# Beware of IP justification and your personal data being abused



## drmike (Dec 11, 2015)

Did you order a server, maybe you colo'd something so you can play your game out there in the datacenter, maybe it's a hobby box... many are.


Remember that IP justification to get those few IPs from the provider?  Did they make you fill out a form about the use?


Did they tell you that your data is going to be sent to third parties and will appear in public for data miners to collect?


Well, your data is doing all of that and you should take control of this situation.  Even worse, your data may be used by others to justify IP allocations you have nothing to do with.  This was done by many companies to BULLSHIT ARIN into allocating them large blocks of IPs.


Protect your identity and privacy.


Who is the first provider to be shamed for these lousy practices?


----------



## KuJoe (Dec 11, 2015)

This is why you should always read a provider's Privacy Policy before sending them any information.


----------



## drmike (Dec 11, 2015)

KuJoe said:


> This is why you should always read a provider's Privacy Policy before sending them any information.



Hahaha, well,  that's kind of unusual.  Yes as a purist I agree.  However, one assumes they declare such disclosures clearly. 


If anything, they should have policies and they should notify folks at the time of such data request.  Saying there are policies isn't really sufficient.  Most policies are boilerplate crap, if they even have that.


----------



## drmike (Dec 11, 2015)

I give a high-five to Incero for this in their Terms of Service:


@gordonrp


IPV4 ADDRESS USAGE



IPV4 (IP addresses in the format x.x.x.x e.g. 209.15.23.125) have been exhausted world-wide, soon there will be no way for even the largest companies to receive more IPV4 addresses. For this reason we must ensure that no customer is wasting IP space. Incero will run automated and manual processes to determine the use of IPV4 on its network. The following rules for IPV4 usage must be adhered to at all times: A server may not be issued more IPs than strictly required to function. A /30 (1 usable IP) is the default allocation. VPS, Cloud Server, and other virtual machine providers must not issue more than 1 IP per virtual machine unless strictly required to function. Customers who are currently issued more space than they need should contact support to have their IP allocation reduced in size. No downtime will result from resizing your IP space, and you may also save money on your monthly bill! All issued blocks must have 100% of the IPs responding to web based ping at all times. You may rate limit ping as desired (e.g. 20 per second). All servers (including Windows servers) must be configured to respond to ping. Incero may collect current and historical IP usage information for customer IP allocations and may share this data (including trends, predictions, ports found to be in use, machine type, and MAC address) with ARIN (the official agency in charge of IPV4 in the USA: http://www.Arin.net). Incero may share with ARIN the following customer information: Full Name, Company Name, Address, Phone Number, Email Address. ARIN may use this information only to contact the customer to confirm any IP allocations, enquire about any suspected IP waste, etc. as required during their normal operations to determine whether Incero may be issued more IP space and/or is complying with ARIN regulations.
In general Incero will only share this information for customers who have more than 5 IPs allocated, however Incero reserves the right to share this information with ARIN for any Incero customer with an active IPV4 allocation of any size. Most companies already share information with ARIN, but don’t explicitly tell their customers that they do this. Incero may port scan IPs from 23.29.121.146 to discover protocols being used on IPs. In general Incero may typically scan ports once per 24 hour period, however during IPV4 applications (by clients or by Incero to ARIN), an increased amount of scanning may occur. Incero typically only port scans a customer IP when that IP is not responding to ping. Clients should take no actions that reduce system security to accommodate Incero’s network scanning. System security is always the top priority. We will open a ticket with the client if we have concerns about not being able to ping or scan an IP.


----------



## TheLinuxBug (Dec 11, 2015)

I don't know, I don't want to be dictated to how I should use a product I purchased.  If I bought 5 IPs from you and have projects in line which I am not currently using the IPs for yet, but I have plans to, I shouldn't be required to leave them online and open to ICMP, that just increases the attack vector for my server.  Also, just because I am not using them at this moment doesn't mean I won't be using them soon, for you to take back something I purchased and plan to use because it doesn't currently ping is silly. If a provider actually did take back IPs from me like they threaten they would do, I would fire them in about 30 seconds and move away as I don't put up with someone I am paying money to for something telling me how I should or can use it.  Of course, I wouldn't purchase services from Incero or Gordon anyways after seeing the way they have handled themselves in the past regarding random pricing changes and other such stuff that I would just never put up with, that they do.


/rant


*TL;DR:*


Sure, give them a high five, but this in my opinion is an abhorrent practice; if I pay you for it, I should be able to secure it however I want (disable ICMP) or choose when I want to use it or not.  If this was ever to be enforced on me I would consider this a fireable offense from a provider and would be moving out ASAP. I am only glad you provided me yet another reason to never do business with Incero.


*Edit:* However I do agree it is nice they are upfront about the information they share with ARIN, I think I read down through the IP part and was annoyed enough originally I didn't finish reading.  On that part, sure they deserve a high-five, I suppose, as at least they are up front about what information they do share.


my 2 cents.


Cheers!


----------



## HN-Matt (Dec 11, 2015)

Night of the Living IP Blocks


----------



## KuJoe (Dec 11, 2015)

TheLinuxBug said:


> I don't know, I don't want to be dictated to how I should use a product I purchased.



I kinda disagree with this in a sense. Not that you should be required to have the IPs online and pingable, but that if you order IPs you should plan to use them relatively soon after purchasing them. Unless of course you're ordering a /29 or something, then it makes sense you might not use all of them at once but it conserves IPs instead of ordering a /30 each time you need a new IP. I'm mainly talking about VPSs with individual IPs and not subnets.


We recently had a client who ordered 15 IPs and when I asked for justification they told me it would be for SSL certificates. I asked him what domains he would be using so I could note it on his account (when a new client orders a lot of IPs and pays with an unverified payment method, I am really cautious about handing over IPs) and his response was that he didn't know yet. I asked him how many he needed right now and told him he could order more later as he needed them, but he just kept telling me that he paid for 15 IPs and wanted all 15 IPs.


----------



## HN-Matt (Dec 11, 2015)

KuJoe said:


> I kinda disagree with this in a sense. Not that you should be required to have the IPs online and pingable, but that if you order IPs you should plan to use them relatively soon after purchasing them.



hahahah, yeah, tell that to the monopolists out there who hoard IP space, creating the illusion of 'depletion' and scarcity for the sake of marketing narratives. Guess the same shouldn't be expected of them?

_"You must use the IP space relatively soon, but us? Nah, we don't have to. We're the rightful hoarders here."_


----------



## KuJoe (Dec 11, 2015)

HN-Matt said:


> hahahah, yeah, tell that to the monopolists out there who hoard IP space, creating the illusion of 'depletion' and scarcity for the sake of marketing narratives. Guess the same shouldn't be expected of them?
> 
> _"You must use the IP space relatively soon, but us? Nah, we don't have to. We're the rightful hoarders here."_



I agree, the hoarding makes me sick and it's complete BS that ARIN allowed and facilitated the current lack of IPs. As a provider I don't care too much because we have enough IPs, but it hurts the clients who want service elsewhere and as a consumer I fear that the services I have with other providers will change or be discontinued down the road.


----------



## asadito (Dec 12, 2015)

People who give our personal data away deserve a slow death!


----------



## KuJoe (Dec 12, 2015)

asadito said:


> People who give our personal data away deserve a slow death!



Did you bother reading anything posted here? Do you bother reading privacy policies before you voluntarily give out your own personal data?


----------



## HN-Matt (Dec 13, 2015)

drmike said:


> Did you order a server, maybe you colo'd something so you can play your game out there in the datacenter, maybe it's a hobby box... many are.
> 
> 
> Remember that IP justification to get those few IPs from the provider?  Did they make you fill out a form about the use?
> ...



Only provider that has ever made me fill out a form for IP justification was 'Quick Packet'. It was a goofy ass .docx template IIRC. Seemed to be more about information gathering than anything. That was last year and I had a server with them for only one month (never used in production, I usually stress test new servers for multiple months first). Presumably they aren't involved in what you're getting at?

For most VPS hosts who are 'merely' renting space from larger organizations, the concept of IP 'justification' is kinda silly in that the allocations are usually too small to matter. Unless you're in love with superfluous micromanagement, I guess.


----------



## mitgib (Dec 13, 2015)

HN-Matt said:


> For most VPS hosts who are 'merely' renting space from larger organizations, the concept of IP 'justification' is kinda silly in that the allocations are usually too small to matter. Unless you're in love with superfluous micromanagement, I guess.



You'd be surprised how honest people are when you ask them to justify their IP request. I've avoided countless spammers from getting on my network with that simple question.


----------



## winnervps (Dec 13, 2015)

HN-Matt said:


> Only provider that has ever made me fill out a form for IP justification was 'Quick Packet'. It was a goofy ass .docx template IIRC. Seemed to be more about information gathering than anything. That was last year and I had a server with them for only one month (never used in production, I usually stress test new servers for multiple months first). Presumably they aren't involved in what you're getting at?
> 
> For most VPS hosts who are 'merely' renting space from larger organizations, the concept of IP 'justification' is kinda silly in that the allocations are usually too small to matter. Unless you're in love with superfluous micromanagement, I guess.



I know a dedicated server provider here that is very strict in reviewing your 'form' of justification


----------



## HN-Matt (Dec 13, 2015)

mitgib said:


> You'd be surprised how honest people are when you ask them to justify their IP request. I've avoided countless spammers from getting on my network with that simple question.



Well I was going to add, as a VPS host who rents IP space from larger organizations, the only time 'my' IPs have ever appeared in blacklists is when the larger allocation—of which they were a subset—had been broadbrush listed, and never because of any spam being sent by my own clients. It became convenient to discover who the negligent, dishonest and untrustworthy RBLs were as a result, at least.

Perhaps the larger orgs should have sent justification notices to themselves in such cases? If only they had metacritically filled out their own simple .docx forms, no spam would have ever appeared!



winnervps said:


> I know a dedicated server provider here that is very strict in reviewing your 'form' of justification



You mean like, they're critical of Plato's theory of forms? Or something else?


----------



## winnervps (Dec 16, 2015)

HN-Matt said:


> You mean like, they're critical of Plato's theory of forms? Or something else?



I think they're Socrates fans. Apart from that, they do check the "formal requirements" to be able to have the IPs. (If you are a VPS provider, they will ask what your clients will be in the next 3, 6, 12 months, etc. and what the plan to use them would be.) They put it on a form of form. So one might say it's a strict form.


----------



## drmike (Dec 16, 2015)

mitgib said:


> You'd be surprised how honest people are when you ask them to justify their IP request. I've avoided countless spammers from getting on my network with that simple question.



True on this.


Problem is, real spammers, especially the ROKSO crowd, have pre-prepped data to fool you.  I mean full profiles, address, etc., all fluff, but yeah.  This approach, like most, will only catch the lazy / stupid / junior style ones.



HN-Matt said:


> Only provider that has ever made me fill out a form for IP justification was 'Quick Packet'. It was a goofy ass .docx template IIRC. Seemed to be more about information gathering than anything. That was last year and I had a server with them for only one month (never used in production, I usually stress test new servers for multiple months first). Presumably they aren't involved in what you're getting at?
> 
> For most VPS hosts who are 'merely' renting space from larger organizations, the concept of IP 'justification' is kinda silly in that the allocations are usually too small to matter. Unless you're in love with superfluous micromanagement, I guess.



In fairness, justification is supposed, per ARIN, to be recorded for anything larger than a /30 allocation (do I have that right, IP guys?).  Transmitting that data to ARIN and especially publicly posting that data isn't really required.  ARIN was busting chops for a year plus before IPs ran out, demanding full justification with details from some shops.  Problem is, while ARIN wanted that data and got it, ARIN claims no liability if such is accidentally released to the public, hacked, etc.  Meaning they give no fucks about privacy, especially of private customers using their bed location address.


Now in fairness, ARIN does have policies about WHOIS and related, a whole policy subsection, which says private customers can be masked.  They stop short of saying it should always be done, but any company not doing such is as inept as it gets and sitting on a potential legal slap.   Would you be happy if [name that store] transmitted your data to its vendors and then those vendors resold, bundled, aggregated and otherwise exposed you as a shopper of [name that store]?  Yeah I know, some people care less than those corporate machines, 'cause they can't focus and see the big long term picture.


QuickPacket is good people.  Nope, not them.   This was just a general heads up.


At this point, anyone on about IP justification in an ARIN area, meh, I think they are smoking dope.   IPs are goners, kids.  What the heck needs justifying?  Not like you can get more ARIN IPs unless you rob your bank to pay for them.  Can't see ARIN caring about deals involving large sums of money... Always thought ARIN was here just to rapidly allocate IPs and that's it. ARIN's role now is what? Having meetings, getting ready to be instrumental in the IP sale market, what else?  Hoping IoT leads to an IPv6 supervisory role?  I guess. Goons in suits that algorithms could have replaced 15 years ago.


----------



## qps (Dec 16, 2015)

drmike said:


> Now in fairness, ARIN does have policies about WHOIS and related, a whole policy subsection, which says private customers can be masked.



ARIN will not allow you to use "Private Customer" for anyone other than a residential ISP customer (dial up, cable, DSL, FTTH, etc).  The "Private Customer" policy does not apply to a dedicated server, which ARIN considers a business product and must list the name of the person or company that purchases it.  ARIN made us update all of the SWIPs we had with "Private Customer" to reflect the person's actual name.


We always list the address of the data center, not the address of the individual, which is considered an acceptable practice, since the address should match the location where the service is provided per ARIN policy.  Also, since geolocation goes off of the address listed in the SWIP, it's important to list the data center address to get proper geolocation.



HN-Matt said:


> Only provider that has ever made me fill out a form for IP justification was 'Quick Packet'. It was a goofy ass .docx template IIRC. Seemed to be more about information gathering than anything. That was last year and I had a server with them for only one month (never used in production, I usually stress test new servers for multiple months first). Presumably they aren't involved in what you're getting at?



QuickPacket only asks for the information on the form because that is what ARIN requires.  Our form mirrors the example form that ARIN provided to us.  ARIN requires that we obtain a completed form from every customer who requests more than a /29.  If another provider isn't requesting this information, they aren't following ARIN policy.


----------



## drmike (Dec 16, 2015)

qps said:


> QuickPacket only asks for the information on the form because that is what ARIN requires.  Our form mirrors the example form that ARIN provided to us.  ARIN requires that we obtain a completed form from every customer who requests more than a /29.  If another provider isn't requesting this information, they aren't following ARIN policy.



Is the ARIN IP justification just anything above /29 (i.e. 6 usable IPs)?  Anything less is no justification?


----------



## qps (Dec 16, 2015)

drmike said:


> Is the ARIN IP justification just anything above /29 (i.e. 6 usable IPs)?  Anything less is no justification?



I can only speak from our experience as primarily a dedicated server provider.  If it is being reassigned to a customer, yes, /29 or smaller does not require justification from ARIN; /28 and bigger requires a completed justification form.


----------



## rds100 (Dec 17, 2015)

People who don't want their personal information to be publicly visible in ARIN's or RIPE's database should use a single IP. People who need a subnet should be aware and should be prepared to have the subnet SWIPed, and their information will be publicly visible to anyone checking the whois information for that subnet. I think it's common sense.


----------



## drmike (Dec 17, 2015)

Common sense to you... but not to MANY folks.    So let it serve as a public notice of sorts for them.


----------



## HN-Matt (Dec 17, 2015)

drmike said:


> Goons in suits that algorithms could have replaced 15 years ago.



Yeah, but that probably applies to at least ~99% of the government/corporate world. Kind of a futile angle to take unless you have a way to replace all of their jobs with automation without making their families go hungry.


----------



## drmike (Dec 17, 2015)

HN-Matt said:


> Yeah, but that probably applies to at least ~99% of the government/corporate world. Kind of a futile angle to take unless you have a way to replace all of their jobs with automation without making their families go hungry.



Not my problem if they need to find a job... They didn't give two shits when they pushed manufacturing companies abroad (on their suit watch) and allowed goods to come back into the US and Canada absent tariffs to level the field.  Which cost millions of middle class jobs in developed countries.


Desk workers are next to have their skinny necks on the chopping block.  Generating reams of paper and chatting doesn't generate much tangible value.  The average unwashed masses are eventually going to give no regard about the 'educated' hierarchy and their importance theater and demand they go...


----------



## HN-Matt (Dec 18, 2015)

drmike said:


> QuickPacket is good people.  Nope, not them.   This was just a general heads up.



Dunno, I have nothing against them and was reconsidering a dedi today, but then noticed this in their ToS:



> *23. QuickPacket makes no guarantee of confidentiality or privacy of any information transmitted through or stored upon QuickPacket technology*, and makes no guarantee that any other entity or group of users will be included or excluded from QuickPacket's network. In addition, QuickPacket may periodically monitor transmissions over its network for maintenance, service quality assurance or any other purpose permitted by the Electronic Communications Privacy Act, P.L. No. 99-508, as amended.



Am not a lawyer, but far as I can tell it seems to contradict their privacy policy to some extent:



> Will you ever sell my details to another company?
> 
> 
> 
> Absolutely not! We will never sell or share your information with a third-party not outlined on this page.



drmike said:


> Desk workers are next to have their skinny necks on the chopping block.  Generating reams of paper and chatting doesn't generate much tangible value.  The average unwashed masses are eventually going to give no regard about the 'educated' hierarchy and their importance theater and demand they go...



Maoist revolution!


----------



## qps (Dec 20, 2015)

HN-Matt said:


> Dunno, I have nothing against them and was reconsidering a dedi today, but then noticed this in their ToS:
> 
> 
> Am not a lawyer, but far as I can tell it seems to contradict their privacy policy to some extent:



The statement in the privacy policy has nothing to do with what you quoted from the Terms of Service.  The language in the Terms of Service says the data stored on or transmitted through your services with us might not be confidential.  It is your responsibility to configure and secure your services.  We can't guarantee anything like that on an unmanaged service.


----------

