Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-30 Thread Carlos Friaças via NANOG




Hi Everyone,

Just a gentle reminder that May 1st is the last day to express 
support for this Open Petition at ARIN's Public Policy Mailing List 
(arin-ppml).


Best Regards,
Carlos



On Fri, 26 Apr 2019, Carlos Friaças via NANOG wrote:



Hi,

Just to let everybody know that a petition was started in order to try to 
enable a policy discussion about "BGP Hijacking is an ARIN Policy Violation".


If you would like to read the proposal, it is available at:
https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/

Discussions are already ongoing at RIPE and LACNIC.

Best Regards,
Carlos

(sorry for the duplicates, if you also receive arin-p...@arin.net)

-- Forwarded message --
Date: Fri, 26 Apr 2019 17:13:12
From: ARIN 
To: arin-p...@arin.net
Subject: [arin-ppml] Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

A petition has been initiated for the following:

ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

This proposal was rejected due to scope at the 10 April meeting of the 
Advisory Council.


Anyone may take part in this petition. Per the Policy Development Process 
(PDP), a successful petition against a rejected Proposal requires the support 
of ten individuals from ten organizations.


To support this petition, simply send a response to the Public Policy Mailing 
list stating your support, name, and organization.


This petition window will remain open for five days, closing 1 May.

If successful, the petition will result in the Board of Trustees considering 
the Proposal's scope at their next meeting.


For more information on the PDP, visit: 
https://www.arin.net/participate/policy/pdp/


Regards,

Sean Hopkins
Policy Analyst
American Registry for Internet Numbers (ARIN)



Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-27 Thread Hank Nussbacher

On 27/04/2019 06:44, William Herrin wrote:
> On Fri, Apr 26, 2019 at 7:48 PM Owen DeLong wrote:
> > Do you honestly believe that hijackings are being committed by ARIN 
> > members or even ARIN resource holders that have signed RSAs with ARIN?
>
> Wasn't Softlayer (an ARIN resource holder) called out on this list 
> about 14 hours ago for hijacking a couple /24s? An honest mistake no 
> doubt but come on man, the hijackings happen.


I don't think the proposal is talking about valid mistakes.  The 
proposal is talking about active, repetitive, BGP hijacking.  If you 
disagree with the proposal, can you state what your proposed solution is 
for BGP hijacks?  What should we as a community do to prevent them from 
happening before some government/int'l agency mandates what they 
consider would be their solution?    Or do we just continue to drumbeat 
MANRS, post major BGP hijacks on NANOG and carry-on as we have for the 
past decade?



-Hank




Regarding the ARIN Advisory Council and ARIN PDP (was: Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation)

2019-04-27 Thread John Curran
On 26 Apr 2019, at 5:49 PM, JORDI PALET MARTINEZ via NANOG wrote:
> ...
> Not only that. I really think they have not invested enough time to read the 
> proposal, check with the authors and then take a decision. We have got some 
> email exchange, but clearly not sufficient. I also must state that the staff 
> has been very helpful and diligent to clarify and support the petition 
> process. Just the point is, should have never been needed, it exposes how bad 
> (in my opinion) is the ARIN AC model.

Jordi - 

I have no views on the particular policy proposal or the petition action, but 
want to be clear regarding some of your characterizations of the ARIN Policy 
Development Process (ARIN PDP).  It is correct that the ARIN Advisory Council 
(a body elected by the ARIN membership) is in charge of administering the 
policy development process, including working with submitters to get their 
proposals accepted as draft policies and revising draft policies based on the 
community discussion. 

In general, policy proposals are discussed at length between the submitter and 
the assigned ARIN Advisory Council (ARIN AC) members, with the goal of making a 
clear and understandable statement of the problem in number resource policy 
that is to be addressed – as that is the required criteria for a Draft Policy.  
Once a policy proposal has a clear problem statement, the ARIN AC accepts it as 
a Draft Policy and it is discussed (often at length) on the ARIN Public Policy 
Mailing List.   The ARIN AC works diligently with submitters to make sure that 
their proposals are clear and adopted as Draft Policies, and this occurs even 
when the assigned AC members don’t necessarily support the merits of the 
particular proposal.   The strength of the ARIN PDP process is that nearly 
anyone can submit an idea for changes to our number resource policy (even with 
no knowledge of ARIN's policy development process) and the ARIN AC becomes 
their advocate in getting a clear draft policy put before the community for 
discussion.   We have had policy proposals made by several segments of the 
Internet community that are not deeply involved in the RIR system or the 
network operator community, but have insight into specific problems in number 
resource policy that they were able to get addressed. 

There is an exception to this process, i.e. a case where the ARIN AC doesn’t 
work on a policy proposal, and it occurs with proposals which lie outside the 
scope of number resource policy.  The ARIN AC does make an initial 
determination of whether the policy proposal is within scope – the reason for 
such an evaluation is to make sure that the community doesn’t spend its time 
working on proposals which aren’t germane to how ARIN administers number 
resources, and I will note the overwhelming majority of policy proposals meet 
this criteria with ease.  Additionally, ARIN’s Policy Development Process 
contains many “checks and balances” to provide for the development of fair and 
impartial policy, and as you are aware, in the case of a policy proposal out of 
scope, there is a petition with a very low threshold (10 supporters) to provide 
for referral to ARIN’s Board of Trustees for review and final determination.  
Having the Board of Trustees handle such determinations makes perfect sense, as 
they are ultimately responsible for determining the scope of ARIN’s mission. 

I understand that your policy proposal has been deemed out of scope, but I’d 
like to point out that such events are a very rare occurrence, and do not 
reflect the circumstances that the vast majority of submitters face when 
working with the ARIN AC and the ARIN Policy Development Process.   You might 
not see the merits of the ARIN Advisory Council administration of ARIN’s policy 
development process, but their efforts are almost universally in support of 
those submitting policy proposals, and the effectiveness of their advocacy 
is demonstrated by the long line of clear, technically sound and useful policy 
changes in the ARIN region. 

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers







Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-27 Thread JORDI PALET MARTINEZ via NANOG
Hi,


On 27/4/19 1:35, "Jared Mauch" wrote:

> On Apr 26, 2019, at 5:49 PM, JORDI PALET MARTINEZ wrote:
> 
> "AP stated that at the LACNIC meeting has discussed it and they dismissed 
> it as out of scope."
> 
> LACNIC will have the first meeting where this topic will be discussed in 
> two weeks from now. How come an AC member can lie such way?
> 
> If I'm an AC member, or any other similar team, I will make sure to 
> inform myself before stating something like that. In this case there is no 
> excuse, you just need to visit a web page for the LACNIC policy proposals, 
> similar in every RIR.
> 
> Then I continue reading this: "AP stated that she believed that the 
> author was using ARIN to solve their problem."
> 
> How come somebody that doesn't know me, can state that?

I’m not going to go in depth on the above comments.  I’ve received at least 
one off-list inquiry and I’ll also assume no explicit malice here, but as you 
point out, it doesn’t smell tide fresh :)

-> And I'm also convinced there is not any malice, but is wrong doing this kind 
of accusations or providing such false information.


The linked AC minutes page does say "These minutes are DRAFT. They have 
been reviewed by the ARIN Advisory Council prior to posting. These minutes will 
remain draft until they are reviewed and approved by the ARIN Advisory Council 
at their next regularly scheduled meeting.”

I have pointed out another area that I consider suspect off-list, I will 
set a calendar item to watch for new minutes to see if they are approved with 
revisions.  Hopefully there’s misunderstandings here, but I’m also not 
confident as much of the conversation seems to have a disjoint with operational 
realities.  (This isn’t anything new with ARIN btw, they’ve long been concerned 
about interacting with systems that are operational as doing that may mean 
staffing for on call or other functions).

I’m hoping to see some updates/corrections to the text, so taking a 
snapshot may be useful to watch for the corrections to the draft minutes.

-> If this is changed in the final minutes, then it will be very suspicious 
that the AC is empowered to change something that in reality happened. I call 
this manipulation and the community needs to be aware of such things if they 
happen. Minutes should reflect the reality of what happened in the meeting. I 
really think the right way is that they use a side note or whatever to ack it 
was mistakes, lack of knowledge, lack of chat with the authors, whatever, but 
never an alteration of the minutes.


I’m also debating if I spend the weekend with family or pinging everyone I 
know on the AC (which is more than one) about these issues.  Either way, I’ll 
pick this up “soon” on my side.

I do consider that abuse of ARIN allocated resources (coke/pepsi for 
numbering or other integers for AS4_PATH) something that ARIN can efforts to 
enforce revocation in the case of violation of the RSA.

- Jared







**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.





Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread Owen DeLong
The policy specifically states that it’s not intended towards honest mistakes, 
but repeated deliberate persistent behavior.

Do you know of any such case involving resource holders that have signed RSAs 
with ARIN or any other RIR for that matter?

Owen


> On Apr 26, 2019, at 20:44 , William Herrin  wrote:
> 
> On Fri, Apr 26, 2019 at 7:48 PM Owen DeLong wrote:
> > Do you honestly believe that hijackings are being committed by ARIN members 
> > or even ARIN resource holders that have signed RSAs with ARIN?
> 
> Wasn't Softlayer (an ARIN resource holder) called out on this list about 14 
> hours ago for hijacking a couple /24s? An honest mistake no doubt but come 
> on man, the hijackings happen.
> 
> -Bill
> 
> -- 
> William Herrin  her...@dirtside.com  b...@herrin.us
> Dirtside Systems . Web:



Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread William Herrin
On Fri, Apr 26, 2019 at 7:48 PM Owen DeLong wrote:
> Do you honestly believe that hijackings are being committed by ARIN
> members or even ARIN resource holders that have signed RSAs with ARIN?

Wasn't Softlayer (an ARIN resource holder) called out on this list about 14
hours ago for hijacking a couple /24s? An honest mistake no doubt but come
on man, the hijackings happen.

-Bill


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread Owen DeLong
> The proposal is “guarantor”, or at least that’s our intent. Is not ARIN 
> taking the decision, is the community by means of experts. We have improved 
> it in the v2 that will be posted in a matter of days in RIPE, but we can’t 
> improve it in ARIN because simply discussing it is not allowed by the AC 
> decision.

This isn’t entirely correct as I understand it.

Any policy or potential policy can be discussed on PPML even if it is not 
actually on the Advisory Council Docket.

You are certainly free to discuss the proposal as well as the petition there.
 
> Now if another ARIN member is misusing your resources (not by an operational 
> mistake, but repeatedly), ARIN is not going to do anything about it?

Do you honestly believe that hijackings are being committed by ARIN members or 
even ARIN resource holders that have signed RSAs with ARIN?

> Is not a problem or ARIN becoming the “routing police”. This has been 
> completely misunderstood by the AC. Is about ARIN making sure that the rights 
> of the members are respected by other members.

Please provide some evidence that this has happened. My understanding is that 
the intentional repetitive hijackings to which you refer are almost always 
(possibly always)  committed by people using not only fraudulent address space, 
but also fraudulent ASNs.

> Without clear rules, other members can do whatever they want with resources 
> allocated to another member.

I’m pretty certain that’s already clear from the RSA…

Section 2 of RSA version 12.0 / LRSA Version 4.0 covers this reasonably well:

2. CONDITIONS OF SERVICE

(a) Compliance. In receiving or using any of the Services, Holder must comply 
with the Service Terms.

(b) Provision of Services and Rights. Subject to Holder’s on-going compliance 
with its obligations under the Service Terms, including, without limitation, 
the payment of the fees (as set forth in Section 4), ARIN shall (i) provide the 
Services to Holder in accordance with the Service Terms and (ii) grant to 
Holder the following specified rights:

(1) The exclusive right to be the registrant of the Included Number Resources 
within the ARIN database;

(2) The right to use the Included Number Resources within the ARIN database; and

(3) The right to transfer the registration of the Included Number Resources 
pursuant to the Policies.

Holder acknowledges that other registrants with ARIN have rights that intersect 
or otherwise impact Holder’s rights and/or use of the Included Number 
Resources, including, but not limited to, other registrants benefiting from 
visibility into the public portions of registrations of the Included Number 
Resources as further described in the Policies. 

(c) redacted — not relevant here and long
(d) Prohibited Conduct By Holder. In using any of the Services, Holder shall 
not: (i) disrupt or interfere with the security or use of any of the Services; 
(ii) violate any applicable laws, statutes, rules, or regulations; or (iii) 
assist any third party in engaging in any activity prohibited by any Service 
Terms.


What does the policy proposal offer in terms of rules that aren’t already 
enshrined in the above text?

Your claim is that without clear rules, there is a problem. I claim we have 
clear rules that go as far as your policy and that the problem isn’t RIR 
members in general anyway, but bad actors who are generally NOT RIR members.
  
> Additionally, a question of scope does arise with regard to which resources 
> ARIN would be able to enforce any such policy with regard to.  Indeed, the 
> proposal as written currently calls for a "pool of worldwide experts" despite 
> being a proposal submitted to an RIR which is explicitly not worldwide in 
> scope.  For example, if a network with an ASN assigned by ARIN is "hijacking" 
> address space that is allocated by APNIC (or any other RIR) to an entity 
> outside of ARIN's region, would this be an issue for ARIN to consider?  What 
> if ARIN-registered address space is being "hijacked" by an entity with a RIPE 
> ASN and which is not located within ARIN territory?  I suspect that for this 
> proposal to have any meaningful enforcement mechanisms, it would require 
> inter-RIR cooperation on enforcement, and that's a very large can of worms.  
> Not one that is impossible to overcome, but likely one which will require 
> several years of scrutiny, discussion, and negotiation prior to any real 
> world implementation.  
>  
> This has been clarified in v2 that I mention before, to be publish in RIPE. 
> The idea is that the claim is done in the region where the hijacker is a 
> member (assuming that we get the policy going thru all the regions).

And also assuming that the hijacker is a member of any RIR at all… A dubious 
claim, IMHO.

> Right, we have a more complete v2 with many procedural details, which we 
> can’t even discuss in ARIN, and obviously the idea of the PDP is to allow the 
> policy proposals to be discussed until we reach a text that we can

Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread Suresh Ramasubramanian
Even among the network security community the number of people who track bgp 
hijacks and gather data is quite small yet such people do exist and have been 
active in speaking for this proposal when the same thing was discussed on the 
ripe anti abuse wg to an expected chorus of "we are not the internet police"

--srs

From: NANOG  on behalf of JORDI PALET MARTINEZ via 
NANOG 
Sent: Saturday, April 27, 2019 3:58 AM
To: Jon Lewis
Cc: North American Network Operators' Group
Subject: Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy 
Violation

It may happen that the end of the discussion is, instead of a group of experts, 
we need something different, or may be a compensation for them is needed, or 
instead of a complex policy we need a simple one, in the line of:
"The resources are allocated for the exclusive use of the recipient. 
Consequently, other members can't use them (unless authorized by the legitimate 
resource-holder) and not following this rule is a policy violation".






Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread Owen DeLong
> I personally support the petition. I think the out of scope reasoning is 
> flawed. By enforcing minimum assignment sizes, ARIN has long acted as a 
> gatekeeper to the routing system, controlling who can and can not 
> participate. For better or worse, that puts the proposal in scope.

Speaking only for myself and not as a representative of the ARIN AC…

I believe this is a distortion of the realities of the situation and of the 
history.

ARIN actually led the charge to lengthen the maximum IPv6 prefix accepted by 
ISPs (from /32 all the way to /48).

ARIN prefix size limits have almost always been equal to or longer than those 
accepted by a majority of providers on the internet and in almost all cases 
where those limits changed, ARIN changed first, with providers changing as a 
result of the pressure that created.

As to how those were decided within the ARIN process, please note that it was 
community consensus that drove those changes (and resisted them in the earlier 
days). Nonetheless, the reason for having those limits had to do with how ARIN 
was managing the resources on behalf of the community. Any impact or lack 
thereof on the routing table was a secondary effect. The policy was in scope 
because it affected how ARIN managed the registry.

The current proposal doesn’t actually affect any action ARIN takes in managing 
the registry. It attempts to expand the scope of ARIN’s mission to include some 
vague form of policing routing. It doesn’t provide any real information about 
how this new mission should be accomplished, nor does it take into account the 
fact that since ARIN controls only a small handful of routers, it has little to 
no ability to make any decisive or useful action in this regard. It seems to 
assume that those hijacking resources are ARIN members (or at least ARIN 
resource holders who signed an RSA subjecting them to ARIN policy).

It is utterly untested waters as to whether ARIN has any ability to take any 
action against a party that hasn’t got a contract with ARIN for violating the 
rights of a party that does have a contract with ARIN. To be useful, this 
policy would, IMHO, need to somehow empower ARIN to do that. I am not a lawyer, 
but I doubt such empowerment can come from anything short of regulation, thus 
certainly out of scope of ARIN policy.

I agree with Bill that such empowerment would not be a good thing anyway, so 
it’s not like I want to see that regulation come about, but until it does, I 
don’t see an in-scope effect from this proposal.

Owen



Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread Jared Mauch



> On Apr 26, 2019, at 5:49 PM, JORDI PALET MARTINEZ 
>  wrote:
> 
> "AP stated that at the LACNIC meeting has discussed it and they dismissed it 
> as out of scope."
> 
> LACNIC will have the first meeting where this topic will be discussed in two 
> weeks from now. How come an AC member can lie such way?
> 
> If I'm an AC member, or any other similar team, I will make sure to inform 
> myself before stating something like that. In this case there is no excuse, 
> you just need to visit a web page for the LACNIC policy proposals, similar in 
> every RIR.
> 
> Then I continue reading this: "AP stated that she believed that the author 
> was using ARIN to solve their problem."
> 
> How come somebody that doesn't know me, can state that?

I’m not going to go in depth on the above comments.  I’ve received at least one 
off-list inquiry and I’ll also assume no explicit malice here, but as you point 
out, it doesn’t smell tide fresh :)

The linked AC minutes page does say "These minutes are DRAFT. They have been 
reviewed by the ARIN Advisory Council prior to posting. These minutes will 
remain draft until they are reviewed and approved by the ARIN Advisory Council 
at their next regularly scheduled meeting.”

I have pointed out another area that I consider suspect off-list, I will set a 
calendar item to watch for new minutes to see if they are approved with 
revisions.  Hopefully there’s misunderstandings here, but I’m also not 
confident as much of the conversation seems to have a disjoint with operational 
realities.  (This isn’t anything new with ARIN btw, they’ve long been concerned 
about interacting with systems that are operational as doing that may mean 
staffing for on call or other functions).

I’m hoping to see some updates/corrections to the text, so taking a snapshot 
may be useful to watch for the corrections to the draft minutes.

I’m also debating if I spend the weekend with family or pinging everyone I know 
on the AC (which is more than one) about these issues.  Either way, I’ll pick 
this up “soon” on my side.

I do consider that abuse of ARIN allocated resources (coke/pepsi for numbering 
or other integers for AS4_PATH) something that ARIN can efforts to enforce 
revocation in the case of violation of the RSA.

- Jared





Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread JORDI PALET MARTINEZ via NANOG
RSA (https://www.arin.net/about/corporate/agreements/rsa.pdf) clearly states 
that the services are subject to the terms and conditions stated in the policy 
manual.

 

There is explicit text in case of lack of payment. Not so clear what to do if 
there is a policy violation, but it looks like at a minimum, you will not get 
further services neither further resources.

 

Bylaws 
(https://www.arin.net/about/corporate/bylaws/#bylaws-of-american-registry-for-internet-numbers-ltd)
 don’t explicitly talk about the obligations of members. This may be related to 
US law, that you don’t need to explicitly say that behavior against other 
members is forbidden. In some countries, it is evident that if a member of an 
association is not following the rules (policies) or is acting against the 
rights of other members, it can be expelled.

 

As I said before, we may need another policy proposal to state what to do.

 

Why a different policy proposal? Because the same policy section must be 
related to other policy violations (may be with warnings in case of policy 
violations and resource recovery only in extreme cases or repetitive 
misbehavior – this is the case in RIPE), if that’s not clear already in the 
bylaws, US laws, or RSA.

 

For me, it is obvious that an association MUST protect members about *any* 
misbehavior of other members. 


Regards,

Jordi

 

 

 

On 27/4/19 0:58, "NANOG on behalf of William Herrin" wrote:

 

On Fri, Apr 26, 2019 at 2:36 PM Jon Lewis  wrote:

Maybe I missed it in the proposal, but I don't see that it actually says 
what ARIN will do other than produce a report "Yep, our expert panel says 
this is hijacked.".  What's the expected result (other than the report)? 
i.e. What action is ARIN expected to take after it's determined a route 
advertisement is a hijacking that will make a difference?

 

Tough question! If the author's petition succeeds so he's not cut off at the 
knees by the Advisory Council's out-of-scope ruling, I'll look forward to 
hearing how he answers.

 

Regards,

Bill Herrin

 

 

-- 

William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 






Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread William Herrin
On Fri, Apr 26, 2019 at 2:36 PM Jon Lewis  wrote:

> Maybe I missed it in the proposal, but I don't see that it actually says
> what ARIN will do other than produce a report "Yep, our expert panel says
> this is hijacked.".  What's the expected result (other than the report)?
> i.e. What action is ARIN expected to take after it's determined a route
> advertisement is a hijacking that will make a difference?
>

Tough question! If the author's petition succeeds so he's not cut off at
the knees by the Advisory Council's out-of-scope ruling, I'll look forward
to hearing how he answers.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread JORDI PALET MARTINEZ via NANOG
A policy proposal typically is not perfect when submitted.

However, not having the discussion, doesn't allow to improve it and maybe then, 
reach consensus.

It may happen that the end of the discussion is, instead of a group of experts, 
we need something different, or may be a compensation for them  is needed,  or 
instead of a complex policy we need a simple one, in the line of:
"The resources are allocated for the exclusive use of the recipient. 
Consequently, other members can't use them (unless authorized by the legitimate 
resource-holder) and not following this rule is a policy violation".


On 27/4/19 0:08, "Jon Lewis" wrote:

On Fri, 26 Apr 2019, JORDI PALET MARTINEZ wrote:

> The intent is to clearly state that this is a violation of the policies.
>
> The membership documents/bylaws or the RSA, your account may be closed. 
> I looked at it when adapting the policy from RIPE to ARIN, don't have 
> this information right in my mind, but I'm sure it was there.
>
> Otherwise, if needed another policy should state something like "if you 
> keep violating policies" this and that may happen. This should be 
> something generic for *any* policy violation not in general. We have 
> this in RIPE and LACNIC, and I'm also convinced that in APNIC and 
> AFRINIC (still working on those versions).

Not swip'ing your IPs is also a violation of the agreement, but until you 
go back to ARIN for more IPs (oops, they're out), that's not an issue.  I 
see this policy as pointless as written because it doesn't say that ARIN 
will take any action other than publishing an opinion.  I think you're 
also assuming there's a pool of experts standing by willing to investigate 
every alleged hijacking (for free?).  Maybe there are.  If there aren't, 
or once they get tired of investigating allegations, what then?


--
  Jon Lewis, MCP :)  |  I route, therefore you are
  http://www.lewis.org/~jlewis/pgp for PGP public key









Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread Jon Lewis

On Fri, 26 Apr 2019, JORDI PALET MARTINEZ wrote:


The intent is to clearly state that this is a violation of the policies.

The membership documents/bylaws or the RSA, your account may be closed. 
I looked at it when adapting the policy from RIPE to ARIN, don't have 
this information right in my mind, but I'm sure it was there.


Otherwise, if needed another policy should state something like "if you 
keep violating policies" this and that may happen. This should be 
something generic for *any* policy violation not in general. We have 
this in RIPE and LACNIC, and I'm also convinced that in APNIC and 
AFRINIC (still working on those versions).


Not swip'ing your IPs is also a violation of the agreement, but until you 
go back to ARIN for more IPs (oops, they're out), that's not an issue.  I 
see this policy as pointless as written because it doesn't say that ARIN 
will take any action other than publishing an opinion.  I think you're 
also assuming there's a pool of experts standing by willing to investigate 
every alleged hijacking (for free?).  Maybe there are.  If there aren't, 
or once they get tired of investigating allegations, what then?



--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread JORDI PALET MARTINEZ via NANOG
By the way, even if ARIN (or the community) decides to do *nothing* in case of 
a policy violation, clearly the victim will have a better situation to defend 
the case in courts, and not rely on the judgement of inexperienced folks that 
will know nothing about what is an Internet Resource, BGP, etc., etc.

Regards,
Jordi
 
 

On 27/4/19 0:03, "NANOG on behalf of JORDI PALET MARTINEZ via NANOG" wrote:

The intent is to clearly state that this is a violation of the policies.

The membership documents/bylaws or the RSA, your account may be closed. I 
looked at it when adapting the policy from RIPE to ARIN, don't have this 
information right in my mind, but I'm sure it was there.

Otherwise, if needed another policy should state something like "if you 
keep violating policies" this and that may happen. This should be something 
generic for *any* policy violation not in general. We have this in RIPE and 
LACNIC, and I'm also convinced that in APNIC and AFRINIC (still working on  
those versions).

Regards,
Jordi
 
 

On 26/4/19 23:41, "NANOG on behalf of Jon Lewis"  wrote:

On Fri, 26 Apr 2019, William Herrin wrote:

> On Fri, Apr 26, 2019 at 9:41 AM Matt Harris  wrote:
>   Can you (or someone else on the list, perhaps even someone who
>   was involved in voting this down) provide some more details as to
>   why it was rejected?
> 
> 
> Hi Matt,
> 
> As I understand it (someone with better knowledge feel free to
> correct me) the proposal was ruled out of scope for ARIN because ARIN
> registers numbers, it doesn't decide how they're allowed to be routed.
> ISPs do that.
> 
> I personally support the petition. I think the out of scope reasoning
> is flawed. By enforcing minimum assignment sizes, ARIN has long acted
> as a gatekeeper to the routing system, controlling who can and can not
> participate. For better or worse, that puts the proposal in scope.
> 
> I personally think it's for worse. I oppose the proposal itself. I'd
> just as soon ARIN not act as a gatekeeper to BGP and certainly don't
> want to see it expand that role.

Maybe I missed it in the proposal, but I don't see that it actually says 
what ARIN will do other than produce a report "Yep, our expert panel says 
this is hijacked.".  What's the expected result (other than the report)? 
i.e. What action is ARIN expected to take after it's determined a route 
advertisement is a hijacking that will make a difference?

Anecdotally, ARIN has, in the past, gotten involved in this sort of thing. 
Many years ago, during an acquisition that went sour at the last minute, 
the reneging seller went to ARIN complaining that we were hijacking his 
IP space.  ARIN contacted our upstreams and pressured them to pressure us 
to stop advertising the IP space.  Perhaps there's no official policy, and 
perhaps they wouldn't do this today without one?

--
  Jon Lewis, MCP :)   |  I route
  |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_





Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread JORDI PALET MARTINEZ via NANOG
The intent is to clearly state that this is a violation of the policies.

The membership documents/bylaws or the RSA, your account may be closed. I 
looked at it when adapting the policy from RIPE to ARIN, don't have this 
information right in my mind, but I'm sure it was there.

Otherwise, if needed another policy should state something like "if you keep 
violating policies" this and that may happen. This should be something generic 
for *any* policy violation not in general. We have this in RIPE and LACNIC, and 
I'm also convinced that in APNIC and AFRINIC (still working on  those versions).

Regards,
Jordi
 
 

On 26/4/19 23:41, "NANOG on behalf of Jon Lewis"  wrote:

On Fri, 26 Apr 2019, William Herrin wrote:

> On Fri, Apr 26, 2019 at 9:41 AM Matt Harris  wrote:
>   Can you (or someone else on the list, perhaps even someone who
>   was involved in voting this down) provide some more details as to
>   why it was rejected?
> 
> 
> Hi Matt,
> 
> As I understand it (someone with better knowledge feel free to
> correct me) the proposal was ruled out of scope for ARIN because ARIN
> registers numbers, it doesn't decide how they're allowed to be routed.
> ISPs do that.
> 
> I personally support the petition. I think the out of scope reasoning
> is flawed. By enforcing minimum assignment sizes, ARIN has long acted
> as a gatekeeper to the routing system, controlling who can and can not
> participate. For better or worse, that puts the proposal in scope.
> 
> I personally think it's for worse. I oppose the proposal itself. I'd
> just as soon ARIN not act as a gatekeeper to BGP and certainly don't
> want to see it expand that role.

Maybe I missed it in the proposal, but I don't see that it actually says 
what ARIN will do other than produce a report "Yep, our expert panel says 
this is hijacked.".  What's the expected result (other than the report)? 
i.e. What action is ARIN expected to take after it's determined a route 
advertisement is a hijacking that will make a difference?

Anecdotally, ARIN has, in the past, gotten involved in this sort of thing. 
Many years ago, during an acquisition that went sour at the last minute, 
the reneging seller went to ARIN complaining that we were hijacking his 
IP space.  ARIN contacted our upstreams and pressured them to pressure us 
to stop advertising the IP space.  Perhaps there's no official policy, and 
perhaps they wouldn't do this today without one?

--
  Jon Lewis, MCP :)   |  I route
  |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_









Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread JORDI PALET MARTINEZ via NANOG
Not only that. I really think they have not invested enough time to read the 
proposal, check with the authors and then take a decision. We have got some 
email exchange, but clearly not sufficient. I also must state that the staff 
has been very helpful and diligent to clarify and support the petition process. 
Just the point is, should have never been needed, it exposes how bad (in my 
opinion) is the ARIN AC model.

Some details:

This is absolutely fake:
"AP stated that at the LACNIC meeting has discussed it and they dismissed it as 
out of scope."

LACNIC will have the first meeting where this topic will be discussed in two 
weeks from now. How come an AC member can lie in such a way?

If I'm an AC member, or any other similar team, I will make sure to inform 
myself before stating something like that. In this case there is no excuse, you 
just need to visit a web page for the LACNIC policy proposals, similar in every 
RIR.

Then I continue reading this: "AP stated that she believed that the author was 
using ARIN to solve their problem."

How come somebody that doesn't know me, can state that?

In my country, at least, this is an illegal (criminal) act (slander, ad 
hominem, etc.), unless you can prove that what you're suggesting is *actually 
true*.

I don't want to make a problem with that or even consider to go to courts with 
the case, but I really think that before saying that from someone, you must 
talk to him before.

I'm a very open and transparent guy, and I *never ever* did a policy proposal 
for *any* personal or even business motivation. I did that because if I 
discover an issue, and I believe I can contribute to resolve it and it will be 
good for the community, I just go for it. Even in several occasions my own 
proposal has been ***against*** my personal point of view and when I presented 
those policies I *clearly* stated that (for example when I was presenting 
policy proposals in all the 5 RIRs for IPv6 PI and I can find the videos if 
somebody doubts what I'm saying).

And by the way, I'm not new on this. A month ago, during the IETF meeting in 
Prague, somebody asked me how many proposals I've submitted to all the RIRs 
(since my first one around 2003 or so). I didn't know, no idea at all, so I 
decided to count them, and then I discovered that I authored over 75 (a few of 
them with other co-authors). And this isn't including an average of 3-4 
versions of each one, or many other documents in IETF (and the "n" number of 
versions of each one as well).

I do this at the cost of my own personal pocket for traveling to the RIR 
meetings, I contribute as much as I can with tutorials, workshops, 
presentations, all kind of documents, articles, sharing my *own* time. So, 
reading that is really exasperating and frustrating.

And just to be clear, let me state that I don't have anything against anyone in 
the AC or ARIN. In fact, I've been always convinced that the AC model for the 
PDP in ARIN is a bad one, and this is demonstrating that. Authors and community 
lose the control on a policy proposal at some point (and in this case is even 
rejected before starting).

Speaking in general, even if a proposal doesn't reach consensus, I'm sure any 
open discussion is always very productive and can bring new ideas, or new 
approaches to the problem.

In the Internet RIRs system, I don't think we need a kind of "representative 
democracy". The community is able to use, in any of the 5 RIRs, a very simple 
process to work on achieving (or not) consensus in policy proposals: a mailing 
list.

Regards,
Jordi
 
 

On 26/4/19 22:35, "NANOG on behalf of Jared Mauch"  wrote:

There are factual errors in the ARIN meeting minutes. It really is a 
disservice that people on the AC don’t have facts about ARIN and the function 
of their routing registry (for example).

It would be good if the ARIN AC had people that were more aware of the 
functions ARIN provides. 

If you control vote of resources by ARIN I encourage you to use this as 
part of your process. 

Sent from my iCar

> On Apr 26, 2019, at 12:47 PM, Joe Provo  wrote:
> 
>> On Fri, Apr 26, 2019 at 11:41:18AM -0500, Matt Harris wrote:
>> [snip]
>> Can you (or someone else on the list, perhaps even someone who was involved
>> in voting this down) provide some more details as to why it was rejected?
>> What were the arguments in favor of rejecting the proposal?  This seems
>> like an interesting idea to me, and one that I can't immediately come up
>> with any arguments against from my own perspective.  There's probably some
>> room for discussing and tuning specifics, but ultimately the concept seems
>> reasonable to me.  What am I missing here?
> 
> Speaking solely for myself, it would be reasonable to start
> any discussion based upon the on-record rationales for its
> rejection.  As such I would direct interested parties to the 
> Draft Advisory Cou

Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread Matt Harris
On Fri, Apr 26, 2019 at 4:37 PM Jon Lewis  wrote:

>
> Anecdotally, ARIN has, in the past, gotten involved in this sort of thing.
> Many years ago, during an acquisition that went sour at the last minute,
> the reneging seller went to ARIN complaining that we were hijacking his
> IP space.  ARIN contacted our upstreams and pressured them to pressure us
> to stop advertising the IP space.  Perhaps there's no official policy, and
> perhaps they wouldn't do this today without one?
>

I would argue that action without an explicit official policy that outlines
the circumstances under which what action is taken is just asking for
awkward situations to arise.

- Matt


Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread Jon Lewis

On Fri, 26 Apr 2019, William Herrin wrote:


On Fri, Apr 26, 2019 at 9:41 AM Matt Harris  wrote:
  Can you (or someone else on the list, perhaps even someone who was 
involved in voting this down) provide some more details as to why it was 
rejected?


Hi Matt,

As I understand it (someone with better knowledge feel free to correct me) the 
proposal was ruled out of scope for ARIN because ARIN registers numbers, it 
doesn't
decide how they're allowed to be routed. ISPs do that. 

I personally support the petition. I think the out of scope reasoning is 
flawed. By enforcing minimum assignment sizes, ARIN has long acted as a 
gatekeeper to the
routing system, controlling who can and can not participate. For better or 
worse, that puts the proposal in scope.

I personally think it's for worse. I oppose the proposal itself. I'd just as 
soon ARIN not act as a gatekeeper to BGP and certainly don't want to see it 
expand that
role. 


Maybe I missed it in the proposal, but I don't see that it actually says 
what ARIN will do other than produce a report "Yep, our expert panel says 
this is hijacked.".  What's the expected result (other than the report)? 
i.e. What action is ARIN expected to take after it's determined a route 
advertisement is a hijacking that will make a difference?


Anecdotally, ARIN has, in the past, gotten involved in this sort of thing. 
Many years ago, during an acquisition that went sour at the last minute, 
the reneging seller went to ARIN complaining that we were hijacking his 
IP space.  ARIN contacted our upstreams and pressured them to pressure us 
to stop advertising the IP space.  Perhaps there's no official policy, and 
perhaps they wouldn't do this today without one?


--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread Jared Mauch
There are factual errors in the ARIN meeting minutes. It really is a disservice 
that people on the AC don’t have facts about ARIN and the function of their 
routing registry (for example).

It would be good if the ARIN AC had people that were more aware of the 
functions ARIN provides. 

If you control vote of resources by ARIN I encourage you to use this as part of 
your process. 

Sent from my iCar

> On Apr 26, 2019, at 12:47 PM, Joe Provo  wrote:
> 
>> On Fri, Apr 26, 2019 at 11:41:18AM -0500, Matt Harris wrote:
>> [snip]
>> Can you (or someone else on the list, perhaps even someone who was involved
>> in voting this down) provide some more details as to why it was rejected?
>> What were the arguments in favor of rejecting the proposal?  This seems
>> like an interesting idea to me, and one that I can't immediately come up
>> with any arguments against from my own perspective.  There's probably some
>> room for discussing and tuning specifics, but ultimately the concept seems
>> reasonable to me.  What am I missing here?
> 
> Speaking solely for myself, it would be reasonable to start
> any discussion based upon the on-record rationales for its
> rejection.  As such I would direct interested parties to the 
> Draft Advisory Council Meeting minutes from April 10
> https://www.arin.net/about/welcome/ac/meetings/2019_0410/
> 
> and most specifically on that page
> "16. ARIN-Prop-266: BGP Hijacking is an ARIN Policy Violation"
> 
> Cheers,
> 
> Joe
> 
> -- 
> Posted from my personal account - see X-Disclaimer header.
> Joe Provo / Gweep / Earthling 



Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

2019-04-26 Thread JORDI PALET MARTINEZ via NANOG
On 26/4/19 20:25, "NANOG on behalf of Matt Harris"  wrote:

 

On Fri, Apr 26, 2019 at 12:49 PM William Herrin  wrote:

I personally support the petition. I think the out of scope reasoning is 
flawed. By enforcing minimum assignment sizes, ARIN has long acted as a 
gatekeeper to the routing system, controlling who can and can not participate. 
For better or worse, that puts the proposal in scope.

 

I personally think it's for worse. I oppose the proposal itself. I'd just as 
soon ARIN not act as a gatekeeper to BGP and certainly don't want to see it 
expand that role. 

 

A couple of things spring to mind here now that I've given this a few more 
minutes' thought.  I agree with your reasoning as to why it makes sense for 
this to be considered in scope for ARIN.  

 

As far as expanding roles goes... Over the past few decades, we've all watched 
as the internet became less and less "wild wild west" and more and more 
controlled (sometimes centrally, sometimes in a more or less decentralized way) 
by various organizations and entities.   In various and sundry ways, bad actors 
could get away with plenty of things in 1990 that they cannot so easily today.  
It may be the case that this problem will be "solved" in some way by someone, 
but that "someone" may end up being a less engaged community or a less 
democratic organization than ARIN is.  Ultimately, ARIN does a better job than 
some other internet governance bodies of promoting stakeholder and community 
interaction and some degree of democracy.  We have to consider the question: if 
some organization is going to expand into this role, is it better that ARIN be 
the organization to do so instead of one which may be ultimately less 
democratic and more problematic?  

 

Exactly, one of our thoughts (as co-authors) is: if we do nothing, some other 
governmental bodies will take care of it, even courts, taking irrational 
judgments.

 

One major problem with the proposal, having given it a couple of minutes 
thought, that I can see as of now would be enforcement being dependent on 
knowing whom the perpetrator is.  If I decide to announce to some other 
networks some IP space owned by Carlos, but I prepend Bill's ASN to my 
announcement, how does Carlos know that I'm the bad actor and not Bill?  Having 
good communication between network operators to determine where the issue 
actually lies is critical.  Unfortunately, that doesn't always happen.  When we 
talk about leveraging ARIN's authority or potentially applying penalties of any 
sort to bad behavior, we have to be able to be certain whom the bad actor is so 
that the penalties are not inappropriately applied to an uninvolved or innocent 
third party.  

 

The proposal is “guarantor”, or at least that’s our intent. It is not ARIN taking 
the decision, it is the community by means of experts. We have improved it in the 
v2 that will be posted in a matter of days in RIPE, but we can’t improve it in 
ARIN because simply discussing it is not allowed by the AC decision.

 

One thing to clarify, is that the policy is basically saying something that is 
written in all the RIRs documents: “if you get resources from us, you have the 
exclusive right to use them or your authorized customers”.

 

Now if another ARIN member is misusing your resources (not by an operational 
mistake, but repeatedly), ARIN is not going to do anything about it?

 

In any membership association, members are bound to the rules (policies in the 
case of RIRs), and members can’t act against the rights of OTHER members. If 
you don’t follow the rules, you can get a warning, or even lose your 
membership. If you go to courts because you lost your membership, courts will 
confirm “you have not followed the rules, so the association has the right to 
get you out”.

 

It is not a problem of ARIN becoming the “routing police”. This has been 
completely misunderstood by the AC. It is about ARIN making sure that the rights 
of the members are respected by other members.

 

And again, it must be clear that it is intentional, not a mistake, not fat 
fingers.

 

Without clear rules, other members can do whatever they want with resources 
allocated to another member.

 

Additionally, a question of scope does arise with regard to which resources 
ARIN would be able to enforce any such policy with regard to.  Indeed, the 
proposal as written currently calls for a "pool of worldwide experts" despite 
being a proposal submitted to an RIR which is explicitly not worldwide in 
scope.  For example, if a network with an ASN assigned by ARIN is "hijacking" 
address space that is allocated by APNIC (or any other RIR) to an entity 
outside of ARIN's region, would this be an issue for ARIN to consider?  What if 
ARIN-registered address space is being "hijacked" by an entity with a RIPE ASN 
and which is not located within ARIN territory?  I suspect that for this 
proposal to have any meaningful enforcement mechanisms, it would require 
inter-RIR cooperat

Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread Carlos Friaças via NANOG




Hi,
(please see inline)


On Fri, 26 Apr 2019, Matt Harris wrote:

(...)

As far as expanding roles goes... Over the past few decades, we've all watched as 
the internet became less and less "wild wild
west" and more and more controlled (sometimes centrally, sometimes in a more or 
less decentralized way) by various organizations
and entities.   In various and sundry ways, bad actors could get away with 
plenty of things in 1990 that they cannot so easily
today.  It may be the case that this problem will be "solved" in some way by someone, but 
that "someone" may end up being a less
engaged community or a less democratic organization than ARIN is.  Ultimately, 
ARIN does a better job than some other internet
governance bodies of promoting stakeholder and community interaction and some 
degree of democracy.  We have to consider the
question: if some organization is going to expand into this role, is it better 
that ARIN be the organization to do so instead of
one which may be ultimately less democratic and more problematic?  


Good point. The same goes for RIPE NCC, LACNIC, AFRINIC and APNIC...



One major problem with the proposal, having given it a couple of minutes 
thought, that I can see as of now would be enforcement
being dependent on knowing whom the perpetrator is.  If I decide to announce to 
some other networks some IP space owned by
Carlos, but I prepend Bill's ASN to my announcement, how does Carlos know that 
I'm the bad actor and not Bill?  Having good
communication between network operators to determine where the issue actually 
lies is critical.  Unfortunately, that doesn't
always happen.  When we talk about leveraging ARIN's authority or potentially 
applying penalties of any sort to bad behavior, we
have to be able to be certain whom the bad actor is so that the penalties are 
not inappropriately applied to an uninvolved or
innocent third party.  


There are various sources of public routing data. But yes, sharing 
more routing views will increase the capacity to look at cases...


An uninvolved innocent third party should be able to show it was 
uninvolved (either by pointing out to public routing data, or by providing 
their own routing views if needed...)


In any case, if there is reasonable doubt, a case should always be 
dismissed.





Additionally, a question of scope does arise with regard to which resources 
ARIN would be able to enforce any such policy with
regard to.  Indeed, the proposal as written currently calls for a "pool of worldwide 
experts" despite being a proposal submitted
to an RIR which is explicitly not worldwide in scope.  For example, if a network with an 
ASN assigned by ARIN is "hijacking"
address space that is allocated by APNIC (or any other RIR) to an entity 
outside of ARIN's region, would this be an issue for
ARIN to consider?  What if ARIN-registered address space is being "hijacked" by 
an entity with a RIPE ASN and which is not
located within ARIN territory?  I suspect that for this proposal to have any 
meaningful enforcement mechanisms, it would require
inter-RIR cooperation on enforcement, and that's a very large can of worms.  
Not one that is impossible to overcome, but likely
one which will require several years of scrutiny, discussion, and negotiation 
prior to any real world implementation.  


Yes, this needs to be in place in every RIR to maximize effectiveness.

The idea of a "pool of worldwide experts" was to allow any RIR to use 
people from the same (larger) pool.




Ultimately, I don't think I can support a proposal this vague, either.  For 
something like this I think we need a lot more
objective language and a lot more specifics and details.  We must make policies 
easy to comply with, and at all costs avoid
vagueness which may allow for anything less than completely fair and objective 
enforcement - regardless of how simple the
concept may seem to us on the outset.  


Your comment is pretty much in line with some comments opposing version 1.0 
in RIPE. Hopefully version 2.0 will be published next week. And it's a bit 
more "extensive" regarding details... :-)



Regards,
Carlos




Take care,
Matt





Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread Matt Harris
On Fri, Apr 26, 2019 at 12:49 PM William Herrin  wrote:

> I personally support the petition. I think the out of scope reasoning is
> flawed. By enforcing minimum assignment sizes, ARIN has long acted as a
> gatekeeper to the routing system, controlling who can and can not
> participate. For better or worse, that puts the proposal in scope.
>
> I personally think it's for worse. I oppose the proposal itself. I'd just
> as soon ARIN not act as a gatekeeper to BGP and certainly don't want to see
> it expand that role.
>

A couple of things spring to mind here now that I've given this a few more
minutes' thought.  I agree with your reasoning as to why it makes sense for
this to be considered in scope for ARIN.

As far as expanding roles goes... Over the past few decades, we've all
watched as the internet became less and less "wild wild west" and more and
more controlled (sometimes centrally, sometimes in a more or less
decentralized way) by various organizations and entities.   In various and
sundry ways, bad actors could get away with plenty of things in 1990 that
they cannot so easily today.  It may be the case that this problem will be
"solved" in some way by someone, but that "someone" may end up being a less
engaged community or a less democratic organization than ARIN is.
Ultimately, ARIN does a better job than some other internet governance
bodies of promoting stakeholder and community interaction and some degree
of democracy.  We have to consider the question: if some organization is
going to expand into this role, is it better that ARIN be the organization
to do so instead of one which may be ultimately less democratic and more
problematic?

One major problem with the proposal, having given it a couple of minutes
thought, that I can see as of now would be enforcement being dependent on
knowing whom the perpetrator is.  If I decide to announce to some other
networks some IP space owned by Carlos, but I prepend Bill's ASN to my
announcement, how does Carlos know that I'm the bad actor and not Bill?
Having good communication between network operators to determine where the
issue actually lies is critical.  Unfortunately, that doesn't always
happen.  When we talk about leveraging ARIN's authority or potentially
applying penalties of any sort to bad behavior, we have to be able to be
certain whom the bad actor is so that the penalties are not inappropriately
applied to an uninvolved or innocent third party.

Additionally, a question of scope does arise with regard to which resources
ARIN would be able to enforce any such policy with regard to.  Indeed, the
proposal as written currently calls for a "pool of worldwide experts"
despite being a proposal submitted to an RIR which is explicitly not
worldwide in scope.  For example, if a network with an ASN assigned by ARIN
is "hijacking" address space that is allocated by APNIC (or any other RIR)
to an entity outside of ARIN's region, would this be an issue for ARIN to
consider?  What if ARIN-registered address space is being "hijacked" by an
entity with a RIPE ASN and which is not located within ARIN territory?  I
suspect that for this proposal to have any meaningful enforcement
mechanisms, it would require inter-RIR cooperation on enforcement, and
that's a very large can of worms.  Not one that is impossible to overcome,
but likely one which will require several years of scrutiny, discussion,
and negotiation prior to any real world implementation.

Ultimately, I don't think I can support a proposal this vague, either.  For
something like this I think we need a lot more objective language and a lot
more specifics and details.  We must make policies easy to comply with, and
at all costs avoid vagueness which may allow for anything less than
completely fair and objective enforcement - regardless of how simple the
concept may seem to us on the outset.

Take care,
Matt


Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread William Herrin
On Fri, Apr 26, 2019 at 9:41 AM Matt Harris  wrote:

> Can you (or someone else on the list, perhaps even someone who was
> involved in voting this down) provide some more details as to why it was
> rejected?
>

Hi Matt,

As I understand it (someone with better knowledge feel free to correct me)
the proposal was ruled out of scope for ARIN because ARIN registers
numbers, it doesn't decide how they're allowed to be routed. ISPs do that.

I personally support the petition. I think the out of scope reasoning is
flawed. By enforcing minimum assignment sizes, ARIN has long acted as a
gatekeeper to the routing system, controlling who can and can not
participate. For better or worse, that puts the proposal in scope.

I personally think it's for worse. I oppose the proposal itself. I'd just
as soon ARIN not act as a gatekeeper to BGP and certainly don't want to see
it expand that role.

Regards,
Bill Herrin

-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread Carlos Friaças via NANOG




On Fri, 26 Apr 2019, Matt Harris wrote:


On Fri, Apr 26, 2019 at 11:28 AM Carlos Friaças via NANOG  
wrote:

  Hi,

  Just to let everybody know that a petition was started in order to try
  to enable a policy discussion about "BGP Hijacking is an ARIN Policy
  Violation".

  If you would like to read the proposal, it is available at:
  https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/

  Discussions are already ongoing at RIPE and LACNIC.

  Best Regards,
  Carlos


Hey Carlos,
Can you (or someone else on the list, perhaps even someone who was involved
in voting this down) provide some more details as to why it was rejected?
What were the arguments in favor of rejecting the proposal?  This seems
like an interesting idea to me, and one that I can't immediately come up
with any arguments against from my own perspective.  There's probably some
room for discussing and tuning specifics, but ultimately the concept seems
reasonable to me.  What am I missing here?


Hi,

Sure...

https://www.arin.net/about/welcome/ac/meetings/2019_0410
(Meeting of the ARIN Advisory Council - 10 April 2019)

You can also find the RIPE and LACNIC URLs here:
+ https://www.ripe.net/participate/policies/proposals/2019-03
+ https://politicas.lacnic.net/politicas/detail/id/LAC-2019-5?language=en


Best Regards,
Carlos



Thanks,
Matt





Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread Joe Provo
On Fri, Apr 26, 2019 at 11:41:18AM -0500, Matt Harris wrote:
[snip]
> Can you (or someone else on the list, perhaps even someone who was involved
> in voting this down) provide some more details as to why it was rejected?
> What were the arguments in favor of rejecting the proposal?  This seems
> like an interesting idea to me, and one that I can't immediately come up
> with any arguments against from my own perspective.  There's probably some
> room for discussing and tuning specifics, but ultimately the concept seems
> reasonable to me.  What am I missing here?
 
Speaking solely for myself, it would be reasonable to start
any discussion based upon the on-record rationales for its
rejection.  As such I would direct interested parties to the 
Draft Advisory Council Meeting minutes from April 10
https://www.arin.net/about/welcome/ac/meetings/2019_0410/

and most specifically on that page
"16. ARIN-Prop-266: BGP Hijacking is an ARIN Policy Violation"

Cheers,

Joe

-- 
Posted from my personal account - see X-Disclaimer header.
Joe Provo / Gweep / Earthling 


Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread Matt Harris
On Fri, Apr 26, 2019 at 11:28 AM Carlos Friaças via NANOG 
wrote:

>
> Hi,
>
> Just to let everybody know that a petition was started in order to try
> to enable a policy discussion about "BGP Hijacking is an ARIN Policy
> Violation".
>
> If you would like to read the proposal, it is available at:
> https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/
>
> Discussions are already ongoing at RIPE and LACNIC.
>
> Best Regards,
> Carlos
>

Hey Carlos,
Can you (or someone else on the list, perhaps even someone who was involved
in voting this down) provide some more details as to why it was rejected?
What were the arguments in favor of rejecting the proposal?  This seems
like an interesting idea to me, and one that I can't immediately come up
with any arguments against from my own perspective.  There's probably some
room for discussing and tuning specifics, but ultimately the concept seems
reasonable to me.  What am I missing here?

Thanks,
Matt


Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)

2019-04-26 Thread Carlos Friaças via NANOG



Hi,

Just to let everybody know that a petition was started in order to try 
to enable a policy discussion about "BGP Hijacking is an ARIN Policy 
Violation".


If you would like to read the proposal, it is available at:
https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/

Discussions are already ongoing at RIPE and LACNIC.

Best Regards,
Carlos

(sorry for the duplicates, if you also receive arin-p...@arin.net)

-- Forwarded message --
Date: Fri, 26 Apr 2019 17:13:12
From: ARIN 
To: arin-p...@arin.net
Subject: [arin-ppml] Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN
    Policy Violation

A petition has been initiated for the following:

ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

This proposal was rejected due to scope at the 10 April meeting of the Advisory 
Council.


Anyone may take part in this petition. Per the Policy Development Process 
(PDP), a successful petition against a rejected Proposal requires the support 
of ten individuals from ten organizations.


To support this petition, simply send a response to the Public Policy Mailing 
list stating your support, name, and organization.


This petition window will remain open for five days, closing 1 May.

If successful, the petition will result in the Board of Trustees considering 
the Proposal's scope at their next meeting.


For more information on the PDP, visit: 
https://www.arin.net/participate/policy/pdp/


Regards,

Sean Hopkins
Policy Analyst
American Registry for Internet Numbers (ARIN)