Send ARIN-consult mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."
Today's Topics:
1. Re: Consultation on Reallocation Control Features (John Sweeting)
2. Re: Consultation on Reallocation Control Features (William Herrin)
3. Re: Consultation on Reallocation Control Features (John Sweeting)
----------------------------------------------------------------------
Message: 1
Date: Tue, 15 Oct 2024 20:22:47 +0000
From: John Sweeting <[email protected]>
To: William Herrin <[email protected]>, Chris Woodfield
<[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Reallocation Control
Features
Message-ID:
<mn2pr15mb2751e3aab4bfc6dd3ddb4162c5...@mn2pr15mb2751.namprd15.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
The frequency is on average roughly once a month that ARIN will receive a
complaint about this. It is usually more than 5 and less than 20 reassignments
that ARIN is asked to remove because the Admin POC that did the reassignments
is not responding to the request to remove it. ARIN has been informed that this
has caused problems due to subpoenas being issued for nefarious activities that
have taken place using these IP addresses. So yes, it does happen and yes,
there are negative effects to the organization that these reassignments are
made to.
From: ARIN-consult <[email protected]> on behalf of William Herrin
<[email protected]>
Date: Tuesday, October 15, 2024 at 2:29?PM
To: Chris Woodfield <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Reallocation Control Features
On Tue, Oct 15, 2024 at 10:48?AM Chris Woodfield <[email protected]> wrote:
> I?m reading Bill Herrin?s interpretation downthread as to the intent of this
> potential feature, and to the extent this is a not-theoretical issue, I?d be
> in full support. I?m slightly skeptical that an org controlling reallocate
> able resources would send /24s to an unaffiliated party just to add a layer
> of obfuscation to their abuse, but I?ve seen bolder attempts to make money in
> more dubious ways on the internet, so?
Well, it depends on what you're trying to obfuscate.
Suppose Joe goes to an "IP leaser" and claims to be a particular
ARIN-registered org. Joe gets IP addresses which he controls and
announces them from a "bulletproof hoster" from which Joe proceeds to
distribute child porn. As SWATting goes, it's a bit on the pricey side
but it's not inconceivable.
> Again, I?d be curious how often this actually happens in the wild, vs this
> being a theoretical brand of Bad Acting, before I think I could have an
> opinion here.
Same. Additional questions for ARIN are:
1. Has this happened to an ARIN registrant?
2. If yes, how many times is ARIN aware of it having happened to an
ARIN registrant?
We can sit here and dream up all manner of ways to abuse the ARIN
process, but at the end of the day security is a cost/value
proposition. If delta threat x delta vulnerability x incident cost is
less than the implementation and operational cost of the proposed
security then it shouldn't be done.
> another approach to this could be that an org can choose to require that they
> affirmatively accept any attempted reallocation request to their Org ID
I like this approach much better than the whole screwy "domain lock"
thing they do with the DNS.
--
William Herrin
[email protected]
https://bill.herrin.us/
_______________________________________________
ARIN-Consult
You are receiving this message because you are subscribed to the ARIN Consult
Mailing
List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN
Member Services
Help Desk at [email protected] if you experience any issues.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.arin.net/pipermail/arin-consult/attachments/20241015/cae9955d/attachment-0001.htm>
------------------------------
Message: 2
Date: Tue, 15 Oct 2024 13:38:40 -0700
From: William Herrin <[email protected]>
To: John Sweeting <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Reallocation Control
Features
Message-ID:
<CAP-guGVW3vPgpNGz2VhLtZeost+b+7XpVC8PP6JCMDkvn=z...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
On Tue, Oct 15, 2024 at 1:22?PM John Sweeting <[email protected]> wrote:
> The frequency is on average roughly once a month that ARIN will receive a
> complaint about this. It is usually more than 5 and less than 20
> reassignments that ARIN is asked to remove because the Admin POC that did the
> reassignments is not responding to the request to remove it. ARIN has been
> informed that this has caused problems due to subpoenas being issued for
> nefarious activities that have taken place using these IP addresses. So yes,
> it does happen and yes, there are negative effects to the organization that
> these reassignments are made to.
Hi John,
For that monthly number, are we talking all folks who complain that an
address block is incorrectly linked to them, or just folks for which
ARIN has confirmed a malicious linkage?
I note that the proposed solution could only impact cases where (A)
the org legitimately created their own POC and (B) never legitimately
had the addresses assigned to it. Stale ISP entries and orgs for whom
registrations were created without their knowledge would not be
helped.
Regards,
Bill Herrin
--
William Herrin
[email protected]
https://bill.herrin.us/
------------------------------
Message: 3
Date: Tue, 15 Oct 2024 20:42:20 +0000
From: John Sweeting <[email protected]>
To: William Herrin <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Reallocation Control
Features
Message-ID:
<mn2pr15mb2751c120aeaf0d6ec12be721c5...@mn2pr15mb2751.namprd15.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
From: William Herrin <[email protected]>
Date: Tuesday, October 15, 2024 at 4:39?PM
To: John Sweeting <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Reallocation Control Features
On Tue, Oct 15, 2024 at 1:22?PM John Sweeting <[email protected]> wrote:
> The frequency is on average roughly once a month that ARIN will receive a
> complaint about this. It is usually more than 5 and less than 20
> reassignments that ARIN is asked to remove because the Admin POC that did the
> reassignments is not responding to the request to remove it. ARIN has been
> informed that this has caused problems due to subpoenas being issued for
> nefarious activities that have taken place using these IP addresses. So yes,
> it does happen and yes, there are negative effects to the organization that
> these reassignments are made to.
Hi John,
For that monthly number, are we talking all folks who complain that an
address block is incorrectly linked to them, or just folks for which
ARIN has confirmed a malicious linkage?
Bill, these would be only those complaints that RSD received and confirmed were
suspicious. That is the only way ARIN would have visibility.
I note that the proposed solution could only impact cases where (A)
the org legitimately created their own POC and (B) never legitimately
had the addresses assigned to it. Stale ISP entries and orgs for whom
registrations were created without their knowledge would not be
helped.
Regards,
Bill Herrin
--
William Herrin
[email protected]
https://bill.herrin.us/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.arin.net/pipermail/arin-consult/attachments/20241015/3ae8695f/attachment.htm>
------------------------------
Subject: Digest Footer
_______________________________________________
ARIN-consult mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-consult
------------------------------
End of ARIN-consult Digest, Vol 110, Issue 3
********************************************
