And so it ends...

Jimmy Hess mysidia at gmail.com
Fri Feb 4 00:57:46 CST 2011


On Thu, Feb 3, 2011 at 1:34 PM, Jay Ashworth <jra at baylink.com> wrote:
> I strongly suspect that his question is actually "Does ARIN have any
> enforceable legal authority to compel an entity to cease using a
> specific block of address space, absent a contract?"

ARIN has about as much to do with legally compelling an entity (who
has signed no contract with ARIN) to stop using a block of IP address
space, as a DNSBL has to do with compelling some random spammer to
stop attempting to send spam.

What keeps people using only IPs they were allocated by a registry are
network policies of cooperating networks who are independent of ARIN
(aside from possibly receiving an assignment of their own from ARIN).
The RIRs and IANA have not been shown to have any legally enforceable
authority of their own to stop an IP network from using IPs not
assigned by the registry, or to prevent someone from starting to use
IPs already assigned by the RIR to someone else.

If you need examples, look at all the unofficial usage of 1.0.0.0/8
and 5.0.0.0/8 in private networks, that the RIRs did not attempt to
compel anyone to stop.

ARIN does not appear to directly legally compel any entity to cease
using any specific block of address space. Neither is any other RIR in
the business of 'enforcing' that only a registrant uses the IPs, nor
does the registry detect if a wrong entity is using the IPs.

Neither does any internet registry promise that allocations can be
routed on the public internet.

You can ignore the RIRs and use whatever IP addresses you want, at
your own peril. That peril is not created by any RIR, however; the
"peril" is the community response, and response by other organizations
you rely on for connectivity.


Neither does any internet registry promise that allocations will be
unique on the public internet. A competing (non-cooperating) registry
could have made a conflicting assignment. The RIRs can only make
promises about uniqueness within their own allocations, and that they
made the allocations within address space they were delegated by other
registries according to their policies.


The only thing a registration tells you, the registrant, is that this
particular registry administers a database containing that block of
IPs, and you are the only organization currently assigned that IP
space _by that registry_.

If you as a network operator do not cooperate with IANA, then, perhaps
you create your own registry, and just use whatever IP addresses you
want. However, other networks may refuse to interconnect with you due
to their policies determining that to be "improper addressing".



It is not as if ARIN has a policy of looking for hijacked/unofficial
announcements of address space and dispatching an army of lawyers with
'cease and desist' letters.

Instead, what happens is members of the internet community investigate
IP space and AS numbers before turning up new interconnections, and
decide on their own which blocks to route, based on the peering
network's request. Internet-connected networks will find the entry in
the IANA database for the /8 the requested prefix resides in, find
delegation to ARIN, look in the ARIN WHOIS database, and then make a
decision to route the blocks or not.

The new peer might be required to show correct current registry
delegation of the block, authorization from the contact listed in the
database, OR merely sign a promise that they will only originate
prefixes assigned to them through IANA or a RIR recognized by IANA,
BUT the registry operator, ARIN itself, is not the entity that imposes
any specific requirement.


If IP address space is legacy and not properly kept up to date in the
registry under current RIR policies, then some community members might
choose to reject or disallow their use by a peer, based on their own
internal routing policies.



Also, many members of the community rely on the ICANN delegated DNS
root for all DNS lookups. The .ARPA TLD servers refer to ARIN for
reverse DNS, which is important for adequate SMTP operation; in many
mail environments, lack of proper reverse DNS can lead to mail being
rejected.

If IP address spaces appear to be used by a person other than the
registrant, the listed registrant might submit complaints to ISPs in
order to act according to their network's routing policies; if their
policy is to recognize ARIN's listings as the authoritative ones, they
might even turn off prior users of the IP addresses.


There is the RPKI pilot. In the future, members of the community may
authenticate resource assignment through resource certification
according to the policies of the accepted registry, through
cryptographic methods.

That would certainly give ICANN, IANA, and the RIRs stronger technical
enforcement powers. It's even conceivable this could be used in the
future to "Revoke such and such evil outside country network's
Resource certificates" (so they will be forcibly disconnected)


But it's still not 'legal' enforcement of resource 'ownership'. The
community members still have the ability to accept use of IP address
blocks outside what ARIN determines to be the proper registrations,
and recourse is not really ARIN's, if someone other than the proper
registrant is making use of the IP address space in disagreement with
the registry.

--
-JH



