[anti-abuse-wg] Whois database accuracy

On Wed, 21 Oct 2009 Jerome Bouat <jerome.bouat at wanadoo.fr> wrote:

> Could we possibly disconnect the network which aren't tidying their
> whois records ?

To amplify one of Brian's points:

The problem there is that WE (which for the purposes of this discussion
only, would include RIPE NCC) can't disconnect anybody.  You've made an
invalid assumption which - frankly - I also made for many years, until
the full reality of the situation dawned on me.

The only people who can disconnect a network are its peers and upstreams.
To a large extent that means that if any of the backbone networks agrees
to accept the traffic, the network stays connected.  If ALL the backbone
networks agree not to accept traffic from block owners that do not have
(or do not answer) valid abuse etc addresses, then we would have a way
forward.  It only takes one such backbone network to carry the traffic
and the problem remains.  And experience tells us that there will be one.

RIPE and other RIRs allocate IP ranges and ASNs.  Although there is
a routing database, that does NOT actually control the routing.  All
that RIPE NCC controls, is the entitlement to use the numbers, and the
reverse DNS delegations.  Now, if the RIPE NCC were to recover a block
allocation or ASN because the WHOIS data was bad, or the network would
not deal with abuse issues reported (and by the way I am not advocating
that as a policy) those addresses and ASN could continue to be used.
All that would happen would be that rDNS would stop working, and there
would no longer be any visible track of who was running that network.

In an ideal world the upstreams would stop routing the traffic as soon
as they became aware of the situation.  That's very far from being a
universally adopted practice, as was found recently when several of the
other RIRs withdrew numerous IP address blocks for non-payment of fees:
and Afrinic's withdrawal of Zimbabwean blocks was one example of this
triggered by the recent currency problems in Zimbabwe.

IP traffic is just like international telephone routing - if an entity
says it is using a number range, and its peers and upstreams accept the
claim, then connections will get through.  And in many cases those
upstreams will be influenced by the payments they get for the traffic,
either at standard or enhanced rates.  If there are conflicting routing
claims, then obviously the connectivity will become somewhat unreliable.

So effectively the only people who can "disconnect" an address range
are the individual ISPs - by rejecting that traffic locally - but that
rarely happens either, because of the probability of losing legitimate
traffic in the process.  There are a few network ranges that are known
to be all used for crime or abuse, and a lot of ISPs now use the list
at http://www.spamhaus.org/drop to block that traffic. I hope you do!

For the other cases, pressure on the upstreams carrying the traffic
from the entity that has misconfigured data, is probably the best way
to get the problem fixed.  Blocking that traffic locally is a good
thing for ISPs to do, but it will take a lot of them to impose blocking
before corrective action will be taken.

Regards,

Richard
Co-Chair, RIPE AA-WG