Oh boy. MIT Press is migrating to a new platform and they want us to be on
yet another IP registry platform. From the email...

*Sign up for PSI’s IP registry*, if you are not already registered.
https://www.psiregistry.org/
<https://mit.us2.list-manage.com/track/click?u=7caff40e82d72e9429c33df2a&id=2cb79f8b34&e=4349323911>
.

Does anybody have any experience with them?

Tom

On Sun, Dec 6, 2020 at 9:30 PM Fitchett, Deborah <
[log in to unmask]> wrote:

> In my experience, since we signed up, they do email us very occasionally
> to say “Oh we heard such-and-such an IP range is you, can you confirm?” so
> we can login and say “No, no that hasn’t been our IP range for 10 years,
> who on earth still has that on file?”
>
> --More precisely, we can say “No.” But at least that’s something.
>
> It’s… problematic that they’re maintaining ranges for institutions who
> haven’t signed up. I guess they’re thinking then there’s more incentive to
> get publishers to come on board, since it is one of those services that
> will work best if most people are on board, and getting momentum when few
> people are on board is a challenge.
>
> I do really like the idea of the service. I come at this from having to go
> through the “email/login to ALL the publishers to update IP ranges” about
> three times in not very many more years, it was painful and I remain
> traumatised. The idea of just being able to update a single place (or at
> least a single place for most publishers and a few outliers individually)
> is really appealing.
>
> I note a couple of their publishers are now using the IP Registry’s API to
> stay updated with IP addresses, which seems like another great development.
>
> Maybe it’s worth sending them feedback that if they provide IP addresses
> for institutions who haven’t signed up, they need to make it clear to
> publishers that these are non-verified and publishers should always confirm
> with the institution before making changes.
>
> Deborah
>
>
> From: Code for Libraries <[log in to unmask]> On Behalf Of Lolis,
> John
> Sent: Saturday, 5 December 2020 12:25 PM
> To: [log in to unmask]
> Subject: Re: [CODE4LIB] The IP Registry
>
> It seems to me that they have a glaring omission in not notifying a
> registrant when someone submitted or modified an IP address range for their
> institution. Seems like a no-brainer to me.
>
> As for *publishers* providing IP address ranges to update an institution's
> IP range, *what are they thinking?*
>
> John Lolis
> Coordinator of Computer Systems
>
> 100 Martine Avenue
> White Plains, NY 10601
>
> tel: 1.914.422.1497
> fax: 1.914.422.1452
>
> https://whiteplainslibrary.org/<https://whiteplainslibrary.org>
>
> *When you think about it, *all* security is ultimately security by
> ignorance.*
>
>
>
> On Fri, 4 Dec 2020 at 18:09, Will Martin <[log in to unmask]<mailto:
> [log in to unmask]>> wrote:
>
> > They portray themselves as offering accurate IP ranges, when what
> > they've got amounts to some guess-work. They don't really have any way
> > to catch errors like the Choopa.net example Tom Keays gave, or the
> > consortium sub-range in mine. Unless, of course, the way they catch
> > those is to rely on people from the institutions to eventually log in
> > and correct those for them.
> >
> > I'm going to go ahead and update my institutions ranges with them
> > anyway, because I think I have to. But I'm not going to like them for
> > it.
> >
> > Will
> >
> > On 2020-12-04 16:49, Tom Keays wrote:
> > > A couple of years ago, when I was reviewing the IP set up for Scitation
> > > for
> > > my institution, I noticed it included an unfamiliar IP range,
> > > 216.155.128.000 - 216.155.128.063. This was not the first time I had
> > > encountered this range (although I don't have a record of what the
> > > previous
> > > vendors were where I found it). After spending some time investigating,
> > > I
> > > determined that it belonged to an internet hosting company called
> > > Choopa.net. Definitely a bogus listing for us.
> > >
> > > Anyway, when I first set up my account at The IP Registry, they also
> > > listed
> > > this range. When I told them about it and asked them how they got it
> > > and
> > > explained that it should never have been there in their records, they
> > > replied, "This IP range was supplied to us by a number of publishers
> > > who
> > > are using it to provide access."
> > >
> > > I don't really know how this range got listed as being valid for my
> > > institution. Was it there because individual social engineered
> > > somebody's
> > > support team in order to get free access to online resources? I have to
> > > assume so. I also don't know if The IP Registry got it from the
> > > e-resource
> > > vendors and accepted it without question or the vendors got it from
> > > them,
> > > again without question. Either way, it made me worry about trusting
> > > them
> > > too far.
> > >
> > > Tom
> > >
> > > On Fri, Dec 4, 2020 at 2:33 PM Jeremiah Kellogg <[log in to unmask]
> <mailto:[log in to unmask]>>
> > > wrote:
> > >
> > >> Yikes, this does sound like we're being forced into a service whether
> > >> we
> > >> want to use it or not. At our institution we're the default owner of
> > >> a
> > >> range of IPs we manage on behalf of a public library consortium that
> > >> we're
> > >> not actually a part of (so the consortium shouldn't be accessing our
> > >> databases). The IP registry had grabbed that range of IPs and
> > >> included
> > >> them in our profile, but had them pending verification from our
> > >> institution
> > >> that we actually owned them before making them available to
> > >> publishers. I
> > >> ended up editing that range to exclude the consortium IPs, and then no
> > >> longer had to verify the remaining range of IPs that were correct.
> > >> Now
> > >> that I really think about this, had I not made those edits, our proxy
> > >> server would have been excluded and we would have faced a situation
> > >> where
> > >> our students, faculty and staff were denied access to the services
> > >> they
> > >> should be able to access. So we would have faced the opposite problem
> > >> that
> > >> you experienced, Will, where people would be denied access rather than
> > >> given access they shouldn't have. Either way, the only apparent way
> > >> these
> > >> problems can be fixed is by signing up with the IP registry and
> > >> updating
> > >> things ourselves... and that's kind of underhanded. I'm not sure I'd
> > >> worry
> > >> too much about the legalities because it appears vendors, unlike our
> > >> institutions, participate willingly, and if they're willing to take
> > >> the
> > >> ipregistry's word that our IP ranges are accurate that's on them.
> > >> It's
> > >> just really frustrating to think that we'd face these kinds of
> > >> problems due
> > >> to an outside entity getting things wrong on our behalf, and the only
> > >> way
> > >> to fix them is by signing up with them and making corrections.
> > >>
> > >> I don't think I mind them selling our improved IP data to vendors
> > >> because
> > >> that's the kind of thing most free services need to do to pay the
> > >> bills
> > >> these days. I might be putting the work into it, but it's not so much
> > >> that
> > >> I feel like I'm putting more in than I'm getting out of it. However,
> > >> as
> > >> you point out, Will, there doesn't appear to be a mechanism for opting
> > >> out
> > >> of their system, and that really stinks. I haven't dug too deep, but
> > >> I
> > >> wonder if there's a way of setting things up with vendors who use that
> > >> service to stop using it when we make such a request? I think I'm
> > >> pretty
> > >> much on the same page as you, Will. It's a great idea for a service,
> > >> but
> > >> being forced into it will understandably leave a bad taste in people's
> > >> mouths, and it also casts a bit of shadow on the service's integrity.
> > >> I
> > >> get that participation is important for this kind of thing, but I
> > >> suspect
> > >> there are better ways of getting people onboard!
> > >>
> > >> On Thu, Dec 3, 2020 at 6:02 PM Will Martin <[log in to unmask]
> <mailto:[log in to unmask]>>
> > >> wrote:
> > >>
> > >> > I am concerned by the fact that the IP Registry appears to have gone
> > >> > around figuring out the IP ranges for schools based on public
> records
> > >> > from the IANA and a bunch of vendor records. I'm sure that was
> > >> > difficult, and their site says it took four years. When it was done,
> > >> > they announced that 58% of IP ranges were wrong, and began selling
> the
> > >> > service to vendors and telling them what our IP addresses are based
> on
> > >> > their analysis.
> > >> >
> > >> > I claimed the account for my institution and discovered that there
> > were
> > >> > 26 vendors already pulling my university's IP ranges from the IP
> > >> > Registry. Unfortunately, the IP ranges were wrong. To name a few
> > >> > problems:
> > >> >
> > >> > 1) They conflated us with another school in the same university
> > system.
> > >> >
> > >> > 2) They could not know that there are a couple of IP ranges that we
> > >> > prefer to be treated as "off campus" even though they belong to the
> > >> > University.
> > >> >
> > >> > 3) They had no way to know that one particular range of our IPs is
> > >> > assigned to a library consortium in our state, and used for proxy
> > >> > servers that serve the other institutions in the university system
> > plus
> > >> > several dozen public libraries.
> > >> >
> > >> > The third point is critical. By distributing these erroneous IP
> > ranges
> > >> > on my school's behalf, without permission, the IP registry has
> > >> > effectively granted access to 26 of our subscriptions to basically
> > >> > everyone in my state. We are thus in violation of our license
> > >> > agreements and will be at risk of legal action by the publishers
> > until I
> > >> > can sort this mess out.
> > >> >
> > >> > Because this involves multiple institutions -- my own, the broader
> > >> > university system, the aforementioned library consortium -- I am
> going
> > >> > to have to contact and explain the situation to a lot of people, and
> > >> > spend a lot of time checking and re-checking IP ranges, all in
> service
> > >> > of updating the IP Registry's records.
> > >> >
> > >> > Then they get to turn around and charge the publishers for my work.
> > >> >
> > >> > But frankly, their business model feels like extortion to me. We
> have
> > to
> > >> > verify their records, or there's a chance that our resources will be
> > >> > accessible to people who should not have access because their
> analysis
> > >> > was incorrect. They appear to have engineered a situation that puts
> > my
> > >> > institution in potential legal jeopardy, which we can only get out
> of
> > by
> > >> > improving the data that the IP Registry is selling for a profit.
> > >> >
> > >> > I am not happy with them. The basic idea -- a centralized repository
> > of
> > >> > IP ranges for bulk updating publisher records -- is both sound and
> > >> > useful. But their business model leaves a bad taste in my mouth. If
> > I
> > >> > could, I would opt out of the system. But they do not appear to have
> > >> > made a mechanism available to do so.
> > >> >
> > >> > Will Martin
> > >> >
> > >> > Head of Digital Initiatives, Systems and Services
> > >> > Chester Fritz Library
> > >> > University of North Dakota
> > >> >
> > >>
> > >>
> > >> --
> > >> Jeremiah Kellogg
> > >> Systems Librarian
> > >> Pierce Library
> > >> Eastern Oregon University
> > >> [log in to unmask]<mailto:[log in to unmask]>
> > >> (541) 962-3017
> > >>
> >
>
> ________________________________
>
> "The contents of this e-mail (including any attachments) may be
> confidential and/or subject to copyright. Any unauthorised use,
> distribution, or copying of the contents is expressly prohibited. If you
> have received this e-mail in error, please advise the sender by return
> e-mail or telephone and then delete this e-mail together with all
> attachments from your system."
>