Hi, > The aim of the 2019-03 proposal, as far as I understand it, is to grant the > RIPE NCC the authority to make formal judgements about alleged abuse of > network resources with the implicit intention that unless the party involved > ends the alleged abuse, the RIPE NCC would enforce the judgement by LIR > shutdown if the alleged infringer were a member, or refusal to provide > service if the alleged infringer were not. > > There are several aspects of this proposal that are pretty disturbing, but > the two that jump out are 1. over-reach by the RIPE Community, 2. > encroachment into the arena of supranational law enforcement. > > I'm not going to go into the technical content of the proposal, despite the > fact that I don't believe it would have any impact whatever on dealing with > the problem of hijacking. Limited companies can be registered for tiny > amounts of money, and it's naive to believe that any actor who is dishonest > enough to engage in persistent bgp hijacking would think twice about > switching from one company to another in a heartbeat, in order to avoid the > consequences of a policy like 2019-03. > > Regarding over-reach, the RIPE NCC was instituted as a numbering registry and > as a supporting organisation for the RIPE Community, whose terms of reference > are described in the RIPE-1 document. The terms of reference make it clear > that the purpose of the RIPE Community and the RIPE NCC is internet > co-ordination and - pointedly - not enforcement. Proposal 2019-03 goes well > outside the scope of what the RIPE Community and the RIPE NCC were > constituted to do, and I do not believe that the Anti Abuse working group has > the authority to override this. > > The second point relates to the long term consequences of the proposal. If > the RIPE Community were to pass this policy, then it would direct the RIPE > NCC to act as both a judiciary and policing agency for internet abuse. > Judgement and enforcement of behaviour are the competence of national > governments, courts and law enforcement agencies, not of private companies. > If the RIPE NCC starts encroaching in this territory, it should expect > national governments and law enforcement agencies to start taking an active > interest in taking control. This scenario would not be beneficial to the > RIPE Community. > > There are other pile of other considerations here, not least whether the RIPE > NCC would have any legal jurisdiction to deregister resources where it had > determined "abuse", and what the legal liability of the company would be if > it were determined that they didn't have jurisdiction to act. > > I don't question the motives of the authors of this proposal - neither of > them has anything but the best of intentions in mind. Regarding BGP > hijacking in general, I've been involved in attempting to deal with many > hijackings over the years and am as frustrated as anyone. Like many other > people in this community, I have also spent a lot of time and effort trying > to deal with the problem from a practical point of view, both in terms of > tooling and deployment standards for IXPs and service providers. > > But, this is not how to handle the problem of BGP hijacking. Even if it had > the slightest possibility of making any difference at a technical level > (which it won't), the proposal would set the RIPE Community and the RIPE NCC > down a road which I believe would be extremely unwise to take from a legal > and political point of view, and which would be difficult, if not impossible > to manoeuver out of.
I fully agree with Nick. BGP hijacking has to be fought, but this is not the way… Cheers, Sander
signature.asc
Description: Message signed with OpenPGP