Newbie Questions: How-to monitor/control unauthorized uses of our IPs and DNS zones?

Owen DeLong owen at delong.com
Thu Aug 19 21:18:50 UTC 2021



> On Aug 19, 2021, at 12:34 , Adam Thompson <athompson at merlin.mb.ca> wrote:
> 
> I just had a conversation with John Curran (of ARIN) about this, in fact...
> 
> You don't own IP addresses.  But you also don't rent IP addresses, either.

True, but you can rent the registration of an IP address, or, you can acquire a registration that you pay a monthly maintenance fee for.

In the former case, you are obtaining the registration from an LIR or possibly an end user (though unlikely and not permitted in all RIRs). The LIR takes care of registering your temporary possession of all or part (usually part) of their registration in the appropriate shared database(s) and the rental fee is either included with your connectivity bill or billed separately, depending on the LIR’s particular business practices. Some LIRs don’t provide connectivity services, while most do. Some include address registration in their connectivity price, others do not.

In the latter case, you are going directly to one of the five RIRs and obtaining an allocation or assignment. The registration of a unique set of numbers specifically to your entity is recorded by the RIR in their database(s) and published for all the world to see.

> IP addresses are not a thing, good, or object, not even an intangible good.  They are an address, or an index, if you will.  (You might think of an IP address as the index on a giant, internet-wide, shared array... that we call "the routing table".)

That analogy breaks down very quickly as the routing table is built out of prefixes and not addresses, but as oversimplifications go, it’s not entirely terrible.

> Your annual fee purchases registration services, specifically, the service of ARIN entering your IP addresses into their master copy of a database that other people use.  (And some ancillary services that ARIN provides to you.)  That's it.

That depends on who you are paying your fee to, but if you’ve gone directly to an RIR, specifically ARIN, yes, that’s the case.

> The closest analogy I have are either phone numbers or street addresses.  You don't own either of those things, nor do you rent them.  In the case of phone numbers, the phone company isn't renting you the phone#, they're renting you the POTS service that gives you the ability to make outgoing, and answer incoming, calls.  Your ILEC also typically adds your name and # into a phone book, as part of the service.  (Yeah, VoIP providers have mangled this analogy beyond recognition.)  They can (and have) changed your phone number at will.  At least ARIN doesn't do that.

It’s actually a lot more like license plates. You don’t own the license plate or the license plate number, but you pay a registration fee every year for DMV (or your jurisdiction’s equivalent) for the privilege of them telling police officers who that plate points to whenever they ask. The car is like your routers and network… You own that, but you don’t own the numbers you got from DMV to label each piece of equipment. However, the numbers do uniquely point to the fact that the equipment is yours.

> Here's the problematic part: there's absolutely nothing saying you have to register your addresses with an RIR to get them into the global routing table.  You could probably find an ISP somewhere willing to overlook all the rules and conventions and advertise new address space that just happens to overlap with someone else's registered addresses, or maybe you found some that aren't currently advertised.  In fact, I'd say it's 100% possible to do so.

Fortunately, over time, this is actually getting harder. Between improved IRR filtering and other tools, combined with a tendency to de-peer networks that habitually announce prefixes on behalf of people they are not registered to, the situation has somewhat improved.

OTOH, RPKI, especially with AS0 ROAs, radically alters this trust model in that it provides an avenue for an RIR that becomes a bad actor to do great and immediate damage to entities it chooses to attack. I’m not saying there are any RIRs that would abuse this power, but I’m also not as confident as I used to be that none of them would.

> However, nearly everyone agrees to play by a common set of rules, in order that the Internet, well... works.  As expected.  Almost 100% of the time, taken as a whole.  Those rules include requiring you to register with an RIR, to ensure there are no overlaps, and law enforcement can find you if necessary.

It’s also important to note that the RIRs have rules they are supposed to play by which are developed through their respective policy development processes. To date, they’ve generally made a pretty strong effort to do so. There is one RIR that is unfortunately a glaring exception at the moment.

> Again, you aren't buying or renting IP addresses - you're paying an admission fee of sorts, in order to play in the global routing table.  The fact your RIR assigned you a block of addresses is part of good internet governance, and is not actually the commercial aspect of the transaction (even though we all think of it that way anyway, including me).

You’re really paying a registration fee, just like you do for the license plates on your car every year. The biggest difference is that nobody is coming with a gun to collect your RIR fee.

> Ultimately, almost everyone thinks of it the way you do, but it's technically quite wrong.  (My statements may not be correct in jurisdictions deriving from systems other than English common law.)

To the best of my knowledge, your descriptions of how the RIRs work are accurate regardless of the legal framework. All RIRs specifically call out in their contract that addresses are registered to you and are not property and you don’t own them.

> Beyond this, this is a discussion for ARIN-DISCUSS not NANOG-L.  Or perhaps in your case, whatever discussion list APNIC runs, since ARIN rules don't apply in Thailand.  But I expect APNIC will tell you almost the same thing as I just did.

If they’re only in Thailand, then yes, APNIC. If they’re also in North America or the Caribbean, they can choose to use either registry or both. There’s a bit of a misstatement of the situation in RFC-7020, unfortunately.

Owen
(Who has some experience with RIR policy processes)
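To make the AS0 ROA point above concrete, here is an added example (not from this post, nor from any RIR or RPKI validator) that implements RFC 6811 route origin validation over a constructed ROA set; the prefixes and ASNs are documentation values chosen for illustration, and the AS0 entry shows how a single ROA published by the registry renders every announcement of that prefix invalid.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs.

Each ROA authorises one origin AS to announce a prefix up to a maximum
length.  An AS0 ROA (RFC 7607) authorises nobody: any route it covers
is RPKI-invalid, which is the trust-model concern raised in the post.
All data below is constructed for illustration.
"""
import ipaddress

# Constructed ROAs: (prefix, maxLength, origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 26, 64497),   # holder may announce /24 .. /26
    ("203.0.113.0/24", 24, 0),        # AS0 ROA: no AS may originate this
    ("2001:db8::/32", 48, 64496),
]


def validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2.

    A ROA *covers* a route when the route lies inside the ROA prefix.
    A covering ROA *matches* when the origin AS is equal and the route
    length does not exceed maxLength.  Any match -> valid; covered but
    never matched -> invalid; not covered at all -> not-found.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != route.version:
            continue                      # subnet_of() needs same family
        if route.subnet_of(roa_net):
            covered = True
            # AS0 can never equal a real origin, so an AS0 ROA only ever
            # contributes "covered" and therefore only ever rejects.
            if roa_as != 0 and roa_as == origin_as and route.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("203.0.113.0/24", 64496), ("10.0.0.0/8", 64496)]:
        print(f"{pfx:18} AS{asn}: {validate(pfx, asn)}")
```

A more-specific announcement beyond maxLength (192.0.2.0/25) is rejected just like a wrong origin AS, and a prefix with no ROA at all stays not-found rather than invalid.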

