IP Address Lookups: The Clues are Inside the Attributes
Finding out who’s in control of an IP address isn’t always as straightforward as you may think. Sometimes there’s more than one ISP mentioned in the record and that makes a difference when you need to know who’s in charge.
The process of sifting through an IP address record is like taking apart a Russian nesting doll. There can be several layers with each layer fitting in a particular order. To get to the secret inside you’ll want to take these layers apart.
In today’s post, we’re taking apart IP address records to identify the key attributes and what the attributes tell us about the record’s status.
When you think about it, an IP address is distributed in layers. On the top layer are the Regional Internet Registries (RIRs), which oversee large areas like a continent. For example, ARIN is the North American registry and RIPE oversees Europe.
Each RIR allocates IP addresses in blocks to large networks, known as Local Internet Registries (LIRs), that operate in one or several countries within its region. These LIRs are ISPs that assign some of these IP addresses to their end-user customers.
LIRs also divide and allocate some of this space to other networks in their region. This improves the region by creating more connections with each LIR routing some of the traffic for their network clients.
IP address records document these key connections between the end-user and the RIR. But, these records can become challenging to read when multiple networks appear in the record or when the details provided are unusual or vague.
These details are informational fields known as attributes. Attributes identify the RIR that allocated the address and, by association, the region. They can also identify the network and whether the network reallocated or reassigned the address to another entity operating like an ISP. Some attributes are descriptive fields that hint at how the address is being used and whether it is portable and can be physically relocated to another data center. In other words, attributes are powerful clues about the status of an IP address and who’s in charge of it – when they’re maintained correctly.
IP Address Attribute Definitions
There are rules for how an IP address can be distributed and rules for routing traffic to it. The status section of the record tells us which type we’re looking at. Several status codes describe these attributes, though the ones you’ll most likely encounter are Assigned PA, Reassignment, Reallocation and Anycast. Note that you will find similar announcements under “nettype” that include Direct Allocation and Reallocation.
It is important to note the difference between “allocation” and “assignment.” Allocation means the IP addresses are provided to networks and they maintain control of these addresses. Assignment, on the other hand, means the address is delegated or loaned to the end-user, which could also be an ISP. You should see these distinctions in the attributes below:
“Direct Allocation” means the ISP or end-user received the IP address block directly from the RIR. These ISPs are at the top level and are encouraged to assign or allocate segments of this space to other ISPs or end-users. An ISP with a direct allocation has the ability to move the block and this is something to look for with ISPs that have small allocations.
An Assigned PA or “provider aggregatable” means the ISP (provider) can divide and assign (aggregate) segments of their IP address block to end-users. These end-users can include other ISPs. When this happens, traffic is routed through the network that provided them with the addresses. This means the path to the IP address is controlled by the network and not the customer and that is an important distinction for PA addresses. Because of this, PA addresses are not portable: they can only be used with the network providing the address. When a customer ceases to do business, the IP address is returned to the network and not the RIR. Most IP addresses that you encounter will probably be Assigned PA.
Why would an ISP choose a PA address if they are sharing traffic with their upstream PA provider? For one thing, this is an easy and inexpensive solution. By getting a PA address, an ISP can host in their provider’s data centers and take advantage of their traffic exchange. It adds flexibility to the hosting location. A PA address ISP can create a network in multiple RIR regions and place servers strategically. They can place servers near their target users or in countries where laws are either lenient or more protective with their hosting. If things change, the ISP can walk away and migrate their customers to a new location.
Assigned PI or “provider independent” fits the description of a portable IP address, though you may never see one. Some are owned by banks and SSL accreditation services that may choose a PI address to maintain the reputation of their IP block. PI addresses are allocated directly to end-users by the RIRs and, as such, have no ties to a network. Their routing is always independent of the Internet, though it provides the owner with the flexibility of changing hosting without changing IP addresses.
Reassignment is the transfer of a block or some subset of a block of IP addresses from one network or ISP to another network.
Reallocation is the transfer of IP addresses between Local Internet Registries (LIR) and RIRs. Siteground.com is an example of an ISP with reallocations between RIRs.
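To take the layers apart in practice, the sketch below (an added example, not part of the original post) parses Whois text, reads the status or nettype attribute of every block that covers an address, and lists the blocks outermost first with the allocation/assignment and PA/PI distinctions described above. The sample records, the names in them and the helper function names are constructed for illustration, and only IPv4 "first - last" ranges are handled.

```python
import ipaddress
import re

# Constructed ARIN-style response (documentation addresses, made-up names):
# the customer's block is listed with the parent block it was carved from.
SAMPLE_ARIN = """\
NetRange:       198.51.100.64 - 198.51.100.127
NetName:        EXAMPLE-CUSTOMER
NetType:        Reassigned

NetRange:       198.51.100.0 - 198.51.100.255
NetName:        EXAMPLE-ISP-NET
NetType:        Direct Allocation
"""
# Constructed RIPE-style object.
SAMPLE_RIPE = """\
inetnum:        203.0.113.0 - 203.0.113.31
netname:        EXAMPLE-HOSTING
status:         ASSIGNED PA
"""

def parse_objects(text):
    """Split a whois response into blank-line separated key/value objects."""
    objects = []
    for block in re.split(r"\n\s*\n", text):
        obj = {}
        for line in block.splitlines():
            if line.startswith(("#", "%")) or ":" not in line:
                continue  # registry comment lines and free text
            key, _, value = line.partition(":")
            obj.setdefault(key.strip().lower(), value.strip())
        if "netrange" in obj or "inetnum" in obj:
            objects.append(obj)
    return objects

def classify(status):
    """Map a status/NetType value to (allocation|assignment, portable?)."""
    s = status.upper()
    kind = "allocation" if "ALLOCAT" in s else "assignment" if "ASSIGN" in s else "unknown"
    portable = True if s.endswith(" PI") else False if s.endswith(" PA") else None
    return kind, portable  # portable is None when the status does not say

def layers_for(text, ip):
    """Blocks covering ip, outermost first: (netname, status, kind, portable)."""
    addr, found = ipaddress.ip_address(ip), []
    for obj in parse_objects(text):
        rng = obj.get("netrange") or obj["inetnum"]  # IPv4 "first - last" form
        first, last = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
        if first <= addr <= last:
            status = obj.get("nettype") or obj.get("status", "")
            found.append((int(last) - int(first), obj.get("netname", "?"), status, *classify(status)))
    found.sort(key=lambda row: row[0], reverse=True)
    return [row[1:] for row in found]
```

When two layers come back for one address, the last row is the entity the address was delegated to and the first is the network that still holds the enclosing block.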
IP address attributes are only as good as the networks that maintain the records and this is another reason why traceroute may be needed to determine the relationship between networks.
Hosting information can also provide clues. Look up the resolvehosts, the domain names, through Whois or DNS lookup services like Domaintools.com. These domain names are issued by an ISP or user with some additional access to the IP address as an internal reference to its location or use.
In summary: IP addresses can be distributed through multiple layers. Check the attributes for clues about the status and control of your target IP address. You may want to verify your findings with a traceroute, checking the resolvehost record, looking for listings on a data center map, and by viewing the record through the rWhois service of the RIR that allocated the address.