Hi,
On 07/11/14 22:20, Ronald F. Guilmette wrote:
> Hello,
> I understand that there may have been some discussion of the rogue
> AS201640 at the WG meeting in London. For the benefit of those of
> us who were not able to attend that, could someone (anyone) please
> post a brief summary of the WG's discussion of AS201640? (The
> transcripts do not seem to be available just yet.)
As far as I understand, the WG will talk to the RIPE NCC and request an
action point from the NCC on whether there is a better way to allow
creation of route objects in the RIPE Database for IP addresses or AS
Numbers that are assigned/allocated by another RIR.
> Separately and additionally, I have been seeking answers to several
> questions relating to AS201640, mostly on the anti-abuse WG mailing
> list, but I have so far been rather spectacularly unsuccessful at
> obtaining any answers whatsoever to any of these questions. Given
> that, I hope that no one will mind very much if I put these questions
> here.
> (Note: I am sure that some of these questions only occur to me
> because of my abundant ignorance. I am admittedly not very
> familiar with RIPE or RIPE NCC operating procedures. I hope that
> the members of this WG will show me the courtesy of forgiving my
> ignorance and also attempt to remedy it.)
> +_+_+_+_+_+_+_+_+_
> 1) How was it possible for various IPv4 block WHOIS records to be
> stored in the RIPE WHOIS DB, even though it is quite apparently the
> case that, according to IANA WHOIS records, the IP blocks in question
> do not even belong to the RIPE region? Is there really no pre-checking
> performed on such records before they are stored in the RIPE database,
> e.g. to see if the blocks in question belong either to RIPE or to some
> other RIR?
Address space allocated by another RIR can have a route object in the
RIPE Database.
Usually, for address space and AS Numbers assigned by the RIPE NCC, you
would need two passwords, the AS password and the IP password. In this
case, they only needed the AS password as the IP password is public.
> 2) How was it possible for a particular Bulgarian commercial organization
> to be granted its own AS number, when all available evidence seems to
> indicate that it actually had, and has, -zero- IP addresses which are
> actually and properly registered to it? Is there really no pre-checking
> performed on AS number allocations, e.g. to see if the organization
> requesting the AS has at least some IP addresses?
It had a /24 IPv4 PA assigned by the Sponsoring LIR. That IPv4 PA
assignment got deleted days after the request for the ASN. That leads me
to think that the Sponsoring LIR (Nettera Ltd from Bulgaria) knew
exactly what they were doing and helped this spammer get its own ASN,
> 3) Why are some of the clearly bogus WHOIS records (for IPv4 blocks)
> relating to this incident still present within the RIPE WHOIS DB, even
> as we speak, in particular, these ones?
> 41.198.224.0/20
> 119.227.224.0/19
> 105.154.248.0/21
> 210.57.0.0/19
> 202.39.112.0/20
Already responded to by Sander: those are route objects that you see.
> Is anyone anywhere still harboring *any* lingering doubt about the fact
> that these are all quite plainly bogus? If not, then why have these
> records not already been removed from the WHOIS database?
Because this is private data maintained by a maintainer and removing
that data can only be done by that maintainer.
> 4) Why is AS201640 still registered, as we speak?
Good question.. it's probably because the request of the ASN has never
been fraudulent. As far as I know, there is a ticket opened with the
RIPE NCC asking them to investigate if the ASN assignment request has
been in order. As it has been more than two months since that ticket was
opened, I presume they have found nothing fraudulent.
> 5) Without reference to any specific incident, AS, legal entity, or any
> other specifics, I have the following very general question:
> With respect to the contracts that RIPE enters into with those parties for
> whom RIPE provides registration services of *AS numbers*, specifically,
> are the terms and conditions of those contracts adequate and sufficient
> to strongly deter any and all AS registrants from deliberately and
> willfully announcing routes to IP space to which neither they nor any
> of their direct or indirect customers have any legitimate claim?
How do you demonstrate that something has been deliberate and not just
some fat fingering (typos)?
> +_+_+_+_+_+_
> I look forward to the WG's responses to the above questions.
cheers,
elvis
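The pre-check Ronald asks about in question 1 (does a prefix offered for a route object even fall in the RIPE region?) as an added Python example; it is not part of this thread and not the RIPE Database's own code. It assumes a hand-built subset of the IANA IPv4 address-space registry (the /8-to-RIR table below is constructed for the demo and should be replaced by the live registry), parses minimal RPSL route objects, and reports the ones whose prefix is administered by a different RIR. The sample objects are constructed from the five prefixes listed above plus one RIPE-region prefix originated by the documentation ASN AS64496 for contrast.

```python
import ipaddress

# Constructed subset of the IANA IPv4 address-space registry (/8 -> RIR).
# Only the /8s needed for this demonstration are listed; a real check should
# load the full registry from IANA instead of relying on this hand-made table.
IANA_IPV4_DELEGATIONS = {
    "41.0.0.0/8": "AFRINIC",
    "105.0.0.0/8": "AFRINIC",
    "119.0.0.0/8": "APNIC",
    "202.0.0.0/8": "APNIC",
    "210.0.0.0/8": "APNIC",
    "193.0.0.0/8": "RIPE NCC",
    "194.0.0.0/8": "RIPE NCC",
}


def administering_rir(prefix):
    """Return the RIR administering the /8 that contains `prefix`, or None if unknown."""
    net = ipaddress.ip_network(prefix, strict=False)
    for block, rir in IANA_IPV4_DELEGATIONS.items():
        if net.subnet_of(ipaddress.ip_network(block)):
            return rir
    return None


def parse_route_objects(text):
    """Parse RPSL-style objects ("key: value" lines, blank line between objects)."""
    objects, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        objects.append(current)
    return objects


def out_of_region_routes(objects, home_rir="RIPE NCC"):
    """Return (prefix, origin, rir) for each route object whose prefix is
    not administered by `home_rir` (rir is None when the /8 is not in the table)."""
    findings = []
    for obj in objects:
        if "route" not in obj:
            continue
        rir = administering_rir(obj["route"])
        if rir != home_rir:
            findings.append((obj["route"], obj.get("origin", ""), rir))
    return findings


# Constructed sample: the five prefixes named in the thread, plus one
# RIPE-region prefix with the documentation ASN AS64496 for contrast.
SAMPLE_ROUTE_OBJECTS = """\
route:  41.198.224.0/20
origin: AS201640

route:  119.227.224.0/19
origin: AS201640

route:  105.154.248.0/21
origin: AS201640

route:  210.57.0.0/19
origin: AS201640

route:  202.39.112.0/20
origin: AS201640

route:  194.0.2.0/24
origin: AS64496
"""

if __name__ == "__main__":
    for prefix, origin, rir in out_of_region_routes(parse_route_objects(SAMPLE_ROUTE_OBJECTS)):
        print(f"{prefix:<18} origin {origin:<9} administered by {rir}")
```

A check like this is a review aid for spotting route objects worth a second look; as elvis notes above, the RIPE Database itself legitimately accepts route objects for out-of-region space, so a hit is a prompt for scrutiny rather than proof of abuse.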