Just a point of curiosity... For each newly created ORG record that is put into the data base, if the ORG record represents something other than a natural person, does NCC staff make any effort to check to make sure that the alleged non-person entity actually exists, I mean, you know, as a legal entity, somewhere on planet earth? Or is this just another one of those niceties that cannot, in practice, be performed within the RIPE region because the membership has not explicitly approved it? Regards, rfg
For each newly created ORG record that is put into the data base, if the ORG record represents something other than a natural person, does NCC staff make any effort to check to make sure that the alleged non-person entity actually exists, I mean, you know, as a legal entity, somewhere on planet earth?
yes. see https://my.ripe.net/#/public/membership randy
Hi, On Sat, Jul 27, 2019 at 10:53:28PM -0700, Ronald F. Guilmette via db-wg wrote:
Just a point of curiosity...
For each newly created ORG record that is put into the data base, if the ORG record represents something other than a natural person, does NCC staff make any effort to check to make sure that the alleged non-person entity actually exists, I mean, you know, as a legal entity, somewhere on planet earth?
Or is this just another one of those niceties that cannot, in practice, be performed within the RIPE region because the membership has not explicitly approved it?
I think this depends on the context that you want to *use* said org object. If you put it in as a standalone and unreferenced database object, I think no vetting takes place. If you want to tie resources to it that are maintained by the NCC (allocations [PA] or end user assignments [PI]) this needs to go through a NCC ticket, and they want to see paperwork. If you want to tie resources to it that are maintained by yourself (I have this customer, they have received a /27 out of my /22 PA, and, because I can, I want to put in an org object for them), they are not vetted, but by putting false data into the DB for your customer assignments you are violating your LIR contract - so that would be a good way to get a LIR into trouble should the NCC be made aware. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
In message <20190728211022.GK60824@Space.Net>, Gert Doering <gert@space.net> wrote:
On Sat, Jul 27, 2019 at 10:53:28PM -0700, Ronald F. Guilmette via db-wg wro=te:
Just a point of curiosity...
For each newly created ORG record that is put into the data base, if the ORG record represents something other than a natural person, does NCC staff make any effort to check to make sure that the alleged non-person entity actually exists, I mean, you know, as a legal entity, somewhere on planet earth? ...
I think this depends on the context that you want to *use* said org object. If you put it in as a standalone and unreferenced database object, I think no vetting takes place.
If you want to tie resources to it that are maintained by the NCC (allocations [PA] or end user assignments [PI]) this needs to go through a NCC ticket, and they want to see paperwork.
In the context of your response, would one or more ASNs count as "resources" which would trigger manditory vetting of the associated ORG? Or is it only the association of some IP address block that causes NCC to vet the ORG? Regards, rfg
Prior to an ASN or PI space being assigned by the NCC, the NCC goes through and checks the organization info. The only time an ORG ID can have resources registered to it without being vetted is in the case of PA IP space being sub allocated or assigned by a LIR, where the LIR is responsible for ensuring accurate information is provided. Jacob Slater On Sun, Jul 28, 2019 at 4:28 PM Ronald F. Guilmette via db-wg < db-wg@ripe.net> wrote:
In message <20190728211022.GK60824@Space.Net>, Gert Doering <gert@space.net> wrote:
On Sat, Jul 27, 2019 at 10:53:28PM -0700, Ronald F. Guilmette via db-wg wro=te:
Just a point of curiosity...
For each newly created ORG record that is put into the data base, if the ORG record represents something other than a natural person, does NCC staff make any effort to check to make sure that the alleged non-person entity actually exists, I mean, you know, as a legal entity, somewhere on planet earth? ...
I think this depends on the context that you want to *use* said org object. If you put it in as a standalone and unreferenced database object, I think no vetting takes place.
If you want to tie resources to it that are maintained by the NCC (allocations [PA] or end user assignments [PI]) this needs to go through a NCC ticket, and they want to see paperwork.
In the context of your response, would one or more ASNs count as "resources" which would trigger manditory vetting of the associated ORG?
Or is it only the association of some IP address block that causes NCC to vet the ORG?
Regards, rfg
In message <CAFV686eMtz+rYPwbNZ90N-WhK-Q9auHTkN5AKTXBXvhj_HyQ1w@mail.gmail.com> Jacob Slater <jacob@rezero.org> wrote:
Prior to an ASN or PI space being assigned by the NCC, the NCC goes through and checks the organization info.
Right. Got it. For some value of "checks". What would be the best way for a mere mortal, such as myself, to obtain some elaboration on the meaning of the word "checks" in this context? Not to digress too much from that one question, but to be frank, this whole notion of RIRs "checking" the organizations that they register has puzzled me for some time. Let me explain. In every one of the five regions there are national or local jurisdictions that are well known as corporate "secrecy" jurisdictions. I could easily rattle off the names of several of these for each of the five regions, but I'll spare you all and just assume you are all familiar with their names also. In each of the five regions, there are jurisdictions that allow for so-called "nominee" officers, i.e. people whose names get attached to the corporate registrations but who have neither any ownership of nor any day-to-day control over the operations of the company. In each of the five regions, there are jurisdictions that will not reveal the names of the actual "beneficial owners" of any given corporate entity registered in that jurisdiction, i.e. in the absence of a lawsuit and/or a court order to do so. In each of the five regions, there are jurisdictions that do not even -collect- information about the names of the actual "beneficial owners" of any given corporate entity registered in that jurisdiction. In each of the five regions, there are jurisdictions that DO collect information about the names of the (alleged) "beneficial owners" of each corporate entity registered within that jurisdiction, but where it is well and widely known that nobody ever checks any of this information due to an alleged lack of funding to do so (e.g. UK). In each of the five regions, there are jurisdictions that do not and will not reveal any information about -either- "beneficial owners" or even nominee officers in the absence of a lawsuit and/or a court order to do so. In each of the five regions, there are jurisdictions that do not operate -any- publicly accessible registry list of the corporate entities that -are- in fact legally incorporated in that jurisdiction. In each of the five regions, there are jurisdictions that do not, as a matter of either law or policy, divulge even the nanes of the corporate entities that are duly registered as legal entities within that jurisdiction, let alone any other or additional information about corporate entities, and these jurisdictions will not release even this minimal kind of yes/no, exists / doesn't exist kind of information on cororate entities in the absence of of a lawsuit and/or a court order to do so. In each of the five regions, there are jurisdictions that respect only their own local court rulings while utterly ignoring everyone else's (e.g. Nevis), and some of these jurisdictions go one step further and also make it both exceptrionally difficult and exceptionally expensive for outsiders to avail themselves of whatever passes for "justice" in these jurisdictions. In light of the final two paragraphs above, I am, have been, and remain in a state of ceaseless wonderment when it comes to this notion of RIRs vetting "all" entities that are resource holders in the various regions. The plain facts of the case would logically seem to render even the most minimal kind of *independent* vetting inherently and provably impossible, even in the best of conditions, at least with respect to those corpprate entities that have been formed within one of these maximally discreet corporate secrecy jurisdictions that litter the globe in every region. Am I wrong? Or should I just accept this self-evident logical quandary as yet another one of the eternal, mystical, and insoluable mysteries of the Universe, like what happened before the Big Bang and where single socks go when they somehow escape, apparently of their own volition, from the dryer, never to be seen or heard from again? Regards, rfg
In this context, RIPE's published guidelines on due diligence ( https://www.ripe.net/publications/docs/ripe-700) cover what exactly is checked. From my experience, the guidelines are always enforced as written. As you mention, due to a variety of factors (based primarily on differences in jurisdiction), this process isn't always perfect. I'm sure the NCC deals with at least some of fraudulent activity as a result of the flaws you mention. Unfortunately, short of drastic measures (such as prohibiting certain jurisdictions from requesting resources), I can't see an easy way to improve the current situation. Do you have a suggestion for how the process could be improved? Jacob Slater On Sun, Jul 28, 2019 at 6:59 PM Ronald F. Guilmette via db-wg < db-wg@ripe.net> wrote:
In message < CAFV686eMtz+rYPwbNZ90N-WhK-Q9auHTkN5AKTXBXvhj_HyQ1w@mail.gmail.com> Jacob Slater <jacob@rezero.org> wrote:
Prior to an ASN or PI space being assigned by the NCC, the NCC goes through and checks the organization info.
Right. Got it. For some value of "checks".
What would be the best way for a mere mortal, such as myself, to obtain some elaboration on the meaning of the word "checks" in this context?
Not to digress too much from that one question, but to be frank, this whole notion of RIRs "checking" the organizations that they register has puzzled me for some time. Let me explain.
In every one of the five regions there are national or local jurisdictions that are well known as corporate "secrecy" jurisdictions. I could easily rattle off the names of several of these for each of the five regions, but I'll spare you all and just assume you are all familiar with their names also.
In each of the five regions, there are jurisdictions that allow for so-called "nominee" officers, i.e. people whose names get attached to the corporate registrations but who have neither any ownership of nor any day-to-day control over the operations of the company.
In each of the five regions, there are jurisdictions that will not reveal the names of the actual "beneficial owners" of any given corporate entity registered in that jurisdiction, i.e. in the absence of a lawsuit and/or a court order to do so.
In each of the five regions, there are jurisdictions that do not even -collect- information about the names of the actual "beneficial owners" of any given corporate entity registered in that jurisdiction.
In each of the five regions, there are jurisdictions that DO collect information about the names of the (alleged) "beneficial owners" of each corporate entity registered within that jurisdiction, but where it is well and widely known that nobody ever checks any of this information due to an alleged lack of funding to do so (e.g. UK).
In each of the five regions, there are jurisdictions that do not and will not reveal any information about -either- "beneficial owners" or even nominee officers in the absence of a lawsuit and/or a court order to do so.
In each of the five regions, there are jurisdictions that do not operate -any- publicly accessible registry list of the corporate entities that -are- in fact legally incorporated in that jurisdiction.
In each of the five regions, there are jurisdictions that do not, as a matter of either law or policy, divulge even the nanes of the corporate entities that are duly registered as legal entities within that jurisdiction, let alone any other or additional information about corporate entities, and these jurisdictions will not release even this minimal kind of yes/no, exists / doesn't exist kind of information on cororate entities in the absence of of a lawsuit and/or a court order to do so.
In each of the five regions, there are jurisdictions that respect only their own local court rulings while utterly ignoring everyone else's (e.g. Nevis), and some of these jurisdictions go one step further and also make it both exceptrionally difficult and exceptionally expensive for outsiders to avail themselves of whatever passes for "justice" in these jurisdictions.
In light of the final two paragraphs above, I am, have been, and remain in a state of ceaseless wonderment when it comes to this notion of RIRs vetting "all" entities that are resource holders in the various regions. The plain facts of the case would logically seem to render even the most minimal kind of *independent* vetting inherently and provably impossible, even in the best of conditions, at least with respect to those corpprate entities that have been formed within one of these maximally discreet corporate secrecy jurisdictions that litter the globe in every region.
Am I wrong? Or should I just accept this self-evident logical quandary as yet another one of the eternal, mystical, and insoluable mysteries of the Universe, like what happened before the Big Bang and where single socks go when they somehow escape, apparently of their own volition, from the dryer, never to be seen or heard from again?
Regards, rfg
Jacob Slater via db-wg wrote on 29/07/2019 06:25:
In this context, RIPE's published guidelines on due diligence (https://www.ripe.net/publications/docs/ripe-700) cover what exactly is checked. From my experience, the guidelines are always enforced as written. As you mention, due to a variety of factors (based primarily on differences in jurisdiction), this process isn't always perfect. I'm sure the NCC deals with at least some of fraudulent activity as a result of the flaws you mention. Unfortunately, short of drastic measures (such as prohibiting certain jurisdictions from requesting resources), I can't see an easy way to improve the current situation. Do you have a suggestion for how the process could be improved?
Would it be feasible for the RIPE NCC to add a read-only record to org: objects which provided the date of the last due diligence check? E.g. something like organisation: ORG-FNL99-RIPE org-name: Foo Networks Limited org-type: LIR [...] mnt-ref: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT abuse-c: FOO2000-RIPE created: 2019-01-01T01:01:01Z last-modified: 2019-01-01T01:01:01Z due-diligence: 2019-07-01T12:00:00Z source: RIPE Otherwise it doesn't look like it's easy to heuristically work out whether due diligence has been carried out on a particular object or not. Nick
Hi (please see inline) On Mon, 29 Jul 2019, Nick Hilliard via db-wg wrote:
Jacob Slater via db-wg wrote on 29/07/2019 06:25: (...)
Do you have a suggestion for how the process could be improved?
Perhaps excluding jurisdictions *outside* the RIPE NCC service region, where company related data *can't* be verified by the RIPE NCC.
Would it be feasible for the RIPE NCC to add a read-only record to org: objects which provided the date of the last due diligence check? E.g. something like
organisation: ORG-FNL99-RIPE org-name: Foo Networks Limited org-type: LIR [...] mnt-ref: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT abuse-c: FOO2000-RIPE created: 2019-01-01T01:01:01Z last-modified: 2019-01-01T01:01:01Z due-diligence: 2019-07-01T12:00:00Z source: RIPE
Otherwise it doesn't look like it's easy to heuristically work out whether due diligence has been carried out on a particular object or not.
If this is feasible, it really sounds like a good idea to me! Cheers, Carlos
Nick
On 29 Jul 2019, at 12:02, Carlos Friaças <cfriacas@fccn.pt> wrote:
Perhaps excluding jurisdictions *outside* the RIPE NCC service region, where company related data *can't* be verified by the RIPE NCC.
The RIPE NCC doesn’t claim verification. It only states due diligence. Nick
On Mon, 29 Jul 2019, Nick Hilliard wrote:
On 29 Jul 2019, at 12:02, Carlos Friaças <cfriacas@fccn.pt> wrote:
Perhaps excluding jurisdictions *outside* the RIPE NCC service region, where company related data *can't* be verified by the RIPE NCC.
The RIPE NCC doesn?t claim verification. It only states due diligence.
To clarify: that was the spirit of my phrase... It should read ", where company related data *can't* be subject to due diligence by the RIPE NCC." :-)) Carlos
Nick
In message <B83C8F8C-C5C3-4AAA-B00F-07EA193AB943@foobar.org>, Nick Hilliard via db-wg <db-wg@ripe.net> wrote:
On 29 Jul 2019, at 12:02, Carlos Fria=C3=A7as <cfriacas@fccn.pt> wrote:
Perhaps excluding jurisdictions *outside* the RIPE NCC service region, where company related data *can't* be verified by the RIPE NCC.
The RIPE NCC doesn't claim verification. It only states due diligence.
For some reason, the above comment reminds me of this very old and tired joke: MAN: "Doctor, doctor! What's wrong with me?" DOCTOR: "Well, you evidently have a broken leg." MAN: "I want a second opinion!" DOCTOR: "OK. Also, you're an idiot." Sounds like due diligence of the doctor's part to me! :-) But seriously, one man's due diligence may be another man's slipshod pantomime. And it is not clear, to me at least, what the precise meaning of "due diligence" is in the context of RIPE NCC and the parties it is alleged to "vet". Traditionally, the term "due diligence" is used in the business world to denote an investigation relating to a merger or acqusition. And it involves, quite certainly, a detailed examination of all financial and bank records. I rather doubt that RIPE NCC ever undertakes any such invasive interrogations of any parties that are just trying to get some number resources. So in this context, "due diligence" must have some rather different meaning, and NOT it's traditional meaning from the world of mergers and acqusitions. What that meaning actually is, and or what it should be, in this context, is something that I personally think could benefit from some more detailed elaboration than what currently seems to be publicly available. But that's just my opinion. Regards, rfg
Hi Ronald I have followed this whole discussion and it seems to be going round in circles. You have made a valid point, but the whole discussion seems to be focusing on the negative. Some people have referred you to a number of published documents about the due diligence process carried out by the RIPE NCC. It has been stated that, whilst it does not guarantee to perfectly vet all details, due diligence is a best effort. We have reached a point in this discussion where perhaps you could read the suggested documents and if you believe there is something more than can be done realistically, practically and legally then please make a proposal for improving the RIPE NCC's due diligence process. Then we can turn this discussion into something more positive. cheersdenis co-chair DB-WG On Monday, 29 July 2019, 23:14:51 CEST, Ronald F. Guilmette via db-wg <db-wg@ripe.net> wrote: In message <B83C8F8C-C5C3-4AAA-B00F-07EA193AB943@foobar.org>, Nick Hilliard via db-wg <db-wg@ripe.net> wrote:
On 29 Jul 2019, at 12:02, Carlos Fria=C3=A7as <cfriacas@fccn.pt> wrote:
Perhaps excluding jurisdictions *outside* the RIPE NCC service region, where company related data *can't* be verified by the RIPE NCC.
The RIPE NCC doesn't claim verification. It only states due diligence.
For some reason, the above comment reminds me of this very old and tired joke: MAN: "Doctor, doctor! What's wrong with me?" DOCTOR: "Well, you evidently have a broken leg." MAN: "I want a second opinion!" DOCTOR: "OK. Also, you're an idiot." Sounds like due diligence of the doctor's part to me! :-) But seriously, one man's due diligence may be another man's slipshod pantomime. And it is not clear, to me at least, what the precise meaning of "due diligence" is in the context of RIPE NCC and the parties it is alleged to "vet". Traditionally, the term "due diligence" is used in the business world to denote an investigation relating to a merger or acqusition. And it involves, quite certainly, a detailed examination of all financial and bank records. I rather doubt that RIPE NCC ever undertakes any such invasive interrogations of any parties that are just trying to get some number resources. So in this context, "due diligence" must have some rather different meaning, and NOT it's traditional meaning from the world of mergers and acqusitions. What that meaning actually is, and or what it should be, in this context, is something that I personally think could benefit from some more detailed elaboration than what currently seems to be publicly available. But that's just my opinion. Regards, rfg
[ off list ] first, we are chasing an arin troll down a rabbit hole
organisation: ORG-FNL99-RIPE org-name: Foo Networks Limited org-type: LIR [...] mnt-ref: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT abuse-c: FOO2000-RIPE created: 2019-01-01T01:01:01Z last-modified: 2019-01-01T01:01:01Z due-diligence: 2019-07-01T12:00:00Z source: RIPE
i am not speaking for or against, as i do not understand what the threat model is. randy
In message <m27e8028bw.wl-randy@psg.com>, Randy Bush via db-wg <db-wg@ripe.net> wrote:
Randy Bush via db-wg wrote:
[ off list ] sigh apologies
do note that i replied to a message where the From: header had been *illegally* mangled by the mail exploder.
No worries mate! I for one always find it enlightening to read or hear people's actual and unfiltered opinons, as expressed in unguarded moments. For those of you woh can't get enough of this stuff... https://bit.ly/2MjtLf4 Regards, rfg
Randy Bush via db-wg wrote on 29/07/2019 14:40:
i am not speaking for or against, as i do not understand what the threat model is.
the idea is that some org objects are created by users and inserted into the ripe database while others are subject to due diligence by the ripe ncc. I.e. there's a qualitative difference in data quality between the two, but there is no way of distinguishing between them. There are ways of flagging whether this process was carried out. One option would be to use a binary flag. Another would be to implement a datestamp for the last due diligence process carried out if it's not been set by the NCC. Lack of data could be flagged by either the absence of the parameter or else use 0000-00-00T00:00:00Z. Nick
the idea is that some org objects are created by users and inserted into the ripe database while others are subject to due diligence by the ripe ncc. I.e. there's a qualitative difference in data quality between the two, but there is no way of distinguishing between them.
aha! ok. i buy that.
There are ways of flagging whether this process was carried out. One option would be to use a binary flag. Another would be to implement a datestamp for the last due diligence process carried out if it's not been set by the NCC. Lack of data could be flagged by either the absence of the parameter or else use 0000-00-00T00:00:00Z.
less sure here. i can see wanting to differentiate between the two classes of objects. not sure i care when they were last separated. unless you expect things to change in time. randy
While this is not ideal as it is only available via the web interface (afaik) it is still somewhat possible to see what the RIPE NCC has looked at as can be seen here https://i.imgur.com/BUEqB9J.png I can not edit the RIPE NCC Managed values. - Cynthia On Mon, Jul 29, 2019 at 5:32 PM Randy Bush via db-wg <db-wg@ripe.net> wrote:
the idea is that some org objects are created by users and inserted into the ripe database while others are subject to due diligence by the ripe ncc. I.e. there's a qualitative difference in data quality between the two, but there is no way of distinguishing between them.
aha! ok. i buy that.
There are ways of flagging whether this process was carried out. One option would be to use a binary flag. Another would be to implement a datestamp for the last due diligence process carried out if it's not been set by the NCC. Lack of data could be flagged by either the absence of the parameter or else use 0000-00-00T00:00:00Z.
less sure here. i can see wanting to differentiate between the two classes of objects. not sure i care when they were last separated. unless you expect things to change in time.
randy
There are ways of flagging whether this process was carried out. One option would be to use a binary flag. Another would be to implement a datestamp for the last due diligence process carried out if it's not been set by the NCC. Lack of data could be flagged by either the absence of the parameter or else use 0000-00-00T00:00:00Z.
less sure here. i can see wanting to differentiate between the two classes of objects. not sure i care when they were last separated. unless you expect things to change in time.
if you have a better suggestion, go for it. My concern is mainly about having a deterministic way of figuring out which org objects have been subjected to due diligence and which haven't. Nick
HI Nick The ORGANISATION object has an "org-type:" attribute. Most ORGANISATION objects have a value of either 'LIR' or 'OTHER'. If it is 'LIR' that ORGANISATION object was created by the RIPE NCC for a resource holder and has been through the due diligence process. If it is type 'OTHER' it was not created by the RIPE NCC and will not have been subjected to any due diligence checks by the RIPE NCC. So I think the 'binary flag' you suggested already exists. cheersdenis co-chair DB-WG On Monday, 29 July 2019, 19:40:47 CEST, Nick Hilliard via db-wg <db-wg@ripe.net> wrote:
There are ways of flagging whether this process was carried out. One option would be to use a binary flag. Another would be to implement a datestamp for the last due diligence process carried out if it's not been set by the NCC. Lack of data could be flagged by either the absence of the parameter or else use 0000-00-00T00:00:00Z.
less sure here. i can see wanting to differentiate between the two classes of objects. not sure i care when they were last separated. unless you expect things to change in time.
if you have a better suggestion, go for it. My concern is mainly about having a deterministic way of figuring out which org objects have been subjected to due diligence and which haven't. Nick
it is type 'OTHER' it was not created by the RIPE NCC and will not have been subjected to any due diligence checks by the RIPE NCC.
'OTHER' objects which receive direct assignments from the NCC (PI IP space or ASNs) are still subjected to due diligence checks (though only at the time of assignment). I'd still argue the flag exists - search for 'ASSIGNED PI' (on IP space) or 'ASSIGNED (on ASNs) with the associated ORG object to see if any exist. Not exactly (currently) straight forward but it is still definitely doable. Jacob Slater On Wed, Jul 31, 2019 at 6:31 PM ripedenis--- via db-wg <db-wg@ripe.net> wrote:
HI Nick
The ORGANISATION object has an "org-type:" attribute. Most ORGANISATION objects have a value of either 'LIR' or 'OTHER'. If it is 'LIR' that ORGANISATION object was created by the RIPE NCC for a resource holder and has been through the due diligence process. If it is type 'OTHER' it was not created by the RIPE NCC and will not have been subjected to any due diligence checks by the RIPE NCC. So I think the 'binary flag' you suggested already exists.
cheers denis
co-chair DB-WG
On Monday, 29 July 2019, 19:40:47 CEST, Nick Hilliard via db-wg < db-wg@ripe.net> wrote:
There are ways of flagging whether this process was carried out. One option would be to use a binary flag. Another would be to implement a datestamp for the last due diligence process carried out if it's not been set by the NCC. Lack of data could be flagged by either the absence of the parameter or else use 0000-00-00T00:00:00Z.
less sure here. i can see wanting to differentiate between the two classes of objects. not sure i care when they were last separated. unless you expect things to change in time.
if you have a better suggestion, go for it. My concern is mainly about having a deterministic way of figuring out which org objects have been subjected to due diligence and which haven't.
Nick
In message <CAFV686cfOKP_FseWgFhV2CnHr3pgf-eS36BVXfXfZpn0eKpRjA@mail.gmail.com> Jacob Slater <jacob@rezero.org> wrote:
'OTHER' objects which receive direct assignments from the NCC (PI IP space or ASNs) are still subjected to due diligence checks (though only at the time of assignment).
Just curious.... Is that rule written down anyplace where I could look at it? Is it in some published procedure or policy manual someplace?
Hi Jacob Yes you are right. The RIPE NCC can correct me if I am not entirely correct here :) I believe, if an ORGANISATION object is referenced by a resource object (even if it is "org-type: OTHER") then some attributes in the ORGANISATION object will be locked. These, including the "org-name:", cannot be changed by the resource holder. This can be seen if you query the object in Webupdates, but I am not sure if there is a programatic way of checking this. Or you could do an inverse query on an ORGANISATION object and if any resource objects are returned (allocations, ASSIGNED PI or ASNs) then you know this ORGANISATION object was subject to due diligence. Again not easy but programatically doable. cheersdenis co-chair DB-WG On Thursday, 1 August 2019, 03:37:23 CEST, Jacob Slater <jacob@rezero.org> wrote: it is type 'OTHER' it was not created by the RIPE NCC and will not have been subjected to any due diligence checks by the RIPE NCC. 'OTHER' objects which receive direct assignments from the NCC (PI IP space or ASNs) are still subjected to due diligence checks (though only at the time of assignment). I'd still argue the flag exists - search for 'ASSIGNED PI' (on IP space) or 'ASSIGNED (on ASNs) with the associated ORG object to see if any exist. Not exactly (currently) straight forward but it is still definitely doable. Jacob Slater On Wed, Jul 31, 2019 at 6:31 PM ripedenis--- via db-wg <db-wg@ripe.net> wrote: HI Nick The ORGANISATION object has an "org-type:" attribute. Most ORGANISATION objects have a value of either 'LIR' or 'OTHER'. If it is 'LIR' that ORGANISATION object was created by the RIPE NCC for a resource holder and has been through the due diligence process. If it is type 'OTHER' it was not created by the RIPE NCC and will not have been subjected to any due diligence checks by the RIPE NCC. So I think the 'binary flag' you suggested already exists. cheersdenis co-chair DB-WG On Monday, 29 July 2019, 19:40:47 CEST, Nick Hilliard via db-wg <db-wg@ripe.net> wrote:
There are ways of flagging whether this process was carried out. One option would be to use a binary flag. Another would be to implement a datestamp for the last due diligence process carried out if it's not been set by the NCC. Lack of data could be flagged by either the absence of the parameter or else use 0000-00-00T00:00:00Z.
less sure here. i can see wanting to differentiate between the two classes of objects. not sure i care when they were last separated. unless you expect things to change in time.
if you have a better suggestion, go for it. My concern is mainly about having a deterministic way of figuring out which org objects have been subjected to due diligence and which haven't. Nick
Hi Denis, The RIPE NCC considers an object "co-maintained" if it has both a user maintainer and a RIPE NCC maintainer. This is how we determine whether an object has "managed" attributes, which are highlighted in blue in the web application query response. If an ORGANISATION object is co-maintained with the RIPE NCC, the user is not able to change the highlighted values (e.g. “name:”) or remove the object from any RIPE NCC-allocated resources it is associated with. The user is also not able to add/remove the RIPE NCC maintainer from objects. More information on the highlighted values is available here: https://www.ripe.net/manage-ips-and-asns/db/support/highlighted-values-in-th... <https://www.ripe.net/manage-ips-and-asns/db/support/highlighted-values-in-the-ripe-database> Kind regards, Thiago da Cruz
On 1 Aug 2019, at 04:34, ripedenis--- via db-wg <db-wg@ripe.net> wrote:
Hi Jacob
Yes you are right. The RIPE NCC can correct me if I am not entirely correct here :) I believe, if an ORGANISATION object is referenced by a resource object (even if it is "org-type: OTHER") then some attributes in the ORGANISATION object will be locked. These, including the "org-name:", cannot be changed by the resource holder. This can be seen if you query the object in Webupdates, but I am not sure if there is a programatic way of checking this.
Or you could do an inverse query on an ORGANISATION object and if any resource objects are returned (allocations, ASSIGNED PI or ASNs) then you know this ORGANISATION object was subject to due diligence. Again not easy but programatically doable.
cheers denis
co-chair DB-WG
On Thursday, 1 August 2019, 03:37:23 CEST, Jacob Slater <jacob@rezero.org> wrote:
it is type 'OTHER' it was not created by the RIPE NCC and will not have been subjected to any due diligence checks by the RIPE NCC. 'OTHER' objects which receive direct assignments from the NCC (PI IP space or ASNs) are still subjected to due diligence checks (though only at the time of assignment). I'd still argue the flag exists - search for 'ASSIGNED PI' (on IP space) or 'ASSIGNED (on ASNs) with the associated ORG object to see if any exist. Not exactly (currently) straight forward but it is still definitely doable.
Jacob Slater
On Wed, Jul 31, 2019 at 6:31 PM ripedenis--- via db-wg <db-wg@ripe.net <mailto:db-wg@ripe.net>> wrote: HI Nick
The ORGANISATION object has an "org-type:" attribute. Most ORGANISATION objects have a value of either 'LIR' or 'OTHER'. If it is 'LIR' that ORGANISATION object was created by the RIPE NCC for a resource holder and has been through the due diligence process. If it is type 'OTHER' it was not created by the RIPE NCC and will not have been subjected to any due diligence checks by the RIPE NCC. So I think the 'binary flag' you suggested already exists.
cheers denis
co-chair DB-WG
On Monday, 29 July 2019, 19:40:47 CEST, Nick Hilliard via db-wg <db-wg@ripe.net <mailto:db-wg@ripe.net>> wrote:
There are ways of flagging whether this process was carried out. One option would be to use a binary flag. Another would be to implement a datestamp for the last due diligence process carried out if it's not been set by the NCC. Lack of data could be flagged by either the absence of the parameter or else use 0000-00-00T00:00:00Z.
less sure here. i can see wanting to differentiate between the two classes of objects. not sure i care when they were last separated. unless you expect things to change in time.
if you have a better suggestion, go for it. My concern is mainly about having a deterministic way of figuring out which org objects have been subjected to due diligence and which haven't.
Nick
In message <1430641036.4536872.1564623019201@mail.yahoo.com>, ripedenis--- via db-wg <db-wg@ripe.net> wrote:
If it is type 'OTHER' it was not created by the RIPE NCC and will not have been subjected to any due diligence checks by the RIPE NCC...
May "OTHER" organizations ever be issued number resources directly from NCC?
In message <c59c9c14-521e-e7f8-fb9f-51a1dcb3f757@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
Would it be feasible for the RIPE NCC to add a read-only record to org: objects which provided the date of the last due diligence check? E.g. something like
organisation: ORG-FNL99-RIPE org-name: Foo Networks Limited org-type: LIR [...] mnt-ref: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT abuse-c: FOO2000-RIPE created: 2019-01-01T01:01:01Z last-modified: 2019-01-01T01:01:01Z due-diligence: 2019-07-01T12:00:00Z source: RIPE
Otherwise it doesn't look like it's easy to heuristically work out whether due diligence has been carried out on a particular object or not.
I can't answer Nick's question, but I did just want to offer my take on this. Personally, my own inference/assumption when looking at records like the one above is that "vetting", however that is defined, took place on this ORG on or about the created: date and NEVER thereafter. This seems to be the way things are done in the ARIN region, as I learned the hard way. I made a fool out of myself awhile back on the ARIN Public Policy Mailing List (PPML) when I endlessly harangued John Curran (ARIN CEO) about how it came to pass that one tricky scoundrel (whose primary business name was/is "Micfo") somehow managed to create a lot of companies, each of which was... according to the relevant WHOIS records... located in a different U.S. state within which each such company had NEVER been registered. So, as I learned, according to Curran, at the time these different (fradulent) companies were initially granted (IPv4) resources, they -were- each vetted to make sure that they each existed and that they each were registered in the states they claimed to be in AT THAT TIME. If I understood Curran correctly, sometime AFTER that the WHOIS records for each of the IPv4 allocations that had been granted to each of these fake corporate entities has been FIDDLED (by the crook at the heart of this matter) to make it appear that the entities themselves were located in and/or operating in various other states where in fact, they had neither any operations nor any actual legal existance in those states. ARIN does NOT vet any of the changes that a registrant may make to his/her/its own pre-existing WHOIS records. I believe that is an accurate characterization of what Curran said on the PPML. If ARIN doesn't vet WHOIS -modifications- then I rather doubt that RIPE does so. So, except in very rare cases, I would assume that the "last vetting date" for any given RIPE WHOIS record is going to be approximately equal to the created: date. Regards, rfg
Hi Ronald "If ARIN doesn't vet WHOIS -modifications- then I rather doubt that RIPEdoes so." I think it is a little presumptuous to think if America doesn't do something then no one does it :) Whilst changes to whois records in the RIPE Database are not all monitored there are some parts of some objects that users cannot change. One of these is the "org-name:" attribute in the ORGANISATION object for resource holders. It is possible for the user to change the address in the ORGANISATION object. But if the address shown in the public RIPE Database no longer matches the address details held by the RIPE Registry then I am sure it would be questioned during an Assisted Registry Check, which is periodically conducted by the RIPE NCC. cheersdenis co-chair DB-WG On Monday, 29 July 2019, 22:52:02 CEST, Ronald F. Guilmette via db-wg <db-wg@ripe.net> wrote: In message <c59c9c14-521e-e7f8-fb9f-51a1dcb3f757@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
Would it be feasible for the RIPE NCC to add a read-only record to org: objects which provided the date of the last due diligence check? E.g. something like
organisation: ORG-FNL99-RIPE org-name: Foo Networks Limited org-type: LIR [...] mnt-ref: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT abuse-c: FOO2000-RIPE created: 2019-01-01T01:01:01Z last-modified: 2019-01-01T01:01:01Z due-diligence: 2019-07-01T12:00:00Z source: RIPE
Otherwise it doesn't look like it's easy to heuristically work out whether due diligence has been carried out on a particular object or not.
I can't answer Nick's question, but I did just want to offer my take on this. Personally, my own inference/assumption when looking at records like the one above is that "vetting", however that is defined, took place on this ORG on or about the created: date and NEVER thereafter. This seems to be the way things are done in the ARIN region, as I learned the hard way. I made a fool out of myself awhile back on the ARIN Public Policy Mailing List (PPML) when I endlessly harangued John Curran (ARIN CEO) about how it came to pass that one tricky scoundrel (whose primary business name was/is "Micfo") somehow managed to create a lot of companies, each of which was... according to the relevant WHOIS records... located in a different U.S. state within which each such company had NEVER been registered. So, as I learned, according to Curran, at the time these different (fradulent) companies were initially granted (IPv4) resources, they -were- each vetted to make sure that they each existed and that they each were registered in the states they claimed to be in AT THAT TIME. If I understood Curran correctly, sometime AFTER that the WHOIS records for each of the IPv4 allocations that had been granted to each of these fake corporate entities has been FIDDLED (by the crook at the heart of this matter) to make it appear that the entities themselves were located in and/or operating in various other states where in fact, they had neither any operations nor any actual legal existance in those states. ARIN does NOT vet any of the changes that a registrant may make to his/her/its own pre-existing WHOIS records. I believe that is an accurate characterization of what Curran said on the PPML. If ARIN doesn't vet WHOIS -modifications- then I rather doubt that RIPE does so. So, except in very rare cases, I would assume that the "last vetting date" for any given RIPE WHOIS record is going to be approximately equal to the created: date. Regards, rfg
In message <CAFV686cXFY63mHQ0H0xutLtcrzDxFjN1_F0=16PVRfZeSdFsZw@mail.gmail.com> Jacob Slater <jacob@rezero.org> wrote:
In this context, RIPE's published guidelines on due diligence ( https://www.ripe.net/publications/docs/ripe-700) cover what exactly is checked. From my experience, the guidelines are always enforced as written.
Thank you for the link! I was unware of that. In that document section 1.1 (a) seem to the one one and only section relevant to my question: a. Proof of establishment/registration Normally, proof of establishment of a legal person can be registration with the national authorities (e.g., a recent extract from the Commercial Trade Register or equivalent document proving registration with the national authorities). When this is not available, other proof of establishment may be required (e.g., the law according to which the legal person was established). That last sentence is quite obviously an attempt... and a rather feeble one, in my personal estimation... to cleverly dance around the exact inconvenient question that I raised. "When this is not available..." Yes. When the entity -claims- to be incorporated in Malta, or Cyprus, or Liechtenstein, or Gurnesy, or the Isle of Man, or... then what happens, exactly? This is not strictly an academic question, or one that I am asking just for the sake of my health. The answer... if a truthful one might ever be successfully extracted from either NCC or the membership or the community... has Real World practical implications. Where, how, and from whom can I get an actual answer about what -actually- happens in such cases? Is there some secret procedure manual, burried on some obscure shelf somewhere within NCC that explains the procedure?
As you mention, due to a variety of factors (based primarily on differences in jurisdiction), this process isn't always perfect. I'm sure the NCC deals with at least some of fraudulent activity as a result of the flaws you mention.
You refer to this as a "flaw". That terminology, it seems to me, may perhaps inadvertantly give some the false impression that this glaring problem is akin to the tiny spec of dust that ruins an otherwise perfectly good diamond. I however view it more along the lines of a self-evident and *major* design flaw, rather like the problematic rubber O-Rings that caused the destruction of the Space Shuttle Challenger. I guess it all depends on one's point of view.
Unfortunately, short of drastic measures (such as prohibiting certain jurisdictions from requesting resources), I can't see an easy way to improve the current situation. Do you have a suggestion for how the process could be improved?
I do. Or rather I should say, I would. However it would be presumptive and inapproporaie of me, as a non-European -and- a non-member to propose any solution, and least of all, on this particular mailing list, where any such propoal would quite certainly be out of order and off-topic. More to the point however, I haver no firm reason to believe that anyone other than your's truly even has a serious concern about this self-evident and gaping hold in what passes for "vetting" in the RIPE region. If noone other than me is at all concerned, then the liklihood of there ever being any change in procedure or policy must surely approach zero. I would however appreciate it if RIPE, NCC, the membership, and the community would discontinue the current practice of papering over this problem, pretending that it does not exist, or that it doesn't make a mockery of any and all pretenses of "vetting". I don't know how people in Europe feel, generally, about airport security, but where I am from it is widely derided as amounting to little more than "security theater" in practice. (Google for "beedoop machine".) I'm sorry to have to say it, but this notion of organization vetting in the RIPE region is so evidently riddled with loopholes that I personally feel that it is deserving of the same derision. Regards, rfg
Ronald F. Guilmette via db-wg wrote on 29/07/2019 18:39:
In that document section 1.1 (a) seem to the one one and only section relevant to my question:
a. Proof of establishment/registration
Normally, proof of establishment of a legal person can be registration with the national authorities (e.g., a recent extract from the Commercial Trade Register or equivalent document proving registration with the national authorities). When this is not available, other proof of establishment may be required (e.g., the law according to which the legal person was established).
That last sentence is quite obviously an attempt... and a rather feeble one, in my personal estimation... to cleverly dance around the exact inconvenient question that I raised. "When this is not available..." Yes. When the entity -claims- to be incorporated in Malta, or Cyprus, or Liechtenstein, or Gurnesy, or the Isle of Man, or... then what happens, exactly?
what happens, exactly, is what happens for an organisation from any other country: the entity is required to provide registration documents from legal authorities in those countries. This is usually checked against live online registers and usually requires back-up documentation such as Letters of Good Standing from legal authorities. As the countries that you mention have actual legal frameworks for handling things like this, all will have appropriate authorities which can issue enough identification documentation for the RIPE NCC to carry out due diligence on the organisation in question. Note that "due diligence" is about exercising a reasonable degree of care. It's not about guaranteeing something 100%, because that isn't possible in practice. The "When this is not available" bit is used for organisations which don't have entries in trade registers, etc. So for example, ORG-IG30-RIPE (The Irish Government) won't have an entry in the local companies registry or a company number, or some other registration entry with a national authorities - because it _is_ the national authority. There are lots of these outlier cases which is why the RIPE NCC provides a reasonable workaround for organisations or legal persons which don't fit into the usual buckets.
I'm sorry to have to say it, but this notion of organization vetting in the RIPE region is so evidently riddled with loopholes that I personally feel that it is deserving of the same derision.
If you're going to cast aspersions at the ripe ncc, please do yourself a favour and back them up with evidence rather than supposition and misunderstanding. Also, the RIPE NCC has lots of documentation. You could learn about how it operates by reading some of it. Nick
In message <d0b4503a-0a80-3eed-bbb1-9ec26e2deb7c@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
Ronald F. Guilmette via db-wg wrote on 29/07/2019 18:39:
In that document section 1.1 (a) seem to the one one and only section relevant to my question:
a. Proof of establishment/registration
Normally, proof of establishment of a legal person can be registration with the national authorities (e.g., a recent extract from the Commercial Trade Register or equivalent document proving registration with the national authorities). When this is not available, other proof of establishment may be required (e.g., the law according to which the legal person was established).
That last sentence is quite obviously an attempt... and a rather feeble one, in my personal estimation... to cleverly dance around the exact inconvenient question that I raised. "When this is not available..." Yes. When the entity -claims- to be incorporated in Malta, or Cyprus, or Liechtenstein, or Gurnesy, or the Isle of Man, or... then what happens, exactly?
what happens, exactly, is what happens for an organisation from any other country: the entity is required to provide registration documents from legal authorities in those countries.
Which can easily be forged.
This is usually checked against live online registers...
Which, as I've already noted, simply do not exist for *many* countries in the RIPE region.
and usually requires back-up documentation such as Letters of Good Standing from legal authorities.
Which can also be trivially forged.
As the countries that you mention have actual legal frameworks for handling things like this, all will have appropriate authorities which can issue enough identification documentation for the RIPE NCC to carry out due diligence on the organisation in question.
Yes. But how many will TRANSMIT such documents, upon request, direct from themselves to *any* non-LE requestor? Does RIPE NCC have its own MLATs (Mutual Legal Assistance Treaties) with nations in the RIPE region that routinely refuse informational requests from most other mere mortals? (If so, I'd like to inform the Vatican. I do believe that they would like to get on the privilege list also.)
Note that "due diligence" is about exercising a reasonable degree of care. It's not about guaranteeing something 100%, because that isn't possible in practice.
It is self-evident from the facts I've already posted that RIPE NCC -cannot- say with any certainty that XYZ, while -claiming- to be incorporated in one of these corporate secrecy jurisdictions, is in fact incorporated in that place. So you need not have stated the obvious, which is that RIPE NCC actually cannot and does not do the kind of verifications of corporate identities that would be routine in, say, a corporate merger or acqusition. As regards to your assertion that NCC nontheless exercises a "reasonable degree of care", I can only say that one man's "reasonable" is another man's ridiculous silliness, and we certainly have no commonly accepted yardstick to judge "reasonableness" in this context. (I will endeavor in the near future to provide at least one concrete example where we can compare views on what isn't and isn't reasonable in this context.)
I'm sorry to have to say it, but this notion of organization vetting in the RIPE region is so evidently riddled with loopholes that I personally feel that it is deserving of the same derision.
If you're going to cast aspersions at the ripe ncc, please do yourself a favour and back them up with evidence rather than supposition and misunderstanding.
I have not cast -any- aspersion. I have stated facts. Are you disagreeing with my assertion that there are national and/or local jurisdictions within the RIPE service region where there either is no national corpoprate registry in the normal sense and/or where there is one, but where nobody other than law enforcement may obtain any useful or meaningful data from it such as the names of actual directors? If so, it seems that some folks, at least, might agree more with me than with you on this point: http://registries.opencorporates.com/jurisdiction/at http://registries.opencorporates.com/jurisdiction/cy http://registries.opencorporates.com/jurisdiction/fi http://registries.opencorporates.com/jurisdiction/de http://registries.opencorporates.com/jurisdiction/gi http://registries.opencorporates.com/jurisdiction/gr http://registries.opencorporates.com/jurisdiction/gg http://registries.opencorporates.com/jurisdiction/hu http://registries.opencorporates.com/jurisdiction/is http://registries.opencorporates.com/jurisdiction/ir http://registries.opencorporates.com/jurisdiction/iq http://registries.opencorporates.com/jurisdiction/ie http://registries.opencorporates.com/jurisdiction/im http://registries.opencorporates.com/jurisdiction/it http://registries.opencorporates.com/jurisdiction/je http://registries.opencorporates.com/jurisdiction/jo http://registries.opencorporates.com/jurisdiction/kz http://registries.opencorporates.com/jurisdiction/xk http://registries.opencorporates.com/jurisdiction/kw http://registries.opencorporates.com/jurisdiction/kg http://registries.opencorporates.com/jurisdiction/lb http://registries.opencorporates.com/jurisdiction/li http://registries.opencorporates.com/jurisdiction/lt http://registries.opencorporates.com/jurisdiction/lu http://registries.opencorporates.com/jurisdiction/mk http://registries.opencorporates.com/jurisdiction/mt http://registries.opencorporates.com/jurisdiction/me http://registries.opencorporates.com/jurisdiction/nl http://registries.opencorporates.com/jurisdiction/pl http://registries.opencorporates.com/jurisdiction/pt http://registries.opencorporates.com/jurisdiction/qa http://registries.opencorporates.com/jurisdiction/sm http://registries.opencorporates.com/jurisdiction/sa http://registries.opencorporates.com/jurisdiction/es http://registries.opencorporates.com/jurisdiction/ch http://registries.opencorporates.com/jurisdiction/sy http://registries.opencorporates.com/jurisdiction/tj http://registries.opencorporates.com/jurisdiction/tr http://registries.opencorporates.com/jurisdiction/average_ae http://registries.opencorporates.com/jurisdiction/uz http://registries.opencorporates.com/jurisdiction/ps I say again, I have cast no aspersion upon either NCC nor anyone else. I have merely offered the observation that NCC simply -cannot- check out the legitimacy of corporate entities -or- any people claiming to represent thozse entities in cases where the host countries simply do not support that functionality. To put it another way, would you likewise accuse me of "casting aspersions" on you if I were to say that you would likely be unsuccessful if you tried to milk a bull? Or would I just be stating a rather obvious fact in that case? This kind of comment is not a reflection on the parties involved. It is instead just a rather obvious observation about the difference between the possible and the impossible. Regards, rfg
Ronald F. Guilmette via db-wg wrote on 30/07/2019 05:11:
Which can easily be forged.
Ron, Yes, obviously. Everything which can be created can also be forged. This includes company registration documentation with national legal authorities. I.e. national registration authorities are well known to have junk data in their registration databases, for example:
https://qz.com/1250047/pavel-durovs-fake-telgeram-case-shows-its-terrifyingl...
"Due diligence" is about carrying out a reasonable duty of care, not about making a canonical legally binding judgement on a binary issue.
Does RIPE NCC have its own MLATs (Mutual Legal Assistance Treaties) with nations in the RIPE region that routinely refuse informational requests from most other mere mortals?
No, obviously not. MLATs are bilateral international treaties between countries. Nick
Hi, On Sun, Jul 28, 2019 at 04:27:04PM -0700, Ronald F. Guilmette via db-wg wrote:
I think this depends on the context that you want to *use* said org object. If you put it in as a standalone and unreferenced database object, I think no vetting takes place.
If you want to tie resources to it that are maintained by the NCC (allocations [PA] or end user assignments [PI]) this needs to go through a NCC ticket, and they want to see paperwork.
In the context of your response, would one or more ASNs count as "resources" which would trigger manditory vetting of the associated ORG?
Or is it only the association of some IP address block that causes NCC to vet the ORG?
I'd assume that an AS would be handled the same as a PI block - you (the LIR who acts as contact between end user and NCC) need to present a contract with the end user, and company registration papers for said end user. The org object would then need to match the paperwork (name, address). At least this has always been my experience when we had to clean up end user resources (company name changes, change of sponsoring LIR, etc.) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On Mon, Jul 29, 2019 at 07:39:05AM +0200, Gert Doering via db-wg wrote:
In the context of your response, would one or more ASNs count as "resources" which would trigger manditory vetting of the associated ORG?
Or is it only the association of some IP address block that causes NCC to vet the ORG?
I'd assume that an AS would be handled the same as a PI block - you (the LIR who acts as contact between end user and NCC) need to present a contract with the end user, and company registration papers for said end user. The org object would then need to match the paperwork (name, address).
At least this has always been my experience when we had to clean up end user resources (company name changes, change of sponsoring LIR, etc.)
In the context of RIPE DB one should not forget about aut-num's with either OTHER or LEGACY status or with the RIPE-NONAUTH source. Only around 10% of the latter do have organisation object linked. Those ones were most likely never vetted. Piotr -- Piotr Strzyżewski Silesian University of Technology, Computer Centre Gliwice, Poland
In message <20190729064352.GB31298@hydra.ck.polsl.pl>, Piotr Strzyzewski <Piotr.Strzyzewski@polsl.pl> wrote:
In the context of RIPE DB one should not forget about aut-num's with either OTHER or LEGACY status or with the RIPE-NONAUTH source. Only around 10% of the latter do have organisation object linked. Those ones were most likely never vetted.
ACK My questions were only about "normal" recent stuff, not LEGACY or OTHER. Regards, rfg
participants (10)
-
Carlos Friaças
-
Cynthia Revström
-
Gert Doering
-
Jacob Slater
-
Nick Hilliard
-
Piotr Strzyzewski
-
Randy Bush
-
ripedenis@yahoo.co.uk
-
Ronald F. Guilmette
-
Thiago da Cruz