massimocandela / geofeed-finder

Utility to find geofeed files linked from rpsl.
BSD 3-Clause "New" or "Revised" License

Some ARIN NetRange not showing up #4

Closed edugas closed 3 years ago

edugas commented 4 years ago

I ran the binary for ARIN to validate the NetRanges for both AS1403 (as1403.net) and AS14086 (qix.ca) and there are a few missing.

edugas@noc:~$ ./geofeed-finder-linux-x64 -i arin
Using ARIN cached whois data
2606:6d00:0:0:0:0:0:0/32 https://as1403.net/geofeed.csv [cache]
206.126.112.0/24 https://qix.ca/geofeed.csv [cache]
199.58.248.0/22 https://as1403.net/geofeed.csv [cache]
198.58.128.0/17 https://as1403.net/geofeed.csv [cache]
198.16.128.0/17 https://as1403.net/geofeed.csv [cache]
192.222.128.0/17 https://as1403.net/geofeed.csv [cache]
192.169.0.0/23 https://rg.net/geofeed [cache]
173.246.0.0/19 https://as1403.net/geofeed.csv [cache]
172.93.16.0/20 https://as1403.net/geofeed.csv [cache]
107.159.0.0/16 https://as1403.net/geofeed.csv [cache]
104.163.128.0/17 https://as1403.net/geofeed.csv [cache]
96.127.192.0/18 https://as1403.net/geofeed.csv [cache]
74.116.184.0/21 https://as1403.net/geofeed.csv [cache]
67.221.48.0/20 https://as1403.net/geofeed.csv [cache]

Missing NetRange:

AS1403
64.58.32.0/20
107.161.56.0/21
107.167.248.0/21
185.146.32.0/22
216.25.240.0/20

AS14086
2620:1F:4000::/48

Looking up the first NetRange 64.58.32.0/20 using whois version 5.5.6 shows the Comment field:

edugas@noc:~$ whois 64.58.32.0|grep Comment
Comment:        Geofeed https://as1403.net/geofeed.csv

Looking with ARIN's RDAP, can't see anything.

edugas@noc:~$ curl -v --silent https://rdap.arin.net/registry/ip/64.58.32.0/20 2>&1 | grep Geofeed

The common denominator for these NetRanges is they're reassigned. This is probably not an issue with your tool, but I hope there's a workaround for it.

For AS14086's NetRange 2620:1F:4000::/48, I don't have an explanation so far:

edugas@noc:~$ whois 2620:1F:4000::|grep Comment
Comment:        Geofeed https://qix.ca/geofeed.csv
edugas@noc:~$ curl -v --silent https://rdap.arin.net/registry/ip/2620:1F:4000:: 2>&1 | grep Geofeed
    "description" : [ "Geofeed https://qix.ca/geofeed.csv" ]

massimocandela commented 4 years ago

Hi @edugas,

Sorry for the late answer, temporarily swamped. I have been looking for a way to solve this in the meanwhile. As you said, it looks like a bug in ARIN's RDAP, which doesn't report comments for reassigned addresses (didn't look yet at 2620:1F:4000::).

I will contact ARIN, I hope they will fix it soon. In the meanwhile I'm working on a flag to use whois instead of RDAP for ARIN.

Thanks again for reporting

massimocandela commented 3 years ago

Hi @edugas,

I fixed the issue for 2620:1F:4000:: and released a new version; it was a -stupid- bug related to how I was doing the equality check of IPv6 addresses.

Also, I contacted ARIN about addressing the other issue in RDAP. I tried to implement a workaround and use whois directly instead of the RDAP API, but it was absolutely not feasible. Whois takes forever to answer compared to the API; a 15 min data download becomes 4+ hours.

Thanks again for discovering these bugs.
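
The comment above attributes the 2620:1F:4000:: miss to an IPv6 equality check; the fix itself is not shown on this page. The following is an added example, not geofeed-finder's own code, of comparing IPv6 prefixes by value so that compressed, expanded and mixed-case spellings of one prefix match. The helper names `parseIPv6`, `parsePrefix` and `samePrefix` are hypothetical, and the expanded spelling of the prefix is constructed.

```javascript
// Added example: compare IPv6 prefixes by value, not by their text form.
// parseIPv6, parsePrefix and samePrefix are hypothetical helper names.

// Turn any textual IPv6 form (compressed, expanded, mixed case) into a BigInt.
function parseIPv6(text) {
  const halves = text.trim().toLowerCase().split("::");
  if (halves.length > 2) throw new Error(`more than one "::" in ${text}`);
  const groups = (s) => (s === "" ? [] : s.split(":"));
  const head = groups(halves[0]);
  const tail = halves.length === 2 ? groups(halves[1]) : [];
  const missing = 8 - head.length - tail.length;
  // "::" must stand for at least one group; without it all 8 must be present.
  if (halves.length === 2 ? missing < 1 : missing !== 0) {
    throw new Error(`wrong number of groups in ${text}`);
  }
  let value = 0n;
  for (const g of [...head, ...Array(missing).fill("0"), ...tail]) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) throw new Error(`bad group "${g}" in ${text}`);
    value = (value << 16n) | BigInt(parseInt(g, 16));
  }
  return value;
}

// Parse "addr/len" and zero the host bits so equal networks compare equal.
function parsePrefix(text) {
  const [addr, len = "128"] = text.trim().split("/");
  if (!/^\d{1,3}$/.test(len) || Number(len) > 128) {
    throw new Error(`bad prefix length in ${text}`);
  }
  const hostBits = BigInt(128 - Number(len));
  return { network: (parseIPv6(addr) >> hostBits) << hostBits, length: Number(len) };
}

function samePrefix(a, b) {
  const pa = parsePrefix(a);
  const pb = parsePrefix(b);
  return pa.network === pb.network && pa.length === pb.length;
}

// Constructed sample: the whois-style query form from the issue, and the same
// prefix written in the expanded lower-case style the tool prints.
const reported = "2620:1F:4000::/48";
const expanded = "2620:1f:4000:0:0:0:0:0/48";
console.log(reported === expanded);          // string comparison
console.log(samePrefix(reported, expanded)); // value comparison
```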

massimocandela commented 3 years ago

Cause: When you have a NetRange and you reassign this NetRange, the ARIN portal automatically creates a new nested NetRange covering the same prefix range. This causes an ambiguity, since whois will retrieve the first matching NetRange (the parent) and RDAP the deeper NetRange (the nested one). Keep in mind they both cover the same prefix range. Apparently there is no way to change this behavior or to ask RDAP to get all NetRanges for a specific range.

Solution: Be aware of this behavior of the ARIN portal and always add the link to the geofeed file in the more nested NetRange for the reassigned prefixes.

This comment is for future reference. This was tested with @edugas and the issue can be closed.