AFRINIC recently undertook an audit of all IPv4 number resources, which consisted of verifying the rightful custodianship of those resources. The audit verified the processes adopted for the allocation of IPv4 number resources, which covered both legacy and non-legacy resources that fall under AFRINIC’s service region.
AFRINIC has taken action to keep its stakeholders informed about the situation, made infrastructural improvements to its database and reviewed its operational business rules and procedures, including but not limited to a review of infrastructural user access.
Finally, the report provided some recommendations which will assist AFRINIC in ensuring it maintains an accurate whois database.
What happened?
The misappropriation of IP number resources in the AFRINIC Whois Database was brought to light in mid-2019. Following an internal investigation, a former employee was found to have misappropriated IP number resources forming part of AFRINIC’s pool of resources. This matter was reported to the Mauritian Central Criminal Investigation Division, and an inquiry is presently ongoing.
What did AFRINIC find?
The audit reveals that 2,371,584 IPv4 addresses were misappropriated from AFRINIC’s pool of resources and attributed to organizations without justification.
A total of 1,060,864 IPv4 resources have been reclaimed. They were deregistered from the AFRINIC Whois Database and are presently in ‘quarantine’ for a period of 12 months. Following the ‘quarantine’ period, the resources may be added to AFRINIC’s pool of resources available for new allocations.
A total of 1,310,720 IPv4 resources, related to two distinct organizations, are yet to be reclaimed due to ongoing due diligence.
With regard to misappropriation of IPv4 legacy space, 1,799,168 IPv4 addresses, deemed to be legacy address space, appeared to have been compromised, and actions have been taken to contact the resource holders:
- 394,496 legacy IPv4 addresses have subsequently been consolidated at the request of the holding company of the organizations to which the resources were registered.
- Unsubstantiated changes to 467,968 legacy IPv4 addresses have been reversed.
- 936,704 legacy IPv4 addresses are currently under dispute and pending determination of rightful custodianship.
What is being done to keep this from happening again?
Following the findings of the audit, AFRINIC took several remedial actions, such as reinforcing internal and external processes and adding multiple layers of verification to our IP allocation and database update processes. Here is what has been done so far by AFRINIC:
- Regular communication through email updates and blog articles to keep stakeholders informed about the situation. All concerned organizations were informed to take appropriate measures to protect the custodianship of the resources they hold.
- AFRINIC undertook a review of its current processes relating to its core function and made various improvements in the control mechanisms for the management of Internet number resources. These covered the adoption of a fraud and corruption policy, and the introduction of a whistleblowing mechanism, to name just a few.
- Current business rules now provide better support to legacy resource holders, resulting in proper verification for legacy resource holders being conducted before any updates are made to records in the AFRINIC Whois Database.
- Resource Members have to meet new checks to comply with AFRINIC’s internal business process and policies: only registered contacts are allowed to request service support, verify domain name registration information, and cross-verify company registration information where those services are available.
- AFRINIC has been reinforcing its internal capacity and has embarked on a training program for staff members in registration services. This is ongoing to ensure that all team members are capable of diligently evaluating the requests and also able to identify any risks involved.
- The AFRINIC Whois Database has been upgraded with authentication mechanisms that have additional safety features. Staff authorized to perform changes to records in the MyAfrinic and whois databases authenticate such changes using their PGP key. Power maintainers only use PGP authentication. All resource holders have also been instructed to adopt secure password mechanisms.
- Additional layers of control for systems privileges for registration services staff have been implemented.
- AFRINIC has a mechanism in place that ensures all objects in its whois database are protected by a maintainer (auto-generated for person and role objects).
- AFRINIC also regularly monitors inconsistencies in its databases through reports that are generated daily. The Registration Services Team is informed when inconsistencies are detected between the resource file entries and the registry database.
How can AFRINIC and the community contribute to making things better?
As a result of the audit that was carried out on the accuracy of the AFRINIC Whois Database, the following recommendations were made:
- The report recommends that all AFRINIC resource holding Members keep their contact information updated.
- The report recommends that organizations ensure their details appearing on the AFRINIC Whois Database are kept up to date at all times.
- The report recommends that AFRINIC devote resources to ensure that legacy resource holders’ requests are attended to within the service timelines.
- The report recommends that the AFRINIC community critically assess how best the accuracy of the information pertaining to legacy resource holders can be improved and consider whether unused legacy resources should be left idle while AFRINIC exhausts its remaining pool of IPv4 addresses.
- The report also recommends that policies should be developed that may assist AFRINIC in ensuring the whois database is accurate at all times.
What’s next?
AFRINIC is committed to effectively executing the recommendations highlighted in the report. As the Regional Internet Registry for Africa and the Indian Ocean region, AFRINIC relies on the support and input of its community to implement those recommendations and improve on the accuracy and security of the whois database.
As we move forward, AFRINIC will keep its community informed about any improvements it implements for the whois database.
This post was first published on the AFRINIC Blog.
Ashil Oogarah is Communications Team Lead at AFRINIC.