(Long) rant about some LIRs in RIPE region, most likely linked to RFG's earlier email

Vasile Capdefier vasile.capdefier at yahoo.co.uk
Tue Jan 15 17:13:39 UTC 2013

Disclaimer: this is just my POV, I didn't investigate (too) much/deep. All the information bellow is public, easy to find and Google Translate seems to work most of the times.

From what I know, Jump.RO's business model is to *sell* IP space from their ALLOCATED PA ranges received from RIPE. Not *sub-allocate*, not *assign* or similar terms. They don't ask too many questions. They give you IPs faster than other LIRs. They market this as being professional.

All of the Jump.RO's sub-allocations (that I've seen in whois) have *ASSIGNED PA* status, which according to ripe-553 [1] is to be used when the range is assigned to an end user for services provided by the issuing LIR. This is probably not the case because except the (new) annual fee for the registration service there are no other services provided by that LIR to the end user.

Most of Jump.RO's "end users" are in fact small ISPs that can't afford the RIPE membership fees and bypass the rules of not using PI space for customers by deaggregating Jump's IP space. I don't know about the 12k number, but they have a large client base in the country and neighboring countries.

I also think that Jump is aware of their IPs being in use by spammers as they advertise on their website that new and unused IP blocks cost about 2 times more than "used" ones. They also note that the previously "used" PA space is checked with "MxToolBox" in 120 anti-spam lists [2].

Even though Jump.RO's business model isn't exactly in the spirit of the RIPE region rules or following best practices (no prefix aggregation, but their excuse is that they are not the only ones doing it), I don't think that they are willing to risk their LIR status by defending known spam operations, so reporting well documented cases of false information provided during registration first to RIPE and then to them would probably get them to withdraw the PA from that customer. The ranges found by you clearly suggest that fake information has been used. Only "under construction" sites, nobody ever heard of those companies, all using same ISPs.

With all this said about ro.registry (Jump.RO's LIR id) i'd like to add the following. There are entire LIRs with very large IP allocations and suspicious activities. I'll just list here a few:

(RIPE allocation list publicly available here [3])

The first candidate that pops up is ro.visnet (VisNetwork Media SRL).
According to their web page [4] they are a pretty large ISP with over 300 experienced employees and over 30 vehicles used for interventions and installations. They provide no CIF (Romanian for Fiscal Identification Code) or other identifying information, but the company is valid and has CIF 25083281.
According to the Romanian Trade Register [5], the company named VisNetwork Media SRL with Fiscal Identification Code 25083281 is registered since February 2009, has no employees (where did those 300 professionals go?) and has registered for the 2011 fiscal year expenses of roughly about 3000 EUR (this value is around the value of the RIPE maintenance fees) and an amazing income of 100 EUR.
Also, they are not registerd with ANCOM [6] (Romanian National Agency for Management and Regulation in Communications), so they are not a real ISP.

They have received from RIPE the following IP space:
20090624    ALLOCATED PA
20100713    ALLOCATED PA
20110404    ALLOCATED PA
20110707    ALLOCATED PA
20110707    ALLOCATED PA
20111012    ALLOCATED PA
20120113    ALLOCATED PA
20120405    ALLOCATED PA
20120730    ALLOCATED PA
20121113    ALLOCATED PA
20110331    2a03:4100::/29

With this much IP space I would think they must have at least a few LARGE cities covered, but nobody ever heard of them or their professional employees.

Also, because apparently their IPs were not enough and their employees seem that they couldn't handle hosting their main website, their website is hosted on IP ranges from another LIR.

visnet.ro has address

inetnum: -
netname:        ROSITE-EQUIPMENTS

The second obvious candidate for our small investigation is, as you might have guessed, ro.rosite (RoSite Equipment SRL).
Information about their deaggregation habits can be found here [7].
According to the Trade Register, ROSITE EQUIPMENT SRL has CIF 17352052 and is a registered company since march 2005.
They are registered as an ISP at ANCOM, but with a different company name (ROSITE NET SRL).
Their second company, the one registered as an ISP, ROSITE NET SRL has CIF 13669105 and is a registered company since january 2001.

The larger company, not the ISP, received from RIPE a large number of IP addresses:
20090706    ALLOCATED PA
20090813    ALLOCATED PA
20091223    ALLOCATED PA
20100325    ALLOCATED PA
20100628    ALLOCATED PA
20110712    ALLOCATED PA
20110712    ALLOCATED PA
20120105    ALLOCATED PA
20120105    ALLOCATED PA
20120724    ALLOCATED PA
20101217    2a03:8800::/32

On the third place in our list we have ro.swift (now Media Trend Sistem SRL, formerly using the company Swift Marketing SRL).
Swift Marketing SRL (nice name, huh?) was deleted from the Trade Registry in may 2011. During 2010 they had 0 employees.
The new company, Media Trend Sistem SRL (CIF 26301830) is registered since december 2009 and was known under another name (not publicly available) until changing it's name to the current one in december 2010.
They are also not registered as an ISP with ANCOM and had 0 employees in 2011.

This didn't seem to stop them from receiving the following IP ranges from RIPE:
20070730    ALLOCATED PA
20080319    ALLOCATED PA
20090303    ALLOCATED PA
20110518    2a00:aa80::/32

Another interesting Romanian LIR is ro.ssnet (SISTEM SOFT NETWORK SRL).
The company is registered with the Trade Register with CIF 24496484 since september 2008, had in 2011 only 1 employee and is not a registered ISP with ANCOM.
They became LIR just a few months before the final /8 was reached in RIPE region.

They only got from RIPE this /15:
20120719    ALLOCATED PA

They also seem to like deaggregating very much [8], now originating 369 prefixes.

Now with all this in sight I suppose the ro.registry issue of about an /14 block seems a rather small issue.

[1] https://www.ripe.net/ripe/docs/ripe-553
[2] http://www.ip.ro/ip.html
[3] ftp://ftp.ripe.net/pub/stats/ripencc/membership/alloclist.txt
[4] http://www.visnet.ro/despre/
[5] http://www.mfinante.ro/agenticod.html
[6] http://www.ancom.org.ro/furnizoricomunicatii-electronice_133
[7] http://bgp.he.net/AS49687#_prefixes
[8] http://bgp.he.net/AS56465#_prefixes

More information about the NANOG mailing list