I just had a conversation with John Curran (of ARIN) about this, in fact...

You don't own IP addresses.  But you also don't rent IP addresses, either.

IP addresses are not a thing, good, or object, not even an intangible good.  
They are an address, or an index, if you will.  (You might think of an IP 
address as the index on a giant, internet-wide, shared array... that we call 
"the routing table".)

Your annual fee purchases registration services, specifically, the service of 
ARIN entering your IP addresses into their master copy of a database that other 
people use.  (And some ancillary services that ARIN provides to you.)  That's 
it.

The closest analogy I have are either phone numbers or street addresses.  You 
don't own either of those things, nor do you rent them.  In the case of phone 
numbers, the phone company isn't renting you the phone#, they're renting you 
the POTS service that gives you the ability to make outgoing, and answer 
incoming, calls.  Your ILEC also typically adds your name and # into a phone 
book, as part of the service.  (Yeah, VoIP providers have mangled this analogy 
beyond recognition.)  They can (and have) changed your phone number at will.  
At least ARIN doesn't do that.

In the case of a street address, you own the property.  The address is just an 
index to a giant, irregular 2D array called "the streets in your city".  Again, 
when you buy or rent the property, you aren't buying or renting the address 
itself from anyone, much less the city.  But there are all sorts of directories 
("databases") you can register your business in so that people know who 
occupies such-and-such a property, and marketing folks do this all the time 
(even in 2021).  When you pay those companies money, you aren't renting the 
property from them, you're registering your property with them.

Here's the problematic part: there's absolutely nothing saying you have to 
register your addresses with an RIR to get them into the global routing table.  
You could probably find an ISP somewhere willing to overlook all the rules and 
conventions and advertise new address space that just happens to overlap with 
someone else's registered addresses, or maybe you found some that aren't 
currently advertised.  In fact, I'd say it's 100% possible to do so.

However, nearly everyone agrees to play by a common set of rules, in order that 
the Internet, well... works.  As expected.  Almost 100% of the time, taken as a 
whole.  Those rules include requiring you to register with an RIR, to ensure 
there are no overlaps, and law enforcement can find you if necessary.

Again, you aren't buying or renting IP addresses - you're paying an admission 
fee of sorts, in order to play in the global routing table.  The fact your RIR 
assigned you a block of addresses is part of good internet governance, and is 
not actually the commercial aspect of the transaction (even though we all think 
of it that way anyway, including me).

Ultimately, almost everyone thinks of it the way you do, but it's technically 
quite wrong.  (My statements may not be correct in jurisdictions deriving from 
systems other than English common law.)

Beyond this, this is a discussion for ARIN-DISCUSS not NANOG-L.  Or perhaps in 
your case, whatever discussion list APNIC runs, since ARIN rules don't apply in 
Thailand.  But I expect APNIC will tell you almost the same thing as I just did.

-Adam

P.S. If you feel this is B.S. and it shouldn't work this way, most of the RIRs 
are always looking for participants in their policy process - I know ARIN is.  
Well, I don't know what's up with AfriNIC, that unfortunately seems to be a 
rolling dumpster fire, but I suppose they'll need new people to put the pieces 
all back together, too.

Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athomp...@merlin.mb.ca<mailto:athomp...@merlin.mb.ca>
www.merlin.mb.ca<http://www.merlin.mb.ca/>
________________________________
From: NANOG <nanog-bounces+athompson=merlin.mb...@nanog.org> on behalf of 
Pirawat WATANAPONGSE via NANOG <nanog@nanog.org>
Sent: August 19, 2021 13:32
To: nanog@nanog.org <nanog@nanog.org>
Subject: Re: Newbie Questions: How-to monitor/control unauthorized uses of our 
IPs and DNS zones?

Huh.
And I thought that I did lay down information (and questions) pretty clearly, 
but as you correctly pointed out, I didn't.
So, here goes the second version:

Background Information Section (v2):
We are a Registrant and already registered a zone/domain with a Registry, we 
are also a LIR and have been allocated an IP block straight from RIR.
[What I meant to say is that they all keep saying that we don’t “own” those 
resources and we also have to pay the annual fee so, even though we are a 
Registrant and a LIR, it’s still practically a form of rent anyway.]
We DNSsec-sign and host both forward and reverse zones ourselves, with NSEC3 to 
prevent zone enumeration.
We register our IP block on both IRR and ROA, and constantly monitor them both 
for poison records.

Here’s the sticky part:
We have ‘jurisdiction’ over all those things above.
But: the Web Server part---hardware, software, and content---belongs to the 
‘other department’. That’s my fact-of-life; can’t change it. [Does anyone have 
this same ‘arrangement’? Or do you guys rule over everything?]
Second but: ‘they’ want me to prevent anyone from using organization 
resources---IPs, hostnames, web server hardware/software---without asking 
permission; essentially asking me to look over the web admins’ shoulders.

I know for a fact that some websites with FQDN outside our zone have A/AAAA 
records with addresses from my IP block.

On the other hand, some other websites offload contents onto our servers.

Question Section (v2):
Since I am not the web admin:
1. How-to monitor whether some outsiders are putting our IP addresses into 
their A/AAAA records without me knowing about it?
2. How-to monitor whether some outside websites are just ‘shells’, with 
contents actually being hosted by our servers without me knowing about it?

--
Pirawat.


On Thu, Aug 19, 2021 at 9:45 PM Bill Woodcock 
<wo...@pch.net<mailto:wo...@pch.net>> wrote:


> On Aug 19, 2021, at 4:05 PM, Pirawat WATANAPONGSE via NANOG 
> <nanog@nanog.org<mailto:nanog@nanog.org>> wrote:
> Background Information Part:
> We rent an IP Address Block and a DNS zone.
> [We have to pay the annual fees, so they are renting, yes? :-) ]

We don’t have enough information to know whether you’re renting or are the 
registrant, based on what you’ve said.

If you receive your domain name from a registrar, and the whois shows you to be 
the registrant, you’re the registrant.  If you have a subdomain or you pay 
“rent” to someone who is shown as the registrant in the whois, then you’re just 
renting.

Likewise, if you receive your IP addresses from a regional Internet registry 
(ARIN in the NANOG region), you’re the LIR, or Local Internet Registry.  If you 
have a subnet (which may be SWIPped into the whois, or may not) which you 
received from an LIR, then you’re just renting.

> We run our own DNS authoritative server, with DNSsec on.

Meaning that you’re DNS signing both the forward (A/AAAA) and reverse 
(in-addr/ip6) zones?

> Authority over DNS records, ROAs, and BGP table are with us, but authority 
> over the Web Servers are (naturally) not.

It’s not clear what you mean by this.  You mean that you don’t operate your own 
web servers, but instead use an outsourced service, which in turn uses its own 
IP addresses?

> Question Part:
> 1. How (or where) can I monitor/control such that no one can ‘map’ my IP 
> addresses to external FQDNs [hijacking my IPs] without me knowing about it?

These are separate and unrelated things.

Hijacking your IP addresses would be originating BGP announcement of them.  
Which other people should not do, and other people should not pay attention to 
if they’re validating ROAs and IRR entries.

Mapping your IP addresses to domain names (in-addr/ip6) is not an effective 
attack vector, and nobody will pay attention to anyway, if you’re the 
authoritative delegate for those blocks.

Mapping domain names to IP addresses (A/AAAA) is not an effective attack 
vector, and anyone can do, without disrupting anything.

> 1.1. My understanding is that, as long as I control the authoritative 
> (DNSsec)server and people out there validate the DNS responses, hijacking my 
> IPs outright for use somewhere else is (theoretically) impossible, yes?

If someone else conducts an effective DNS hijacking attack, intermediating 
themselves between your users and your servers, and your users don’t DNSSEC 
validate, then the attack will be successful.  If your users do DNSSEC 
validate, AND THE APPS AND OSES THEY USE DON’T CIRCUMVENT IT, then the attack 
will fail.  But that’s a big if.  Many apps and OSes prefer a MITM attacker to 
a DNSSEC validation failure, because support costs.

> 2. But, web admins can still essentially ‘rent out’ part or whole of my 
> websites by hosting 'foreign' pages/codes and allowing in ‘external 
> redirection’ from outside (to use my hardware! my IPs!) anyway, yes?

If by “web admins” you mean third parties, rather than people who are 
responsible to you, yes.  Which is why people concerned with security host 
their own services.

> 3. How (or where) can I monitor/control such that no one can ‘map’ FQDNs from 
> within my DNS zone to external IP addresses [hijacking my hostnames] without 
> me knowing about it?

There are at least three possibilities here.

One is that someone has access to the unsigned zone data below your delegation, 
in which case this is an internal security problem.  If you’re using NSEC3 to 
prevent zone enumeration, and it were occurring in a delegated subdomain, this 
might actually be a difficult problem.

The second possibility is that someone external to your organization, who has 
access to DNS traffic flows (client, recursive, etc.) interposes themselves as 
a MITM or injects false data into a resolver cache. You could, hypothetically, 
buy access to “passive DNS” feeds which might reveal some portion of such 
traffic, if it existed, but that’s a very long shot.

A third (and probably most likely) possibility is that someone hijacks your 
domain at the registrar level, because registrars generally have crap security 
and fall over all the time, and registrants routinely use crap passwords to 
secure their accounts with registrars, etc.  They could then add an additional 
nameserver, or substitute in all of their own nameservers.  At that point, 
their actions would be fairly visible, and they’d still have to do a dirty roll 
of the DNSSEC KSKs, if they wanted to make things validate, but most wouldn’t 
bother doing so.  There are monitoring services which watch for nameserver 
changes, but all the ones I’ve seen don’t actually check as often as they say 
they do, so miss attacks of this sort that are done quickly.

> 3.1. My understanding is that, web admins can write all sorts of ‘redirect’ 
> in such a way that parts or even my whole websites can be ‘hosted’ on 
> external IPs/hardware, yes?

Yep.  See “why you shouldn’t do that” above.

> 4. Does that mean I need a big Web Application Firewall (WAF)

Absolutely not.  I have no idea what a Web Application Firewall is, but if it’s 
anything like it sounds like, I wouldn’t let one anywhere near anything I was 
responsible for securing.

> The thing is, no one should be able to use organization resources [IPs, 
> FQDNs, and Web Services, for a start] for his/her own purpose without asking 
> permission.

Sounds like you’re going to be writing a lot of shell scripts and cron jobs.  
Welcome to security.  Remember to test your backups, that’s always the most 
important thing in any security regime.

                                -Bill
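One shape the "shell scripts and cron jobs" Bill mentions could take, as an added example that is not part of the thread: a zone audit that flags A/AAAA records pointing outside the prefixes the LIR actually holds (question 3, hostnames in your zone mapped to external addresses) and apex NS records outside the expected delegation set (the registrar-level nameserver-change scenario). The prefixes, zone text and nameserver names below are constructed sample values, not anyone's real data.

```python
"""Audit zone A/AAAA records against held prefixes and check the apex NS set.
Added example, not from the thread; all prefixes, names and zone text are
constructed samples using documentation ranges."""
import ipaddress

# Constructed: address space the organization holds from its RIR.
OUR_PREFIXES = [ipaddress.ip_network(p)
                for p in ("198.51.100.0/24", "2001:db8:100::/48")]
# Constructed: the nameservers that should appear at the zone apex.
EXPECTED_NS = {"ns1.example.net.", "ns2.example.net."}

# Constructed sample zone in master-file style (comments, directives, TTL, class).
SAMPLE_ZONE = """\
$ORIGIN example.net.
@        3600 IN NS   ns1.example.net.
@        3600 IN NS   ns-unknown.example.org.
www      3600 IN A    198.51.100.10
www      3600 IN AAAA 2001:db8:100::10
; web team added this record without telling network operations:
promo    300  IN A    203.0.113.77
mail     3600 IN A    198.51.100.25
"""

def parse_zone(text):
    """Return (owner, rtype, rdata) tuples; skips comments, directives, blanks."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # strip trailing comments
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]       # owner [ttl] [class] type rdata
        if rest and rest[0].isdigit():
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):
            rest = rest[1:]
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records

def out_of_prefix_records(records, prefixes=OUR_PREFIXES):
    """A/AAAA records whose address lies outside every prefix we hold."""
    return [(o, t, d) for o, t, d in records
            if t in ("A", "AAAA")
            and not any(ipaddress.ip_address(d) in net for net in prefixes)]

def unexpected_nameservers(records, expected=EXPECTED_NS):
    """Apex NS targets that are not in the expected delegation set."""
    apex_ns = {d for o, t, d in records if o == "@" and t == "NS"}
    return apex_ns - expected

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for rec in out_of_prefix_records(recs):
        print("A/AAAA outside our prefixes:", rec)
    for ns in unexpected_nameservers(recs):
        print("unexpected apex NS:", ns)
```

Run it from cron against a fresh zone transfer or the checked-in zone file and alert on any non-empty result; the same check applied to the parent zone's NS RRset (fetched separately) covers the delegation side.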

