Re: Security issues based on post RIR allocation rules

2018-12-11 Thread Owen DeLong
Likely with the growing number of inter-RIR transfers of IPv4 blocks, over
time, this is only going to get worse (or better)…

Worse in that the size of the problem will continue to grow.

Better in that as the size of the problem grows, it might become visible
enough to actually get addressed.

Owen


> On Dec 11, 2018, at 08:58 , Tony Finch  wrote:
> 
> Spurling, Shannon  wrote:
> 
>> When I call a health care organization, or a web hosting provider, the
>> first thing I get is that they think we are trying to pull one over on
>> them and all these ranges must be in Africa or Asia. I show them the
>> ARIN information for the specific /16, and sometimes I can make some
>> headway. Sometimes there's no convincing them. This issue appears to be
>> getting worse over time, so I was wondering if some misguided
>> organization or group is going around pressing for the rules that are
>> triggering these issues?
> 
> I'm somewhat inclined to blame poor `whois` implementations for this.
> 
> Apart from `whois` being generally very crappy, there are specific issues
> on the server side and the client side which mean the human driving whois
> often needs a good deal of expertise to be able to properly track down the
> authoritative registration details for a netblock.
> 
> On the server side, APNIC and RIPE do not return proper referrals for ERX
> netblocks. This is annoying, because they know which of the other RIRs is
> responsible for the registration - they have to get the reverse DNS
> information from the other RIR. Examples: 150.108.0.0 (an APNIC /8 but the
> /16 is allocated to Fordham University and managed through ARIN); and
> 141.111.0.0 (a RIPE /8 but the /16 is allocated to LANL and managed
> through ARIN).
> 
> AfriNIC's whois server is more helpful: it seems to proxy queries to RIPE
> and APNIC as appropriate, and returns RDAP referrals for ARIN.
> 
> On the client side, these days it is mostly possible to find the correct
> whois server to ask by following referrals from IANA. (In the past whois
> clients had to have a fairly large database of starting points.) A
> reasonably intelligent referral-oriented whois client can work around
> missing referrals for early netblock allocations by guessing, which
> usually means restarting with ARIN. But in practice most whois clients are
> pretty stupid, and the referral-oriented ones keep breaking when servers
> change. (e.g. I just found out AfriNIC's behaviour has changed since I
> last looked...)
> 
> Tony.
> -- 
> f.anthony.n.finch  http://dotat.at/
> West Forties, Cromarty, Forth: Southerly or southeasterly 5 or 6, occasionally
> 7 in Cromarty. Moderate, becoming moderate or rough. Mainly fair. Good.



Re: Security issues based on post RIR allocation rules

2018-12-11 Thread Mark Foster
I'll simply endorse the 'stop judging an IP by its RIR' approach. As a New 
Zealander (and APNIC is our RIR), having to convince US institutions that our 
subnets should not be blocked simply because they're out of the same /8 as 
those used by other Asian nations with poorer IP address reputations, is a 
challenge because, well, a nation of 4.5M in the south Pacific is 
insignificant, right? :S

Also if the whole /8 doesn't sit within the same organisation or country, how 
is it smart to use it as any sort of differentiator?

Have banged my head against this one many times in my career to-date.

Mark.

On 12 December 2018 5:58:18 AM NZDT, Tony Finch  wrote:
>Spurling, Shannon  wrote:
>
>> When I call a health care organization, or a web hosting provider, the
>> first thing I get is that they think we are trying to pull one over on
>> them and all these ranges must be in Africa or Asia. I show them the
>> ARIN information for the specific /16, and sometimes I can make some
>> headway. Sometimes there's no convincing them. This issue appears to be
>> getting worse over time, so I was wondering if some misguided
>> organization or group is going around pressing for the rules that are
>> triggering these issues?
>
>I'm somewhat inclined to blame poor `whois` implementations for this.
>
>Apart from `whois` being generally very crappy, there are specific issues
>on the server side and the client side which mean the human driving whois
>often needs a good deal of expertise to be able to properly track down the
>authoritative registration details for a netblock.
>
>On the server side, APNIC and RIPE do not return proper referrals for ERX
>netblocks. This is annoying, because they know which of the other RIRs is
>responsible for the registration - they have to get the reverse DNS
>information from the other RIR. Examples: 150.108.0.0 (an APNIC /8 but the
>/16 is allocated to Fordham University and managed through ARIN); and
>141.111.0.0 (a RIPE /8 but the /16 is allocated to LANL and managed
>through ARIN).
>
>AfriNIC's whois server is more helpful: it seems to proxy queries to RIPE
>and APNIC as appropriate, and returns RDAP referrals for ARIN.
>
>On the client side, these days it is mostly possible to find the correct
>whois server to ask by following referrals from IANA. (In the past whois
>clients had to have a fairly large database of starting points.) A
>reasonably intelligent referral-oriented whois client can work around
>missing referrals for early netblock allocations by guessing, which
>usually means restarting with ARIN. But in practice most whois clients are
>pretty stupid, and the referral-oriented ones keep breaking when servers
>change. (e.g. I just found out AfriNIC's behaviour has changed since I
>last looked...)
>
>Tony.
>-- 
>f.anthony.n.finch  http://dotat.at/
>West Forties, Cromarty, Forth: Southerly or southeasterly 5 or 6, occasionally
>7 in Cromarty. Moderate, becoming moderate or rough. Mainly fair. Good.

-- 
Sent from a mobile device.

Re: Security issues based on post RIR allocation rules

2018-12-11 Thread Tony Finch
Spurling, Shannon  wrote:

> When I call a health care organization, or a web hosting provider, the
> first thing I get is that they think we are trying to pull one over on
> them and all these ranges must be in Africa or Asia. I show them the
> ARIN information for the specific /16, and sometimes I can make some
> headway. Sometimes there's no convincing them. This issue appears to be
> getting worse over time, so I was wondering if some misguided
> organization or group is going around pressing for the rules that are
> triggering these issues?

I'm somewhat inclined to blame poor `whois` implementations for this.

Apart from `whois` being generally very crappy, there are specific issues
on the server side and the client side which mean the human driving whois
often needs a good deal of expertise to be able to properly track down the
authoritative registration details for a netblock.

On the server side, APNIC and RIPE do not return proper referrals for ERX
netblocks. This is annoying, because they know which of the other RIRs is
responsible for the registration - they have to get the reverse DNS
information from the other RIR. Examples: 150.108.0.0 (an APNIC /8 but the
/16 is allocated to Fordham University and managed through ARIN); and
141.111.0.0 (a RIPE /8 but the /16 is allocated to LANL and managed
through ARIN).

AfriNIC's whois server is more helpful: it seems to proxy queries to RIPE
and APNIC as appropriate, and returns RDAP referrals for ARIN.

On the client side, these days it is mostly possible to find the correct
whois server to ask by following referrals from IANA. (In the past whois
clients had to have a fairly large database of starting points.) A
reasonably intelligent referral-oriented whois client can work around
missing referrals for early netblock allocations by guessing, which
usually means restarting with ARIN. But in practice most whois clients are
pretty stupid, and the referral-oriented ones keep breaking when servers
change. (e.g. I just found out AfriNIC's behaviour has changed since I
last looked...)

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
West Forties, Cromarty, Forth: Southerly or southeasterly 5 or 6, occasionally
7 in Cromarty. Moderate, becoming moderate or rough. Mainly fair. Good.
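The referral-oriented client Tony describes above (start at IANA, follow referrals, and restart with ARIN when an RIR answers for an ERX netblock with only a /8-sized placeholder and no referral), written out as an added Python example. This is not code from anyone in this thread. It also illustrates the point Shannon and Mark make: the RIR that holds the /8 is not the registry of record for the /16 inside it, so a client that stops at the first RIR answer produces exactly the wrong-region conclusion they complain about. Assumptions: the recognised referral formats are IANA's `refer:` line and a `ReferralServer: whois://host` line; the "whole /8 or larger means placeholder" rule is a heuristic of this example, not documented registry behaviour; the `ERX-NETBLOCK` netname and every response in `SAMPLE_RESPONSES` are constructed to resemble real answers, not captured output; `whois_query` is a plain port-43 client included only for readers who want to run the same logic against live servers.

```python
"""Referral-following whois lookup for IPv4 netblocks (added example).

Models the client-side behaviour described in the thread: start at IANA,
follow explicit referrals, and when an RIR hands back a referral-less
/8 placeholder for an early (ERX) block, guess ARIN. Network I/O sits
behind a ``query`` callable so the logic runs offline against the
constructed responses at the bottom of the file.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

IANA = "whois.iana.org"
ARIN = "whois.arin.net"

# Referral formats handled here (assumption: IANA's "refer:" and the
# "ReferralServer: whois://host" style; RDAP URLs are not followed).
REFERRAL_RE = re.compile(r"^(?:refer|ReferralServer):\s*(\S+)", re.I | re.M)
# "inetnum: a - b" (RIPE/APNIC/AfriNIC style) or "NetRange: a - b" (ARIN style).
RANGE_RE = re.compile(r"^(?:inetnum|NetRange):\s*(\S+)\s*-\s*(\S+)", re.I | re.M)


def whois_query(server: str, ip: str, timeout: float = 10.0) -> str:
    """Plain port-43 whois query; only used for live lookups, never in the test."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{ip}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def extract_referral(response: str) -> Optional[str]:
    """Return the host named by the first referral line, or None if there is none."""
    m = REFERRAL_RE.search(response)
    if not m:
        return None
    host = m.group(1)
    if host.lower().startswith("whois://"):
        host = host[len("whois://"):]
    return host.rstrip("/")


def covered_size(response: str) -> Optional[int]:
    """Number of addresses in the range the answer covers, or None if no range line."""
    m = RANGE_RE.search(response)
    if not m:
        return None
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    return int(last) - int(first) + 1


def looks_like_erx_placeholder(response: str) -> bool:
    """Heuristic (assumption, not from the thread): an answer covering a whole /8 or
    more is a top-level placeholder, not a registration for the queried block."""
    size = covered_size(response)
    return size is not None and size >= 2 ** 24


def lookup(ip: str, query: Callable[[str, str], str], max_hops: int = 6) -> Dict[str, object]:
    """Follow referrals from IANA; fall back to ARIN when an RIR returns a
    referral-less /8 placeholder. Returns the server whose answer was accepted,
    the size of the range that answer covers, and the servers visited in order."""
    ipaddress.ip_address(ip)  # reject malformed input before it reaches a socket
    server = IANA
    visited: List[str] = []
    while len(visited) < max_hops:
        visited.append(server)
        response = query(server, ip)
        nxt = extract_referral(response)
        if nxt and nxt not in visited:
            server = nxt            # explicit referral: follow it
            continue
        if looks_like_erx_placeholder(response) and ARIN not in visited:
            server = ARIN           # missing referral for an early block: guess ARIN
            continue
        return {"server": server, "covers": covered_size(response), "visited": visited}
    raise RuntimeError(f"referral loop or more than {max_hops} hops for {ip}")


# Constructed sample responses keyed by (server, query). They mimic the shape of
# real answers but are not captured output from any registry.
SAMPLE_RESPONSES: Dict[Tuple[str, str], str] = {
    (IANA, "150.108.0.0"): "refer:        whois.apnic.net\ninetnum:      150.0.0.0 - 150.255.255.255\n",
    ("whois.apnic.net", "150.108.0.0"): "inetnum:      150.0.0.0 - 150.255.255.255\nnetname:      ERX-NETBLOCK\n",
    (ARIN, "150.108.0.0"): "NetRange:       150.108.0.0 - 150.108.255.255\nOrgName:        Fordham University\n",
    (IANA, "203.0.113.0"): "refer:        whois.apnic.net\n",
    ("whois.apnic.net", "203.0.113.0"): "inetnum:      203.0.113.0 - 203.0.113.255\nnetname:      TEST-NET-3\n",
}


def sample_query(server: str, ip: str) -> str:
    """Offline stand-in for whois_query using the constructed responses."""
    return SAMPLE_RESPONSES[(server, ip)]


if __name__ == "__main__":
    for target in ("150.108.0.0", "203.0.113.0"):
        print(target, lookup(target, sample_query))
```

Run as-is it walks the constructed answers: for 150.108.0.0 it goes IANA, then APNIC (placeholder, no referral), then ARIN, and accepts the /16; for 203.0.113.0 it stops at APNIC because the answer is a specific block. To use it live, pass `whois_query` instead of `sample_query`.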


Security issues based on post RIR allocation rules

2018-12-11 Thread Spurling, Shannon
Hey, I lurk a bit, and try to stay out of stuff if I can, but I've had a bout 
of problems that appear to have a common source.
I work in the Educational networking area, and a lot of our members are pre-RIR 
formation internet users. They have IP ranges that were allocated from the 
150/8 through 170/8 blocks. Unfortunately, a bunch of those are part of the 
legacy ranges handled by APNIC and AFRINIC. Here in the US, mention of either 
of those makes security people have dreams of Nigerian princes and 
Korean/Chinese hackers.

Don't get me wrong, these are long term US based governmental and educational 
institutions. Bona fide, accredited institutions. When I call a health care 
organization, or a web hosting provider, the first thing I get is that they 
think we are trying to pull one over on them and all these ranges must be in 
Africa or Asia. I show them the ARIN information for the specific /16, and 
sometimes I can make some headway. Sometimes there's no convincing them. This 
issue appears to be getting worse over time, so I was wondering if some 
misguided organization or group is going around pressing for the rules that are 
triggering these issues? Is there a public information forum that might be able 
to educate security administrators to not cut off wide swaths of the US 
internet from taking advantage of their products and services?

It's very frustrating.

Thanks

Shannon Spurling

shan...@more.net