Sidestepping a migration to IPv6 debate… I’d like to hear advice from the group about performing due diligence research on an IPv4 block before purchasing it on the secondary market (on behalf of an end-user company). My research has branched into two questions: a) What ‘checks’ should I perform? and b) What results from those checks should cause us to walk away?
My current list is:
While I think #3 is important, it depends on your use of the end-block, and those entries can sometimes be cleaned up with some work. If the block is listed, that would certainly lower the price I am willing to pay for the block. I did buy a block once in the ARIN region which showed up in IP geolocation databases as Russian (no idea why), but it took me quite a while to get it fixed.
I did all three above and still had issues. I am still having issues. I had to contact many people to get off of various blacklists, etc. These are lists that are not published and you will not know until you start using the space.
Luckily, I have had great help from the list here in getting support and in some cases back-channel support.
The hard part is getting a hold of the right people.
Softlayer/IBM was initially blocking my IP space. But, it was not really them. It was NTT on behalf of Softlayer. The request has to come from Softlayer. That has been resolved. I honestly do not even know who to thank.
I am currently fighting the same issue with playstation.com. Akamai is blocking access on behalf of Sony. The request has to come from Sony. After many emails with abuse@playstation, I am making headway. Problem is not solved yet, but I believe they are making headway. Luckily Akamai opened a ticket and told me what to tell the Sony NOC.
Right now, I am fighting some oddball blocks. Several mobile banking sites. There is not even a support number. I am having to try and use the NOC/Abuse contacts via ARIN first and not having any luck. Try calling a bank and telling them that you are a network engineer and cannot access their sites. That goes downhill pretty quick. If you can get past the first line of tech support it is a challenge. “Have you cleared your cookies? You need to call your ISP”, then you get a 2nd line person who basically blows you off.
Here is the thing. You will have problems. Just be prepared to make lots of phone calls and send lots of emails. Once you get to the right person, things can get a moving.
My experience has been quite different and quite a bit better. One of the things I paid attention to was who the previous owner of the block was, what sort of company they were, and hence what their likely use case was. I have purchased/deployed a few /23s so far and have yet to run into any issues with blacklists. Some of the space I’ve purchased came from a small-town ISP which was acquired, and some came from newly-defunct retail-sector organizations. I stayed away from anything that had been associated with any sort of hosting, or that seemed to have been leased out in the past, etc. You can often check historical routing tables to see if more than one AS has announced the space in the past X number of years to identify blocks that have been leased around, and that’s one other component you might want to consider looking at. But ultimately I think my best tactic has been to just check out the organization I’m acquiring it from and make sure they’ve owned it since the beginning via ARIN records. Dealing with a reputable broker is probably a good start, too. I’ve had no issues working with Hilco.
SORBS isn't the only place to check. As an example, if Spamhaus doesn't have
nice things to say about the block, it's time to start asking questions....
http://www.anti-abuse.org/multi-rbl-check/ has a fairly good list of
places that could give your customer a bad time (whether or not the
listing is deserved - the point is that being listed anywhere there will
probably mean problems that have to be cleaned up)
You may all now begin the religious war over where else to check.
I used this gentleman’s PowerShell script and modified it slightly to check a block last summer. The broker we were using said that they also did their due diligence on the addresses, but I wanted to do our own because of the cost of the IPs.
We worked with the Brander Group as a broker. They were great and have since launched a portal/storefront I believe.
I’d like to ask a related question (I’m not questioning why you need IPv4 space) but are you also deploying IPv6 as well? If not, is there a reason? In my copious spare time I’m doing a small FTTH network and many services do work well with IPv6 while others (banks are an example) perhaps don’t.
We have T-Mobile USA saying with their network most bits go out as v6, so I’m guessing there’s that 5-10% you need v4 for if you deploy as aggressively as they do.
Mostly curious if you are doing IPv6 if you see that slowing your need for v4 or if they are growing at the same rate.
And remember kids - the more you can push off to native IPv6, the longer you can
push off an upgrade to your CGNAT box.
For me, this is a big reason why if you’re doing CGNAT you want to complement it with IPv6.
At IETF last week there was an interesting discussion about the fact that things like DHCPv6-PD do not explicitly say that a DHCPv6-PD prefix should be inserted into the routing table (!), and you may not have the tools you need to manage these prefixes as a result. In DHCPv4 land of course you give out prefixes that are connected, but in DHCPv6-PD you may get something from a /56 to a /64 which may mean that route needs to go into your IGP.
A big +1 to checking Spamhaus, specifically their DROP and EDROP lists. These two lists are what causes us most pain when acquiring IPv4 space as a lot of providers put auto blocking in place based on these two which can be difficult to get removed.
I won’t even contemplate prefixes on either of these lists unless the seller knocks $5/IP off the purchase price because of the associated time and pain trying to clean it up.
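The DROP/EDROP check described above can be scripted before any money changes hands. The following is an added example, not code from any poster in this thread: it assumes the plain-text list layout of one `CIDR ; SBL reference` entry per line with `;` comment lines, uses constructed sample data on documentation prefixes, and the function names are hypothetical. It flags both a listing that covers the whole candidate block and a more-specific listing inside it.

```python
import ipaddress

# Constructed sample in the assumed DROP text layout ("CIDR ; SBL reference",
# lines starting with ';' are comments). Prefixes are documentation ranges
# and the SBL numbers are placeholders, not real listings.
SAMPLE_DROP = """\
; Constructed sample, not real Spamhaus data
192.0.2.0/24 ; SBL000001
198.51.100.128/25 ; SBL000002
203.0.113.0/24 ; SBL000003
"""

def parse_drop(text):
    """Return [(network, reference)] from DROP-style text, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError:
            continue  # ignore malformed rows rather than abort the check
        entries.append((net, ref.strip()))
    return entries

def find_listings(candidate, entries):
    """Classify every list entry that overlaps the candidate block."""
    block = ipaddress.ip_network(candidate, strict=True)
    hits = []
    for net, ref in entries:
        if net.version != block.version or not net.overlaps(block):
            continue
        if block.subnet_of(net):
            kind = "covered"   # whole candidate sits inside a listed prefix
        else:
            kind = "partial"   # a more-specific listing inside the candidate
        hits.append((str(net), ref, kind))
    return hits

if __name__ == "__main__":
    entries = parse_drop(SAMPLE_DROP)
    for block in ("198.51.100.0/24", "192.0.2.64/26", "198.18.0.0/23"):
        print(block, find_listings(block, entries) or "not listed")
```

To use it on a real purchase, replace `SAMPLE_DROP` with the current list text downloaded from Spamhaus and pass the prefix the seller is offering.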
I cleaned two blocks last year with Spamhaus and others. Took me less than two weeks and Spamhaus were the quickest of the bunch (we’re talking about a full or two business days). PSN can be tricky, same for Netflix and whatnot but I always put these new blocks in “quarantine” for a couple of weeks by using these services with random IPs in a new block.
In order, I began to announce the prefixes right after the transfers were approved by ARIN. I then contacted Spamhaus and the others roughly a week later. As I mentioned, Spamhaus were really reactive. The others responded in about 2 weeks.
What helped us (I think) is that we’re a listed MANRS participant (so filtering, BCP38, proper NOC/Ops contacts). We also sign all of our routes with ROAs, proper route objects in an IRR and PTRs generated for every IP.
The issue isn’t with Spamhaus itself per se, more providers who implement automated edge filters based on those lists and then take a long time to get removed manually.
I think it also depends on your intended use. If you want a flawlessly clean block you can use for anything, you’ll spend more time and money than if it just has to accommodate a particular use case.
Run a mail server? Better be clean as a whistle. Geolocation only moderately important.
Eyeball source? Past mail abuse may not be an issue but past DOS source could be and woe betide those who don’t pay attention to where in the world Maxmind thinks the block is located.
Web, DNS or game servers? It almost doesn’t matter. Unless past abuse was so bad that folks straight-up black holed it in the network, users will be able to connect to you.
It’s also worth considering whether you can move non-sensitive services from older known-clean addresses to the new blocks, freeing those older addresses for use in the more challenging application.
Thanks. A good start, but under-scoped. When you are purchasing IP number blocks whatever source you use; a marketplace, a broker, a single source should provide you with a compelling history on a number block REPUTATION that includes all the attributes listed below and then some. Some of the blocks I’ve seen being discussed lately appear notorious. In one case I counted 17 different RBLs being attributed to it. Checking Spamhaus is good, but then there are many others and some not so well known. There are many embedded in devices (remember auto config) that will never be updated.
For most, do not buy v4 number blocks without a pro and you’ll sorta know when they talk about everything but price. Price matters, but if it’s unusable or you need to spend a month cleaning it up, no income = more cost.
Do you have sources for the ~90% T-Mobile IPv6? Not arguing, but to use that as a source myself when spreading the IPv6 good word.