Botnets buying up IPv4 address space

I'd welcome comments as to solutions to this. Or is it just scaremongering?

j

What do you mean with "purchasing or renting IPv4".

  Last time that I checked it was not possible in the RIR world.

  If you mean "hijacking" unused IPv4 space, that's another history.

.as

Seriously?

http://www.networkworld.com/community/blog/microsoft-pays-nortel-75-million-ipv4-address

The next phases are anger, bargaining, depression, and finally acceptance.

Regards,
-drc

> What do you mean with "purchasing or renting IPv4".
>
> Last time that I checked it was not possible in the RIR world.

If you're not a legitimate business why would you bother with commonly
accepted policy?

> If you mean "hijacking" unused IPv4 space, that's another history.

the post fails entirely to cite actual examples, then goes off into the
weeds on domain name reputation.

Yes, I forgot that one.

ARIN and APNIC allow it, LACNIC will when it reaches the last /12 (so now it is not possible). RIPE NCC and Afrinic do not have a policy yet AFAIK.

-as

> What do you mean with "purchasing or renting IPv4".
>
> Last time that I checked it was not possible in the RIR world.

Nevertheless, it is possible in the real world.

I agree with Benson.

In fact, for this "problem" I find it irrelevant that IPv4 is running out. They are just looking for good reputation IP nodes.

-as

isn't this a short-lived problem then?

If not short-lived, then at least self-limiting.
--Richard

Arturo,

Joly,

The author has drawn a relationship between a lot of unrelated things.

Hackers and spammers "rent" IP addresses all the time, and have done
so for two decades. It's called, "Here's my money for colo hosting
service and I need some IP addresses to go along with it." Nothing has
changed as a result of IPv4 depletion.

Botnets are hacked machines. They come with their own IP addresses
scattered about the globe and don't require any particular source. No
relation to IPv4 depletion and only tangentially related to the
"bulletproof hosting" that supplies IP addresses for the C&C servers.

As for auctioning IP blocks, my experience is that hackers don't
bother. If they want IP addresses beyond what the colo provider
offers, they steal them: find a block of addresses not routed on the
public Internet and forge LoAs they present to their ISP. They're
going to lose them anyway, so why bother paying money?

Regards,
Bill Herrin

ala: 146.20.0.0 ?

> What do you mean with "purchasing or renting IPv4".
> Last time that I checked it was not possible in the RIR world.

maybe you should look again. it's a new century.

randy

> I'd welcome comments as to solutions to this. Or is it just scaremongering?

Probably scaremongering... but it does raise an interesting thought.

It provides another argument why RIRs don't need to abandon justified
need as a mandatory criteria for transferring addresses to specified
recipients out of fear that legacy and other holders will engage in
"unofficial" sales and transfers that they intentionally fail to
record via WHOIS.

The legacy holder/unofficial transferor would be putting the
reputation of their entire address block, and their other allocations
at risk; if the buyer eventually hands some of the unofficial
allocation to a spammer, either by accident, or intentionally,
doesn't matter.

The holder of addresses that unofficially transferred them, could have
some major headaches, including service-affecting headaches to their
network... just to sell spare IP addresses faster for a few extra
bucks; when there is a legitimate process available that doesn't have
that risk?

The important outcome is that transfers are documented. Making it easier for sellers to update Whois (so it points to the buyer) will encourage documentation. If "needs justification" is ever a disincentive to update Whois, then it will discourage documentation.

Granted, a seller that doesn't update Whois should be more worried about the reputation of the buyer. But regardless, it is incorrect to assume that "needs justification" will prevent bad actors from acquiring address blocks. Even bad actors can justify their need, and some of them might even (*gasp*) lie about it in order to get what they want. The result would look like a normal transfer (with justified need, a Whois update, etc) and yet would result in a bad actor becoming an address holder.

Cheers,
-Benson

> Granted, a seller that doesn't update Whois should be more worried about the reputation of the buyer. But regardless, it is incorrect to assume that "needs justification" will prevent bad actors from acquiring address blocks. Even bad actors can justify their need, and some of them might even (*gasp*) lie about it in order to get what they want. The result would look like a normal transfer (with justified need, a Whois update, etc) and yet would result in a bad actor becoming an address holder.

Yes.... I am completely conceded to the fact that some bad actors
will get all the addresses they want and more, in massive numbers.
And continue to manage to get new addresses to play with,
conveniently, as soon as their existing ones are blacklisted.

I believe they already get all the addresses they want inexpensively,
through lying to others or through illicit routing advertisements, and
IPv4 exhaustion will make it harder/more expensive for the bad actors
to "legitimately" get addresses that "look ok"; from the point of
view of actually receiving the assignment, or the bad actor
announcing address space "nobody will notice".

Address exhaustion simply ultimately means there are a lot fewer
addresses for bad actors to play; and they will be competing for
scarce IP addresses against legitimate businesses, resulting in
higher costs for bad actors attempting to utilize legitimate channels.

My suggestion is that the right solution is not to try to prevent bad
actors from getting addresses, but that the solution is for the bad
actors to get de-peered.

> The important outcome is that transfers are documented. Making it easier for sellers to update Whois (so it points to the buyer) will encourage documentation. If "needs justification" is ever a disincentive to update Whois, then it will discourage documentation.
>
> Granted, a seller that doesn't update Whois should be more worried about the reputation of the buyer. But regardless, it is incorrect to assume that "needs justification" will prevent bad actors from acquiring address blocks. Even bad actors can justify their need, and some of them might even (*gasp*) lie about it in order to get what they want. The result would look like a normal transfer (with justified need, a Whois update, etc) and yet would result in a bad actor becoming an address holder.

True, however, the existence of bad actors encourages documentation even
if one needs to comply with needs basis, which has many other benefits to the
community.

Documentation is NOT the highest single purpose of ARIN and eliminating
community developed policy in favor of some mythical incentive towards
documentation.

Indeed, there is actually no evidence to support the theory that organizations
that transfer outside of needs basis would choose to document those transfers
through ARIN even if that requirement were removed.

Likely if we removed needs basis, we would see the same level of undocumented
transfers, but, with the added detriments of speculative address hoarding, higher
artificial valuations of integers, etc.

Owen

* Christopher Morrow:

And hopefully... the greater the address space "pressure" or
contention there is for IPv4 address resources,
the more strongly organizations will feel compelled towards swapping
over to IPv6 :)

If you by difficult mean expensive, then I agree.

Regards,
Martin