On Thu, Mar 21, 2019 at 11:12:02PM +0100, JORDI PALET MARTINEZ via
anti-abuse-wg wrote:
3) We may need to refine the text, but the suspected hijacker, in case of sponsored
resources, is the suspected hijacker, not the sponsoring LIR (which may not even have
relation to it). However, some people indicated that the direct peer should be also
accountable. I think I also mention this before, one possible option is to tell the
direct peer the first time "this is a warning report", please make sure to
improve your filters.
Now I'm confused. In another post, Carlos indicated that someone
who receives a hijacked prefix is a victim and here they are also
Bad People. I'm not sure what to think about a retributive
proposal that can't even keep the "victims" and the "offenders"
apart.
In this case ("neighbours are bad") it reminds me of a UK law
that punishes not only an illegal immigrant but also the landlord
who fails to refuse to rent them a flat.
rgds,
SL
Regards,
Jordi
???El 21/3/19 22:40, "anti-abuse-wg en nombre de Carlos Fria??as via anti-abuse-wg"
<anti-abuse-wg-boun...@ripe.net en nombre de anti-abuse-wg@ripe.net> escribi??:
On Thu, 21 Mar 2019, Jacob Slater wrote:
> Hello All,
Hi,
Thanks for your input.
> While I am in general support of the proposal?s ideas, I have several
> concerns with regards to the specific implementation.
>
> While the idea of an a complaint form (with teeth) sounds appealing, I
> do not believe submission should be open to everyone. Only the party
> holding rights (as registered in a RIR) should be able to file a report
> regarding their own IP space.
I had thought about that too.
The problem is hijackers tend to hijack space from:
- unallocated space
- companies which are unreachable (bankrupt/closed?)
- networks in conflict (war) zones
A variation of this will be allowing anyone _receiving_ the announcement
of an hijacked prefix to file a complaint/report.
Hijacks don't have to be seen by every network on the planet to be an
hijack...
And those receiving an hijacked prefix are (according to my dictionary)
also victims.
> If everyone is allowed to do so, we run
> several risks, namely that individuals with no knowledge of the
> situation (beyond that viewed in the public routing table) will file
> erroneous reports based on what they believe to be the situation (which
> may not be accurate, as some forms of permission for announcement are
> not documented in a way they could feasibly see).
Well, yes. That's one point... the IRR system is kind of broken. And RPKI,
unfortunately is still taking baby steps. I would say that in case of
doubt, then a rightful owner will be able to create a ROA for the
suspected hijack.......
Some might say NCC staff might act as a filter, before anything reaches
expert's hands. I personally wish that NCC staff is not involved at all.
> Allowing for competent complaints (with teeth) to be filed is a good
> idea; needlessly permitting internet vigilantes to eat management time
> based on a flawed view of the situation is not.
Maybe some automated checks? The reported prefix has a valid ROA, it
matches, so, the complaint is most likely bogus? :-))
> Additionally, while the policy does define a difference between
> accidental and intentional hijacking, it does not differentiate between
> the two with regards to policy violations.
I thought it did, by stating that accidental events are out of scope.
> While some discretion should be left up to the expert, it seems odd to
> include this differentiation without simultaneously explicitly stating
> that accidental hijacking should generally be treated less severely.
Accidental hijacking should never be treated as a policy violation. It
thought that was clear, but probably isn't -- despite section 3.0 and the
summary. Sorry for that. Needs to be addressed in the next version.
> I am by no means attempting to state that constant, unlearned-from
> mistakes should be overlooked; I am merely stating that the odd one-off
> event should be explicitly prohibited from bringing down an entire LIR.
> Fat fingering happens.
Yes, thus "This proposal aims to clarify that an intentional hijack is
indeed a policy violation."
Section 3.0 can be improved.
> Finally, how does the proposed policy apply to sponsored resources
> (ASNs and PI space)? Is an entire LIR to be held accountable for
> sponsoring the resources for users who are otherwise supposed to be
> independent?
In short, no. Unless the "customer" is the LIR itself.
Thanks.
Best Regards,
Carlos
>
> Jacob Slater
>
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains information which may be privileged or
confidential. The information is intended to be for the exclusive use of the
individual(s) named above and further non-explicilty authorized disclosure,
copying, distribution or use of the contents of this information, even if
partially, including attached files, is strictly prohibited and will be
considered a criminal offense. If you are not the intended recipient be aware
that any disclosure, copying, distribution or use of the contents of this
information, even if partially, including attached files, is strictly
prohibited, will be considered a criminal offense, so you must reply to the
original sender to inform about this communication and delete it.
