My view of the arin db boarked?
Christopher Morrow
christopher.morrow at gmail.com
Mon Jun 11 15:36:55 UTC 2012
On Sat, Jun 9, 2012 at 11:13 AM, Joe Provo <nanog-post at rsuc.gweep.net> wrote:
> On Fri, Jun 08, 2012 at 04:27:29PM -0400, Christopher Morrow wrote:
>> err, last 3 times I asked this I was shown the error of my ways, but
>> here goes...
>>
>> 209.250.228.241 - seems to not have any records in ARIN's WHOIS
>> database, everythign seems to roll up to the /8 record :(
>>
>> I see this routed as a /23: (from routeviews)
>> BGP routing table entry for 209.250.228.0/23, version 2072545487
>> Paths: (33 available, best #19, table Default-IP-Routing-Table)
>> Not advertised to any peer
>> 3277 3267 174 27431 14037
>> 194.85.102.33 from 194.85.102.33 (194.85.4.4)
>> Origin IGP, localpref 100, valid, external
>> Community: 3277:3267 3277:65321 3277:65323 3277:65330
>>
>> If I look at the ASN in particular: AS14037
>> no records exist for that in ARIN's WHOIS database either ;( If I look
>> at all the networks announced by AS14037:
>> 14037 | 204.8.216.0/21 |
>> 14037 | 209.250.224.0/19 |
>> 14037 | 209.250.228.0/23 |
>> 14037 | 209.250.242.0/24 |
>> 14037 | 209.250.247.0/24 |
>
> If you query filtergen.level3.com, they are expecting to see it from
> this ASN:
>
> Prefix list for policy as14037 =
> LEVEL3::AS14037
>
> 204.8.216.0/21
> 209.250.224.0/20
>
>> 14037 | 64.18.128.0/19 |
>> 14037 | 64.18.159.0/24 |
>
> ...but not those, which are registered in ALTDB (as the /19)along
> with the squatted 204.8.216.0/21 and 209.250.224.0/20
>
>
> route: 64.18.128.0/19
> descr: RackVibe LLC
> origin: AS14037
> admin-c: GC373-ARIN
> tech-c: GC373-ARIN
> notify: arin at 6gtech.com
> mnt-by: MNT-6GTECH
> changed: arin at 6gtech.com 20081007
> source: ALTDB
>
>
>> none of them have any records in the ARIN WHOIS database :( The
>> upstream for this network is AS 27431 - JTL Networks
>> who seems to get transit/peer with 3356/174.
>
> Amusingly, AS27431 is still the RR contacts cording to the IRR. Score
> another one in the 'inaccurate IRR' column.
yea, automated filter generation from IRR's ... not always good :(
>> It's nice to see folk who use IRR databases to filter their customers
>> still permit this sort of thing to go on though: AS3356 I'm looking at
>> you...
>
> Here's a clue of future prefixes to watch for 3356 allowing from
> this particular nest:
>
> % whois -h filtergen.level3.com -- "-searchpath=ARIN;RIPE;RADB;ALTDB;LEVEL3 as27431"
> Prefix list for policy as27431 =
> ARIN::AS27431 LEVEL3::AS27431 ALTDB::AS27431 RADB::AS27431
> RIPE::AS27431
>
> 66.132.44.0/24
> 66.132.45.0/24
> 66.132.47.0/24
> 69.36.0.0/20
> 209.41.200.0/24
> 209.41.202.0/24
> 209.115.40.0/24
> 209.115.41.0/24
> 209.115.42.0/24
> 209.115.43.0/24
> 209.115.108.0/24
> 216.28.47.0/24
> 216.28.134.0/24
> 216.29.53.0/24
> 216.29.115.0/24
> 216.29.116.0/24
> 216.29.117.0/24
> 216.29.121.0/24
> 216.29.122.0/24
> 216.29.152.0/24
> 216.29.194.0/24
> 216.29.247.0/24
> %
>
most (by random sample of queries to whois.arin.net) of these at least
still had entries in the db.
>> I think first: "Where are the records for this set of ip number resources?"
>> and second: "Why are we still seeing this on the network with no way
>> to contact the operators of the resources?"
>
> You can try and contact the entities that are called 'RackVibe' accordin
> and '6G Tech' according to the various IRR registry entries for 14037 and
> 46496. Sketchy things which geolocate to Seacaucus? Whoda thunk.
yea :( I'd sort of prefer if the transit here would just stop
accepting the announcement(s) in question (which they do today ,
several filter-gen runs since friday).
-chris
> --
> RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
More information about the NANOG
mailing list