[anti-abuse-wg] DRAFT: RIPE proposal - implementation of an

Hi again,

> On 9 Apr 2010, at 20:43, Frank Gadegast , Dipl-Inform. Frank Gadegast wrote:
> > - whois is showing IP ranges and ranges are often quite small, what means
> >  that you have to look up each range, better each IP seperatly
> 
> Huh?

Who cares about a range, when I want the responsible person for a fixed IP ?

> > - whois has only a connection to the owner of the range and not to the
> >  member, unless you do even more queries
> 
> What are you talking about?
> 
> If you do a lookup on an IP you can clearly see which AS number they belong to. You might need to do a second lookup on the AS number to get a bit more verbose information, but it's clearly there

Thats it, you need a second query, thats weird these days.

whois is that old and has nothing to do with up-to-date database design.

If I design a database, I design it to serve the questions I like
to ask the database about, e.g. I like to ask the RIPEs database the following things:

- give me the abuse address of the responsible RIPE member for this IP
- give me the abuse address of the responsible IP user/owner
- give me the abuse address of the upstream provider for this IP
- give me the telephone number of the RIPE member for this IP
- aso ...
 
You cant do that with whois without programming a lot
of special cases, understand what type of objects to query
and to parse the first result, do a second query, parse
that result.

whois has really nothing to do with current databases.

If I could run RIPEs databases I would love to do a simple:
SELECT abuseemail FROM owner where ip='1.2.3.4'
and send this to port whatever via telnet and get a clean
asnwer in one line just containing what I asked for and
nothing else.

Easier ?
Yes.

Is whois kind of blocking the development of several tools
because of an non-up-to-date design ? Yes sure.
 
> > - queries to personal objects are limited, what makes automated systems
> >  impossible, if they are not starting to cache queries or read old
> >  database dumps or have the special right to receive as many infos
> >  as they need
> 
> Why do you need to query personal objects?

For the abuse email address or the owners email address or the tech-c email address.
A lot of netobjects do neither have a remark section including
an abuse address, they do not have a valid abuse-email field,
the only thing they have is a "link" to the admin-c or tech-c
object, that you have to query then again ...

> > - caching query results are causing delays, what means that the abuse contacts
> >  cant be correct all the time, because they could have changed already
> 
> Abuse contacts are unlikely to change that often.

Wrong. They change really quick.
Specially for those netrange objects that do only have personal objects
and no abuse-email field or remark.

> Sure, they may change, but they're not going to be changing on a regular basis.

admin-c and tech-c do change quite often, at least this is
our expirience with our own blacklist.

We decided to look up any object as quick again as RIPE whois allows
us with their limits, otherwise we will send report to the wrong person,
at that still happens too often.

> > and if you see it world-wide:
> > - the formatting of the world wide whois systems is not equal and sometimes
> >  even hard to parse, even if they nearly have the same fields
> > - IPv4 ranges are widely spread between all RIRs, you will need to look
> >  up arins whois first, to find out, where the range actually belongs to,
> >  and then ask that RIR
> 
> No you don't.
> You just do a whois lookup using a proper whois client and it will automatically handle the RIR side of things for you.

Love to have a whois tool, that can somehow sniff the right RIR
out of the air without having to do a query first, look it up
in whatever file on a ftp server or some other remote thing.
How do you think that a proper whois client is doing that decision ?

Come on ... he has to look it up first, to wich RIR it belongs.

> If you're having issues with this then your whois client is out of date.

Sure, and it will be out of date every week, if its not doing
that "magic" lookup.
109.x.x.x was assigned to RIPE not that long ago.
APNIC got a few blocks lately.
KRNIC got a few blocks from APNIC
All not long ago ...

> > - dont forget the early registration blocks spread all over the world
> > - arins whois requires up to three queries to finally get the abuse contact
> >  hidden in several possible objects, multi-range listings with more than one
> >  correct answer. What field will you really look for in arins whois ?
> 
> You're talking about a proposal for RIPE. Broadening it to other regions and any possible issues they may have isn't going to help RIPE much .. 

Its written in the draft, that other RIRs might pick up on the same idea.
In the end I would love if all RIRs have the same tools, protocols one day.

> >  OrgTechHandle, OrgAbuseHandle, RAbuseEmail, OrgNOCEmail, OrgTechEmail ?
> > - apnics whois is now spread along several other referral whois in different countries
> >  and there is not clear and often changing relocation or change in the size
> >  of the assigned blocks for those sub-RIRs
> > - lacnic also spreads, brasil has its own whois
> > - lacnic always includes the mains RIRs abuse contats, relevant ? yes, no, both ?
> > - the objects changed-date is not visible on all whois worldwide
> > - tools that should make this more easy (like jwhois for domainname) are
> >  always developed with big delays and are never accurate

No comment here ?

> > And many more problems, thats not what I understand as standarized ....
> > 
> > And if there is an RFC nearly for everything, its pretty weird,
> > that whois is not equal all over the world.

Hm, no answer on that too ?
Why is whois output different all over the world ?
Its like having a different internet everywhere.

> > (well, but the same with domain whois, at least the output format could
> > be the same, even if every country will hide fields or not like its
> > needed by local law or commitment)
> 
> What has domain whois got to do with anything?

That was only a note.
Domains are also hard to parse.
At least the last new domain registries (like .org, .biz, .name) finally
picked up, that whois should look the same, should be easy to parse
and should at least try to have the same fields all over the world.

But, look at ARINs whois, this one is a desaster according to a parsing function.

Sometimes you get even two answers when asking for ONE IP, then you have to parse
the least significant object from the NET-name and query that object again.
Really weird ...

> >> So, if I understand your proposal correctly, you want RIPE NCC membership fees to be used to create a system that will be used to 'name and shame' RIPE NCC members. I think this brings me back to the question I asked in my last message and which you did not answer: what is the incentive for RIPE NCC members to finance this system?
> > 
> > Yes, because the development and maintance cost are spread on all members,
> > instead on only those, that are willing to do something, this would
> > be one way to "punish" the others :o)
> 
> 
> Which doesn't answer Leo's question at all.

Different mail.

> > And the system only has to be developed once.
> > 
> > And it will get even cheaper for everybody, if you add more functionality
> > in the next steps ...
> > 
> > And no member that already receives and reads and works on abuse reports
> > has to fear this system, that how it should be constructed.
> 
> If we're already handling our own abuse reports and paying our normal RIPE fees why on earth would we want our RIPE fees to increase?
> 
> Sorry, but you've completely lost me on this one.

Answer in the reply to Leos mail ...


Kind regards, Frank
--
PHADE Software - PowerWeb                       http://www.powerweb.de
Inh. Dipl.-Inform. Frank Gadegast             mailto:frank at powerweb.de
Schinkelstrasse 17                                fon: +49 33200 52920
14558 Nuthetal OT Rehbruecke, Germany             fax: +49 33200 52921
======================================================================
Public PGP Key available for frank at powerweb.de
> 
> Regards
> 
> Michele
> 
> 
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> ICANN Accredited Registrar
> http://www.blacknight.com/
> http://blog.blacknight.com/
> http://mneylon.tel
> Intl. +353 (0) 59  9183072
> US: 213-233-1612 
> UK: 0844 484 9361
> Fax. +353 (0) 1 4811 763
> -------------------------------
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,Ireland  Company No.: 370845
> 
>