Re: Tell me about AS19111

2020-02-06 Thread Pierfrancesco Caci
> "Ronald" == Ronald F Guilmette  writes:



Ronald> Try to think of a word that is the absolute antonym of "hygiene" and
Ronald> that's the global routing table.

Ronald> This stuff would be funny if only it wasn't so sick and pathetic.

Ronald> Even if we forget about all of the morons who are -using- these invalid
Ronald> ASNs for actually routing bits to their IPs, you have to ask yourself:
Ronald> Who are all of the morons who are -peering- with these invalid ASNs?

Ronald> Regards,
Ronald> rfg


Ronald> P.S.  Remember, out of all of the networking engineers in the entire world,
Ronald> by definition, half of them are of below average intelligence.

You would sound much more credible if you'd step down the high horse and
stop insulting the very same people you're supposed to work with.

plonk



-- 


Re: Tell me about AS19111

2020-02-06 Thread Shane Ronan
It's not clear to me that HE having reserved AS numbers in THEIR routing
table is actually a problem. These AS numbers are actually reserved for
private use. Perhaps they have a customer who wants to do BGP but doesn't
want to register their own AS number and is single-homed to HE. In this
case, HE can assign them a reserved AS number to use for the session and as
long as HE strips that AS number when it leaves THEIR network, things are
working as intended.

On Wed, Feb 5, 2020, 11:32 PM Ronald F. Guilmette 
wrote:

> In message <20200206013024.4b0b213c2...@ary.qy>,
> "John Levine"  wrote:
>
> >1800vitamins.org has a web site at 12.180.219.234 which looks like
> >they would sell me vitamins should I or my dog need any.
> >
> >Routeviews tells me that IP is in AS19111, routed via AS7018.  AS7018
> >is AT&T which isn't surprising for a 12/8 address, but ARIN says
> >AS19111 doesn't exist.  Huh?
>
> John you have no idea how many folks are using how many bogon ASNs
> as we speak.  Nobody does.  Even the guy who is doing weekly routing
> table reports isn't listing them all, I think, even after I talked
> to him and convinced him to list more things as bogon announcements
> than he formerly was listing.  (I think his bogon lists are still not
> nearly complete, e.g. if one takes into account bogon ASN announcements.)
>
> Go to bgp.he.net and type in any number from 65000 upwards and look at
> all of the effing route announcements!  These are all invalid/reserved
> AS numbers which *nobody* should be announcing routes for, at least not
> into the global routing table.  And yet the Internet is absolutely awash
> in this garbage.
>
> Try to think of a word that is the absolute antonym of "hygiene" and
> that's the global routing table.
>
> This stuff would be funny if only it wasn't so sick and pathetic.
>
> Even if we forget about all of the morons who are -using- these invalid
> ASNs for actually routing bits to their IPs, you have to ask yourself:
> Who are all of the morons who are -peering- with these invalid ASNs?
>
> Regards,
> rfg
>
>
> P.S.  Remember, out of all of the networking engineers in the entire world,
> by definition, half of them are of below average intelligence.
>
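
The two positions above (a private-use ASN is harmless if it is stripped at the provider edge; such ASNs are visible in the global table anyway) can be checked mechanically against AS paths seen from outside the provider. This is an added example, not part of the original thread: the ranges are the IANA special-purpose ASN assignments, while the function names and the sample paths are constructed for illustration and are not observed routing data.

```python
"""Added example: flag private-use and reserved ASNs in AS paths."""
import re

# IANA special-purpose AS number ranges (inclusive bounds).
SPECIAL_ASN_RANGES = [
    (0, 0, "reserved (RFC 7607)"),
    (23456, 23456, "AS_TRANS (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "private use (RFC 6996)"),
    (65535, 65535, "reserved (RFC 7300)"),
    (65536, 65551, "documentation (RFC 5398)"),
    (65552, 131071, "reserved by IANA"),
    (4200000000, 4294967294, "private use (RFC 6996)"),
    (4294967295, 4294967295, "reserved (RFC 7300)"),
]


def classify_asn(asn):
    """Return the reason an ASN must not appear in the global table, or None."""
    for low, high, reason in SPECIAL_ASN_RANGES:
        if low <= asn <= high:
            return reason
    return None


def distinct_hops(path):
    """ASNs in path order with prepends collapsed.

    AS_SET braces and commas are ignored, so set members count as ordinary hops.
    """
    hops = []
    for token in re.findall(r"\d+", path):
        asn = int(token)
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops


def audit(lines):
    """Return (prefix, asn, role, reason) for each special-purpose ASN seen.

    Each input line is 'prefix as_path', the path in asplain notation.
    """
    findings = []
    for line in lines:
        prefix, _, path = line.strip().partition(" ")
        hops = distinct_hops(path)
        for idx, asn in enumerate(hops):
            reason = classify_asn(asn)
            if reason:
                role = "origin" if idx == len(hops) - 1 else "transit"
                findings.append((prefix, asn, role, reason))
    return findings


# Constructed sample paths (documentation prefixes), not observed routing data.
SAMPLE_PATHS = [
    "198.51.100.0/24 7018 19111",            # ordinary public ASNs: no finding
    "192.0.2.0/24 7018 65000 65000 65000",   # private-use origin, prepended
    "203.0.113.0/24 7018 4200000001 19111",  # 32-bit private-use ASN in transit
    "2001:db8::/32 7018 23456",              # AS_TRANS leaked as origin
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PATHS):
        print(*finding)
```

AS19111 passes this check because it lies in none of the special-purpose ranges; an ordinary ASN whose registration has lapsed can only be caught by comparing origins against registry data.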


Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message 
, 
Shane Ronan  wrote:

>It's not clear to me that HE having reserved AS numbers in THEIR routing
>table is actually a problem. These AS numbers are actually reserved for
>private use. Perhaps they have a customer who wants to do BGP but doesn't
>want to register their own AS number and is single-homed to HE. In this
>case, HE can assign them a reserved AS number to use for the session and as
>long as HE strips that AS number when it leaves THEIR network, things are
>working as intended.

It is not in the least bit clear that such stripping is in fact occurring,
and if anything the available evidence seems to suggest that it may not be.

The key point is accountability.  In the case of bogon ASNs, no one is
responsible, and an aggrieved or offended party cannot easily find out
even who to discuss the matter with if they are being hacked, attacked,
or spammed from a range of IPs being routed by a bogon ASN.


Regards,
rfg


P.S.  It does not seem to be the case that only HE internal sensors
are the only ones seeing some of these routes.  Here is what RIPEstat
is telling me right now about routes being announced by AS65000, just
to name one bogon ASN out of many:




Re: DiviNetworks

2020-02-06 Thread Jeroen Wunnink
We have worked extensively with them in the past, legit company that (at the 
time) used custom live traffic compression boxes via gre tunnels to squeeze 
more bandwidth out of (expensive) customer lines.

 
 
Jeroen Wunnink
Sr. Manager - Integration Engineering
 
www.gtt.net 


 

On 05/02/2020, 20:15, "NANOG on behalf of Steve Saner" 
 wrote:

Has anyone here worked with DiviNetworks (https://divinetworks.com/) to 
"sell" their unused bandwidth?

I'd be curious to hear any thoughts or experiences.

Steve

-- 
--
Steven Saner   Voice:  316-858-3000
Director of Network Operations  Fax:  316-858-3001
Hubris Communications  http://www.hubris.net




new tool: rpki-ov-checker

2020-02-06 Thread Job Snijders
Dear ops,

I wrote a simple tool to figure out what kind of invalid a rpki invalid
is, this can aid people in understanding the impact of "invalid ==
reject" routing policies. Only "invalid_unreachable" routes present
an operational issue in my opinion, IP addresses covered by "notfound"
or "valid" less specific routes will still be reachable.

You pass it a file name (or via stdin) with one prefix and origin ASN
per line (white space separated) representing your full BGP RIB, and
then you can grep specific for the task at hand to extract the info you
need:

$ rpki-ov-checker full_rib | fgrep -f customer_prefixes | grep invalid | sort -R | head
invalid_covered_by_not-found 123.101.0.0/21 4809 covering route: 123.101.0.0/16 4134
invalid_covered_by_valid 46.3.74.0/24 134121 covering route: 46.3.0.0/16 207636
invalid_unreachable 83.231.209.0/24 3949
invalid_unreachable 124.30.247.0/24 9583
invalid_covered_by_valid 125.21.232.0/24 9730 covering route: 125.21.0.0/16 9498
invalid_unreachable 120.29.92.0/24 17639
invalid_unreachable 31.40.164.0/24 200872
invalid_covered_by_notfound 45.12.139.0/24 40676 covering route: 45.12.136.0/22 35913
invalid_covered_by_valid 122.160.178.0/24 24560 covering route: 122.160.0.0/16 24560
invalid_covered_by_valid 61.90.251.0/24 21734 covering route: 61.90.192.0/18 7470

NTT is using this to figure out who we need to help fix their ROA or
correct their BGP announcements.

Get the goods at https://githqub.com/job/rpki-ov-checker

Enjoy!

Kind regards,

Job


Re: new tool: rpki-ov-checker

2020-02-06 Thread Job Snijders
Oops, I see a fat typo slipped in - the correct URL is
https://github.com/job/rpki-ov-checker :-)

Kind regards,

Job

On Thu, Feb 6, 2020 at 20:35 Job Snijders  wrote:

> Dear ops,
>
> I wrote a simple tool to figure out what kind of invalid a rpki invalid
> is, this can aid people in understanding the impact of "invalid ==
> reject" routing policies. Only "invalid_unreachable" routes present
> an operational issue in my opinion, IP addresses covered by "notfound"
> or "valid" less specific routes will still be reachable.
>
> You pass it a file name (or via stdin) with one prefix and origin ASN
> per line (white space separated) representing your full BGP RIB, and
> then you can grep specific for the task at hand to extract the info you
> need:
>
> $ rpki-ov-checker full_rib | fgrep -f customer_prefixes | grep invalid |
> sort -R | head
> invalid_covered_by_notfound 123.101.0.0/21 4809 covering route:
> 123.101.0.0/16 4134
> invalid_covered_by_valid 46.3.74.0/24 134121 covering route: 46.3.0.0/16
> 207636
> invalid_unreachable 83.231.209.0/24 3949
> invalid_unreachable 124.30.247.0/24 9583
> invalid_covered_by_valid 125.21.232.0/24 9730 covering route:
> 125.21.0.0/16 9498
> invalid_unreachable 120.29.92.0/24 17639
> invalid_unreachable 31.40.164.0/24 200872
> invalid_covered_by_notfound 45.12.139.0/24 40676 covering route:
> 45.12.136.0/22 35913
> invalid_covered_by_valid 122.160.178.0/24 24560 covering route:
> 122.160.0.0/16 24560
> invalid_covered_by_valid 61.90.251.0/24 21734 covering route:
> 61.90.192.0/18 7470
>
> NTT is using this to figure out who we need to help fix their ROA or
> correct their BGP announcements.
>
> Get the goods at https://githqub.com/job/rpki-ov-checker
>
> Enjoy!
>
> Kind regards,
>
> Job
>


Re: Tell me about AS19111

2020-02-06 Thread Rich Kulawiec
On Thu, Feb 06, 2020 at 09:08:35AM +0100, Pierfrancesco Caci wrote:
> You would sound much more credible if you'd step down the high horse and
> stop insulting the very same people you're supposed to work with.

You're concerned with policing his tone instead of dealing with the
massive security failure -- on the part of *many* of us -- that this
represents?

If I have something horrible going on with a service/server/network/etc.
that I'm responsible for and I don't catch it, then I'm grateful to
anyone who reports it -- because they've caught my mistake, which is
helpful to me and to everyone impacted by it.  I'll worry about my
bruised ego later, it won't be the first time.  Or the last.

---rsk



RE: Disney+ Geolocation issues

2020-02-06 Thread John van Oppen
Did you happen to have this contact?   I have a couple of CIDR blocks still 
having this problem.

The blocks involved all seem right on the main geolocation blocks.

John

From: NANOG  On Behalf Of Cassidy B. Larson
Sent: Tuesday, November 12, 2019 3:54 PM
To: Michael Crapse 
Cc: nanog@nanog.org
Subject: Re: Disney+ Geolocation issues

We're seeing the same thing.  Actually we saw it during pre-signup.  Reached 
out to Disney+ weeks ago as well, with no response.  Now it's launched, our 
support lines are flooded with people unable to give Disney all their moneys.   
 We finally got through to Disney+ support after 2.5hrs on hold to supply them 
the error code, IP address, and zip code.. we'll see if it's passed to the 
right folks.

On Tue, Nov 12, 2019 at 3:30 PM Michael Crapse wrote:
Myself and a few other ISPs are having our eyeballs complain about disney+ 
saying that they're on a VPN. Does anyone have any idea, or who to contact 
regarding this issue?
This is most likely improper geolocation databases. Anyone have an idea who 
they use?

Mike


Re: Disney+ Geolocation issues

2020-02-06 Thread Josh Luthman
I post this link on this list weekly at least.  The past threads have this
link.  Please search!

http://thebrotherswisp.com/index.php/geo-and-vpn/

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Thu, Feb 6, 2020 at 10:30 AM John van Oppen  wrote:

> Did you happen to have this contact?   I have a couple of CIDR blocks
> still having this problem.
>
>
>
> The blocks involved all seem right on the main geolocation blocks.
>
>
>
> John
>
>
>
> *From:* NANOG  *On Behalf Of *Cassidy B. Larson
> *Sent:* Tuesday, November 12, 2019 3:54 PM
> *To:* Michael Crapse 
> *Cc:* nanog@nanog.org
> *Subject:* Re: Disney+ Geolocation issues
>
>
>
> We're seeing the same thing.  Actually we saw it during pre-signup.
> Reached out to Disney+ weeks ago as well, with no response.  Now it's
> launched, our support lines are flooded with people unable to give Disney
> all their moneys.  We finally got through to Disney+ support after 2.5hrs
> on hold to supply them the error code, IP address, and zip code.. we'll see
> if it's passed to the right folks.
>
>
>
> On Tue, Nov 12, 2019 at 3:30 PM Michael Crapse 
> wrote:
>
> Myself and a few other ISPs are having our eyeballs complain about
> disney+ saying that they're on a VPN. Does anyone have any idea, or who to
> contact regarding this issue?
>
> This is most likely improper geolocation databases. Anyone have an idea
> who they use?
>
>
>
> Mike
>
>


Re: Disney+ Geolocation issues

2020-02-06 Thread Brian Ellwood
John,

Give netad...@disneystreaming.com a shout.

> On Feb 6, 2020, at 10:29, John van Oppen  wrote:
> 
> Did you happen to have this contact?   I have a couple of CIDR blocks still 
> having this problem.
>  
> The blocks involved all seem right on the main geolocation blocks.
>  
> John
>  
> From: NANOG  On Behalf Of Cassidy B. Larson
> Sent: Tuesday, November 12, 2019 3:54 PM
> To: Michael Crapse 
> Cc: nanog@nanog.org
> Subject: Re: Disney+ Geolocation issues
>  
> We're seeing the same thing.  Actually we saw it during pre-signup.  Reached 
> out to Disney+ weeks ago as well, with no response.  Now it's launched, our 
> support lines are flooded with people unable to give Disney all their moneys.
> We finally got through to Disney+ support after 2.5hrs on hold to supply
> them the error code, IP address, and zip code.. we'll see if it's passed to 
> the right folks. 
>  
> On Tue, Nov 12, 2019 at 3:30 PM Michael Crapse  wrote:
> Myself and a few other ISPs are having our eyeballs complain about disney+ 
> saying that they're on a VPN. Does anyone have any idea, or who to contact 
> regarding this issue?
> This is most likely improper geolocation databases. Anyone have an idea who 
> they use?
>  
> Mike



Re: new tool: rpki-ov-checker

2020-02-06 Thread Owen DeLong



> On Feb 6, 2020, at 03:35 , Job Snijders  wrote:
> 
> Dear ops,
> 
> I wrote a simple tool to figure out what kind of invalid a rpki invalid
> is, this can aid people in understanding the impact of "invalid ==
> reject" routing policies. Only "invalid_unreachable" routes present
> an operational issue in my opinion, IP addresses covered by "notfound"
> or "valid" less specific routes will still be reachable.

No guarantees about that last one…

A legitimate more specific announcement via a different origin AS may or may not
be reachable via the AS advertising the valid less specific.

Admittedly, this is a self-inflicted injury on the part of the AS providing the
invalid ROA, but no guarantees that it is harmless.

Owen


> You pass it a file name (or via stdin) with one prefix and origin ASN
> per line (white space separated) representing your full BGP RIB, and
> then you can grep specific for the task at hand to extract the info you
> need:
> 
> $ rpki-ov-checker full_rib | fgrep -f customer_prefixes | grep invalid | sort 
> -R | head
> invalid_covered_by_not-found 123.101.0.0/21 4809 covering route:
> 123.101.0.0/16 4134
> invalid_covered_by_valid 46.3.74.0/24 134121 covering route: 46.3.0.0/16 
> 207636
> invalid_unreachable 83.231.209.0/24 3949
> invalid_unreachable 124.30.247.0/24 9583
> invalid_covered_by_valid 125.21.232.0/24 9730 covering route: 125.21.0.0/16 
> 9498
> invalid_unreachable 120.29.92.0/24 17639
> invalid_unreachable 31.40.164.0/24 200872
> invalid_covered_by_notfound 45.12.139.0/24 40676 covering route:
> 45.12.136.0/22 35913
> invalid_covered_by_valid 122.160.178.0/24 24560 covering route:
> 122.160.0.0/16 24560
> invalid_covered_by_valid 61.90.251.0/24 21734 covering route:
> 61.90.192.0/18 7470
> 
> NTT is using this to figure out who we need to help fix their ROA or
> correct their BGP announcements.
> 
> Get the goods at https://githqub.com/job/rpki-ov-checker
> 
> Enjoy!
> 
> Kind regards,
> 
> Job
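
The classification Job describes, with Owen's caveat made visible, as an added example that is not the rpki-ov-checker source: each route is origin-validated per RFC 6811, and every invalid is labelled by the longest non-invalid less-specific route still in the RIB. The VRP list, prefixes (documentation ranges) and ASNs are constructed, and the tie-break rule and all helper names are assumptions of this sketch.

```python
"""Added example: classify RPKI-invalid routes by what still covers them."""
import ipaddress
from typing import NamedTuple, Optional


class VRP(NamedTuple):
    """Validated ROA payload: prefix, maxLength, authorised origin AS."""
    prefix: object
    max_len: int
    asn: int


class Result(NamedTuple):
    label: str
    prefix: str
    origin: int
    cover: Optional[str] = None
    cover_origin: Optional[int] = None


def parse_rib(text):
    """One 'prefix origin_asn' pair per line, whitespace separated."""
    rib = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            rib.append((ipaddress.ip_network(fields[0]), int(fields[1])))
    return rib


def covers(outer, inner):
    """True when `outer` contains `inner` (same address family)."""
    return outer.version == inner.version and inner.subnet_of(outer)


def rov_state(net, origin, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    covered = False
    for vrp in vrps:
        if covers(vrp.prefix, net):
            covered = True
            if vrp.asn == origin and origin != 0 and net.prefixlen <= vrp.max_len:
                return "valid"
    return "invalid" if covered else "notfound"


def classify(rib, vrps):
    """Label every route; invalids get the kind of route that still covers them."""
    states = {route: rov_state(route[0], route[1], vrps) for route in rib}
    results = []
    for (net, origin), state in states.items():
        if state != "invalid":
            results.append(Result(state, str(net), origin))
            continue
        # Less-specific routes that survive an "invalid == reject" policy.
        candidates = [(c_net, c_origin, c_state)
                      for (c_net, c_origin), c_state in states.items()
                      if c_state != "invalid" and c_net.prefixlen < net.prefixlen
                      and covers(c_net, net)]
        if not candidates:
            results.append(Result("invalid_unreachable", str(net), origin))
            continue
        # Assumption: longest match wins; on a tie prefer valid over notfound.
        c_net, c_origin, c_state = max(
            candidates, key=lambda c: (c[0].prefixlen, c[2] == "valid"))
        results.append(Result("invalid_covered_by_" + c_state,
                              str(net), origin, str(c_net), c_origin))
    return results


def valid_cover_other_origin(results):
    """Owen's caveat: the valid covering route is originated by a different AS,
    so traffic follows that AS and may not reach the invalid route's network."""
    return [r for r in results
            if r.label == "invalid_covered_by_valid" and r.cover_origin != r.origin]


# Constructed sample data (documentation prefixes and ASNs), not real ROAs.
SAMPLE_VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("198.51.100.0/24"), 24, 64497),
    VRP(ipaddress.ip_network("203.0.113.0/25"), 25, 64500),
    VRP(ipaddress.ip_network("2001:db8::/32"), 32, 64501),
]
SAMPLE_RIB = """\
192.0.2.0/24 64496
192.0.2.0/25 64496
198.51.100.0/24 64497
198.51.100.128/25 64499
203.0.113.0/24 64498
203.0.113.0/25 64499
2001:db8:1::/48 64502
"""

if __name__ == "__main__":
    for r in classify(parse_rib(SAMPLE_RIB), SAMPLE_VRPS):
        print(*[field for field in r if field is not None])
```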



Re: Tell me about AS19111

2020-02-06 Thread bzs


Given events including the IPv4 runout etc perhaps it's long overdue
that the RIRs should hire a professional big-name (we used to call
them Big 5) accounting firm to audit or at least review IP address,
ASN, etc. allocation.

I am not talking about money, I am talking about resource allocation.

That would be a step towards accountability.

It would likely be a lot better than "someone on NANOG noticed a
discrepancy let's shout at each other about it for a few days."

The "rules" really aren't that difficult even if the details of
technical management can be.

A modern accounting firm could find the talent to grasp how it all
should work and review how it has worked and is working.

I've worked with accountants, they know things like what we'd call in
a phrase "game theory" (you cut, I choose, etc) regarding resource
allocation, memorialization (is the record-keeping broken?), "forcing"
organizations to fix outright bugs in rules and record-keeping,
internal accountability (e.g., who has access to critical records?
what's the process when an error or fraud occurs?), proper reporting,
etc.

It wouldn't be cheap.

But as an easy suggestion I'd recommend that ISOC help with the
funding for such a project. There could be other sources.

Or possibly, I haven't a clue how the numbers might work, a $10 or $20
new annual resource allocation surcharge to underwrite such auditing.

It would be a new and potentially valuable service so, within reason,
justified.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Tell me about AS19111

2020-02-06 Thread Sandra Murphy



> On Feb 6, 2020, at 2:38 PM, b...@theworld.com wrote:
> 
> 
> It would likely be a lot better than "someone on NANOG noticed a
> discrepancy let's shout at each other about it for a few days."


Did I miss something?  I thought the discrepancy being pointed out was that 
resources that were not currently allocated/assigned were still being actively 
used and actively accepted by people who should have rejected them.  Private 
address space and private ASNs are one case, resources that have not yet been 
allocated or were once allocated and have been reclaimed are another.

An accounting audit of ARIN resource management process is not going to help 
the fact that people are accepting routes they should not be accepting.

I suspect I did miss something.

—Sandy

Re: Tell me about AS19111

2020-02-06 Thread bzs


It could measure the extent of the problem and would be within what I
suggested.

For example if there were only one AS being abused that would make it
a different priority than 1,000 or 10,000 (some seem to be implying a
number like that) being abused.

Do we have that number?

And tracking the trend.

On February 6, 2020 at 14:50 sa...@tislabs.com (Sandra Murphy) wrote:
 > 
 > 
 > > On Feb 6, 2020, at 2:38 PM, b...@theworld.com wrote:
 > > 
 > > 
 > > It would likely be a lot better than "someone on NANOG noticed a
 > > discrepancy let's shout at each other about it for a few days."
 > 
 > 
 > Did I miss something?  I thought the discrepancy being pointed out was that 
 > resources that were not currently allocated/assigned were still being 
 > actively used and actively accepted by people who should have rejected them. 
 >  Private address space and private ASNs are one case, resources that have 
 > not yet been allocated or were once allocated and have been reclaimed are 
 > another.
 > 
 > An accounting audit of ARIN resource management process is not going to help 
 > the fact that people are accepting routes they should not be accepting.
 > 
 > I suspect I did miss something.
 > 
 > —Sandy

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: DiviNetworks

2020-02-06 Thread Justin Wilson
They don’t lease your IP space is the thing.


Justin Wilson
li...@mtin.net


—
https://j2sw.com - All things jsw (AS209109)
https://blog.j2sw.com - Podcast and Blog

> On Feb 6, 2020, at 2:07 PM, Mike Fuller  wrote:
> 
> I'd be very cautious about engaging with any company whose business model is 
> to get a short-term lease of your IP-space.  Many companies use IP reputation 
> data, and so you are essentially lending that reputation to a 3rd party, who 
> may use it in ways you don't anticipate until the reputation is sufficiently 
> damaged, and then return it to you and move on to another ISP.
> 
> Some organizations' response to unwanted traffic is simply to block large IP 
> ranges or entire ASes, and not everyone is good about following-up and 
> expiring such blocks in the future.  I realize your customers haven't 
> ended-up on any spam/abuse blocklists, but that doesn't mean they won't be, 
> or that their IP reputation hasn't already been affected in less obvious 
> ways.  You should ask yourself if you are being sufficiently compensated for 
> these risks as reputable IPv4 space is at a premium, so replacing the IPv4 
> space you lent out could get quite costly.
> 
> --
> Mike Fuller :: Security Reliability Engineer :: Google :: AS15169
> 
> On Wed, Feb 5, 2020 at 12:15 PM Justin Wilson wrote:
> Have several networks using them.  This he networks get paid, and no 
> blacklists.  Contact me off list if you want more details
> 
> 
> 
> Justin Wilson
> li...@mtin.net 
> 
> 
> —
> https://j2sw.com  - All things jsw (AS209109)
> https://blog.j2sw.com  - Podcast and Blog
> 
> > On Feb 5, 2020, at 2:14 PM, Steve Saner wrote:
> > 
> > Has anyone here worked with DiviNetworks (https://divinetworks.com/)
> > to "sell" their unused bandwidth?
> > 
> > I'd be curious to hear any thoughts or experiences.
> > 
> > Steve
> > 
> > -- 
> > --
> > Steven Saner   Voice:  316-858-3000
> > Director of Network Operations  Fax:  316-858-3001
> > Hubris Communications  http://www.hubris.net
> > 
> > 
> 



Re: Tell me about AS19111

2020-02-06 Thread thomas brenac via NANOG

+1

I fully agree, not to mention, but probably a bit more tricky to manage, 
so many resource holders, e.g. universities or similar, using just a /24 
out of a /16, legacy of course!


Funny enough bumped last week into a computing uni that was in the above 
example...and no IPv6... grrr



On 06/02/2020 20:38, b...@theworld.com wrote:

to audit or at least review IP address,
ASN, etc. allocation.


--
Thomas BRENAC
https://www.brenac.eu
+33686263575
Registered IPv4 Broker by RIPE NCC, ARIN, APNIC and LACNIC


Re: Tell me about AS19111

2020-02-06 Thread John Sweeting
I am replying to the original post as I am only answering John's question 
below. 

On 2/5/20, 8:30 PM, "NANOG on behalf of John Levine"  wrote:

> 1800vitamins.org has a web site at 12.180.219.234 which looks like
> they would sell me vitamins should I or my dog need any.
>
> Routeviews tells me that IP is in AS19111, routed via AS7018.  AS7018
> is AT&T which isn't surprising for a 12/8 address, but ARIN says
> AS19111 doesn't exist.  Huh?

John - there is a discrepancy with the registration of AS19111 that ARIN is 
working through with the organization that it was originally assigned to on 
11/20/2000. Once the discrepancy is corrected then the registration will be 
visible in whois. Having worked at several ISPs I would point out that 
customers are not normally cut off strictly based on a discrepancy with whois 
or any other database. We would usually work with our customers to help correct 
the discrepancy without disrupting their business. The other interesting thing 
that you pointed out is that the IPs belong to the upstream in this case so 
they most likely have a good idea of who is announcing them to their AS. ARIN 
always cautions on the side of "not disrupting" business and to help correct 
discrepancies and keep the Internet running.

> Signed,
> Confused
> -- 
> Regards,
> John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly




Re: Tell me about AS19111

2020-02-06 Thread John Curran
On 5 Feb 2020, at 8:45 PM, Jon Lewis wrote:

On Wed, 5 Feb 2020, John Levine wrote:
I believe you, but isn't ARIN's list of North American ASNs supposed to be 
authoritative?

Other than the funky ASN there doesn't seem anything particularly naughty about 
the site.

If POCs are unresponsive, and the bill goes unpaid, does ARIN note this in 
whois or just delete data from the db?

If POCs are unresponsive, the lack of response is noted in Whois per NRPM 3.6 


If the bill goes unpaid, then the resources will eventually be subject to being 
revoked per the RSA - https://www.arin.net/resources/fees/returns/

Does the answer to that change if the ASN was under an RSA, but allocated 
pre-ARIN?

Makes no difference whatsoever.

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers



Re: DiviNetworks

2020-02-06 Thread Damian Menscher via NANOG
They're not sending traffic from their own IPs, right?  So they're leasing
yours (whether they make that explicit or not).  And that carries all the
implications/risks Mike mentioned.

Damian

On Thu, Feb 6, 2020 at 12:37 PM Justin Wilson  wrote:

> They don’t lease your IP space is the thing.
>
>
> Justin Wilson
> li...@mtin.net
>
>
> —
> https://j2sw.com - All things jsw (AS209109)
> https://blog.j2sw.com - Podcast and Blog
>
> On Feb 6, 2020, at 2:07 PM, Mike Fuller  wrote:
>
> I'd be very cautious about engaging with any company whose business model
> is to get a short-term lease of your IP-space.  Many companies use IP
> reputation data, and so you are essentially lending that reputation to a
> 3rd party, who may use it in ways you don't anticipate until the reputation
> is sufficiently damaged, and then return it to you and move on to another
> ISP.
>
> Some organizations' response to unwanted traffic is simply to block large
> IP ranges or entire ASes, and not everyone is good about following-up and
> expiring such blocks in the future.  I realize your customers haven't
> ended-up on any spam/abuse blocklists, but that doesn't mean they won't be,
> or that their IP reputation hasn't already been affected in less obvious
> ways.  You should ask yourself if you are being sufficiently compensated
> for these risks as reputable IPv4 space is at a premium, so replacing the
> IPv4 space you lent out could get quite costly.
>
> --
> Mike Fuller :: Security Reliability Engineer :: Google :: AS15169
>
> On Wed, Feb 5, 2020 at 12:15 PM Justin Wilson  wrote:
>
>> Have several networks using them.  This he networks get paid, and no
>> blacklists.  Contact me off list if you want more details
>>
>>
>>
>> Justin Wilson
>> li...@mtin.net
>>
>>
>> —
>> https://j2sw.com - All things jsw (AS209109)
>> https://blog.j2sw.com - Podcast and Blog
>>
>> > On Feb 5, 2020, at 2:14 PM, Steve Saner  wrote:
>> >
>> > Has anyone here worked with DiviNetworks (https://divinetworks.com/)
>> to "sell" their unused bandwidth?
>> >
>> > I'd be curious to hear any thoughts or experiences.
>> >
>> > Steve
>> >
>> > --
>> >
>> --
>> > Steven Saner   Voice:  316-858-3000
>> > Director of Network Operations  Fax:  316-858-3001
>> > Hubris Communications  http://www.hubris.net
>> >
>>
>>
>


Re: Tell me about AS19111

2020-02-06 Thread Brendan Carlson
According to ARIN Who-Was they've had this ASN assigned and removed
multiple times.

Created 11-20-2000 19111 NATURES-BOUN AS19111 NATURE-24
Registration Removed 12-12-2006
Created 01-04-2007 19111 NATURES-BOUN AS19111 NATURE-24
Registration Removed 07-14-2009
Created 07-22-2009 19111 NATURES-BOUN AS19111 NATURE-24
Modified 01-09-2012 19111 NATURES-BOUN AS19111 NATURE-24
Registration Removed 04-07-2015
Created 02-01-2016 19111 NBTY19111 AS19111 NATURE-24
Registration Removed 04-11-2017

I'm assuming this is due to non-payment each time.

On Thu, Feb 6, 2020 at 7:22 AM Rich Kulawiec  wrote:

> On Thu, Feb 06, 2020 at 09:08:35AM +0100, Pierfrancesco Caci wrote:
> > You would sound much more credible if you'd step down the high horse and
> > stop insulting the very same people you're supposed to work with.
>
> You're concerned with policing his tone instead of dealing with the
> massive security failure -- on the part of *many* of us -- that this
> represents?
>
> If I have something horrible going on with a service/server/network/etc.
> that I'm responsible for and I don't catch it, then I'm grateful to
> anyone who reports it -- because they've caught my mistake, which is
> helpful to me and to everyone impacted by it.  I'll worry about my
> bruised ego later, it won't be the first time.  Or the last.
>
> ---rsk
>
>

-- 


http://www.bcarlsonmedia.com
@brendancarlson 
+1 (626) 921-6503


Re: DiviNetworks

2020-02-06 Thread Mike Fuller via NANOG
I'd be very cautious about engaging with any company whose business model
is to get a short-term lease of your IP-space.  Many companies use IP
reputation data, and so you are essentially lending that reputation to a
3rd party, who may use it in ways you don't anticipate until the reputation
is sufficiently damaged, and then return it to you and move on to another
ISP.

Some organizations' response to unwanted traffic is simply to block large
IP ranges or entire ASes, and not everyone is good about following-up and
expiring such blocks in the future.  I realize your customers haven't
ended-up on any spam/abuse blocklists, but that doesn't mean they won't be,
or that their IP reputation hasn't already been affected in less obvious
ways.  You should ask yourself if you are being sufficiently compensated
for these risks as reputable IPv4 space is at a premium, so replacing the
IPv4 space you lent out could get quite costly.

--
Mike Fuller :: Security Reliability Engineer :: Google :: AS15169

On Wed, Feb 5, 2020 at 12:15 PM Justin Wilson  wrote:

> Have several networks using them.  This he networks get paid, and no
> blacklists.  Contact me off list if you want more details
>
>
>
> Justin Wilson
> li...@mtin.net
>
>
> —
> https://j2sw.com - All things jsw (AS209109)
> https://blog.j2sw.com - Podcast and Blog
>
> > On Feb 5, 2020, at 2:14 PM, Steve Saner  wrote:
> >
> > Has anyone here worked with DiviNetworks (https://divinetworks.com/) to
> > "sell" their unused bandwidth?
> >
> > I'd be curious to hear any thoughts or experiences.
> >
> > Steve
> >
> > --
> > Steven Saner                    Voice: 316-858-3000
> > Director of Network Operations  Fax:   316-858-3001
> > Hubris Communications           http://www.hubris.net
> >
>
>


RE: DiviNetworks

2020-02-06 Thread Nathan Babcock
So, an interesting thing about Divi.  I am a regional WISP operator and we did sign 
a deal with them and let them use our space.  One of the issues we developed 
while they were active on our network was that all of our IPs started being homed 
in the UK for Google.  So anytime a customer would go to Google or any Google 
service, it would reroute us to the .uk version of the site.  This took about 6 
months to start happening, so we didn’t have any issues for that long letting 
them use our IP space.  After a day or so of us cutting them off it went away 
and never came back.  I have discussed this with them at length in email, by phone, 
and in person at conferences.  They assured me that this wasn’t them, but when 
I turned it back on, the issue came back in under a week.  Turn them off... goes 
away.  So we removed their connection.  This was over a year ago, and I have 
been talking with them again about this but am significantly more cautious 
about moving forward, if for nothing else than the above reason alone.  Not to 
mention the other items Mike pointed out, which are of the greatest concern.  

 

What they do is create a VPN connection on your edge router and utilize your IP 
space for geolocation IP services and allow their customers to use IPs from 
all over the world to check their sites for compatibility/interoperability.  
That’s what they tell you.  I’ve not seen any indication to believe otherwise 
in my dealings with them which is why we are talking with them again.

 

From: NANOG  On Behalf Of 
Justin Wilson
Sent: Thursday, February 6, 2020 1:35 PM
To: Mike Fuller 
Cc: nanog@nanog.org
Subject: Re: DiviNetworks

 

They don’t lease your IP space is the thing.

 

 

Justin Wilson

li...@mtin.net  



—
https://j2sw.com - All things jsw (AS209109)
https://blog.j2sw.com - Podcast and Blog





On Feb 6, 2020, at 2:07 PM, Mike Fuller <m...@google.com> wrote:

 

I'd be very cautious about engaging with any company whose business model is to 
get a short-term lease of your IP-space.  Many companies use IP reputation 
data, and so you are essentially lending that reputation to a 3rd party, who 
may use it in ways you don't anticipate until the reputation is sufficiently 
damaged, and then return it to you and move on to another ISP.

Some organizations' response to unwanted traffic is simply to block large IP 
ranges or entire ASes, and not everyone is good about following-up and expiring 
such blocks in the future.  I realize your customers haven't ended-up on any 
spam/abuse blocklists, but that doesn't mean they won't be, or that their IP 
reputation hasn't already been affected in less obvious ways.  You should ask 
yourself if you are being sufficiently compensated for these risks as reputable 
IPv4 space is at a premium, so replacing the IPv4 space you lent out could get 
quite costly.

--
Mike Fuller :: Security Reliability Engineer :: Google :: AS15169

 

On Wed, Feb 5, 2020 at 12:15 PM Justin Wilson <li...@mtin.net> wrote:

Have several networks using them.  This he networks get paid, and no 
blacklists.  Contact me off list if you want more details



Justin Wilson
li...@mtin.net  


—
https://j2sw.com   - All things jsw (AS209109)
https://blog.j2sw.com   - Podcast and Blog

> On Feb 5, 2020, at 2:14 PM, Steve Saner wrote:
> 
> Has anyone here worked with DiviNetworks (https://divinetworks.com/) to 
> "sell" their unused bandwidth?
> 
> I'd be curious to hear any thoughts or experiences.
> 
> Steve
> 
> -- 
> Steven Saner <ssa...@hubris.net>  Voice: 316-858-3000
> Director of Network Operations  Fax:   316-858-3001
> Hubris Communications           http://www.hubris.net
> 

 



Re: DiviNetworks

2020-02-06 Thread William Herrin
On Thu, Feb 6, 2020 at 1:37 PM Mike Fuller via NANOG  wrote:
> I'd be very cautious about engaging with any company whose business model is 
> to get a short-term lease of your IP-space.  Many companies use IP reputation 
> data, and so you are essentially lending that reputation to a 3rd party, who 
> may use it in ways you don't anticipate until the reputation is sufficiently 
> damaged, and then return it to you and move on to another ISP.

Hi Mike,

They explain what they're doing in their documentation and for what
it's worth they're probably telling the truth. Their business model is
to facilitate pseudonymous web scraping. If you want to anonymously
check out your competitors' pricing (and automate it), you do it by
accessing your competitors' web site through DiviNetworks' tunneled
transits around the globe.

https://divinetworks.com/nature-of-the-traffic/

So, if you're Cogent and you want to gather business data from ARIN

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Equinix LA4

2020-02-06 Thread Mehmet Akcin
Hey there

I am looking for 100mbps burstable to 1G (copper preferred) transit in
Equinix LA4 to be used as out of band connectivity. Can do fiber if must.

Please let me know if you can provide this offlist
-- 
Mehmet
+1-424-298-1903


Re: Tell me about AS19111

2020-02-06 Thread Tom Beecher
Reporting the issue is good and I’m sure appreciated by all.

I appreciate that those who work in fields tracking down bad actors have a
natural tendency to start viewing everything through that same lens, but
assuming that every issue is caused by malice or stupidity gets really,
really tiring.

On Thu, Feb 6, 2020 at 10:23 Rich Kulawiec  wrote:

> On Thu, Feb 06, 2020 at 09:08:35AM +0100, Pierfrancesco Caci wrote:
> > You would sound much more credible if you'd step down the high horse and
> > stop insulting the very same people you're supposed to work with.
>
> You're concerned with policing his tone instead of dealing with the
> massive security failure -- on the part of *many* of us -- that this
> represents?
>
> If I have something horrible going on with a service/server/network/etc.
> that I'm responsible for and I don't catch it, then I'm grateful to
> anyone who reports it -- because they've caught my mistake, which is
> helpful to me and to everyone impacted by it.  I'll worry about my
> bruised ego later, it won't be the first time.  Or the last.
>
> ---rsk
>
>


Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message <24124.27418.388460.814...@gargle.gargle.howl>, 
Barry Shein  wrote:

>Given events including the IPv4 runout etc perhaps it's long overdue
>that the RIRs should hire a professional big-name (we used to call
>them Big 5) accounting firm to audit or at least review IP address,
>ASN, etc. allocation.
>
>I am not talking about money, I am talking about resource allocation.
>
>That would be a step towards accountability.
>...

Not sure how to break this to you, but the concept you appear to
be talking about, i.e. employing an actual accounting firm to,
you know, account for valuable IPv4 assets as, you know, valuable
assets would, as far as I have been able to determine, represent
a truly novel innovation in the world of Regional Internet
Registries.

During my investigation of the goings on down in AFRINIC, I had
occasion to look at the company's audited financial statement for
fiscal year 2015.  This is a company that was effectively gifted
with two /8 blocks, with current market value, as I calculated it
on the back of a napkin, of over $250 million USD.  In the one
specific document that I looked at, which I believe was prepared
by PriceWaterhouseCoopers (PwC) I saw no hint whatsoever of any
part or portion of these assets being accounted for in any way.
It was as if they didn't exist.

I was all set to be freshly outraged at AFRINIC about this until
I realized that it isn't just them.

As far as I am aware at this moment, *no* RIR had ever had its
accountants or auditors account for valuable IPv4 assets as assets.

If I am wrong, which is quite possible, I would be happy to be
proven so.


Regards,
rfg


Re: DiviNetworks

2020-02-06 Thread Tom Beecher
Agreed.

I also would be very wary of any traffic that I don’t know about sourcing
from my network. The amount of money spent on lawyers when something
malicious comes through this ‘sharing’, and I’m in the jackpot because it
sourced from me, is likely going to be many multiples of whatever dollar
amount I make back. And this doesn’t consider any contractual terms on your
service that might not allow you to do this in the first place.

Maybe some situations where it makes some sense for somebody, but too much
risk for my tastes.

On Thu, Feb 6, 2020 at 16:39 Mike Fuller via NANOG  wrote:

> I'd be very cautious about engaging with any company whose business model
> is to get a short-term lease of your IP-space.  Many companies use IP
> reputation data, and so you are essentially lending that reputation to a
> 3rd party, who may use it in ways you don't anticipate until the reputation
> is sufficiently damaged, and then return it to you and move on to another
> ISP.
>
> Some organizations' response to unwanted traffic is simply to block large
> IP ranges or entire ASes, and not everyone is good about following-up and
> expiring such blocks in the future.  I realize your customers haven't
> ended-up on any spam/abuse blocklists, but that doesn't mean they won't be,
> or that their IP reputation hasn't already been affected in less obvious
> ways.  You should ask yourself if you are being sufficiently compensated
> for these risks as reputable IPv4 space is at a premium, so replacing the
> IPv4 space you lent out could get quite costly.
>
> --
> Mike Fuller :: Security Reliability Engineer :: Google :: AS15169
>
> On Wed, Feb 5, 2020 at 12:15 PM Justin Wilson  wrote:
>
>> Have several networks using them.  This he networks get paid, and no
>> blacklists.  Contact me off list if you want more details
>>
>>
>>
>> Justin Wilson
>> li...@mtin.net
>>
>>
>> —
>> https://j2sw.com - All things jsw (AS209109)
>> https://blog.j2sw.com - Podcast and Blog
>>
>> > On Feb 5, 2020, at 2:14 PM, Steve Saner  wrote:
>> >
>> > Has anyone here worked with DiviNetworks (https://divinetworks.com/)
>> > to "sell" their unused bandwidth?
>> >
>> > I'd be curious to hear any thoughts or experiences.
>> >
>> > Steve
>> >
>> > --
>> > Steven Saner                    Voice: 316-858-3000
>> > Director of Network Operations  Fax:   316-858-3001
>> > Hubris Communications           http://www.hubris.net
>> >
>>
>>


Re: Tell me about AS19111

2020-02-06 Thread Ronald F. Guilmette
In message <24124.30737.599536.809...@gargle.gargle.howl>, 
Sandra Murphy  wrote:

>It could measure the extent of the problem and would be within what I
>suggested.
>
>For example if there were only one AS being abused that would make it
>a different priority than 1,000 or 10,000 (some seem to be implying a
>number like that) being abused.
>
>Do we have that number?

I suggested that nobody has that number, to any degree of accuracy,
as of today.

Once again, this is something that I would be happy to be proven
wrong about.


Regards,
rfg


Need NOC/IP admin contact for AS27506/Crown Castle/Sidera

2020-02-06 Thread Brandon Martin
An RADB entry for IP range 64.25.104.0/22 was recently entered by Crown 
Castle Fiber that appears to be in error.  Please contact me off-list to 
help resolve.  Thank you.

--
Brandon Martin


Re: DiviNetworks

2020-02-06 Thread Ronald F. Guilmette
Regarding DiviNetworks...

I am not personally persuaded that an Israeli company that inserted
a route object into the RADB data base to act as a cover for the
company's apparent theft of a nice juicy /16 AFRINIC region legacy
block that actually belongs to, and belonged to a South African
state owned oil company (Sasol) is actually worthy of the Internet
equivalent of the Good Housekeeping[tm] seal of approval.


route:      169.129.0.0/16
descr:      This is a DiViNetworks customer route-object which is being
            exported under this origin AS12491 (origin AS). This route object was
            created because no existing route object with the same origin was found.
            Please contact supp...@divinetworks.com if you have any questions
            regarding this object.
origin:     AS12491
mnt-by:     MAINT-AS57731
changed:    e...@divinetworks.com 20161021  #19:55:26Z
source:     RADB


Regards,
rfg


P.S.  My past research into the company formally known as Netstyle Atarim
Ltd.  turned up the following interesting link, which may or may not be
relevant:

https://il.linkedin.com/in/erez-cohen-83402813

P.P.S.  Sasol has taken steps, in recent months to assert and reclaim
complete control over both of their two /16 AFRINIC region legacy blocks.
I have had multiple late night (my time) conversations with officials
there, right up to the Vice President level, regarding the unfortunate
circumstances that led to parties other than Sasol routing one or both
of their valuable AFRINIC legacy /16 blocks.

At last check, Sasol officials were still considering whether or not to file
formal police reports in South Africa regarding this matter.

P.P.P.S.  The above quoted fraudulent route object is still present in
the RADB data base as we speak.

It is by no means alone.


Re: Need NOC/IP admin contact for AS27506/Crown Castle/Sidera

2020-02-06 Thread Brandon Martin

On 2/6/20 8:03 PM, Brandon Martin wrote:
An RADB entry for IP range 64.25.104.0/22 was recently entered by Crown 
Castle Fiber that appears to be in error.  Please contact me off-list to 
help resolve.  Thank you.


CCF claims it's been taken care of.  Thanks.
--
Brandon Martin


DiViNetworks

2020-02-06 Thread Ronald F. Guilmette
I mention in passing also that at the present time, DiViNetworks has
a grand total of some 6,070 unique route objects registered in the RADB
data base.

Where I come from, that's a lot of routes.

   https://pastebin.com/raw/YeFBd1qZ

I would be generally unconcerned if not for the fact that two of these
route objects (for 155.235.0.0/16 and 169.129.0.0/16) exactly cover
two AFRINIC legacy blocks that I feel I have proven to have been stolen
from AFRINIC legacy blocks holders, with the apparent collusion and
connivance of one particular gentleman who, coincidentally, I'm sure,
like DiViNetworks, also just happens to have offices in the greater
Tel Aviv metropolitan area.


Regards,
rfg


P.S.  Online reports suggest that DiViNetworks has received $15 million
USD worth of venture capital from the International Finance Corporation,
a commercial lender and member of the World Bank Group.


https://ifcext.ifc.org/ifcext/pressroom/IFCPressRoom.nsf/0/52F1A9E272AAFAB785257BE80051CB53

https://en.wikipedia.org/wiki/International_Finance_Corporation
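
For a prefix holder, the practical check behind this message and the route object quoted earlier in the thread is whether an IRR database holds route objects for your address space with an origin AS you never authorised. The Python sketch below is an added example, not part of any poster's message; the dump, prefixes and ASNs are constructed from documentation ranges and the function names are hypothetical.

```python
import ipaddress

# Constructed IRR dump (RPSL). Prefixes and ASNs come from documentation ranges.
SAMPLE_DUMP = """\
route:      198.51.100.0/24
origin:     AS64500
mnt-by:     MAINT-HOLDER

route:      198.51.100.0/24
descr:      Customer route-object created by a third party
            because no object with this origin was found
origin:     AS64511
mnt-by:     MAINT-AS64510

route:      198.51.100.128/25
origin:     AS64511
mnt-by:     MAINT-AS64510

route:      203.0.113.0/24
origin:     AS64511
"""

def parse_rpsl(text):
    """Split an RPSL dump into objects: dicts of attribute name -> list of values."""
    objects, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an object
            if current:
                objects.append(current)
            current, last = {}, None
        elif line[0] in "#%":                     # whole-line comment
            continue
        elif line[0] in " \t+":                   # continuation of previous attribute
            if last:
                current[last][-1] += " " + line[1:].strip()
        else:
            key, _, value = line.partition(":")
            last = key.strip().lower()
            current.setdefault(last, []).append(value.strip())
    if current:
        objects.append(current)
    return objects

def unexpected_route_objects(dump, held_prefixes, authorised_origins):
    """Flag route objects overlapping held_prefixes whose origin is not authorised."""
    held = [ipaddress.ip_network(p) for p in held_prefixes]
    allowed = {a.upper() for a in authorised_origins}
    findings = []
    for obj in parse_rpsl(dump):
        prefix = (obj.get("route") or obj.get("route6") or [None])[0]
        origin = (obj.get("origin") or [""])[0].upper()
        if prefix is None or origin in allowed:
            continue
        net = ipaddress.ip_network(prefix, strict=False)
        for h in held:
            if net.version == h.version and net.overlaps(h):
                kind = "exact" if net == h else "more-specific" if net.subnet_of(h) else "less-specific"
                findings.append((str(net), origin, obj.get("mnt-by", ["?"])[0], kind))
    return findings
```

Each finding carries the `mnt-by` value, which identifies the maintainer to raise the object with at the registry.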


Re: Equinix LA4

2020-02-06 Thread Saku Ytti
Hey there,

> I am looking for 100mbps burstable to 1G (copper preferred) transit in 
> Equinix LA4 to be used as out of band connectivity. Can do fiber if must.

Would Equinix Connect work?
https://www.equinix.com/interconnection-services/equinix-connect/

Lot of people in the past have preferred to do some kind of OOB WAN
goodwill swaps, but it's unclear if anyone should in equinix.
Considering how difficult support can be on goodwill connections and
more importantly the Equinix XC prices make their own Connect
competitively priced.

-- 
  ++ytti


Re: DiViNetworks

2020-02-06 Thread Ahmed Borno
How is it technically possible that they reuse unused bandwidth without
some funky AS/Route announcement fun?! Anyone can explain that?

~A

On Thu, Feb 6, 2020 at 8:09 PM Ronald F. Guilmette 
wrote:

> I mention in passing also that at the present time, DiViNetworks has
> a grand total of some 6,070 unique route objects registered in the RADB
> data base.
>
> Where I come from, that's a lot of routes.
>
>    https://pastebin.com/raw/YeFBd1qZ
>
> I would be generally unconcerned if not for the fact that two of these
> route objects (for 155.235.0.0/16 and 169.129.0.0/16) exactly cover
> two AFRINIC legacy blocks that I feel I have proven to have been stolen
> from AFRINIC legacy blocks holders, with the apparent collusion and
> connivance of one particular gentleman who, coincidentally, I'm sure,
> like DiViNetworks, also just happens to have offices in the greater
> Tel Aviv metropolitan area.
>
>
> Regards,
> rfg
>
>
> P.S.  Online reports suggest that DiViNetworks has received $15 million
> USD worth of venture capital from the International Finance Corporation,
> a commercial lender and member of the World Bank Group.
>
>
> https://ifcext.ifc.org/ifcext/pressroom/IFCPressRoom.nsf/0/52F1A9E272AAFAB785257BE80051CB53
>
> https://en.wikipedia.org/wiki/International_Finance_Corporation
>