran wrote:
>>> On Sep 8, 2009, at 2:18 PM, JC Dill wrote:
>>>>
>>>> It seems simple and obvious that ARIN, RIPE, et al. should
>>>> determine the blacklist state of a reclaimed IP group and ensure
>>>> that the IP group is usable before re-allocating it.
>>>>
>>>> When IPs are reclaimed, first check to see if the reclaimed IPs are
>>>> on any readily checked RBL or private blacklist of major ISPs,
>>>> corporations, universities, etc.  If so, work with those groups to
>>>> get the blocks removed *prior* to reissuing the IPs to a new
>>>> entity. Before releasing the IPs to a new entity, double check that
>>>> they are not being blocked (that any promises to remove them from
>>>> a blacklist were actually fulfilled).  Hold the IPs until you have
>>>> determined that they aren't overly encumbered with prior blacklist
>>>> blocks due to poor behavior of the previous entity.  (The same
>>>> should be done before allocating out of a new IP block, such as
>>>> when you release the first set of IPs in a new /8.)
>>>
>>> In this case, it's not the RBLs that are the issue; the address
>>> block in question isn't on them.  It's the ISPs and other firms
>>> using manual copies rather than actually following best practices.
>>
>> It's not that hard to make a list of the major ISPs, corporations, universities (entities with a large number of users), find willing contacts inside each organization (individual or role addresses you can email, and see if the email bounces, and who will reply if the email is received) and run some automated tests to see if the IPs are being blocked. In your follow-up email to me, you said you check "dozens" of RBLs - that is clearly insufficient - probably by an order of magnitude - of the entities you should check with. The number should be "hundreds". A reasonably clueful intern can provide you with a suitable list in short order, probably less than 1 day, and find suitable contacts inside each organization in a similar time frame - it might take a week total to build a list of ~500 entities and associated email addresses. Because of employee turnover the list will need to be updated, ~1-10 old addresses purged and replaced with new ones on a monthly basis.
>
> Really?  And you expect all these organizations to do ... what?  Hire an
> intern to be permanent liaison to ARIN?

I'm expecting ARIN to spend a few staff-hours (utilizing low-cost labor such as an intern) to set up the list for ARIN to use to check the status of returned IPs, and spend a few more staff hours setting up an automated system to utilize the list prior to releasing reclaimed IPs for reallocation. If, when using the list, they discover outdated addresses, spend a moment to find an updated address for that sole network. Most of this can easily be automated once set up - the only things that need to be dealt with by hand would be purging the list of outdated contacts and finding new ones, which shouldn't take much time since it's not a very large list, and many of the contacts would (over time) become role accounts that don't become outdated as often or as easily as personal accounts. Most of this is done by ARIN, not by the organizations they contact. All each organization has to do is permit one employee or role account to be used for IP block testing, and reply to test emails. The effort to set up a role account and autoresponder is minimal.

> Answer queries to whether or not
> IP space X is currently blocked (potentially at one of hundreds or
> thousands of points in their system, which corporate security may not
> wish to share, or even give "some random intern" access to)?  Process
> reports of new ARIN delegations?  What are you thinking they're going to
> do?  And why should they care enough to do it?

Because if they don't, they are needlessly blocking re-allocated IP addresses, potentially blocking their own users from receiving wanted email. Organizations could (and should) set up a role account and auto-responder for this purpose.

Why isn't this being done now?

>>>> Issuing reclaimed IPs is a lot like selling a used car, except that
>>>> the buyer has no way to "examine" the state of the IPs you will
>>>> issue them beforehand.  Therefore it's up to you (ARIN, RIPE, et
>>>> al.) to ensure that they are "just as good" as any other IP block.
>>>> It is shoddy business to take someone's money and then sneakily
>>>> give them tainted (used) goods and expect them to deal with
>>>> cleaning up the mess that the prior owner made, especially when you
>>>> charge the same rate for untainted goods!
>>>
>>> Not applicable in this case, as noted above.
>>
>> What do you mean, "not applicable"? You take the money and issue IPs. There is no way for the "buyer" to know beforehand if the IPs are "tainted" (used) or new. It is up to you (ARIN) to ensure that the goods (IPs) are suitable for the intended use. My analogy is entirely applicable, and I'm amazed you think otherwise.
>
> WOW. That's a hell of a statement. There is absolutely nothing that
> ARIN can do if I decide I'm going to have our servers block connections
> from networks ending in an odd bit.

100% correct. What they *can* do is determine IF the address is currently being blocked *before* they issue it to a new entity.

> Nobody is in a position to ensure
> that ANY Internet connection or IP space is "suitable for the intended
> use."  Welcome to the Internet.

They can (and IMHO should) determine the state it is in before they reallocate it. What happens next is obviously unpredictable, but in reality an IP that isn't being blocked today and isn't being used (by anyone) is highly unlikely to be widely blocked between today and the day ARIN releases it for allocation to a new entity. They can hold IPs that are not suitable for re-allocation, or at least make the status of the IPs known to the new entity before asking the entity to take on the IP block, and perhaps offer a fee discount for "tainted" addresses. (Some users may not care if the IPs are "tainted", if, for instance, they plan to use the IPs for a DUL pool. I have a friend who gets $5 off his cell phone bill because he has a phone number that starts with 666 - a number that many people prefer to avoid but which works fine for his purposes and he's quite happy to get the discount. :-)

>>> So, back to the question:  could someone explain why they've got
>>> copies of the RBLs in their network which don't get updated on any
>>> reasonable refresh interval? (weekly? monthly?)
>>
>> The "why" really isn't at issue - it happens and it's going to keep happening. The question is what are you (ARIN) going to do about it?
>
> Give me the serenity to accept the things I cannot change,
> The courage to change the things I can,
> And the wisdom to know the difference.

You (ARIN et al.) don't have any ability to change the why. What you can change is how you go about determining if an IP block is suitable for reallocation or not, and what steps you take to repair IP blocks that aren't suitable for reallocation.

> So, in addition to just registering IP space, it's also their job to clean
> it up?

Who do you propose clean up the mess? The people who made the mess (spammers) won't clean it up. Someone has to clean it up. The IPs are in ARIN's possession now. Why should it become someone else's problem (the entity they allocate it to) to clean it up? They didn't do anything to taint the space, and they request (and expect) to get clean and usable IPs, not tainted IPs.

>> ARIN shouldn't allocate previously allocated IPs until they know the IPs are not widely blocked. Or *at the very least* ARIN should disclose what they know about the IP space before they make it someone else's problem, and give the requesting entity an option to request a new/clean/unused/unblocked IP block instead.
>
> I'm sorry, I agree that there's a problem, but this just sounds like it
> isn't feasible.

IMHO passing the problem on to someone else is just plain wrong. It punishes an innocent party, and it doesn't scale. There are other options, better options.

In commerce it is a violation of the UCC to knowingly or negligently sell the customer something that the seller knows (or should have known) doesn't serve the customer's stated purpose, and that the customer has no way of knowing (no way to do "due diligence" before completing the sale) is unsuitable for their needs. ARIN's IP registry probably doesn't fall under the aegis of the UCC, but that doesn't excuse the practice.

I am not a lawyer, but it doesn't take a law degree to be able to tell right from wrong. Issuing previously-issued and tainted IPs to an entity that requested and is expecting untainted and usable IPs is clearly wrong. How ARIN plans to resolve this can be debated, but NOT solving this and just expecting someone else (the unlucky entity who is issued the tainted IPs) to solve it for them is not an honorable approach. Similarly, asking on NANOG "why do tainted IPs linger on blocklists" isn't going to solve the problem. ARIN can't change the why - what they can change is what ARIN does about it. There are better options - they can make an effort to clean up the IPs prior to reallocation; they can disclose the IP status before reallocation and give an option for a new IP block; or they can simply declare the IPs "toxic" and hold them rather than reallocate them. Giving the customer a dead parrot when they expected a live one (Beautiful Plumage!) is funny only in a Monty Python skit.

http://www.youtube.com/watch?v=4vuW6tQ0218

http://www.readnews.com/funny/story3.html

jc
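The pre-reallocation check the post argues for (query a reclaimed block against DNS-based blocklists, and hold the block if it is encumbered) is shown below as an added example; it is not code from the post, from the thread, or from ARIN. It covers only the public DNSBL half of the proposal, not the per-organization email probes. The zone names `dnsbl.example` and `rbl.example`, the `SAMPLE_ANSWERS` table and `sample_resolve` are constructed placeholders so the example runs offline; an operator would substitute the zones they actually consult and the system resolver (`system_resolve`). The "overly encumbered" threshold `max_listed_fraction` is an assumed policy knob, not anything the post specifies.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed placeholder zones; substitute the DNSBL zones you actually consult.
# Each zone is queried as <reversed-ip>.<zone>.
DNSBL_ZONES = ["dnsbl.example", "rbl.example"]

# A DNSBL signals "listed" by answering with an address in 127.0.0.0/8.
# Any other answer (e.g. a wildcard from a parked or lapsed zone) is not a listing.
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: the address's octets reversed, then the zone appended."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolve(name: str) -> Optional[str]:
    """Look up an A record with the system resolver; None means no such name."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolve: Resolver = system_resolve) -> bool:
    """True only when the zone answers with a 127.0.0.0/8 address for this IP."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_RANGE
    except ValueError:  # malformed answer: treat as not listed
        return False


def check_block(cidr: str, zones: List[str],
                resolve: Resolver = system_resolve) -> Dict[str, List[str]]:
    """Map each address in the block to the zones listing it (unlisted addresses omitted)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    listed: Dict[str, List[str]] = {}
    for addr in net:
        hits = [zone for zone in zones if is_listed(str(addr), zone, resolve)]
        if hits:
            listed[str(addr)] = hits
    return listed


def reallocation_decision(cidr: str, zones: List[str],
                          resolve: Resolver = system_resolve,
                          max_listed_fraction: float = 0.0) -> dict:
    """Summarise the block's listing state and decide whether to hold it.

    max_listed_fraction is an assumed policy threshold for "overly encumbered";
    the default 0.0 holds the block if any address is listed in any zone.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    listed = check_block(cidr, zones, resolve)
    fraction = len(listed) / net.num_addresses
    return {
        "block": str(net),
        "addresses": net.num_addresses,
        "listed": listed,
        "listed_fraction": fraction,
        "hold": fraction > max_listed_fraction,
    }


# Constructed sample answers standing in for real DNS responses so the example
# runs offline; 192.0.2.0/24 is documentation address space.
SAMPLE_ANSWERS = {
    "5.2.0.192.dnsbl.example": "127.0.0.2",
    "9.2.0.192.dnsbl.example": "127.0.0.2",
    "9.2.0.192.rbl.example": "127.0.0.4",
    # a wildcarded zone returning a public address must not count as a listing
    "1.2.0.192.rbl.example": "198.51.100.7",
}


def sample_resolve(name: str) -> Optional[str]:
    """Offline stand-in for system_resolve, backed by the constructed table above."""
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    report = reallocation_decision("192.0.2.0/28", DNSBL_ZONES, sample_resolve)
    for ip, zones in sorted(report["listed"].items()):
        print(f"{ip} listed in {', '.join(zones)}")
    print("hold" if report["hold"] else "release", report["block"])
```

Running the sample holds the /28 because two of its sixteen addresses are listed; raising `max_listed_fraction` to 0.2 would release it, which is the kind of "tainted but discounted" policy the post floats. The 127.0.0.0/8 check matters in practice: a DNSBL zone that has been abandoned and parked can wildcard every query to a public address, and without that check every reclaimed block would look blocked.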


