Proof of ownership; when someone demands you remove a prefix
On Tue, Mar 13, 2018 at 1:58 PM, Naslund, Steve <SNaslund at medline.com> wrote:
I would consider that.... the RIR WHOIS records are currently the network's
authoritative source of truth about IP number management.
For 99% of situations there's no such proper thing as "delaying addressing
abuse" so someone claims they can go dispute the RIR record. The rare
exception would be you have documented the original contacts and LOAs, and a
stranger who is a new WHOIS POC sends a request that you disrupt what has now
been a long-established operational network, and your customer is
objecting/claiming the WHOIS record has been hijacked.
In that case: avoid disrupting the long-established announcement: to allow
the customer 5 to 10 days to get it fixed with the RIR or show you a court
order against the false WHOIS contacts.
If you started announcing a newly set up prefix, and it immediately resulted
in a phone call or e-mail within a few weeks from the resource holder
organization's RIR-listed WHOIS contact, then obviously corrective actions
are in order to pull that announcement quickly, after confirming with the
org. listed in WHOIS.... That would mean your new announcement is credibly
reported as abuse, AND "claim of dispute in progress with the RIR" does not
hold water as any kind of basis to continue your AS causing harm to this
resource holder.
I would not blame a legitimate WHOIS contact for immediately escalating to
upstreams and ARIN for emergency assistance: if they don't receive an
adequate resolution and removal of the rogue announcement within 15 minutes
or so.......
While ARIN cannot do anything about the routing issues; they might be
able to confirm the history of the resource.... the Rogue announcement
might include the IP space of 1 or more DNS or SMTP Servers related to one
or more domain names that are also listed WHOIS E-mail contacts.
You know.... because ARIN stopped supporting using PGP/GPG keys with POCs
and digitally signed e-mail templates to formally authorize modifications :
"Wait while we dispute with the RIR" could very well truly mean: -----
"Please wait while we try to use our rogue IP space announcement to quickly
set up some fake SMTP servers on hijacked IPs while we gear up our spamming
campaign to maximum effectiveness and misuse ARIN's single-factor Email-based
password recovery process to fraudulently gain account access and modify
resource WHOIS POC details to make it look more like we're the plausible
resource holder....."
> The fact that it is a newer customer would make me talk to the RIR direct and verify
> that a dispute is really in progress.
[snip]
> Steven Naslund
> Chicago IL
--
-JH