Proof of ownership; when someone demands you remove a prefix

Naslund_Steve · March 13, 2018, 6:58pm

The fact that it is a newer customer would make me talk to the RIR direct and verify that a dispute is really in progress. I would also look at some looking glasses and see if the prefix is being announced elsewhere, if so that might indicate that your customer is indeed stepping on a legit owner. I would also make it clear to the new customer that they are on thin ice here to light a fire under their process. Let them know that it is up to them to convince you that they are the legit owner. No one wants to lose a customer but they are threatening your business and putting you in legal jeopardy if they are not legit.

Steven Naslund
Chicago IL

Sean1 · March 13, 2018, 7:48pm

I appreciate everyone's input and will incorporate it into our internal policies going forward.

I also want to assure everyone who has taken the time to read or respond that we're going about this methodically; our customer is involved and is responding promptly and their customer is has opened a case with the RIR. We're in the process of following up with the RIR. Our goal is not to cause an 'operational headache' for anyone, but exactly the opposite.

Thanks again for all of your feedback and responses.

James_Hess · March 13, 2018, 10:11pm

I would consider that.... the RIR WHOIS records are currently the network's
authoritative source of truth about IP number management.

For 99% of situations there's no such proper thing as "delaying
addressing abuse"
so someone claims they can go dispute the RIR record. The rare exception
would be you have documented the original contacts and LOAs, and a stranger
who is a new WHOIS POC sends a request that you disrupt what has now been
a long-established operational network, and your customer is
objecting/claiming
the WHOIS record has been hijacked.

In that case: avoid disrupting the long-established announcement: to allow the
customer 5 to 10 days to get it fixed with the RIR or show you a
court order against
the false WHOIS contacts.

If you started announcing a newly setup prefix, and it immediately
resulted in a phone call
or e-mail within a few weeks from the resource holder
organization's RIR-listed
WHOIS contact, then obviously corrective actions are in order to pull that
announcement quickly, after confirming with the org. listed in WHOIS....

That would mean your new announcement is credibly reported as abuse, AND
"claim of dispute in progress with the RIR" does not hold water as
any kind of basis
to continue your AS causing harm to this resource holder.

I would not blame a legitimate WHOIS contact for immediately escalating to
upstreams and ARIN for emergency assistance: if they don't receive an
adequate resolution and removal of the rogue announcement within 15
minutes or so.......

While ARIN cannot do anything about the routing issues; they might be
able to confirm the history of the resource.... the Rogue announcement
might include the IP space of 1 or more DNS or SMTP Servers related to one
or more domain names that are also listed WHOIS E-mail contacts.

You know.... because ARIN stopped supporting using PGP/GPG keys with POCs
and digitally signed e-mail templates to formally authorize modifications :

"Wait while we dispute with the RIR" could very well truly mean: -----

"Please wait while we try to use our rogue IP space announcement to
quickly setup some

fake SMTP servers on hijacked IPs while we gear up our spamming
campaign to maximum
effectiveness and misuse ARIN's single-factor Email-based

password recovery process to fraudulently gain account access and
modify resource
WHOIS POC details to make it look more like we're the plausible
resource holder....."

The fact that it is a newer customer would make me talk to the RIR direct and verify
that a dispute is really in progress.

[snip]

Naslund_Steve · March 13, 2018, 10:22pm

That is about like saying email from you is the authoritative source of truth about you....unless your account is hacked. Sorry but in the real business world we give long standing customers the benefit of the doubt. We all make judgments every day in our real lives about who we believe and who we don't believe. It is not rare to know who the original contact for your customer is if you have any kind of provisioning records at all. Nothing is automatic or a set procedure in this circumstance. It's about like proving a false credit card charge...does the claim make sense or not. At the end of the day the RIR has to determine who owns the account. Right now, this minute you have to make the call based on incomplete information about what is best for your business, your customer, the Internet community, and your professional reputation.

Steven Naslund
Chicago IL