Ruediger,
(And everyone else!)
First off, thank you for stimulating lots of useful discussion on 2016-01!
I apologise for my delay in responding to this.
On 28/02/2016 18:38, Ruediger Volk wrote:
Dear colleagues,
I object to passing the policy as proposed.
There is no serious need for the policy,
and at this time and under curent circumstance it would
actually be harmful.
I believe that the supposed good intentions would be better
served by other actions, and the policy focussing on enforcement
is ill advised.
Thank you for your comments. I will admit that I'm unsure on why it
would be harmful, per se, rather than something you don't quite see the
point of.
I understand that the current implementation of the RIPE database allows
legacy holders to enter abuse-c attributes for their legacy resources
if that's currently not possible the required extension of the database
should be discussed (in the approprioate wg) and implementation would NOT
require the PDP (as more drastic changes have been done to the database
- and that extension hardly would contradict existing policy).
No PDP is needed to send friendly invitations to legacy holders to populate
their data objects with abuse-c information;
I'm sure asking the RIPE NCC to do this would not create an undue burden
or serious problem.
Yes, friendly reminders can be sent and obviously many Legacy Resource
Holders have already added an abuse-c: but a policy not only mandates it
(which I do believe is useful in pushing things up everyone's very
crowded priority stack), but it also signals intent more widely.
I admit I'm one of the people who believes that legacy resources are
just numbers and while I have some sympathy for Randy's point of view on
the operation of the registry, I do think we're past the point of only
doing that now.
Enhancing the invitations with some additional information potentially
helpful to the recipients could be considered too:
- some hints/guidance about expected use and support of that mailbox
(active members of the abuse handling community probably will NOT be the
typical recipient! and no injuries are expected if any community member sees
that information:-)
- specific suggestions what to put into the abuse-c field
(whatever the RIPE NCC might use to extrapolate abuse-c from existing data)
The working group should contribute helpful information to be included.
There is an outstanding DB-WG action on the AA-WG that we have not
completed. This is my fault. My previous commitment was to have a draft
of this out before Copenhagen. I will further commit to having this
issued before the end of March 2016. It will be light, but at least if
we have that we can see what else is needed.
We've agreed to this, but I honestly have difficulty seeing how this is
really a blocker. Yes, more discussion is good, more detail is good, but
is there really that much confusion over what is generally expected when
an abuse complaint is sent to your company?
Now we do NOT HAVE TO repeat past errors...
Specifically with legacy resource holders it would be a good idea
for RIPE community and NCC to address them with an inviting and
helpful approach; as there is a sad history of seemingly coercive
and unfriendly communications towards legacy holders.
We're proposing policy here, that needs to be proposed specifically for
this group. I think we should be nice and polite to everyone in the
community, I'm not convinced we need to be more polite to one group than
another at this point. Should all policies now be proceeded by polite
invitations?
REPEATING the error now - even considering the much lower number of
relevant records - is however actually MORE SERIOUS in DAMAGING
the CREDIBILITY of the working group (and as a consequence the RIPE NCCs
position) because of the accumulated history.
More serious?
Repeated requests for information on supposed use und handling of abuse-c
has been answered by pointing out that it is required by a policy
that was consciously created without any such information.
The new policy proposal painfully fits into the sad observation that
the anti-abuse working group as a community has constantly
put effort into enforcing creation and population of abuse-c data
but not (even tried) to provide to the rest of the world helpful
explanations on requirements and expected handling at the requested mailboxes.
That observations leads to the question whether the community is not able to
come up with some helpful explanation or whether it does not care... :-(
In both cases asking for enforcement does seem neither appropriate
nor acceptable and means that the request cannot be taken serious
- bad for the perception of RIPE and RIPE NCC activety by parties
that are not heavily involved in the community processes.
Consider the typical person confronted with a request to define abuse-c:
how deeply is he involved with the anti-abuse working group
(where a common understanding might exist - I consider myself only occassional
observer and not a member and don't know)?
abuse-c: leads to abuse complaints. There is quite a lot of
documentation out there on how to deal with them. abuse-c: generated
complaints are no different. However, yes, this will be worked on, see
above.
The policy content does actually not matter that much - look for a sketch of
a potential harmless implementation approach above in this message.
What matters is appropriate use of the PDP (it can be abused!!!)
and what are good goals of the working group and good ways of achieving them.
The assumed good goals (as I understand it) are
(a) improving quality of abuse-c information in order to
(b) improve abuse reporting and report handling processes and
(c) extending the abuse-c coverage for Internet number resources
in the RIPE NCC registry
The policy proposal references (a) and (b) quite explicitly;
I took the liberty to interpolate (b) which actually seems to be the
primary goal, and it looks like the working group decided that this will
be helped by means of creating distinctly identified mailbox information
to be put into abuse-c.
Well, yes, we already did. This policy was discussed and it reached
consensus. This is not a new policy, it's an attempt to extent the
policy to as many of the resources in the DB as possible. The
implementation details need to be discussed, but is there an issue with
the core idea here?
We have to assume that Internet number resource holders requested
to establish abuse-c
- usually are NOT focussed an abuse handling (different core business:-)
- in many cases are not members of the anti-abuse working
(and unlikely to have insight into undocumented potential consensus views
of the working group or the larger abuse-c activist community)
- in general willing to cooperate
(we really should care for those and help them!
... yes, there are others - from "don't care" to "evil")
I think the percentage of resource holders who are aware of the
existence of the AA-WG is vanishingly small. I wonder, however, if the
number who are aware of the AP-WG or RIPE in general is much bigger?
We're in a bubble here, but I'm not sure what the alternative is?
If they care to ask for helpful information and the answer stays "this is
required by policy, and it consciously declines to explain", they are likely
to conclude that they have to submit to RIPE policies and the policy
makers+process that cannot be taken serious...
Has this been said? If so it's certainly not the stance of the
Co-Chairs, nor should it, imo, be the stance of the working group.
I do not expect to see formal, precise, and exhaustive definition of
requirements and intended/expected use of abuse-c use - that would seem
fairly impossible and certainly would not provide a practical answer
to the issue.
The working group needs to followup it previous abuse-c policy
by starting to create practically useful explanations, before considering
more "enforcement" (actually IMHO all enforcement activety should
[have] be[en] postponed - potentially replaced by friendly invitations).
It may take considerable effort to develope consensus on such
documentation - but is it reasonable to rely on all relevant outside parties
to have the first contact figure out completely on his own and explain
to his management, consultants, service providers, etc... what needs to be
done? (what aggregated cost and what "quality" implications do you expect?)
I will slightly repeat my question from above, is abuse-c: really seen
as something different to other ways in which people have been
sending/receiving abuse complaints for years and years?
It's ok to have working groups that just have internal fun between some
birds of a feather. If a working group feels like making demands
(e.g. policies) to a larger community it should also consider what
support it needs to provide to serve the purposes of that larger community.
I think that's veering into being more than a little unfair, albeit I
am, of course biased!
Thanks for your attention and consideration.
Thank you for your feedback!
Brian
Co-Chair, RIPE AA-WG
Brian Nisbet, Network Operations Manager
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301 tel: +35316609040 fax: +35316603666
web: http://www.heanet.ie/
