New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Can an IP be geolocated to any IP regardless of RIR ?
Hello all,
As far as i understand , an IP doesn't belong to a specific region and can be geolocated to anywhere but its mostly set to the location of the server. What is the importance of the RIR used ( ARIN , RIPE etc...) , when renting ip addresses?
Is it possible to rent ip addresses in RIPE to be used on a server based in USA for example ?
Thanks for the info
Comments
Short Answer: 1) RIR doesn't matter. 2) Yes.
Longer Answer:
Organizations hold resources with a RIR that is in the same region as them.
IP's can be announced and routed (via BGP) and geolocated (via whois) anywhere the organization holding them requires.
In the ARIN region for example, I hold some IP addresses directly. I can submit to ARIN a REASSIGN-SIMPLE template to the hostmaster@ to geolocate them to a particular datacenter anywhere in the world that I want (otherwise they would just geolocate to my company main office). If I was renting them to a customer, I can do the same for them for whatever whois information the customer provides to me.
With BGP, all I have to do is provide an LOA (letter of agency) to my upstream transit provider to BGP announce my IPs with them anywhere in the world. If I rented IP's to a customer to route themselves, I would provide an LOA to my customer which they can pass along to their datacenter / preferred upstream transit provider anywhere in the world.
I can't speak to how other RIRs work in detail, but it should be a similar process.
I really wish LOAs would die already. Easily faked paper.
Me too.
We don’t accept them for any RIPE/APNIC subnet anyway
I thought you could no longer add route objects for out-of-region ASNs, or is RPKI the expected one?
Easily validated against Origin AS, which everyone accepting LOA's should be doing (yet sadly most probably don't).
https://www.arin.net/resources/registry/originas/
If somebody wants you to announce their IPs for them and gives you an LOA, the least they can do is declare your AS number in the Origin AS whois field for the block so you know it's legit.
You require Origin AS?
Honestly most people just check the name at the bottom against the contacts for the range. If they do any checks at all.
It's primarily paper to point at after a hijacking to say "it wasnt our fault".
For APNIC/RIPE route(6) object is strictly required.
For ARIN we accept the LoA but we strongly suggest that the route object is created instead as many peers will built their own prefix lists on IX, etc, for optimal routing.
Is it still possible to add an ARIN or APNIC ASN onto a RIPE route object? I thought that was restricted a while ago
@Cloudvider do remember that doesn't mean much if that route object is for their own ASN.
If that's all you use someone could send you the request to announce one of my ranges, under my ASN. There are route(6) objects for those in APNIC whois. Doesn't mean I'm authorizing you (or anyone else) to announce my ranges.
Yes, it's possible.
True, sufficient malicious intent at scale surely can bypass verification through fraud to a degree, but I was talking about not accepting LoAs for a subnet from regions where route(6) objects are popular, and surely that’s a good practise.