[anti-abuse-wg] Re: Interaction between the RIPE and anti-abuse communities

Greetings all,

I am a relative newcomer within RIPE community - but been working for
some 10 years with CERT-FI, the national CERT team in Finland. During
this period I have got a feeling (no statistics - yet) that the majority
of cases where the validity of ipv4 / AS resource registration details
can be questioned are within RIPE service area. APNIC, AFRINIC, LACNIC, ARIN
-provided resources with this suspicion are quite rare on my radar.

I have a couple of questions on my mind:

1) What is the current procedure to initiate an investigation with RIPE NCC
on resource registration data consistency?

2) Are there any spesific requirements to be filled to trigger investiation
   procedures - what proof of suspicious registration data is needed?

3) Where I can find the current RIPE policies applied on this type of investigation request?

4) What kind of reply time one could expect from RIPE NCC for this type of request?

5) What methods I could use to extract
   -sponsoring LIR data of a inetnum / autnum object
   -all inetnum/autnum objects delegated by a spesified LIR

   from RIPE NCC WHOIS database?

   (personally I think there is no need to hide this information - all customer
   networks of an ISP can be easily extracted from BGP routing data, business
   protection needs IMHO do not warrant blocking this information)

I have a couple of examples that could perhaps warrant a concentrated look.
First is a recent and public one, documented here:

http://www.abuse.ch/?p=3130

Could regisgtry consistency procedures be initiated on the suspicious resources mentioned
in the blog post?

A second case I would like to work with appropriate RIPE NCC staff directly.

--Kauto

-- 
Kauto Huopio - kauto.huopio at ficora.fi
Senior information security adviser
Finnish Communications Regulatory Authority  / CERT-FI
tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
CERT-FI watch desk daytime: +358-9-6966510 / http://www.cert.fi