RE: Abuse procedures... Reality Checks

I have to disagree. SWIP is not meaningless.

In my company some functions related to sending a SWIP are automated, but my company has people on staff who know that it is happening and what it means.

And I talk with plenty of other companies that fall into the same boat.

In short I find this one comment below to be argumentative and full of conjecture.

Regards
Marla Azinger
Frontier Communications

Just because *your* site has enough clue to get it right doesn't mean that
the *average* site has enough clue to get it right.

In fact, I'll go out on a limb and posit that *in the cases I care about*,
it's even *less* likely that the SWIP is correct, because the same general
attitude of cluelessness that made them unable to police their users and
enforce their AUP (resulting in malicious packets arriving at my network)
will also tend to mean they didn't get the SWIP right.

So to sum up: The sites that *do* SWIP right are more likely to deal with
their user before I hear about it, causing me to *check* the whois. Meanwhile,
the sites that cluelessly allow malicious traffic also often don't SWIP right -
and that results in me contemplating the smallest range I *do* see in the
whois data. They didn't SWIP it so I could find the offending /26, that's
tough noogies for the rest of their /18.

Now where did I leave my Nomex jumpsuit? :-)
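Valdis's point about the block target falling back to the smallest range that does appear in whois, as an added example that is not part of the original posts: the script below takes registry records shaped like whois output, finds every record covering an offending address, and picks the most specific one. The REGISTRY list is constructed sample data (organisation names and contacts are made up), and the documentation prefix 192.0.2.0/24 stands in for an ISP allocation; the real case of a /26 inside a /18 works identically.

```python
"""Choose what to block from registry (whois) data for an offending address.

Added example, not code from the thread or from ARIN. REGISTRY is
constructed stand-in data shaped like whois output: an ISP's allocation
plus the customer reassignments (SWIPs) published beneath it.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetBlock:
    cidr: ipaddress.IPv4Network
    org: str
    abuse_contact: str


def _net(prefix):
    return ipaddress.ip_network(prefix)


# Constructed sample registry (assumption: all names and contacts are made up).
REGISTRY = [
    NetBlock(_net("192.0.2.0/24"), "ExampleNet ISP", "abuse@examplenet.example"),
    NetBlock(_net("192.0.2.0/26"), "Widget Hosting", "noc@widget.example"),
    NetBlock(_net("192.0.2.8/29"), "Acme Dental", "it@acme-dental.example"),
    # 192.0.2.64 - 192.0.2.255 is customer space the ISP never SWIPed.
]


def covering_blocks(ip, registry=REGISTRY):
    """All registry records that contain `ip`, least to most specific."""
    addr = ipaddress.ip_address(ip)
    hits = [b for b in registry if addr in b.cidr]
    return sorted(hits, key=lambda b: b.cidr.prefixlen)


def block_target(ip, registry=REGISTRY):
    """Pick the smallest registry block containing `ip`.

    Returns the prefix to block, who to contact, whether the address was
    SWIPed below the top-level allocation, and how many addresses the
    block catches (the collateral damage when it was not SWIPed).
    """
    chain = covering_blocks(ip, registry)
    if not chain:
        raise LookupError(f"{ip} is not covered by any registry record")
    allocation, target = chain[0], chain[-1]
    return {
        "target": str(target.cidr),
        "org": target.org,
        "contact": target.abuse_contact,
        "swiped": target is not allocation,
        "collateral": target.cidr.num_addresses,
    }


if __name__ == "__main__":
    for offender in ("192.0.2.9", "192.0.2.40", "192.0.2.200"):
        print(offender, block_target(offender))
```

For 192.0.2.9 the result is Acme Dental's /29; for 192.0.2.200, which the ISP never SWIPed, the only covering record is the /24, so that whole range (256 addresses) becomes the block target and the ISP's abuse desk the contact.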

I have to disagree. SWIP is not meaningless.

In my company some functions related to sending a SWIP are
automated, but my company has people on staff who know that
it is happening and what it means.

And I talk with plenty of other companies that fall into the
same boat.

In short I find this one comment below to be argumentative and
full of conjecture.

No more argumentative and full of conjecture than your posting. I said
that there were SOME companies where SWIP is just a mysterious automated
process and nobody on staff fully understands the meaning of it, beyond
the fact that it needs to be done to help get approval for that next
allocation request.

The fact that SOME companies do have a process for managing SWIP as they
understand it, does not mean that there are no delinquents.

I also find it curious that you claim to have people on staff at your
company who know what SWIP means. Perhaps you could ask them to share
that information with us since I have never seen this documented
anywhere. Do they really know what you claim they know?

--Michael Dillon

...

I also find it curious that you claim to have people on staff at your
company who know what SWIP means. Perhaps you could ask them to share
that information with us since I have never seen this documented
anywhere. Do they really know what you claim they know?

...

http://www.swip.com/: Scottish Widows Investment Partnership
http://www.uh.edu/~cfreelan/SWIP/: Society for Women in Philosophy
http://www.sat-tel.com/Swip.html: Shared WHOIS Project
http://www.swip.net/: The Swedish IP Network

Note that there are far more entries for chapters of SWIP #2 than for
any others. But one may assume that you refer to SWIP #3.

Definitions on the Web found by Google do vary slightly. The referenced
InterNIC policy appears to no longer be available on the InterNIC Web
site. However,
<http://www.arin.net/registration/guidelines/report_reassign.html>
will do.

There seem to have been more proposals on how to produce a better WHOIS
than one can assume in a reasonable amount of time. ;-]

Google is your friend.

http://www.arin.net/registration/guidelines/report_reassign.html

Shared WHOIS Project (SWIP)

"SWIP is a process used by organizations to submit information about downstream customer's address space reassignments to ARIN for inclusion in the WHOIS database. Its goal is to ensure the effective and efficient maintenance of records for IP address space.

"SWIP is intended to:

     * Provide information to identify the organizations utilizing each subdelegated IP address block.
     * Provide registration information for each IP address block.
     * Track utilization of allocated IP address blocks to determine if additional allocations may be justified.

"For IPv4, organizations can use the Reassign-Simple, Reassign-Detailed, Reallocate, and Network-Modification templates to report SWIP information.

"Organizations reporting IPv6 reassignment information can use the IPv6 Reassign, IPv6 Reallocate, and IPv6 Modify templates.

"Organizations may only submit reassignment data for records within their allocated blocks. ARIN reserves the right to make changes to these records upon the organization's approval. Up to 10 templates may be submitted as part of a single e-mail."

SWIPs are required for reallocations of /29 and larger if the allocation owner does not operate a RWhoIs server.

Of course, SWIP is an ARIN thing, and you work for BRITISH TELECOMMUNICATIONS PLC. As a US network operator, I was well aware of the requirements for SWIP, because ARIN rules make it clear that, as a netblock owner of an ARIN allocation, I'm required to do it.

Which numbering authority do you work with day to day?

Stephen Satchell wrote:

SWIPs are required for reallocations of /29 and larger if the allocation owner does not operate a RWhoIs server.

Of course, SWIP is an ARIN thing, and you work for BRITISH TELECOMMUNICATIONS PLC. As a US network operator, I was well aware of the requirements for SWIP, because ARIN rules make it clear that, as a netblock owner of an ARIN allocation, I'm required to do it.

Since I work at a US network operator, and others who've been
attacking my hosts come from US network operators, who can
I complain to when some of the bigger fish are not complying with
these so-called rules? Many network operators are required to
do a lot of things, one of these things should be the
mitigation of malicious traffic from LEAVING their network.

If some of these companies can't follow the rules, then I see
no need for me to discontinue "punishing" allocations on their
CIDRs whenever my network is attacked since it seems to be the
only method I found to 1) protect my networks and clients and
2) to get someone's attention.

Which numbering authority do you work with day to day?

Me? I work for an authority that many bigger provider should be
following its guidelines and setting examples for smaller
network operators. I shouldn't have to do the work for some of
these bigger operators. I shouldn't have to send emails making
them aware that 40 hosts on their /24 are sending out malicious
traffic.

Maybe ARIN staff should start re-writing policies and
implementing punishments. Guarantee you if operators were
penalized for not following rules, for allowing filth to leave
their networks, I bet you many maladies on the net would be
cut substantially.

Not going to be a popular stance to most of the bigger fish, but
let's get real here, looking at normal everyday life, if a
country were shipping rotten products, don't you think those
in government would call for measures to halt these products
else no business would occur with said country. Why not
re-write policies to do the same with networks.

I will always point to dampening/flapping on BGP as a baseline...
Company X violates, null route them for a second or two until
they comply. They still don't listen double the penalty and
null route them twice the amount. Once their pockets start
hurting, they'll get a clue. And if their engineers still
don't get it, then management of that company would be fools
to keep their lazy asses around.

"SWIP is a process used by organizations to submit information about downstream customer's address space reassignments to ARIN for inclusion in the WHOIS database. Its goal is to ensure the effective and efficient maintenance of records for IP address space.

Lovely language but it ignores the existence of Rwhois and does not
explain by what standard the effectiveness and efficiency is judged.

"SWIP is intended to:
     * Provide information to identify the organizations utilizing each subdelegated IP address block.
     * Provide registration information for each IP address block.
     * Track utilization of allocated IP address blocks to determine if additional allocations may be justified.

This clearly omits any mention of network abuse. It doesn't even
directly mention that contact information is supplied or what the
contact info may/should be used for. It is heavily slanted towards a
bureaucratic process for counting addresses to support decision-making
about applications for additional address space.

Of course, SWIP is an ARIN thing, and you work for BRITISH TELECOMMUNICATIONS PLC. As a US network operator,

BT is also a US network operator. And a global network operator and a
global network and security consulting firm. And some other stuff too
like the project to run the entire UK telephone network over IP, 21CN.

I was well aware of the requirements for SWIP, because ARIN rules make it clear that, as a netblock owner of an ARIN allocation, I'm required to do it.

Which numbering authority do you work with day to day?

ARIN. I have a long history with ARIN predating the existence of the
organization and I was one of the founding members of the ARIN Advisory
Council. I was not asking a typical dumb question here.

The fact is that nobody really has a clear idea what SWIP is, why it
exists, what it is for. What is the purpose and meaning of SWIP? Why is
it different from RIPE or APNIC? All the answers I have ever seen boil
down to "It's traditional!". And I have spent a lot of effort in trying
to track down older documents to see if there was any more clarity back
in the early days of SWIP and whois, but I failed to find anything other
than some references to budget justifications by early ARPANET managers.

On two occasions I tried to address this by proposing some policy
language to ARIN which would define the purpose and scope of the whois
directory but the members were not interested in messing with tradition.

The fact is that SWIP/whois/rwhois suck badly. Different groups of
people have different ideas of what these things mean and the different
ideas do not match. If I ask a waitress for two eggs over-easy I do not
want to receive a slice of Quiche Lorraine. But in the world of
SWIP/whois/rwhois, this is what we deal with every day.

Network operators have a CRYING need for a database to identify contacts
for dealing with network abuse issues. They try to use the whois
directory for this, but too often it fails them because the people
stuffing the info into the directory are merely following tradition to
make sure that the numbers come up right the next time they apply for
additional IP addresses.

By the way, as a holder of an ARIN netblock allocation, you are *NOT*
required to do SWIP. That is just another myth propagated by the holders
of tradition and net folklore. Whenever you ask "Why?" and someone
says, "Because you are required to do it.", they are really telling you
not to think. You pointed me to a page written by ARIN staff as
justification for your views about SWIP but you somehow missed the line
which said:

   SWIPs are required for reallocations of /29 and larger if the
   allocation owner does not operate a RWhoIs server.

But, I take it a step further. Why should I believe what ARIN staff have
written and why should I do what they tell me to do? What is their
justification for writing this page? If you look in the ARIN policies it
always uses the term SWIP in the context of "efficient utilization". So
why do they publish it in the whois directory? Why do people think that
whois contains valid contact info? Why do people think that whois should
contain contacts who are ready, willing and able to act on network abuse
issues? The only reason people think these things is because it is
traditional net folklore. It was never part of the purpose and scope of
SWIP/whois/Rwhois.

--Michael Dillon

Maybe ARIN staff should start re-writing policies and
implementing punishments. Guarantee you if operators were
penalized for not following rules, for allowing filth to leave
their networks, I bet you many maladies on the net would be
cut substantially.

Sorry, that's not their job. That is *YOUR* job!
http://lists.arin.net/mailman/listinfo/ppml
Join the list and propose the new policy.

And ARIN will never mete out punishments or act as a police force in any
way because that is not in ARIN's charter. However, it could operate a
whois directory that meets the needs of network operators fighting
abuse, if said network operators would get off their butts, agree on a
policy describing such a whois directory, and propose it to ARIN.

It's like a lot of those people who complain about the Bush
administration. If you asked them whether they voted Democrat in the
last election, they often say no, they didn't vote at all. Well, you not
only get what you vote for, but you also get what you don't vote
against. Network operators who don't participate in ARIN policy
development don't deserve to complain about anything ARIN-related.

--Michael Dillon

And I want a pony.

We don't even do a (near) universal job of filtering rfc1918 addresses
and spoofed addresses. We aren't filtering obvious bogon packets, how
do you propose we filter less obvious malicious traffic (is that SYN
packet legit, or part of a DDOS, or just a slashdotting of a suddenly
popular site?).

When you say we, speak for yourself and your own networks. There ARE some
people who do take the time to properly design their networks. It is the
same "Well since Billy didn't do it neither will I" attitude that makes
me never think twice about blocking CIDR's.

Since 'THEY' (your "WE") didn't properly configure their network, why
should I think twice about letting it into my backyard. I guess it's calling
for too much for network operators to actually do their work though and I
guess considering IPv6 is like how many years away now, I can expect that
much of a wait for people to implement what should have been done from the
onset.

I don't care how filtering gets done from someone else. Like I said if I
can watch and control what comes out of my networks using raw tools on
nix machines, you cannot with a straight face/typing method tell me that
someone at one of these big providers can't clue themselves in to getting
malicious traffic controlled.

Should someone want to comment about "oh golly the cost is outrageous"
I say bs... It's utter laziness from my eyes. So here I go politely
pointing it out... If I can do it with a couple of thousand machines on
my VERY OWN, not a "team", not a "department" but me, in a matter of
minutes, situate my network to not send out crap, then why can't these
companies? I'd like to hear something logical, not someone's opinion.
Something like "According to ARIN/IEEE specifications of foobarfoo,
operators are not allowed to view traffic entering or leaving their
networks" which hinders this. There is no reason I could think of,
no scenario I could imagine, that would prohibit network operators
from putting the nail in the coffin with stuff LEAVING THEIR NETS.

Note the word LEAVING now. If it doesn't leave, you wouldn't have
complaints from some other operator now would you.


these so-called rules? Many network operators are required to
do a lot of things, one of these things should be the
mitigation of malicious traffic from LEAVING their network.

And I want a pony.

We don't even do a (near) universal job of filtering rfc1918 addresses
and spoofed addresses. We aren't filtering obvious bogon packets, how
do you propose we filter less obvious malicious traffic (is that SYN
packet legit, or part of a DDOS, or just a slashdotting of a suddenly
popular site?).


When you say we, speak for yourself and your own networks.
There ARE some
people who do take the time to properly design their networks.

And I would suggest that Valdis is one of them....

B: Some people don't.

I don't think that it is unreasonable that he used "we " to include all network engineers -- "we" as a community does include A and B

It is the
same "Well since Billy didn't do it neither will I" attitude that makes
me never think twice about blocking CIDR's.

So, I have always wondered -- how do your customers really react when they can no longer reach www.example.com, a site hosted a few IPs away from www.badevilphisher.net? And do you really think that you blocking them is going to make example.com contact their provider to get things fixed?

Since 'THEY' (your "WE") didn't properly configure their network, why
should I think twice about letting it into my backyard. I guess it's calling
for too much for network operators to actually do their work though

Have you considered that being a little politer and not insulting everyone on the list might be a more constructive way of getting your point across -- if I were to call you a "big, fat, doodoo head" you would probably be less receptive than if I didn't...

and I
guess considering IPv6 is like how many years away now, I can expect that
much of a wait for people to implement what should have been done from the
onset.

I don't care how filtering gets done from someone else. Like I said if I
can watch and control what comes out of my networks using raw tools on
nix machines, you cannot with a straight face/typing method tell me that
someone at one of these big providers can't clue themselves in to getting
malicious traffic controlled.

Should someone want to comment about "oh golly the cost is outrageous"
I say bs... It's utter laziness from my eyes. So here I go politely
pointing it out... If I can do it with a couple of thousand machines on
my VERY OWN, not a "team", not a "department" but me, in a matter of
minutes, situate my network to not send out crap, then why can't these
companies?

Yes, it is great that you are doing your bit to help keep the net clean. Congratulations and thank you. Perhaps you could write a nice, simple, friendly guide explaining how you ensure that your network is never the source of malicious traffic? And how this can be scaled up to work in a large backbone network? Perhaps you could politely contact those who are not doing their bit and, in a helpful manner, explain how they could improve -- educating and encouraging change in those who are not doing their bit is much more likely to make things better than screaming "You suck, I'm not going to accept your packets, nah nah nah."

I'd like to hear something logical, not someone's opinion.
Something like "According to ARIN/IEEE specifications of foobarfoo,
operators are not allowed to view traffic entering or leaving their
networks" which hinders this. There is no reason I could think of,
no scenario I could imagine, that would prohibit network operators
from putting the nail in the coffin with stuff LEAVING THEIR NETS.

Note the word LEAVING now. If it doesn't leave, you wouldn't have
complaints from some other operator now would you.

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams

I suspect that I should have just stayed out of this thread....
W

Warren Kumari wrote:

So, I have always wondered -- how do your customers really react when they can no longer reach www.example.com, a site hosted a few IPs away from www.badevilphisher.net? And do you really think that you blocking them is going to make example.com contact their provider to get things fixed?

You confused two things.

1) I do my best to stop malicious traffic from leaving my network. With
this said, if someone cannot get out somewhere, they're obviously going
to get in touch with me as to why. Once this is done, it is explained
to them that either their machine, or a machine on their network was
doing something fuzzy therefore they were blocked. Most are actually
thankful that it was pointed out to them as opposed to having to wait
for Security Company X to update its virus/spamware definitions.

2) I do not block getting TO company X at first signs of garbage coming
into my network from them. I've always contacted someone to some degree
so don't misconstrue my actions as "I block the first packets I see."
On the contrary I only block CIDR's after about 3 attempts at getting
someone to assess their network. After that, I begin with services.
This is my network so this is how it pans out... Spam? A CIDR to my
email ports are blocked. SSH brute forcing, etc., those ports are
blocked. Network who's blocked on ports continues, everything is then
blocked.

Have you considered that being a little politer and not insulting everyone on the list might be a more constructive way of getting your point across -- if I were to call you a "big, fat, doodoo head" you would probably be less receptive than if I didn't...

What does being polite and "matter of factly" have to do with
administrators cleaning up their networks? Should I beg an
administrator of some network to be polite and not refer me to their
generic abuse desk who'll do nothing about the issue?

I actually am a little too polite in the fact that 1) I'm doing
network operators a favor pointing them out to rogue hosts on
THEIR networks not mine. If they want to continue hosting said
rogue idiots, their problem. I won't be allowing it into my range.
If you knew me personally, or have dealt with me, I can guarantee
you within minutes of you contacting me for something I would be
on it. I as an admin/engineer whatever you want to call me would
want to make sure that nothing internal to me is affecting anyone
else since it is likely to make things more difficult for me if
left unchecked.

So on issues of politeness, I am being polite contacting people.
I'm being double polite posting evil doing networks on my personal
site so others can be aware that "These networks are infected.
Here are their hosts if you want to block them." I do this on my
own spare time, my own expense, and my own filtering of the
denials of service that ensue when some botnet reject sees me
post a percentage of his botnet. So please don't take my messages as
anything other than "Hey... When is someone going to deal with
this?" frustration targeted at those with the power to actually do
something about it instead of waiting for someone else to take
the first move.

Analogy: You live in a house and sweep your property. Your
neighbors don't. Would you stop sweeping your house? Would you
keep your house dirty simply because the majority around you
do? I'm sure if you convinced the most visible neighbor to
make a change, the others would follow suit. Heck in some
areas those neighbors who didn't comply would face fines
after some point. Why not bring this chain of thought to a
network you maintain/manage.

As for documentation on this... There is PLENTY of it. Why should
I write another document no one would follow? If some can't follow
normal standards set by governmental bodies (for lack of better
terms), what makes you think someone would say "Gee... That
Oquendo sure wrote a nice document... Let me follow it" How
about following standards and using good old fashioned common
sense.
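The escalation Oquendo lays out above (contact the network about three times, then block the ports matching the abuse for that CIDR, then block the CIDR entirely if it continues), combined with the dampening-style doubling penalty he proposed earlier in the thread, as an added example that is not his own tooling or anyone else's: the ledger below keeps per-CIDR state and returns the action taken for each new report. Aggregating reports per /24, the category-to-port map, and the doubling block duration are illustrative assumptions.

```python
"""Escalating per-CIDR response to repeated abuse reports.

Added example, not the thread author's own tooling. Assumptions: reports
are aggregated per /24, three contact attempts precede any block, the
category-to-port map is illustrative, and the block duration doubles on
each repeat the way BGP route-flap damping grows its penalty.
"""
import ipaddress
from dataclasses import dataclass, field

CONTACT_ATTEMPTS = 3
AGGREGATE_PREFIX = 24
SERVICE_PORTS = {          # abuse category -> inbound ports blocked for that CIDR
    "spam": {25, 587},
    "ssh-bruteforce": {22},
}


@dataclass
class CidrState:
    cidr: ipaddress.IPv4Network
    contacts_sent: int = 0
    blocked_ports: set = field(default_factory=set)
    blocked_all: bool = False
    penalty_hours: int = 0     # current block duration; doubles on each repeat


class AbuseLedger:
    def __init__(self, base_penalty_hours=1):
        self.base = base_penalty_hours
        self.states = {}

    def state_for(self, ip):
        """State record for the aggregate CIDR containing `ip`."""
        cidr = ipaddress.ip_network(ip).supernet(new_prefix=AGGREGATE_PREFIX)
        return self.states.setdefault(cidr, CidrState(cidr))

    def report(self, ip, category):
        """Record one abuse observation from `ip`; return the action taken."""
        if category not in SERVICE_PORTS:
            raise ValueError(f"unknown abuse category: {category}")
        st = self.state_for(ip)
        if st.blocked_all:
            # Still misbehaving while fully blocked: only the duration grows.
            st.penalty_hours *= 2
            return f"already-blocked {st.cidr} penalty={st.penalty_hours}h"
        if st.blocked_ports:
            # Abuse of any kind continued after a service-level block.
            st.blocked_all = True
            st.penalty_hours *= 2
            return f"block-all {st.cidr} penalty={st.penalty_hours}h"
        if st.contacts_sent < CONTACT_ATTEMPTS:
            st.contacts_sent += 1
            return f"notify {st.cidr} attempt={st.contacts_sent}/{CONTACT_ATTEMPTS}"
        # Contacts exhausted: block just the ports matching the abuse seen.
        st.blocked_ports |= SERVICE_PORTS[category]
        st.penalty_hours = self.base
        ports = ",".join(str(p) for p in sorted(st.blocked_ports))
        return f"block-ports {st.cidr} ports={ports} penalty={st.penalty_hours}h"


if __name__ == "__main__":
    ledger = AbuseLedger()
    events = [("203.0.113.5", "spam")] * 4 + [("203.0.113.77", "ssh-bruteforce"),
                                              ("203.0.113.78", "spam")]
    for src, kind in events:               # constructed sequence of reports
        print(src, kind, "->", ledger.report(src, kind))
```

Note what the ledger does not do: it never blocks on the first packet seen, and a single host's misbehaviour only ever escalates against its aggregate CIDR after the contact budget is exhausted, which is the distinction Oquendo draws when he says he does not "block the first packets I see".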

Identify your ownership, and ensure contact information is accurate and well attended. Inconsiderate anonymous behavior is a typical failing, where there is no excuse for remaining ignorant of abusive activity.

-Doug

As for documentation on this... There is PLENTY of it. Why should
I write another document no one would follow?

Because you might be a better writer than those other folks. You might
be able to present the right balance of technical detail and policy
goals to be understood by a larger number of people.

People often ask me to advise them which book they should buy to learn
language X fast. X being French or Russian or German etc. I always give
the same advice. Go to a good bookstore that stocks a large choice of
books in your chosen language. In some cities that means the local
university bookshop, in others there may even be a specialist bookshop
that sells just language books. The important thing is that you go and
look at several different books, compare them to one another and FIND
THE ONE WHOSE AUTHOR SPEAKS TO YOU. Find the writer whose writing
matches your way of thinking. Other than that, buy one dictionary that
you can carry with you all day long, one beginners book, and one graded
reader to start. Every 6 months, go back to this (or another) shop and
look over the selection again because you may have advanced to the point
where additional books/CDs will help. And always avoid beginners books
which do not use the native alphabet of the language you are learning, a
particular problem with Japanese.

In the masses of content that is indexed by Google, we need MORE
variety, not less. Please do try to write something if you can.

--Michael Dillon