Re: [anti-abuse-wg] Seeking Input on the Future of the Anti-Abuse Working Group

2024-03-23 Thread Carlos Friaças via anti-abuse-wg


Hi everyone,

My 2 cents:

I'm clearly for option 1.

Cheers,
Carlos


On Thu, 21 Mar 2024, Alessandro Vesely wrote:


Hi chairs, all,

I think this is a great working group.  Periods of silence are physiological; 
for example, they may arise after a thorough discussion about a proposed 
point which is eventually found to be unfeasible.  The idea to force every 
abuse-c to actually receive email messages and act on them suits that 
example.


If there are security topics that the current charter doesn't cover, 
re-chartering is certainly a good idea.  The chairs are great, especially 
Brian, and I see no reason to select new ones.  Closing the working group 
would be a matter of regret and I hope it's not going to happen.



Best
Ale


On Thu 21/Mar/2024 10:09:00 +0100 Markus de Brün wrote:


Dear Anti-Abuse Working Group Members,


As Co-Chairs, we have been carefully monitoring the discussions on the 
mailing list and are concerned about the current state of stagnation and 
lack of progress.


After consideration and discussion among the Co-Chairs, we believe it is 
necessary to initiate a dialogue regarding the future direction of our 
working group. Some action is needed to revitalise our efforts.



The Co-Chairs have discussed a number of options, both between ourselves 
and with the RIPE Chair Team. However, due to the lack of general 
engagement, and the circular conversations on the list, we see three viable 
options at this point:

 1. Re-chartering the working group, possibly transitioning it into a
    Security Working Group to broaden our scope and address related concerns
    comprehensively. (The current charter can be found here:
    https://www.ripe.net/community/wg/active-wg/anti-abuse/)

 2. It is possible we are simply the wrong Co-Chairs at the wrong time, so
    we can step-down and allow the working group to select new Co-Chairs.

 3. Closing the working group if consensus cannot be reached on a viable
    path forward.


It may be that there are people in the Working Group who are eager to 
propose new policies, or embark on a project to systematically examine the 
abuse ecosystem, but over the last year or so, there has been no evidence 
this is the case.



However, we firmly believe that the best course of action is to engage all 
members of the Anti-Abuse Working Group in an open and transparent 
discussion about the challenges we face and the opportunities for positive 
change. Your input and perspectives are invaluable in shaping the future of 
our community.



Therefore, we are inviting you to participate actively in this crucial 
conversation. We encourage you to share your thoughts, suggestions, and 
concerns regarding the current state of the working group and your vision 
for its future direction.



Your input will help inform our next steps and guide the evolution of the 
Anti-Abuse Working Group. We encourage you to share your feedback openly on 
the mailing list so that all members can participate in the conversation. 
We hope to discuss the status at RIPE88.



Thank you for reading this far. We look forward to your active 
participation in shaping the future of the Anti-Abuse Working Group.



Best regards,

Brian, Tobias, Markus





--

To unsubscribe from this mailing list, get a password reminder, or change 
your subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg


Re: [anti-abuse-wg] Is the LoA DoA for Routing? - article at FIRST blog

2024-01-19 Thread Carlos Friaças via anti-abuse-wg

Greetings,

One can always go to the local authorities, then jurisdiction and how the local 
justice/court system works comes into play.

The RIRs have an authoritative view about who owns what, and they share it with 
everyone, so to me that's the simplest way.

Regards,
Carlos



On Friday, 19 January 2024 at 15:06, Tomás Leite de Castro via anti-abuse-wg wrote:


> Hello Carlos,
> 
> > Even if who signs it can't hold what they claim with the RIRs' trust anchors
> 
> 
> If you believe this is true, then you can forward a claim to the local 
> authorities as signing a Fake LOA is a criminal offense which could end in 
> imprisonment.
> 
> Best Regards,
> 
> 
> Tomás
> 




Re: [anti-abuse-wg] Is the LoA DoA for Routing? - article at FIRST blog

2024-01-19 Thread Carlos Friaças via anti-abuse-wg


Greetings,

On Friday, 19 January 2024 at 11:40, Richard Clayton wrote:

> A key point that the article misses is that yes, LOAs can (and have
> been) forged. 

Yes, that didn't reach the final version in an explicit way... :-)



> However forging them is a criminal act (in the US it will
> be charged under "wirefraud" statutes) -- and numerous of the criminal
> proceedings which have been undertaken for theft of IP resources have
> used the wirefraud statutes.

Luckily! :-)

 
> Yes, stealing a private key (or guessing a password to it) and then
> creating cryptographic signed objects is also likely to be criminal but
> it may be somewhat harder for courts to understand (and for the matter
> for prosecutors to identify suitable caselaw that makes the current case
> somewhat more open and shut).

I completely agree. And there is a fairly recent & notorious case...

 
> [[ Also, I have been told that some forgeries are laughably inept,
> whereas laughably weak passwords are a little harder to spot ]]

Nonetheless, the key idea is that we should be turning to "cryptographic 
trust", instead of papers (forged or not).


Best Regards,
Carlos


 
> --
> richard Richard Clayton
> 
> Those who would give up essential Liberty, to purchase a little temporary
> Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


Re: [anti-abuse-wg] Bulletproof servers causing mischief on the internet

2024-01-19 Thread Carlos Friaças via anti-abuse-wg



On Fri, 19 Jan 2024, Gert Doering wrote:


So there is LIR contact data in the RIPE DB which is not properly validated
- and that should certainly be brought to the NCC's attention, and fixed.


I agree.
But who wants to spend effort on that? :-)



This is still far from Suresh' usual claim "the NCC is complicit to all
the IPv4 gangsters out there, doesn't validate anything, and the DB is
full of fake data".  Which is being repeated frequently, to the point
of being outright detrimental because it just annoys, without spurring
anyone into corrective action.


The NCC has its due diligence process.

It's not bulletproof, of course, and if there is intention and enough 
detail/care from the parties that want bogus contact data in the DB, it 
is an extremely hard job to spot the bad data. But if i'm not mistaken, 
that still happens sometimes and results in LIR closures.


Cheers,
Carlos





Gert Doering
   -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279





Re: [anti-abuse-wg] Bulletproof servers causing mischief on the internet

2024-01-19 Thread Carlos Friaças via anti-abuse-wg



Greetings,

Maybe we need a bulletproof hosting directory on the web? :-))

From what i've learned, illegal content depends on jurisdiction, and 
effectively that's what greatly impacts the possibility of takedowns.

I've also seen what you mention about advertising services as 
'bulletproof', but i've already seen some of those companies remove that 
kind of advertising (in this case, web archives are your friend!)


The RIPE NCC, afaik, doesn't act on illegal content, because it lacks any 
mandate for that.


In the same way criminals are able to use phones, they are allowed to 
use IP addresses. The downside with the IP addresses is they can in 
practice build/manage (informal?) network operators, which provide them 
with a lot more flexibility. But that's the model we have had for 
decades...


I totally agree with the ICANN comparison, but it wouldn't be only RIPE 
NCC, for effectiveness you would have to have all the five RIRs on the same 
page.


But i'm afraid "the community" -- which also includes the 'bulletproofers' 
-- will not issue any mandate to the RIPE NCC to do something. Instead, 
at some point, we will see more regulatory stuff kicking in.



Best Regards,
Carlos



On Wed, 17 Jan 2024, OSINTGuardian wrote:


hi,

There are more and more bulletproof hosting in the world every month and they 
are causing more and more chaos, feeding the dark web by
providing servers to criminals of all kinds who use the servers on .onion 
websites in Tor and flooding the clear web with illegal
content.

There is a bulletproof hosting market that is even openly promoted, it is as 
easy to find companies that provide bulletproof servers as
searching on Google, hacker forums or simple internet websites that provide 
lists of bulletproof hosting companies.

The business model of these companies is to ignore reports of abuse of illegal 
content, to look the other way when someone uploads
illegal content. This is openly their business model, what does RIPE NCC do 
about this?

RIPE NCC provides IP addresses to many of these companies with bulletproof 
servers that are then used by criminals on the Internet,
strengthening organized crime. 

ICANN publicly has an abuse reporting form, where users can report if a company 
provides bulletproof domains or ignores abuse reports.
If RIPE NCC did this same thing, the internet would become a better place.

If RIPE NCC did this and also other IP address accreditors, they would greatly 
affect criminals on the Internet and therefore the
Internet would become a slightly safer place than it is today. Bulletproof 
server companies would be afraid of being caught by RIPE NCC
committing these violations. Unfortunately, these companies currently feel 
enough freedom to do this, that they even show themselves
publicly.

Is RIPE NCC planning to do anything against this?

- Claudia Lopez
OSINTGuardian



Re: [anti-abuse-wg] Is the LoA DoA for Routing? - article at FIRST blog

2024-01-19 Thread Carlos Friaças via anti-abuse-wg


On Friday, 19 January 2024 at 08:36, Gert Doering  wrote:

> 
> It's a good writeup to enlighten the unenlightened, but hardly a "novel
> approach" ("introduces the idea...") - this is how we've run our network
> for the last 20 years, or so. IRR filters based on RIPE route: objects,
> and later on ROA info.
> 
> Paper never played any role in authorizing route announcements here (not
> even fax).

Hi,

Great for you and the networks you manage, unfortunately (in the ~75k 
networks/autonomous systems) there are still people around the world that accept 
and rely on simple signed papers by someone. Even if who signs it can't hold 
what they claim with the RIRs' trust anchors... ;-) 

ps: unfortunately i have not enabled IPv6 on something today (did my part long 
ago...), but last week i still received a LoA :-) so yes, some people are still 
pushing papers.

Cheers,
Carlos

 
> Gert Doering
> -- NetMaster
> --
> have you enabled IPv6 on something today...?
> 
> SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
> Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279



Re: [anti-abuse-wg] Bulletproof servers causing mischief on the internet

2024-01-19 Thread Carlos Friaças via anti-abuse-wg




On Thu, 18 Jan 2024, Gert Doering wrote:


Hi,

On Thu, Jan 18, 2024 at 04:04:03AM +, Suresh Ramasubramanian wrote:

If the database is filled with nonsensical information that anyone can hand in 
and get themselves a large netblock there isn't much point to the entire 
exercise.


This claim has, as usual, no basis.


Hi Gert, All,

Allow me to disagree.

Please check this WG's minutes at RIPE77 (October 2018):
https://www.ripe.net/community/wg/active-wg/anti-abuse/minutes/ripe-77/

I briefly presented about "LIRs from Outside the RIPE NCC Service Region".

If my mind doesn't fail me, at the time most of the "nonsensical 
information" was related to locations outside the RIPE NCC Service Region.



Cheers,
Carlos




Gert Doering
   -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279





[anti-abuse-wg] Is the LoA DoA for Routing? - article at FIRST blog

2024-01-19 Thread Carlos Friaças via anti-abuse-wg
FYI

https://www.first.org/blog/20231222-Is-the-LoA-DoA-for-Routing

This article introduces the idea that instead of using LoAs for routing 
purposes, people should instead rely on ROAs and ROV.

Best Regards,
Carlos
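
The check that replaces trusting a signed paper, as an added example (not code from the FIRST article or from any poster in this thread): route origin validation of a claimed prefix and origin AS against validated ROA payloads, following the RFC 6811 states. The ROA entries are constructed, use documentation prefixes and private-use AS numbers, and are assumed to have already been validated against the RIRs' trust anchors by a relying-party validator; `unsupported_claims` is a hypothetical helper name.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: prefix, maxLength and authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data (documentation prefixes, private-use ASNs).
VRPS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64501),
    ROA("203.0.113.0/24", 24, 0),      # AS0 ROA: the holder says "do not route"
]


def validate(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for an announcement.

    valid     : some ROA covers the prefix, the prefix length does not exceed
                that ROA's maxLength, and the origin AS matches.
    invalid   : at least one ROA covers the prefix but none matches.
    not-found : no ROA covers the prefix at all.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in vrps:
        net = ipaddress.ip_network(roa.prefix)
        if net.version != route.version:
            continue
        if not route.subnet_of(net):
            continue
        covered = True
        # An AS0 ROA can never make a route valid.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def unsupported_claims(claims, vrps=VRPS):
    """Given (prefix, origin_asn) pairs as they might appear on a LoA,
    return the ones that the ROA data does not confirm, with their state."""
    result = []
    for prefix, asn in claims:
        state = validate(prefix, asn, vrps)
        if state != "valid":
            result.append((prefix, asn, state))
    return result


if __name__ == "__main__":
    # Constructed claims: one confirmed, one wrong origin, one too specific,
    # one with no ROA at all.
    claims = [
        ("192.0.2.0/24", 64500),
        ("192.0.2.0/24", 64511),
        ("192.0.2.0/25", 64500),
        ("198.51.100.0/24", 64500),
    ]
    for prefix, asn in claims:
        print(prefix, f"AS{asn}", validate(prefix, asn))
```

A `not-found` result means the holder has published no ROA for that space, so the claim is neither confirmed nor contradicted by RPKI data.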



Re: [anti-abuse-wg] postal address in IRT objects

2022-07-23 Thread Carlos Friaças via anti-abuse-wg


Hello,

I see it as useful.

Not all CSIRTs are "purely virtual teams". 
We do have headquarters and hence a postal address.

I would say the majority of established CSIRTs has a postal address.

I don't have a strong opinion if the postal address should be mandatory or 
optional, though.


A letter (sent by post) might reach different people that might then call 
the attention of other folks that didn't read or reply to an e-mail 
message...


Cheers,
Carlos



On Fri, 22 Jul 2022, Alexander Talos-Zens wrote:


Hej,



usefulness (or not) of a mandatory  postal address in the IRT object.


If I can't reach someone by electronic media, I doubt I'd get better
response to snail mail. Furthermore, purely virtual teams might not
have a true physical location at all.

Cheers,

Alexander Talos-Zens

--
Alexander Talos-Zens
IT-Security - ACOnet-CERT
Zentraler Informatikdienst
https://zid.univie.ac.at


Universität Wien
Universitätsstraße 7
1010 Wien
T +43-1-4277-14351
a...@univie.ac.at
GPG-Key-Id: 0x757A494B




Re: [anti-abuse-wg] Proposal 2022-01

2022-06-23 Thread Carlos Friaças via anti-abuse-wg




Hi, please see inline.


On Thu, 23 Jun 2022, Ronald F. Guilmette wrote:


Just curious... How many of you folks have actually read sections 4.0, 5.0,
and 6.0 of this pending proposal from the Database Working Group?


Read it just now. :-)



https://www.ripe.net/participate/policies/proposals/2022-01

I suspect that many of you are going to want to read those sections before
you have your memberships revoked for non-compliance.


I can't read any details about membership revocation. Also i don't see it 
as implicit.


The three sections make perfect sense to me. In section 6.0, if i 
understood correctly this won't apply to legacy resources which are still 
out of any contractual relationship -- which also seems fine.



Regards,
Carlos



Regards,
rfg



Re: [anti-abuse-wg] Unanimity

2022-06-21 Thread Carlos Friaças via anti-abuse-wg




Hi,


"is this verified some time after the resources are allocated?"

This is something i would like to know.


My point was that unanimity is extremely difficult, and the universe for 
that unanimity with RIPE/RIPE NCC members is extremely huge.



Carlos



On Mon, 20 Jun 2022, Ronald F. Guilmette wrote:


In message , Carlos Friaças wrote:


The RIPE NCC Service Region spans over 70+ economies.

In fact it spans over the whole planet when someone from outside the
service region details some plans to use IP addresses mostly within the
service region -- is this verified some time after the resources are
allocated?


I'm sorry Carlos, but I am not understanding either your question or its
relevance to what I recently posted (which you quoted).

Can you elaborate please?


Regards,
rfg



Re: [anti-abuse-wg] Unanimity

2022-06-20 Thread Carlos Friaças via anti-abuse-wg



Hi,

The RIPE NCC Service Region spans over 70+ economies.

In fact it spans over the whole planet when someone from outside the 
service region details some plans to use IP addresses mostly within the 
service region -- is this verified some time after the resources are 
allocated?


So perhaps the first hurdle to change anything is understanding that
RIPE/RIPE NCC <> EU, despite the fact the RIPE NCC must abide by the laws 
of ONE of EU's member countries.


Regards,
Carlos



On Sun, 19 Jun 2022, Ronald F. Guilmette wrote:


Just a brief point.  I previously noted here that RIPE's rules requiring
unanimity or near unanimity in order to declare "consensus" with respect
to any given proposal has recently been recognized, by some EU politicians
at least, as being a material impediment to forward movement on various
issues.

I only just noted that this growing sentiment has now apparently extended
even to the Chancellor of Germany:

https://twitter.com/EuromaidanPress/status/1538637496124317704

My hope, of course, is that RIPE and its various WGs are taking notes.


Regards,
rfg



Re: [anti-abuse-wg] Adding a "Security Information" contact?

2022-06-11 Thread Carlos Friaças via anti-abuse-wg


Hi,
(CSIRT hat on)

I don't really agree with the vision where the taxonomy needs to be 
overloaded into object fields.


I always perceived the abuse-c field already as the security-c.
People interested in processing security/abuse issues will take messages 
received on the abuse-mailbox: seriously.


Moreover, there are also irt objects.

Regards,
Carlos



On Tue, 7 Jun 2022, Ángel González Berdasco via anti-abuse-wg wrote:


On Tue, 07-06-2022 at 13:14 +0200, Gert Doering wrote:

Hi,

On Tue, Jun 07, 2022 at 11:02:19AM +, Ángel González Berdasco via
anti-abuse-wg wrote:

I don't think the problem would be to add a new attribute if needed.

The problem would be to *define* what should go there (and then get
everyone downstream to use that new attribute)


This...  so, what would you suggest?

Gert Doering
-- NetMaster
--


I would use the Reference Security Incident Taxonomy (RSIT) as
the classification source, which is the taxonomy used by (most of) the
CSIRT community. See [1]

So the PTY-MAXGROBECKER network could have:

abuse-c: GROBECKER-ABUSE

and the GROBECKER-ABUSE object:
abuse-mailbox: gene...@abuse.grobecker.info
abuse-mailbox-vulnerable: vulnerability-repo...@abuse.grobecker.info
abuse-mailbox-fraud: fraudabu...@abuse.grobecker.info

where 'vulnerable', 'fraud', etc. are the machine readable tags defined
in the RSIT for the values in the classification column.

Thus, when CERT BUND wanted to report an unpatched Confluence, they
would have an incident of type: "Vulnerable ? Vulnerable System", find
that there is a 'abuse-mailbox-vulnerable' attribute and report it
there.

Whereas if it was a phishing landing page (incident of type Fraud ?
Phishing), that would go to fraudabu...@abuse.grobecker.info (from
'abuse-mailbox-fraud')

But if it was a host sending out spam, (incident classification Abusive
Content ? Spam), having no "abuse-mailbox-abusive-content", it would
fall back to abuse-mailbox and direct it to
gene...@abuse.grobecker.info.



Does something like this seem sensible to others?


Best regards



[1] https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/blob/master/working_copy/humanv1.md

--
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/

PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys



INCIBE-CERT is the Spanish National CSIRT designated for citizens,
private law entities, other entities not included in the subjective
scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
Jurídico del Sector Público", as well as digital service providers,
operators of essential services and critical operators under the terms
of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de
las redes y sistemas de información" that transposes the Directive (EU)
2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and
information systems across the Union.



In compliance with the General Data Protection Regulation of the EU
(Regulation EU 2016/679, of 27 April 2016) we inform you that your
personal and corporate data (as well as those included in attached
documents); and e-mail address, may be included in our records
for the purpose derived from legal, contractual or pre-contractual
obligations or in order to respond to your queries. You may exercise
your rights of access, correction, cancellation, portability,
limitation of processing and opposition under the terms established by
current legislation and free of charge by sending an e-mail to
d...@incibe.es. The Data Controller is S.M.E. Instituto Nacional de
Ciberseguridad de España, M.P., S.A. More information is available
on our website: https://www.incibe.es/proteccion-datos-personales
and https://www.incibe.es/registro-actividad.
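
The lookup with fallback proposed in the quoted message, as an added example (not part of the thread and not RIPE Database code): a reporter reads the role object, looks for `abuse-mailbox-<tag>` matching the incident's RSIT classification, and falls back to `abuse-mailbox`. The `abuse-mailbox-<tag>` attributes exist only in that proposal; the sample object and its example.net addresses are constructed, and deriving the tag by lowercasing the classification and hyphenating spaces is an assumption based on the tags shown in the message.

```python
import re

ATTR_LINE = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*)$")
TAG = re.compile(r"^[a-z]+(?:-[a-z]+)*$")
# Conservative address check: no whitespace or separators that could smuggle
# extra recipients or headers into the report being sent.
ADDRESS = re.compile(r"^[^@\s<>,;]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PREFIX = "abuse-mailbox"

# Constructed sample object (placeholder addresses, not those in the thread).
SAMPLE_ROLE = """\
role:            Grobecker Abuse Desk
nic-hdl:         GROBECKER-ABUSE
abuse-mailbox:   general@abuse.example.net
abuse-mailbox-vulnerable: vuln-reports@abuse.example.net
abuse-mailbox-fraud:      fraud@abuse.example.net
remarks:         abuse-mailbox-spam: not-an-attribute@abuse.example.net
"""


def parse_object(text):
    """Parse RPSL-style 'attribute: value' lines into (name, value) pairs."""
    attrs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", "%")):
            continue
        if line[0] in " \t+" and attrs:
            # Continuation of the previous attribute's value.
            key, value = attrs[-1]
            attrs[-1] = (key, (value + " " + line[1:].strip()).strip())
            continue
        m = ATTR_LINE.match(line)
        if m:
            value = m.group(2).split("#", 1)[0].strip()   # drop end-of-line comment
            attrs.append((m.group(1).lower(), value))
    return attrs


def mailbox_table(attrs):
    """Map tag -> address; the generic abuse-mailbox is stored under ''."""
    table = {}
    for key, value in attrs:
        if key == PREFIX:
            tag = ""
        elif key.startswith(PREFIX + "-") and TAG.match(key[len(PREFIX) + 1:]):
            tag = key[len(PREFIX) + 1:]
        else:
            continue                     # e.g. text inside a remarks: line
        if ADDRESS.match(value):
            table.setdefault(tag, value)  # first occurrence wins
    return table


def classification_tag(classification):
    """'Abusive Content' -> 'abusive-content' (assumed normalisation)."""
    return re.sub(r"[^a-z]+", "-", classification.lower()).strip("-")


def select_mailbox(object_text, classification):
    """Return (address, attribute used), or None if nothing usable is present."""
    table = mailbox_table(parse_object(object_text))
    tag = classification_tag(classification)
    if tag and tag in table:
        return table[tag], f"{PREFIX}-{tag}"
    if "" in table:
        return table[""], PREFIX
    return None


if __name__ == "__main__":
    for cls in ("Vulnerable", "Fraud", "Abusive Content"):
        print(cls, "->", select_mailbox(SAMPLE_ROLE, cls))
```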





Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-05 Thread Carlos Friaças via anti-abuse-wg


On Sun, 5 Jun 2022, Suresh Ramasubramanian wrote:


Good points here. There are no shortage of bad actors who will be happy to 
register a netblock as a private individual if this means their data is 
obfuscated (and in whois, even forged / fake data is quite useful as part of a
consistent pattern). 

There have even been bogus LIRs - it used to be quite easy to set up an LLC and 
get a couple of /14s with an exclusive clientele of snowshoe operators, for 
example.
--srs


Brian, Markus, Tobias,

Why not invite Suresh to do a presentation about this last sentence at 
some RIPE meeting in the near future?


I would be very curious about this :-)

Regards,
Carlos





_
From: anti-abuse-wg  on behalf of Carlos Friaças via 
anti-abuse-wg 
Sent: Sunday, June 5, 2022 3:23:01 PM
To: denis walker 
Cc: anti-abuse-wg 
Subject: Re: [anti-abuse-wg] personal data in the RIPE Database  

Hi Denis, All,

(Please see inline, CSIRT hat=ON)


On Sun, 5 Jun 2022, denis walker wrote:

(...)
>> However, besides wanting to contact someone, there is a legitimate need to identify bad actors and shun them with
>> whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, whatever). I do not want to communicate with
>> them, just as I don't want to discuss with burglars about their actions!
>
> This is starting to explain reasons why we need to identify resource
> holders, even natural persons.

Exactly!

When we are talking about companies, GDPR doesn't even apply.

When we are talking about natural persons GDPR applies, but there is
**purpose** and a minimal set of information **needs** to be available.



>> So, a mere contact database (which could contain fully anonymized forwarding addresses through a "privacy provider",
>> like it's nowadays common for whois entries) would work for the purpose of contacting someone, but it does not work for
>> identifying who can be held accountable for abuse emitted from a network range.
>
> I think there is general agreement that as long as a contact is
> contactable there is no need to identify the natural persons operating
> in that role.

No. No. No.
That is the general agreement for those who prefer to ignore
network abuse, or for those who have business models based in abusing
other people's networks.



> Accountability, and any subsequent enforcement action, needs an
> identity. This is the key element of why resource holders, even
> natural persons, need to be identifiable. Further questions still need
> to be answered like to what degree should they be identifiable, by
> what means and to who?

Authorities, at least.



>> For resources allocated to legal entities (companies, organizations, etc.) an identification of the organization should
>> be mandatory. This does not need to include personal data on employees that happen to be responsible for network or
>> abuse issues, I'm fine with role accounts here. So in this case, no objection to eliminate personal data (which often
>> becomes stale anyway after some years).
>
> Again I think there is general agreement that for resource holders
> that are NOT natural persons the name, address and legal country must
> be included in the public data.

Yes. But...

Please explain how the legal country of a natural person may help anyone
determine accurately how to identify a single natural person. Because i
don't see how. Even for micro-countries/economies.

Simply by having the accurate (and verified by the RIPE NCC) legal country
would be a big help in determining **which** is the legal jurisdiction the
offender is on.



>> However, resources allocated to private persons are a bit different. I suppose very few private persons hold a /24
>> network range, and if they do, they probably fall squarely in the area of operating a business or other publicly visible
>> enterprise under their personal name, and in many jurisdictions they are required to do so with identifying information.
>> For example, in Germany you can't even have a web page without an imprint containing the names of people responsible for
>> the content if you address the general public, and if you do business of any kind and you're not a corporation, you must
>> do so under your name.
>
> There are far more natural persons holding resources than you think.

Yes, i know.


> Looking at the membership list on the RIPE NCC's website, all the
> members are listed and you can see the natural persons. It has been
> argued that even if a natural person's details are listed on some
> other public business register, that alone is not a reason to publi

Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-05 Thread Carlos Friaças via anti-abuse-wg




Hi,
(please see inline)


On Thu, 2 Jun 2022, Michele Neylon - Blacknight via anti-abuse-wg wrote:


Jeroen

RIPE policy is not decided by a vote or astro-turfing.



Exactly, new policies can in fact be blocked by 2 or 3 individuals. Even 
with bogus arguments.


And there is a certain group of people that always ensures that, if the 
status quo is somehow at stake.


The astro-turfing argument is the most bogus argument i've seen over the 
years in these lists.


The policy process is expected/defined to be inclusive, but when someone 
talks about some possible changes in other communities, and new people do 
really come to this community to voice their opinion, then those 
newcomers that support policy changes are labelled as "astro-turfers", 
just because they don't share the views of the dominant "policy-making" 
group.





Also what you are proposing is over simplistic and would be impossible to 
operationalise without bankrupting the NCC.


That script is getting older and older.

After the astro-turfing bit, then it comes the NCC's "armageddon" 
argument... Boring.



Cheers,
Carlos




What is "abusive traffic"?

Who decides what is or is not "abusive"?

Who is going to enforce this?

How?

Bear in mind that RIPE does not have the power to fine a member, so that would 
have to change. And I can't imagine RIPE's Board or management would want to be 
put in that position. I know that most of the members wouldn't want RIPE to 
have that kind of power.

Now if you want to run your own network and impose those kind of sanctions on 
your own users you are free to do so.

Also if you want to effect change then you should do research into why things 
are the way they are now and who you are dealing with and where they are coming 
from.

Regards

Michele







Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-05 Thread Carlos Friaças via anti-abuse-wg


Hi Denis, All,

(Please see inline, CSIRT hat=ON)


On Sun, 5 Jun 2022, denis walker wrote:

(...)

However, besides wanting to contact someone, there is a legitimate need to 
identify bad actors and shun them with
whatever means at your disposal (SpamAssassin rules, IP blocks, nullroutes, 
whatever). I do not want to communicate with
them, just as I don't want to discuss with burglars about their actions!


This is starting to explain reasons why we need to identify resource
holders, even natural persons.


Exactly!

When we are talking about companies, GDPR doesn't even apply.

When we are talking about natural persons GDPR applies, but there is 
**purpose** and a minimal set of information **needs** to be available.





So, a mere contact database (which could contain fully anonymized forwarding addresses 
through a "privacy provider",
like it's nowadays common for whois entries) would work for the purpose of 
contacting someone, but it does not work for
identifying who can be held accountable for abuse emitted from a network range.


I think there is general agreement that as long as a contact is
contactable there is no need to identify the natural persons operating
in that role.


No. No. No.
That is the general agreement for those who prefer to ignore 
network abuse, or for those who have business models based in abusing 
other people's networks.





Accountability, and any subsequent enforcement action, needs an
identity. This is the key element of why resource holders, even
natural persons, need to be identifiable. Further questions still need
to be answered like to what degree should they be identifiable, by
what means and to who?


Authorities, at least.




For resources allocated to legal entities (companies, organizations, etc.) an 
identification of the organization should
be mandatory. This does not need to include personal data on employees that 
happen to be responsible for network or
abuse issues, I'm fine with role accounts here. So in this case, no objection 
to eliminate personal data (which often
becomes stale anyway after some years).


Again I think there is general agreement that for resource holders
that are NOT natural persons the name, address and legal country must
be included in the public data.


Yes. But...

Please explain how the legal country of a natural person may help anyone 
determine accurately how to identify a single natural person. Because i 
don't see how. Even for micro-countries/economies.


Simply by having the accurate (and verified by the RIPE NCC) legal country 
would be a big help in determining **which** is the legal jurisdiction the 
offender is on.





However, resources allocated to private persons are a bit different. I suppose 
very few private persons hold a /24
network range, and if they do, they probably fall squarely in the area of 
operating a business or other publicly visible
enterprise under their personal name, and in many jurisdictions they are 
required to do so with identifying information.
For example, in Germany you can't even have a web page without an imprint 
containing the names of people responsible for
the content if you address the general public, and if you do business of any 
kind and you're not a corporation, you must
do so under your name.


There are far more natural persons holding resources than you think.


Yes, i know.



Looking at the membership list on the RIPE NCC's website, all the
members are listed and you can see the natural persons. It has been
argued that even if a natural person's details are listed on some
other public business register, that alone is not a reason to publish
those details in the RIPE Database.


Again, there is **purpose**.



So what personally identifiable info should we publish about a natural
person holding resources and what should we do with the rest of the
currently available public info? Would it be reasonable to publish the
name but not publish the (full) address publicly?


The full (verified by the RIPE NCC) address -- at least for LIRs -- would 
probably be more useful while determining legal jurisdiction, which is 
imho, the number 1 issue.




Now I looked back at a presentation made by EUROPOL at RIPE 73
https://ripe73.ripe.net/archives/video/1501/

They were very clear that the address of resource holders is also very
important to LEAs in their investigations. So I am going to make a
controversial suggestion here. Currently we have two categories of
registry data, Private and Public. The Public data is available to
LEAs and their use of it is covered by agreed purposes of the RIPE
Database defined in the Terms & Conditions. For Private data they need
to get a court order, which is an expensive and time consuming
process. Suppose we add a middle category Restricted data. This could
be data like the address of natural persons who hold resources. Data
that is now public but we are proposing to take out of the public
domain. We could allow LEAs (and maybe other recognised 

Re: [anti-abuse-wg] personal data in the RIPE Database

2022-06-04 Thread Carlos Friaças via anti-abuse-wg



Hi Ronald, All,

On Sat, 4 Jun 2022, Ronald F. Guilmette wrote:

(...)


Of course this is just the EU/AML part.  For now I won't even go into
the story of the time law enforcement officers showed up at RIPE
headquarters in 2009 and started asking questions in connection with a
money laundering investigation they were working on... which apparently
involved RIPE itself.


Never heard anything about it.

Any online references?

Regards,
Carlos





Re: [anti-abuse-wg] Question about spam to abuse inbox

2021-02-21 Thread Carlos Friaças via anti-abuse-wg



Hi,

There seems to be at least one rule common to everyone: if you want to run 
a network with an independent routing policy you'll need to use BGP.


Unfortunately it seems dealing with abuse emerging from the networks one 
runs is not a common, basic, rule for everyone.


Also, network admins should stick to run networks, and not try to handle 
abuse by themselves. But a lot of networks don't have anyone to do that 
(or have a business model in which all abuse reports are discarded by 
default), hence the chaos.


Regards,
Carlos


On Sun, 21 Feb 2021, Randy Bush wrote:


there is a fair bit of spectrum between the internet of cooperating
competitors running their networks as prudently as they can afford
and an internet desired by some where everything is done uniformly
by rigid written rules.

what i find interesting is that a number of the folk here who
loudly espouse the latter don't actually run networks.

randy







Re: [anti-abuse-wg] Report & Co-Chair's Decision on Proposal 2019-04

2020-09-08 Thread Carlos Friaças via anti-abuse-wg



On Tue, 8 Sep 2020, Alex de Joode wrote:


There are a couple of things in play here.
Networks normally fall under the "mere conduit" provisions of the eCommerce 
Directive (ECD (EU law)), this
means they do not have a (legal) requirement to actively address abuse within 
their networks. They need to
forward the abuse to their customer, but basically that is it.


Before that, a webform may be in the way :-)

If the regulator understands that artificial 'requirement' to be a way of 
avoiding that action of forwarding the abuse, then they might act. Or not.





The upcoming DSA (Digital Services Act, which
will supersede the ECD) (as it stands now) will retain this provision for 
networks. So the chance of regulation
(within the EU area) for networks with respect to 'abuse handling' is very low.


Unless there are some additional provisions...




The proposal was flawed, no clear identifiable upside (except for a feel good 
factor) and a lot extra work for
no real gain.

If you want to fight the prevalence of internet abuse, ripe policy might not be 
your best avenue.


Clearly. But this comment is directly tied with the earlier suggestion of 
renaming the WG...



Regards,
Carlos





Cheers,
Alex

-- IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode

On Tue, 08-09-2020 13h 33min, Suresh Ramasubramanian  
wrote:
Probably through regulation as you say. If ripe doesn't want to be the Internet 
police they'll suddenly find
that there actually is such a thing created and with oversight over them, 
sooner or later. Nobody is
going to like the result if that happens, neither the government nor ripe nor 
its membership.

--srs

__
From: anti-abuse-wg  on behalf of Carlos 
Friaças via anti-abuse-wg

Sent: Tuesday, September 8, 2020 4:44:26 PM
To: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Report & Co-Chair's Decision on Proposal 2019-04  

Hi,

I would like to second Piotr's comment. Thank you for your hard work, and
for not quitting over anti-abuse.

As i read it consensus was not reached, and it's hard to dispute the
objections are not valid/admissible:

"
1) Nick Hilliard and Erik Bais commented that the effort and cost to
implement this proposal are too great in relation to the benefits that
are alleged.

2) Michele Neylon and Arash Naderpour commented that they oppose forcing
operators to use only email for
handling abuse reports and internal handling procedures should be solely
defined by the operator.
"

I just want to note that:
A) it's very hard to measure the benefits. some parties would see bigger
benefits than others.
B) converging abuse reports to email usage is a rule that is inexistent
*today*. people which are not worried about abuse, will likely want to
keep it that way... as a webform is an effective way of discouraging
reports.


At some point, people which discard abuse reports (or people which
simulate handling abuse reports) will not be able to run networks.
We're far from it, but if it gets to that point that will not be reached
through consensus, but probably through regulation.


Regards,
Carlos




On Mon, 7 Sep 2020, Piotr Strzyzewski via anti-abuse-wg wrote:

> On Mon, Sep 07, 2020 at 03:19:27PM +, Brian Nisbet wrote:
>
> Brian, Alireza, Tobias,
>
>> A few weeks ago we reached the end of the latest review phase for 2019-04.
>> The Co-Chairs have worked closely with the NCC Policy Development Office
>> since then to try to make a decision on this policy. This email contains a
>> report on the Discussion Phase and Review Phase and then a final decision
>> which, we believe, is supported by the activity during those phases.
>>
>> As always, this is underpinned by the RIPE PDP -
>> https://www.ripe.net/publications/docs/ripe-710
>
> [cut]
>
>> With all of this in mind, and with the continued failure of any kind of
>> consensus from the working group, the Co-Chairs have decided to withdraw
>> this proposal. As always we would welcome proposals on this and other
>> matters, however we do not feel that there is any likelihood of 2019-04,
>> regardless of possible edits, reaching consensus in the short or medium term.
>
> Thank you for all your hard work here. It was not an easy task to
> fulfill. With this in mind, it is even more important that you have made
> this report. Thank you.
>
> Stay safe,
> Piotr
>
> --
> Piotr Strzyżewski
>




Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-05-11 Thread Carlos Friaças via anti-abuse-wg



Hi,

On Mon, 11 May 2020, Suresh Ramasubramanian wrote:



Precisely.  But I wonder whether it is a greater problem to be packeted by a 
bot with C2 in IP space that would have been better off not being allocated, 
rather than being spammed
or phished from there.  And how much greater or lesser any or all of those 
compared to the inconvenience routing and networking people face from having 
resources taken away for
originating such traffic.


Spam and phishing happen above layer3, however, significantly reducing 
spam and phishing (and other malicious bits) would also reduce packets to 
be pushed around...


I can understand that for some people 90Gbps is (commercially) better 
than 9Gbps, even if 81Gbps of it are just plain crap...


Oh, and one man's crap can be another man's gold. Especially if the first 
is in the receiving end and the latter in a sender position. :-)


Regards,
Carlos

Re: [anti-abuse-wg] About "consensus" and "voting"...

2020-05-09 Thread Carlos Friaças via anti-abuse-wg




Hi everyone,


On Sat, 9 May 2020, Sander Steffann wrote:


Hi Randy,


Otherwise we change the way the working Groups works it will remain
unchanged for ever. I agree that we must get a way to vote or another
democratic way to get decisions.



(...)


for a large segment of the community, and that which was pretty much
the original population, there is an underlying physics and shared
experience of moving packets, routing, circuits, bgp, ixen, ... that
gives us a common experience and understanding.


I must note, however, that security is embedded inside "..."

*sigh*

Carlos





Re: [anti-abuse-wg] About "consensus" and "voting"...

2020-05-09 Thread Carlos Friaças via anti-abuse-wg




Hi,


On Sat, 9 May 2020, Nick Hilliard wrote:


Suresh Ramasubramanian wrote on 09/05/2020 15:23:
Having one might at least lay this discussion to rest once and for all. 
I've seen variants of it for several years now.


But imagine if someone contacted a bunch of their colleagues and said: "look, 
there's this policy proposal going on in RIPE AAWG and it would be really 
great if you could just join up on the mailing list and add in a +1, thanks!"


Therein lies the problem - or at least one of the problems - with voting: 
it's wide open to manipulation.


Same goes for "it takes only 2 or 3 voices to break consensus".

Even if arguments are somewhat "creative"...



There is another way of looking at this stalemate though:  there's a policy 
development process and it produces outcomes.  The outcomes may not be what 
some individuals on the WG want, but they are clear outcomes all the same.


In the sense that you're concerned that there's stalemate regarding some of 
these proposals, there isn't according to the PDP: no consensus is a 
legitimate and clear outcome, and when there is no consensus, the policy does 
not proceed.


The *proposal* does not proceed... the policy can already be in place, but 
remains unchanged.




So the issue is more: why are newer versions of this policy proposal 
returning repeatedly, and are they dealing adequately with the things that 
are blocking consensus?


It may, for those trying to accommodate "creative" arguments.

For those which may be impacted by rules changing, certainly they won't 
see it as "adequate".




It's surprising to see a third iteration of this policy proposal - the first 
two versions didn't look like they were going anywhere.  But resubmitting new 
versions is an issue between the WG chairs and the proposer.


That's the PDP.
You can also try to change it, to prevent 3rd, 4th, 5th, 6th, 7th, and so 
on versions, but i suspect consensus might not be easy to achieve :-)



Regards,
Carlos



Nick





[anti-abuse-wg] About "consensus" and "voting"...

2020-05-09 Thread Carlos Friaças via anti-abuse-wg


Hi Suresh, Gert, All,

"member organizations represented by" -- this only happens at the RIPE NCC 
GM, twice a year.


The PDP doesn't happen at the RIPE NCC GM, afaik, whether we like it or 
not.


When polarisation is obvious, "consensus" is impossible and everything 
tends to remain as is...


Cheers,
Carlos


On Sat, 9 May 2020, Suresh Ramasubramanian wrote:



In a case where the community is polarised to this extent it would be better to 
break with procedure and call a vote for once.  With member organizations 
represented by their abuse team heads, rather than IP / routing people, so that
the organisation's stance on this is clear.

 

From: Gert Doering 
Date: Saturday, 9 May 2020 at 3:57 PM
To: Suresh Ramasubramanian 
Cc: Randy Bush , Nick Hilliard , 
anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of 
"abuse-mailbox")

Hi,

On Sat, May 09, 2020 at 01:12:32AM +, Suresh Ramasubramanian wrote:
> Has this even been put to a vote or is it the same group of extremely vocal
> RIPE regulars against it and the same group of extremely vocal security types for
> it?   Rough consensus has its limitations in such cases.

There is no voting.

It's either "there is sufficient support and counterarguments have been
adequately addressed" or "no consensus, rewrite or withdraw".

Gert Doering
    -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279




Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2020-04-29 Thread Carlos Friaças via anti-abuse-wg



Hi,

On Wed, 29 Apr 2020, Nick Hilliard wrote:


Serge Droz via anti-abuse-wg wrote on 29/04/2020 16:55:

So, it's the security guys, saying

   This may help a bit, but won't solve all problems.


+1 here.



versus the infrastructure operators saying

   Beware! This is creating huge costs and will not help at all, and
answering two mails a year will be our ruin.


The root problem is that the policy proposes to use the RIPE NCC to enforce 
abuse management processes.


The specifics in this iteration of the document are to threaten and then act 
to deregister an organisation's number resources - and thereby remove their 
ability to conduct business - if the organisation declines to handle abuse 
complaints over email.


If the "deregistration" could be placed outside of the picture (in a new 
version?), what's the next major hurdle then...?


I mean, if "deregistration" is not possible when validation fails 
(continuously), there might still be positive outcomes (transparency...), 
if the price tag on the RIPE NCC is not that big. I don't see an impact 
analysis yet, but if it's affordable for other RIRs, maybe it will be also 
for the RIPE NCC -- who knows?



To be clear, it's a fundamental right in large chunks of the RIPE service 
region to conduct business.  If the RIPE NCC acts to threaten to remove this 
ability to conduct business,


Very glad it's "business", not "abuse" :-))


Carlos


there would need to be sound legal justification 
for doing so.


Nick





Re: [anti-abuse-wg] AS24961 myLoc managed IT AG, uadns.com, ledl.net, and non-disclosing registries

2020-02-20 Thread Carlos Friaças via anti-abuse-wg




Hi Hans-Martin, All,



On Wed, 19 Feb 2020, Hans-Martin Mosner wrote:


AS24961 (RIPE NCC member myLoc managed IT AG) continues to host one persistent 
spam sender year after year. I have
complained to them a number of times, with no noticeable effect.

The sender is recognizable by characteristics of their domain names and local 
parts, and most importantly by their DNS
service, which is always uadns.com. Would be easy to deny them service if myLoc 
wanted to.

Domain registrations are most often done via Ledl.net GmbH (RIPE NCC member).


OK, so you started to expose some of the spammer's characteristics.



Registries DENIC eG (RIPE NCC member), EURid vzw (RIPE NCC member), nic.at GmbH 
(RIPE NCC member) willingly accept
registrations that have most likely fake data (which I can't check because 
these data are conveniently not disclosed,
although they very likely describe a commercial entity and not existing private 
persons and are therefore not subject to
GDPR protections.)


"most likely" will not get you anywhere.

I think you are completely right about the GDPR issue. While that wasn't 
the goal of GDPR some orgs actually use it as an excuse for company 
obscurity -- which seem to be acceptable for some or most of their service 
providers.




Excuse me while I vomit a little.


You are not alone.



I know that this working group is not responsible for handling individual cases 
of abuse,


Exactly, but should be responsible for finding ways to reduce abuse 
and/or its impact -- which is what is more or less written in the WG 
charter.



so my intention is not to get a solution (which I already did via 
nullrouting that AS)


You may have solved your problem. But that same spammer has a whole lot of 
targets to go on with the same "business model"...




but to understand how persistent abuse-enabling entities can act 
unhindered without any clear escalation path.


They simply do.
IMHO because they:
1) find service providers who look the other way.
2) build and operate their own networking/security/anti-ddos 
infrastructure.





Effectively extracting the last rotten tooth "ICANN Whois Inaccuracy
Complaint" by hiding all registration data so that an inaccuracy check 
is made impossible didn't help much...


Cheers,
Hans-Martin



Cheers,
Carlos



Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread Carlos Friaças via anti-abuse-wg



Hi,



On Wed, 15 Jan 2020, JORDI PALET MARTINEZ via anti-abuse-wg wrote:


In my opinion, the actual situation is the worst. We are validating over "nothing". We 
don't know how many of the "validated" mailboxes are real, or even read, full, etc.

I will prefer a mandatory abuse-c which is validated in the way I'm proposing, 
as it is being done in ARIN and APNIC and soon in LACNIC.


This detail is interesting...



If this can't reach consensus, I prefer to know in advance "this 
operator doesn't handle abuses" than wasting time in reporting them. I 
will have the choice to just block their network and when several folks 
block them and their customers complain, then they may change their 
mind.


I was wondering if this "block" would mean blocking all prefixes announced 
by the same ASN, or just the prefix where the abuse originated from.




Better 50% of good and *real* validated abuse contacts than 100% from which I 
don't know how many are for real.


As i already stated, i'm more worried about someone using real e-mail 
addresses of real unrelated people than the /dev/null or unattended 
mailboxes.


When someone uses a 3rd party address without authorization+knowledge, i 
think it's reasonable to allow for a fix, instead of directly running to 
ripe-716.



Cheers,
Carlos






On 15/1/20 8:24, "anti-abuse-wg on behalf of Carlos Friaças via anti-abuse-wg" 
 wrote:


   Hi,

   I obviously don't speak for the incident handling community, but i think
   this (making it optional) would be a serious step back. The current
   situation is already very bad when in some cases we know from the start
   that we are sending (automated) messages/notices to blackholes.

   To an extreme, there should always be a known contact responsible for
   any network infrastructure. If this is not the case, what's the purpose
   of a registry then?

   Regards,
   Carlos



   On Tue, 14 Jan 2020, Leo Vegoda wrote:

   > On Tue, Jan 14, 2020 at 1:48 AM Gert Doering  wrote:
   >
   > [...]
   >
   >> A much simpler approach would be to make abuse-c: an optional attribute
   >> (basically, unrolling the "mandatory" part of the policy proposal that
   >> introduced it in the first place)
   >
   > This seems like a simple approach for letting network operators
   > indicate whether or not they will act on abuse reports. If there's no
   > way of reporting abuse then the operator clearly has no processes for
   > evaluating reports, or acting on them. This helps everyone save time.
   >
   > Regards,
   >
   > Leo Vegoda
   >











Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread Carlos Friaças via anti-abuse-wg


Hi Sergio, All,

It seems you are proposing a new reputation system, to be managed by the 
RIPE NCC.


If this is the case, you can always try to draft a new policy proposal :-)

Cheers,
Carlos



On Wed, 15 Jan 2020, Sérgio Rocha wrote:


Hi,

Maybe we can change the approach.
If the RIPE website had a platform to post abuse reports, that sends the email to
the abuse contact, it would be possible to evaluate the responsiveness of the
abuse contact.

This way anyone who reports abuse could assess not only the response but
also the effectiveness of the actions taken by the network owner. After some
time with these evaluations it would be easy to realize who manages the reports
and even who does not respond at all.

Sérgio

-Original Message-
From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
Gert Doering
Sent: 15 January 2020 08:06
To: Carlos Friaças 
Cc: Gert Doering ; anti-abuse-wg 
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation
of "abuse-mailbox")

Hi,

On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg
wrote:

I obviously don't speak for the incident handling community, but i
think this (making it optional) would be a serious step back. The
current situation is already very bad when in some cases we know from
the start that we are sending (automated) messages/notices to blackholes.


So why is it preferable to send mails which are not acted on, as opposed to
"not send mail because you know beforehand that the other network is not
interested"?

I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any way,
but at the same time increases costs and workload for those that do the
right thing already.



To an extreme, there should always be a known contact responsible for
any network infrastructure. If this is not the case, what's the
purpose of a registry then?


"a known contact" and "an *abuse-handling* contact" is not the same thing.

Gert Doering
   -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279




Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread Carlos Friaças via anti-abuse-wg



On Wed, 15 Jan 2020, Gert Doering wrote:


Hi,


Hi,
(please see inline)



On Wed, Jan 15, 2020 at 07:23:38AM +0000, Carlos Friaças via anti-abuse-wg 
wrote:

I obviously don't speak for the incident handling community, but i think
this (making it optional) would be a serious step back. The current
situation is already very bad when in some cases we know from the start
that we are sending (automated) messages/notices to blackholes.


So why is it preferable to send mails which are not acted on, as
opposed to "not send mail because you know beforehand that the other
network is not interested"?


I think Serge already took care of that answer/issue :-)

And in our case we do count the # of bounces we get resulting from the 
abuse complaints we send out.




I can see that it is frustrating - but I still cannot support a policy
change which will not help dealing with irresponsible networks in any
way, but at the same time increases costs and workload for those that
do the right thing already.


I guess you are not convinced with the 10 min/year argument then :-(



To an extreme, there should always be a known contact responsible for
any network infrastructure. If this is not the case, what's the purpose
of a registry then?


"a known contact" and "an *abuse-handling* contact" is not the same thing.


I don't really like the case where "a known contact" is used as a last 
resort contact because there is an abuse issue. Hence, the value i see on 
a mandatory definition of an abuse contact -- while any network can still 
decide to use the same contact for both (or more) purposes.



Cheers,
Carlos




Gert Doering
   -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-14 Thread Carlos Friaças via anti-abuse-wg



Hi,

I obviously don't speak for the incident handling community, but i think 
this (making it optional) would be a serious step back. The current 
situation is already very bad when in some cases we know from the start 
that we are sending (automated) messages/notices to blackholes.


To an extreme, there should always be a known contact responsible for 
any network infrastructure. If this is not the case, what's the purpose 
of a registry then?


Regards,
Carlos



On Tue, 14 Jan 2020, Leo Vegoda wrote:


On Tue, Jan 14, 2020 at 1:48 AM Gert Doering  wrote:

[...]


A much simpler approach would be to make abuse-c: an optional attribute
(basically, unrolling the "mandatory" part of the policy proposal that
introduced it in the first place)


This seems like a simple approach for letting network operators
indicate whether or not they will act on abuse reports. If there's no
way of reporting abuse then the operator clearly has no processes for
evaluating reports, or acting on them. This helps everyone save time.

Regards,

Leo Vegoda





Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-14 Thread Carlos Friaças via anti-abuse-wg




On Tue, 14 Jan 2020, Nick Hilliard wrote:


Gert Doering wrote on 14/01/2020 10:19:

And if it's not going to have the desired effect, do not waste time on it.


More to the point, the RIPE number registry should not be used as a stick for 
threatening to beat people up if they don't comply with our current favourite 
ideas about how to manage social policy on the internet.


It is a registry, not a police truncheon.


Hello,

(Going perhaps a bit off-topic...)

If people are not able to follow the rules of the registry, maybe they 
shouldn't be allowed inside the system... :-)


[Fact 1]
If someone provides falsified documents to the registry, that someone goes 
off the wagon.


[Fact 2]
If someone doesn't pay the registry in due time (after several warnings), 
that someone goes off the wagon.


the "registry wagon"...>



I would also feel comfortable if someone who indicates a 3rd party e-mail 
address as the abuse-mailbox for their _OWN_ address space, goes off the 
wagon (after some warnings, of course...).
BTW, some years ago our physical address was added in whois to someone 
else's address space in a different RIR and that was _NOT_ a nice 
experience...



Regards,
Carlos



Nick





Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2019-10-01 Thread Carlos Friaças via anti-abuse-wg




Hi,


After reviewing version 2, i'm not very sure about:


1) "Require intervention by the recipient"

Some reports will not require intervention, they work only as a warning 
for a possible device infection. Some incident response teams may also 
decide not to process certain categories of reports/incidents.
One of our examples is the huge set of reports we receive related to the 
webcrawling activity that feeds into the portuguese web archive 
(arquivo.pt). Some networks/servers are more sensible to webcrawling and 
have automated report generation mechanisms. That's also something that 
must be considered. We can't expect a manual intervention by the recipient 
if the sender has an automated process...



2) "Must guarantee that abuse reports and related logs, examples, or email 
headers are received".


I think this one can be tweaked: The recipient domain's policy might be 
to discard messages bigger than  megabytes (we have that in my org's 
domain, but not on the CSIRT's domain). Hence, i would say to add ", up to 
a reasonable limit in size" to the sentence.



3) About "5.0 Escalation to the RIPE NCC"

It's also important to note that a domain is entirely free to block 
incoming messages from another given domain. So, if someone receives 500 
reports/day from the same mailbox, or from several mailboxes of the same 
domain, it's perfectly normal to blacklist the sending domain locally...



4) About the 1 year to 6 months change, i'm OK with it as long as it's 
feasible for the NCC's system -- but i guess the I.A. might clarify that.



Final comments: I think the proposal is useful, and it's important to note 
that if something de-rails (abuse-wise), then the most probable line of 
action seems to be an ARC, which is already part of the NCC's duties 
anyway.



Regards,
Carlos



On Tue, 1 Oct 2019, Marco Schmidt wrote:



Dear colleagues,

A new version of RIPE Policy proposal, 2019-04, "Validation of 
"abuse-mailbox"", is now available for discussion.

This proposal aims to have the RIPE NCC validate "abuse-c:" information more 
often, and introduces a new validation process that
requires input from resource holders.

The proposal has been updated following the last round of discussion and is now 
at version v2.0. Some of the differences from
version v1.0 include:
- Removes ambiguous examples from the policy text
- Defines mandatory elements of the abuse handling procedures
- Removes the prohibition of automated processing of the abuse reports

You can find the full proposal at:
https://www.ripe.net/participate/policies/proposals/2019-04

As per the RIPE Policy Development Process (PDP), the purpose of this four-week 
Discussion Phase is to discuss the proposal and
provide feedback to the proposer.

At the end of the Discussion Phase, the proposer, with the agreement of the 
Anti-Abuse Working Group Chairs, decides how to proceed
with the proposal.

We encourage you to review this proposal and send your comments to 
 before 30 October 2019.

Kind regards,

Marco Schmidt
Policy Officer
RIPE NCC







Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

2019-10-01 Thread Carlos Friaças via anti-abuse-wg




Hi Nick, All,


On Tue, 1 Oct 2019, Nick Hilliard wrote:


Marco Schmidt wrote on 01/10/2019 13:18:
As per the RIPE Policy Development Process (PDP), the purpose of this 
four-week Discussion Phase is to discuss the proposal and provide feedback 
to the proposer.


This version addresses none of the issues I brought up with the previous 
version in May:



https://www.ripe.net/ripe/mail/archives/anti-abuse-wg/2019-May/005120.html


There isn't a major problem with the RIPE NCC testing abuse mailboxes on a 
purely advisory basis, but the RIPE abuse working group has no authority to


I'm sure you meant the RIPE *anti*-abuse working group :-)))


dictate to internet resource holders how to perform their abuse management 
workflow, with an explicit threat that their businesses will be ruined unless 
they comply to the letter.


I don't think it's a matter of authority, but only a matter of 
understanding if the community wants to tighten the requirements (or 
not).



Alex de Joode pointed out on May 17th that the proposal also lacks 
proportionality and would be unlikely to be upheld in court.  It seems 
inadvisable that the RIPE NCC should implement a policy with such poor legal 
basis.


What you mean is that if someone just flushes some bogus abuse contact, it 
isn't as serious as providing falsified data/documents to the RIPE 
NCC?
Because that bogus data is not aimed at the NCC but instead at the world, 
then it should be OK...?




The policy is fundamentally broken and should be withdrawn.


I haven't read this version yet, but i will.


Regards,
Carlos




Nick





Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-10 Thread Carlos Friaças via anti-abuse-wg


Hello,

As the RIPE NCC's IA shows (imho), the proposed process is not perfect.

The main goal of having a process to start with was to allow some action 
regarding evident cases, and i hope people will agree that significant 
effort was made to accommodate comments during v1's discussion.


We tried to add more "safety knobs", because we felt that a wrong decision 
(by experts) would be a really, really bad thing, and we wanted to avoid 
that -- even knowing that sometimes even courts do get it wrong _and_ 
that ONE 'guilty of hijacking' case wouldn't result immediately in a LIR 
terminating process.


In the case there were no doubts that someone/some company was doing this 
(i.e. a 'guilty' conclusion), the expected outcome would be for that 
member to stop that behaviour from that point forward.


Regards,
Carlos




On Mon, 9 Sep 2019, Jacob Slater wrote:


All,
  Sure, but stat.ripe.net, bgp.he.net, rpki, and many other sources are free
  for everyone to access. :-)


Having a copy of the table and see historical data doesn't automatically give 
one the ability to determine if a given announcement
was a hijack.
I might strongly suspect that it was - sure. My personal suspicions should not 
be enough in this instance. 

  Honestly, i handed it back in late April. The IA and publishing took some
  time... :-)
  What i think supports what i wrote above is in Section 7.0, clause 1:
  "The RIPE NCC will verify that a report contains sufficient information
  before assigning it to a group of experts. If this is not the case, the
  report will be dismissed."

  Maybe it could be a bit clearer, or we could textually add "one event or a
  handful of events is not enough".

Stating that a single report isn't enough doesn't solve the issue. A thousand 
reports might not give enough quality information to
justify an investigation; a single report from an authoritative source might. 
It is for this reason that - in order to save
resources - I'm concerned with the amount of people who could potentially 
submit a report.

  Hence Section 7.0, clause 1 :-)

Section 7 of the current draft gives the accused the opportunity to defend 
themselves as the second step, right after the NCC
"verifies" the request. 
The accused entity is still being "asked" (under pressure) to provide 
information on the basis of a report that may or may not have
come from someone who actually knows about the situation.

  Sure. And i have already read the IA. All of it.

OK. I've done the same. I still feel that the IA outlines a lot of issues and 
problems. At this time, I don't think that the
potential benefits of the proposal outweigh the costs.

Jacob Slater
 

 

On Mon, Sep 9, 2019 at 5:56 PM Carlos Friaças  wrote:


  Hi,


  On Mon, 9 Sep 2019, Jacob Slater wrote:

  > All,
  >       If it's *your* table, you should be able.
  >
  > Again, I disagree. Just because you have a copy of the routing table doesn't automatically put you in a position to
  > know what is going on with each entry present in that table.

  Sure, but stat.ripe.net, bgp.he.net, rpki, and many other sources are free
  for everyone to access. :-)


  >       But please keep in mind that one event or a handful of events shouldn't
  >       justify an investigation, or handing a case to "experts".
  >
  > The current policy proposal doesn't have text to support this.

  Honestly, i handed it back in late April. The IA and publishing took some
  time... :-)
  What i think supports what i wrote above is in Section 7.0, clause 1:
  "The RIPE NCC will verify that a report contains sufficient information
  before assigning it to a group of experts. If this is not the case, the
  report will be dismissed."

  Maybe it could be a bit clearer, or we could textually add "one event or a
  handful of events is not enough".



  >       If the issue is fixed and the issue originator isn't always the same, then
  >       no real need for an investigation. Maybe the amount of text on the current
  >       version fades a bit the two main concepts of "persistent" and
  >       "intentional".
  >
  > I am in agreement with you on this.
  >
  >       There should be enough "trail" to justify starting an investigation...
  >
  > If the person submitting a report isn't in an authoritative position to say whether or not an announcement was a
  > hijack, there isn't a good enough "trail" to justify starting an investigation.

  Hence Section 7.0, clause 1 :-)



  >        The "proposal". It's just a proposal...! :-)
  >
  >        
  >
  >       I agree that there isn't a way to measure how many people around the
  >       world would not resort to hijacking if this proposal was in place today
  >
  > My apologies for misspeaking on that one.  Any references I 

Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-09 Thread Carlos Friaças via anti-abuse-wg



Hi,


On Mon, 9 Sep 2019, Jacob Slater wrote:


All,
  If it's *your* table, you should be able.

Again, I disagree. Just because you have a copy of the routing table doesn't 
automatically put you in a position to know what is going on with each entry 
present in that table.


Sure, but stat.ripe.net, bgp.he.net, rpki, and many other sources are free 
for everyone to access. :-)




  But please keep in mind that one event or a handful of events shouldn't
  justify an investigation, or handing a case to "experts".

The current policy proposal doesn't have text to support this.


Honestly, i handed it back in late April. The IA and publishing took some 
time... :-)

What i think supports what i wrote above is in Section 7.0, clause 1:
"The RIPE NCC will verify that a report contains sufficient information 
before assigning it to a group of experts. If this is not the case, the 
report will be dismissed."


Maybe it could be a bit clearer, or we could textually add "one event or a 
handful of events is not enough".





  If the issue is fixed and the issue originator isn't always the same, then
  no real need for an investigation. Maybe the amount of text on the current
  version fades a bit the two main concepts of "persistent" and
  "intentional".

I am in agreement with you on this.

  There should be enough "trail" to justify starting an investigation...

If the person submitting a report isn't in an authoritative position to say whether or 
not an announcement was a hijack, there isn't a good enough "trail" to justify 
starting an investigation.


Hence Section 7.0, clause 1 :-)




   The "proposal". It's just a proposal...! :-)

   

  I agree that there isn't a way to measure how many people around the

  world would not resort to hijacking if this proposal was in place today 

My apologies for misspeaking on that one.  Any references I may have made to 2019-3 as a 
"policy" should read as "policy proposal".


No harm done :-)



Just because a policy proposal has the chance to discourage bad actors doesn't 
mean we should ignore the potential consequences of implementing the proposal. 


Sure. And i have already read the IA. All of it.


Regards,
Carlos




Jacob Slater
 


On Mon, Sep 9, 2019 at 5:25 PM Carlos Friaças  wrote:


  Hi,


  On Mon, 9 Sep 2019, Jacob Slater wrote:

  > All,
  >       If that happens, then potentially everyone can be a victim, yes.
  >       Then they should be able to place a report.
  >
  >  
  > I disagree. Just because you see what you think is a hijack in the full table doesn't mean you have enough
  > information to justify a full investigation that is likely to consume valuable time and resources.

  If it's *your* table, you should be able.
  But please keep in mind that one event or a handful of events shouldn't
  justify an investigation, or handing a case to "experts".


  >       Afaik, this is possible within LACNIC (i.e. through warp.lacnic.net). When
  >       the same proposal was discussed there, the yearly number of reports (if
  >       i'm not mistaken) was on the scale of dozens -- and they have a very high
  >       degree of helping stop/mitigate the incidents, almost close to 100%, which
  >       is fantastic!
  >
  >  
  > Being asked to fix an issue is very different from getting investigated for an issue with the potential for
  > termination of membership.

  If the issue is fixed and the issue originator isn't always the same, then
  no real need for an investigation. Maybe the amount of text on the current
  version fades a bit the two main concepts of "persistent" and
  "intentional".


  > While I haven't seen a proposal for establishing a system like LACNIC's WARP under RIPE, I'd be
  > open to the idea.

  Great. Does anyone think this is a bad idea?

  That would probably fall under the ncc-services-wg, so we'll have to see
  :-)



  >       I fail to identify exactly where the proposal describes such a need.
  >       Even so, the experts should be bound to NDAs... :-)
  >
  >
  > While having the experts under NDA is a step in the right direction, it still involves effectively being
  > required to turn information over to external parties due to the suspicions of some random AS. My concern
  > isn't so much that the information will be leaked; my concern is that, fundamentally, being required to turn
  > information over to a third party on someone's unsupported suspicions seems wrong.

  There should be enough "trail" to justify starting an investigation...



  > Right now, the policy seems to pull a large amount of resources and risk (per the impact analysis) without
  > enough of a return.

  The "proposal". It's just a proposal...! :-)

  I agree that there isn't a way to measure how many people around the
  world 

Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-09 Thread Carlos Friaças via anti-abuse-wg



Hi,


On Mon, 9 Sep 2019, Jacob Slater wrote:


All,
  If that happens, then potentially everyone can be a victim, yes.
  Then they should be able to place a report.

 
I disagree. Just because you see what you think is a hijack in the full table 
doesn't mean you have enough information to justify a full investigation that 
is likely to consume valuable time and resources. 


If it's *your* table, you should be able.
But please keep in mind that one event or a handful of events shouldn't 
justify an investigation, or handing a case to "experts".




  Afaik, this is possible within LACNIC (i.e. through warp.lacnic.net). When
  the same proposal was discussed there, the yearly number of reports (if
  i'm not mistaken) was on the scale of dozens -- and they have a very high
  degree of helping stop/mitigate the incidents, almost close to 100%, which
  is fantastic!

 
Being asked to fix an issue is very different from getting investigated for an 
issue with the potential for termination of membership.


If the issue is fixed and the issue originator isn't always the same, then 
no real need for an investigation. Maybe the amount of text on the current 
version fades a bit the two main concepts of "persistent" and 
"intentional".




While I haven't seen a proposal for establishing a system like LACNIC's WARP 
under RIPE, I'd be
open to the idea. 


Great. Does anyone think this is a bad idea?

That would probably fall under the ncc-services-wg, so we'll have to see 
:-)





  I fail to identify exactly where the proposal describes such a need.
  Even so, the experts should be bound to NDAs... :-)


While having the experts under NDA is a step in the right direction, it still 
involves effectively being required to turn information over to external 
parties due to the suspicions of some random AS. My concern isn't so much that 
the
information will be leaked; my concern is that, fundamentally, being required 
to turn information over to a third party on someone's unsupported suspicions 
seems wrong. 


There should be enough "trail" to justify starting an investigation...




Right now, the policy seems to pull a large amount of resources and risk (per 
the impact analysis) without enough of a return. 


The "proposal". It's just a proposal...! :-)

I agree that there isn't a way to measure how many people around the 
world would not resort to hijacking if this proposal was in place today 
:-)



Regards,
Carlos





Jacob Slater



 


On Mon, Sep 9, 2019 at 3:45 PM Carlos Friaças  wrote:


  On Thu, 5 Sep 2019, Jacob Slater wrote:

  > All,

  Hi Jacob, All,


  > Given the number of people who may submit a report (anyone receiving a
  > full table from their upstream(s), assuming the accused hijack makes it
  > into the DFZ),

  If that happens, then potentially everyone can be a victim, yes.
  Then they should be able to place a report.
  But that's a fundamental part of why some changes are needed: it's not
  only the legitimate address space owner who is the victim of an hijack.
  People/networks whose packets are diverted by an hijack are also victims
  of traffic interception.

  Afaik, this is possible within LACNIC (i.e. through warp.lacnic.net). When
  the same proposal was discussed there, the yearly number of reports (if
  i'm not mistaken) was on the scale of dozens -- and they have a very high
  degree of helping stop/mitigate the incidents, almost close to 100%, which
  is fantastic!


  > I'm still concerned that the proposed policy would cause more harm than
  > good. A random AS that happens to receive the announcement isn't in an
  > authoritative position to know if a given announcement was unauthorized.

  I can fully agree that a system based on (possibly forged) LOAs, and
  unauthenticated IRR created the huge mess we are submerged in today...
  :(((


  > Putting them through a reporting process that might well require the
  > disclosure of internal information because of an unrelated
  > individual/group being suspicious is a problem.

  I fail to identify exactly where the proposal describes such a need.
  Even so, the experts should be bound to NDAs... :-)


  Regards,
  Carlos



  > Combined with the issues detailed in the Impact Analysis, I'm opposed to the policy as written.
  >
  > Jacob Slater
  >
  > On Thu, Sep 5, 2019 at 9:24 AM Marco Schmidt  wrote:
  >       Dear colleagues,
  >
  >       Policy proposal 2019-03, "Resource Hijacking is a RIPE Policy Violation"
  >       is now in the Review Phase.
  >
  >       The goal of this proposal is to define that BGP hijacking is not
  >       accepted as normal practice within the RIPE NCC service region.
  >
  >       The proposal has been updated following the last round of discussion and
  >       is now 

Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-09 Thread Carlos Friaças via anti-abuse-wg



Hi,
(please see inline)


On Thu, 5 Sep 2019, Alex de Joode wrote:


Dropping it might be the best thing:
The document does not clearly state what the procedure is (binding arbitrage? 
(the decision leads to a conclusion that might 
have an effect on the status of the LIR involved? (with anonymous 'experts' who 
act as 'judges' ? (a legal no-no))). 


The ruleset now is A.
2019-03 proposes to extend A, then the ruleset would become A+B.
People who don't abide by the rules, can have their LIR status changed, 
either the ruleset is A or A+B.


About the experts, v2 really expanded on the subject -- which resulted 
from a lot of diverse input. Experts are not completely anonymous, because 
they would have to collect support statements to enter the pool. The case 
assignments shouldn't be public in order to "avoid bribery attempts or 
reprisal actions against them". Is this something against Dutch Law? If 
that is the case, then "7." on Section 6 must be scrapped.



The proposal does not rule out the "hijacker" going to civil court if 
they might lose their LIR status (and IP space), if not RIPE 
will just incur extra costs. (going to civil court is impossible to 
rule out, anyways).


Yes, and going to courts also may happen when a company loses LIR status 
by any other reason, which is already part of the current ruleset... :-))





Do the contacts the LIR has with RIPE need 
to be  amended for this to function ?  (What if the LIRs refuse to sign 
the new contract, due to this introduced risk)


I don't think the contracts need to be amended, in the same way they 
didn't need to be amended to include the possibility of losing membership 
if (for instance) false documents are provided to the RIPE NCC...


Thanks for your input.

Regards,
Carlos




-- IDGARA | Alex de Joode | +31651108221

On Thu, 05-09-2019 21h 46min, Alex de Joode  wrote:
  Dropping it might be the best thing:
The document does not clearly state what the procedure is (binding arbitrage? 
(the decision leads to a conclusion that might 
have an effect on the status of the LIR involved? (with anonymous 'experts' who 
act as 'judges' ? (a legal no-no))). 

The proposal does not rule out the "hijacker" going to civil court if they 
might lose their LIR status (and IP space), if not RIPE 
will just incur extra costs. (going to civil court is impossible to rule out, 
anyways). Do the contacts the LIR has with RIPE need 
to be  amended for this to function ?  (What if the LIRs refuse to sign the new 
contract, due to this introduced risk)

-- IDGARA | Alex de Joode | +31651108221

On Thu, 05-09-2019 20h 56min, Erik Bais  wrote:
  I fully agree with Nick.

  Drop it like its hot ...

  Erik Bais

  > On 5 Sep 2019, at 18:15, Nick Hilliard wrote:
  >
  > I'd like to suggest to the chairs that this proposal be formally dropped.




Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-09 Thread Carlos Friaças via anti-abuse-wg




On Thu, 5 Sep 2019, Jacob Slater wrote:


All,


Hi Jacob, All,


Given the number of people who may submit a report (anyone receiving a 
full table from their upstream(s), assuming the accused hijack makes it 
into the DFZ),


If that happens, then potentially everyone can be a victim, yes.
Then they should be able to place a report.
But that's a fundamental part of why some changes are needed: it's not 
only the legitimate address space owner who is the victim of an hijack. 
People/networks whose packets are diverted by an hijack are also victims 
of traffic interception.


Afaik, this is possible within LACNIC (i.e. through warp.lacnic.net). When 
the same proposal was discussed there, the yearly number of reports (if 
i'm not mistaken) was on the scale of dozens -- and they have a very high 
degree of helping stop/mitigate the incidents, almost close to 100%, which 
is fantastic!




I'm still concerned that the proposed policy would cause more harm than
good. A random AS that happens to receive the announcement isn't in an 
authoritative position to know if a given announcement was unauthorized.


I can fully agree that a system based on (possibly forged) LOAs, and 
unauthenticated IRR created the huge mess we are submerged in today... 
:(((



Putting them through a reporting process that might well require the 
disclosure of internal information because of an unrelated 
individual/group being suspicious is a problem.


I fail to identify exactly where the proposal describes such a need.
Even so, the experts should be bound to NDAs... :-)


Regards,
Carlos




Combined with the issues detailed in the Impact Analysis, I'm opposed to the 
policy as written.

Jacob Slater

On Thu, Sep 5, 2019 at 9:24 AM Marco Schmidt  wrote:
  Dear colleagues,

  Policy proposal 2019-03, "Resource Hijacking is a RIPE Policy Violation"
  is now in the Review Phase.

  The goal of this proposal is to define that BGP hijacking is not
  accepted as normal practice within the RIPE NCC service region.

  The proposal has been updated following the last round of discussion and
  is now at version v2.0. Some of the changes made to version v1.0 include:
  - Includes procedural steps for reporting and evaluation of potential
  hijacks
  - Provides guidelines for external experts
  - Adjusted title

  The RIPE NCC has prepared an impact analysis on this latest proposal
  version to support the community's discussion. You can find the full
  proposal and impact analysis at:
  https://www.ripe.net/participate/policies/proposals/2019-03
  https://www.ripe.net/participate/policies/proposals/2019-03#impact-analysis

  And the draft documents at:
  https://www.ripe.net/participate/policies/proposals/2019-03/draft

  As per the RIPE Policy Development Process (PDP), the purpose of this
  four week Review Phase is to continue discussion of the proposal, taking
  the impact analysis into consideration, and to review the full draft
  RIPE Policy Document.

  At the end of the Review Phase, the Working Group (WG) Chairs will
  determine whether the WG has reached rough consensus. It is therefore
  important to provide your opinion, even if it is simply a restatement of
  your input from the previous phase.

  We encourage you to read the proposal, impact analysis and draft
  document and send any comments to  before 4
  October 2019.


  Kind regards,

  Marco Schmidt
  Policy Officer
  RIPE NCC








Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-09 Thread Carlos Friaças via anti-abuse-wg



On Mon, 9 Sep 2019, Michele Neylon - Blacknight wrote:


Carlos


Hi Michele, All,



Nick and others have covered why it should be dropped in their emails to this 
list.


Quoting from Nick's:
"
that is as damning an impact analysis as I've ever seen, and it sends a 
clear signal that the proposal would not solve the root

problem while simultaneously being very harmful to the RIPE NCC.

I'd like to suggest to the chairs that this proposal be formally dropped. 
It's taken up a good deal of working group time at this
point and there is an obvious lack of consensus that the proposal should 
be adopted as a policy.


Nick
"

I simply read "very harmful" as "the possibility of lawsuits against 
RIPE NCC". Lawsuits can happen if you have the rules; if the rules are bad 
(or badly followed) or by the absence of them (now...).


So i don't really agree with "very harmful".

The impact analysis points to a broad set of issues, YES, which we (the 
co-authors) may decide to address or not.




It's also pretty clear that the cost implications of this proposal far 
outweigh any potential benefit.


Perhaps i missed the numbers.

I only read in the IA about "significant financial impact" (depending on 
the # of reports received) and "significant cost factor" (from liability 
insurance).





So it should just be dropped.

And your counterargument about cost is completely divorced from economic 
reality.


I haven't really seen a price tag.
The acceptance of that price tag will depend on the viewpoint -- a 
victim's viewpoint will certainly tolerate a higher price tag ;-)





RIPE NCC are not the routing police.


Of course not. Here we can agree.

But the RIPE NCC already provides some means to identify who is actually 
breaking the *unwritten* rule that hijacks are not tolerated, and it 
could do a lot more (imho) for its community at large, the end-users, by 
removing hijackers from the system after they are *undoubtably* 
identified. :-)



Regards,
Carlos





Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

On 09/09/2019, 15:53, "Carlos Friaças"  wrote:


   Hi Michele, All,

   Can you be more specific about which problems derive from this proposal's
   simple existence...?

   About:
  "going to cost more" -- when you try to improve something, it's
  generally not cheaper, yes. but then there is "worth", which generates
  different views.

   (...)
   The "causes more harms" bit is mostly derived from the possibility of
   lawsuits...?

   Regards,
   Carlos


   On Mon, 9 Sep 2019, Michele Neylon - Blacknight wrote:

   > 100% agreed
   >
   > This proposal should be dropped as it's creating more problems, going to cost more and generally causes more
   > harms than those it was aimed to solve.
   >
   >
   >
   > --
   > Mr Michele Neylon
   > Blacknight Solutions
   > Hosting, Colocation & Domains
   > https://www.blacknight.com/
   > https://blacknight.blog/
   > Intl. +353 (0) 59  9183072
   > Direct Dial: +353 (0)59 9183090
   > Personal blog: https://michele.blog/
   > Some thoughts: https://ceo.hosting/
   > ---
   > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
   > Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
   >
   > On 05/09/2019, 17:15, "anti-abuse-wg on behalf of Nick Hilliard" wrote:
   >
   >Marco Schmidt wrote on 05/09/2019 14:23:
   >> The RIPE NCC has prepared an impact analysis on this latest proposal
   >> version to support the community's discussion. You can find the full
   >> proposal and impact analysis at:
   >> https://www.ripe.net/participate/policies/proposals/2019-03
   >
   >that is as damning an impact analysis as I've ever seen, and it sends a
   >clear signal that the proposal would not solve the root problem while
   >simultaneously being very harmful to the RIPE NCC.
   >
   >I'd like to suggest to the chairs that this proposal be formally
   >dropped.  It's taken up a good deal of working group time at this point
   >and there is an obvious lack of consensus that the proposal should be
   >adopted as a policy.
   >
   >Nick
   >
   >
   >
   >
   >



Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-09 Thread Carlos Friaças via anti-abuse-wg


On Mon, 9 Sep 2019, Alexander Talos-Zens wrote:


Hi,


Hi Alexander, All,
(please see inline)




this is my first post in this list - my perspective is that of a
security guy with little knowledge about BGP or the inner workings of
RIPE, but very interested in everything that helps defending against the
bad guys.

On 2019-09-05 at 15:23, Marco Schmidt wrote:


The goal of this proposal is to define that BGP hijacking is not
accepted as normal practice within the RIPE NCC service region.


Firstly, thanks everyone involved for the effort in setting up this
policy proposal. I like many points, e.g. that it makes clear that
accidental events shall not be reprimanded. Others might deserve being
rephrased, e.g. CSIRTS being entitled to file reports.


That detail is new on version 2, derived from comments to version 1. :-)

The idea was to prevent anyone to "hunt" for hijacks and overload the 
system with reports, i guess. We didn't have that in version 1, so we 
added it to v2. As a workaround, a CSIRT (i work for one...) can ask the 
victim to file the report, or help the victim in doing that.





On the other hand, I had a hard time trying to determine the positive
impact of the proposed policy.


The original idea is/was:
Some (persistent, intentional) hijackers are RIPE NCC members, and if they 
don't respect the address space allocated to others, perhaps they 
shouldn't be inside the system.


However, it's important to note, that *one* policy violation will not 
result in the member/hijacker losing membership status...





On the formal side, to define that hijacking is a violation of policy
without specifying which policy is violated gives me a mental blue
screen.


There is currently no policy against hijacking.

Member X can actually hijack blocks or parts of blocks from Members Y,W,Z 
(or members from other RIRs) and life goes on. This proposal tries to 
establish that persistent, intentional hijacking is not to be tolerated -- 
unfortunately not everyone agrees... :-)





As far as I know, please correct me if I'm wrong, there is no
policy in RIPE that proscribes hijacking, and neither would 2019-03 do that.


2019-03 tries to introduce the notion that hijacking (again, persistent &
intentional) is not acceptable.




This makes sense to me, as (again, correct me if I'm wrong) RIPE isn't
involved in routing operations - but that's where hijacking attacks take
place.


Yes and no (imho).

RIPE NCC (and/or the RIPE community) doesn't tell anyone what to 
configure on their routers.


However what's the point of a registry system if some of its members 
decide to grab some space from other members...?





Should RIPE kick out the evil LIRs? Maybe, but the proposed policy
doesn't do that. The opposite holds true: "RIPE-716) may apply." and
"This policy does not endorse the initiation of an LIR closure procedure
on the basis of a single policy violation." No mention what happens
after multiple (how many? depending on LIR size? ...) violations.


More than one, at least.

This is something new in v2, because in the 400+ messages discussion 
about v1, several voices pointed out that losing LIR status shouldn't 
happen immediately at the first "offence"... so we took note and 
accommodated this comment in v2. I can easily agree v2 is less "strict" 
even if not enough for some (or most) people.





I failed to find any way how implementing this proposal would improve
security.


The way i see this as "preventive", is that *today* there is absolutely 
nothing at RIR/Registry policy level against hijacks (i mean, in any of 
the 5 RIRs, where we also launched this proposal).


If the proposal reaches a point (clearly not in v2) where it would get
adopted, then a potential hijacker would know that it could lose its LIR 
status (and corresponding numbering resources).




I've also tried to save the proposal's impetus by coming up
with realistic and effective suggestions - but failed as well.


If you read v1, it was significantly shorter... but the thing is that a 
lot of people expressed opposition to several aspects (or the lack of 
some) and we've tried to address them all [back in late April...] :-)





For now, my conclusion is that this isn't the way to go.



Thanks for your input!


Best Regards,
Carlos





Cheers,

Alexander

--
Alexander Talos-Zens
IT-Security - ACOnet-CERT
Zentraler Informatikdienst
http://zid.univie.ac.at

Universität Wien
Universitätsstraße 7
1010 Wien
T +43-1-4277-14351
a...@univie.ac.at
GPG-Key-Id: 0x757A494B


Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-09 Thread Carlos Friaças via anti-abuse-wg


Hi Michele, All,

Can you be more specific about which problems derive from this proposal's 
simple existence...?


About:
  "going to cost more" -- when you try to improve something, it's
  generally not cheaper, yes. but then there is "worth", which generates
  different views.

(...)
The "causes more harms" bit is mostly derived from the possibility of 
lawsuits...?


Regards,
Carlos


On Mon, 9 Sep 2019, Michele Neylon - Blacknight wrote:


100% agreed

This proposal should be dropped as it's creating more problems, going to cost 
more and generally causes more harms than those it was aimed to solve.



--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

On 05/09/2019, 17:15, "anti-abuse-wg on behalf of Nick Hilliard" wrote:

   Marco Schmidt wrote on 05/09/2019 14:23:
   > The RIPE NCC has prepared an impact analysis on this latest proposal
   > version to support the community's discussion. You can find the full
   > proposal and impact analysis at:
   > https://www.ripe.net/participate/policies/proposals/2019-03

   that is as damning an impact analysis as I've ever seen, and it sends a
   clear signal that the proposal would not solve the root problem while
   simultaneously being very harmful to the RIPE NCC.

   I'd like to suggest to the chairs that this proposal be formally
   dropped.  It's taken up a good deal of working group time at this point
   and there is an obvious lack of consensus that the proposal should be
   adopted as a policy.

   Nick






Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-05 Thread Carlos Friaças via anti-abuse-wg



Hi Suresh, Hank, All,


On Thu, 5 Sep 2019, Suresh Ramasubramanian wrote:


Hijacked route announcements can be carefully targeted to just a victim AS for 
any attack.


Yes, they can -- and several cases (as far as i read) were already seen 
when that was done over an IXP.


But that doesn't mean that "hijacked" announcement has to be 100% 
invisible, e.g. if the victim AS is sharing their routing view with 
someone else... :-)



If that victim AS holder complains to their national CERT the language 
here precludes the CERT from reporting into RIPE.


It might, yes (and that's not optimal), but the victim AS folks could 
also theoretically do it by themselves...




That is a technicality as I can't imagine RIPE would refuse reports 
from a CERT, but it is worth fixing.


*Today*, is there any way for a CERT (National or not) or any victim AS to 
do it...?


(I know that this is already possible in LACNIC.
They have WARP --  https://warp.lacnic.net )


Cheers,
Carlos




On 05/09/19, 8:26 PM, "anti-abuse-wg on behalf of Carlos Friaças via anti-abuse-wg" wrote:



   On Thu, 5 Sep 2019, Hank Nussbacher wrote:

   > On 05/09/2019 16:23, Marco Schmidt wrote:
   >
   > "A.3.1. Reporting
   > Only persons directly affected by a suspected hijack can report to the RIPE
   > NCC that another party has announced resources registered to or used by the
   > reporter without their consent. "
   >
   > This thereby precludes any national CERT from reporting to the RIPE NCC any
   > suspected hijacks since they are not directly affected.  Can this text be
   > modified?


   Hi Hank, All,

   If a national CERT receives a hijacked route, it *is* affected -- in the
   sense their packets will go towards a wrongful destination.

   Not sure if the issue is with "person" vs. "organization", but a person
   should be able to report it on behalf of an affected organization...

   Regards,
   Carlos


   > Regards,
   > Hank
   >
   >> Dear colleagues,
   >>
   >> Policy proposal 2019-03, "Resource Hijacking is a RIPE Policy Violation" is
   >> now in the Review Phase.
   >>
   >> The goal of this proposal is to define that BGP hijacking is not accepted
   >> as normal practice within the RIPE NCC service region.
   >>
   >> The proposal has been updated following the last round of discussion and is
   >> now at version v2.0. Some of the changes made to version v1.0 include:
   >> - Includes procedural steps for reporting and evaluation of potential
   >> hijacks
   >> - Provides guidelines for external experts
   >> - Adjusted title
   >>
   >> The RIPE NCC has prepared an impact analysis on this latest proposal
   >> version to support the community's discussion. You can find the full
   >> proposal and impact analysis at:
   >> https://www.ripe.net/participate/policies/proposals/2019-03
   >> https://www.ripe.net/participate/policies/proposals/2019-03#impact-analysis
   >>
   >> And the draft documents at:
   >> https://www.ripe.net/participate/policies/proposals/2019-03/draft
   >>
   >> As per the RIPE Policy Development Process (PDP), the purpose of this four
   >> week Review Phase is to continue discussion of the proposal, taking the
   >> impact analysis into consideration, and to review the full draft RIPE
   >> Policy Document.
   >>
   >> At the end of the Review Phase, the Working Group (WG) Chairs will
   >> determine whether the WG has reached rough consensus. It is therefore
   >> important to provide your opinion, even if it is simply a restatement of
   >> your input from the previous phase.
   >>
   >> We encourage you to read the proposal, impact analysis and draft document
   >> and send any comments to  before 4 October 2019.
   >>
   >>
   >> Kind regards,
   >>
   >> Marco Schmidt
   >> Policy Officer
   >> RIPE NCC
   >>
   >>
   >
   >


Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-05 Thread Carlos Friaças via anti-abuse-wg




Hi Richard, All,


On Thu, 5 Sep 2019, Richard Clayton wrote:

(...)

BTW: it should be noted that the ARIN Board of Trustees threw out the
same proposal when it was made there...

https://www.arin.net/about/welcome/board/meetings/2019_0620/


The story is a bit longer than that (involves the AC, a petition and then 
the BoT), but yes, they did. Their PDP has some differences too...





... also (on a brighter note), although law enforcement does move slowly
in this space, it does indeed move.

https://krebsonsecurity.com/2019/09/feds-allege-adconion-employees-hijacked-ip-addresses-for-spamming/


This is from ARIN-land.
Do you see any chance of something similar within the RIPE NCC service 
region reaching a court of law?




(and there are a couple more cases in the pipeline).


Any of them outside ARIN-land...?


Regards,
Carlos



--
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755





Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

2019-09-05 Thread Carlos Friaças via anti-abuse-wg



On Thu, 5 Sep 2019, Hank Nussbacher wrote:


On 05/09/2019 16:23, Marco Schmidt wrote:

"A.3.1. Reporting
Only persons directly affected by a suspected hijack can report to the RIPE 
NCC that another party has announced resources registered to or used by the 
reporter without their consent. "


This thereby precludes any national CERT from reporting to the RIPE NCC any 
suspected hijacks since they are not directly affected.  Can this text be 
modified?



Hi Hank, All,

If a national CERT receives a hijacked route, it *is* affected -- in the 
sense their packets will go towards a wrongful destination.


Not sure if the issue is with "person" vs. "organization", but a person 
should be able to report it on behalf of an affected organization...


Regards,
Carlos



Regards,
Hank


Dear colleagues,

Policy proposal 2019-03, "Resource Hijacking is a RIPE Policy Violation" is 
now in the Review Phase.


The goal of this proposal is to define that BGP hijacking is not accepted 
as normal practice within the RIPE NCC service region.


The proposal has been updated following the last round of discussion and is 
now at version v2.0. Some of the changes made to version v1.0 include:
- Includes procedural steps for reporting and evaluation of potential 
hijacks

- Provides guidelines for external experts
- Adjusted title

The RIPE NCC has prepared an impact analysis on this latest proposal 
version to support the community's discussion. You can find the full 
proposal and impact analysis at:

https://www.ripe.net/participate/policies/proposals/2019-03
https://www.ripe.net/participate/policies/proposals/2019-03#impact-analysis 


And the draft documents at:
https://www.ripe.net/participate/policies/proposals/2019-03/draft

As per the RIPE Policy Development Process (PDP), the purpose of this four 
week Review Phase is to continue discussion of the proposal, taking the 
impact analysis into consideration, and to review the full draft RIPE 
Policy Document.


At the end of the Review Phase, the Working Group (WG) Chairs will 
determine whether the WG has reached rough consensus. It is therefore 
important to provide your opinion, even if it is simply a restatement of 
your input from the previous phase.


We encourage you to read the proposal, impact analysis and draft document 
and send any comments to  before 4 October 2019.



Kind regards,

Marco Schmidt
Policy Officer
RIPE NCC






Re: [anti-abuse-wg] diff online 2019-03 v1 vs v2

2019-05-23 Thread Carlos Friaças via anti-abuse-wg



Hi Michele, All,


On Thu, 23 May 2019, Michele Neylon - Blacknight wrote:

As I said in the face to face meeting this morning, I both withdraw my 
support for this proposal and would also urge you to completely withdraw 
it. The name of the policy does not reflect its intent and that alone 
should be reason enough for it to be removed


Is there any other detail that makes you withdraw your support besides the 
proposal's title...?



A proposal's title _can_ be changed... (recent) example:
https://www.ripe.net/participate/policies/proposals/2019-02/?version=1
https://www.ripe.net/participate/policies/proposals/2019-02/?version=2


Thanks,
Carlos




Regards

Michele


--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845


On 23/05/2019, 09:00, "anti-abuse-wg on behalf of JORDI PALET MARTINEZ via anti-abuse-wg" wrote:

   Hi all,

   As v2 of 2019-03 is not yet published, according to the PDP, until the
   impact analysis is completed, I've published a diff online at:

   https://www.diffchecker.com/Fy6z4VYH

   Regards,
   Jordi














Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-17 Thread Carlos Friaças via anti-abuse-wg



On Sat, 18 May 2019, Sérgio Rocha wrote:


We belong to this group: " Some people are really thankful when they receive
a notice and they understand they have something to fix. :-)"
And we would be happier if we were sure that all the abuse contacts are
real, at least in RIPE region.


About the "at least in RIPE region", there is text on 2019-04 about that:

=
c. Alignment with other RIRs:
A similar proposal has been accepted in APNIC (being implemented) and is 
under discussion in the LACNIC, AFRINIC and ARIN regions.

=

i.e. 1 region on track, 4 still to go (RIPE included here).


Cheers,
Carlos




Sérgio Rocha


-Original Message-
From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of
Carlos Friaças via anti-abuse-wg
Sent: Friday, May 17, 2019 23:52 PM
To: Taras Heichenko 
Cc: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of
"abuse-mailbox")



On Fri, 17 May 2019, Taras Heichenko wrote:


My team has nearly sent out 6000 abuse reports (only about intrusion
attempts and brute force attacks) since Jan 1st this year.
I've just checked, and only 2.5% bounced. 2018's bounces were around
4.5%.


Did you calculate percentage of deliberate reactions to your abuse
reports?

No, not yet.



What is main purpose to deliver letter without problem or to get
deliberate reaction to it?

We assume some of the nasty stuff we see comes from infected devices. If
legitimate owners care to disinfect, it's possible we will receive fewer
events... i.e. everyone should be sending out more notices. Some people are
really thankful when they receive a notice and they understand they have
something to fix. :-)


Carlos





Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-17 Thread Carlos Friaças via anti-abuse-wg




On Fri, 17 May 2019, Gert Doering wrote:


Hi,

On Fri, May 17, 2019 at 10:56:19AM +, Suresh Ramasubramanian wrote:

I am sorry but where did I say close down all LIRs?


You wanted an alternative proposal.  I did one.

Close down all LIRs = all abuse is stopped.


No, not really. You will still have "legacy", "hijackers" and four other 
regions... ;-)


Carlos



Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-17 Thread Carlos Friaças via anti-abuse-wg




On Fri, 17 May 2019, Taras Heichenko wrote:


My team has nearly sent out 6000 abuse reports (only about intrusion attempts 
and brute force attacks) since Jan 1st this year.
I've just checked, and only 2.5% bounced. 2018's bounces were around 4.5%.


Did you calculate percentage of deliberate reactions to your abuse reports?


No, not yet.



What is main purpose to deliver letter without problem or to get deliberate 
reaction to it?


We assume some of the nasty stuff we see comes from infected devices. If 
legitimate owners care to disinfect, it's possible we will receive fewer 
events... i.e. everyone should be sending out more notices. Some people 
are really thankful when they receive a notice and they understand they 
have something to fix. :-)



Carlos



Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-17 Thread Carlos Friaças via anti-abuse-wg


On Fri, 17 May 2019, Gert Doering wrote:


Hi,

On Fri, May 17, 2019 at 09:41:24AM +0100, Carlos Friaças via anti-abuse-wg 
wrote:

My team has nearly sent out 6000 abuse reports (only about intrusion
attempts and brute force attacks) since Jan 1st this year.
I've just checked, and only 2.5% bounced. 2018's bounces were around 4.5%.


But this means the existing efforts from the RIPE NCC are showing an
effect, and we do *NOT NEED* a new policy with lots of extra complications.

We do have abuse-mailbox verification, and we do have ARCs.

Why do we need more process?


Hi,

We might not need more processes, but hopefully improved processes :-)

Carlos





Gert Doering
   -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-17 Thread Carlos Friaças via anti-abuse-wg




+1 to Brian's comment, with or without the hat on :-))

Carlos



On Fri, 17 May 2019, Brian Nisbet wrote:


Folks,


-Original Message-
From: anti-abuse-wg  On Behalf Of Gert
Doering
Sent: Friday 17 May 2019 11:03

And, at least try the minimum amount of politeness in quoting according to
local customs.

(@chairs: can i propose a policy that makes it required policy to do proper
e-mail quoting style, and otherwise people will permanently lose their Internet
access?  This would arguably only hit bad people and would be so much relief
from this continuous abuse of my eyes!)


Can we please let this particular one go? For various reasons, such as 
software, style and the changing nature of reality, top posting is a common 
thing. This is the reality. I realise it breaks sacred oaths and trusts and I 
also understand a lot of people find it more difficult to parse, but it's the 
reality and, even if it could be changed, remarks on this mailing list will not 
change it.

I am happy to discuss this further with you over a beverage at the meeting next 
week, but it ain't gonna change, so I do not believe it's helpful to any 
discussion to continue to refer to it.

Thanks,

Brian
(Only slightly with his Co-Chair hat on, this is more of a hope than anything 
else...)

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270





Re: [anti-abuse-wg] Legality of proposal (apologies)

2019-05-17 Thread Carlos Friaças via anti-abuse-wg



On Fri, 17 May 2019, Nick Hilliard wrote:


Shane Kerr wrote on 17/05/2019 08:45:
All I can say is that the law is stupid then, and it SHOULD allow the 
proposed policy.


fundamentally, it shouldn't.  Proportionality is a cornerstone of most legal 
systems - if you don't have proportionality, you end up with tyranny.  The 
idea of threatening to cut off a LIR because they haven't updated an abuse 
contact is completely disproportionate to the scale of the policy infraction.


Hi,

It's probably not "haven't updated" but instead "haven't created".

Ideally this would also cover cases where company X deliberately inserts 
an e-mail address from someone which has nothing to do with the numbering 
resource... at least the legitimate owner of such mailbox should be able 
to resort to someone (hopefully not a court!) to have that corrected in 
the registry...


We had that with our postal address from an ARIN member some years ago. :/

Carlos



Nick





Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-17 Thread Carlos Friaças via anti-abuse-wg



Hi All,

I'm not sure about the 6 month period (vs. 12 months), and probably some 
details can be improved in further versions, but i do support this 
proposal, which is clearly in the path of "anti-abuse".


My team has nearly sent out 6000 abuse reports (only about intrusion 
attempts and brute force attacks) since Jan 1st this year.

I've just checked, and only 2.5% bounced. 2018's bounces were around 4.5%.

Maybe when we start to send out (automated) abuse reports about spam, the 
percentage will increase. We also send messages, globally, so solving the 
issue only in RIPEland will have limited impact. I've read this is 
already under implementation in another region, and proposed in the 
remaining 3 -- great!


I also think some reference to the ARC (Assisted Registry Check) could be 
included in the proposal, and could work as a primary step well before 
going into other actions which can carry more impact.


Regards,
Carlos




On Thu, 16 May 2019, Marco Schmidt wrote:


Dear colleagues,

A new RIPE Policy proposal, 2019-04, "Validation of "abuse-mailbox"", is now 
available for discussion.

This proposal aims to have the RIPE NCC validate "abuse-c:" information more 
often, and introduces a new validation process that requires manual input from resource 
holders.

You can find the full proposal at:
https://www.ripe.net/participate/policies/proposals/2019-04

As per the RIPE Policy Development Process (PDP), the purpose of this four-week 
Discussion Phase is to discuss the proposal and provide feedback to the 
proposer.

At the end of the Discussion Phase, the proposer, with the agreement of the 
Anti-Abuse Working Group Chairs, decides how to proceed with the proposal.

We encourage you to review this proposal and send your comments to 
 before 14 June 2019.

Kind regards,

Marco Schmidt
Policy Officer
RIPE NCC

Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum





Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-17 Thread Carlos Friaças via anti-abuse-wg


On Fri, 17 May 2019, Alex de Joode wrote:


I beg to differ.
The ripe membership sets the policy;
Ripe enforces the policy;
If a ripe member has its resources withdrawn due to the policy and the enforcement of the policy, the ripe member can go to court in The Netherlands (see contact between member and ripe);
The Amsterdam court will apply the proportionality test to a case where the resources are withdrawn based only on the fact there was no reply to the abuse-mailbox validation email;
The Amsterdam court will find this action is unreasonable;
The Amsterdam court will force ripe to re-instate the resources;
The Amsterdam court will be liable for any and all damages the ripe member suffered.


Hi,

You mean "The Amsterdam court will rule RIPE NCC is liable for any and 
all damages the ripe member suffered." ???


ps: is there any jurisprudence about what you are describing...?

Carlos




-- IDGARA | Alex de Joode | +31651108221

On Fri, 17-05-2019 4h 49min, Fi Shing  wrote:
  This "proportionality" test you speak of, has as much relevance to the
  regulating of internet resources, as "freedom of speech" does to regulating
  internet forum membership (no relevance at all).

  - Original Message -
  Subject: Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")
  From: "Alex de Joode" 
  Date: 5/16/19 4:56 pm
  To: "JORDI PALET MARTINEZ" 
  Cc: anti-abuse-wg@ripe.net

  On Fri, 17-05-2019 1h 45min, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
Hi Nick,

[..]

Anyone failing in repetitive occasions to comply with policies is subjected
to further NCC scrutiny, including account closure. This is a different policy
already in place. If we don't like that, we should change that policy, but then
we don't need policies anymore. Policies are the rules for the community to be
respected by all, and not having an administrative enforcement by the NCC is
the wild west.

It is an illusion to think ripe can suspend/withdraw resources if an
organisation does not reply to an abuse validation request. That simply will not
pass the proportionality test needed under Dutch law. So you will have no
recourse. (Only if you can prove the entity has registered with false
credentials (Due Diligence by new members takes care of this) -and- the entity
is active in a criminal enterprise, you might have a case)
 
Cheers,
Alex




Re: [anti-abuse-wg] Policy Proposal 2019-03 Update

2019-04-26 Thread Carlos Friaças via anti-abuse-wg



Hi Brian, All,

This is a doubt i have about the PDP:

If concerns are addressed within a new text version, aren't people that 
have opposed the previous version required to state if they agree or 
not that their concerns were addressed...?


If those opposing remain silent the default interpretation will be that 
they are still opposing the proposal, even if the text they have opposed 
to is not there anymore?


Can you please clarify?

Thanks,
Carlos


On Fri, 26 Apr 2019, Brian Nisbet wrote:

(...)


one.  can we assume that the co-chairs and marco have memory, or do we all
need to restate our views, maybe even after reading a new version?


Yes, you can assume this.

I mean, we would, of course, strongly suggest that people read the new version, 
as we're sure you all will, and we're sure the authors would appreciate knowing 
if this version is better or worse, from the point of view of the members of 
the WG, but yes, we have memory.

Obviously if we reach a Concluding Phase and the Co-Chairs' determination is 
other than what any member believes it should be, there are further 
opportunities to comment at that point.

Thanks,

Brian
Co-Chair, RIPE AA-WG






Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-19 Thread Carlos Friaças via anti-abuse-wg




On Fri, 19 Apr 2019, Gert Doering wrote:


Hi,

On Fri, Apr 19, 2019 at 02:18:25PM +, Suresh Ramasubramanian wrote:

It would be an interesting sight to see the chairman and exec board of ripe 
summoned before a parliament or court to explain the situation.


You love to summon up dire legal consequences for the RIPE NCC if this
policy isn't coming into place.

Over here in Europe, we're not used to just suing anyone for anything we
do not like and actually having a chance of succeeding with it.  Unless
the RIPE NCC is actually *tasked* with "ensuring routing correctness"


Hi,

RIPE NCC isn't tasked with that, i agree.

It is also not tasked with ensuring that party A is just using their own 
numbering resources.


But 2019-03 also doesn't mandate that the RIPE NCC should start verifying 
that randomly. It just opens the door for someone to report a 
(suspected) resource hijack, and if a large set of circumstances are 
aligned, it may open the door to a membership status review -- which won't 
even happen at the first time... according to the current set of policies.




(which it isn't) whether or not someone configures their router correctly
cannot construct a liability for the NCC.


Maybe it can be a liability if the party responsible for the numbering 
resources administration does nothing and lets the hijacks run free...



Some years ago i had an issue with another RIR about one of its members 
adding *our address* to one of their netblocks.
That registry (whois) entry was clearly forged (the network wasn't and 
never was running at our address) and it took months to have this 
corrected with the people who forged the entry and the RIR in question 
didn't really help. If we had financial losses due to this incorrect 
entry, wouldn't it be normal to sue also the RIR for not aiding in solving 
this "address hijack" that hit the registry database???





Now, if the NCC neglects to secure their *registry*, and people can
use this neglect to attack others, this might be a valid case to bring
forward...


Big Kudos to those who have worked hard to try to close this gap lately 
(also through policy proposals) -- you know who you are... :-))



Regards,
Carlos



Gert Doering
   -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279





Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-19 Thread Carlos Friaças via anti-abuse-wg



On Fri, 19 Apr 2019, Nick Hilliard wrote:


Carlos Friaças via anti-abuse-wg wrote on 19/04/2019 15:03:
Would you find it reasonable to have the rule/policy in place say for 2 or 3 
years, and then evaluate its impact/effectiveness...?


No.  In principle, the proposal is completely broken, antithetical to the 
RIPE NCC's obligations of being an address registry and Randy was right to 
point out that it is a proposal for a kangaroo court.  We don't need to make 
the mistake of testing it out to make sure.


Hi,

This question was just to express that no one really knows if the impact on 
abuse will be significant, minimal or none (but it seems there are people 
trying to state something without real data to back it up).


I would also like to read Gert's opinion on this.



It will not have any material impact on hijacking;


Oh, so you do have the data...?



there are better ways of handling hijacking


Such as...?


and the proposal will have a wide variety of serious but unintended side 
effects, some of which have been raised on this mailing list.


Do you care to list them, so we can work on their mitigation?
(i mean, those who have been raised in a disperse way in this list and 
those who haven't been raised yet)



And it's unimplementable - the board of the RIPE NCC would have a fiduciary 
duty to refuse to implement it.


Because you say so.

What i've heard from the Board so far on the list -- and the Board 
currently has seven members -- was a concern expressed by Piotr about 
timelines, which i think we have addressed in v2.0's text (which i 
also hope to see published soon).



Best Regards,
Carlos



Nick


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-19 Thread Carlos Friaças via anti-abuse-wg




Hi,

On Fri, 19 Apr 2019, ac wrote:

(...)

But anyway: the point that Randy is making that this policy is neither
common sense, nor effective in reducing abuse.  So it's not the way
to go.


so you are taking it upon yourself to attach your own opinion by
commenting on how you interpret the point(s) Randy is making?

how rude and presumptuous of yourself.

it seems many people (including myself) are rude, obnoxious, not
tolerant as well as very impolite and "unconsiderate"


Please let's not start with that...
(disclaimer: i value Gert's opinion on any Internet related subject as 
much as i value Randy's)




Anyway, to add my own interpretation, seeing as this is what we are now
reduced to, I am understanding that Randy is pointing out that when
2019-03 moves forward, this is common sense and not a "slippery slope"


It wasn't clear enough for me too at first, but i now clearly know that 
Randy objects to 2019-03 (i.e. the potential "police state" and less energy 
in routing security).




*sigh* - this is one of the most commented on and longest suffering
thread(s) ever. It seems there are vested interests in ensuring that
RIPE does not exercise any administrative (or limited) authority and
only acts as a 'sort of' loose record or some sort of index of who may
possibly or potentially be assigned which public resources...


i.e. "land registry" has already been mentioned. Which is something i 
completely disagree, because, i don't see a (real) land registry as a 
member association, and having a role to actually distribute land -- among 
other details...





I just wish to add the one thing that I have not yet seen in the
thread(s):

I would propose that should RIR not act with administrative authority
we can expect world governments to legislate as chaos is not in the
best interests of civil society.


I'm not sure if that is the case for all governments in the world, but 
yes, i think that without enough self-regulation, some jurisdictions may 
perceive that more legislation is needed... so yes, i also see that risk.


Even from the individual perspective of an average Internet user, it could 
be hard to understand how resource hijackers are tolerated by the very 
same organisations that have administrative powers over said resources.



Regards,
Carlos



Andre





Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-19 Thread Carlos Friaças via anti-abuse-wg




On Fri, 19 Apr 2019, Gert Doering wrote:


Hi,


(...)

But anyway: the point that Randy is making that this policy is neither
common sense, nor effective in reducing abuse.  So it's not the way to go.


Hi,

72 countries/economies in the service region (and in reality, the world), 
so i suspect "common sense" might turn out to be a tricky concept... :-)


But in fact, i think most Internet users would say it's common sense to 
have a rule saying that company A using resources held by company B 
(intentionally and persistently) is not tolerable.


About effectiveness in reducing abuse: We don't have any data, we would 
need to have the rule in place first... :-)


Would you find reasonable to have the rule/policy in place say for 2 or 3 
years, and then evaluate its impact/effectiveness...?


Regards,
Carlos



Gert Doering
   -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279





Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-19 Thread Carlos Friaças via anti-abuse-wg




On Thu, 18 Apr 2019, Fi Shing wrote:



What absolute crap. Why is that every time something resembling common sense 
enters this group, there are these people who insist on using slippery slope 
fallacy?

https://en.wikipedia.org/wiki/Slippery_slope

It wouldn't half surprise me if people like this "randy bush" are motivated by 
criminal groups. I cannot think of any reason, other than a criminal one, why someone 
would object to common sense policy that leads to a reduction in
abuse.

(Usually, there is one other motivation (financial) but not in this proposal).


Hi,

Please let me tell you that you are absolutely wrong about Randy Bush.

I co-authored another policy proposal together with Randy (and also some 
other people who have already objected to 2019-03) some years ago. 
Randy's contribution is always appreciated and (at least) i feel very 
lucky when he shows up at RIPE meetings, and i happen to be there too.


I hope this will destroy any doubt you may have about Randy:
https://www.internethalloffame.org/inductees/randy-bush

Let me also say that i think that energy into improving/deploying routing 
security (RPKI, MANRS, ...) should in any way be reduced just because of 
what 2019-03 proposes.


Randy's position is obviously not irrelevant for me, as other person who 
frequently brings as much value to the RIPE community as Randy does, 
already told me (in private), in even a less positive way.


Regards,
Carlos





   Original Message 
  Subject: Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking
  is a RIPE Policy Violation)
  From: Randy Bush 
  Date: Fri, April 19, 2019 1:55 am
  To: anti-abuse-wg@ripe.net

  < rant >

  this is insane. neither ripe nor the ncc should be the net police,
  courts, and prison rolled into one kangaroo court.

  it is droll that the erstwhile anti-abuse working group becomes a
  self-righteous abuser. so it is with so many abused children.

  put your energy into routing security not converting ripe and the ncc
  into an authoritarian state. we have enough of those.

  randy







Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-18 Thread Carlos Friaças via anti-abuse-wg



On Thu, 18 Apr 2019, Richard Clayton wrote:



Hard to tell in some cases whether the people running the hosting
company were merely in league with the hijackers or the hijackers
themselves. Only a court would care about the difference -- the
practical view is that it just means that action needs to be taken by
peers or by an IXP (or both)



Even harder is having a court decision about such a matter.




and rightly so ... and in my experience (you really should note the
people here with experience) they want to gather their own evidence and
form their own judgment before doing something so significant. That's
why your proposal for RIPE NCC being forced to act by a semi-detached
panel of experts is so deeply flawed.



Why "semi-detached"? They must be impartial to start with.



I agree IXPs are important. However the RIRs can be useful at a larger scale...


you have no evidence for that -- you are just hoping that they will be


One IXP can show a bad actor the door.
The RIR, by revoking an ASN number (if it gets to that) can make the bad 
actor lose the main technical requirement to be part of most IXPs.


That said, *if* this happens, it's not a company shutdown, but the company 
will need a new ASN number, at least to keep its operation in several 
IXPs.
Again, without an ASN, company operation would still be possible (outside 
IXP environment), resorting even to a single upstream.



Carlos



Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-18 Thread Carlos Friaças via anti-abuse-wg




On Thu, 18 Apr 2019, Peter Koch wrote:

(...)

BGP hijacking completely negates the purpose of a (Regional Internet) Registry.


This is unclear to me.  The Registry registers address space, not routes.


Yes, but one of the main purposes of a Registry is that everyone knows who
is using a specific resource (or who is the legitimate holder).


Definitely the registry puts on record who the holder is, I'm not
sure that always includes "use".


Without any rights of use attached, the value of having a registry is 
close to none.


If someone hijacks a resource to engage in a criminal activity, then the 
value for the legitimate holder of having a reference in the registry can 
be even *negative*, if he's forced to prove that he actually didn't have 
any part in said criminal activity...





Those who are intentionally and continuously hijacking resources are
removing value from the Registry for the whole community.


Quite to the contrary.  Without the registry you couldn't even tell.


Step 1 - Have a registry. Check.
Step 2 - Make people abide by the registry. Oooops. :/




What's the point in having a Registry if people just decide which numbers to
use, even if those Internet numbers are attached to another org with
legitimate holdership and exclusive rights of usage?


That question answers itself.  Even more so, what's the point of removing
the resources registered by those "people" if they allegedly don't care
anyway?


If an hijacker loses the rights to use its ASN, their peers/upstreams 
will likely need to review their configs/neighborships...





The rule, as we speak doesn't exist. Maybe using different wording, it could
mean: "Resource hijacking is not allowed". Period.


While "hijacking" still needs to be defined, the statement in and of
itself is not a policy.


We hope to improve the definition in version 2.0.

I disagree when you say " is not allowed" is not a policy.




So, the main/only course of action, as i see it today for an hijacked party
(if the hijacker is from the RIPE region), is sending a complaint to a dutch
court... and it's doubtful if the dutch court will not rule itself to be
"unable to rule" on the matter...


Why would you ask the Dutch court?


It's the only court who can rule that the RIPE NCC needs to do 
something...



Thanks to the Registry DB, the hijacked party is hopefully able to prove 
holdership of a resource to take mitigation to the operational level.


Hopefully, yes.
But that won't stop the hijacker to hop on to the next hijack/victim...

Again, we're focusing on the hijacked party as the sole victim, when those 
who *receive* hijacked routes are also the victims, as their traffic is 
attracted from such bogus announcements.



Cheers,
Carlos



-Peter





Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-18 Thread Carlos Friaças via anti-abuse-wg




Hi,


On Thu, 18 Apr 2019, Richard Clayton wrote:


On Thu, 18 Apr 2019, Richard Clayton wrote:

... I am aware of peer pressure (literally), action by IXPs, action by
organisations providing reputation scores and even action by hosting
companies.


Yes, i'm aware of that too. Sometimes it fixes specific hijacks, but does
it stop or in anyway cause a delay for hijackers to hop onto the next
hijack...???


All of examples I gave come from my experience in putting a stop to
various actors hijacking address space. Now it may be that the same
actors have come back and found another completely different hosting
company to carry their hijacks -- but getting them to start again from
scratch has always looked like a win to me.


It's also a win in my dictionary. :-)))

But didn't you see any cases where the hijacker was the hosting company 
itself?





In particular there is nothing like being thrown off an IXP for putting
a crimp in your operations. There's real money involved.


With my IXP hat on, i can say that removing a member is not something the 
IXP will do lightly.





I advised you before to give up on getting RIPE to develop a completely
new approach to tackling abuse (especially since it really is not going
all that well) -- and instead to put your effort into getting IXPs to
develop robust policies in this space. After all IXPs and routing are a
far better fit than an RIR and routing.


I agree IXPs are important. However the RIRs can be useful at a larger 
scale...




hijacks are reported in numerous places, the NANOG mailing list springs
immediately to mind -- and posting there is certainly easy


Yes i'm aware about it, but is that the (globally?) de-facto place for
raising anyone's attention to an hijack or an hijacker operation?


it's not ideal from a global perspective, but it is certainly the de-
facto place at the moment


H. Perhaps we should look at how many hijack reports get there per 
year...



Thanks,
Carlos




--
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755





Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-18 Thread Carlos Friaças via anti-abuse-wg


On Thu, 18 Apr 2019, Töma Gavrichenkov wrote:


Fat fingers,


...we all have it :-)



On Thu, Apr 18, 2019 at 3:17 AM Töma Gavrichenkov  wrote:

Honestly, I think it's the opposite. If the NCC terminates a
membership agreement, it should be liable for all the consequences of
a wrong decision no matter how exactly the decision is made and what
arbiters/experts/oracles/grandmoms were asked for a definitive advice.


.., because if it turns out that the experts or oracles prepared a bad
advice, it would be the NCC's responsibility for not choosing a better
set of experts of oracles.


This sounds a bit far fetched to me...
I think it's not the NCC's role to select people, it should be the 
community's...




In any case, an individual won't be able to compensate a financial
damage


Liability insurance? (yes, i know... cost)



of an average ISP being shut down anyway, so it must be an org,
and highly unlikely it could be that individual's employer.


Does a RIPE NCC Service Agreement termination mean that an ISP or a 
company is necessarily shutdown...???


The NCC's membership base is not exclusively formed by ISPs to start 
with...


If someone doesn't abide by the rules, and needs to keep supplying 
services to 3rd parties, it can resort to other LIR's services.
Yes, that will at least imply a renumbering, which means added cost, but 
it will not necessarily mean the company will face a shutdown.



Regards,
Carlos



--
Töma


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-18 Thread Carlos Friaças via anti-abuse-wg



Hi,


On Thu, 18 Apr 2019, Töma Gavrichenkov wrote:


On Thu, Apr 18, 2019 at 1:39 AM Carlos Friaças via anti-abuse-wg
 wrote:

And how will a dutch court determine a wrong decision was made? by getting
a different set of experts...?


E.g. by judging on an evidence found later, and with that evidence
making a decision that original set of experts did their job poorly.


Experts (on any given subject matter) can be wrong, if they look only at a 
specific dataset.


If data is not available on the year a crime was committed, and it surfaces 
only 5 years later, i wouldn't say the experts did a poor job. They might 
have done a good job with the data available at the time.





NCC has arbiters for quite a while. Who's responsible for their mistakes?


Curiously or not, that's where all of this started: my first take was to 
think that arbiters were the solution, but *several* people pointed out 
the current pool of RIPE arbiters was formed for a different purpose and 
some of them might not have the skills (or the will...) to look into 
hijacking cases.





It shouldn't be the RIPE NCC, if the RIPE NCC is just following
the defined policy.


Honestly, I think it's the opposite. If the NCC terminates a
membership agreement, it should be liable for all the consequences of
a wrong decision no matter how exactly the decision is made and what
arbiters/experts/oracles/grandmoms were asked for a definitive advice.


OK, but that is relative to *any* termination reason, be it immediate or 
on a specific timescale (see RIPE-716).


I would like to know how many dutch court cases were filed to the date 
against RIPE NCC about wrongful membership agreement termination.



Thanks,
Carlos

ps: we've missed grandmoms on version 2.0's text. sorry about that :-))



--
Töma


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-18 Thread Carlos Friaças via anti-abuse-wg


On Thu, 18 Apr 2019, Richard Clayton wrote:


In message ,
Carlos Friaças via anti-abuse-wg  writes


So, the main/only course of action, as i see it today for an hijacked
party (if the hijacker is from the RIPE region), is sending a complaint to
a dutch court... and it's doubtful if the dutch court will not rule
itself to be "unable to rule" on the matter...


You are entirely incorrect that using the courts is the "main" or "only"
course of action.

Numerous hijack events have been dealt with down the years. I am not
aware of any instance in which a court got involved in stopping the
hijack from happening ...


OK, so if courts are not an option...



... I am aware of peer pressure (literally), action by IXPs, action by
organisations providing reputation scores and even action by hosting
companies.


Yes, i'm aware of that too. Sometimes it fixes specific hijacks, but does 
it stop or in anyway cause a delay for hijackers to hop onto the next 
hijack...???





However, yes, there are hijacks originating from the region, and there
isn't an easy way for anyone to report it, so hijacks (or persistent
hijackers) are stopped.


hijacks are reported in numerous places, the NANOG mailing list springs
immediately to mind -- and posting there is certainly easy


Yes i'm aware about it, but is that the (globally?) de-facto place for 
raising anyone's attention to an hijack or an hijacker operation?





Trying to sum it up in just a line:
"Persistent and intentional resource hijacking is not tolerated."


I'm still looking forward to the wording that will deal with the US DoD


Won't that fall under "legacy"...?

Are we having this discussion under RIPE or under ARIN? :-)))


Regards,
Carlos



--
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-17 Thread Carlos Friaças via anti-abuse-wg


On Wed, 17 Apr 2019, Nick Hilliard wrote:


Carlos Friaças via anti-abuse-wg wrote on 17/04/2019 22:13:
The main concept is that the RIPE NCC will not have the role to investigate 
or to judge, following a report.


who is liable if a mistake is made?  The individuals on the judging panel or 
the RIPE NCC?


Hi,

It shouldn't be the RIPE NCC, if the RIPE NCC is just following the 
defined policy.


If individuals on the judging panel are liable (by dutch courts, i 
imagine) for wrong decisions, then that may be a hurdle to form a pool of 
experts. Maybe liability insurance is possible, but i don't have a way of 
calculating that kind of cost.


And how will a dutch court determine a wrong decision was made? by getting 
a different set of experts...?


In the case the RIPE NCC closes a LIR based on RIPE-716 A.1.2.2.g, the 
RIPE NCC is also liable? Or the individual staff that decides that 
untruthful information was supplied to the NCC is also liable?


I'm not even aware if the NCC already has any liability insurance in 
place for those cases -- and if they haven't why they chose not to have 
it.



Regards,
Carlos



Nick


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-17 Thread Carlos Friaças via anti-abuse-wg




Hi Peter, All,


On Wed, 17 Apr 2019, Peter Koch wrote:


On Tue, Mar 19, 2019 at 01:41:22PM +0100, Marco Schmidt wrote:


A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy 
Violation", is now available for discussion.


I have read the proposal version 1.0 as published on 13 March.

I believe that the proposers try to act with the best of intentions.


Mainly because what we have *today* is not really working...




I also believe that certain occurrences of "hijacking" constitute
unfriendly action, likely involving violation of criminal codes.


Yes, however, jurisdictions (and lack of laws in some of it) sometimes 
work against stopping criminal activities (again, dozens of different 
legal systems in the RIPE NCC Service Region, and beyond).





Looking at the supporting arguments however, I fail to see merit in any of them:


BGP hijacking completely negates the purpose of a (Regional Internet) Registry.


This is unclear to me.  The Registry registers address space, not routes.


Yes, but one of the main purposes of a Registry is that everyone knows who 
is using a specific resource (or who is the legitimate holder).


Those who are intentionally and continuously hijacking resources are 
removing value from the Registry for the whole community.


What's the point in having a Registry if people just decide which numbers 
to use, even if those Internet numbers are attached to another org with 
legitimate holdership and exclusive rights of usage?





This community needs to explicitly express that BGP hijacking violates RIPE 
policies.


This is self referential - it remains unclear how and why "BGP hijacking" would violate
RIPE policies.  It is also unclear that other courses of action are either unavailable
or unworkable.


I agree that the wording is a bit self referential, yes.

The rule, as we speak doesn't exist. Maybe using different wording, it 
could mean: "Resource hijacking is not allowed". Period.


Anyone who hijacks other org's resources can happily keep theirs.
In fact they can even use their own legitimate ASN (which is also a 
resource) to perform said hijacks...


About "other courses of action which are unworkable":
The "intentional hijacker" and the "hijacked" usually are not within the 
same economy/law system/jurisdiction -- they may even be in different RIR 
Service Regions...


So, the main/only course of action, as i see it today for an hijacked 
party (if the hijacker is from the RIPE region), is sending a complaint to 
a dutch court... and it's doubtful if the dutch court will not rule 
itself to be "unable to rule" on the matter...


Hence, industry "self-regulation" comes to mind.



If nothing changes in this field, the reputation of the RIPE NCC 
service region will continue to be affected from a cybersecurity 
perspective due to BGP hijacking events.


Sorry, this is pure handwaving.


The issue is not an exclusive problem within the RIPE NCC Service Region.

However, yes, there are hijacks originating from the region, and there 
isn't an easy way for anyone to report it, so hijacks (or persistent 
hijackers) are stopped.





Looking at the proposal text itself, I fail to see what policy it actually 
proposes.


Trying to sum it up in just a line:
"Persistent and intentional resource hijacking is not tolerated."




Instead of defining policy it suggest to instantiate a court like system that will,
without having either appropriate competence nor investigatory power, issue a finding of
whether or not a "policy violation" has happened.  The only purpose is to construct
a compliance case for the NCC to terminate membership and/or withdraw resource allocations
(or maybe assignments).


The main concept is that the RIPE NCC will not have the role to 
investigate or to judge, following a report.





The topic of attribution is heavily discussed in a variety of fora and the approach
chosen in 2019-03 is, at best, overly optimistic.


Version 2.0 (to be published soon) has more details, based on the feedback 
received during the discussion phase.





At the same time it is unclear why the RIPE NCC should even consider this "policy"
in their compliance assessment.


It's not "policy", it's a "proposal".
The PDP was followed, as far as i know.




That said, I wonder why this non-proposal met the threshold for being accepted in the
first place.


It's a "proposal", and while there isn't a voting involved and the 
consensus calling is up to the AAWG Chairs, the support expressed 
for 2019-03 largely exceeded objections (up to now, of course).




Upholding my previous assessment, I do object to 2019-03.


That was already clear, but thanks for writing it. :-)



The discussion phase has shown enough lack of clarity both in terms of defining what should
be considered "hijacking" as well as questions of proper jurisdiction.  Therefore, I would
be highly surprised if this work of art would be declared ready for the review phase.


Again, 

Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-15 Thread Carlos Friaças via anti-abuse-wg




Hi Ronald, All,

On Sun, 14 Apr 2019, Ronald F. Guilmette wrote:

(...)

It would appear that the mysterious AS65000 has been sort of shadowing
the movements of AS56630 for some time now... over six months, I guess,
at least since 2018-08-17, according to the RIPE data on that last route
shown above.  Everywhere AS56630 goes, AS65000 goes also.  When one moves,
the other does also, and on the same day.  Quite a romance going on between
those two!


If anyone cares to look into AS-PATHs...

https://stat.ripe.net/data/bgp-state/data.json?resource=91.244.204.0/22=2019-04-09T08:00

In this particular query AS65000 only shows up once (plus on a community 
entry), with AS-PATH "6881 3216 56630 56630 65000".



(...)

P.S.  I'm not entirely sure that I understand why a Lithuanian ASN (AS56630)
would be called upon to provide routing for an alleged telecom company located
in Tbilisi, Georgia (i.e. GE-RAILWAYTELECOM-20120605).


It's only 2500km (~1600 miles) between Tbilisi and Vilnius... :-))


Cheers,
Carlos



Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-15 Thread Carlos Friaças via anti-abuse-wg



On Sun, 14 Apr 2019, Ronald F. Guilmette wrote:

(...)

I will save all further comment until someone offers me some kind of an
explanation of this apparently strange stuff.  For now, I will only add
that whereas bgp.he.net is showing there as being a total of 66 IPv4
prefixes announced by this (reserved) ASN, the data I am getting from
RIPEstat is indicating a much smaller number of IPv4 announcements (35).

(...)

It seems it was a lot worse back in 2015...

https://stat.ripe.net/widget/prefix-count#w.resource=AS65000=2d

Cheers,
Carlos



Re: [anti-abuse-wg] Defining routing abuse

2019-04-12 Thread Carlos Friaças via anti-abuse-wg



Hi,


On Fri, 12 Apr 2019, Töma Gavrichenkov wrote:


Peace,

This is to continue the discussion around 2019-03. Here's our today's
article about the ways some operators do traffic engineering:
https://radar.qrator.net/blog/new-hijack-attack-in-the-wild

Should that also be treated as a policy violation? This is clearly intentional.



First question that comes to mind is:
Would you be willing to become one of the experts in a voluntary experts 
pool? -- if 2019-03 happens to get somewhere, obviously...



Second question:
Is the policy violation emerging from AS263444 to be treated as a policy 
violation?

(if i read well your article, i would say "yes")


Third question:
Is this overloading of rogue ASNs on your prefix's AS_PATH something that 
should also be considered a violation?


(i really don't have an answer for that...)


Thanks.


Regards,
Carlos

ps: will forward this to the LACNIC list.



--
Töma


Re: [anti-abuse-wg] Speaking of routing funny business... what's up with AS65021?

2019-04-06 Thread Carlos Friaças via anti-abuse-wg




Hi Ronald, All,


On Fri, 5 Apr 2019, Ronald F. Guilmette wrote:



Apparently, not all routing funny business involves hijacked IP address
space.


Yes. This one may seem a bit odd, but probably has nothing to do with an 
hijack.



(...)

Specifically, I have noticed some spammers camped out on a block of IPv4
addresses that are currently routed by AS65021.  The whois.iana.org WHOIS
server tells me that this is a reserved ASN, and that it doesn't actually
belong to anybody at all.


Yes, AS65021 is for private use. Same as 10.0.0.0/8 (and all RFC1918 
space) is for private use. Sometimes people mess up with filters :-) It's 
usually fat fingers, and AS-PATH information may well confirm that.




Thus, my rather simple Perl script which attempts
to find a proper reporting email address for this one specific spammer
infestation fails rather horribly.


Extra line of code needed perhaps...
if  then  
:-)

or maybe look for the upstream's contact.



The CIDRs currently being routed by AS65021 are:

31.13.210.0/24
31.13.241.0/24
87.120.104.0/24
87.120.253.0/24
87.120.255.0/24
87.121.116.0/24
93.123.64.0/24
216.99.221.0/24  (seen by bgp.he.net)

Some of these have been routed by (bogus) AS65021 since 2018-12-03.


216.99.220/23 seems to have a RPKI ROA (associated with AS6939 - 
Hurricane Electric), resulting in any /24 from it becoming an INVALID.


RIPE stat shows me two INVALIDs:
- 216.99.220.0/23 from AS14587
- 216.99.221.0/24 from AS33132

It looks to me that someone should fix their RPKI stuff :-)




All of those CIDRs are properly registered to cloudware.bg except for the
last one which is registered to International Payout Systems Inc. (Florida).

Apparently, cloudware.bg is part of Neterra, Ltd. of Bulgaria (AS34224):

https://www.cloudware.bg/en/about
   "As part of Neterra..."

I would say that this is just a very temporary mishap, and a temporary
"fat fingered" anomaly if it were not for the fact that some of these
routes have, according to RIPE Routing History, been continuously
announced for over four full months now.


That's a bit long so that no one notices it... (and fixes it).



Can anyone explain this to me?  Please? I have more than a little trouble
understanding why a company like Neterra, Ltd., which -does- already have
its very own ASN (AS34224), feels the need to effectively steal a reserved
ASN for their own private use.


It's not "stealing" as i see it. Private use ASNs are available so anyone 
can use them, but on a _private_ capacity. Meaning... you can agree with 
your neighbor to origin a route from that private ASN, but the neighbor is 
expected not to let that go into any other network... Or if it does, 
it removes the private-AS from the route's AS-PATH. Thus, some filters 
are not in place or they have a serious hole... :-(




Are new AS numbers really all that expensive
in the RIPE region, so that some businesses might be motivated to save some
money by just grabbing onto one of the reserved ones?


If you are a LIR it costs _ZERO_. Of course there is an administrative 
process to get a new ASN, but that isn't something complex or 
time-consuming.
If you are not a LIR, then you just have to find a LIR that can sponsor 
the ASN for you. If the LIR will charge anything to the customer, that's 
their decision, but the LIR will not be charged by the RIPE NCC for the 
new ASN.


(...)


Regards,
rfg



Best Regards,
Carlos
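
The two checks discussed in the AS65000 and AS65021 messages above (a private-use ASN leaking into a public AS-PATH, and RPKI origin validation marking a more-specific /24 as INVALID), as an added Python example that is not part of any poster's message. The prefixes, ASNs and the AS-PATH string are the ones quoted in the thread; the ROA's maxLength of 23 and the function names are assumptions made for the illustration.

```python
import ipaddress

# Private-use ASN ranges from RFC 6996 (16-bit and 32-bit).
PRIVATE_USE = ((64512, 65534), (4200000000, 4294967294))

# Constructed ROA set: (prefix, maxLength, origin ASN).
# The thread only says 216.99.220/23 has a ROA for AS6939 and that any /24
# out of it becomes INVALID; maxLength 23 is an assumption consistent with that.
ROAS = [("216.99.220.0/23", 23, 6939)]


def is_private_asn(asn):
    """True if the ASN is reserved for private use and should not be seen globally."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_USE)


def parse_path(text):
    """Turn an AS-PATH string such as '6881 3216 56630 56630 65000' into ints."""
    return [int(tok) for tok in text.split()]


def private_asns_in_path(path):
    """Private-use ASNs present in the path, in order, without prepend repeats."""
    seen = []
    for asn in path:
        if is_private_asn(asn) and asn not in seen:
            seen.append(asn)
    return seen


def reportable_asn(path):
    """Rightmost public ASN: the network to look up when the origin is private.

    This is the 'look for the upstream's contact' fallback: a private origin
    has no registry entry, but the neighbor that let it through does.
    """
    for asn in reversed(path):
        if not is_private_asn(asn):
            return asn
    return None


def rov_state(prefix, origin, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if origin == roa_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but no ROA matched origin and length: INVALID.
    return "invalid" if covered else "not-found"


def triage(prefix, path_text, roas):
    """Combine both checks for one observed route."""
    path = parse_path(path_text)
    origin = path[-1]
    return {
        "origin": origin,
        "private_in_path": private_asns_in_path(path),
        "report_to": reportable_asn(path),
        "rov": rov_state(prefix, origin, roas),
    }


if __name__ == "__main__":
    # AS-PATH quoted in the AS65000 message.
    print(triage("91.244.204.0/22", "6881 3216 56630 56630 65000", ROAS))
    # The two INVALIDs reported for the Hurricane Electric ROA.
    for pfx, asn in (("216.99.220.0/23", 14587), ("216.99.221.0/24", 33132)):
        print(pfx, "from AS%d" % asn, "->", rov_state(pfx, asn, ROAS))
    # Same /24 from the ROA's own ASN is still INVALID because of maxLength.
    print("216.99.221.0/24 from AS6939 ->", rov_state("216.99.221.0/24", 6939, ROAS))
```

A "not-found" result here only means the constructed ROA set has no covering entry; it says nothing about the real RPKI state of that prefix.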



Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 89, Issue 15 -- was about 2019-03

2019-04-05 Thread Carlos Friaças via anti-abuse-wg



Hi,

On Fri, 5 Apr 2019, Sascha Luck [ml] wrote:

(...)

And who would be doing that regulation?
- some EC org (service region goes way beyond EU...)


We will see this "EU Internet Regulator" within the term of the
next EU Commission / EUPARL. The (probably) next commission
president Manfred Weber has committed to this: 
http://www.spiegel.de/politik/ausland/manfred-weber-das-internet-muss-europaeischer-werden-a-1260900.html

(Sorry, it's in German. There is no other source I can find)

Now, this will happen whether 2019-03 passes or not, the question
is will they leave resource management alone, because it works,
or will it transfer into the domain of this regulator?


"Will _try_ to transfer." -- again, the service region is wider...

Imho, that will also depend on this regulator's f-u-n-d-i-n-g model.

Or are we supposed to see the uprising of a "FIR" (EU Federal Internet 
Registry), building on the NIR concept...? :-)




As for the service region, the EU cares only about the EU.
Whatever happens to the rest of the SR is not their concern.


Splitting the service region in two (EU and non-EU) sounds a bit 
impractical... :-)



Regards,
Carlos



rgds,
SL





Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 89, Issue 15 -- was about 2019-03

2019-04-05 Thread Carlos Friaças via anti-abuse-wg



Hi,

Thanks Wolfgang and Suresh,

That's something i have been probably saying in between the lines: it 
would be easier for anyone on the Internet to evaluate if an hijack took 
place if more people (or most people) would share their routing views. :-)


Carlos


On Fri, 5 Apr 2019, Wolfgang Tremmel wrote:


Which is why services like RIPE RIS are so valuable to the community.
If anybody would just send its full BGP table to RIS detecting hijacks (and 
later proving that they happened) would be much easier.

If you do not know what I am talking about, read:
https://www.ripe.net/analyse/internet-measurements/routing-information-service-ris/ris-peering-policy

...and setup a BGP session to RIS.

Wolfgang


On 5. Apr 2019, at 01:43, Suresh Ramasubramanian  wrote:

You might find a hijacked prefix advertised solely to a single asn at an ix 
where it peers, and this for the purpose of spamming to or otherwise attacking 
whoever owns the asn.  Most of these targeted announcements might not even be 
visible to anyone else.



--
Wolfgang Tremmel

Phone +49 69 1730902 26 | Fax +49 69 4056 2716 | Mobile +49 171 8600 816 | 
wolfgang.trem...@de-cix.net
Executive Directors: Harald A. Summa and Sebastian Seifert | Trade Registry: AG 
Cologne, HRB 51135
DE-CIX Management GmbH | Lindleystrasse 12 | 60314 Frankfurt am Main | Germany 
| www.de-cix.net
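
The point made in the message above, that a hijack announced to a single network stays invisible unless that network shares its routing view, can be shown by comparing per-peer views against expected origins. This is an added example, not part of the thread; the peer names, the `EXPECTED` origin table and all routes are constructed, using documentation prefixes and documentation AS numbers.

```python
"""Compare routing views from several vantage points to spot origin conflicts."""
import ipaddress
from collections import defaultdict

# Constructed: prefixes and the origin ASNs their holders are expected to use.
EXPECTED = {
    "192.0.2.0/24": {64500},
    "2001:db8::/32": {64501},
}

# Constructed: (prefix, origin ASN) pairs as seen by four hypothetical peers.
# Only peer-D receives the targeted more-specific announcement.
NORMAL = [("192.0.2.0/24", 64500), ("2001:db8::/32", 64501)]
VIEWS = {
    "peer-A": list(NORMAL),
    "peer-B": list(NORMAL),
    "peer-C": list(NORMAL),
    "peer-D": list(NORMAL) + [("192.0.2.128/25", 64510)],
}


def covering_expected(prefix, expected):
    """Return (covering prefix, allowed origins) for the longest match, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for exp_prefix, origins in expected.items():
        exp_net = ipaddress.ip_network(exp_prefix)
        if exp_net.version != net.version or not net.subnet_of(exp_net):
            continue
        if best is None or exp_net.prefixlen > best[0].prefixlen:
            best = (exp_net, origins)
    return None if best is None else (str(best[0]), best[1])


def find_anomalies(views, expected):
    """Report announcements whose origin is not expected, with their visibility."""
    seen = defaultdict(set)  # (prefix, origin) -> peers that carry it
    for peer, routes in views.items():
        for prefix, origin in routes:
            seen[(str(ipaddress.ip_network(prefix)), origin)].add(peer)

    anomalies = []
    for (prefix, origin), peers in sorted(seen.items()):
        match = covering_expected(prefix, expected)
        if match is None:
            continue  # no expectation recorded for this address space
        covering, allowed = match
        if origin in allowed:
            continue
        anomalies.append({
            "prefix": prefix,
            "origin": origin,
            "covering": covering,
            "kind": "same-prefix" if prefix == covering else "more-specific",
            "seen_by": sorted(peers),
            # Fraction of vantage points that saw it: low values mean the
            # announcement is easy to miss without the affected peer's view.
            "visibility": len(peers) / len(views),
        })
    return anomalies


if __name__ == "__main__":
    without_d = {p: r for p, r in VIEWS.items() if p != "peer-D"}
    print("three views:", find_anomalies(without_d, EXPECTED))
    print("four views: ", find_anomalies(VIEWS, EXPECTED))
```
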







Re: [anti-abuse-wg] On +1s and Policy Awareness AND Astro... something...

2019-04-05 Thread Carlos Friaças via anti-abuse-wg



Hi, Sascha, All,

Seriously? Newcomers welcomed?

It's just a matter of going back and re-reading parts of the thread and some 
sub-threads...


Regards,
Carlos


On Thu, 4 Apr 2019, Sascha Luck [ml] wrote:


On Thu, Apr 04, 2019 at 04:52:32PM +0100, CSIRT.UMINHO Marco Teixeira wrote:
While I speak for myself, I might incur the risk of representing a lot of 
the so-called "Astroturfers?!". While some accuse (please don't take it 
personally, it's just clarification) the newcomers of being voiceless, I 
must say that I have been, with great effort, refraining from going into a 
long discourse on a list where I am new. That should not be understood as a 
sign of "spamming" a vetting process, but as a sign of respect for all of 
you, long-standing members of RIPE, guardians of our IP addresses, one of 
the building blocks of the Internet :-)


I know of forums where "the n00b" is expected to shut up and
listen, but this is not one of them. At least I have never
noticed that newcomers weren't welcomed - and as I stated before,
I personally would like to see more and different voices here -
and no, not just those who agree with me although I hope some
will...

So don't be afraid to speak up if you've something to say!

As one last thought, again IMHO, I believe BGP Hijacking is one of the most 
pressing issues, menacing the Internet resiliency, and it must be dealt 
with. In the same manner, we apply AUP's to our users, it's RIPE 
responsibility, to clearly state, it is not acceptable, and it will have 
consequences... Raising the risk for companies is the only way we tip the 
balance of "Loss vs Earning", and hopefully eradicate bad actors, or 
hopefully even stopping them right at their business plans.


1) The RIPE NCC is not the provider of "AUP" for the entire
Internet or even the Internet of the Service Region. I understand
that some would *like* it to be, but that is not what the members
are paying it for.

2) If anyone needs to be "eradicated", I'd prefer that to be
determined by a judge and, preferably, a jury. NOT some
neighbourhood watch curtain-twitcher with the help of a monopoly
service provider.


This is why I support "2019-03 New Policy Proposal (BGP Hijacking is a RIPE 
Policy Violation)"


and this is why I oppose it :)

rgds,
SL





Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 89, Issue 15 -- was about 2019-03

2019-04-05 Thread Carlos Friaças via anti-abuse-wg




On Thu, 4 Apr 2019, Sascha Luck [ml] wrote:


On Thu, Apr 04, 2019 at 08:32:39PM +0200, Karl-Josef Ziegler wrote:
Yes, this is also my opinion. The community should do something against 
this abusive behavior.
If it isn't done by the community there might be some regulation coming 
from outside, i.e.
political entities. And I doubt that this will be the better way to handle 
this problem.


I am starting to come around to the opinion that such regulation
would actually be preferable to this. Legislative regulation, at
least in democratic societies, imposes responsibilities but it
also gives *rights*. Namely constitutionality, the right to have
such regulation applied transparently and fairly and, most
importantly, the right to judicial review. None of which applies
to the vigilante kind of "justice" the proponents wish the RIPE
NCC to become the enforcer of. Given these two choices, I know
which way I'd vote.


Hi,

So you seem to prefer regulation over self-regulation?

And who would be doing that regulation?
- some EC org (service region goes way beyond EU...)
- the Dutch Telecoms Regulator?
- ITU-T?
- ...?

Honestly, i don't have a clue...

Regards,
Carlos



rgds,
SL






Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 89, Issue 15 -- was about 2019-03

2019-04-05 Thread Carlos Friaças via anti-abuse-wg




Hi,

On Thu, 4 Apr 2019, Nick Hilliard wrote:

People generally hijack prefixes in order to make money.  If hijacked 
prefixes are not generally visible in the internet, then the value of the 
hijacking is a good deal lower because the reach is smaller.


It depends on the purpose, and if visibility is a key issue or not. :-)


In order to stop something like hijacking from being a problem, you don't 
need to make it impossible to perpetrate - you just need to reduce the value 
to the point that it's not worth doing it.


The problem of that approach is the diversity of goals...


What makes hijacking attractive is when transit service providers don't 
filter ingress prefixes from their customers.  The value of hijacking at an 
IXP will be proportional to the size of the IXP and whether the IXP has 
implemented filtering policies at their route servers.  Direct peering 
sessions are troublesome, as they generally don't implement prefix filtering.


Yes. Trust is generally higher between peers/BGP speakers in a small 
environment, which might become a vulnerability...


But the value depends on the purpose. If the value for the hijacker is in 
announcing a bogus route just to _one_ network, it's irrelevant if the IXP 
has 20 members or 200 members.



But transit providers are where the bulk of the problem lies, and where 
efforts need to be concentrated in order to handle the issue.


I'm not completely sure about that.



MANRS is one part of this effort.


Let's hope MANRS can seriously take off in terms of adoption!

Cheers,
Carlos




Nick





Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 89, Issue 15

2019-04-04 Thread Carlos Friaças via anti-abuse-wg



Hi,


On Thu, 4 Apr 2019, Ronald F. Guilmette wrote:



In message <20190404183631.gz97...@space.net>,
Gert Doering  wrote:


Still targeting the wrong crowd.  A few willing Tier1 ISPs would have way
more effect than all policies we do in RIPE land against a rogue ISP that
might not even *be* a RIPE member (or a member of any LIR).


It is a fair point, but it raises an obvious question, which I ask now
in all seriousness, because I really and truly do not know the answer:

Why have Tier 1 providers not stepped up and done a much better job
of policing hijacks better than they have done?


Not all hijacks reach the so-called DFZ.

"Partial visibility" hijacks can happen without touching any of the 
Tier-1s



Regards,
Carlos



Regards,
rfg





Re: [anti-abuse-wg] Astroturfing? -- was 2019-03

2019-04-03 Thread Carlos Friaças via anti-abuse-wg



Hi,
(please see inline)

On Wed, 3 Apr 2019, Sascha Luck [ml] wrote:

(...)


That may have just been because those have been seen here before.

That said, I agree with the general statement. Rather than "+1"
every supporter should provide *some* evidence that they've at
least *read* the proposal. For the avoidance of doubt, this means
*every* supporter, regardless of nationality or length of
subscription.


I think that was already clarified. Agreement is agreement. If you are 
trying to come up with a new rule, then you can write a new policy 
proposal about that... :-)



(...)


It used to be until the charter was changed. I didn't agree with
that then, I don't agree with it now. For exactly the reasons
that are now becoming evident.


You want everyone to discuss by your own set of rules -- that's clear.


(...)


Not all. Only those who suddenly turn up, "+1" and then disappear
again, as they undoubtedly will (or perhaps until *your* next
proposal comes up?)


https://www.ripe.net/participate/policies/current-proposals

I'm also the co-author of 2019-02. Unfortunately the support for that one 
is rather smaller. You can go and check that thread. You might want also 
to check what the other 2019-02 co-author (Sander) stated about 2019-03.




I'm not going to reply with a different Wikipedia URL, but i suspect you know 
which one i'm thinking about :-))


No, I don't have a clue. Enlighten me?


Not going there, sorry. It doesn't serve the purpose of discussing 
2019-03.




(...)

What I do not welcome is "support" that takes the form of
subscribing here, plonking down "+1" and then vanishing into
obscurity again. Which is (at least the Wikipedia) definition of a 
meat-puppet.


Name-calling targeted at multiple people. Not very useful.


(...)

Easy. judge the worth of support at least in part on previous
contributions, and I fervently hope this is what the chairs are
doing.


You don't like/accept people supporting a proposal you don't like. That's 
not useful to discuss the proposal itself too.



(...) 

If not, I would like the opportunity to raise a hundred opponents
to each provide a "-1"...


Then talk to people, explain them why they should oppose the proposal, and 
wait for them to subscribe to the list and tell everybody what are 
exactly their concerns about the proposal.



Cheers,
Carlos



rgds,
SL





Re: [anti-abuse-wg] Astroturfing?

2019-04-03 Thread Carlos Friaças via anti-abuse-wg




Hi,


On Wed, 3 Apr 2019, Sascha Luck [ml] wrote:


Please provide evidence for your insinuation that anyone here
discriminates against Portuguese (or any other nationality for
that matter.) I can't but regard such an insinuation as a cheap
rhetorical trick.


Too easy (you might have missed this one...):

Date: Fri, 29 Mar 2019 22:00:32
From: Sergey Myasoedov via anti-abuse-wg 
Reply-To: Sergey Myasoedov 
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] Proposal 2019-03 BGP Hijacking

Dear group members from Portugal stated your support for 2019-03,
Can you please provide some more arguments than your humble "+1" 
statement? This is a working group, not a voting.


Please.


The message was directed to a "group members from Portugal".
Members from IE, IL, US, CZ and so on that made brief statements of 
support were left out of this request.

I can't understand why.



(...)

I've long argued that all policy should only be discussed in
ap-wg as I don't think this limited an audience should make
policy with far-reaching consequences. Alas, everyone wants to
rule in Hell rather than serve in Heaven.


What you argue is _not_ "current rules" or the PDP.

Anyone who wants to participate in discussing 2019-03 only has to 
subscribe to this mailing list.




If someone has any doubt about if newcomers are real persons, then please 
Google away. :-)


Well, that gives me:
https://en.wikipedia.org/wiki/Sockpuppet_(Internet)#Meatpuppet

So the term "Astroturfing" is technically incorrect as that
implies fictitious entities with some commercial interest behind
it.


So you're now going further than attacking one nationality, aiming at all 
those who expressed support for 2019-03? (i.e. disagreeing with your 
view).


I'm not going to reply with a different Wikipedia URL, but i suspect you know 
which one i'm thinking about :-))


(Alireza, Brian, Tobias, please feel free to comment on the above URL)




Nobody has said that and new participants are always welcome, the
more know about this the better.


It's not only about "knowing" it's also being able to support or oppose 
any proposal (present or future). For me the keyword is "participation".





However: If someone shows up here only to add a "+1" to a
proposal and is then never heard from again, I don't think their
support should carry much weight. I trust the chairs to consider
this, of course.


You might be rushing to judgements.
You might draw that conclusion if there is more to discuss on the table 6 
months or 1 year from now, and people stay silent or if they left the 
mailing list -- which is something no one can evaluate on such a short 
notice.




Regards,
Carlos




rgds,
SL





On Wed, 3 Apr 2019, Michele Neylon - Blacknight wrote:


All

Is someone encouraging astroturfing?

The number of either new or inactive members of this list who have posted 
one line messages in support of the recent policy discussion has reached 
insane levels


Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845








Re: [anti-abuse-wg] Astroturfing?

2019-04-03 Thread Carlos Friaças via anti-abuse-wg



On Wed, 3 Apr 2019, Richard Clayton wrote:


In message <6faf5417-dc6d-4c95-ba14-fcc1b22f6...@blacknight.com>,
Michele Neylon - Blacknight  writes


I've absolutely zero issue with new people engaging, but lots of one line "+1"
or almost identical emails isn't meaningful engagement.


it's also somewhat of a problem for the proposers of the document since
they have said that they intend to revise it in the light of the
comments made on the list -- but there's all these people apparently
saying that they think it is just fine as is

so it seems that quite a lot of people are going to be disappointed -- I
hope they chip in after the changes are made and explain in some detail
why they preferred the initial version !


Hi,

If they don't comment further, imho, it can't also be interpreted that 
they prefer the initial version...


Carlos




--
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755





Re: [anti-abuse-wg] Astroturfing?

2019-04-03 Thread Carlos Friaças via anti-abuse-wg


On Wed, 3 Apr 2019, Michele Neylon - Blacknight wrote:


Carlos

I've absolutely zero issue with new people engaging, but lots of one line "+1" 
or almost identical emails isn't meaningful engagement.


Hi,

As i understand it, it won't be meaningful only if people unsubscribe from 
the list after stating support or opposition -- but i have no clue even 
about the list's current size.


If newcomers are aware this list exists, and understand it is the proper 
place where they can contribute to policy-making (regarding Anti-Abuse), 
they could be a bit more interactive in further discussions. :-)


I think for most newcomers, it won't be very easy to just subscribe and 
immediately start writing long messages.


Regards,
Carlos




Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

On 03/04/2019, 12:53, "Carlos Friaças"  wrote:


   Hi Michele, All,

   I had to Google for 'astroturfing'. I learned something today. :-)

   As i see it, the "community" is not a closed group.

   It was repeatedly stated that "consensus" or "rough consensus" is not a
   vote. I think that is clear for everyone.

   Just like a few days ago i wrote that i hoped there wasn't any kind of
   discrimination against portuguese participants, i hope there isn't also
   any kind of discrimination against new participants on this WG.

   I may understand if some people prefer to have less people in the WG, but
   i'm not part of that set.
   While worrying about how we can improve rules/tools against Abuse (that's
   the point of an Anti-Abuse WG, right?), i would also like to see a much
   larger number of people involved!

   If someone has any doubt about if newcomers are real persons, then
   please Google away. :-)

   I met in person most of people that are supporting 2019-03 and also
   those that are opposing it (some of which i even co-authored other
   proposals), since a while back.

   ps: I think i haven't met Sebastien Lahtinen in person since 10y or so, so
   if 2019-03 made him show up on the list, that's another plus :-))

   Best Regards,
   Carlos




   On Wed, 3 Apr 2019, Michele Neylon - Blacknight wrote:

   > All
   >
   > Is someone encouraging astroturfing?
   >
   > The number of either new or inactive members of this list who have posted
   > one line messages in support of the recent policy discussion has reached insane
   > levels
   >
   > Regards
   >
   > Michele
   >
   > --
   > Mr Michele Neylon
   > Blacknight Solutions
   > Hosting, Colocation & Domains
   > https://www.blacknight.com/
   > https://blacknight.blog/
   > Intl. +353 (0) 59  9183072
   > Direct Dial: +353 (0)59 9183090
   > Personal blog: https://michele.blog/
   > Some thoughts: https://ceo.hosting/
   > ---
   > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
   > Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
   >
   >



Re: [anti-abuse-wg] Astroturfing?

2019-04-03 Thread Carlos Friaças via anti-abuse-wg


Hi Michele, All,

I had to Google for 'astroturfing'. I learned something today. :-)

As i see it, the "community" is not a closed group.

It was repeatedly stated that "consensus" or "rough consensus" is not a 
vote. I think that is clear for everyone.


Just like a few days ago i wrote that i hoped there wasn't any kind of 
discrimination against portuguese participants, i hope there isn't also 
any kind of discrimination against new participants on this WG.


I may understand if some people prefer to have less people in the WG, but 
i'm not part of that set.
While worrying about how we can improve rules/tools against Abuse (that's 
the point of an Anti-Abuse WG, right?), i would also like to see a much 
larger number of people involved!


If someone has any doubt about if newcomers are real persons, then 
please Google away. :-)


I met in person most of people that are supporting 2019-03 and also 
those that are opposing it (some of which i even co-authored other 
proposals), since a while back.


ps: I think i haven't met Sebastien Lahtinen in person since 10y or so, so 
if 2019-03 made him show up on the list, that's another plus :-))


Best Regards,
Carlos




On Wed, 3 Apr 2019, Michele Neylon - Blacknight wrote:


All

Is someone encouraging astroturfing?

The number of either new or inactive members of this list who have posted one 
line messages in support of the recent policy discussion has reached insane 
levels

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845



Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-01 Thread Carlos Friaças via anti-abuse-wg




Hi,


On Mon, 1 Apr 2019, Sascha Luck [ml] wrote:

On Mon, Apr 01, 2019 at 05:06:37PM +0100, Carlos Friaças via anti-abuse-wg 
wrote:

The same way it happens with lack of payment,


explicitly part of the contract (SSA).


or delivering false/forged information to the NCC.


explicitly part of the contract.

You are trying to change the contract. You can't do that here.


"The Member acknowledges applicability of, and adheres to, the RIPE 
Policies and RIPE NCC procedural documents" -- you know... those that 
could change with time...?





with, i.e. punishment by withdrawal of resources.


It shouldn't be their decision, it should be the experts' decision.


It gets better. By *what* authority does your expert get to
decide that a LIR should be punished? Deo gratias? It can't be a contractual
obligation, I have no damn contract with some expert...


"RIPE Policies" -- you are trying to discuss if a given policy is 
admissible even during the initial discussion phase...




It's possibly my fault, but (in this long thread) i still fail to read from 
someone that hijacking is not offensive, and thus it should be tolerated by 
the community. I understand you are trying to take this into a grey area by 
comparison with other examples/abuse.


It is quite possible to find "hijacking" offensive and yet to
oppose a dangerous and totalitarian policy.


Dangerous to who exactly?

Totalitarian? It's not one person which would be ruling directly over any 
consequence.


Perhaps with version 2.0 (if you care to read it) you will be able to 
calculate the minimum number of people involved until a LIR closure 
actually becomes possible.



Regards,
Carlos



rgds,
SL





Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-01 Thread Carlos Friaças via anti-abuse-wg


Hi,


On Mon, 1 Apr 2019, Nick Hilliard wrote:


Carlos Friaças wrote on 01/04/2019 16:51:

But let's also focus on two words:

"punishing" -- no, that's not the goal, the goal is to close a clear gap 
and make people understand that hijacking is not tolerated.


The explicit aim of this proposal is that if the expert panel judges that you 
have hijacked prefixes, you will be punished by the RIPE NCC.


...in a *persistent* way.

The same way it happens with lack of payment, or delivering false/forged 
information to the NCC.





https://en.oxforddictionaries.com/definition/punish

"Inflict a penalty or sanction on (someone) as retribution for an offence, 
especially a transgression of a legal or moral code."



"weaponises" -- how?


"weaponises" == turns the registry into something to beat people with, i.e. 
punishment by withdrawal of resources.


It shouldn't be their decision, it should be the experts' decision.



<< Here you might have forgot to comment about "weaponized IXPs" :-) >>




So, rather than talking about how much we want to do something
about BGP hijacking, maybe we should discuss what grounds we'd have
for refusing to deregister resources for things that other people
in the RIPE NCC service region feel constitutes abuse, and where
the line would be drawn?  Let's start with political dissent and
gay rights.


None. But 2019-03 is exclusively about BGP hijacking.


Ok, so you accept that this is the thin end of the wedge and that if the RIPE 
community were to accept this proposal, we would have no grounds - none - to 
argue against other people who propose withdrawal of resources for things 
that they find offensive.


No. Anyone proposing anything would have to go through the PDP.

For me "jurisdiction" (and lack of agreement throughout the region) would 
be enough, as arguments.


It's possibly my fault, but (in this long thread) i still fail to read 
from someone that hijacking is not offensive, and thus it should be 
tolerated by the community. I understand you are trying to take this into 
a grey area by comparison with other examples/abuse.



Regards,
Carlos

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-31 Thread Carlos Friaças via anti-abuse-wg




On Sun, 31 Mar 2019, Richard Clayton wrote:

(...)

I meant that the experts cannot ever be absolutely certain that their
evaluation is correct -- though of course they can be correct in their
nuanced assessment.


I've been thinking about Cynthia Revstrom's argument, and now i'm thinking 
if unanimity between all experts in every case is a needed "feature".





In the summer of last year, 2018, I took steps to point out, in a very public
way, on the NANOG mailing list, two notable hijacking situations that came
to my attention *and* also to identify, by name, the actors that were quite
apparently behind each of those.  In neither of those instances was there
ever even any serious attempt, by either of the relevant parties, to refute
-any- of my very public allegations.


If they had refuted the allegations then it would have become rather
complicated and it would have come down to one entity's word against
another and perhaps the examination of documentary evidence of what
arrangements had been authorised (and then perhaps forensic assessment
of the authenticity of those documents).


Afaik, some allegations were made in response to Mr.Krebs questions, 
however, as far as i've seen ASNs sourcing hijacks and the direct transit 
ASN kind of vanished some days later.




Some BGP hijacking cases have been prosecuted on the basis of the
forging of documents rather than on the hijack per se.


Really? in courts? i'll be very interested to know in which jurisdictions.

I don't have any doubt that if someone hijacks a prefix or sub-prefix from 
a mobile operator, consequences in justice should be unavoidable... But 
regarding Internet prefixes (or ASN) i'm really unaware of any case.




I agree that it can be pretty clear what has gone on and the accused
then helpfully acts in such a way as to make it clear to everyone that
they were "guilty" (or individual peers assess the situation from their
own standpoint and decide that they do not have an obligation to carry
the traffic).


If peers share their routing view publicly (i.e. peering with RIS) then 
anyone should be able to assess :-)





However, it is not necessarily clear at all and writing a policy which
assumes that it will always be clear is in my view unwise.


I don't think this is the case of 2019-03.

Cases/reports where there is insufficient evidence or where there is any 
kind of doubts should be dismissed.


2019-03 aims to create an inexistent rule, that could lead to 
consequences, but it isn't trying to define those consequences are 
mandatory to be implemented in a 1st instance, 2nd instance, 3rd instance 
and so on. That should be left to the already existing concept of 
"repeatedly policy violations"





Assuming that experts will always be able to determine who is at fault
(along with deciding whether an event they know little of is accidental
or deliberate) is to live in a world that I do not recognise.


If they are not able, then a case should be dismissed. Simple as that.



If the policy stopped at the statement that unauthorised BGP hijacking
was unacceptable behaviour then I would be happy with it. Adding all the
procedural stuff about how BGP hijacking will be (easily of course)


We can rephrase/review it in version 2.0.



detected and exotic details about experts and report forms and time
periods is (a) irrelevant to establishing the principle and (b)
cluttered with false assumptions and unhelpful caveats and (c) way too
formalised to survive dealing with some real examples.


Some people seem to want the exact opposite, a process to be detailed 
in its every aspect.



Thanks.

Best Regards,
Carlos




--
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755





Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-31 Thread Carlos Friaças via anti-abuse-wg




Hi,


On Sun, 31 Mar 2019, Richard Clayton wrote:


1) The hijackings you mentioned also affect your customers, right?


I do not believe they did, not all announced space is in use


If third parties could receive any of the customer's space is already bad 
enough. The hijacker could be impersonating the customer towards other 
networks (not necessarily to every network in the world).





2) Do you or your customers report these hijackings (and their impact) to
somebody?


The hijacks only came to light due to feedback about spam sending, where
it turned out to be impossible to identify anyone using the IPs that
were sending the spam. In that sense the reporting was the other way.


Although the victims (third party networks) directed their reports to the 
wrong people -- this is why i'm saying impersonating is an advantage to 
hijackers.





3) Is it in your customers' best interest to do nothing?


I think it's presumptuous to assume that nothing was done. Once it was
understood what was occurring (which took rather longer than I think it
would today) the matter was dealt with and the hijacks ceased


If enough harm was already done...




4) Is it in your customers' best interest to "protect" the lack of rules
about hijacking at registry level?


Rules do not prevent hijacks -- detection and mitigation do


I agree detection and mitigation do, but having no rules is actually 
helping hijackers.





As i understand it, if someone provides the RIR with falsified data


there was no falsified data provided to an RIR in this case


I wasn't clear enough. I'm saying the rule about falsified data exists and 
if someone does that, the RIR is able to act -- today it doesn't have the 
ability to act regarding hijacks!





, they
expose themselves to have a LIR closure (i.e. RIPE-716). Imho, having
this rule in place is protecting the RIR's long term stability -- the
point about 2019-03 is that someone doing persistent intentional hijacks
should be subject to the same "risk".


I have already pointed you towards IXPs once ... that's where this
example was dealt with.


That is precisely another excellent issue. IXPs are by nature "neutral". 
However, if rules are written, one member that announces hijacked routes 
will most likely be shown the door. When that happens the IXP is only 
"enforcing" the rules. In my opinion, the RIR (which also does that in 
other cases of rule breaking) should be doing the same -- but for that the 
rule needs to be in place.





I understand your point about partial visibility. With 2019-03 in place, i
think the incentive for anyone to share their routing view will increase,
as a way of protection -- i see it as "community protection".


this is a new point presented without any evidence whatsoever (albeit I
do agree that having more sensors would improve the detection of some
hijacking events).


That's basically it... more sensors, better "community protection".



The content of routing tables are often not shared
publicly for reasons of perceived commercial confidentiality -- you


It's always a choice not publicly detailing which your neighbors are. I'm 
only saying more public information helps in "detection".





should elaborate why that shyness would be changed by the proposed
policy (especially given the claims made that hijacking is already easy
to understand with the existing sensor network).


I only said it was an incentive to... i'm not suggesting it should be 
mandatory for every network to export info about who actually are their 
neighbors.



Best Regards,
Carlos





--
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755





Re: [anti-abuse-wg] 2019-03 and over-reach -- RIPE-001 document

2019-03-31 Thread Carlos Friaças via anti-abuse-wg


On Fri, 22 Mar 2019, Nick Hilliard wrote:

(...)
Regarding over-reach, the RIPE NCC was instituted as a numbering 
registry and as a supporting organisation for the RIPE Community, whose 
terms of reference are described in the RIPE-1 document.  The terms of 
reference make it clear that the purpose of the RIPE Community and the 
RIPE NCC is internet co-ordination and - pointedly - not enforcement. 


Hi Nick, All,

I understand you are talking about 
https://www.ripe.net/publications/docs/ripe-001


The word "enforcement" is not part of ripe-001.

So, it's not explicitly written as something which is completely out of 
scope. The RIPE NCC (as a supporting organization) is already "enforcing" 
that people abide by rules (i.e. it's against the rules to provide 
falsified information, and even unresponsiveness may lead to a LIR closure 
-- that's what i read from RIPE-716, just to name a few).



Best Regards,
Carlos



Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-31 Thread Carlos Friaças via anti-abuse-wg



On Sat, 23 Mar 2019, Lu Heng wrote:

(...)
And for the record, it's in my short term interest to have that policy 
as we do suffer from time to time hijackings, and I made presentation in 
this working group how more half million of our IP get hijacked for half 
a year. But for the long term stability of the registry, or the internet 
as a whole, in which in all my interest to protect, I really like to see 
community avoid policy like that.


Dear Lu Heng, All,

I suppose you have customers.

What you wrote above makes me wonder about:

1) The hijackings you mentioned also affect your customers, right?

2) Do you or your customers report these hijackings (and their impact) to 
somebody?


3) Is it in your customers' best interest to do nothing?

4) Is it in your customers' best interest to "protect" the lack of rules 
about hijacking at registry level?


As i understand it, if someone provides the RIR with falsified data, they 
expose themselves to have a LIR closure (i.e. RIPE-716). Imho, having 
this rule in place is protecting the RIR's long term stability -- the 
point about 2019-03 is that someone doing persistent intentional hijacks 
should be subject to the same "risk".



I've looked for your presentation, and found it (at RIPE 72). I especially 
like your slide which has: "Hijacker ARE NOT HIDING, THEY ARE RUNNING IT 
LIKE REAL BUSINESS" -- this is an exact quote, uppercase included :-)


At the time you wrote/presented this, did you identify the hijacker(s), 
and were they also operating one or more LIRs?


I understand your point about partial visibility. With 2019-03 in place, i 
think the incentive for anyone to share their routing view will increase, 
as a way of protection -- i see it as "community protection".


Thanks for your input. I hope you can help fine tune the proposal, in a 
way that your concerns about registry (in)stability and Internet as a 
whole (in)stability can be solved.



Best Regards,
Carlos Friaças



Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-30 Thread Carlos Friaças via anti-abuse-wg


Hi Richard, All,

Thanks for your input. Please see inline.


On Sat, 30 Mar 2019, Richard Clayton wrote:


   
   There are already enough sources of historic and almost real-time
   routing data which function as a worldwide observatory. From these
   sources it is possible to accurately evaluate who is performing BGP
   Hijacks and harming (or trying to harm) third party networks by
   doing so.
   

It is not necessarily the case that BGP hijacks will be visible in the
globally collected datasets. what then ?


Then if there is no available proof related to a specific hijack, the case 
should be extremely hard to obtain confirmation from experts (or even 
reach the 2nd round of experts).




Also, where the resources of defunct companies are hijacked then it is
not the routing table which will be key evidence but rather the
paperwork on file at the RIR or elsewhere. There is no discussion of
this aspect of the issue at all (despite it being a major component of
hijack events over the past five years)


If that data is not public, then it could hardly be referenced within a 
report filed with the RIR.. if it is public (through a companies' 
register?), i think it could be referenced so the experts can check.
I think looking at BGP neighbors might also provide some insight. But 
anyway, if there isn't enough evidence, a complaint/report should be 
dismissed.


Do you have any suggestion to improve the process?




   
   The external experts are mere evaluators, who can use available sets
   of routing data to determine whether BGP hijacking events have taken
   place, and whether were intentional.
   

It is NOT possible (for experts or almost anyone else) to accurately
evaluate who is performing BGP hijacks -- for every announcement there
will be at least two networks (AS numbers) who might have done it and
the experts will be using their skill and judgment to guess which of
them is culpable.


I think a report should only point to _one_ specific party. If it points 
to the legitimate holder, then it's logical to dismiss it. If this is not 
the case, then it should be looked into by experts.





Although in many cases it is "obvious" who did it, there is always at
least one other AS on the path who is able to "frame" the suspect and so
the experts are mainly deciding how plausible it is that someone is
being framed


The keyword here should be *persistent*.
If you see several hijacks from the same source...
If not, anyone who is accused should have the opportunity to defend 
itself. The process could (and will) be more detailed, but the checks & 
balances already described were designed in a way that only after 
the ratification phase, an accused party is considered to have done an 
intentional hijack. It's not the accused party who has to prove that they 
didn't do it, it's the evidence that needs to be compelling enough so 
there are no doubts to (a significant amount of) experts that an 
intentional hijack had its origin on the accused party.


But again, let me remind you... a process will primarily depend on a 
report.





   
   The direct upstreams of the suspected hijacker, which facilitate the
   hijack through their networks, may receive a warning the first time.
   Nevertheless, in successive occasions they could be considered by
   the experts, if intentional cases are reproduced, as an involved
   party.
   

This is pretty opaque ... but if it is meant to be read as "global
transit providers are responsible for the behaviour of their customers"
then this is what Sir Humphrey would call a "courageous" approach.


No. Maybe a clarification is needed here, and possibly some rephrasing -- 
a transit provider should receive notices *after* an intentional hijack is 
determined and ratified. The spirit of the text above was to discourage 
people to "owning company A and B to Z, sourcing the hijacks at B and 
provide transit through A, then repeat replacing B with C, D, E, and so 
on... and keeping the transit through A".


We need to find the best wording possible, but "global transit providers" 
and "internet exchange providers" are not seen by the authors as possible 
"accused" parties.
I mean, it's possible that anyone will file a report including companies 
that fall under those categories, but those will most likely be easily 
dismissed by experts.





   
   The expert's investigation, will be able to value relationships
   between LIRs/end users, of the same business groups.
   

How ?


Looking at public companies registries, for once...
"same business groups" could possibly be reworded into "same ownership".




   
   Accidental cases or those that can't be clearly classified as
   intentional, will receive a warning, which may be considered if
   repeated.
   

this is incoherent -- and there does not seem to be any clarity about
what a "warning" means from a consequences point of view


Noted. The text needs more clarity. It means a message should be generated 
to the 

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-25 Thread Carlos Friaças via anti-abuse-wg



Dear Cynthia,


On Mon, 25 Mar 2019, Cynthia Revström wrote:



Hi Carlos,

On 2019-03-24 15:16, Carlos Friaças via anti-abuse-wg wrote:
  "It will not stop determined miscreants" -- even if it stops some, it's 
already something positive, anti-abuse-wise.
  :-))

The thing is that, if you look at it from another direction, if it just does one 
"false positive", I would argue that it
outweighs 100 small hijacks.


I can relate to that argument, while probably 100 different victims would 
be a bit more hard to convince.


Following mostly Toma's constructive arguments we understand the process
needs a lot more detail hardwired into the proposal. Our best attempt to 
control "false positives" in version 1.0 was the last "ratification" knob.





And then we have the other co-author,

On Sat, Mar 23, 2019 at 10:42 PM JORDI PALET MARTINEZ via
anti-abuse-wg  wrote:

I think is very obvious that the experts [..] will make sure that when a 
warning is sufficient

How is that obvious? Answer: it is not obvious, you are just making assumptions.


I think what Jordi meant (coming from the other direction) is a case will 
not reach the policy violation declaration stage.





After looking at this in a bit more detail, my stance on this proposal has to 
be that I strongly object to it.


Understood.




I do feel like the better way to go about this is on a technical level, with 
more things like RPKI and IRR, not this stuff.


This was already touched in the thread. RPKI deployment, unfortunately, is 
still in a very initial phase.


When someone asks me -- how do you know this is a hijack? -- my usual 
answer is: "OK, if they are the rightful owners then ask them to add a 
ROA". If they can't... well...


This is something which is not explicitly written, but it should be 
simple to dismiss a wrongfully submitted report -- if the ROA is not in 
place, then the "anomaly" could be fixed by creating one.


So yes, we strongly support RPKI and we will try to embed in v2.0 clauses 
that will clearly support RPKI usage.



On another note, unless all RIRs have a similar policy, then a hijacker 
wouldn't have to be from RIPE, or what if they have gotten hold of a 
legacy ASN.


As i've stated before on this thread, the other four RIRs will also have a 
proposal on their tables.
About legacy resources, the RIR can't de-register anything. The only angle 
i see where they could help contain hijackers is by refusing access to 
services.




My point is that, no matter what the authors intended, I think this 
policy, would stop close to no determined hijackers, and


We hope it might dissuade some of even trying (and we can't measure 
that...), but having *nothing* in place might work like an incentive for 
some.


Gert already suggested a new BCP. I think we'll try that too :-)



probably cause a few "false positives".


That's something we want to eradicate. We need more work and more text.
Any input is welcome!


Best Regards,
Carlos





- Cynthia




Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-24 Thread Carlos Friaças via anti-abuse-wg




Hi,


On Sun, 24 Mar 2019, Nick Hilliard wrote:

(...)
Competition legislation talks about concepts like "dominant position", not 
just strict monopolies.


I sincerely hope the EU doesn't go after RIPE NCC due to this "dominant 
position".



The RIPE NCC is the registry for the addressing market in the RIPE NCC 
service area,


...and beyond, it seems. :-))

Something i need to find out is if the other four RIRs allow companies 
from outside their service region to request resources (IPv6 and ASNs 
mostly, nowadays...) on their region like RIPE NCC does.



so you can't easily avoid dealing with the RIPE NCC if your business is 
located in the RIPE NCC service area and involves something to do with 
internet number resources


H... i do think you can also go to a LIR but then you don't 
get true "independence", which is a downside but it shouldn't be a 
complete show-stopper.


I mean, *today* if company X stops paying RIPE NCC and loses assets (an 
IPv4 /22 and an IPv6 /32 maybe?) they can still go to any LIR that has 
that space available to rent an IPv4 /24 and a bunch of IPv6 /48s through 
a contract, right?




and you want to exercise your fundamental right to conduct business.


In the above case they would still exercise it, but not directly with the 
RIPE NCC.




Also, this is only a complicating factor on top of the objections I raised to 
2019-03 - although from a practical point of view, it likely causes 
catastrophic and inescapable problems for the principals behind the proposal.


I need to re-read all your objections. Thanks for the reminder.


Best Regards,
Carlos



Nick





Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-24 Thread Carlos Friaças via anti-abuse-wg




On Sun, 24 Mar 2019, Sascha Luck [ml] wrote:

(...)

What do feelings have to do with NCC membership? There are many
members of the RIPE NCC I'd rather not share the organisation
with but that is not reason to deny them membership.
:feelsbadman:


It was only a small point about "membership" -- which land registries 
don't have.



Also, i have read allegations about a "monopoly" regarding the service 
region. Afaik, there is a transfer market which contradicts the concept of 
said "monopoly" (i.e. can't get more addresses from the RIR, then go to the 
market).


that's not an "allegation", it is a STATEMENT OF FACT. The "ip
address market" argument is wholly invalid because the transfer
policy clearly states that transfers can only happen to a RIR
member. The only exception is legacy space that was never brought under
RIR authority.


There you have it.. legacy space is part of that address market, hence 
no "monopoly". :-))



Regards,
Carlos



rgds,
SL





Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-24 Thread Carlos Friaças via anti-abuse-wg




Hi Niall, Ronald, All,
(please see inline)


On Sun, 24 Mar 2019, Niall O'Reilly wrote:


On 23 Mar 2019, at 3:12, Ronald F. Guilmette wrote:


These are the land deeds of the Internet.
And they have long since been accepted as such by virtually everyone.


Precisely.

I believe that a condition for their continued acceptance as such
is that the RIPE NCC avoid amalgamating quasi-judicial functions
to its "land-registry" function.

In my country, we have an agency called the Registry of Deeds,
which performs a land-registry function and acts as an agency of
record.  I expect that most other countries have each their own
agency with similar functions.  I am not aware of any which also
has a judicial or disciplinary function.


I'm not sure on how "Registries of Deeds/Land" work in different 
countries, but usually those Registries are not an Association which has 
(all?) its "customers" as members/shareholders.


So, while i think i understand why some people choose to use this analogy, 
RIPE NCC, as a registry has that different characteristic, apart from 
having also a distribution function/role (which land registries don't 
have).


And while a member can feel it shouldn't be part of the same 
org/company/association than (bad?) actors, it doesn't feel right that it 
is that said member that should quit his/her membership.


Also, i have read allegations about a "monopoly" regarding the service 
region. Afaik, there is a transfer market which contradicts the concept of 
said "monopoly" (i.e. can't get more addresses from the RIR, then go to 
the market).




Best regards,

Niall O'Reilly



Great to hear from you Niall!


Best Regards,
Carlos




Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-24 Thread Carlos Friaças via anti-abuse-wg



Gert, Töma, All,


"It will not stop determined miscreants" -- even if it stops some, it's 
already something positive, anti-abuse-wise. :-))


"sanctions are irrelevant for someone who does this on purpose" -- 
sanctions are not specified in 2019-03, but if there will be any at 
some point, the impact will depend on the size of assets that "someone" 
already has gathered (and which part of it can be associated with 
him/her).


"it brings the RIPE NCC into difficult legal territory" -- i will leave 
this for the impact analysis (by the RIPE NCC).



More important than the three details above:

Creating a BCP along the lines you describe is something i can definitely 
support!


I haven't consulted with Jordi about this yet, but i think the BCP is 
something that can be worked in parallel with 2019-03's due course.
To be clear: it wouldn't be "change 2019-03 into a BCP", but "creating a 
new BCP in addition to 2019-03".



Best Regards,
Carlos




On Sun, 24 Mar 2019, Gert Doering wrote:


Hi,

On Sun, Mar 24, 2019 at 02:08:53AM +0100, Töma Gavrichenkov wrote:

E.g. I'm the attacker, I start the hijacking, I continue that for 10
weeks until I'm denied membership.
I don't lose any valuable address space at the time because it's just
IPv6 which is totally disposable.
I then switch to another LIR account I've obtained before, and start
doing the same thing, at a cost of a generous sign-up fee.

What's the value of the 2019-03 proposal then?


This is one of the aspects that makes me really sceptic of the value
of this proposal as written.

It will not stop determined miscreants, because the reaction time is
WAY too long, and the sanctions are irrelevant for someone who does this
on purpose.  So it does not stop, and does not deter, and as such, does
not achieve the stated purpose.

On the other hand, it brings the RIPE NCC into difficult legal territory,
for all the reasons Nick and Sascha have written.

As such, I have decided that I can not support the policy as written,
and change my stance from "neutral" to "object".


Now, I do share the wish to "do something!!" against BGP hijacking.

So, maybe a more workable way forward would be to change this into a BCP
("the RIPE anti-abuse community states with full backing from the RIPE
community that BGP hijacking, as defined in , is considered
unwanted behaviour") - and *then* use that on a commercial/peering basis
among transit ISPs to strengthen the message "we want *you* to filter
your customer BGP sessions, because that's the proper way to run a network!".

Sometimes just agreeing on a written-down message already helps on other
fronts.

Gert Doering
   -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-24 Thread Carlos Friaças via anti-abuse-wg



Hi Töma, All,


Again i think i understand the need to describe each and every detail in 
the next version.



I'm not going to deeply discuss "2021 & IPv6" -- it's something i would 
personally love to see (i think Jordi might even prefer 2020 & IPv6), but 
unfortunately that is almost impossible... :/



About the "another LIR account I've obtained before" bit:

Again, i think a clarification is needed on the proposal -- the 
complaint/report filing mechanism should enable the person filing the 
report to state the actor and all its identifiable "under control" 
companies and resources, meaning:


[LIR list]
.
.
.
.
.

...could all be referenced within a single report.

This, logically, is easier to spot when the actor uses the same name in 
several companies' registrations (even if in different countries' 
registries). Then, if such actors prefer to use registrations in offshore 
places, spotting anything becomes obviously quite difficult. :-(



Regards,
Carlos



On Sun, 24 Mar 2019, Töma Gavrichenkov wrote:


Peace,


A new RIPE Policy proposal, 2019-03, "BGP Hijacking is
a RIPE Policy Violation", is now available for discussion.


Alright, folks, what I'm trying to do now is to stress the conditions.

Let's say it's 2021 and IPv6 is fully deployed, and IPv4 is no more.
[now no one could say I'm pessimistic, right?]

How's that policy supposed to work then?

E.g. I'm the attacker, I start the hijacking, I continue that for 10
weeks until I'm denied membership.
I don't lose any valuable address space at the time because it's just
IPv6 which is totally disposable.
I then switch to another LIR account I've obtained before, and start
doing the same thing, at a cost of a generous sign-up fee.

What's the value of the 2019-03 proposal then?

--
Töma


Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-24 Thread Carlos Friaças via anti-abuse-wg



Hi,
(please see inline)


On Sat, 23 Mar 2019, Ronald F. Guilmette wrote:



In message ,
Nick Hilliard  wrote:


RPKI adoption is now taking off in a big way - see AT&T's recent
announcement and NTT's plans.  Commoditisation of RPKI support for IXP
route servers will be available within weeks.


The AT&T announcement was indeed heartening.

Can you see if you can drag a few IXP people into this conversation (please)?



Nick is part of "IXP people" afaik for a long time. I am too, although i'm 
more into the "IXP security people" set nowadays :-)


In general, i think IXP people will do everything they can to minimize 
hijacker's goals, especially if they receive a complaint from customer X 
saying customer Z is hijacking a prefix and they are announcing it to 
customer X (and possibly other customers).


That's where RPKI and route servers get into the picture -- if hijacked 
prefix announcements were not made directly, RPKI on route servers might 
stop those announcements, and even if RPKI is not applied on route 
servers, they could hold the proof that a hijack was made.


But the main point here about 2019-03 is that RPKI on route servers, or 
even recording all announcements through route servers will not happen 
overnight, and it will not solve hijacks made through direct peerings 
where the receiving end is not discarding the "bad prefix" through RPKI.


Again, there are tools with enough maturity that can be used to protect 
each and every of the 6+ ASNs from hijacks, but the "issue" between 
the chair and a keyboard makes something in the line of 2019-03 still 
needed.





If they all say that this proposal is pointless, and that the problem will
be essentially solved in time for Vappu, then it probably would then be
a reasonable choice to set this on the back burner, just for a bit, to see
how things really shake out.

I think we all understand that just because RPKI support may be available,
that doesn't mean that anybody who hasn't already done so is actually going
to deploy it.  So it would be Good to hear what the actual plans are.



Essentially agreeing with Ronald, i think anyone could also argue that 
people without the ability to use RPKI shouldn't be playing the BGP game, 
but i certainly prefer to think that intentional and persistent hijackers 
shouldn't be allowed (by the community) to keep playing the BGP game. :-)



Best Regards,
Carlos




Regards,
rfg
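
An added example (not part of any message in this thread) of the RFC 6811 route origin validation behind the "ask them to add a ROA" and "RPKI on route servers" remarks above, including a route server that keeps rejected announcements as evidence. The prefixes and AS numbers are constructed from documentation ranges, and all function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix the holder authorises
    max_length: int  # longest prefix length that may be announced
    asn: int         # authorised origin AS (0 means "never announce")


def validate(prefix, origin_asn, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        # A ROA only applies if it covers the announced prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # AS0 ROAs never match; otherwise origin and length must both fit.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"


def route_server_filter(announcements, roas):
    """Drop RPKI-invalid routes, but keep a record of each as evidence."""
    accepted, evidence = [], []
    for peer_asn, prefix, as_path in announcements:
        origin = as_path[-1]  # the origin AS is the last AS in the path
        record = {"peer": peer_asn, "prefix": prefix,
                  "origin": origin, "state": validate(prefix, origin, roas)}
        (evidence if record["state"] == "invalid" else accepted).append(record)
    return accepted, evidence


# Constructed sample data (documentation prefixes and private-use ASNs).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64497),
]
ANNOUNCEMENTS = [
    (64500, "192.0.2.0/24", [64500, 64496]),       # holder's own route
    (64501, "192.0.2.0/24", [64501, 64511]),       # wrong origin AS
    (64501, "2001:db8:1::/48", [64501, 64497]),    # within max_length
    (64501, "2001:db8:1:2::/64", [64501, 64497]),  # more specific than allowed
    (64502, "198.51.100.0/24", [64502, 64511]),    # no ROA exists yet
]


def demo():
    """Run the filter before and after the holder of 198.51.100.0/24 adds a ROA."""
    before = route_server_filter(ANNOUNCEMENTS, ROAS)
    # The rightful holder (assumed to be AS64499) creates a ROA for its space.
    after = route_server_filter(
        ANNOUNCEMENTS, ROAS + [ROA("198.51.100.0/24", 24, 64499)])
    return before, after


if __name__ == "__main__":
    for label, (accepted, evidence) in zip(("before", "after"), demo()):
        print(label)
        for rec in accepted:
            print("  accept", rec)
        for rec in evidence:
            print("  reject", rec)
```

Without a ROA the 198.51.100.0/24 announcement is only "not-found" and passes the filter; once the holder publishes one, the same announcement becomes "invalid" and lands in the evidence list.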





Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-24 Thread Carlos Friaças via anti-abuse-wg



Hi,

It's probably best to state examples using "country X" and "region Y" 
instead of using countries' concrete names.


I think i already used concrete country names at least once during this 
thread and i apologize for that.


ps: if we acknowledge there is a gap in legislation and enforcement why 
shouldn't we engineer something to try to minimize/reduce this gap's 
effects?


Best Regards,
Carlos


On Sat, 23 Mar 2019, Ronald F. Guilmette wrote:



In message <6179dc11-f299-c076-0ae1-2f2d22eb6...@foobar.org>,
Nick Hilliard  wrote:


If there were legislation and enforcement in this area, we wouldn't be
having this conversation.


Yes, actually, we would.

Does anybody really believe that if, for example, Moldova outlawed BGP
hijacking tomorrow *and* if they even started arresting suspects, that
the entire problem would utterly disappear from the entire RIPE region
the day after that?  I think not.  France?  The Netherlands?  Sweden?
No. No. No.  There isn't a single european country whose laws can
bring this plague to an end, nor even any subset of european countries.
The problem no more respects national boundaries than does the influenza
virus.

Furthermore, I very much look forward to the day when one or more BGP
hijackers... or *any* kind of cybercriminal for that matter...  will be
extradited from Russia to stand trial in some less friendly jurisdiction.
But today is not that day.


Regards,
rfg





Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-23 Thread Carlos Friaças via anti-abuse-wg


On Sat, 23 Mar 2019, Töma Gavrichenkov wrote:


Hi all,


Hi,
(will try to keep it short)


(...)

1. As of now, the draft looks like a nice example of "document
designed by a committee".

It's too strict where there's no real need to be strict, and at the
same time too weak where you don't expect it to be weak. E.g. 4 weeks
to report + 4 weeks to investigate + 2 weeks for an appeal give us
solid 10 weeks for an attack to stay there, which is, to put it
gently, a substantial amount of time.


Just two co-authors. The set will grow for proposals in other RIRs. And 
we'll gladly accept help, as Jordi is doing the most of heavy lifting.


If your issue is timescales they can be adapted in subsequent versions. 
What we tried to design here was "due process" with enough "checks & 
balances" embedded.



(...)

2. OTOH the ultimate result (membership cancellation) may be seen as a
very heavy punishment.

In fact in theory this policy could make things worse.


The scenarios you and others mentioned should be run through the process 
and what you call "the ultimate result" should only happen if there is 
absolutely no doubt about the intent and about the 'who'. If company A 
takes control of company B's router (or hires someone to do it) is already 
doing something which in most jurisdictions could fall onto "crime". If 
company A could be identified, then they could/should be the 'who', and 
not company B.


I won't expect this proposal will stop *all* intentional hijackers.
Firstly it will depend on a complaint/report, then it must be crystal 
clear (with all the checks & balances in place) that it was intentional, 
and the hijack was made by person/org X. So if you see bogus routes from 
's ASN coming from somewhere in the world where 
they have no business, that's because someone else is (ab)using their 
ASN...


(I would also like to hear Randy's take on 2019-03, even now before 
version 2)



(...)

3. If I were to design that process, I'd put it in a different way, e.g.:


It's not explicitly written down, but yes, the idea was to have a 
(pre-existing) worldwide pool of experts. The timescales were mostly 
designed expecting it would be possible to build that pool on a voluntary 
basis. So 4 weeks was for a set of experts to agree on the report, 
possibly on their own free time... :-)



Best Regards,
Carlos

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-22 Thread Carlos Friaças via anti-abuse-wg


On Fri, 22 Mar 2019, Töma Gavrichenkov wrote:


On Fri, Mar 22, 2019 at 5:24 PM JORDI PALET MARTINEZ via anti-abuse-wg
 wrote:

It has been already proposed/discussed in every RIR


This is thrilling. What's the idea about dealing with the nine NIRs?
You cannot just deny them membership, right?



Luckily that's an exception we don't need to add to the RIPE proposal :-))

Regards,
Carlos



--
Töma


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-22 Thread Carlos Friaças via anti-abuse-wg


Hi,

We (the co-authors of 2019-03) are planning to do that.

The set of co-authors for those 4 proposals will probably be expanded in 
the other regions.


Those proposals will also benefit from input from the discussion started 
here 3 days ago.


Best Regards,
Carlos


On Fri, 22 Mar 2019, Töma Gavrichenkov wrote:


there has been a trend in recent years to make RIPE policy that
transforms the NCC from a resource registry into a political
agency...



I am a resident and citizen of the United States


Do you have any plans on proposing the same policy for ARIN?

| Töma Gavrichenkov
| gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
| mailto: xima...@gmail.com
| fb: ximaera
| telegram: xima_era
| skype: xima_era
| tel. no: +7 916 515 49 58


Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-22 Thread Carlos Friaças via anti-abuse-wg



On Fri, 22 Mar 2019, Sascha Luck [ml] wrote:

On Fri, Mar 22, 2019 at 12:21:43PM +0100, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
I don't think I've said that if it is really a victim. I know my English is 
bad, but not so terrible!


not you, that was Carlos and he has since clarified what he
meant.

A direct peer I mean here is the provider of the hijacker. Should you 
verify and filter anything that doesn't belong to your customer?


I do because my customers are small-ish and mostly personally
known to me and I can use manual prefix filters. I don't want
to presume as to what is possible or scalable for other networks, nor even 
what they should do.


Please let me add this:

Someone filing a report must identify the source of a hijack.

Sometimes hijackers "simulate" customers, to be able to shake-off any 
queries.


If you can prove you and "your customer" are not the one and the same 
party, the consequence should be zero, because you as a transit provider 
are also being a victim.


And here i would explicitly exclude any "warnings". 3rd parties can't be 
minimally liable for others' wrongdoings -- and currently to some people, 
hijacking is not even part of "wrongdoings".



Regards,
Carlos



rgds,
SL





