Hi Töma,

On 23/3/19 13:25, "anti-abuse-wg on behalf of Töma Gavrichenkov" 
<anti-abuse-wg-boun...@ripe.net on behalf of xima...@gmail.com> wrote:

    Hi all,
    
    > A new RIPE Policy proposal, 2019-03, "BGP Hijacking is
    > a RIPE Policy Violation", is now available for discussion.
    
    Sorry if the issues I'm raising were already addressed somewhere
    around the thread. As of now, I believe it's the size of an average
    fiction book, and I don't quite have enough time to read that.
    
    I also apologize now in advance for abstaining from the discussion at
    some point in future, because in quite the same fashion I won't be
    able to read unnecessarily (and sometimes I believe deliberately) long
    responses. Whoever is planning to win a consensus through exhaustion
    is going to win that anyway.
    
    With that in mind,
    
    
    1. As of now, the draft looks like a nice example of "document
    designed by a committee".
    
    It's too strict where there's no real need to be strict, and at the
    same time too weak where you don't expect it to be weak. E.g. 4 weeks
    to report + 4 weeks to investigate + 2 weeks for an appeal give us
    solid 10 weeks for an attack to stay there, which is, to put it
    gently, a substantial amount of time.
    

Our intent is to "stop" the attack with the claim (not efficient at all), but 
to allow it to be reviewed in order to avoid it in the future, if possible from 
the same actors.

The timing that we described is the "maximum"; maybe we need to add that word in 
every part of the text that talks about timing. I think this provides 
sufficient time to cover even complex cases.

Now, if the community believes that 4 weeks is too much to investigate even a 
more complex case and 2 weeks too much for the hijacker's response, I'm happy to 
drop both by half, if Carlos agrees as well.

    
    2. OTOH the ultimate result (membership cancellation) may be seen as a
    very heavy punishment.

I mentioned this before in a couple of emails and I'm more and more convinced 
that a warning is needed, at least in doubtful cases, before reporting for a 
membership cancellation.
    
    In fact in theory this policy could make things worse.
    Most of the ISPs are very slow in applying security updates to their
    equipment, including border routers. (Also, vendors themselves are not
    quite keeping up as well) Now, say, I'm an ISP who really wants to
    push my competitor out of business. With this policy here's a sequence
    of steps that will win you the market:
    - hire a script kiddie who will break into that company's Mikrotik;
    - announce roughly half of IPv4 address space through that breach just
    for it to be surely on the news;
    - relax and enjoy watching your competition disappearing in no later
    than 2,5 months.
    
    While I would, in my perfect dream, personally support the idea of
    cancelling an LIR membership for not updating one's devices at least
    on a weekly basis, I don't really think this is what the authors of
    the draft were going to propose, and I know quite a few people, Randy
    Bush for starters, whom the authors, to put it mildly, won't probably
    be able to convince.
    
    The example by Warren also deserves attention, and I personally don't
    really anticipate that "won't be too hard to figure out", because
    frankly we're in fact yet to see the hijacking attempts where an
    attacker would be deliberately trying hard to hide their identity.
    
    
    3. If I were to design that process, I'd put it in a different way, e.g.:
    - 2 business days to find experts. Really, four weeks for that?! Yes,
    we know that NCC isn't the most dynamic organization out there, but
    with a pre-populated pool of experts at the current rate of hijacking
    incidents reported to public that shouldn't really be an issue.

In the actual text there is no time to find the experts. The first 4 weeks are 
to select the experts (from a pool already known) and provide the report.

    - 3 business days to investigate and prepare a preliminary report.
    Another 5 business days to continue investigation if necessary, with
    another report at the end. Maybe a third iteration if necessary.
    Immediate membership suspension at the end if the experts decide it's
    necessary to do so now.

So, in total up to here it is what I just said: about 2 weeks instead of 4.

    - A grace period of 8 weeks for the suspected hijacker to collect
    further evidence and provide additional arguments to justify their
    position.

I think that's too much. He will get a notice once the case is reported, 
so he already has the same time as the experts to collect whatever information, 
and then either 1 or 2 additional weeks after the experts' report.

    - An appeal phase of another 8 weeks with ultimate decision and, where
    necessary, membership termination in the end.

We have now in total 6 weeks here (2 weeks to file an appeal, 4 more weeks for 
the next group of experts to reply).
    
    All the numbers above are rough estimations, they are only there to
    showcase the idea:
    - the reaction to *mitigate* should be immediate;
    - the reaction to *penalize* should allow for a large enterprise — or
    a large ISP! — to keep up.

If, once the report is filed, the suspected hijacker gets a notification, he has 
the chance (if the hijack is still "live") to mitigate it.
    
    --
    Töma
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
