Hi,
On Fri, 3 May 2019, David Farmer wrote:
Simply getting involved in hijacking is not what is proposed. And, by the way,
ARIN and the other RIRs already are involved, heard of RPKI, IRR, etc... You
can't say the problem is being ignored. Are these responses truly
effective? Maybe not. Do we need to do more? Probably. Is this the answer?
Maybe, but it really scares me.
This proposal wants ARIN and the other RIRs to penalize hijacking. To do this
someone has to judge the intent behind these events. From the other side of the
Internet, it is difficult with any certainty to tell the difference
between a typo and malicious activity in many of these events.
That's perfectly fine. If there is any shred of doubt then a report should
be dismissed.
Have you ever been on a jury in a murder trial? I have.
I haven't.
The difference between the various counts of murder and manslaughter
basically comes down to determining the intent involved in the actions
causing the death of another human being. If you are involved in the
death of someone and even if there is no culpable negligence or intent
on your part, such an event is important enough for society to
scrutinize your actions.
So, I have some questions back to you;
Have you ever mistyped an IP address or an ASN?
I think everyone involved with BGP at some point have done that.
Across the Internet, how many mistyped IP addresses and ASNs occur on a daily
basis?
Several, for sure.
But the spirit of this proposal is not about mistakes. Mistakes can be
explained. People doing hijacks for several years (hopping from prefix to
prefix) is a whole different story.
This proposal asks ARIN and the other RIRs to create a system to
This one only asks ARIN. :-)
There are proposals in RIPE and LACNIC that are very similar.
And there are plans for submitting in AFRINIC and APNIC.
scrutinize the actions of network operators and also impose penalties
for those actions. This is not something that should be taken lightly.
Yes, and it isn't.
It is possible anyone on this mailing list will have to have their
actions judged by this system. The proponents of this proposal want you
to think this proposal only affects hijackers. That is not the case,
this proposal affects anyone who operates a router.
Potentially, yes. Depending if a victim decides to file a report.
It puts anyone who operates a router in jeopardy of losing their
Internet resources, for possibly something as innocent as making a typo
in their router config.
I think that is ruled out just in the beginning of the proposal's text.
Do we really need and want to go there? I'm not saying no, but let's be
really sure. And we have to make sure we get the system right, because
any one of us may have to be judged by this system. When I look at this
proposal, I don't see enough due process or safeguards involved that I
feel comfortable subjecting myself to it.
Great. So let's improve those. We already had a lot of input in RIPE, that
allowed a much more second version -- it's currently waiting for an impact
analysis to be published.
To be honest, I see more of a lynch mob mentality then true justice in
this proposal.
"lynch mob" - 2 vs. "pandora's box" - 2.
:-)
That certainly isn't the case. If you think the process is not
"guarantistic" enough (meaning, go all the way to exclude false
positives) then let's improve it.
When evaluating this proposal, don't envision a hijacker being judged,
envision yourself being judged by this system, because you just might
be.
Yes, i've actually done that while writing parts of the text. I know that
everyone can make mistakes, and i've certainly done them. However,
unresponsiveness, hopping through dozens of blocks (you don't have
holdership over), doesn't really match with my org's profile, and i think
with most orgs in the world which run networks. :-)
Regards,
Carlos
Thanks
On Fri, May 3, 2019 at 9:05 AM Andrew Bagrin <[email protected]> wrote:
I'm curious why do people not want to let ARIN try to start getting
involved to help resolve the issue of hijacking?
Are you doing hijacking and don't want interference?
Are you running a competitive service that you charge for?
Does anyone believe there is a valid reason to hijack and advertise IP space
that you do not own? (when the owner of that space does not want you to
advertise it)
Why would anyone be against ARIN having a process to help resolve these issues?
Sure we can question how effective it will be, but anything will be more
effective than nothing, and by actually doing, failing and learning, ARIN
will only improve and refine the process. We will all learn from this.
On Thu, May 2, 2019 at 10:08 PM Marilson Mapa <[email protected]> wrote:
The president of ARIN describes his institution as an RIR with
appropriate and functional policies. This is what we can deduce from his speech
whenever he describes the performance of his institution. This same
attitude can be seen in RIPE.
"Violation can have consequence".
It seems that the expression "can have" should be understood as "almost never",
after all how to explain the rot that permeates the global Internet? The complaints, the lawsuits,
the fines are becoming more and more
frequent.
I have today received as a member of BPF Cybersecurity the document **UN 1st
Committee Processes on Responsible State Behaviour in Cyberspace explainer**.
This 25-page document, addressed to ICANN, reports what they call
disastrous behavior. It was drafted by Rubin International Law Firm and Notary
of Israel for a Jewish religious institution.
Basically they are demanding:
"We require ICANN to terminate immediately the activities fostering Internet
addiction, including the performance of relevant IANA functions, relevant gTLD
activities, relevant Registry Operators' activities, relevant
ICANN-accredited registrars' activities, including through RESP and amendments
of registry and registrar agreements and to refrain from renewing the .info
registry agreement with Afilias unless Afilias and its related
companies terminate immediately activities fostering Internet addiction and the
.info registry agreement is amended to prohibit Internet addiction activities."
It's just one of the thousands of complaints popping up around the globe. And
ARIN does not move a finger... It's out of the scope...
Marilson
Em qui, 2 de mai de 2019 às 17:01, John Curran <[email protected]> escreveu:
> On May 2, 2019, at 2:12 PM, Carlos Friaças via ARIN-PPML
<[email protected]> wrote:
> ...
> It seems evident that a RIR can't revoke legacy space. Ever.
Carlos -
In the case of ARIN that would be incorrect, as ARIN has revoked legacy
address space from parties that have violated registry policies.
ARIN registry policies are applicable to all parties in the registry -
those legacy holders under RSA do have specific terms and conditions (and a
reduced fee schedule), but ARIN registry policies are
applicable regardless and violation can have consequence.
Thanks!
/John
John Curran
President and CEO
American Registry for Internet Numbers
_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact [email protected] if you experience any issues.
_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact [email protected] if you experience any issues.
_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact [email protected] if you experience any issues.
--
===============================================
David Farmer Email:[email protected]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact [email protected] if you experience any issues.
