Security issues based on post RIR allocation rules

Hey, I lurk a bit, and try to stay out of stuff if I can, but I’ve had a bout of problems that appear to have a common source.

I work in the Educational networking area, and a lot of our members are pre-RIR formation internet users. They have IP ranges that were allocated from the 150/8 through 170/8 blocks. Unfortunately, a bunch of those are part of the legacy ranges handled by APNIC and AFRINIC. Here in the US, mention of either of those makes security people have dreams of Nigerian princes and Korean/Chinese hackers.

Don’t get me wrong, these are long term US based governmental and educational institutions. Bonified, accredited institutions. When I call a health care organization, or a web hosting provider, the first thing I get is that they think we are trying to pull one over on them and all these ranges must be in Africa or Asia. I show them the ARIN information for the specific /16, and sometimes I can make some headway. Sometimes there’s no convincing them. This issue appears to be getting worse over time, so I was wondering if some misguided organization or group is going around pressing for the rules that are triggering these issues? Is there a public information forum that might be able to educate security administrators to not cut off wide swaths of the US internet from taking advantage of their products and services?

It’s very frustrating


Shannon Spurling

I'm somewhat inclined to blame poor `whois` implementations for this.

Apart from `whois` being generally very crappy, there are specific issues
on the server side and the client side which mean the human driving whois
often needs a good deal of expertise to be able to properly track down the
authoritative registration details for a netblock.

On the server side, APNIC and RIPE do not return proper referrals for ERX
netblocks. This is annoying, because they know which of the other RIRs is
responsible for the registration - they have to get the reverse DNS
information from the other RIR. Examples: (an APNIC /8 but the
/16 is allocated to Fordham University and managed through ARIN); and (a RIPE /8 but the /16 is allocated to LANL and managed
through ARIN).

AfriNIC's whois server is more helpful: it seems to proxy queries to RIPE
and APNIC as appopriate, and returns RDAP referrals for ARIN.

On the client side, these days it is mostly possible to find the correct
whois server to ask by following referrals from IANA. (In the past whois
clients had to have a fairly large database of starting points.) A
reasonably intelligent referral-oriented whois client can work around
missing referrals for early netblock allocations by guessing, which
usually means restarting with ARIN. But in practice most whois clients are
pretty stupid, and the referral-oriented ones keep breaking when servers
change. (e.g. I just found out AfriNIC's behaviour has changed since I
last looked...)


I’ll simply endorse the ‘stop judging an IP by it’s RIR’ approach. As a New Zealander (and APNIC is our RIR), having to convince US institutions that our subnets should not be blocked simply because they’re out of the same /8 as those used by other Asian nations with poorer IP address reputations , is a challenge because, well, a nation of 4.5M in the south Pacific is insignificant, right? :S

Also if the whole /8 doesn’t sit within the same organisation or country, how is it smart to use it as any sort of differentiator?

Have banged my head against this one many times in my career to-date.


Likely with the growing number of inter-RIR transfers of IPv4 blocks, over
time, this is only going to get worse (or better)…

Worse in that the size of the problem will continue to grow.

Better in that as the size of the problem grows, it might become visible
enough to actually get addressed.