Re: My view of the arin db boarked?

[Christopher Morrow <christopher.morrow () gmail com>]

On Sat, Jun 9, 2012 at 11:13 AM, Joe Provo <nanog-post () rsuc gweep net> wrote:
> On Fri, Jun 08, 2012 at 04:27:29PM -0400, Christopher Morrow wrote:
> > err, last 3 times I asked this I was shown the error of my ways, but
> > here goes...
> >
> > 209.250.228.241 - seems to not have any records in ARIN's WHOIS
> > database, everythign seems to roll up to the /8 record :(
> >
> > I see this routed as a /23: (from routeviews)
> >   BGP routing table entry for 209.250.228.0/23, version 2072545487
> > Paths: (33 available, best #19, table Default-IP-Routing-Table)
> >   Not advertised to any peer
> >   3277 3267 174 27431 14037
> >     194.85.102.33 from 194.85.102.33 (194.85.4.4)
> >       Origin IGP, localpref 100, valid, external
> >       Community: 3277:3267 3277:65321 3277:65323 3277:65330
> >
> > If I look at the ASN in particular: AS14037
> > no records exist for that in ARIN's WHOIS database either ;( If I look
> > at all the networks announced by AS14037:
> > 14037   | 204.8.216.0/21      |
> > 14037   | 209.250.224.0/19    |
> > 14037   | 209.250.228.0/23    |
> > 14037   | 209.250.242.0/24    |
> > 14037   | 209.250.247.0/24    |
>
> If you query filtergen.level3.com, they are expecting to see it from
> this ASN:
>
> Prefix list for policy as14037 =
>  LEVEL3::AS14037
>
> 204.8.216.0/21
> 209.250.224.0/20
>
> > 14037   | 64.18.128.0/19      |
> > 14037   | 64.18.159.0/24      |
>
> ...but not those, which are registered in ALTDB (as the /19)along
> with the squatted 204.8.216.0/21 and 209.250.224.0/20
>
>
> route:      64.18.128.0/19
> descr:      RackVibe LLC
> origin:     AS14037
> admin-c:    GC373-ARIN
> tech-c:     GC373-ARIN
> notify:     arin () 6gtech com
> mnt-by:     MNT-6GTECH
> changed:    arin () 6gtech com 20081007
> source:     ALTDB
>
>
> > none of them have any records in the ARIN WHOIS database :( The
> > upstream for this network is  AS 27431 - JTL Networks
> > who seems to get transit/peer with 3356/174.
>
> Amusingly, AS27431 is still the RR contacts cording to the IRR. Score
> another one in the 'inaccurate IRR' column.

yea, automated filter generation from IRR's ... not always good :(

> > It's nice to see folk who use IRR databases to filter their customers
> > still permit this sort of thing to go on though: AS3356 I'm looking at
> > you...
>
> Here's a clue of future prefixes to watch for 3356 allowing from
> this particular nest:
>
> % whois -h filtergen.level3.com -- "-searchpath=ARIN;RIPE;RADB;ALTDB;LEVEL3 as27431"
> Prefix list for policy as27431 =
>  ARIN::AS27431   LEVEL3::AS27431 ALTDB::AS27431  RADB::AS27431
>  RIPE::AS27431
>
> 66.132.44.0/24
> 66.132.45.0/24
> 66.132.47.0/24
> 69.36.0.0/20
> 209.41.200.0/24
> 209.41.202.0/24
> 209.115.40.0/24
> 209.115.41.0/24
> 209.115.42.0/24
> 209.115.43.0/24
> 209.115.108.0/24
> 216.28.47.0/24
> 216.28.134.0/24
> 216.29.53.0/24
> 216.29.115.0/24
> 216.29.116.0/24
> 216.29.117.0/24
> 216.29.121.0/24
> 216.29.122.0/24
> 216.29.152.0/24
> 216.29.194.0/24
> 216.29.247.0/24
> %

most (by random sample of queries to whois.arin.net) of these at least
still had entries in the db.

> > I think first: "Where are the records for this set of ip number resources?"
> > and second: "Why are we still seeing this on the network with no way
> > to contact the operators of the resources?"
>
> You can try and contact the entities that are called 'RackVibe' accordin
> and '6G Tech' according to the various IRR registry entries for 14037 and
> 46496.  Sketchy things which geolocate to Seacaucus? Whoda thunk.

yea :( I'd sort of prefer if the transit here would just stop
accepting the announcement(s) in question (which they do today ,
several filter-gen runs since friday).

-chris

> --
>         RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG