
It seems to me that they have a glaring omission in not notifying a
registrant when someone submitted or modified an IP address range for their
institution.  Seems like a no-brainer to me.

As for *publishers* providing IP address ranges to update an institution's
IP range, *what are they thinking?*

John Lolis
Coordinator of Computer Systems

100 Martine Avenue
White Plains, NY  10601

tel: 1.914.422.1497
fax: 1.914.422.1452

https://whiteplainslibrary.org/

*When you think about it, *all* security is ultimately security by
ignorance.*



On Fri, 4 Dec 2020 at 18:09, Will Martin wrote:

> They portray themselves as offering accurate IP ranges, when what
> they've got amounts to some guess-work.  They don't really have any way
> to catch errors like the Choopa.net example Tom Keays gave, or the
> consortium sub-range in mine.  Unless, of course, the way they catch
> those is to rely on people from the institutions to eventually log in
> and correct those for them.
>
> I'm going to go ahead and update my institution's ranges with them
> anyway, because I think I have to.  But I'm not going to like them for
> it.
>
> Will
>
> On 2020-12-04 16:49, Tom Keays wrote:
> > A couple of years ago, when I was reviewing the IP setup for Scitation
> > for my institution, I noticed it included an unfamiliar IP range,
> > 216.155.128.000 - 216.155.128.063. This was not the first time I had
> > encountered this range (although I don't have a record of what the
> > previous vendors were where I found it). After spending some time
> > investigating, I determined that it belonged to an internet hosting
> > company called Choopa.net. Definitely a bogus listing for us.
> >
> > Anyway, when I first set up my account at The IP Registry, they also
> > listed this range. When I told them about it and asked them how they got
> > it and explained that it should never have been there in their records,
> > they replied, "This IP range was supplied to us by a number of publishers
> > who are using it to provide access."
> >
> > I don't really know how this range got listed as being valid for my
> > institution. Was it there because an individual social engineered
> > somebody's support team in order to get free access to online resources?
> > I have to assume so. I also don't know if The IP Registry got it from the
> > e-resource vendors and accepted it without question or the vendors got it
> > from them, again without question. Either way, it made me worry about
> > trusting them too far.
> >
> > Tom
> >
> > On Fri, Dec 4, 2020 at 2:33 PM Jeremiah Kellogg wrote:
> >
> >> Yikes, this does sound like we're being forced into a service whether
> >> we want to use it or not.  At our institution we're the default owner
> >> of a range of IPs we manage on behalf of a public library consortium
> >> that we're not actually a part of (so the consortium shouldn't be
> >> accessing our databases).  The IP registry had grabbed that range of
> >> IPs and included them in our profile, but had them pending verification
> >> from our institution that we actually owned them before making them
> >> available to publishers.  I ended up editing that range to exclude the
> >> consortium IPs, and then no longer had to verify the remaining range of
> >> IPs that were correct.  Now that I really think about this, had I not
> >> made those edits, our proxy server would have been excluded and we
> >> would have faced a situation where our students, faculty and staff were
> >> denied access to the services they should be able to access.  So we
> >> would have faced the opposite problem that you experienced, Will, where
> >> people would be denied access rather than given access they shouldn't
> >> have.  Either way, the only apparent way these problems can be fixed is
> >> by signing up with the IP registry and updating things ourselves... and
> >> that's kind of underhanded.  I'm not sure I'd worry too much about the
> >> legalities because it appears vendors, unlike our institutions,
> >> participate willingly, and if they're willing to take the ipregistry's
> >> word that our IP ranges are accurate that's on them.  It's just really
> >> frustrating to think that we'd face these kinds of problems due to an
> >> outside entity getting things wrong on our behalf, and the only way to
> >> fix them is by signing up with them and making corrections.
> >>
> >> I don't think I mind them selling our improved IP data to vendors
> >> because that's the kind of thing most free services need to do to pay
> >> the bills these days. I might be putting the work into it, but it's not
> >> so much that I feel like I'm putting more in than I'm getting out of
> >> it.  However, as you point out, Will, there doesn't appear to be a
> >> mechanism for opting out of their system, and that really stinks.  I
> >> haven't dug too deep, but I wonder if there's a way of setting things
> >> up with vendors who use that service to stop using it when we make such
> >> a request?  I think I'm pretty much on the same page as you, Will.
> >> It's a great idea for a service, but being forced into it will
> >> understandably leave a bad taste in people's mouths, and it also casts
> >> a bit of shadow on the service's integrity.  I get that participation
> >> is important for this kind of thing, but I suspect there are better
> >> ways of getting people onboard!
> >>
> >> On Thu, Dec 3, 2020 at 6:02 PM Will Martin wrote:
> >>
> >> > I am concerned by the fact that the IP Registry appears to have gone
> >> > around figuring out the IP ranges for schools based on public records
> >> > from the IANA and a bunch of vendor records.  I'm sure that was
> >> > difficult, and their site says it took four years.  When it was done,
> >> > they announced that 58% of IP ranges were wrong, and began selling the
> >> > service to vendors and telling them what our IP addresses are based on
> >> > their analysis.
> >> >
> >> > I claimed the account for my institution and discovered that there
> >> > were 26 vendors already pulling my university's IP ranges from the IP
> >> > Registry.  Unfortunately, the IP ranges were wrong.  To name a few
> >> > problems:
> >> >
> >> > 1) They conflated us with another school in the same university
> >> > system.
> >> >
> >> > 2) They could not know that there are a couple of IP ranges that we
> >> > prefer to be treated as "off campus" even though they belong to the
> >> > University.
> >> >
> >> > 3) They had no way to know that one particular range of our IPs is
> >> > assigned to a library consortium in our state, and used for proxy
> >> > servers that serve the other institutions in the university system
> >> > plus several dozen public libraries.
> >> >
> >> > The third point is critical.  By distributing these erroneous IP
> >> > ranges on my school's behalf, without permission, the IP registry has
> >> > effectively granted access to 26 of our subscriptions to basically
> >> > everyone in my state.  We are thus in violation of our license
> >> > agreements and will be at risk of legal action by the publishers
> >> > until I can sort this mess out.
> >> >
> >> > Because this involves multiple institutions -- my own, the broader
> >> > university system, the aforementioned library consortium -- I am going
> >> > to have to contact and explain the situation to a lot of people, and
> >> > spend a lot of time checking and re-checking IP ranges, all in service
> >> > of updating the IP Registry's records.
> >> >
> >> > Then they get to turn around and charge the publishers for my work.
> >> >
> >> > But frankly, their business model feels like extortion to me. We have
> >> > to verify their records, or there's a chance that our resources will
> >> > be accessible to people who should not have access because their
> >> > analysis was incorrect.  They appear to have engineered a situation
> >> > that puts my institution in potential legal jeopardy, which we can
> >> > only get out of by improving the data that the IP Registry is selling
> >> > for a profit.
> >> >
> >> > I am not happy with them.  The basic idea -- a centralized repository
> >> > of IP ranges for bulk updating publisher records -- is both sound and
> >> > useful.  But their business model leaves a bad taste in my mouth.  If
> >> > I could, I would opt out of the system.  But they do not appear to
> >> > have made a mechanism available to do so.
> >> >
> >> > Will Martin
> >> >
> >> > Head of Digital Initiatives, Systems and Services
> >> > Chester Fritz Library
> >> > University of North Dakota
> >> >
> >>
> >>
> >> --
> >> Jeremiah Kellogg
> >> Systems Librarian
> >> Pierce Library
> >> Eastern Oregon University
> >> (541) 962-3017
> >>
>
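The range review that Tom, Jeremiah and Will each describe doing by hand can be scripted. The following is an added example, not part of the original thread: it compares the ranges a vendor or registry lists against the institution's own records and flags unfamiliar ranges and ranges that cover a sub-range which must stay excluded. The function names are hypothetical, and the owned and excluded networks are constructed documentation addresses; only the 216.155.128.000 - 216.155.128.063 range comes from the thread.

```python
import ipaddress

def parse_range(text):
    """Turn 'a.b.c.d - e.f.g.h' into the CIDR blocks that cover it exactly."""
    def addr(s):
        # Vendor lists often zero-pad octets ("128.000"); current versions of
        # Python's ipaddress module reject that, so normalise each octet first.
        octets = [str(int(o, 10)) for o in s.strip().split(".")]
        return ipaddress.IPv4Address(".".join(octets))
    first, last = (addr(part) for part in text.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def audit(listed, owned, excluded):
    """Classify each range a vendor or registry lists for the institution."""
    findings = []
    for text in listed:
        for net in parse_range(text):
            if any(net.overlaps(x) for x in excluded):
                # Would grant access to a range that must stay out,
                # e.g. a consortium proxy sub-range.
                status = "overlaps-excluded"
            elif any(net.subnet_of(o) for o in owned):
                status = "ok"
            else:
                # Not in our records: ask the vendor where it came from.
                status = "unknown"
            findings.append((text, str(net), status))
    return findings

# Constructed sample data (assumption): 192.0.2.0/24 stands in for the
# institution's block, 192.0.2.128/26 for a sub-range run for a consortium.
OWNED = [ipaddress.ip_network("192.0.2.0/24")]
EXCLUDED = [ipaddress.ip_network("192.0.2.128/26")]
LISTED = [
    "192.0.2.0 - 192.0.2.127",
    "192.0.2.0 - 192.0.2.255",
    "216.155.128.000 - 216.155.128.063",  # the range quoted in the thread
]

if __name__ == "__main__":
    for text, net, status in audit(LISTED, OWNED, EXCLUDED):
        print(f"{status:18} {net:20} (listed as {text})")
```

Run against each vendor's admin listing on a schedule, a check like this surfaces a changed or added range without waiting for a notification from the vendor or registry.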