Repeated Blacklisting / IP reputation, replaced by registered use

Douglas Otis dotis at mail-abuse.org
Mon Sep 14 17:40:33 UTC 2009


On 9/13/09 12:49 PM, joel jaeggli wrote:
> Frank Bulk wrote:
[]
>> If anything, there's more of a disincentive than ever before for
>> ARIN to spend time on netblock sanitization.
>
> This whole thread seems to be about shifting (I.E. by externalizing)
> the costs of remediation. presumably the entities responsible for the
> poor reputation aren't likely to pay... So heck, why not ARIN?
> perhaps because it's absurd on the face of it? how much do my fees go
> up in order to indemnify ARIN against the cost of a possible future
> cleanup? how many more staff do they need? Do I have to buy prefix
> reputation insurance as contingent requirement for a new direct
> assignm

Perhaps ICANN could require registries establish a clearing-house, where 
at no cost, those assigned a network would register their intent to 
initiate bulk traffic, such as email, from specific addresses.  Such a 
use registry would make dealing with compromised systems more tractable.

>> I do think that ARIN should inform the new netblock owner if it was
>> previously owned or not.
>
> We've got high quality data extending back through a least 1997 on
> what prefixes have been advertised in the DFZ, and of course from the
> ip reputation standpoint it doesn't so much matter if something was
> assigned, but rather whether it was ever used. one assumes moreover
> that beyond a certain point in the not too distant future it all will
> have been previously assigned (owned is the wrong word).
>
>> But if ARIN tried to start cleaning up a netblock before releasing
>> it, there would be no end to it.  How could they check against the
>> probably hundreds of thousands private blocklist?
>
> Note that they can't insure routability either, though as a community
> we've gotten used to testing for stale bogon filters.

The issues created by IPv4 space churn is likely to be dwarfed by 
eventual adoption of IPv6.  Registering intent to initiate bulk traffic, 
such as with SMTP, could help consolidate the administration of filters, 
since abuse is often from addresses that network administrators did not 
intend.  A clearing-house approach could reduce the costs of 
administering filters and better insure against unintentional impediments.

This approach should also prove more responsive than depending upon 
filters embedded within various types of network equipment.  By limiting 
registration to those controlling the network, this provides a low cost 
means to control use of address space without the need to impose 
expensive and problematic layer 7 filters that are better handled by the 
applications.  The size of the registered use list is likely to be 
several orders of magnitude smaller than the typical block list. 
Exceptions to the use list will be even smaller still.

This registry would also supplant the guesswork involved with divining 
meaning of reverse DNS labels.

-Doug




More information about the NANOG mailing list