A fight erupted between SEACOM and another network operator when SEACOM discovered that one of its network numbers was being used by an Internet service provider from Manila in the Philippines.
The dispute involves an Autonomous System Number (ASN) belonging to SEACOM, which was being used by another network – IPDC Solutions in Asia.
It also involves a block of 256 IP addresses, ranging from 126.96.36.199 to 188.8.131.52, which African Internet registry AFRINIC assigned to a company called Cloud Innovation.
Autonomous Systems are part of a standard called Border Gateway Protocol (BGP). This is a system which helps facilitate the routing of traffic on the Internet.
“An ASN is a unique identifier on the Internet for every network that participates in the global BGP. Think of it like your mobile phone number, physical home address, or thumb print, which are all unique to you,” SEACOM told MyBroadband.
“When anyone, other than you purports to identify themselves using your mobile phone number, physical address, or thumb print, you would be exposed to unnecessary risk. The same principle applies to networks who appropriate other networks’ ASNs.”
Apology from IPDC
The ASN in question, AS37353, belonged to MacroLan. SEACOM acquired MacroLan in 2017 to extend the reach of its metropolitan fibre network in the Western Cape. MacroLan’s offices also became the Cape Town regional office for SEACOM.
Cloud Innovation was a client of MacroLan, but their contract ended shortly after SEACOM acquired MacroLan. MacroLan had previously announced a BGP route for the 184.108.40.206/24 IP address block on behalf of Cloud Innovation.
IPDC explained that it had used the MacroLan ASN, which now belongs to SEACOM, at the instruction of one of its clients. While IPDC declined to identify its client, MyBroadband understands that the client is an ISP in the Philippines.
After the issue was detected and reported to IPDC, the company apologised for not paying closer attention and verifying that its client was authorised to use the ASN.
Cloud Innovation’s role
While IPDC took responsibility for the error, members of the African networking community called Cloud Innovation to task for what had happened.
IPDC is a client of Link Infinity and LARUS Cloud Service Limited in Hong Kong, who in turn are clients of Cloud Innovation.
Cloud Innovation owns the actual IP address block, 220.127.116.11/24, which was issued to it by AFRINIC. It delegated the block to LARUS, which delegated it to IPDC, which delegated it to their client.
Another issue discovered with the 18.104.22.168/24 block was that an old Internet Routing Registry (IRR) object was still attached to it. This route object announced the MacroLan ASN as the designated ASN for the IP address block.
Cloud Innovation founder Lu Heng told MyBroadband that he believes the IRR object was the reason IPDC’s client instructed IPDC to announce the IP address block using the MacroLan ASN.
“We believe that they looked up the prefix in the IRR database and found some antiquated route objects specifying MacroLan’s ASN. [They then] erroneously applied the ASN in the stale route object instead of their own,” Heng said.
“However, we don’t really know exactly how or why they did it,” he stated.
“What we do know is that we didn’t want to try too hard to throw our customer (or their customers) under the bus publicly. (Generally not good for business), yet we wanted to make it clear that this occurred both without our knowledge and without our participation.”
Cloud Innovation controversy
To understand the scepticism in the African networking community regarding Cloud Innovation’s explanation, it is necessary to understand the controversy surrounding how Lu Heng acquired large chunks of African IP addresses.
AFRINIC awarded Cloud Innovation a massive portion of Internet resources. Many in the community argue that these IP addresses were intended for use by Africans, preferably within AFRINIC’s service region.
While Cloud Innovation is technically registered in the Seychelles, the majority of its operations appear to be in Asia.
Asked about the controversy, Heng said there were no restrictions on how and where AFRINIC-issued IP resources may be used until recently.
“That understanding [that AFRINIC resources should be used in Africa] was not part of AFRINIC policy until AFRINIC began issuing from its final /8 [16 million addresses],” Heng stated.
“Cloud Innovations does not have any AFRINIC address space from the final /8. While there is a widespread community perspective that this should be applied retroactively, no such policy has ever gained consensus in the AFRINIC community.”
Heng said the claim that Cloud Innovation acquired this space “while African ISPs struggled to get more than a /20 (4,096 addresses) or even a /22 (1,024 addresses)” simply isn’t valid.
“At the time Cloud Innovation acquired our space from AFRINIC, space was readily available to any provider with a justified need,” Heng said. “Those struggles began after the soft landing policy kicked in and Cloud Innovation has not received any space from AFRINIC since that time.”
Heng added that there is general consensus around the world that Regional Internet Registries like AFRINIC are for registration purpose only.
“Routing is generally considered out of the scope of RIR policies. While some similar regional restrictive policies were proposed in almost all regions, none of them get passed,” he said.
“Moreover, we do realize the African Internet is underdeveloped, and we are doing everything we can to help Africa. Through our [Larus] foundation and other efforts, we have been working for years to widen participation in the policy process, especially by students and those just beginning their careers, to donate to African schools that need computers, and through other educational outreach.”
IPDC apology accepted – SEACOM
SEACOM told MyBroadband that it accepts IPDC’s apology.
“SEACOM appreciates the fact that IPDC apologised and we hope that nothing like this will happen again in the future,” the company said.
Asked whether it accepts Cloud Innovation’s explanation of what happened, SEACOM said that it does not wish to enter into a public debate on the matter.
“Suffice to say that the Internet is only able to achieve its success through the coordinated cooperation of all operators who have a stake in its success,” SEACOM stated.
“Guidelines are published and clear, and it remains the responsibility of all stakeholders to ensure that they participate in a manner that will not bring it into disrepute by reckless or unethical behaviour.”
No technical solution to ASN misuse
SEACOM also explained that there isn’t really a technical solution to prevent unauthorised use of ASNs as has happened here.
“The Internet Engineering Task Force has some drafts in progress, but nothing close to being ratified for widespread use,” SEACOM said.
“Until then, members take it upon themselves to uphold the ethos of good ‘netizenship’ and common decency by calling out unacceptable behaviours, and through coordinated activity to ensure that the Internet remains a safe place to operate.”