Re: [anti-abuse-wg] What if a regional Internet Registry organization lost its authority?

2019-02-06 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi,

 

This is just an issue in LACNIC, in all the regions we have similar situations, 
and I believe that if there is a mandatory abuse email, and it is not 
up-to-date, then the LIR is not following the policies, and consequently it is 
not following the service contract, and could get their resources retired, 
because all the services contracts in all the RIRs, if I’m not mistaken, 
enforce following the policies.

 

I’ve a policy proposal on this in several regions (coming on in RIPE as well, 
just need some time to clean it up). Here is the LACNIC version in English:

 

https://politicas.lacnic.net/politicas/detail/id/LAC-2018-5?language=en

 

In APNIC it already reached consensus and is being implemented.


Regards,

Jordi

 

 

 

From: anti-abuse-wg on behalf of Badguys Killer
Date: Wednesday, 6 February 2019, 12:47
To:
Subject: [anti-abuse-wg] What if a regional Internet Registry organization lost 
its authority?

 

Hi,

 

This mail is a follow-up to my previous email "What to do when "abuse" email 
address does not work?" -- a short summary below:

I found some spams sent to my company came from an IP address under Telefonica 
Peru.  I sent a complaint email to the e-address found in WHOIS database, but 
it turned out that the e-address was fake!

 

With the help of people here, I managed to contact "hostmaster" of LACNIC who 
sent an email to someone of Telefonica Peru to request them to update their 
abuse email address.  That email was sent more than two weeks ago.

 

I have just checked but the abuse email address is still not up-to-date.  I 
started to wonder about the real authority of LACNIC over ISP.

 

Can a regional Internet Registry organization like LACNIC apply 
sanction/punishment to ISP if they don't follow International standards?  
Personally, I hope the answer is "yes".

 

But what if these organizations actually have no real authority?  That means 
the Internet is one step forward to anarchy?

 

Hmm, some matter of reflection for our future.



**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicitly authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.



Re: [anti-abuse-wg] Verification of abuse contact addresses ?

2019-03-05 Thread JORDI PALET MARTINEZ via anti-abuse-wg
This is more in the line with the one that I submitted in other regions (coming 
also for RIPE, I think this week or next one), that has been already accepted 
(being implemented) by APNIC:

 

https://www.apnic.net/community/policy/proposals/prop-125

 


Regards,

Jordi

 

 

 

From: anti-abuse-wg on behalf of Fi Shing
Date: Tuesday, 5 March 2019, 12:28
To: "Ronald F. Guilmette",
Subject: Re: [anti-abuse-wg] Verification of abuse contact addresses ?

 

Yes, the verification mechanism they chose to implement was a flop, with no 
input required from address owners.

 

 

In reality, it should be "verify your email address by clicking this link once 
a week or your resources are decommissioned within 24 hours" but alas, that 
would make too much sense.

 

 

abuse.net lists these contacts for mesh digital:

 

ab...@meshdigital.com (for meshdigital.com)

n...@meshdigital.com (for meshdigital.com)

r...@netsumo.com (for meshdigital.com)

 

 

 

 Original Message 
Subject: [anti-abuse-wg] Verification of abuse contact addresses ?
From: "Ronald F. Guilmette" 
Date: Tue, March 05, 2019 8:55 am
To: anti-abuse-wg@ripe.net


Sorry folks, when this topic was discussed, I confess that I wasn't
really paying much attention. So now I am forced to ask: Was someone
going to verify the abuse contact addresses listed in the RIPE WHOIS
data base?

If so, how is that project coming along?

I'll tell you why I ask. It's quite simple really. Some jerk, probably
Mexican, just sent me a spam wherein he was advertising for sale his
list of 18 million "business" email addresses. (I can't quite tell if
those are all supposed to be specifically Mexican email addresses or what...
because the spam was written in Spanish, and I don't speak Spanish.)

https://pastebin.com/raw/dT11krpN

Note that the specific email address of mine that was spammed was one that
I only used in ancient times, and only in conjunction with my activities
on one specific web site. (It obviously leaked somehow.)

The envelope sender address was forged to be my own.

The source IP was 109.68.33.19 as you can see. So naturally, I performed
a RIPE WHOIS query on that IP address and the results I got back indicated
that the contact email address for spam reports was .
So I emailed off a report to that address.

Of course, it bounced back to me immediately as undeliverable.

This causes me to suspect that either (a) that stuff that I thought that
I had seen previously about a project to verify abuse addresses was all
just a bunch of malarkey, or else (b) that project is still unfinished
and perhaps not going all that well.

Could someone please enlighten me and tell me which possibility actually
applies?


Regards,
rfg


P.s. It is annoying enough to have to lookup who the bleep should
receive a report about spamming from their network _and_ to have to
even write such reports, when 9 times out of ten, the sending network
could have easily prevented the spam from even going out. It is just
adding insult to injury when the bloody "official" abuse reporting
address doesn't even actually exist.

And of course, neither meshdigital.com nor meshdigital.net even have
functioning web sites.

Apparently this is all the work of some dolts at a company called heg.com,
in Germany. Do any of you happen to know any of the clueless nitwits
who work there? If so, maybe you could put me in direct touch so that
I could personally apply a much needed clue-by-four.




Re: [anti-abuse-wg] Verification of abuse contact addresses ?

2019-03-08 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Speaking in general and not just about this case.

All the RIRs membership contracts mandate following the policies, otherwise 
there is a contractual breach and the "services" (read resources as well) can 
be canceled/reclaimed. At least, this is my reading.

So, no need to have an explicit text in each "policy" that talks about that. Of 
course, if some policies have that text, it is a good reminder about that.

In some regions, there is a more explicit policy about resource reclamation, 
which helps to define, for example, the period of time for the reclamation, etc.

Regards,
Jordi
 
 

-Original Message-
From: anti-abuse-wg on behalf of Michele Neylon - Blacknight
Date: Friday, 8 March 2019, 22:51
To: Shane Kerr, Fi Shing, "anti-abuse-wg@ripe.net"
Subject: Re: [anti-abuse-wg] Verification of abuse contact addresses ?

Earlier versions of the proposed policy had language that some people took 
to mean that removing resources etc., was a possible escalation. 
I don't think it was originally the intent, though personally I can see 
merit in it being an escalation path. 


--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
 

On 09/03/2019, 06:46, "anti-abuse-wg on behalf of Shane Kerr" wrote:

Fi Shing,

As far as I know there is nothing in any policy about decommissioning 
resources. (I'm not even sure what that would mean in practice...)

I don't think that such a proposal would get consensus in the RIPE 
community, but I am often wrong so if you want this then please submit a 
policy proposal. The RIPE NCC staff, the working group chairs, or some 
friendly community member can help you with this.

Cheers,

--
Shane

On 08/03/2019 22.25, Fi Shing wrote:
> /But Marco's response mentions to *correcting* the contact addresses, not
> just verifying them. That involves working with human beings, so it
> makes sense that it will take a while./
> 
> No it doesn't - that was the whole point of the "change" in the first 
> place, that it was to reduce the amount of verification needed to be 
> done by RIPE. There is a simple automated way to verify the entries - 
> click a link, enter a CAPTCHA, or your resources are decommissioned 
> within 24 hours.
> 
> How much crime can be committed in the months it has taken (and 
> continues to take)?
> 
>  Original Message 
> Subject: Re: [anti-abuse-wg] Verification of abuse contact addresses ?
> From: Shane Kerr
> Date: Fri, March 08, 2019 9:40 pm
> To: anti-abuse-wg@ripe.net
> 
> Fi Shing,
> 
> I'm sure verifying the delivery of 70k e-mails (or however many is in
> the database) can be done in a few hours.
> 
> But Marco's response mentions to *correcting* the contact addresses, not
> just verifying them. That involves working with human beings, so it
> makes sense that it will take a while.
> 
> Cheers,
> 
> --
> Shane
> 
> On 08/03/2019 11.07, Fi Shing wrote:
> > If it takes more than a week to verify your entire database, there is 
> > the first sign that something is wrong with your system.
> > 
> > 
> >  Original Message 
> > Subject: Re: [anti-abuse-wg] Verification of abuse contact addresses ?
> > From: Marco Schmidt <mschm...@ripe.net>
> > Date: Thu, March 07, 2019 10:03 pm
> > To: "Ronald F. Guilmette" <r...@tristatelogic.com>,
> > anti-abuse-wg@ripe.net
> > 
> > Hello Ronald,
> > 
> > We are planning to publish an updated timeline soon.
> > 
> > Ultimately, our implementation will depend on the level of cooperation
> > we ge

Re: [anti-abuse-wg] [routing-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation) to be discussed on Anti-Abuse Working Group Mailing List

2019-03-19 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Andrey,

 

While it looks, at first sight, a very good idea, if a neighbor ASN fails to 
do the filtering (for whatever reason, not necessarily on purpose), should we 
not just “punish” that one, but also next one and so on ?


Regards,

Jordi

 

 

 

From: anti-abuse-wg on behalf of Andrey Korolyov
Date: Tuesday, 19 March 2019, 13:59
To:
Subject: Re: [anti-abuse-wg] [routing-wg] 2019-03 New Policy Proposal (BGP 
Hijacking is a RIPE Policy Violation) to be discussed on Anti-Abuse Working 
Group Mailing List

 

You can find the full proposal at:
https://www.ripe.net/participate/policies/proposals/2019-03

 

Hey WG,

 

out of curiosity, why neighboring ASNs are not carrying any responsibility for 
not filtering out a malicious advertisement from a directly-peered neighbor in 
the proposal? AFAIU most leaks happen because large parties are letting their 
ACL loose, not because some state-backed player decides to take a pick on 
someone else's traffic (though both variants exist). The peer who allows any 
prefix announcement originating from its direct neighbor is no less responsible 
for the hijack as the origin AS itself. 

 

Could you please suggest a possibility to include that kind of relations 
(determined by third parties, as currently stated for hijacker's AS in the 
draft) and measures against a transit/upstream in same manner as they are 
currently defined for a hijacker?

 

Thanks. 




Re: [anti-abuse-wg] [routing-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation) to be discussed on Anti-Abuse Working Group Mailing List

2019-03-19 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Daniel,

Responses below, in-line.

Regards,
Jordi
 
 

-Original Message-
From: anti-abuse-wg on behalf of Daniel Suchy
Date: Tuesday, 19 March 2019, 14:15
To:
Subject: Re: [anti-abuse-wg] [routing-wg] 2019-03 New Policy Proposal (BGP 
Hijacking is a RIPE Policy Violation) to be discussed on Anti-Abuse Working 
Group Mailing List

> Hello,
> my comments:
> - section 4.0: Assessors should be under direct community control
> (voted/approved by community/members), not just defined by NCC.

As we are preparing also the same policy proposal for all the other RIRs, in a 
recent internal discussion we had already considered your point regarding the 
direct community control of the expert's group.

It looks that the authors' agreement, at the time being, is on the direction 
that the RIR manage the procedure for selecting people but it should be done by 
means of a public open call. This is similar to what is done by other folks 
selected by the community.

> - section 4.0 + 7.0 should define minimal number of assessors

Same regarding the number of experts, in the LACNIC proposal we understood that 
should be 3 people, same number for all the incidents, same number in the 
appeal phase (if it comes to that), and if in the future it is determined that 
it is too small, make sure that it is an odd number.

It will be very important for us to understand what other people believe on all 
those issues and possible pros/cons.

> - reported incidents (reported by web-form defined at 4.0) should be
> public, at least some metadata (prefix, offending ASN) to avoid
> duplicate reports - with indication of assessment stage on that list

Making public the data for the reported incident seems a good idea, because 
even if you try to automate avoiding duplicate reports, it not necessarily 
works 100%. Furthermore, one possible idea is to allow to add "more" data to 
existing reports, which will probably facilitate the work of the experts and 
the initial classification in terms of "fat fingers incident" vs "deliberate 
hijack".

> - Daniel

On 3/19/19 1:42 PM, Marco Schmidt wrote:
> Dear colleagues,
> 
> A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy
> Violation", is now available for discussion.
> 
> This proposed policy is of interest to both the Anti-Abuse and Routing
> working groups. The chairs of both these working groups have agreed to
> keep the discussion on one single mailing list to avoid duplication, and
> for formal consideration of the proposal within the RIPE Policy
> Development Process.
> 
> You are therefore requested to share your feedback on this proposal with
> the Anti-Abuse mailing list.
> 
> The goal of this proposal is to define that BGP hijacking is not
> accepted as normal practice within the RIPE NCC service region.
> 
> You can find the full proposal at:
> https://www.ripe.net/participate/policies/proposals/2019-03
> 
> We encourage you to review this proposal and send your comments to
>  before 17 April 2019.
> 
> Kind regards,
> 
> Marco Schmidt
> Policy Officer
> RIPE NCC
> 
> 








Re: [anti-abuse-wg] [routing-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation) to be discussed on Anti-Abuse Working Group Mailing List

2019-03-19 Thread JORDI PALET MARTINEZ via anti-abuse-wg
 

> What I'm trying to say is that *direct* peers are responsible for leaks as well 
> (with un/misconfigured prefix list policy). Any other ASN simply have no strict 
> method and no prior knowledge to determine legitimacy of the prefix announce, 
> it should seem 

Just trying to act as the evil advocate, to know others' opinions.

> obvious. I personally don't believe that introduction of this policy will 
> somehow change behavior of small companies who accidentally causing hijacks 
> from time to time, but for their (larger at most) upstreams/peers the policy 
> violation is something they want to prevent. 

Again, in our LACNIC proposal we have considered that incidental issues will 
also be communicated to those that created the problem, so we can improve the 
situation as time passes.

> Another thing is to determine the existence of the purposeful effort - if we 
> assume that such thing as leaks caused by state-backed providers exist, there 
> is a very small chance that the leak would be represented as non-accidental by 
> its nature and so on, so the policy probably should focus on preventing leaks 
> caused by non-transit or smaller operators by enforcing certain rules on those 
> who may be called transit ones, e.g. those whose business is entirely dependent 
> on proper functioning of their infra.

Clearly this is the difficulty that will have the experts, correctly 
classifying the incidents, and maybe this means that first time for some 
incidents (accidental or not) could not be declared as “on purpose”.

 

On Tue, Mar 19, 2019 at 4:14 PM JORDI PALET MARTINEZ via anti-abuse-wg 
 wrote:

Hi Andrey,

 

While it looks, at first sight, a very good idea, if a neighbor ASN fails to 
do the filtering (for whatever reason, not necessarily on purpose), should we 
not just “punish” that one, but also next one and so on ?


Regards,

Jordi

 

 

 

From: anti-abuse-wg on behalf of Andrey Korolyov
Date: Tuesday, 19 March 2019, 13:59
To:
Subject: Re: [anti-abuse-wg] [routing-wg] 2019-03 New Policy Proposal (BGP 
Hijacking is a RIPE Policy Violation) to be discussed on Anti-Abuse Working 
Group Mailing List

 

You can find the full proposal at:
https://www.ripe.net/participate/policies/proposals/2019-03

 

Hey WG,

 

out of curiosity, why neighboring ASNs are not carrying any responsibility for 
not filtering out a malicious advertisement from a directly-peered neighbor in 
the proposal? AFAIU most leaks happen because large parties are letting their 
ACL loose, not because some state-backed player decides to take a pick on 
someone else's traffic (though both variants exist). The peer who allows any 
prefix announcement originating from its direct neighbor is no less responsible 
for the hijack as the origin AS itself. 

 

Could you please suggest a possibility to include that kind of relations 
(determined by third parties, as currently stated for hijacker's AS in the 
draft) and measures against a transit/upstream in same manner as they are 
currently defined for a hijacker?

 

Thanks. 



Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Hank,
 

On 20/3/19 8:53, "anti-abuse-wg on behalf of Hank Nussbacher" wrote:

On Wed, 20 Mar 2019, Gert Doering wrote:

> Hi,
>
> On Wed, Mar 20, 2019 at 09:06:11AM +0200, Hank Nussbacher wrote:
>> On Tue, 19 Mar 2019, Marco Schmidt wrote:
>>
>> More or less I agree with the proposal.  But what happens after a LIR is
>> found to be violation of the policy?  RIPE NCC puts out a statement "LIR X
>> is in violation of Policy "?  So what?  How does this policy assist
>> stopping the BGP hijack from taking place, even if it takes 1-2 months to
>> handle the paperwork?
>
> Well, that's a subtle twist of the proposal not actually spelled out - a
> LIR found to be in violation of RIPE policies is breaking their contract
> with the NCC (the SSA) and as such can be closed and their resources
> withdrawn.
>
> So that's a fairly effective way to sanction abusive behaviour.

The amount of time that will transpire from the time of abuse and a LIR 
closed and their resources withdrawn can well be in excess of a year if 
not two years.

Is that the end result we are looking for?

If we believe that this is an excessive period of time, we can always draft 
another policy that allows reclaiming resources in case of policy violation in 
a faster way.

In LACNIC there is one for that, I think following that policy will take less 
than 6 months, and of course that can be improved/tailored to our wishes as a 
community.

However, I think it is a separate discussion.

Regards,
Jordi

-Hank
>
> (I haven't decided whether I think this is going to work or do harm, so
> I'm not voicing support or opposition on the proposal itself)
>
> Gert Doering
>-- NetMaster
>






Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Hank, 

On 20/3/19 9:15, "anti-abuse-wg on behalf of Hank Nussbacher" wrote:

On Wed, 20 Mar 2019, Gert Doering wrote:

> Hi,
>
> On Wed, Mar 20, 2019 at 09:53:02AM +0200, Hank Nussbacher wrote:
>>> So that's a fairly effective way to sanction abusive behaviour.
>>
>> The amount of time that will transpire from the time of abuse and a LIR
>> closed and their resources withdrawn can well be in excess of a year if
>> not two years.
>>
>> Is that the end result we are looking for?
>
> I would hope that *having* a way to sanction abusive behaviour would
> deter criminals from doing so in the first place.  Today, not enough

I think we have different expectations from criminals.  I view the criminals 
as ones who analyze every RFC and every standard to determine where they 
can be abused or manipulated for their benefit.  A sanction that would be 
implemented 18 months later would allow the evil LIR enough time to sell 
their resources to some other LIR such that they would not lose such 
resources.

I can figure several possible ways to avoid that.
1) Contractual (not sure if this can be done in a policy) changes to indicate 
that in case of a policy violation, the account becomes frozen immediately, 
until actions to close the account are completed.
2) A modification to the transfers policy that indicates that no transfers can 
be initiated if any of the parties are involved in an investigation for 
policy violation.
3) A specific policy about implications of policy violations.

If instead of that we want explicit text about that in this policy proposal, 
that means possibly a way for slowing down the process, which at the time being 
it seems to me there is a major agreement in favor of doing something. 
Furthermore, having explicit text here means that other policy violations need 
to have their own way, and I think we must have a single path for resolving 
those issues, not one for each possible policy violation case.

Does that make sense ?

Can we agree that it will be better to have this discussion in a separate 
thread/policy proposal, in order to avoid this to be a show-stopper for this 
policy proposal?

Would the chairs allow that thread in this list or suggest an alternative WG 
for a possible policy proposal?

If we reach the conclusion that we should go for a specific policy proposal 
kind of "sanctions in case of policy violations", I will be happy to work on 
that, but I will prefer not being alone and have other co-authors involved as 
well.

-Hank

> people care, and playing havoc with BGP (intentional or accidentally)
> has hardly any consequences at all.
>
> OTOH, these are the questions that make me undecided on the proposal :-)
>
> Gert Doering
>-- NetMaster
>






Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Brian,
 
I'm fine moving that thread to NCC Services and I know how complex that will be.

So, repeating my question to all the participants here:

Can we agree at least that we should not have text regarding that in the policy 
proposal under discussion (also considering Brian's input)?

I hope everybody understands my insistence on this as the authors need to have 
a clear community feeling on that for our new version. 

Regards,
Jordi


On 20/3/19 10:27, "anti-abuse-wg on behalf of Brian Nisbet" wrote:

Jordi,

> -Original Message-
> From: anti-abuse-wg  On Behalf Of


> I can figure several possible ways to avoid that.
> 1) Contractual (not sure if this can be done in a policy) changes to indicate
> that in case of a policy violation, the account becomes frozen immediately,
> until actions to close the account are completed.
> 2) A modification to the transfers policy that indicates that no transfers can
> be initiated if any of the parties are involved in an investigation for policy
> violation.
> 3) A specific policy about implications of policy violations.
> 
> If instead of that we want explicit text about that in this policy proposal, that
> means possibly a way for slowing down the process, which at the time being
> it seems to me there is a major agreement in favor of doing something.
> Furthermore, having explicit text here means that other policy violations
> need to have their own way, and I think we must have a single path for
> resolving those issues, not one for each possible policy violation case.
> 
> Does that make sense ?
> 
> Can we agree that it will be better to have this discussion in a separate
> thread/policy proposal, in order to avoid this to be a show-stopper for this
> policy proposal?
> 
> Would the chairs allow that thread in this list or suggest an alternative WG for
> a possible policy proposal?

Good question, but I think that any policy dealing with changing how the 
NCC should react to policy violations will be... complex. I also don't think 
AA-WG is the right place for such a general policy. So if you, as the author, 
don't wish to insert it into your policy (and I can understand your reasoning 
fully), then I think  a separate policy, likely pointed towards somewhere like 
NCC Services would be more apt.

I would caution that such things are likely to have a large interaction 
with/involvement of the NCC Membership, where such discussions have been very 
divided in the past. I think you and many other people are aware of this, but I 
just wanted to flag it.

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet 
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270




**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicitly authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.







Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Furio,

If we can find a non-contentious way to word it, I will be in favor of this.

Note that in order to speed-up the conversation, the co-authors are not 
coordinating responses, so I mean we don't necessarily agree, but this is part 
of the fun of this discussion!

Regards,
Jordi
 
 

El 20/3/19 12:00, "anti-abuse-wg en nombre de furio ercolessi" 
 escribió:

On Wed, Mar 20, 2019 at 11:01:30AM +0300, Andrey Korolyov wrote:
> >
> >
> > And when everything is made clear, if a report is filed against AS1, AS1's
> > holder might have a problem, so i see a strong reason for not even trying
> > :-)
> >
> >
> Out of interest, take an AS1 with single malicious upstream AS2, what stops
> AS2 to pretend that AS1 has made bogus announcements and make them for its
> own purposes? This situation looks pretty real without RPKI or other
> advertisement strengthening methods, as I could see. How experts are
> supposed to behave in this situation?

This has been seen many times, even chain situations like

 - AS X
 \
   AS 3 - AS 2 - AS 1
 /
 - AS Y

where X and Y are legitimate ISPs, while {1,2,3} is basically a single rogue
entity - or a set of rogue entities closely working together with a common
criminal goal.

In such a setup, AS 1 should be considered as the most "throw-away" resource,
while AS 3 would play the "customer of customer, not my business" role,
and AS 2 would play the  "i notified my customer and will disconnect them
if they continue" role.  When AS 1 is burnt, a new one is made - with 
new people as contacts, new IP addresses, etc, so that no obvious correlation
can be made.  Most of the bad guys infrastructure is in AS 3 and that remains
pretty stable because their bad nature can not be easily demonstrated.

Whatever set of rules is made against hijacking, it should be assumed that
these groups will do everything to get around those rules, and many AS's
can be used to this end.  Since there is no shortage of AS numbers, I 
assume that anybody can get one easily so they can change them as if they
were underwear.

And yes, unallocated AS's in the AS 1 position, announcing unallocated IPs,
have also been seen.  Those are even easier to get :-)

So the ideal scheme to counteract BGP hijacking should be able to climb up
the BGP tree in some way, until "real" ISPs are reached.

Nice discussion!

furio ercolessi













Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread JORDI PALET MARTINEZ via anti-abuse-wg
I agree that we could find a way to refine the text to include also the ASN 
hijacks.

Regards,
Jordi
 
 

El 20/3/19 12:10, "anti-abuse-wg en nombre de Richard Clayton" 
 escribió:

In message ,
Carlos Friaças  writes

>The misuse of AS numbers was not seen (maybe until now...) as a frequent 
>event (and thus a priority), 

Then you have not been looking at various announcements of Chinese
address space and asking yourself whether or not you think that it is
plausible or not that a large Chinese ISP would be buying transit for a
small subset of their space from this small out-of-region hosting
company :-(

>but if someone is (mis)using an AS number 
>that belongs to a third party, then it should also be stated in writing 
>that this practice is a violation of RIPE policy -- and of course, allow a 
>path for the affected party to issue a report about that.

AIUI the current discussion is intended to allow the proposer to refine
what they are proposing...

... in a world where RPKI is gaining some traction, the misuse of AS
numbers (to tag onto hijacked prefixes) is going to become more common.
I can see no reason to separate out this wickedness.

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755












Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Ricardo,

I've the feeling that if you're attacked, you will have some forensic info 
about that, or at least you will need to place a claim to authorities to probe 
it and try to minimize your responsibilities, like in the case of GDPR breach, 
etc..

In fact, if you haven't realized it and still under attack, this kind of policy 
will help you to:
1) Know that your network is being misused by others
2) Engage with the community about that
3) Take the opportunity to learn about how to avoid it

I'm convinced there are sufficient opportunities, thru the process to avoid 
creating a trouble to innocents:
1st initial NCC validation of the info provided
2nd experts evaluation
3rd your response to the expert's report
4th appeal
5th Board ratification

I also believe that when what you describe happens, it will happen to several 
folks (not necessarily at the same time), so experts will consider it. You 
don't think so?

Remember that in the extreme case (this is just life, we like it or not), if 
you are responsible for a network and is being misused "because you did your 
job incorrectly", you are still responsible for the harm caused and even legal 
consequences and damages to third parties. If it was a vulnerability from the 
vendor, you can sue him as well.

Regards,
Jordi
 
 

El 20/3/19 14:36, "anti-abuse-wg en nombre de Ricardo Patara" 
 escribió:

On this line of one ISP trying to make damage to other.

One might abuse a vulnerable router (thousand out there), create a tunnel to it 
and announce hijacked blocks originated from victims ASN.

Both, victim ASN and vulnerable router owner, would be damaged and no traces of 
criminal.
How could they defend themselves to the so called group of experts?

And things in this line had happened already.

Regards,

On 20/03/2019 07:46, furio ercolessi wrote:
> On Wed, Mar 20, 2019 at 11:01:30AM +0300, Andrey Korolyov wrote:
>>>
>>>
>>> And when everything is made clear, if a report is filed against AS1, AS1's
>>> holder might have a problem, so i see a strong reason for not even trying
>>> :-)
>>>
>>>
>> Out of interest, take an AS1 with single malicious upstream AS2, what stops
>> AS2 to pretend that AS1 has made bogus announcements and make them for its
>> own purposes? This situation looks pretty real without RPKI or other
>> advertisement strengthening methods, as I could see. How experts are
>> supposed to behave in this situation?
> 
> This has been seen many times, even chain situations like
> 
>  - AS X
>  \
>    AS 3 - AS 2 - AS 1
>  /
>  - AS Y
> 
> where X and Y are legitimate ISPs, while {1,2,3} is basically a single rogue
> entity - or a set of rogue entities closely working together with a common
> criminal goal.
> 
> In such a setup, AS 1 should be considered as the most "throw-away" resource,
> while AS 3 would play the "customer of customer, not my business" role,
> and AS 2 would play the  "i notified my customer and will disconnect them
> if they continue" role.  When AS 1 is burnt, a new one is made - with
> new people as contacts, new IP addresses, etc, so that no obvious correlation
> can be made.  Most of the bad guys infrastructure is in AS 3 and that remains
> pretty stable because their bad nature can not be easily demonstrated.
> 
> Whatever set of rules is made against hijacking, it should be assumed that
> these groups will do everything to get around those rules, and many AS's
> can be used to this end.  Since there is no shortage of AS numbers, I
> assume that anybody can get one easily so they can change them as if they
> were underwear.
> 
> And yes, unallocated AS's in the AS 1 position, announcing unallocated IPs,
> have also been seen.  Those are even easier to get :-)
> 
> So the ideal scheme to counteract BGP hijacking should be able to climb up
> the BGP tree in some way, until "real" ISPs are reached.
> 
> Nice discussion!
> 
> furio ercolessi
> 
> 







Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Definitively, authors will try to draft something for that, but specific text 
suggestions to the list are always very welcome ! (actually … please do so)

 

At the moment I can think in the line:

 

“Direct peers allowing the hijack thru their networks will be warned the first 
time, but may be considered by the experts evaluation to be a party involved in 
case of subsequent deliberated hijacks cases”


Regards,

Jordi

 

 

 

El 20/3/19 14:58, "anti-abuse-wg en nombre de Andrey Korolyov" 
 escribió:

 

 

 

On Wed, Mar 20, 2019 at 4:36 PM Ricardo Patara  wrote:

On this line of one ISP trying to make damage to other.

One might abuse a vulnerable router (thousand out there), create a tunnel to it 
and announce hijacked blocks originated from victims ASN.

Both, victim ASN and vulnerable router owner, would be damaged and no traces of 
criminal.
How could they defend themselves to the so called group of experts?

And things in this line had happened already.

Regards,

 

That's exactly my point from above for distributing responsibility over things 
that AS may do over its direct peers :)  With example from Furio all ASNs in 
proposed topology could be blamed at once, for example. Determining exact 
topology may be somewhat not trivial, but not as hard as paper relations where 
both sides are claiming their innocence. So, for this version of proposal, I 
rather NAK it because it brings more potential mess than the usefulness against 
bad actors.






Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Sascha, 
 

El 20/3/19 15:14, "anti-abuse-wg en nombre de Sascha Luck [ml]" 
 escribió:

All,

On Tue, Mar 19, 2019 at 01:41:22PM +0100, Marco Schmidt wrote:
>A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy Violation", is now available for discussion.
>The goal of this proposal is to define that BGP hijacking is not accepted as normal practice within the RIPE NCC service region.
>
>You can find the full proposal at:
>https://www.ripe.net/participate/policies/proposals/2019-03

there has been a trend in recent years to make RIPE policy that
transforms the NCC from a resource registry into a political
agency to monitor and prescribe the behaviour of the internet 
industry in the RIPE Service Region by weaponising the NCC
Service Agreement. This I consider harmful to the standing of
the RIPE NCC as an impartial, non-political resource registry. 

This has been one of our main concerns while developing the text, and this is 
why we decided to find the right wording that ensures that is up to external 
experts, not the NCC.

The major point, even if you accept that the NCC has a mandate to
act as a regulatory authority - which I want to state
unequivocally here that I do NOT - against this proposal is that
it is ineffective and a waste of time and membership funding:

1. The procedures for policy violations in the RIPE NCC are
restorative rather than retributive. If the NCC determines that a
policy violation has occurred, the "offender" is given an
opportunity to rectify the situation, if they do so the case is
closed. Only if the "offender" refuses to cooperate or is not
contactable is any further action taken.

I think this can be reconducted in other instances (NCC Services, membership 
agreement, etc.), in order to ensure that you're waived from the first 
violation, but not in subsequent ones.

2. "Resource hijacks" are transient in nature. They persist,
generally, only until the "offender's" neighbours take action.
Yet, 2019-03 proposes a long, convoluted, costly process involving
"experts", reports, appeals and the NCC Board. By the time this
process has run its course, the "resource hijack" in question
will have long faded from memory. So the end result of this
proposed process is that the "offender" gets a report which it
will, in all likelihood, consign to the round archive (ie the
recycling bin).

3. The time of the NCC staff and the Board will have been wasted. So
will have NCC funding which we, as the Membership have to
provide. The "experts" will in all likelihood not work for free
either, indeed a cynic could argue that the main effect of this
proposal is to let some "experts" dip their beak into NCC funds.

4. I want to forestall the inevitable argument here that "we can
make policy to have those evildoers thrown out of the NCC
later!". No, you can't. The SSA and its contents are solely the
domain of the NCC Membership and I sincerely hope that that body
will refuse to ratify any proposal that opens themselves to the
loss of the services of a monopoly provider on the say-so of some
activist randomers on a mailing list. I know which way I would
vote. 

I'm not sure if the membership will really not accept a change as the "1st 
waiver, not 2nd one" that I introduced above. Why membership will support even 
if is a 10% (just to put an exaggerated figure here) of membership acting 
against all the community, which means extra cost for all (including the 
members but not only)?

Regards,
Jordi

5. If there is still any doubt, the above constitutes strenuous
opposition to 2019-03.

rgds,
Sascha Luck












Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-20 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Sascha,

El 20/3/19 16:09, "Sascha Luck [ml]"  escribió:

Hi Jordi,

On Wed, Mar 20, 2019 at 03:45:24PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
>Service Agreement. This I consider harmful to the standing of
>the RIPE NCC as an impartial, non-political resource registry.
>
>This has been one of our main concerns while developing the text, and this
>is why we decided to find the right wording that ensures that is up to external
>experts, not the NCC.

Fallacious. The fact that some expert provides a finding does not
change that it is the NCC that is tasked with "doing something
about it".

The fact that the bank confirms that a member doesn't pay the invoice, doesn't 
mean the NCC  is the "police" they are just following the members/community 
orders, which is the task they are mandated to.

>1. The procedures for policy violations in the RIPE NCC are
>restorative rather than retributive. If the NCC determines that a
>policy violation has occurred, the "offender" is given an
>opportunity to rectify the situation, if they do so the case is
>closed. Only if the "offender" refuses to cooperate or is not
>contactable is any further action taken.
>
>I think this can be reconducted in other instances (NCC Services,
>membership agreement, etc.), in order to ensure that you're waived from the
>first violation, but not in subsequent ones.

FWIW, I would prefer this entire discussion to take place in
ncc-services. The entire effect of this proposal pivots on using
the NCC SSA to achieve some goal and I consider having part of
this debate in aawg and another part in ncc-services a not very
subtle divide-and-conquer approach.

I agree for the "actions" but not the policy proposal itself. Otherwise, ANY 
policy proposal will end up in the same WG, and then we don't need any other WG.

>I'm not sure if the membership will really not accept a change as the
>"1st waiver, not 2nd one" that I introduced above. Why membership will support
>even if is a 10% (just to put an exaggerated figure here) of membership acting
>against all the community, which means extra cost for all (including the
>members but not only)?

I would hope that the Membership would be able to see that a
change in nature of the NCC from (restorative) registry to
(retributive) enforcement agency would be fundamental and very 
dangerous and would *inevitably* fall back on themselves. But 
that is for the membership to decide.

rgds,
Sascha Luck











Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-21 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Sorry a bit congested with work overload since yesterday (I will try to respond 
to other emails later/tomorrow, but this one caught my attention).

I've the feeling that Piotr is looking for a much shorter time frame, and I 
think I will agree.

I'm not ever sure if this is related to Retroactivity, so will need to look if 
it fits better in the previous section.

"A hijacking event will be only considered as a case for the experts while 
persisting or within a maximum period of 6 months since ceased."

Of course, because they will be still in the BGP historical data, and the 
reporting form has recorded them in a database (so to make it clear, I think we 
should allow reporting them, but not opening a case), it helps to determine, if 
they were not reported in time and they get repeated, that either somebody 
really needs help to avoid "fat fingers" again or it is a real/repetitive 
hijack (same folks involved somehow).

This will also be very helpful, I think, for the overall community, and 
may solve some of the other issues that have been discussed up to now.

Regards,
Jordi
 
 

El 21/3/19 11:38, "anti-abuse-wg en nombre de Carlos Friaças via 
anti-abuse-wg"  escribió:


Thanks for the input!

Trying to "retouch" 5.0:

5.0 Retroactivity

Only hijacking events that occur after this policy has been implemented 
are eligible to be considered.

Evidence older than 18 months (counted from the date where a report is 
filed) should be disregarded by experts.


Best Regards,
Carlos


On Thu, 21 Mar 2019, Piotr Strzyzewski wrote:

> On Thu, Mar 21, 2019 at 09:18:02AM +, Carlos Friaças wrote:
>
> Dear Carlos,
>
>> What would be reasonable for you?
>>
>> 2 or 3 years before the date when the report is filed?
>
> I was thinking more about weeks not years. Mostly due to the nature of
> the incident(s) itself. However, I'm not strongly opposed to 2y term.
>
> Piotr
>
> -- 
> Piotr Strzyżewski
> Silesian University of Technology, Computer Centre
> Gliwice, Poland
>










Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-21 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Top posting to make it short.

Not sure to understand "with teeth" (and google didn't help). Please 
understand that there are a lot of people who are not native English, so this 
kind of expressions make it difficult to catch everything.

While, I basically agree with Carlos, have some additional points.

1) I recall there is a form in the NCC web site, that anyone can use, to report 
broken whois data, or I'm mistaken?

2) I think in one of the previous responses, I already indicated that to ensure 
that accidental cases aren't repeated, it is fine to send a "warning" report 
about that, which will hopefully help the community to improve the situation, 
but not considering them a policy violation, and in case of doubt, experts can 
suggest a waiver for the first time.

3) We may need to refine the text, but the suspected hijacker, in case of 
sponsored resources, is the suspected hijacker, not the sponsoring LIR (which 
may not even have relation to it). However, some people indicated that the 
direct peer should be also accountable. I think I also mentioned this before, one 
possible option is to tell the direct peer the first time "this is a warning 
report", please make sure to improve your filters.


Regards,
Jordi
 
 

El 21/3/19 22:40, "anti-abuse-wg en nombre de Carlos Friaças via 
anti-abuse-wg"  escribió:



On Thu, 21 Mar 2019, Jacob Slater wrote:

> Hello All,

Hi,

Thanks for your input.


> While I am in general support of the proposal's ideas, I have several 
> concerns with regards to the specific implementation.
> 
> While the idea of a complaint form (with teeth) sounds appealing, I 
> do not believe submission should be open to everyone. Only the party 
> holding rights (as registered in a RIR) should be able to file a report 
> regarding their own IP space.

I had thought about that too.
The problem is hijackers tend to hijack space from:
- unallocated space
- companies which are unreachable (bankrupt/closed?)
- networks in conflict (war) zones

A variation of this will be allowing anyone _receiving_ the announcement 
of an hijacked prefix to file a complaint/report.

Hijacks don't have to be seen by every network on the planet to be an 
hijack...

And those receiving an hijacked prefix are (according to my dictionary) 
also victims.


> If everyone is allowed to do so, we run 
> several risks, namely that individuals with no knowledge of the 
> situation (beyond that viewed in the public routing table) will file 
> erroneous reports based on what they believe to be the situation (which 
> may not be accurate, as some forms of permission for announcement are 
> not documented in a way they could feasibly see).

Well, yes. That's one point... the IRR system is kind of broken. And RPKI, 
unfortunately is still taking baby steps. I would say that in case of 
doubt, then a rightful owner will be able to create a ROA for the 
suspected hijack...

Some might say NCC staff might act as a filter, before anything reaches 
expert's hands. I personally wish that NCC staff is not involved at all.



> Allowing for competent complaints (with teeth) to be filed is a good 
> idea; needlessly permitting internet vigilantes to eat management time 
> based on a flawed view of the situation is not.

Maybe some automated checks? The reported prefix has a valid ROA, it 
matches, so, the complaint is most likely bogus? :-))


> Additionally, while the policy does define a difference between 
> accidental and intentional hijacking, it does not differentiate between 
> the two with regards to policy violations.

I thought it did, by stating that accidental events are out of scope.



> While some discretion should be left up to the expert, it seems odd to 
> include this differentiation without simultaneously explicitly stating 
> that accidental hijacking should generally be treated less severely.

Accidental hijacking should never be treated as a policy violation. I 
thought that was clear, but probably isn't -- despite section 3.0 and the 
summary. Sorry for that. Needs to be addressed in the next version.


> I am by no means attempting to state that constant, unlearned-from 
> mistakes should be overlooked; I am merely stating that the odd one-off 
> event should be explicitly prohibited from bringing down an entire LIR. 
> Fat fingering happens.

Yes, thus "This proposal aims to clarify that an intentional hijack is 
indeed a policy violation."

Section 3.0 can be improved.


> Finally, how does the proposed policy apply to sponsored resources 
> (ASNs and PI space)? Is an entire LIR to be held accountable for 
> sponsoring the resources for
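
The automated pre-check suggested in the message above (does the reported announcement match a ROA?), sketched as RFC 6811 route origin validation applied to incoming hijack reports. This is an added example, not code from the thread, the proposal or the RIPE NCC; the ROAs, the reports and the disposition labels are constructed, using documentation prefixes and documentation AS numbers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Network      # address block the holder signed
    max_length: int      # longest announcement the holder authorises
    asn: int             # authorised origin; AS0 means "do not route" (RFC 6483)


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, asn)


def validate_origin(prefix: str, origin_asn: int, roas: List[ROA]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        # A ROA is relevant only if it covers the announced prefix.
        if roa.prefix.version != net.version or not net.subnet_of(roa.prefix):
            continue
        covered = True
        # An AS0 ROA never matches any origin, so it can only produce 'invalid'.
        if roa.asn != 0 and roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Hypothetical triage labels; the thread does not define any.
DISPOSITION = {
    # Origin and length match the holder's ROA. Origin validation says nothing
    # about the rest of the AS path, so a forged-origin announcement (the ASN
    # misuse raised earlier in the thread) also lands here.
    "valid": "low-priority",
    # Covered by a ROA but wrong origin, too specific, or AS0.
    "invalid": "forward-to-experts",
    # No ROA at all (unallocated space, unreachable holders): needs other evidence.
    "not-found": "manual-review",
}


def triage(reports: List[Tuple[str, int]], roas: List[ROA]) -> List[Tuple[str, int, str, str]]:
    """Classify each (prefix, origin ASN) report and attach a disposition."""
    rows = []
    for prefix, origin in reports:
        state = validate_origin(prefix, origin, roas)
        rows.append((prefix, origin, state, DISPOSITION[state]))
    return rows


# Constructed sample data (RFC 5737 / RFC 3849 prefixes, RFC 5398 ASNs).
SAMPLE_ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),
    make_roa("2001:db8::/32", 48, 64497),
    make_roa("203.0.113.0/24", 24, 0),      # holder declares the block unrouted
]
SAMPLE_REPORTS = [
    ("192.0.2.0/24", 64496),       # holder's own announcement
    ("192.0.2.0/25", 64496),       # right origin, more specific than max_length
    ("192.0.2.0/24", 64511),       # wrong origin
    ("198.51.100.0/24", 64500),    # no covering ROA
    ("2001:db8:1::/48", 64497),    # within max_length
    ("203.0.113.0/24", 64499),     # covered only by an AS0 ROA
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORTS, SAMPLE_ROAS):
        print("%-18s AS%-6d %-10s %s" % row)
```
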

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-22 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Erik,
 
Using > because for some reason this email is not being automatically 
"quoted" correctly in my email client.

Regards,
Jordi
 
 

El 21/3/19 23:54, "anti-abuse-wg en nombre de Erik Bais" 
 escribió:

Dear WG, 

I've read the proposal and the discussion that has been posted in the last 
couple of days. 

In the current form, I would like to state that I wouldn't support the 
proposal. 

I would like to give some history about BGP hijacks and specifically 2 that 
have been widely published (at least in the Netherlands for 1 in particular..) 
and another one after people found out via Wikileaks (Hacking Team 
involvement). 

The first one was when Bulgarian spammers hijacked IP space of the Ministry 
of Foreign Affairs in the Netherlands..  for more than 10 days.. without the 
Dutch ministry noticing .. BTW. Spamhaus did .. and listed their prefixes along 
with other prefixes from the hijackers. 
The ministry stated the IP space wasn't in use or announced .. at least not 
announced in BGP by them ..  
After the hijack came to surface, a Dutch national newspaper published a 
story about it.. and questions to the responsible minister were asked how / why 
/ who was responsible / why didn't anyone notice etc etc. 


https://www.volkskrant.nl/wetenschap/ip-adressen-ministerie-gekaapt-door-bulgaren~b75ad982/
  ( Dutch article ) 

https://tweakers.net/nieuws/104975/ip-adressen-buza-gekaapt-via-bgp-hijacking.html
  ( Dutch tech site article ) 

The official reaction to Dutch parliament was, that it was too hard to 
prosecute or even find the actual people behind the hijack and they decided not 
to go after them. 
While in fact there was the option to request the administrative 
information known at the RIPE NCC and the AMS-IX where they consumed services 
and had payment details and perhaps even more (both are Dutch entities and 
required to provide the information when asked by the Dutch authorities).   
But perhaps it was just not important enough to look into it and request 
the Bulgarian government to hand over some of their citizens as the Dutch 
government might needed the Bulgarian assistance in 2014/2015 during the 
refugee influx and their support in the EU.  #politics 

Even IF they would have proceeded .. under Dutch law, BGP Hijacking isn't a 
criminal offence and as a result, not directly illegal or criminal.. 
Performing a (D)DOS or breaking into a computer system is.. but BGP 
hijacking as such isn't.   Especially if the IP space wasn't in use.. so 
nothing broke or stopped working .. 


>

There are plenty of "bad" things, especially on the Internet, which are not 
classified as such, but if you go to the courts you will get punished, or at 
least warned. Law is slow to change and adapt to new times.

Let me give an example. Let's suppose "A" has a flat. "A" is renting it to "B". 
"B" is not using it. "C" knows it, so usurps that property. Not just that, but 
is creating trouble for neighbors "X", "Y", "Z", such as smoke from the BBQ and 
too loud music. Even if "A" is not being impacted at all (because "B" still 
pays the bills), what "B" is doing is against law.

* Usurpation is against law.
* Spam is also against law, as is DDoS and many other things (and some of 
them are not classified as "such" by the law, but by comparison, in the 
real-life cases they are considered)
* add here other acts against law that I'm forgetting, I'm sure there are

Law can't cover every possible "example" of "bad actions", which doesn't mean 
they are illegal. Law allows membership organizations, such as RIPE, to setup 
their own by-laws and protect them. Law allows you to enforce by-laws, at a 
minimum with a very simple mechanism: if you don't follow by-laws, you're in 
breach, and we can cancel the membership.

I really think the Dutch government did very badly in not making a court case 
of this, but that's a different debate ...

>

So even if they would get the Bulgarian spammer/hijackers in front of a 
Dutch judge .. the chance was that ... they would walk, because there was no 
harm done .. No law was broken, no system invaded and nothing stopped working . 
. . 

( Full disclosure I'm not a lawyer, but this is the information that I was 
handed at the time.. )  

The Dutch cyber prosecutor wasn't even sure under which section of the 
Dutch Criminal law (Strafrecht) this might fall and he suggested 'perhaps .. 
Art. 161 sexies Sr - https://twitter.com/Byte_Fighter/status/625012729171025920 
) 
That can be found here :  (in Dutch ) 
https://maxius.nl/wetboek-van-strafrecht/artikel161sexies 

Where it mentions ( He who deliberately destroys, damages or disables any 
automated telecommunications work, causes a disturbance in the workings or 
operation of such work, or defeats a safety measure taken in relation to such 
work, shall be punished: ) - * Google Translate transl

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-22 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Sascha,



On 22/3/19 12:07, "anti-abuse-wg on behalf of Sascha Luck [ml]" wrote:

On Thu, Mar 21, 2019 at 11:12:02PM +0100, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
>3) We may need to refine the text, but the suspected hijacker, in case of
>sponsored resources, is the suspected hijacker, not the sponsoring LIR (which
>may not even have relation to it). However, some people indicated that the
>direct peer should be also accountable. I think I also mention this before, one
>possible option is to tell the direct peer the first time "this is a warning
>report", please make sure to improve your filters.

Now I'm confused. In another post, Carlos indicated that someone
who receives a hijacked prefix is a victim and here they are also
Bad People. I'm not sure what to think about a retributive
proposal that can't even keep the "victims" and the "offenders"
apart. 

I don't think I've said that if it is really a victim. I know my English is 
bad, but not so terrible!

A direct peer I mean here is the provider of the hijacker. Should you verify 
and filter anything that doesn't belong to your customer?

If your customer has been able to hack the information so it appears as the 
valid resource-holder, and you configure your prefixes based on that, then you 
are also a victim, as you have no way (the information has been hacked) to know 
in advance that.

In this case ("neighbours are bad") it reminds me of a UK law
that punishes not only an illegal immigrant but also the landlord
who fails to refuse to rent them a flat.

rgds,
SL

>
>
>Regards,
>Jordi
>
>
>
>On 21/3/19 22:40, "anti-abuse-wg on behalf of Carlos Friaças via
>anti-abuse-wg" wrote:
>
>
>
>On Thu, 21 Mar 2019, Jacob Slater wrote:
>
>> Hello All,
>
>Hi,
>
>Thanks for your input.
>
>
>> While I am in general support of the proposal's ideas, I have several
>> concerns with regards to the specific implementation.
>>
>> While the idea of a complaint form (with teeth) sounds appealing, I
>> do not believe submission should be open to everyone. Only the party
>> holding rights (as registered in a RIR) should be able to file a report
>> regarding their own IP space.
>
>I had thought about that too.
>The problem is hijackers tend to hijack space from:
>- unallocated space
>- companies which are unreachable (bankrupt/closed?)
>- networks in conflict (war) zones
>
>A variation of this will be allowing anyone _receiving_ the announcement
>of an hijacked prefix to file a complaint/report.
>
>Hijacks don't have to be seen by every network on the planet to be an
>hijack...
>
>And those receiving an hijacked prefix are (according to my dictionary)
>also victims.
>
>
>> If everyone is allowed to do so, we run
>> several risks, namely that individuals with no knowledge of the
>> situation (beyond that viewed in the public routing table) will file
>> erroneous reports based on what they believe to be the situation (which
>> may not be accurate, as some forms of permission for announcement are
>> not documented in a way they could feasibly see).
>
>Well, yes. That's one point... the IRR system is kind of broken. And RPKI,
>unfortunately is still taking baby steps. I would say that in case of
>doubt, then a rightful owner will be able to create a ROA for the
>suspected hijack...
>
>Some might say NCC staff might act as a filter, before anything reaches
>expert's hands. I personally wish that NCC staff is not involved at all.
>
>
>
>> Allowing for competent complaints (with teeth) to be filed is a good
>> idea; needlessly permitting internet vigilantes to eat management time
>> based on a flawed view of the situation is not.
>
>Maybe some automated checks? The reported prefix has a valid ROA, it
>matches, so, the complaint is most likely bogus? :-))
>
>
>> Additionally, while the policy does define a difference between
>> accidental and intentional hijacking, it does not differentiate between
>> the two with regards to policy violations.
>
>I thought it did, by stating that accidental events are out of scope.
>
>
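
Added example (not part of any message in this thread): the automated check Carlos suggests above, where a reported announcement that matches a valid ROA marks the complaint as most likely bogus, can be sketched as RFC 6811 route origin validation. The ROA list, the prefixes and AS numbers (documentation ranges), and the names `validate_origin` and `triage_complaint` are constructed for illustration and come from neither the proposal nor any RIPE NCC tool.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: prefix, maxLength, authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data: documentation prefixes and documentation ASNs only.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64497),
    ROA("203.0.113.0/24", 24, 0),  # AS0 ROA: the holder states "do not route"
]

# Hypothetical mapping from validation state to a triage hint for a report.
TRIAGE = {
    "valid": "likely-bogus",            # holder has authorised this origin
    "invalid": "supports-complaint",    # a ROA exists and the route violates it
    "not-found": "needs-expert-review", # no ROA at all: nothing can be concluded
}


def validate_origin(prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'not-found' as defined in RFC 6811.

    A ROA covers the route when the route's prefix lies inside the ROA prefix.
    The route is valid if some covering ROA has the same origin AS (never AS0)
    and the route is not more specific than that ROA's maxLength.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if (roa.asn != 0 and roa.asn == origin_asn
                and route.prefixlen <= roa.max_length):
            return "valid"
    return "invalid" if covered else "not-found"


def triage_complaint(prefix, origin_asn, roas=SAMPLE_ROAS):
    """Classify one reported announcement; returns (state, triage hint).

    Origin validation only checks the last AS in the path, so 'valid' does not
    rule out an announcement that forges the legitimate origin AS. 'not-found'
    is the expected result for space whose holder never created a ROA, which
    includes the unreachable-holder cases listed earlier in the message.
    """
    state = validate_origin(prefix, origin_asn, roas)
    return state, TRIAGE[state]


if __name__ == "__main__":
    # Constructed reports: (announced prefix, origin AS seen in BGP).
    reports = [
        ("192.0.2.0/24", 64496),     # matches the ROA exactly
        ("192.0.2.0/25", 64496),     # more specific than maxLength allows
        ("192.0.2.0/24", 64511),     # covered, but wrong origin AS
        ("198.51.100.0/24", 64511),  # no covering ROA
        ("203.0.113.0/24", 64500),   # covered only by an AS0 ROA
    ]
    for pfx, asn in reports:
        print(pfx, f"AS{asn}", *triage_complaint(pfx, asn))
```

Only the "valid" outcome supports discarding a report automatically; "not-found" says nothing either way, which is the gap both posters point to when they describe the IRR as broken and RPKI as still taking baby steps.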

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-22 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Clearly it is a matter of wording and also introducing warnings in some cases.

I have sent a text about this before:

“Direct peers allowing the hijack thru their networks will be warned the first 
time, but may be considered by the experts evaluation to be a party involved in 
case of subsequent deliberated hijacks cases“

Regards,
Jordi
 
 

On 22/3/19 12:19, "anti-abuse-wg on behalf of Carlos Friaças via 
anti-abuse-wg" wrote:


On Fri, 22 Mar 2019, Sascha Luck [ml] wrote:

> On Thu, Mar 21, 2019 at 11:12:02PM +0100, JORDI PALET MARTINEZ via
> anti-abuse-wg wrote:
>> 3) We may need to refine the text, but the suspected hijacker, in case of
>> sponsored resources, is the suspected hijacker, not the sponsoring LIR
>> (which may not even have relation to it). However, some people indicated
>> that the direct peer should be also accountable. I think I also mention
>> this before, one possible option is to tell the direct peer the first time
>> "this is a warning report", please make sure to improve your filters.
>
> Now I'm confused. In another post, Carlos indicated that someone
> who receives a hijacked prefix is a victim and here they are also
> Bad People. I'm not sure what to think about a retributive
> proposal that can't even keep the "victims" and the "offenders"
> apart. In this case ("neighbours are bad") it reminds me of a UK law
> that punishes not only an illegal immigrant but also the landlord
> who fails to refuse to rent them a flat.

Hi,

The issue here might be the difference between a peering and a transit 
relationship.

If hijacker Z announces prefix Y to network X. Then network X will 
route packets towards the hijacker, even if X doesn't propagate prefix Y 
any further to any other 3rd party networks.

An hijacker can join an IXP and announce an hijacked prefix to one, some 
or all of the IXP's membership. In that case we will have one, some or 
many victims.

Hope it is clear now.

Regards,
Carlos



> rgds,
> SL





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.







Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-22 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Töma,

It has been already proposed/discussed in every RIR, with appropriate changes, 
and in some cases, there is a need for editorial review, etc., so not sure 
when it will be published at each one (LACNIC probably the first, ARIN next, 
and so on), and we already considered some of the issues discussed and in some 
cases some local co-authors.

We do not aim for a global policy (we had considered it), because if a single 
region fails, all the process will fall down. But that doesn't preclude trying 
to align the text in the future.

Regards,
Jordi

On 22/3/19 17:16, "anti-abuse-wg on behalf of Töma Gavrichenkov" wrote:

>> there has been a trend in recent years to make RIPE policy that
>> transforms the NCC from a resource registry into a political
>> agency...

> I am a resident and citizen of the United States

Do you have any plans on proposing the same policy for ARIN?

| Töma Gavrichenkov
| gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
| mailto: xima...@gmail.com
| fb: ximaera
| telegram: xima_era
| skype: xima_era
| tel. no: +7 916 515 49 58












Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-22 Thread JORDI PALET MARTINEZ via anti-abuse-wg
In most of the cases the NIRs are bound by the same policies as the relevant 
RIR, so this is not a big problem.

We believe this policy is important for all the RIR communities (including 
NIRs), however, in general, when I find a problem that requires drafting a 
policy proposal for a given RIR, I usually check how it is solved, or whether 
the same problem exists or also needs to be resolved, in the other 4 RIRs, 
which, in many cases, means a single policy proposal turns into 3-4 (average).

Not always same text as sometimes the existing text already solved it (even if 
only partially), or there are other differences (other policies affected, 
service agreements, membership by-laws, etc.), even cultural differences, etc.

Regards,
Jordi
 
 

On 22/3/19 17:33, "Töma Gavrichenkov" wrote:

On Fri, Mar 22, 2019 at 5:24 PM JORDI PALET MARTINEZ via anti-abuse-wg
 wrote:
> It has been already proposed/discussed in every RIR

This is thrilling. What's the idea about dealing with the nine NIRs?
You cannot just deny them membership, right?

--
Töma











Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-22 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Nick,

 

 

On 22/3/19 18:13, "anti-abuse-wg on behalf of Nick Hilliard" wrote:

 

The aim of the 2019-03 proposal, as far as I understand it, is to grant the 
RIPE NCC the authority to make formal judgements about alleged abuse of network 
resources with the implicit intention that unless the party involved ends the 
alleged abuse, the RIPE NCC would enforce the judgement by LIR shutdown if the 
alleged infringer were a member, or refusal to provide service if the alleged 
infringer were not.


The legal bindings of the NCC already have that for those that don’t follow 
existing policies, don’t pay bills, etc. So, the proposal is adding in the 
table a policy for confirming what is a hijack according to the community 
consensus. Same way we did for how we distribute resources, do transfers, etc.


There are several aspects of this proposal that are pretty disturbing, but the 
two that jump out are 1. over-reach by the RIPE Community, 2. encroachment into 
the arena of supranational law enforcement.  

I'm not going to go into the technical content of the proposal, despite the 
fact that I don't believe it would have any impact whatever on dealing with the 
problem of hijacking.  Limited companies can be registered for tiny amounts of 
money, and it's naive to believe that any actor who is dishonest enough to 
engage in persistent bgp hijacking would think twice about switching from one 
company to another in a heartbeat, in order to avoid the consequences of a 
policy like 2019-03.

Yes, you can make a new company, but because the direct peers/transits will get 
a warning first, then a problem if cases are repeated (text that I’ve proposed 
in previous emails, which we will include in v2), they will not accept this 
kind of customers changing the company every few weeks or months.


Regarding over-reach, the RIPE NCC was instituted as a numbering registry and 
as a supporting organisation for the RIPE Community, whose terms of reference 
are described in the RIPE-1 document.  The terms of reference make it clear 
that the purpose of the RIPE Community and the RIPE NCC is internet 
co-ordination and - pointedly - not enforcement.  Proposal 2019-03 goes well 
outside the scope of what the RIPE Community and the RIPE NCC were constituted 
to do, and I do not believe that the Anti Abuse working group has the authority 
to override this.

The second point relates to the long term consequences of the proposal.  If the 
RIPE Community were to pass this policy, then it would direct the RIPE NCC to 
act as both a judiciary and policing agency for internet abuse.  Judgement and 
enforcement of behaviour are the competence of national governments, courts and 
law enforcement agencies, not of private companies.  If the RIPE NCC starts 
encroaching in this territory, it should expect national governments and law 
enforcement agencies to start taking an active interest in taking control.  
This scenario would not be beneficial to the RIPE Community.

According to my view, laws in the EU allow organizations based on membership 
to enforce their by-laws and rules. I don’t think the NCC is different to that.

The NCC will be against law if we try to enforce a non-existing rule (policy).

I guess we have no other way than waiting for a legal confirmation of those 
aspects from the NCC, but we really think we are on the right track. Of course, 
wording matters, and we may need to change some bits here and there.


Regards,

Jordi


There are a pile of other considerations here, not least whether the RIPE 
NCC would have any legal jurisdiction to deregister resources where it had 
determined "abuse", and what the legal liability of the company would be if it 
were determined that they didn't have jurisdiction to act.

I don't question the motives of the authors of this proposal - neither of them 
has anything but the best of intentions in mind.  Regarding BGP hijacking in 
general, I've been involved in attempting to deal with many hijackings over the 
years and am as frustrated as anyone.  Like many other people in this 
community, I have also spent a lot of time and effort trying to deal with the 
problem from a practical point of view, both in terms of tooling and deployment 
standards for IXPs and service providers.

But, this is not how to handle the problem of BGP hijacking.  Even if it had 
the slightest possibility of making any difference at a technical level (which 
it won't), the proposal would set the RIPE Community and the RIPE NCC down a 
road which I believe would be extremely unwise to take from a legal and 
political point of view, and which would be difficult, if not impossible to 
manoeuver out of.


 

 


Nick




Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
In my country, and I'm sure in many others, if the police (either individual 
members or as an authority) or anyone from the government, even if he is a 
judge, is doing illegal actions, spying, including taking control of persons' 
or organizations' computers/networks, etc., they will be judged and jailed.

Because on the Internet it is not different than spying on people with hidden 
mics or cameras in their homes, or opening their letters, etc.

Of course, unless there is a court order. However, I really can't believe that 
in most of our countries a judge will allow a court order for a massive hijack 
affecting many people and organizations, unless there is an emergency risk for 
the population, and this is done in those cases by declaring a "national 
emergency situation".

Regards,
Jordi
 
 

On 23/3/19 6:17, "anti-abuse-wg on behalf of Ronald F. Guilmette" wrote:


In message <20190322230602.gj99...@cilantro.c4inet.net>, 
"Sascha Luck [ml]"  wrote:

>On Fri, Mar 22, 2019 at 02:43:14PM -0700, Ronald F. Guilmette wrote:
>>Yet Erik Bais is arguing that RIPE policy decisions should be driven by
>>a desire to accommodate the needs of exactly such Bad Actors.  That is
>...
>... Erik is in no way arguing Hacking Team's case...

You could have fooled me!  If he didn't want to use that case to try
to make a point -against- the proposal, then why did he even bring
up this old case in that kind of a context?

In any case, as the -full- posting that you snipped from made clear,
it doesn't really make any difference, one way or the other, to the
point that -I- tried to make.

I will try this again...

EVEN IF we accept, even just for the sake of argument, the highly
dubious and totally unsubstantiated allegation that the proprietors
of the Italian ISP Aruba were forced, threatened, cajoled, browbeat,
bribed, or tortured into doing the bidding of the Italian Police,
and specifically to perform a BGP hijack, then what lesson or message
should we all take from that?

The question is this:  Does the RIPE community want to continue to
effectively endorse... as it is now doing, by default, by failing to
condemn... the "rights" of the Italian Police, the British Police, the
German Police, the French Police, the Polish Police, the Serbian Police,
the Macedonian Ministry of Public Affairs, and maybe even the entire
Estonian Royal Navy Marching Band to perform BGP hijacks whenever it
suits the perceived purposes of each and every one of these organizations
or any of their constituent parts or departments?

If so, then I'd just like to point out that this is a VERY slippery
slope, and one that is quite likely to come back to haunt this
organization in the years ahead.  Is there a government anywhere
in all of europe that would NOT like to exercise more control over
what its own people and/or those of other nations hear, see, read, 
or think about?  Did the people of Spain have any say whatsoever in
the election of the Italian Police?  Given that they did not, does
this community really want to continue endorsing the notion that
various parts and pieces of individual national, regional, or local
governments have some sort of a sovereign "right" to engineer BGP
hijacks, as the Italian Police are alleged to have done, at their
own unilateral whim?  Or should this body instead take arms against
this brewing sea of troubles and by opposing end them?

It cannot be both ways.  Either RIPE turns a deliberately blind eye
to hijacks or else it formally denounces them as being against policy.

I, for one, would be -glad- if indeed it was or could be proven that
the Italian Police were responsible for the hijacking incident in
question, because that fact, once proven, would hopefully make
everyone here wake up and smell the coffee.

It is fine for all of us here to sit around in our comfortable arm-
chairs and debate the finer points of the philosophical pros and cons
of the separation of church and state, or the separation of RIPE from
"enforcement", but while we are all sitting around having our high-
minded philosophical debates, out there in the real world, things
are happening, and not always good things.  If an Italian Police
Lieutenant can order the hijacking of a block of IP addresses today,
and if there are -zero- repercussions from that, then what is there
to prevent a Belarusian Minister of Information from doing the same
thing tomorrow, but with significantly more sinister intent?

Is this REALLY the future that the RIPE community wants?  A future
where every junior-league despot sitting in some cramped and dimly-lit
ministerial office in any country in europe can order a hijack, and
then no matter what the reasons or context, everyone will just shrug

Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Exactly!

If customers, employees, visitors, students, etc., are misusing the network 
(for example using it for spam, DDoS, child pornography, etc.), they are 
typically acting against the contract arrangements (AUP). If you've a bad 
contract that's a different problem, but even in that case, I'm sure that if 
you're taken to the courts because you cancel the contract, in most of the 
cases the court will recognize it as a correct action, because using the 
network for illegal actions is part of the illegal act itself.

In fact, if you don't bring down that "customer", you are actually a cooperator 
of those illegal acts if anyone can prove that you were aware of it. That's why 
I think the text that I had presented a couple of times in the last days about 
simple warnings in case of doubt or the first time for direct peers, makes a 
lot of sense.

To put that in the extreme: You will not be jailed or punished because the 
court considers you as a "censor".

If you're a member of a sports club (RIPE NCC for us), and the rules (our 
policy proposal) say that you must use a swimming cap (adequate BGP filters) 
and you don't do so, you can, depending on the rules, get a warning, or 
directly get your membership cancelled and even not get a reimbursement.

Note that there isn't any law that enforces using a swimming cap, however, I'm 
100% sure the court will agree that the rule is lawful and enforceable.

Regards,
Jordi
 
 

On 23/3/19 6:29, "anti-abuse-wg on behalf of Ronald F. Guilmette" wrote:


In message <20190322233739.gk99...@cilantro.c4inet.net>, 
"Sascha Luck [ml]"  wrote:

>I am also somewhat worried about the possible fall-out for the
>members if the NCC were to be found to have acted incorrectly and
>be liable for the damages to the business of a member that was
>shut down...

I only wish that I had a dollar for every time I had heard this
exact lame excuse from some ISP who I had asked to disconnect a
spammer over the past 20 years.  If I did, I'd have enough money
to run for President.

This excuse isn't as popular now as it was in the old days, but one
often used to get messages from ISPs saying "Oh, gee, we literally
CAN'T unplug that spammer, because we have a contract, and he might
sue us!"

(Yea, yea, yea.   Tell it to the hand.)

Simple solution:  Stop being an idiot and write better contracts.

Every contract has some "out" clauses... you know like force majeure,
etc. etc., etc.

If RIPE cannot afford or cannot find an attorney with sufficient
skill to draft and include such "outs" I can refer it to some
excellent practitioners with eminently modest rates.


Regards,
rfg












Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Lu,

 

On 23/3/19 11:30, "anti-abuse-wg on behalf of Lu Heng" wrote:

 

When you are stealing electricity, the electricity company will not cut your 
electricity at home but report you to the police.

 

Depends on the contract. In my country, they are able to do all of these, even 
at the same time:
* Cut your electricity
* Claim the case to the police (criminal case)
* Claim the case to the courts for the damages (civil case)
 

No one is saying stealing is ok, but no one agrees the electricity company 
should have policing power.

 

Sometimes the stealing is not from the electricity company, but from a 
neighbor. Bad guys don’t care if they are damaging other people.

 

On Sat, Mar 23, 2019 at 18:27 ac  wrote:

On Sat, 23 Mar 2019 18:04:22 +0800
Lu Heng  wrote:
> 
> It’s very much like electricity company tell you if you do something
> bad we will cut you off and stop supply electricity.and yes, they
> will cut you if you stop paying them, but that doesn’t mean they can

they also cut if you cheat by stealing electricity.

you not talk about stealing but you and Nick talk about how use electricity.

use any way you like, ripe not internet police, but you no steal, okay?

> make themselve self juridical court in any bad thing happen in this
> world.
> 
not every bad thing, just administrative duty to say stealing is stealing.

stealing not the same as using electricity to fry naughty neighbor in chair.

stealing is when you no pay for electricity you use to fry neighbor, see?

you use for anything bad, this your business, ripe not judicial court,
administrative authority.

but you no hijack, okay?

> Internet, or registry, are starting if not already is, become part of
> base infrastructure of the society, but that does not give us any
> rights in the society to become the supreme court of the society,
> just like your water company or electricity company won’t judge you
> for what you use water or electricity for.
> 
> 
> 
> On Sat, Mar 23, 2019 at 16:54 ac  wrote:
> 
> >
> > ugh, english. I do not mean external as in outside I meant external
> > as in not
> > allocated.
> >
> > for example: complaint received about 147g8oobra912cx47.com
> >
> > versus a HIJACKING complaint received about apple.com
> >
> > my argument would be that; as 147Goobra912cX.com is not allocated,
> > any complaints about such a resource is outside the scope of any
> > administrative authority - and ianal, but, some of what Nick
> > Hilliard said, may apply. Same as abuse BY a resource, when what
> > Nick Hilliard said, may also apply.
> >
> > The main point is that;
> >
> > Because: "hijacking" of a domain name (or any resource) is a direct
> > administrative issue (this is factual - as per my previous post)
> >
> > BUT
> >
> > abuse BY a domain name (or any resource) is not necessarily an
> > administrative issue at all (this is debatable/opinion) - as you
> > said "some" TLD responds some do not...and RIPE NCC is not the
> > Internet Police
> >
> > So, anyway, as 2019-03 deals with hijacking, this entire over reach
> > argument is factually not relevant at all
> >
> > and, more so: 2019-03 not proceeding would be counter to the ethical
> > administration of resources, a dereliction of responsibility and a
> > breach of trust implied in any such administration (as well as
> > administrative authority)
> >
> >
> > On Sat, 23 Mar 2019 08:20:01 +
> > Suresh Ramasubramanian  wrote:
> >  
> > > They either find out for themselves or someone else points it out
> > > to them. In either case their responsibility continues if what
> > > you say holds good
> > >
> > > --srs
> > >
> > > 
> > > From: anti-abuse-wg  on behalf of
> > > ac  Sent: Saturday, March 23, 2019 1:44 PM
> > > To: anti-abuse-wg@ripe.net
> > > Subject: Re: [anti-abuse-wg] 2019-03 and over-reach
> > >
> > >
> > > some of what the wg discusses are opinions and some things are
> > > scientific facts.
> > >
> > > scientific facts may change as environments and other variables
> > > change, but currently it is so that;
> > >
> > > there is NO TLD registry that will allow the ongoing random
> > > hijacking of domain names (under that TLD of course)
> > >
> > > as, this would mean that the TLD does not need to exist at all
> > > and/or it will not have any trust/value.
> > >
> > > RIPE NCC though, is factually a resource administrative authority.
> > >
> > > As such, it does need to administer resources and an integral
> > > part of that resource administration is the core responsibility
> > > implied by such administration itself and the balance of
> > > exercising such authority with the implied and direct
> > > responsibility of any such administration.
> > >
> > > Factually, the authority to allocate (or not) is administrative.
> > >
> > > I think (my opinion) is that the confusion arises due to whether a
> > > resource (whether it be a domain name, ip number, etc) is
> > > allocated, or not. When resources are allocated the
> > > administ

Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Lu,

On 23/3/19 11:04, "anti-abuse-wg on behalf of Lu Heng" wrote:

Nick is making a good point.

How about murder is a policy violation?

How about rape is a policy violation?

If you have in your contract an AUP that prohibits illegal activities (DDoS, 
spam, child pornography, etc.), you have the right to disconnect that customer. 
You just need to make sure to be able to prove it in case he brings you to the 
courts. The prosecutor will dismiss the case against you and make sure that the 
other party is actually judged.

In those “clear” cases, the AUP doesn’t even need to exist. If you’re in doubt 
you can inform the LEA “hey I found a guy using my network for such bad things, 
I’m going to disconnect him, to avoid any penalties on my own”. They may tell 
you, via a court order (which in those cases I’ve seen they can happen in a 
matter of hours), please keep him connected for a few days so we can catch some 
other involved folks, and you’re then “excused” of anything wrong.

If you’re aware of criminal or illegal activities, and you don’t act against 
them, at least via a LEA notification, you may be found guilty of criminal 
cooperation as well.

Putting RIPE NCC in a juridical position is just not what RIPE NCC is.

What this policy advocates is not as far as the examples I just wrote, but I 
think they are needed to refute the latest messages about “murders and rapes”.

See my previous emails and the example of the sports club.

And starting to use the threat “if you do a bad thing (whatever that is) we will 
take your IP number back” is just simply a bad thing, both for the community and 
for the registry.

It’s very much like the electricity company telling you that if you do something 
bad they will cut you off and stop supplying electricity. And yes, they will cut 
you off if you stop paying them, but that doesn’t mean they can make themselves 
a juridical court for any bad thing that happens in this world.

The Internet, or the registry, is starting to become, if it is not already, part 
of the base infrastructure of society, but that does not give us any right in 
society to become the supreme court of society, just like your water 
company or electricity company won’t judge you for what you use water or 
electricity for.

 

 

 

On Sat, Mar 23, 2019 at 16:54 ac  wrote:


ugh, english. I do not mean external as in outside I meant external as in not
allocated.

for example: complaint received about 147g8oobra912cx47.com

versus a HIJACKING complaint received about apple.com

my argument would be that; as 147Goobra912cX.com is not allocated, any
complaints about such a resource is outside the scope of any
administrative authority - and ianal, but, some of what Nick Hilliard
said, may apply. Same as abuse BY a resource, when what Nick Hilliard
said, may also apply.

The main point is that;

Because: "hijacking" of a domain name (or any resource) is a direct
administrative issue (this is factual - as per my previous post)

BUT

abuse BY a domain name (or any resource) is not necessarily an
administrative issue at all (this is debatable/opinion) - as you said
"some" TLD responds some do not...and RIPE NCC is not the Internet
Police

So, anyway, as 2019-03 deals with hijacking, this entire over reach
argument is factually not relevant at all

and, more so: 2019-03 not proceeding would be counter to the ethical
administration of resources, a dereliction of responsibility and a breach 
of trust implied in any such administration (as well as administrative 
authority)


On Sat, 23 Mar 2019 08:20:01 +
Suresh Ramasubramanian  wrote:

> They either find out for themselves or someone else points it out to
> them. In either case their responsibility continues if what you say
> holds good
> 
> --srs
> 
> 
> From: anti-abuse-wg on behalf of ac
> Sent: Saturday, March 23, 2019 1:44 PM
> To: anti-abuse-wg@ripe.net
> Subject: Re: [anti-abuse-wg] 2019-03 and over-reach
> 
> 
> some of what the wg discusses are opinions and some things are
> scientific facts.
> 
> scientific facts may change as environments and other variables
> change, but currently it is so that;
> 
> there is NO TLD registry that will allow the ongoing random hijacking
> of domain names (under that TLD of course)
> 
> as, this would mean that the TLD does not need to exist at all and/or
> it will not have any trust/value.
> 
> RIPE NCC though, is factually a resource administrative authority.
> 
> As such, it does need to administer resources and an integral part of
> that resource administration is the core responsibility implied by
> such administration itself and the balance of exercising such
> authority with the implied and direct responsibility of any such
> administration.
> 
> Factually, the authority to allocate (or not) is administrative.
> 
> I think (my opinion) is that the confusion arises due to whether a
> resource (whether it be a domain name, ip number, etc) is allocated,
> or not.

Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
On 23/3/19 11:39, "Lu Heng" wrote:

On Sat, Mar 23, 2019 at 18:35 JORDI PALET MARTINEZ via anti-abuse-wg wrote:

Hi Lu,

On 23/3/19 11:30, "anti-abuse-wg on behalf of Lu Heng" wrote:

When you are stealing electricity, the electricity company will not cut your 
electricity at home but report you to the police.

Depends on the contract. In my country, they are able to do all of these, even 
at the same time:

1.   Cut your electricity

2.   Claim the case to the police (criminal case)

3.   Claim the case to the courts for the damages (civil case)

No, if you are stealing electricity at a random building, your home electricity 
will not be cut off; I don’t see that any contract of an electric company in any 
country would do that.

When you steal electricity, even if you do it from the company, you can create 
trouble for other people, because you’re using “dangerous” connections to the 
grid. The electricity company can cut it as soon as they detect it.

This is in the newspapers as happening in some towns of the South of Spain, 
almost every other day. They have dangerous (fire, electrocution, etc.) 
installations to grow marijuana, which also take resources from the network, 
disturbing other neighbors because the power needs create frequent “protection 
cuts”, etc.

No one is saying stealing is ok, but no one agrees the electricity company 
should have policing power.

Sometimes the stealing is not from the electricity company, but from a 
neighbor. Bad guys don’t care if they are damaging other people.

I don’t see the relevance to the discussion here. It doesn’t matter who they 
steal from; it’s a police matter, not an electricity company matter.

The relevance is that a hijack is stealing resources (not just ASNs or 
addresses, but also bandwidth, routing slots, time to deal with it, etc.) from 
the community, and the community can decide to have rules about that.

 

On Sat, Mar 23, 2019 at 18:27 ac  wrote:

On Sat, 23 Mar 2019 18:04:22 +0800
Lu Heng  wrote:
> 
> It’s very much like electricity company tell you if you do something
> bad we will cut you off and stop supply electricity.and yes, they
> will cut you if you stop paying them, but that doesn’t mean they can

they also cut if you cheat by stealing electricity.

you not talk about stealing but you and Nick talk about how use electricity.

use any way you like, ripe not internet police, but you no steal, okay?

> make themselve self juridical court in any bad thing happen in this
> world.
> 
not every bad thing, just administrative duty to say stealing is stealing.

stealing not the same as using electricity to fry naughty neighbor in chair.

stealing is when you no pay for electricity you use to fry neighbor, see?

you use for anything bad, this your business, ripe not judicial court,
administrative authority.

but you no hijack, okay?

> Internet, or registry, are starting if not already is, become part of
> base infrastructure of the society, but that does not give us any
> rights in the society to become the supreme court of the society,
> just like your water company or electricity company won’t judge you
> for what you use water or electricity for.
> 
> 
> 
> On Sat, Mar 23, 2019 at 16:54 ac  wrote:
> 
> >
> > ugh, english. I do not mean external as in outside I meant external
> > as in not
> > allocated.
> >
> > for example: complaint received about 147g8oobra912cx47.com
> >
> > versus a HIJACKING complaint received about apple.com
> >
> > my argument would be that; as 147Goobra912cX.com is not allocated,
> > any complaints about such a resource is outside the scope of any
> > administrative authority - and ianal, but, some of what Nick
> > Hilliard said, may apply. Same as abuse BY a resource, when what
> > Nick Hilliard said, may also apply.
> >
> > The main point is that;
> >
> > Because: "hijacking" of a domain name (or any resource) is a direct
> > administrative issue (this is factual - as per my previous post)
> >
> > BUT
> >
> > abuse BY a domain name (or any resource) is not necessarily an
> > administrative issue at all (this is debatable/opinion) - as you
> > said "some" TLD responds some do not...and RIPE NCC is not the
> > Internet Police
> >
> > So, anyway, as 2019-03 deals with hijacking, this entire over reach
> > argument is factually not relevant at all
> >
> > and, more so: 2019-03 not proceeding would be counter to the ethical
> > administration of resources, a dereliction of responsibility and a
> > breach of trust implied in any such administration (as well as
> > administrative authority)
> >
> >
> > On Sat, 23 Mar 2019 08:20:01 +
> > Suresh Ramasubramanian  wrote:
>

Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg


On 23/3/19 12:17, "anti-abuse-wg on behalf of Gert Doering" wrote:

Hi,

On Sat, Mar 23, 2019 at 12:27:32PM +0200, ac wrote:
> On Sat, 23 Mar 2019 18:04:22 +0800
> Lu Heng  wrote:
> > 
> > It’s very much like electricity company tell you if you do something
> > bad we will cut you off and stop supply electricity.and yes, they
> > will cut you if you stop paying them, but that doesn’t mean they can
> 
> they also cut if you cheat by stealing electricity.

But they will not cut you off if you use the electricity in ways that
your neighbours do not like.  And this is where things start getting
complicated.

A and B have a contract.

B does something C does not like (but which is legal).

Why should that affect A?

Because A, B and C are under the same membership organization, which has rules 
(our policies) that indicate that what B is doing is against those rules, and 
the organization contract clearly indicates that you're bound to them?


Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279




**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.







Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Just recalled this example. Last night, I was watching a research TV program on 
craft beer.

I learnt that there is an association for craft beer producers and one of the 
rules was that if you have a shareholding from an industrial beer producer, you 
are automatically expelled from the association.

It was mentioned because of the case of one of those craft beer producers that 
got 50% of their shares acquired. The courts, of course, respected the decision.

Regards,
Jordi
 
 

On 23/3/19 12:22, "anti-abuse-wg on behalf of JORDI PALET MARTINEZ via 
anti-abuse-wg" wrote:


On 23/3/19 12:17, "anti-abuse-wg on behalf of Gert Doering" wrote:

Hi,

On Sat, Mar 23, 2019 at 12:27:32PM +0200, ac wrote:
> On Sat, 23 Mar 2019 18:04:22 +0800
> Lu Heng  wrote:
> > 
> > It’s very much like electricity company tell you if you do something
> > bad we will cut you off and stop supply electricity.and yes, they
> > will cut you if you stop paying them, but that doesn’t mean they can
> 
> they also cut if you cheat by stealing electricity.

But they will not cut you off if you use the electricity in ways that
your neighbours do not like.  And this is where things start getting
complicated.

A and B have a contract.

B does something C does not like (but which is legal).

Why should that affect A?

Because A, B and C are under the same membership organization, which has rules 
(our policies) that indicate that what B is doing is against those rules, and 
the organization contract clearly indicates that you're bound to them?


Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279











Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
 

 

On 23/3/19 12:05, "Lu Heng" wrote:

On Sat, Mar 23, 2019 at 18:58 JORDI PALET MARTINEZ via anti-abuse-wg wrote:

On 23/3/19 11:39, "Lu Heng" wrote:

On Sat, Mar 23, 2019 at 18:35 JORDI PALET MARTINEZ via anti-abuse-wg wrote:

Hi Lu,

On 23/3/19 11:30, "anti-abuse-wg on behalf of Lu Heng" wrote:

When you are stealing electricity, the electricity company will not cut your 
electricity at home but report you to the police.

Depends on the contract. In my country, they are able to do all of these, even 
at the same time:

1.   Cut your electricity

2.   Claim the case to the police (criminal case)

3.   Claim the case to the courts for the damages (civil case)

No, if you are stealing electricity at a random building, your home electricity 
will not be cut off; I don’t see that any contract of an electric company in any 
country would do that.

When you steal electricity, even if you do it from the company, you can create 
trouble for other people, because you’re using “dangerous” connections to the 
grid. The electricity company can cut it as soon as they detect it.

This is in the newspapers as happening in some towns of the South of Spain, 
almost every other day. They have dangerous (fire, electrocution, etc.) 
installations to grow marijuana, which also take resources from the network, 
disturbing other neighbors because the power needs create frequent “protection 
cuts”, etc.

That’s right, but if you steal at a random building, they will stop you from 
stealing but will not cut your home electricity off, nor will they cut all the 
houses under your name.

Right, the electricity example works only in the case that you steal the 
electricity in your home, but in this case your peers can disconnect you if they 
see that you’re doing something wrong; otherwise they run the risk that their 
transits filter them, etc.

You will get busted by the police and the court will decide how to punish you, 
but I am 100% sure that doesn’t involve cutting your home electricity off.

No one is saying stealing is ok, but no one agrees the electricity company 
should have policing power.

Sometimes the stealing is not from the electricity company, but from a 
neighbor. Bad guys don’t care if they are damaging other people.

I don’t see the relevance to the discussion here. It doesn’t matter who they 
steal from; it’s a police matter, not an electricity company matter.

The relevance is that a hijack is stealing resources (not just ASNs or 
addresses, but also bandwidth, routing slots, time to deal with it, etc.) from 
the community, and the community can decide to have rules about that.

 

On Sat, Mar 23, 2019 at 18:27 ac  wrote:

On Sat, 23 Mar 2019 18:04:22 +0800
Lu Heng  wrote:
> 
> It’s very much like electricity company tell you if you do something
> bad we will cut you off and stop supply electricity.and yes, they
> will cut you if you stop paying them, but that doesn’t mean they can

they also cut if you cheat by stealing electricity.

you not talk about stealing but you and Nick talk about how use electricity.

use any way you like, ripe not internet police, but you no steal, okay?

> make themselve self juridical court in any bad thing happen in this
> world.
> 
not every bad thing, just administrative duty to say stealing is stealing.

stealing not the same as using electricity to fry naughty neighbor in chair.

stealing is when you no pay for electricity you use to fry neighbor, see?

you use for anything bad, this your business, ripe not judicial court,
administrative authority.

but you no hijack, okay?

> Internet, or registry, are starting if not already is, become part of
> base infrastructure of the society, but that does not give us any
> rights in the society to become the supreme court of the society,
> just like your water company or electricity company won’t judge you
> for what you use water or electricity for.
> 
> 
> 
> On Sat, Mar 23, 2019 at 16:54 ac  wrote:
> 
> >
> > ugh, english. I do not mean external as in outside I meant external
> > as in not
> > allocated.
> >
> > for example: complaint received about 147g8oobra912cx47.com
> >
> > versus a HIJACKING complaint received about apple.com
> >
> > my argument would be that; as 147Goobra912cX.com is not allocated,
> > any complaints about such a resource is outside the scope of any
> > administrative authority - and ianal, but, some of what Nick
> > Hilliard said, may apply. Same as abuse BY a resource, when what
> > Nick Hilliard said, may also apply.
> >
> > The main point is that;
> >
> > Because: "hijacking" of a domain name (or any resource) is a direct
> > administrative issue (this is factual - as per my previous post)
> >
> > BUT
> >
> > abuse BY a domain name (or any reso

Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
 

 

On 23/3/19 12:13, "Lu Heng" wrote:

On Sat, Mar 23, 2019 at 19:05 Lu Heng wrote:

On Sat, Mar 23, 2019 at 18:58 JORDI PALET MARTINEZ via anti-abuse-wg wrote:

On 23/3/19 11:39, "Lu Heng" wrote:

On Sat, Mar 23, 2019 at 18:35 JORDI PALET MARTINEZ via anti-abuse-wg wrote:

Hi Lu,

On 23/3/19 11:30, "anti-abuse-wg on behalf of Lu Heng" wrote:

When you are stealing electricity, the electricity company will not cut your 
electricity at home but report you to the police.

Depends on the contract. In my country, they are able to do all of these, even 
at the same time:

1.   Cut your electricity

2.   Claim the case to the police (criminal case)

3.   Claim the case to the courts for the damages (civil case)

No, if you are stealing electricity at a random building, your home electricity 
will not be cut off; I don’t see that any contract of an electric company in any 
country would do that.

When you steal electricity, even if you do it from the company, you can create 
trouble for other people, because you’re using “dangerous” connections to the 
grid. The electricity company can cut it as soon as they detect it.

This is in the newspapers as happening in some towns of the South of Spain, 
almost every other day. They have dangerous (fire, electrocution, etc.) 
installations to grow marijuana, which also take resources from the network, 
disturbing other neighbors because the power needs create frequent “protection 
cuts”, etc.

That’s right, but if you steal at a random building, they will stop you from 
stealing but will not cut your home electricity off, nor will they cut all the 
houses under your name.

You will get busted by the police and the court will decide how to punish you, 
but I am 100% sure that doesn’t involve cutting your home electricity off.

No one is saying stealing is ok, but no one agrees the electricity company 
should have policing power.

Sometimes the stealing is not from the electricity company, but from a 
neighbor. Bad guys don’t care if they are damaging other people.

I don’t see the relevance to the discussion here. It doesn’t matter who they 
steal from; it’s a police matter, not an electricity company matter.

The relevance is that a hijack is stealing resources (not just ASNs or 
addresses, but also bandwidth, routing slots, time to deal with it, etc.) from 
the community, and the community can decide to have rules about that.

And I believe the rights to use the address, and bandwidth in fiber cable etc., 
are private property; they are not “from the community”, they have market 
value and legal ownership, they are not owned by the community, and I fail to 
see how the community has been given rights to decide on private property.

Market value doesn’t mean it is a property, it is a right to use.

You can pay to buy the right to reproduce a song, but this doesn’t mean that 
you’re the owner of it.

The difference is more evident in the case of the Internet resources, because a 
song can be “used” by many people at the same time, but not an IP address or an 
ASN which can only be “used” by the legitimate resource-holder or its customers.

It’s like your local community can decide to take your house away if you do 
something bad, because your house is “from the community”, even though you paid 
for it and live in it?

The only institutions in this society that can decide to take private property 
away are the courts and judges, and I don’t think anyone, or any community for 
that matter, should have such rights.

 

 

 

On Sat, Mar 23, 2019 at 18:27 ac  wrote:

On Sat, 23 Mar 2019 18:04:22 +0800
Lu Heng  wrote:
> 
> It’s very much like electricity company tell you if you do something
> bad we will cut you off and stop supply electricity.and yes, they
> will cut you if you stop paying them, but that doesn’t mean they can

they also cut if you cheat by stealing electricity.

you not talk about stealing but you and Nick talk about how use electricity.

use any way you like, ripe not internet police, but you no steal, okay?

> make themselve self juridical court in any bad thing happen in this
> world.
> 
not every bad thing, just administrative duty to say stealing is stealing.

stealing not the same as using electricity to fry naughty neighbor in chair.

stealing is when you no pay for electricity you use to fry neighbor, see?

you use for anything bad, this your business, ripe not judicial court,
administrative authority.

but you no hijack, okay?

> Internet, or registry, are starting if not already is, become part of
> base infrastructure of the society, but that does not give us any
> rights in the society to become the supreme court of the society,
> just like your water company or electricity company won’t judge you
> for what you use water or electricity for.
> 
> 
> 
> On Sat, Mar 23, 2019 at 16:54 ac  wrote:
> 
> >
> > ugh, english. I

Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Nick,

On 23/3/19 12:32, "Nick Hilliard" wrote:

JORDI PALET MARTINEZ via anti-abuse-wg wrote on 22/03/2019 22:55:
> The legal bindings of the NCC already have that for those that don’t 
> follow existing policies, don’t pay bills, etc. So, the proposal is 
> adding in the table a policy for confirming what is a hijack according 
> to the community consensus. Same way we did for how we distribute 
> resources, do transfers, etc.

Hi Jordi,

couple of things:

1. it's not the job of the RIPE NCC to make up for a short-fall of civil 
legislation in this area, no matter how distasteful we might find the 
consequences of this;

And we aren't doing that.

2. you can throw anything into a contract, but that doesn't mean it's 
enforceable or even lawful.

If our membership/SSA agreement includes a clause to allow that, yes, we can, 
unless a new law or court order comes into force later that says that "this or 
that policy is against law".

In other words, if the RIPE Community were to pass a particular policy, 
that wouldn't mean the policy would automatically be binding on the RIPE 
NCC membership, even if the RIPE NCC SSA includes a clause to state that 
a member will adhere to RIPE policies.

Please read my previous examples of the beer or the swimming cap. Doesn't 
matter if those conditions were in the membership agreement since the 
beginning or have been adopted under the membership agreement rules.

In this particular case, the suggestion is for the RIPE NCC to start 
making judgements about potentially legal actions between second or 
third parties, potentially involving non-related resources and to deny 
and/or withdraw number registration services on that basis.  This does 
not sound legally enforceable.

No, it is not a matter of parties. It is a matter of the membership rules.

If somebody got resources from RIPE NCC using fake information, and there is a 
form for third parties (even if they aren't impacted at all by anything wrong 
with those resources) to report that case, it is clear that under our rules, 
those resources will be claimed back.

Otherwise everybody will also be able to fake the information to repeat the 
same. Rules are to be followed when you sign a membership agreement.

What complicates things further is that the RIPE NCC has an effective 
monopoly for internet number registration services in this part of the 
world.  If withdrawal of these monopoly services were found to be 
unlawful, this would be taken extremely seriously by any court or 
regulatory authority.
 
If the reason for the withdrawal is doing actions that are used to make or 
facilitate illegal activities (again spam, DDoS, child pornography, etc.), I 
doubt it will be the reason for courts or regulators to change the situation. 
In fact, it might happen that then new laws are made to support that BGP 
hijacking is a criminal activity.

I can see that if there is any reason for a BGP hijacking to be done for a 
legitimate act (which I doubt), we can exclude it, and in fact that's why I 
suggested that in some cases the experts can consider a warning (for example, a 
student doing a research?).
   
Nick











Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Lu,

 

You’re denying that the resources are from the community, which means they 
aren’t owned by the RIR members, so basically you deny the complete RIR system.

 

This is a different topic, I guess?


Regards,

Jordi

 

 

 

El 23/3/19 12:45, "Lu Heng"  escribió:

 

 

 

On Sat, Mar 23, 2019 at 19:37 JORDI PALET MARTINEZ  
wrote:

 

 

El 23/3/19 12:13, "Lu Heng"  escribió:

 

 

 

On Sat, Mar 23, 2019 at 19:05 Lu Heng  wrote:

 

 

On Sat, Mar 23, 2019 at 18:58 JORDI PALET MARTINEZ via anti-abuse-wg 
 wrote:

El 23/3/19 11:39, "Lu Heng"  escribió:

 

 

 

On Sat, Mar 23, 2019 at 18:35 JORDI PALET MARTINEZ via anti-abuse-wg 
 wrote:

Hi Lu,

 

El 23/3/19 11:30, "anti-abuse-wg en nombre de Lu Heng" 
 escribió:

 

When you stealing electricity the electricity company will not cut your 
electricity at home but report you to the policy.

 

Depends on the contract. In my country, they are able to do, even at the same 
time all those:

1.   Cut your electricity

2.   Claim the case to the police (criminal case)

3.   Claim the case to the courts for the damages (civil case)

No, if you stealing electricity at  random building, your home electricity will 
not be cut off, I don’t see any contract of electric company of any country 
would do that.

 

When you steal electricity, even if you do from the company, you can create 
troubles to other people, because you’re using “dangerous” connections to the 
grid. The electricity company can cut it as soon as they detect it.

 

This is in the newspapers as happening in some towns of the South of Spain, 
almost every other day. They have dangerous (fire, electrocution, etc.) 
installations to grow marijuana, which also take resources from the network 
disturbing other neighbors because the power needs create frequent “protection 
cuts”, etc.

 

That’s right, but if you steal at a random building, they will stop you from 
stealing but will not cut your home electricity off, nor will they cut all the 
houses under your name.

You will get busted by the police and the court will decide how to punish you, 
but I am 100% sure that doesn’t involve cutting your home electricity off.

 

 

 

No one is saying stealing is ok, but no one agrees the electricity company 
should have policing power.

Sometimes the stealing is not from the electricity company, but from a 
neighbor. Bad guys don’t care if they are damaging other people.

I don’t see the relevance to the discussion here. It doesn’t matter who they 
steal from, it’s a police matter, not an electricity company matter.

 

The relevance is that a hijack is stealing resources (not just ASNs or 
addresses, but also bandwidth, routing slots, time to deal with it, etc.) from 
the community, and the community can decide to have rules about that.

 

And I believe the rights to use the address, and bandwidth in fiber cable etc. 
are private properties, they are not “from the community”, they have market 
value and legal ownership, they are not owned by the community and I fail to 
see how the community has been given rights to decide on private properties.

 

Market value doesn’t mean it is a property, it is a right to use.

 

You can pay to buy the right to reproduce a song, but this doesn’t mean that 
you’re the owner of it.

 

The difference is more evident in the case of the Internet resources, because a 
song can be “used” by many people at the same time, but not an IP address or an 
ASN which can only be “used” by the legitimate resource-holder or its customers.

 

Nobody says you are the owner of that song; exclusive rights to use are also 
protected by law and not by RIPE NCC.

These exclusive rights are market-tradable and protected.

But not by the community, by law.

It’s like your local community can decide to take your house away if you do 
something bad, because your house is “from the community?”, even though you 
paid for it and live in it?

The only institution in this society that can decide to take private properties 
away is the court and judges, and I don’t think anyone or any community for that 
matter should have such rights.

 

 

 

On Sat, Mar 23, 2019 at 18:27 ac  wrote:

On Sat, 23 Mar 2019 18:04:22 +0800
Lu Heng  wrote:
> 
> It’s very much like electricity company tell you if you do something
> bad we will cut you off and stop supply electricity.and yes, they
> will cut you if you stop paying them, but that doesn’t mean they can

they also cut if you cheat by stealing electricity.

you not talk about stealing but you and Nick talk about how use electricity.

use any way you like, ripe not internet police, but you no steal, okay?

> make themselve self juridical court in any bad thing happen in this
> world.
> 
not every bad thing, just administrative duty to say stealing is stealing.

stealing not the same as using electricity to fry naughty neighbor in chair.

stealing is when you no pay for electricity you use to fry neighbor, see?

yo

Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
On 23/3/19 12:46, "Sascha Luck [ml]" wrote:

On Sat, Mar 23, 2019 at 12:29:21PM +0100, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
>I learnt that there is an association for craft beer producers and one of 
the rules was that if you have a sharing from an industrial beer producer, you 
are automatically expelled from the association.

This is not even remotely comparable. If they are expelled from a
craft beer association it simply means they are not members of
the association anymore. It does *not* mean they cannot get
barley, hops or water anymore (except, theoretically, on another
continent)

Exactly, the vendors for barley, hops, etc., can also decide if they want to 
sell them or not.

Being expelled from the RIPE NCC means, in practical terms, that
one cannot conduct one's business in the RIPE Service Region
anymore. Why do you think a member would just lie down and take
that rather than using any means available to ensure its
survival?


The peers can decide also if, in addition to the warning or decision from the 
RIR, they want to keep the peering or transit.

If I don't want to accept a customer, I've the right to do so. If I'm in a 
membership organization that helps me to decide and provide info about bad 
behaviors, I will be very happy.

I know, you're taking it to the monopoly situation that Nick described, which 
I've already answered with my views.

I think regulators know we are doing well and not acting against bad things 
will make them to intervene, not in the other way around.

rgds,
SL











Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Töma,


On 23/3/19 13:25, "anti-abuse-wg on behalf of Töma Gavrichenkov" wrote:

Hi all,

> A new RIPE Policy proposal, 2019-03, "BGP Hijacking is
> a RIPE Policy Violation", is now available for discussion.

Sorry if the issues I'm raising were already addressed somewhere
around the thread. As of now, I believe it's the size of an average
fiction book, and I don't quite have enough time to read that.

I also apologize now in advance for abstaining from the discussion at
some point in future, because in quite the same fashion I won't be
able to read unnecessarily (and sometimes I believe deliberately) long
responses. Whoever is planning to win a consensus through exhaustion
is going to win that anyway.

With that in mind,


1. As of now, the draft looks like a nice example of "document
designed by a committee".

It's too strict where there's no real need to be strict, and at the
same time too weak where you don't expect it to be weak. E.g. 4 weeks
to report + 4 weeks to investigate + 2 weeks for an appeal give us
solid 10 weeks for an attack to stay there, which is, to put it
gently, a substantial amount of time.


Our intent is to "stop" the attack with the claim (not efficient at all), but 
to allow to be reviewed in order to avoid it, in the future, if possible from 
the same actors.

The timing that we described is "maximum"; maybe we need to add that word in 
every part of the text that talks about timing. I think this provides 
sufficient time to cover even complex cases.

Now, if the community believes that 4 weeks is too much to investigate even a 
more complex case and 2 weeks too much for the hijacker response, I'm happy to 
drop both by half, if Carlos agrees as well.


2. OTOH the ultimate result (membership cancellation) may be seen as a
very heavy punishment.

I mentioned this before in a couple of emails and I'm more and more convinced 
that a warning is needed, at least, in doubtful cases, before reporting for a 
membership cancellation.

In fact in theory this policy could make things worse.
Most of the ISPs are very slow in applying security updates to their
equipment, including border routers. (Also, vendors themselves are not
quite keeping up as well) Now, say, I'm an ISP who really wants to
push my competitor out of business. With this policy here's a sequence
of steps that will win you the market:
- hire a script kiddie who will break into that company's Mikrotik;
- announce roughly half of IPv4 address space through that breach just
for it to be surely on the news;
- relax and enjoy watching your competition disappearing in no later
than 2,5 months.

While I would, in my perfect dream, personally support the idea of
cancelling an LIR membership for not updating one's devices at least
on a weekly basis, I don't really think this is what the authors of
the draft were going to propose, and I know quite a few people, Randy
Bush for starters, whom the authors, to put it mildly, won't probably
be able to convince.

The example by Warren also deserves attention, and I personally don't
really anticipate that "won't be too hard to figure out", because
frankly we're in fact yet to see the hijacking attempts where an
attacker would be deliberately trying hard to hide their identity.


3. If I were to design that process, I'd put it in a different way, e.g.:
- 2 business days to find experts. Really, four weeks for that?! Yes,
we know that NCC isn't the most dynamic organization out there, but
with a pre-populated pool of experts at the current rate of hijacking
incidents reported to public that shouldn't really be an issue.

In the actual text there is no time to find the experts. The 4 first weeks are 
to select the experts (from a pool already known), and provide the report.

- 3 business days to investigate and prepare a preliminary report.
Another 5 business days to continue investigation if necessary, with
another report at the end. Maybe a third iteration if necessary.
Immediate membership suspension at the end if the experts decide it's
necessary to do so now.

So, it is in total up to here what I just said, about 2 weeks instead of 4.

- A grace period of 8 weeks for the suspected hijacker to collect
further evidence and provide additional arguments to justify their
position.

I think that's too much. He will get a notice once the case is being reported, 
so he got already the same time as the experts to collect whatever information, 
and then either 1 or 2 additional weeks after the expert's report.

- An appeal phase of another 8 weeks with ultimate decision and, where
necessary, membership termination in the end.

We have now in total 6 weeks here (2 weeks to file an appeal, 4 more weeks for 
the next

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Fat fingers:

Our intent is NOT to "stop" the attack with the claim (not efficient at all), 
but to allow to be reviewed in order to avoid it, in the future, if possible 
from the same actors.

Regards,
Jordi
 
 


Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg


On 23/3/19 16:49, "Nick Hilliard" wrote:

JORDI PALET MARTINEZ via anti-abuse-wg wrote on 23/03/2019 11:52:
> On 23/3/19 12:32, "Nick Hilliard" wrote:
>  1. it's not the job of the RIPE NCC to make up for a short-fall of civil
>  legislation in this area, no matter how distasteful we might find the
>  consequences of this;
> 
> And we aren't doing that.

If there were legislation and enforcement in this area, we wouldn't be 
having this conversation.

>  2. you can throw anything into a contract, but that doesn't mean it's
>  enforceable or even lawful.
> [...]
>  In this particular case, the suggestion is for the RIPE NCC to start
>  making judgements about potentially legal actions between second or
>  third parties, potentially involving non-related resources and to deny
>  and/or withdraw number registration services on that basis.  This does
>  not sound legally enforceable.
> 
> No, it is not a matter of parties. It is a matter of the membership rules.

Jordi, you need to take legal advice on this before proceeding further.

We hope to get it from the NCC, maybe even a preliminary report instead of 
waiting for an impact analysis?

Nick











Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg



On 23/3/19 22:33, "anti-abuse-wg on behalf of Ronald F. Guilmette" wrote:

In message

Töma Gavrichenkov wrote:

>2. OTOH the ultimate result (membership cancellation) may be seen as a
>very heavy punishment.

Did you have some particular alternative in mind that you wanted to propose?
Sending the miscreant hijacker to bed without supper perhaps?

>- hire a script kiddie who will break into that company's Mikrotik;
>- announce roughly half of IPv4 address space through that breach just
>for it to be surely on the news;
>- relax and enjoy watching your competition disappearing in no later
>than 2,5 months.

I do believe that the main idea here was *not* to have the nuclear missiles
on a hair-trigger *or* to launch them within a few minutes of the beginning
of a hijacking event, but rather to *notify* the party responsible, and
then, if and ONLY IF absolutely NO ACTION is taken to resolve the problem
after some reasonable period of time, then, and only then, it would
*begin* to be a real possibility that sanctions would be applied.

Believe me, none of the sponsors or proponents of this proposal wants to
see the nuclear missiles launched mistakenly, for example, in response to
a falling meteor or a volcanic eruption somewhere.  Any such premature
over-reaction would quite obviously be Bad, and that passage of time
usually serves to clarify intent.

I think it is very obvious that the experts (and the board as the last instance) 
will make sure that when a warning is sufficient (especially first time even for 
a clear hijack if there are no *very clear* evidences that it is intentional), 
but if the same organization or the same people hiding behind another 
organization, is repeating once and again, then it is time to stop it.

We can have more explicit text about that, but I think we must trust the 
experts' judgement, and that's why there is an appeal chance and a final 
ratification step.

As you said, and thanks for that, *IT IS OUR MORAL AND ETHICAL RESPONSIBILITY*.


Regards,
rfg












Re: [anti-abuse-wg] 2019-03 and over-reach

2019-03-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
On 23/3/19 23:40, "anti-abuse-wg on behalf of Ronald F. Guilmette" wrote:


In message <6179dc11-f299-c076-0ae1-2f2d22eb6...@foobar.org>, 
Nick Hilliard  wrote:

>If there were legislation and enforcement in this area, we wouldn't be 
>having this conversation.

Yes, actually, we would.

Agree

Does anybody really believe that if, for example, Moldova outlawed BGP
hijacking tomorrow *and* if they even started arresting suspects, that
the entire problem would utterly disappear from the entire RIPE region
the day after that?  I think not.  France?  The Netherlands?  Sweden?
No. No. No.  There isn't a single European country whose laws can
bring this plague to an end, nor even any subset of European countries.
The problem no more respects national boundaries than does the influenza
virus.

There is one more reason for that. There is no way LEA can act against every 
hijack in a timely fashion (I'm thinking of making sure that cases are taking 
no more than 2-3 months on average), in the same way that massive spam or data 
protection cases are most of the time *not* even actually prosecuted by DPAs.

Furthermore, I very much look forward to the day when one or more BGP
hijackers... or *any* kind of cybercriminal for that matter...  will be
extradited from Russia to stand trial in some less friendly jurisdiction.
But today is not that day.


Regards,
rfg












Re: [anti-abuse-wg] Proposal 2019-03 BGP Hijacking

2019-03-30 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Sergey,

 

I think this is a completely different discussion, and the PDP decision process 
is up to the chairs, as we all know.

However, I want to point out that, from my perspective, supporting voices are 
perfectly valid, regardless of whether they point out their motivations or not. 
This is my take on consensus.

The other way around, non-supporting ones need to be motivated.

I agree that if I’m a proposal author (not speaking now about this one), and 
have more friends than somebody opposing and I convince all my friends to 
support it, it is not fair. However, if those supporting voices aren’t “friends”, 
but colleagues working in the same area of work, and suffering the same 
problems as myself, it is fine asking them to support it.

I would love for all the policy proposals to have this kind of support (or 
non-support); it makes it easy for authors to improve the proposals, and I guess, 
for chairs to decide (even if it means extra work to track all the discussions).


Regards,

Jordi

 

 

 

On 29/3/19 23:01, "anti-abuse-wg on behalf of Sergey Myasoedov via 
anti-abuse-wg" wrote:

Dear group members from Portugal who stated your support for 2019-03,

 

Can you please provide some more arguments than your humble "+1" statement? 
This is a working group, not a voting.

 

Please.

 

 

--

Kind regards,

Sergey Myasoedov



On 29 Mar 2019, at 18:33, Vitor Leitao  wrote:

 

I would like to manifest my support to the proposal 2019-03.

 

Rgds,

 

Vitor Leitao

 






Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-03-30 Thread JORDI PALET MARTINEZ via anti-abuse-wg
If you want to have an idea of "what" we have captured during the discussion in 
this mailing list, we have also submitted the "improved" version to ARIN (and 
working on the same for APNIC and AfriNIC).

You can read that (in English) here:
https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/

Actually, a question for the chairs and Marco. Do you think it makes sense to 
continue the discussion with the current version before improving it, or 
already sending a new one? There is a lot of improvement already, the 
discussion has been extremely useful for the authors. However, we are missing 
some NCC inputs, for example, regarding legal questions that we raised several 
times, so if sending a new version means we can't get those inputs, then it is 
not good ...

Note: As I said already before, I think, we (the co-authors) aren't 
coordinating our responses, so we may have different opinions in all that we 
say, and I think this is good because it helps with the responses of the 
community to build out our own positions and clear our "internal" differences 
(which we have, don't have any doubt about it!) and reach consensus "among 
ourselves".

Regards,
Jordi
 
 

On 30/3/19 10:54, "anti-abuse-wg on behalf of Carlos Friaças via 
anti-abuse-wg" wrote:


On Fri, 29 Mar 2019, Sergey Myasoedov via anti-abuse-wg wrote:

> Hello community,

Hi Sergey, All,


> I strongly oppose to this proposal. The proposal gives a power for
> misuse to the RIR

I fail to understand how. The main concept of 2019-03 is that it isn't the 
RIR's role to evaluate if an intentional hijack was performed -- that 
should be the role of external, independent experts.

Btw, a similar policy proposal was published yesterday in LACNIC.


> and does not protect members against setup.

We aim to refine the proposal, so can you please specify exactly where 
the members might become "unprotected"?

The proposal was built with checks & balances in mind. If they are not 
enough, let's work towards solving that, so no one will feel "unprotected".


> I believe this policy have nothing to do in RIPE.

Quoting:
=
> -Original Message-
> From: Sascha Luck [ml] 
> Sent: Monday 25 March 2019 12:24
>
> I therefore argue that it is maybe time to have a discussion on what 
> exactly RIPE and the NCC should be and what, if any, limits on their 
> administrative power there should be.
> I hope, though, that everyone can at least agree that *this* is
> *not* the forum for that discussion.

To confirm, the Anti-Abuse WG is absolutely not the right forum for that 
discussion.

Thanks,

Brian
Co-Chair, RIPE AA-WG
=

I understood this as "the Anti-Abuse WG is not the right forum to discuss 
the RIPE NCC's charter, the PDP or if any given proposal is admissible or 
not".



> It's better to issue it as a BCP document or an informational RFC.

I agree a BCP document can also be useful, so we'll start that as soon as 
possible.
However, having a clear statement within RIPE policies sends a much 
stronger message to anyone thinking about engaging in such practices.

Again, I want to point out the detail that anyone performing intentional 
hijacks _today_ (or last month or the previous year) is *not* within the 
proposal's scope -- if it happens to get accepted.

There are absolutely no rules *today* against (IP address space/ASN) 
hijacks, and this is precisely the gap 2019-03 aims to fix.


Best Regards,
Carlos Friaças



> --
> Sergey
>
> Tuesday, March 19, 2019, 1:41:22 PM, you wrote:
>
> MS> Dear colleagues,
>
> MS> A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE
> MS> Policy Violation", is now available for discussion.
>
> MS> The goal of this proposal is to define that BGP hijacking is not
> MS> accepted as normal practice within the RIPE NCC service region.
>
> MS> You can find the full proposal at:
> MS> https://www.ripe.net/participate/policies/proposals/2019-03
>
> MS> As per the RIPE Policy Development Process (PDP), the purpose of
> MS> this four-week Discussion Phase is to discuss the proposal and
> MS> provide feedback to the proposer.
>
> MS> At the end of the Discussion Phase, the proposers, with the
> MS> agreement of the Anti-Abuse WG co-chairs, decide how to proceed with
> MS> the proposal.
>
> MS> We encourage you to review this proposal and send your comments
> MS> to  before 17 April 2019.
>
> MS> Kind regards,
>
> MS> Marco Schmidt
> MS> Policy Officer
> MS> RIPE NCC
>
> MS> Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
>
>
>
>

Re: [anti-abuse-wg] Astroturfing?

2019-04-03 Thread JORDI PALET MARTINEZ via anti-abuse-wg
My personal view on this (not as a co-author now), and sorry to make it long, 
but I guess it is important, and there are many new people contributing in the 
list that we never heard about before, and I hope this helps many people, as a 
frequent participant and contributor to discussions.

I know very well the consensus process here, in all the RIRs and IETF, to which 
I've been a contributor since about 16-18 years ago, having 
authored/co-authored probably more than around 75 policy proposals in the 5 
RIRs, contributed in many other proposals discussions, and I think at least 3-4 
times those numbers of IETF documents.

When I know a topic very well, I usually tend to invest more time to write in 
the relevant list, never mind whether I'm for or against.

Sometimes, I just say +1 or I support the policy (if I know the topic very 
well), because I just agree with that one, even if I may disagree with some 
nits on the text, because it doesn't make sense to invest my time or others' 
time to adjust minor issues, which will make the discussion longer and I can 
just accept as written.

However, if I disagree I need to explain why in detail and get engaged in the 
discussion until we find a middle-term point.

I fully agree that it is not counting +1s, but those need to be considered as 
well: "Lack of disagreement is more important than agreement". I read that as 
those opposing should explain why and provide inputs. Those agreeing can just 
say nothing or say "I agree".

I understand that it is a difficult balance, and how co-chairs have a really 
difficult task, and that they often ask for "say something if you agree, don't 
stay silent".

However, I don't think we can ask for the people that agree to explain why. 
Otherwise, we will get tons of messages repeating it, never mind they use the 
same or different words.

This is my reading of consensus, in summary, and I think it is the most 
important aspect: "Rough consensus is achieved when all issues are addressed, 
but not necessarily accommodated".

That means that "One hundred people for and five people against might not be 
rough consensus", but if there is a minor number of insignificant non-addressed 
issues, having many "+1", should take preference than having silence or the 
opposing ones.

On the other way around, "+1" to "I oppose", even if there are 1.000 of them, 
may mean "nothing" against, because the reason for that opposition has been 
explained/addressed, even if some people "disagree" or don't like it.

Now, as a co-author (in general, not for the one being discussed). I try to 
respond to all the inputs (unless they become repetitive), and try to 
accommodate my proposal to as many folks as possible. I often change my mind 
with discussions, and reword text, but sometimes, I can have a strong opinion 
on a particular part of the proposal, and not concede on that part to others' 
opinions, but even in that case I always try to improve.

I'm tempted to say this is like a negotiation, but not exactly the same. I 
think everybody can understand what I mean (in Spanish will be much easier to 
explain!), and always trying my best and NEVER did a policy proposal because 
I've any special personal or business interest, up to each participant to 
believe me or not. I just do it because I think is good for the community, for 
Internet, even if it means investing my (small) amount of available time, out 
of sleep or leisure time.

Maybe just passion, as somebody told me a week ago.

The demonstration of that: I've authored and defended policy proposals about 
IPv6 PI and transfers, even if I personally thought that it was the wrong thing 
to do (and often I've said that in my presentation), but it was good for the 
community, so I took the role to defend the community position, not my own one.

Again, this is a very difficult task, and not everyone can be accommodated at 
100%.

I *really* prefer to write and defend 100 new policy proposals than being a 
co-chair (super-heroes for me!). We don't say it often, and we should repeat it 
much more: Thanks for all that work.

https://tools.ietf.org/html/rfc7282 is a good piece of text to read.

Regards,
Jordi
 
 

On 3/4/19 12:44, "anti-abuse-wg on behalf of Sebastien Lahtinen" wrote:


On Wed, 3 Apr 2019, Michele Neylon - Blacknight wrote:

> Is someone encouraging astroturfing?
>
> The number of either new or inactive members of this list who have 
> posted one line messages in support of the recent policy discussion has 
> reached insane levels

This specific discussion was highlighted to me and was the reason I joined 
the list. I've been reading a lot of the comments and haven't responded 
yet, but this is my first post to this list so I come under the above 
group.

As an outsider, what I would say is that there's a lot of noise here. Was 
I not from the community in the wider sense and understand the concept of 
how technical communities come up with

Re: [anti-abuse-wg] Astroturfing?

2019-04-03 Thread JORDI PALET MARTINEZ via anti-abuse-wg
As said in my previous email, if we take that strictly, then we will never have 
any IETF document or RIRs policy proposals reaching consensus. When I agree and 
will not provide any "extra" to what has been already said (because of the 
policy text or previous emails), I just do +1.

Or do you think people that agree, should then copy the rationale for somebody 
that agrees in the policy proposals, or even the policy text, and say "this is 
what I agree"?

Regards,
Jordi
 
 

On 3/4/19 13:54, "anti-abuse-wg on behalf of Michele Neylon - Blacknight" wrote:

Carlos

I've absolutely zero issue with new people engaging, but lots of one line 
"+1" or almost identical emails isn't meaningful engagement. 

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/ 
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

On 03/04/2019, 12:53, "Carlos Friaças"  wrote:


Hi Michele, All,

I had to Google for 'astroturfing'. I learned something today. :-)

As i see it, the "community" is not a closed group.

It was repeatedly stated that "consensus" or "rough consensus" is not a 
vote. I think that is clear for everyone.

Just like a few days ago i wrote that i hoped there wasn't any kind of 
discrimination against portuguese participants, i hope there isn't also 
any kind of discrimination against new participants on this WG.

I may understand if some people prefer to have less people in the WG, but 
i'm not part of that set.
While worrying about how we can improve rules/tools against Abuse (that's 
the point of an Anti-Abuse WG, right?), i would also like to see a much 
larger number of people involved!

If someone has any doubt about if newcomers are real persons, then 
please Google away. :-)

I met in person most of people that are supporting 2019-03 and also 
those that are opposing it (some of which i even co-authored other 
proposals), since a while back.

ps: I think i haven't met Sebastien Lahtinen in person since 10y or so, so 
if 2019-03 made him show up on the list, that's another plus :-))

Best Regards,
Carlos




On Wed, 3 Apr 2019, Michele Neylon - Blacknight wrote:

> All
>
> Is someone encouraging astroturfing?
>
> The number of either new or inactive members of this list who have
> posted one line messages in support of the recent policy discussion has
> reached insane levels
>
> Regards
>
> Michele
>
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> https://www.blacknight.com/
> https://blacknight.blog/
> Intl. +353 (0) 59  9183072
> Direct Dial: +353 (0)59 9183090
> Personal blog: https://michele.blog/
> Some thoughts: https://ceo.hosting/
> ---
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
>
>





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.







Re: [anti-abuse-wg] Astroturfing?

2019-04-03 Thread JORDI PALET MARTINEZ via anti-abuse-wg



On 3/4/19 15:05, "Sascha Luck [ml]" wrote:

On Wed, Apr 03, 2019 at 01:18:10PM +0200, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
>"Lack of disagreement is more important than agreement" I read that as
>those opposing should explain why and provide inputs. Those agreeing can just
>say nothing or say "I agree".

I don't actually agree with that premise. ("Lack of disagreement
is more important than agreement") Silence is not consent. 
Insofar, the "+1" is useful as an expression of consent.
Of course, that also means that anyone who does not "+1" should
at least be considered as possibly non-consenting. 

I don't think so. Silence is to be taken as consent. If you don't care don't 
respond. If you care, you express your disagreement.


>That means that "One hundred people for and five people against might not
>be rough consensus", but if there is a minor number of insignificant
>non-addressed issues, having many "+1", should take preference than having
>silence or the opposing ones.

No, and most assuredly not when it is so *obviously* a case of
"I've emailed all my friends and colleagues to support me" 
(You're not the only one guilty of this, I regularly receive
requests to "support me in this") But, I think the chairs are
experienced enough to give such contributions the weight they
deserve.

I have never done it with my friends, but if I've an event with ISPs about a 
topic relevant to them and I can make a short talk to ask them their opinion, 
it is perfectly valid even if they NEVER participated before, same with related 
mailing list, etc. I never will (and never have done) ask those groups "please 
support me". My way is please, read this, I think it is good for the community, 
and provide your inputs.

The only reason to even *have* a PDP is so issues with proposals
can be addressed. And I take this to mean *all* issues.

Rough consensus is achieved when all issues are addressed, but not necessarily 
accommodated.

>I'm tempted to say this is like a negotiation, but not exactly the same. I
>think everybody can understand what I mean (in Spanish will be much easier to
>explain!), and always trying my best and NEVER did a policy proposal because
>I've any special personal or business interest, up to each participant to
>believe me or not. I just do it because I think is good for the community, for
>Internet, even if it means investing my (small) amount of available time, out
>of sleep or leisure time.

Nobody, as far as I can ascertain, has leveled such an
accusation, so why defend against it? Proverbs 28:1?

I didn't mean that was the case, again, English is not my language. What I'm 
trying to say is that when you contribute to the community development (at 
least in my personal case), you should not take a personal/business position.

However, as you mention it, it actually happened to me and in RIPE. I can find 
the emails for you in the addressing policy, if I recall correctly it was 
during discussion of 2016-04.


>I *really* prefer to write and defend 100 new policy proposals than being
>a co-chair (super-heroes for me!). We don't say it often, and we should repeat
>it much more: Thanks for all that work.

Pfft, appeal to flattery. Though it is to be said that sifting
through this list is a task worthy of a Hercules.


rgds,
SL












Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

2019-04-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg


On 18/4/19 9:15, "anti-abuse-wg on behalf of Carlos Friaças via anti-abuse-wg" wrote:



Hi,


On Thu, 18 Apr 2019, Töma Gavrichenkov wrote:

> On Thu, Apr 18, 2019 at 1:39 AM Carlos Friaças via anti-abuse-wg
>  wrote:
>> And how will a dutch court determine a wrong decision was made? by getting
>> a different set of experts...?
>
> E.g. by judging on an evidence found later, and with that evidence
> making a decision that original set of experts did their job poorly.

Experts (on any given subject matter) can be wrong, if they look only at a 
specific dataset.

Even in court cases, experts (judicial experts, "peritos judiciales" in 
Spanish), can produce wrong advice. This is why we have an appeal process.

If data is not available on the year a crime was committed, and it surfaces 
only 5 years later, i wouldn't say the experts did a poor job. They might 
have done a good job with the data available at the time.



> NCC has arbiters for quite a while. Who's responsible for their mistakes?

Curiously or not, that's where all of this started: my first take was to 
think that arbiters were the solution, but *several* people pointed out 
the current pool of RIPE arbiters was formed for a different purpose and 
some of them might not have the skills (or the will...) to look into 
hijacking cases.



>> It shouldn't be the RIPE NCC, if the RIPE NCC is just following
>> the defined policy.
>
> Honestly, I think it's the opposite. If the NCC terminates a
> membership agreement, it should be liable for all the consequences of
> a wrong decision no matter how exactly the decision is made and what
> arbiters/experts/oracles/grandmoms were asked for a definitive advice.

OK, but that is relative to *any* termination reason, be it immediate or 
on a specific timescale (see RIPE-716).

I would like to know how many dutch court cases were filed to the date 
against RIPE NCC about wrongful membership agreement termination.

Interesting question, and I will say that if we can have that information (I 
guess Marco can ask "officially" for it to other RIRs) for all the RIRs, even 
better. This is public information, but you need to search for it, while the 
RIRs know very well all their cases (if there are any).


Thanks,
Carlos

ps: we've missed grandmoms on version 2.0's text. sorry about that :-))


> --
> Töma
>










Re: [anti-abuse-wg] VoIP

2019-04-25 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Reading the article in a minute !

However, as an information pointer I've some data ...

I've a VM with asterisk at home, and every day I've to ban (I use fail2ban to 
do it automatically after 3 failed attempts from the same IP), average about 20 
IPs attempting to use my SIP service to my provider. This turns into 100 per 
day in the office (average).

Of course, if they succeed, they can make "free" calls that I need to pay from 
my pocket ... So, I report automatically those attempts (once banned), 
including the logs, to the abuse contacts of the IP holder.

Some of them just don't care, unfortunately, as many abuse contacts, just don't 
work, or the mailboxes aren't being read, or they respond that you must fill in 
a form.

Regards,
Jordi
 
 

On 25/4/19 13:29, "anti-abuse-wg on behalf of ac" wrote:

Hi,

I read an interesting article this morning and I thought I should share.


https://www.nytimes.com/2019/04/24/technology/personaltech/stop-robocalls.html

It is interesting how the types of abuse are related to the costs, geo,
etc as well as perceived benefits thereof. Although I have setup SIP
and have played extensively with stuff like asterisk, I do not work
much with VoIP abuse or have much experience with it. (which is
probably why it is interesting to me :) )

Andre
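The workflow described in the reply above (ban after 3 failed attempts from the same IP, then report with the logs attached), as an added Python sketch that is not part of the original thread and is not fail2ban's own code. Assumptions: the log line shape is modelled on Asterisk chan_sip failed-registration notices, the 10-minute counting window and the report field names are hypothetical, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRY = 3                      # "after 3 failed attempts from the same IP"
FIND_TIME = timedelta(minutes=10)  # assumed counting window, not from the thread
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample input (not real traffic); format assumed as stated above.
SAMPLE_LOG = """\
[2019-04-25 10:00:00] NOTICE[1811] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '[2001:db8::5]:5060' - Wrong password
[2019-04-25 10:00:01] NOTICE[1811] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.23:5071' - Wrong password
[2019-04-25 10:00:40] NOTICE[1811] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.23:5071' - No matching peer found
[2019-04-25 10:01:10] NOTICE[1811] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2019-04-25 10:01:30] NOTICE[1811] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)
[2019-04-25 10:01:55] NOTICE[1811] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.23:5071' - Wrong password
[2019-04-25 10:05:00] NOTICE[1811] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '[2001:db8::5]:5060' - Wrong password
[2019-04-25 10:20:00] NOTICE[1811] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2019-04-25 10:30:00] NOTICE[1811] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '[2001:db8::5]:5060' - Wrong password
[2019-04-25 10:31:00] NOTICE[1811] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '[2001:db8::5]:5060' - Wrong password
[2019-04-25 10:32:00] NOTICE[1811] chan_sip.c: Registration from '"202" <sip:202@192.0.2.10>' failed for '[2001:db8::5]:5060' - Wrong password
"""

# Anchored on the trailing address the server appends, never on the From
# header, because the From header is chosen by the remote side.
FAILED_REGISTRATION = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for "
    r"'(?P<ip>\[[0-9A-Fa-f:]+\]|[\d.]+)(?::\d+)?' - (?P<reason>[^']+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, raw_line) for each failed registration."""
    for line in log_text.splitlines():
        match = FAILED_REGISTRATION.match(line)
        if match:
            stamp = datetime.strptime(match.group("ts"), TS_FORMAT)
            yield stamp, match.group("ip").strip("[]"), line


def find_bans(log_text):
    """Return {ip: [(timestamp, raw_line), ...]} for IPs reaching MAX_RETRY
    failures inside FIND_TIME. Lines are assumed to be in time order."""
    recent = defaultdict(deque)
    bans = {}
    for stamp, ip, line in parse_failures(log_text):
        if ip in bans:
            continue  # already banned; later lines add nothing to the trigger
        window = recent[ip]
        window.append((stamp, line))
        # Drop failures that fell out of the counting window.
        while stamp - window[0][0] > FIND_TIME:
            window.popleft()
        if len(window) >= MAX_RETRY:
            bans[ip] = list(window)
    return bans


def build_report(ip, evidence):
    """Bundle every log line for one banned IP into a single report record."""
    stamps = [stamp for stamp, _ in evidence]
    return {
        "subject": f"SIP registration brute force from {ip}",
        "source_ip": ip,
        "first_seen": min(stamps).strftime(TS_FORMAT),
        "last_seen": max(stamps).strftime(TS_FORMAT),
        "attempts": len(evidence),
        "evidence": [line for _, line in evidence],
    }


if __name__ == "__main__":
    for address, lines in find_bans(SAMPLE_LOG).items():
        report = build_report(address, lines)
        print(report["subject"], report["first_seen"], report["attempts"])
```

The IPv6 source is only banned on its second burst: its first two failures age out of the window before a third arrives, so the report carries the three lines from 10:30 onwards.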












Re: [anti-abuse-wg] VoIP

2019-04-25 Thread JORDI PALET MARTINEZ via anti-abuse-wg
I will rather prefer an IETF standard for abuse reporting ... already thought 
about starting it several times ... sooner or later I will write down 
something, so maybe some other people are interested to co-author?

Regards,
Jordi

On 25/4/19 16:14, "anti-abuse-wg on behalf of ac" wrote:

On Thu, 25 Apr 2019 14:06:39 +0200
JORDI PALET MARTINEZ via anti-abuse-wg  wrote:
> Reading the article in a minute !
> However, as an information pointer I've some data ...
> I've an VM with asterisk at home, and every day I've to ban (I use
> fail2ban to do it automatically after 3 failed attempts from the same
> IP), average about 20 IPs attempting to use my SIP service to my
> provider. This turns into 100 per day in the office (average).
> Of course, if they succeed, they can make "free" calls that I need to
> pay from my pocket ... So, I report automatically those attempts
> (once banned), including the logs, to the abuse contacts of the IP
> holder.
> Some of them just don't care, unfortunately, as many abuse contacts,
> just don't work, or the mailboxes aren't being read, or they respond
> that you must fill in a form.
> Regards,
> Jordi
>  
this is something very worthy of discussion, listing services has
always existed for dynamic blocks, email abuse, bad neighborhood etc
etc - and these lists are reflected/delivered/offered as rbl, dnsbl, wrbl,
text, sql, etc etc - imho, the latest trends are weird as the generic lists
are becoming too generic and specific or specialisation is the "next big
thingTM" - as in not unicorny big but tech useful (mostly free) big...
As an example of this, a combined email rbl (which also contains
certain dynamic ranges known for not filtering egress, would be
completely (or mostly) useless for filtering IP on SIP (or even brute)
and a comment form rbl would be well suited for iptables on a web
server... 

My latest new and shiny big idea is:

I have an idea and a plan to dev a dynamic ip use dnsl which will return a
flag on query...

The idea is that any device would receive a code when querying an RR

The result on query would be multi digit and reflect the known data for
that resource (examples: User Dynamic/Static - Abuse Reported Y/N -
Port of abuse (all(dul)/21/22/25/53/80/443/etc) - Resource holder
responsive Y/N - etc etc etc

The further idea is to have exchangeable data streams so that the
query (as well as the IPv4/6 of the query) becomes a data provider and
then the reporting can be automated (or not) depending on the resource
holder itself...

What do you think?

Kind Regards

Andre












Re: [anti-abuse-wg] standard for abuse reporting (was: VoIP)

2019-04-26 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi all,

To avoid unnecessary noise in the list, I think we should handle this in pvt.

At the moment, I've got emails from Andre, Angel and Jan about this.

I will try to work during this weekend in investigating if there is already an 
IETF WG that may be a fit for this work, or alternatively will discuss with the 
IESG about a BoF for it.

As soon as I've a clear view on this, I will inform all those interested; maybe 
a short "summary" message in this list is also appropriate then.

Regards,
Jordi
 
 

On 25/4/19 18:12, "Ángel González Berdasco" wrote:

On 25-04-2019 16:45 +0200, JORDI PALET MARTINEZ wrote: 
> I will rather prefer an IETF standard for abuse reporting ... already
> thought about starting it several times ... sooner or later I will write down
> something, so may be some other people interested to co-author?
> 
> Regards,
> Jordi

Hello Jordi

I would also be interested in having a standard for reporting abuses.
There is X-ARF but it isn't able to encode certain information, such as
multiple log entries for the same incident, or the only way to do so
would be extremely verbose, to the point of being impractical if the
recipient is not a bot.

Best regards

-- 
INCIBE-CERT - CERT of the Spanish National Cybersecurity Institute
https://www.incibe-cert.es/

PGP Keys:
https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys



INCIBE-CERT is the Spanish National CSIRT designated for citizens,
private law entities, other entities not included in the subjective
scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
Jurídico del Sector Público", as well as digital service providers,
operators of essential services and critical operators under the terms
of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de
las redes y sistemas de información" that transposes the Directive (EU)
2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and
information systems across the Union.



Disclaimer:
This message may contain confidential information, within the framework
of the corporate Security Management System. If you are not the intended
recipient, please notify the sender and delete this message without
forwarding or retaining a copy, since any unauthorized use is strictly
prohibited by law.














Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-16 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Angel,

Thanks a lot for the inputs, see below in-line.

Regards,
Jordi
 
 

On 16/5/19 16:36, "anti-abuse-wg on behalf of Ángel González Berdasco" wrote:

Marco Schmidt writes:
> Dear colleagues,
> 
> A new RIPE Policy proposal, 2019-04, "Validation of "abuse-mailbox"", 
> is now available for discussion.
> 
> This proposal aims to have the RIPE NCC validate "abuse-c:"
> information more often, and introduces a new validation process that
> requires manual input from resource holders.
> 
> You can find the full proposal at:
> https://www.ripe.net/participate/policies/proposals/2019-04
> 
(...)

Looks good.

A couple of notes. In addition to the first notice, it may be worth to
add 'reminders' instead of escalating directly to the LIR, such as
sending a reminder after one week (day 7), and another on the 14th day,
prior to escalation.
 
My original proposal had many additional details and complexity, including 
warnings, blocking the account, etc., but conversations with the staff brought 
down some of my original ideas as they are considered "operational details", in 
the expectation to discuss them in the list and re-add them if the community 
may think they must be explicitly part of the policy proposal.
   
*This should not be necessary,* as the resource owner should have put
the means so that emails received on the abuse-c are not lost, and
someone actually reviews them, without having to insist on them.
But I foresee that would improve the response process.

Clearly, I fully agree.

Also, the resource holder should be able to manually request a new
mailbox validation if the provided code is expired (eg. the main person
in charge was on holiday and their backup did not handle it).

I think this is not needed, because the NCC, after the validation fails, will 
be in touch with the resource holder, again may be an operational issue, but 
again, if the community think that it should be explicit in the proposal, I'm 
also happy about that.

RIPE should log the time taken by the different holders to validate
their abuse-c, so that those statistics can be used in the future to
better understand the effectivity of this process.

Very good point. Again, I think it is an operational aspect. I will suggest the 
impact analysis to consider if they already do this by default, or we need to 
explicitly say this.

Many of those aspects can be part of the policy proposal as "other 
information", not necessarily as policy text.

Finally, I have been thinking how to improve the phrase
«Commonly, if a ticket number has been generated, it should be kept
(typically as part of the subject) through successive communications.»

I came out with replacing it with this new paragraph:
«It is quite common to have ticket numbers/identifiers associated to
abuse reports in order to be able to differentiate them, which
are typically included as part of the subject. Replies (either manual
or automated) by the resource holder should maintain any identifiers
used by the reporter, optionally adding their own one. And any reply by
the abuse reporter should keep as well the identifier holding the
ticket number on the resource holder system.»

Fine for me. Let's see what others believe.


Best regards

-- 
INCIBE-CERT - CERT of the Spanish National Cybersecurity Institute
https://www.incibe-cert.es/

PGP Keys:
https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys











Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-16 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Nick,

As it has been observed several times, the actual validation system is 
extremely weak and very easy to avoid, so 99% useless.

If I put in my abuse-c your email (just an example). The validation will pass, 
and you will never notice that I've used your email to fake the system.

So, clearly it is the wrong way.

If two validations are done per year, I don't think this is significant 
overhead for any resource holder vs the benefits of the time saving for the 
same resource holders that need to use the abuse mailbox of a counterparty that 
today is escaping from a real validation and creating troubles with abuse 
emails to someone else.

Anyone failing in repetitive occasions to comply with policies is subjected to 
further NCC scrutiny, including account closure. This is a different policy 
already in place. If we don't like that, we should change that policy, but then 
we don't need policies anymore. Policies are the rules for the community to be 
respected by all, and not having an administrative enforcement by the NCC is 
the wild west.

Regards,
Jordi
 
 

On 16/5/19 23:38, "anti-abuse-wg on behalf of Nick Hilliard" wrote:

Gert Doering wrote on 16/05/2019 21:47:
> No positive effect, but lots of negative side-effects.

Abuse mailboxes are already checked.  What matters for abuse management 
is whether reports are acted on.  This policy doesn't address that.

If the RIPE NCC is instructed to send 6-monthly reminders to all abuse 
contacts with the implicit threat that if they aren't acted on in the 
way specified in this policy, that the organisation in question can look 
forward to having their addressing resources vapourised, this will 
aggravate the RIPE NCC membership and corrode community trust in the 
organisation.  The one thing it won't do is make abuse management better.

Internet abuse management is not something that you're going to fix by 
beating LIRs with sticks, and if they don't react, that you threaten to 
beat them harder.

Separate to this, it's inappropriate to micromanage the NCC in RIPE 
policy.  It would be good if the RIPE working groups stopped trying to 
tell the RIPE NCC people how to do their jobs.

Nick












Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-17 Thread JORDI PALET MARTINEZ via anti-abuse-wg
My email client doesn't allow me to do it in a different way (Outlook for Mac). 
If somebody is able to help, I'm happy. I can't change my client, for different 
and long to explain business reasons.

Anyway, this is a curious thing ... last week I was asked in the LACNIC meeting 
policy session to avoid responding in-line to emails about policy discussions.

So, I'm confused.

Regards,
Jordi
 
 

On 17/5/19 12:08, "anti-abuse-wg on behalf of Brian Nisbet" wrote:

Folks,

> -Original Message-
> From: anti-abuse-wg  On Behalf Of Gert
> Doering
> Sent: Friday 17 May 2019 11:03
> 
> And, at least try the minimum amount of politeness in quoting according to
> local customs.
> 
> (@chairs: can i propose a policy that makes it required policy to do proper
> e-mail quoting style, and otherwise people will permanently lose their
> Internet access?  This would arguably only hit bad people and would be so
> much relief from this continuous abuse of my eyes!)

Can we please let this particular one go? For various reasons, such as 
software, style and the changing nature of reality, top posting is a common 
thing. This is the reality. I realise it breaks sacred oaths and trusts and I 
also understand a lot of people find it more difficult to parse, but it's the 
reality and, even if it could be changed, remarks on this mailing list will not 
change it.

I am happy to discuss this further with you over a beverage at the meeting 
next week, but it ain't gonna change, so I do not believe it's helpful to any 
discussion to continue to refer to it.

Thanks,

Brian
(Only slightly with his Co-Chair hat on, this is more of a hope than 
anything else...)

Brian Nisbet 
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270












Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-17 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Internet is global, so local customs are from the "Internet planet". 

On 17/5/19 12:16, "Gert Doering" wrote:

Hi,

On Fri, May 17, 2019 at 12:13:12PM +0200, JORDI PALET MARTINEZ wrote:
> Anyway, this is a curious thing ... last week I was asked in the LACNIC
> meeting policy session to avoid responding in-line to emails about policy
> discussions.

"If you go to Rome, do as the romans do" = "follow local customs"

And Outlook *can* do that.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279











Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg


On 18/5/19 9:56, "anti-abuse-wg on behalf of Gert Doering" wrote:

Hi,

On Sat, May 18, 2019 at 12:02:48AM +0100, Carlos Friaças wrote:
> > There is no indication that the complications Jordi is proposing are
> > an actual improvement in any metric, except "human life time wasted".
> 
> Starting with "complications" is really not that constructive.
> 
> If the process is too complex let's work on it, and make it simpler where 
> it is possible.

We have an existing process that is the result of a PDP discussed in this
very working group, reflecting community consensus on the balance between
checking and annoyance.

Nobody has made a convincing argument why this needs to be made stricter
and more time consuming.

> Trying to build a softer approach, maybe the NCC doesn't need to send 
> _everyone_ a message twice a year, but if someone finds an abuse-mailbox 
> to be unresponsive, then if it is mandatory to have a working 
> contact/mailbox, the NCC could only get into the picture when someone 
> detects that is not in place.
> 
> Or is _that_ already in place...?

We *HAVE* a process to check abuse contacts.

We *HAVE* ARCs.


So, please state *first* what is wrong or insufficient with the current
process, and why these added complications would improve the end goal:
abuse reports sent to ISPs are handled "better" (in a to-be-defined
metric).

A process that allows to use emails from other random people is not a *real 
validation* it looks closer to a joke.

Note: taking away lifetime from the people doing abuse mail handling is
not going to make them more enthusiastic about doing their job.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279











Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg


On 18/5/19 10:35, "Gert Doering" wrote:

Hi,

On Sat, May 18, 2019 at 10:28:45AM +0200, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
> So, please state *first* what is wrong or insufficient with the current
> process, and why these added complications would improve the end goal:
> abuse reports sent to ISPs are handled "better" (in a to-be-defined
> metric).
> 
> A process that allows to use emails from other random people is not a
> *real validation* it looks closer to a joke.

If the NCC's existing abuse mail validation mails hit other people's
mailboxes, those can report back, and the NCC will surely follow up with
the LIR that did this incorrect entry.


I have an idea.

I will set up a service where everyone can have an e-mail address which
will totally follow everything you propose as validation mechanism - like,
click on tokens, report back in 10 minutes (even in the middle of the 
night), etc. - LIRs that want to be spared this annoyance can just pay
me 50 EUR/month, and I'll handle all these chores for them.

So, this would totally fulfill your proposed policy, and not help in any
bit with *abuse handling*.

That automated system will be against the policy. I've already worded it out in 
such way that is not possible this type of "work-around the policy", at least 
it was my original intent to avoid it. If I've broken something across more 
than 20 versions that I edited internally since started, I will make sure to 
fix it in the next version.

Can you now see why your proposal is useless in achieving its (not very
clearly stated) goal?  And if something is not useful towards the goal,
but has lots of drawbacks, it should not be followed.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279











Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg


On 17/5/19 10:41, "anti-abuse-wg on behalf of Carlos Friaças via anti-abuse-wg" wrote:


Hi All,

I'm not sure about the 6 month period (vs. 12 months), and probably some 
details can be improved in further versions, but i do support this 
proposal, which is clearly in the path of "anti-abuse".

My team has nearly sent out 6000 abuse reports (only about intrusion 
attempts and brute force attacks) since Jan 1st this year.
I've just checked, and only 2.5% bounced. 2018's bounces were around 4.5%.

I guess that means that it is increasing. 2.5% is only for 5 first months of 
this year, so it may end up in 2019 you have 5-6% ?

I've looked at my own network and the situation is even worse. Major number of 
abuse reports for me are intrusion attempts, attempts to use our SIP and SPAM. 
In total, the average number of abuse reports per month is about 3.800 (99% are 
automated). Bounces increase from previous year, average, is 23%.

Maybe when we start to send out (automated) abuse reports about spam, the 
percentage will increase. We also send messages, globally, so solving the 
issue only in RIPEland will have limited impact. I've read this is 
already under implementation in another region, and proposed in the 
remaining 3 -- great!

I also think some reference to the ARC (Assisted Registry Check) could be 
included in the proposal, and could work as a primary step well before 
going into other actions which can carry more impact.

Regards,
Carlos




On Thu, 16 May 2019, Marco Schmidt wrote:

> Dear colleagues,
>
> A new RIPE Policy proposal, 2019-04, "Validation of "abuse-mailbox"", is
> now available for discussion.
>
> This proposal aims to have the RIPE NCC validate "abuse-c:" information
> more often, and introduces a new validation process that requires manual
> input from resource holders.
>
> You can find the full proposal at:
> https://www.ripe.net/participate/policies/proposals/2019-04
>
> As per the RIPE Policy Development Process (PDP), the purpose of this
> four-week Discussion Phase is to discuss the proposal and provide feedback
> to the proposer.
>
> At the end of the Discussion Phase, the proposer, with the agreement of
> the Anti-Abuse Working Group Chairs, decides how to proceed with the proposal.
>
> We encourage you to review this proposal and send your comments to
>  before 14 June 2019.
>
> Kind regards,
>
> Marco Schmidt
> Policy Officer
> RIPE NCC
>
> Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
>












Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Alex,

 

The intent of this policy is to ensure that the validation process is useful, 
and that means ensuring that the inbox is working, real (not from somebody 
else), monitored for abuse reports (automatically is ok if it really works, but 
there must be a way for human participation), and that those that send abuse 
reports don’t need to use a different form for every possible LIR in the world, 
which is not viable (unless there is a common standard for that – work in 
parallel but may take years).

 

A responsible organization will deal with abuse reports, and having a working 
abuse-c is part of it, otherwise people can’t report abuse cases. If abuse 
cases are ignored you escalate to the NCC or courts, or whatever, that’s 
another layer.


Regards,

Jordi

 

 

 

On 16/5/19 22:42, "anti-abuse-wg on behalf of Alex de Joode" wrote:

 

​Ola,

​

It's unclear to me what you are trying to accomplish with this policy:

1.   ensure ripe members have a working (as in receiving mail) abuse email 
address;

2.   ensure ripe members have a working abuse email address and process 
incoming mails;

3.   ensure ripe members have a working abuse email address and read it;

4.   ensure ripe members have a working abuse email address and act 
responsibly on notices.

It seems you want to verify that a human reads the abuse box. However this will 
tell you nothing about how an organisation actually deals with abuse. So it 
will only burden ripe members to no avail.

 

It is my belief ripe should stick to technical verification that an abuse email 
box exists and is able to receive mail. Ripe is not the internet sheriff :)

 

Cheers,

Alex

 

​-- 

IDGARA | Alex de Joode | +31651108221






Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg
This will not work.

 

Allowing every resource holder in the world to use their own form means that 
you need to develop tons of specific reporting tools to match all those 
specific formats and bring the cost of that to the victims. Meanwhile, if 
reporting is done by email, attaching logs, it can be processed by the ISP that 
get the money from the abusive customer, and if the cost (if any) falls on the 
right side.

 

In addition to that, RFC5965 is only for reporting about email, but not other 
abuse cases. I agree that ideally, we should have X-ARF as a standard for *any* 
abuse reporting, and if you followed the previous discussion (a few weeks ago), 
I’m already working on that, but this will take typically 2 years. When this 
happens, we can update the existing policy to mandate the use of that standard.


Regards,

Jordi

 

 

 

On 18/5/19 14:36, "Alex de Joode" wrote:

 

​Thanks Jordi,

 

You cannot force LIR's to act in the fashion below (that is wishful thinking). 
However you can make transparent how abuse desks deal with complaints.

 

I would therefore suggest the following:

 

Keep the current validation procedure, add a date to the abuse-whois, when the 
address was last successfully checked. 

Give LIR's the options to add an acceptable abuse format for automated 
processing to the whois.

 

By this you:

   - make visible the address works;

   - make the abuse whois act as a source for how responsible organisations deal with abuse.

 

I could imagine there would be one or more of the following options:

{blank} = not filled in by LIR

{manual} = LIR handles abuse in a manual fashion

{XARF} = accepts Xarf/RFC5965 form and handles them automatically

{other specification, maybe with URL}

{api with url}

{'whatever'}

 

This would be more valuable for the whole global abuse handling process than 
the burdensome time waster that is now proposed.

 

​-- 

IDGARA | Alex de Joode | +31651108221


On Sat, 18-05-2019 13h 31min, JORDI PALET MARTINEZ via anti-abuse-wg 
 wrote:

Hi Alex,

 

The intent of this policy is to ensure that the validation process is useful, 
and that means ensuring that the inbox is working, real (not from somebody 
else), monitored for abuse reports (automatically is ok if it really works, but 
there must be a way for human participation), and that those that send abuse 
reports don’t need to use a different form for every possible LIR in the world, 
which is not viable (unless there is a common standard for that – work in 
parallel but may take years).

 

A responsible organization will deal with abuse reports, and having a working 
abuse-c is part of it, otherwise people can’t report abuse cases. If abuse 
cases are ignored you escalate to the NCC or courts, or whatever, that’s 
another layer.


Regards,

Jordi

 

 

 

On 16/5/19 22:42, "anti-abuse-wg on behalf of Alex de Joode" wrote:

 

​Ola,

​

It's unclear to me what you are trying to accomplish with this policy:

1.   ensure ripe members have a working (as in receiving mail) abuse email 
address;

2.   ensure ripe members have a working abuse email address and process 
incoming mails;

3.   ensure ripe members have a working abuse email address and read it;

4.   ensure ripe members have a working abuse email address and act 
responsibly on notices.

It seems you want to verify that a human reads the abuse box. However this will 
tell you nothing about how an organisation actually deals with abuse. So it 
will only burden ripe members to no avail.

 

It is my belief ripe should stick to technical verification that an abuse email 
box exists and is able to receive mail. Ripe is not the internet sheriff :)

 

Cheers,

Alex

 

​-- 

IDGARA | Alex de Joode | +31651108221



Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Nick,


On 18/5/19 15:38, "Nick Hilliard" wrote:

JORDI PALET MARTINEZ via anti-abuse-wg wrote on 18/05/2019 14:32:
> This will not work.
> 
> Allowing every resource holder in the world to use their own form means 
> that you need to develop tons of specific reporting tools to match all 
> those specific formats and bring the cost of that to the victims. 
> Meanwhile, if reporting is done by email, attaching logs, it can be 
> processed by the ISP that get the money from the abusive customer, and 
> if the cost (if any) falls on the right side.

So, either RIPE LIRs adopt Jordi's work flow for abuse complaint 
management, or the RIPE NCC will take away their internet addresses?

I'm sure you know this, just in case ... policy proposals are precisely to find 
an agreement in the community, so yes, it is my proposal, but it is up to the 
community discussion to agree on what we believe is best, this is my 
understanding on rough consensus.

I'm definitively for making sure that the victims don't have costs, as they 
aren't getting money for that. I think it is a perfect valid wish.

In case you haven’t noticed it, APNIC already agreed with my proposal and is 
being implemented. Pity that we don't have a presentation of it in the next 
meeting, however, it was presented last week in LACNIC and you can follow the 
slides and video (English) here:

https://www.lacnic.net/innovaportal/file/3635/1/lacnic31-apnic-policies-update-sunny.pdf

For the video see minute 39:00:

https://www.youtube.com/watch?v=eUU7-FTv-n0&feature=youtu.be



Wow.

Nick












Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Töma,

 

 

On 18/5/19 16:25, "anti-abuse-wg on behalf of Töma Gavrichenkov" wrote:

 

On Thu, May 16, 2019, 11:42 PM Alex de Joode  wrote:

It seems you want to verify that a human reads the abuse box.

 

This is actually a very bright proposal in view of the next generation economy.

 

Everything would be machine learning and automated; cab drivers, delivery 
folks, factory and construction workers would lose their jobs; but we could 
then still adopt thousands if not millions of people, because there would be a 
requirement that abuse mailboxes would be to be handled by humans only.

 

Science fiction warns though: at some point, an X-ray and MRI scans might 
become necessary to ensure compliance.

 

Small clarification about what the proposal is asking for:

 

“Avoid exclusively automated processing”

 

So, I’m fine with automated processing, AI or anything that in the future we or 
our robots or the robots that they create for us, however the goal is to 
guarantee that at the end, instead of a “no response to an abuse report”, a 
human is reachable.

 

 

--

Töma






Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-18 Thread JORDI PALET MARTINEZ via anti-abuse-wg


On 18/5/19 18:49, "anti-abuse-wg on behalf of Niall O'Reilly" wrote:

On 18 May 2019, at 9:38, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

> On 18/5/19 10:35, "Gert Doering" wrote:
>
> I have an idea.
>
> I will set up a service where everyone can have an e-mail address which
> will totally follow everything you propose as validation mechanism - like,
> click on tokens, report back in 10 minutes (even in the middle of the
> night), etc. - LIRs that want to be spared this annoyance can just pay
> me 50 EUR/month, and I'll handle all these chores for them.
>
> So, this would totally fulfill your proposed policy, and not help in any
> bit with *abuse handling*.
>
> That automated system will be against the policy. I've already worded 
> it out in such way that is not possible this type of "work-around the 
> policy", at least it was my original intent to avoid it.

I wonder how words can make anything impossible.

I also wonder how to implement a dependable Turing Test for distinguishing
between what Gert suggests ( a kind of "Mechanical Turk") and a real human.

Obviously all what we have in our policies is not bullet proof (and you could 
fake almost every rule that we have), but that doesn't mean that if you don't 
follow policies and it is discovered you're not violating them.

Same in law. Nobody is checking that you follow the law 100%, but if you 
don't, it is your own decision and may have consequences.

I said this already several times. Not having agreed reasonable rules that 
need to be followed would be like having no need for RIRs and being in the 
wild-west.

Just saying.

Niall












Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-21 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Gert,
 
I'm fine if it is outsourced to comply with the policy, of course, but not to 
circumvent it.

I think any way to comply with policies is just fine if acting in good faith.

Regards,
Jordi

On 18/5/19 19:03, "Gert Doering" wrote:

Hi,

On Sat, May 18, 2019 at 10:38:46AM +0200, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
> I have an idea.
> 
> I will set up a service where everyone can have an e-mail address which
> will totally follow everything you propose as validation mechanism - like,
> click on tokens, report back in 10 minutes (even in the middle of the
> night), etc. - LIRs that want to be spared this annoyance can just pay
> me 50 EUR/month, and I'll handle all these chores for them.
> 
> So, this would totally fulfill your proposed policy, and not help in any
> bit with *abuse handling*.
> 
> That automated system will be against the policy. I've already
> worded it out in such way that is not possible this type of
> "work-around the policy", at least it was my original intent to
> avoid it. If I've broken something across more than 20 versions
> that I edited internally since started, I will make sure to fix it
> in the next version.

Who said that this is automated?  If enough LIRs give me 50 EUR/month,
I can hire a few students who will sit there all day waiting for
confirmation requests and dutifully do (as humans) what they are
expected to do.

You do not seem to be willing to listen: what you propose is sheer and 
uncalled-for extra annoyance for the vast majority of LIRs, and will 
do *nothing* to improve abuse handling.  All it will do is ensure that 
someone wastes a few minutes of human lifetime on your challenge.

And *that* can be nicely outsourced.


Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279











Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-21 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Gert,

Yeah, I definitively should go to school, never went when I was a child.

However, this is not a matter of maths, it is just a matter of responding too 
fast while sleeping only a couple of hours. Anyway, nobody knows how much will 
be the % at the end of the year, as this is not necessarily linear.

Regards,
Jordi
 
 

On 18/5/19 19:07, "Gert Doering" wrote:

Hi,

On Sat, May 18, 2019 at 10:43:11AM +0200, JORDI PALET MARTINEZ via 
anti-abuse-wg wrote:
> My team has nearly sent out 6000 abuse reports (only about intrusion 
> attempts and brute force attacks) since Jan 1st this year.
> I've just checked, and only 2.5% bounced. 2018's bounces were around 
4.5%.
> 
> I guess that means that it is increasing. 2.5% is only for 5 first months 
of this year, so it may end up in 2019 you have 5-6% ?

Learn math.  Percentages are not added up.  Absolutes numbers are, but there
is no indication why the *relative* number would be any different in the
second half of 2019.

Gert Doering
-- NetMaster







Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-21 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Rich,



On 21/5/19 9:31, "anti-abuse-wg on behalf of Rich Kulawiec" wrote:


This is a bad idea and should be abandoned.

The goal is fine: everyone/everything should have a valid abuse@ address
per RFC 2142, decades of best practices, and inherent accountability to
the entire Internet community.  Everybody should pay attention to what
shows up there, conduct investigations, mitigate problems, report/apologize
as necessary, and so on.  I've been on the record for a long time
supporting this goal and that hasn't changed.

However:

1. Sending UBE to abuse mailboxes is bad.  Think about it.

We have no other way, unless we have a standard widely adopted. It is also 
something being done today, with most of the abuse cases. What is wrong is to 
have a different form for every possible LIR/end-user in the world. Not 
workable.

2. Expecting people to follow URLs contained in messages to abuse

If you read the example procedure in the proposal, this has been sorted out.

mailboxes is a horrible idea.  Penalizing them for not doing it is worse.

Penalizing members of an RIR that don't follow policies is the right thing to 
do.

(Best practice for abuse handlers is to not use a mail client that parses
HTML or a mail client with a GUI, for what I trust are obvious reasons.)


3. Whatever response mechanism is devised, it WILL be automated.
I note the reference to "captchas" and suggest reading my recent
comment on those in another recent thread here: briefly, they have long
since been quite thoroughly beaten.  They are worthless, and anyone
using them or suggesting their use is woefully ignorant.

It is up to the implementation to decide what is best, and I guess it will 
evolve over time.

4. Knowing that abuse reports are accepted and read is nice, but not
terribly useful.  What matters is what's done with them, and that
ranges from "investigated promptly and acted on decisively if they're
shown to be accurate" to "ignored and discarded" to "forwarded to the
abusers".

I've preferred not to go into the fine line of whether they must be properly 
investigated and properly acted on, but this is something that the community 
can decide as well. I don't think it is coherent to have a business providing 
Internet services and not have an AUP, or even worse, having an AUP and not acting 
against that. This is a business that doesn't impact only your own customers 
if you allow criminals in your network, it impacts the rest of the world, a very 
different level of responsibility than any other business.

And we (for a vague value of "we") already know this: we know because
we've submitted abuse reports and observed outcomes for years.  We know
which operations never respond in any way and we know which ones hand
data over to abusers (or *are* the abusers).  We know this by practice
and experience -- it's not something that can be automated.  It takes
time and effort and expertise to figure out.

As indicated already several times, ideally, we have a standard, and then open 
source or commercial tools that take care of that as much as possible. However, 
meanwhile we need to act.

5. This approach fails the "what if everybody did it?" test quite badly.

Sorry, I'm not sure I understand your point here.

6. Of course, the moment something like this is deployed -- if not
before -- bad actors will realize that copycatting it may well be
an effective tactic to directly attack abuse desk operations and/or
gather intelligence on them and/or compromise them.

Again, if you read the policy there is an example of things that can be done to 
avoid that, such as periodically changing domains, subjects, etc.

---rsk












Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-21 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Gert,

On 21/5/19 14:37, "Gert Doering" wrote:

Hi,

you cannot know if someone complies with the policy in good faith or not.


And this is exactly the same for any other policies that we have adopted, and 
that doesn't preclude us from adopting them, because in any membership organization, 
we presume good faith from members?


Gert Doering
-- NetMaster







Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-21 Thread JORDI PALET MARTINEZ via anti-abuse-wg



On 21/5/19 15:32, "Gert Doering" wrote:

Hi,

the whole point of your policy is the underlying assumption that people
are *not* acting in good faith, so why all of a sudden assume they are?

It is the other way around. If you're acting in good faith, you should not have 
a problem to have a validation. The time you invest in a couple of validations 
per year, will be *much less* than the time that you *now* invest in unusable 
abuse contacts.

Gert Doering
-- NetMaster







Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-21 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Gert,

 

On 21/5/19 16:07, "Gert Doering" wrote:

Hi,

you are comparing the claimed cost savings on the side of the reporters
with the very real extra costs incurred on the side of the abuse handlers.

You can't do that, and come up with a positive result.

The cost of TWO human validations per year, is negligible compared with the 
cost of TWO manual processes to report abuses when the abuse contact is not 
valid.


(Well, you can, but that approach is very one-sided and flawed at that)

Gert Doering
-- NetMaster







Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-21 Thread JORDI PALET MARTINEZ via anti-abuse-wg
If a single spammer (for example), once in the year, sends 50.000 spam 
messages (which is a ridiculous number in a single campaign, and we know that 
there are thousands of them every year), the cost for all the *15.000+* LIRs 
abuse desks is already compensated vs the cost of the TWO-yearly validations.

Note that the proposal is not telling that you must do a manual validation, 
only that even if you have your abuse-desk automated, you should make sure that 
after all the automation, if something can't be handled by the automated 
process, it should go to a human.
 

On 21/5/19 16:20, "Gert Doering" wrote:

Hi,

it's nice how you can decide on your own how the (very real) extra costs 
incurred to *15.000+* LIR abuse desks plus the RIPE NCC are "negligible",
claiming that the (unfounded) saving on the costs on the side of abuse
reporters would outweigh that.

Please back with actual numbers.

Gert Doering
-- NetMaster







Re: [anti-abuse-wg] 2019-04 New Policy Proposal (Validation of "abuse-mailbox")

2019-05-21 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Taras,
 

On 21/5/19 16:18, "Taras Heichenko" wrote:



> On May 21, 2019, at 18:35, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> 
> 
> 
> On 21/5/19 15:32, "Gert Doering" wrote:
> 
>Hi,
> 
>the whole point of your policy is the underlying assumption that people
>are *not* acting in good faith, so why all of a sudden assume they are?
> 
> It is the other way around. If you're acting in good faith, you should 
> not have a problem to have a validation. The time you invest in a couple of 
> validations per year, will be *much less* than the time that you *now* invest 
> in unusable abuse contacts.

If you're acting in good faith you do not need the validation. So other 
people do not need to validate your abuse contact.
It just works. If you're acting in bad faith then additional validation 
will not change your behavior. You just check your

>>> Right, but those folks *then* are violating the policy.

mailbox to reply to the validation. Nothing more. But the people who are 
acting in good faith will have additional headache to not
miss the validation to make all good.

> 
>Gert Doering
>-- NetMaster

--
Best regards

Taras Heichenko
ta...@hostmaster.ua

















[anti-abuse-wg] diff online 2019-03 v1 vs v2

2019-05-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi all,

As v2 of  2019-03 is not yet published, according to the PDP, until the impact 
analysis is completed, I've published a diff online at:

https://www.diffchecker.com/Fy6z4VYH

Regards,
Jordi
 
 










Re: [anti-abuse-wg] diff online 2019-03 v1 vs v2

2019-05-23 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Just to clarify my comment in the presentation this morning.

We wanted to use for v2 "Resource hijacking is a RIPE policy violation" but 
this is already used by some other NCC docs to refer to "members account 
hijacking" ... so was not feasible.

It looks like simply "Hijacking is a RIPE policy violation" is a possible 
choice ?

Regards,
Jordi
 
 

On 23/5/19 14:02, "Carlos Friaças" wrote:



Hi Michele, All,


On Thu, 23 May 2019, Michele Neylon - Blacknight wrote:

> As I said in the face to face meeting this morning, I both withdraw my 
> support for this proposal and would also urge you to completely withdraw 
> it. The name of the policy does not reflect its intent and that alone 
> should be reason enough for it to be removed

Is there any other detail that makes you withdraw your support besides the 
proposal's title...?


A proposal's title _can_ be changed... (recent) example:
https://www.ripe.net/participate/policies/proposals/2019-02/?version=1
https://www.ripe.net/participate/policies/proposals/2019-02/?version=2


Thanks,
Carlos



> Regards
>
> Michele
>
>
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> https://www.blacknight.com/
> http://blacknight.blog/
> Intl. +353 (0) 59  9183072
> Direct Dial: +353 (0)59 9183090
> Personal blog: https://michele.blog/
> Some thoughts: https://ceo.hosting/
> ---
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
>
>
> On 23/05/2019, 09:00, "anti-abuse-wg on behalf of JORDI PALET MARTINEZ via anti-abuse-wg" wrote:
>
>Hi all,
>
>As v2 of  2019-03 is not yet published, according to the PDP, until 
>the impact analysis is completed, I've published a diff online at:
>
>https://www.diffchecker.com/Fy6z4VYH
>
>Regards,
>Jordi
>
>
>
>
>










[anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi all,

I'm working on a new version of the proposal 2019-04 (Validation of 
"abuse-mailbox").

In the last discussion phase, the only detailed response to this proposal that 
I got was from Carlos Friacas (to which I will respond in detail later on, as this 
may also help to revive the discussion).

The main question/issue here is still that the actual policy is just a 
"technical validation". It confirms that there is a mailbox but it doesn't 
confirm that:
1) Accept emails for abuse reporting
2) The mailbox is the right one and not from someone else, not related to the 
abuse processing
3) The mailbox is attended and not a black-hole, so nobody pays attention to the 
abuse reports, or even worse, not full

Anything not fulfilling that is useless (as will not fulfil the mission for 
that mailbox), and then we don't need an abuse-c at all.

Even more, I think we can say that an invalid contact, it is against the role 
of the RIR for having accurate data.

It will be interesting if the staff can provide actual data from the existing 
policy (ripe-705), such as:
1) Has the validation already been performed in all the contacts or only a % of 
the LIRs and end-users?
2) How many have failed in the first run?
3) After that failure (for those that failed), have the contacts been updated, 
or only a % of them? Has this helped to locate "not anymore existing LIRs or 
end-users"? How much time, average, takes for the invalid contacts to be 
corrected? Have they been validated again after some months?
4) How many (%) of those that didn't fail we know that are real abuse-c 
contacts and not just an existing mailbox that may be not from the right 
person/team, or even bouncing emails or nobody reading them?

I'm happy to hear other inputs, stats, data, etc.

Regards,
Jordi
@jordipalet
 
 










Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Leo,

 

 

On 13/1/20 18:16, "Leo Vegoda" wrote:

 

Hi Jordi, all,

 

On Mon, Jan 13, 2020 at 6:58 AM JORDI PALET MARTINEZ via anti-abuse-wg wrote:

Hi all,

I'm working on a new version of the proposal 2019-04 (Validation of 
"abuse-mailbox").

In the last discussion phase, the only detailed response to this proposal that 
I got was from Carlos Friacas (to which I will respond in detail later on, as this 
may also help to revive the discussion).

The main question/issue here is still that the actual policy is just a 
"technical validation". It confirms that there is a mailbox but it doesn't 
confirm that:
1) Accept emails for abuse reporting
2) The mailbox is the right one and not from someone else, not related to the 
abuse processing
3) The mailbox is attended and not a black-hole, so nobody pays attention to the 
abuse reports, or even worse, not full

Anything not fulfilling that is useless (as will not fulfil the mission for 
that mailbox), and then we don't need an abuse-c at all.

 

Can you please clarify what you mean by "fulfil the mission for that mailbox" 
and the "intended 

 

I was referring to the goal of the abuse-c (even without this policy 
proposal). Why do we want it if it is not a real one, able to get abuse reports, and 
so on?

 

purpose" you mention in section 3.1 of the new text? The reason I ask is that 
the purpose does not seem to be defined in an earlier section. My reading of 
what you have written is that if this became policy it would require that reports 
can be made and that these reports must be acknowledged. But it seems that 
there would be no obligation for reports to be investigated or acted upon.

 

I will love to have in the policy that they must be investigated and acted 
upon, but what I heard from the inputs in previous versions is that having that 
in policy is too much and no way to reach consensus …

 

Have I misunderstood what is intended?

 

Thanks,

 

Leo Vegoda






Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Ronald,

 

On 13/1/20 22:34, "Ronald F. Guilmette" wrote:

In message <6afc7d17-bac4-464c-8af8-2ad852d39...@consulintel.es>, 
 JORDI PALET MARTINEZ  wrote:

>I'm happy to hear other inputs, stats, data, etc.

Having only just read the proposal, my comments are few:

I do not understand parts of this, specifically:

Section 2.0 bullet point #2.  What's wrong with web forms?

If I need to use a web form, which is not standard, for every abuse report that 
I need to submit, there is not sufficient time in the world to fill them all. 
Every ISP has their own URL, forms with different fields, etc. You want to 
develop tools for each ISP in the world that decides to use a form to automate 
the abuse submission process?

Instead, ensuring that you are able to use, for example fail2ban, means that 
any abuse case is automatically reported via email (including the logs to probe 
the abuse).

Section 3.0 part 3.  Why on earth should it take 15 days for
anyone to respond to an email??  Things on the Internet happen
in milliseconds.  If a provider is unable to respond to an issue
within 72 hours then they might as well be dead, because they
have abandoned all social responsibility.
 
I fully agree! My original proposal was only 3 working days, but the community 
told me "no way". This was the same input I got in APNIC and LACNIC (in both 
regions it reached consensus with 15 days).

So, I will keep 15 days ...


Regards,
rfg












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-13 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Randy,

As I just said, ideally we should ask for abuse-c reports to be processed, but I 
know many folks don't like it.

But at least, we need to make sure that if you have an abuse-c, it is a "real" 
and "working" one so you're able to actually send the reports there. If 
ignored, that's another problem.

I don't know if in Spain the law says that you must have a post box, or if you are 
violating the law if it is full and the extra post that you get is going to make 
the street dirty (in this case you're violating a different law). I'm not 
asking to go there. I'm asking to have a functional mailbox, not how you 
operate your abuse cases.

On 13/1/20 18:53, "anti-abuse-wg on behalf of Randy Bush" wrote:

well, not exactly as i see it.  abuse-c: is the op's way of saying
"please send any abuse related information here."  it is not a legal or
social contract to act on it (and i suspect that next year the wannabe
net police will want to enumerate exactly *how* they must act in 93
different circumstances), read it, reply to it, ...

dunno about spain, but most jurisdictions i know say post is delivered
to my post box, but not what i must do with it.

randy












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-14 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Leo
 


On 14/1/20 0:11, "Leo Vegoda" wrote:

On Mon, Jan 13, 2020 at 1:50 PM JORDI PALET MARTINEZ via anti-abuse-wg
 wrote:

[...]

> I will love to have in the policy that they must be investigated and
> acted upon, but what I heard from the inputs in previous versions is that
> having that in policy is too much and no way to reach consensus …

I don't understand the value of requiring organizations who do not
intend to investigate abuse reports to spend resources publishing an
address from which they can acknowledge the reports - only to then
delete those reports without doing anything.
  
This is not handled by this proposal. The existing policy already mandates that:

https://www.ripe.net/participate/policies/proposals/2017-02

  
It creates hope for reporters and wastes the RIPE NCC's and the
reporters' resources by forcing unwilling organizations to spend
cycles on unproductive activity.

Why not give networks two options?

1. Publish a reliable method for people to submit abuse reports - and act on it
2. Publish a statement to the effect that the network operator does
not act on abuse reports

This would save lots of wasted effort and give everyone more reliable
information about the proportion of networks/operators who will and
won't act on abuse reports.
 
Even if I think that the operators MUST process abuse cases, if the community 
thinks otherwise, I'm happy to support those two options in the proposal. For 
example, an autoresponder in the abuse-c mailbox for those that don't intend to 
process the abuse cases to option 2 above?

   
There might be some value in having the RIPE NCC cooperate with
networks who want help checking that their abuse-c is working. But
this proposal seems to move the RIPE NCC from the role of a helpful
coordinator towards that of an investigator and judge.

No, I don't think so, but I'm happy to modify the text if it looks like that.












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-14 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Ronald,


On 14/1/20 0:17, "anti-abuse-wg on behalf of Ronald F. Guilmette" wrote:

In message <55d65bf8-a430-4bdc-ae58-63ff3dca4...@consulintel.es>, 
JORDI PALET MARTINEZ  wrote:

>Section 2.0 bullet point #2.  What's wrong with web forms?
>
>If I need to use a web form, which is not standard, for every abuse
>report...

OHHH!  Your proposal did not make it at all clear that the
web forms you were making reference to were ones that the resource
holder might put in place in order to provide a way for abuse 
victims to file a report.

I agree completely that those things are intolerable, and I will go
further and say that any resource holder who puts such a form online
should properly be consigned to the fifth ring of hell.

Sorry!  I had misconstrued.  When your proposal mentioned web forms
I had assumed that you were making reference to some form that the
RIPE NCC might put online and that the resources holders would need
to type something into (e.g. a unique magic cookie) in order to
fully confirm that they are in fact receiving emails to their
documented abuse reporting email addresses.

No worries. I will tidy up the text to make it clearer! Thanks!

I think that the verification email messages that RIPE NCC sends out
resource holders should indeed contain a link to web form, on the RIPE
web site, where the recipient resource holder should be required to
make at least some minimal demonstration that it has at least one
actual conscious and sentient human being looking at the inbound
emails that are sent to its abuse address.

Please clarify in your proposal what exactly your use of the term
"web form" was intended to convey.  Thank you.

>Section 3.0 part 3.  Why on earth should it take 15 days for
>anyone to respond to an email??  Things on the Internet happen
>in milliseconds.  If a provider is unable to respond to an issue
>within 72 hours then they might as well be dead, because they
>have abandoned all social responsibility.
>
>I fully agree! My original proposal was only 3 working days, but the
>community told me "no way". This was the same input I got in APNIC
>and LACNIC (in both regions it reached consensus with 15 days).
>
>So, I will keep 15 days ...

I think this is provable, and also transparently obvious and colossal
bullshit, but that's just my opinion.

And mine!, but as a proposal author, I need to try to match as much as possible 
the wishes of the community.

I say again.  Things happen on the Internet in milliseconds.  Any
service provider that can't react to an email within 72 hours should
be removed from the Internet of Responsible Adults and relegated to
the agricultural industry, or to the study of geology, or at any rate
to some profession where things are calm and leisurely, perhaps
including the delivery of regular postal mail.

If anyone wants to make his fortune by being an absentee landlord,
just gathering in revenue and not taking any day to day responsibility
for anything, let them get into the vacation rentals business and get
the  off the Internet.


Regards,
rfg












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-14 Thread JORDI PALET MARTINEZ via anti-abuse-wg
I think if we try to agree on those ratings, we will never reach consensus ...

So it is not just easier to ask the abuse-c mailboxes that don't want to 
process to set up an autoresponder with a specific (standard) text about that, 
for example:

"This is an automated confirmation that you reached the correct abuse-c 
mailbox, but we don't process abuse cases, so your reports will be discarded."

This will be still in line with the actual policy (and the proposal 
modifications) and will allow the operators to decide if they want to be good 
netcitizens or not, and the victims to decide if they want to block them.

Regards,
Jordi
@jordipalet
 
 

On 14/1/20 2:46, "anti-abuse-wg on behalf of Ronald F. Guilmette" wrote:

In message , Ángel González Berdasco wrote:

>Well, I do see the value of an option (a magic email value?) meaning "this
>entity supports the use of its network for abusive purposes and will take no
>action on any abuse report".
>
>That would save time for everyone involved, and would allow to easily block
>those networks from accessing ours!

These are pretty much my sentiments exactly.

The only questions remaining are:

   1)   Should there just be a simple yes/no one-bit flag published for
each resource holder, or would a scale and a range of possible
"rating" values be more useful?

   2)   How shall the "ratings" be computed and by whom?

I have provided my personal opinions on both of these points in my
prior posting.


Regards,
rfg













Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-14 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Looks fine to me.

If we really think that the operators should be free from taking abuse reports, 
then let's make it optional.

As said, I personally think that an operator responsibility is to deal with 
abuse cases, but happy to follow what we all decide.

Regards,
Jordi
@jordipalet
 
 

On 14/1/20 10:47, "Gert Doering" wrote:

Hi,

On Tue, Jan 14, 2020 at 10:38:28AM +0100, Gert Doering wrote:
> On Tue, Jan 14, 2020 at 10:36:10AM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> > So it is not just easier to ask the abuse-c mailboxes that don't want
> > to process to set up an autoresponder with a specific (standard) text about
> > that, for example:
> > 
> > "This is an automated confirmation that you reached the correct abuse-c
> > mailbox, but we don't process abuse cases, so your reports will be discarded."
> 
> I would support that.

... but it's actually way too complicated to implement.

A much simpler approach would be to make abuse-c: an optional attribute
(basically, unrolling the "mandatory" part of the policy proposal that 
introduced it in the first place)

 - If you want to handle abuse reports, put something working in.

 - If you do not want to handle abuse reports, don't.

The ARC could be extended with a question "are you aware that you are
signalling 'we do not care about abuse coming from our network'?"
and if this is what LIRs *want* to signal, the message is clear.

The NCC could still verify (as they do today) that an e-mail address,
*if given*, is not bouncing (or coming back with a human bounce "you have
reached the wrong person, stop sending me mail" if someone puts in the
e-mail address of someone else).

MUCH less effort.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279











Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Nick,

Not really, I think you're reading a different text ... I'm not intending to 
ask RIPE to verify if the operators resolve the abuse cases.

The point here is to amend the existing policy to do a *good* validation of the 
abuse mailbox.

The actual policy only makes a "technical" validation, so it checks that the 
mailbox exists and is the right one and allows sending abuse reports, and 
that's it.

If the mailbox is full, if it is never read, if it belongs to a /dev/null or 
not the right person or team, even if you have my email in your abuse-c, 
all of that passes the validation.

Regards,
Jordi
@jordipalet
 
 

On 15/1/20 13:14, "anti-abuse-wg on behalf of Nick Hilliard" wrote:

Serge Droz via anti-abuse-wg wrote on 15/01/2020 08:24:
> So the extra work is what, 10 minutes / year, if the system is setup
> properly?

Serge,

The policy proposal here is: if the registry doesn't comply, then it is 
in explicit violation of RIPE policies.

According to the "Closure of Members, Deregistration of Internet 
Resources and Legacy Internet Resources" document (currently RIPE 
716), if you don't comply with RIPE policies or RIPE NCC procedures, 
then the RIPE NCC is obliged to follow up with the resource holder and 
if they continue not to comply, then the number resources will be withdrawn.

The purpose behind RIPE-716 is to ensure accurate registration of number 
resources, which is the core function of the RIPE registry.

Jordi has confirmed that the intention behind 2019-04 is to force 
resource holders to comply with the abuse handling procedures defined in 
his policy, and that if they don't comply for whatever reason, that 
their number resources are withdrawn under the terms of RIPE-716.

To be clear, deregistration of resources would make it difficult or 
impossible for almost any holder of addresses to continue their business.

So what's being proposed here is that RIPE-716 - whose purpose was to 
ensure integrity and accuracy of the RIPE registry - should now be 
repurposed as a mechanism to enforce social behaviour practices on the 
Internet.

There are some pretty serious and fundamental problems with this.

Many of these problems were discussed in the context of RIPE policy 
2019-03 ("Resource Hijacking is a RIPE Policy Violation"), and some of 
them were formally addressed in the RIPE NCC review of that policy.

Nick












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread JORDI PALET MARTINEZ via anti-abuse-wg
This is the key point.

We already agreed to have a mandatory abuse-c.

We can change our mind and make it optional.

But one way or the other, it should be a *real* one. A validation that can be 
faked just using (for example) Carlos' email, is not a good procedure. It 
doesn't make sense at all.

We are not saying the RIR will need to verify that an abuse case is 
investigated or resolved. This is not the point.

On 14/1/20 12:28, "anti-abuse-wg on behalf of Carlos Friaças via anti-abuse-wg" wrote:



On Tue, 14 Jan 2020, Nick Hilliard wrote:

> Gert Doering wrote on 14/01/2020 10:19:
>> And if it's not going to have the desired effect, do not waste time on it.
>
> More to the point, the RIPE number registry should not be used as a stick for
> threatening to beat people up if they don't comply with our current favourite
> ideas about how to manage social policy on the internet.
>
> It is a registry, not a police truncheon.

Hello,

(Going perhaps a bit off-topic...)

If people are not able to follow the rules of the registry, maybe they 
shouldn't be allowed inside the system... :-)

[Fact 1]
If someone provides falsified documents to the registry, that someone goes 
off the wagon.

[Fact 2]
If someone doesn't pay the registry in due time (after several warnings), 
that someone goes off the wagon.




I would also feel comfortable if someone who indicates a 3rd party e-mail 
address as the abuse-mailbox for their _OWN_ address space, goes off the 
wagon (after some warnings, of course...).
BTW, some years ago our physical address was added in whois to someone 
else's address space in a different RIR and that was _NOT_ a nice 
experience...


Regards,
Carlos


> Nick
>












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread JORDI PALET MARTINEZ via anti-abuse-wg
I couldn't stop laughing for more than 30 minutes ... this is what they call 
(and they pay for) laughter therapy ?

Tks!
 
 

On 14/1/20 12:52, "anti-abuse-wg on behalf of Ronald F. Guilmette" wrote:

In message <671286eb-7fad-4d70-addd-efa0a680b...@consulintel.es>, 
    JORDI PALET MARTINEZ via anti-abuse-wg  wrote:

>>Section 3.0 part 3.  Why on earth should it take 15 days for
>>anyone to respond to an email??  Things on the Internet happen
>>in milliseconds.  If a provider is unable to respond to an issue
>>within 72 hours then they might as well be dead, because they
>>have abandoned all social responsibility.
>>
>>I fully agree! My original proposal was only 3 working days, but the
>>community told me "no way". This was the same input I got in APNIC
>>and LACNIC (in both regions it reached consensus with 15 days).
>>
>>So, I will keep 15 days ...
>
>I think this is provable, and also transparently obvious and colossal
>bullshit, but that's just my opinion.
>
>And mine!, but as a proposal author, I need to try to match as much as
>possible the wishes of the community.

You are hereby officially absolved from all guilt in the matter.

In nomine patri et fili spiritu sancte.

Go in peace my son, and do what you have to do.


Regards,
rfg












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Ronald,


On 14/1/20 13:10, "anti-abuse-wg on behalf of Ronald F. Guilmette" wrote:

In message <30174d32-225f-467e-937a-5bc42650f...@consulintel.es>, 
JORDI PALET MARTINEZ via anti-abuse-wg  wrote:

>I think if we try to agree on those ratings, we will never reach consensus

Right, and that was a part of my point about eBay-like feedback ratings
for resource holders, i.e. "Let's not even try."

Instead, let the people decide.  Let anyone register a feedback point,
positive or negative, against any resource holder, with the proviso
that if they are registering a negative feedback point, they should assert
exactly *why* they are unhappy (e.g. "mail to abuse address bounced as
undeliverable", "no response for eight days" etc.) and if possible,
provide some context also, e.g. a copy of the spam, a copy of some
logs showing hack attempts, etc.


This may have legal consequences for RIPE NCC, as somebody could use the system 
to publish untrue information for competitors ... not a good idea.


>So it is not just easier to ask the abuse-c mailboxes that don't want to
>process to set up an autoresponder with a specific (standard) text about
>that, for example:...

In the "eBay feedback" model I am proposing there is no need for *RIPE NCC*
to ask anybody about anything.  People will register negative points
against any resource holder with an undeliverable abuse address.  (I know
I will!)

I'm sorry Jordi, if this idea sounds like it is undermining everything
you have been trying to do, which is all very very admirable.  But I have
only just realized what you said above, i.e. if we really start to try
to design a system where RIPE NCC will do 100% of the work of "reviewing"

No ... this is an automated process. It is working already in ARIN, in APNIC 
and now will be also implemented in LACNIC.

It is just an email sent to each abuse-c twice a year, and they have 15 days to 
click on the link to verify that this mailbox is working.

RIPE NCC will only take care of the failed emails. It may mean some extra work 
at the beginning, but after a pass will be less and less work. Some of those 
emails that fail, have already been escalated by RIPE NCC with the existing 
policy, so it means even less work.

all one zillion RIPE resource holders, the size of the task will almost
be the least of the worries.   The first order problem, as you already
know since you have been doing yeoman's work on this for awhile now, is
just getting people in the various RIRs to agree on the numerous fine
details.  (Hell! You can't even get *me* to agree that a 15 day turn-
around is in any sense "reasonable", and apparently I'm not alone in
that regard.)

So, my solution is just don't.  Let the whole planet vote on whether
they think this provider or that provider are ***heads, and let the
chips fall where they may.

I'm not saying that even this idea would necessarily be piece-of-cake easy.
The first problem would be working out a way to prevent the system from
being gamed by bad actors for malicious purposes, or for positive "PR"
purposes.  (Don't get me started about the fake positive review over on
TripAdvisor.)  But I am not persuaded that these are in any sense
insoluble problems.


Regards,
rfg





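The click-based validation described in the message above (a mail to each abuse-c carrying a link that must be followed within 15 days), set beside a check that only looks at delivery, as an added example that is not part of the thread and not any RIR's implementation. The HMAC token format, the `confirm`/`disown` actions, the status names and every org handle and address are constructed assumptions.

```python
import base64
import hashlib
import hmac

WINDOW = 15 * 24 * 3600            # 15-day response window mentioned in the thread
SECRET = b"constructed-demo-key"   # assumption: signing key held by the registry


def _mac(payload: bytes) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(SECRET, payload, hashlib.sha256).digest())


def issue_token(org: str, mailbox: str, issued_at: int) -> str:
    """Build the value carried by the link mailed to the abuse-c mailbox."""
    payload = f"{org}|{mailbox.lower()}|{issued_at}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload).decode()


def check_token(token: str, now: int):
    """Return (org, mailbox) if the token is authentic and inside the window, else None."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body.encode())
        org, mailbox, issued = payload.decode().split("|")
        issued_at = int(issued)
    except ValueError:             # malformed base64, wrong field count, bad integer
        return None
    if not hmac.compare_digest(sig.encode(), _mac(payload)):
        return None                # forged or altered link
    if not 0 <= now - issued_at <= WINDOW:
        return None                # clicked after the window closed
    return org, mailbox


class Validation:
    """One validation round for one abuse-c mailbox."""

    def __init__(self, org, mailbox, issued_at):
        self.org, self.mailbox, self.issued_at = org, mailbox.lower(), issued_at
        self.token = issue_token(org, mailbox, issued_at)
        self.bounced = False
        self.answer = None         # "confirm" or "disown"

    def record_click(self, token, action, now):
        """Accept a click only for this org/mailbox, with a valid unexpired token."""
        if action not in ("confirm", "disown"):
            return False
        if check_token(token, now) != (self.org, self.mailbox):
            return False
        self.answer = action
        return True

    def delivery_only(self):
        """Result of a check that only looks at whether the mail was accepted."""
        return "fail" if self.bounced else "pass"

    def status(self, now):
        if self.bounced:
            return "undeliverable"
        if self.answer == "disown":
            return "wrong-recipient"   # a third party's address was listed
        if self.answer == "confirm":
            return "validated"
        return "escalate" if now - self.issued_at > WINDOW else "pending"


def run_demo():
    """Four constructed mailboxes, evaluated one day after the window closes."""
    t0 = 1_579_000_000             # constructed issue time (epoch seconds)
    end = t0 + WINDOW + 86_400
    cases = {
        "read":        Validation("ORG-EX1", "abuse@example.net", t0),
        "devnull":     Validation("ORG-EX2", "abuse@example.org", t0),
        "third-party": Validation("ORG-EX3", "someone@example.com", t0),
        "bouncing":    Validation("ORG-EX4", "gone@example.invalid", t0),
    }
    cases["read"].record_click(cases["read"].token, "confirm", t0 + 3_600)
    # "devnull" accepts the mail but nobody ever opens it: no click, no bounce.
    cases["third-party"].record_click(cases["third-party"].token, "disown", t0 + 7_200)
    cases["bouncing"].bounced = True
    return {name: (v.delivery_only(), v.status(end)) for name, v in cases.items()}


if __name__ == "__main__":
    for name, (old, new) in run_demo().items():
        print(f"{name:12} delivery-only={old:5} click-based={new}")
```

Only the bouncing mailbox fails the delivery-only check; the unread and third-party mailboxes pass it and are separated only by the click.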







Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread JORDI PALET MARTINEZ via anti-abuse-wg
In my opinion, the actual situation is the worst. We are validating over 
"nothing". We don't know how many of the "validated" mailboxes are real, or 
even read, full, etc.

I will prefer a mandatory abuse-c which is validated in the way I'm proposing, 
as it is being done in ARIN and APNIC and soon in LACNIC.

If this can't reach consensus, I prefer to know in advance "this operator 
doesn't handle abuses" than wasting time in reporting them. I will have the 
choice to just block their network and when several folks block them and their 
customers complain, then they may change their mind.

Better 50% of good and *real* validated abuse contacts than 100% from which I 
don't know how many are for real.
 

On 15/1/20 8:24, "anti-abuse-wg on behalf of Carlos Friaças via anti-abuse-wg" wrote:


Hi,

I obviously don't speak for the incident handling community, but i think 
this (making it optional) would be a serious step back. The current 
situation is already very bad when in some cases we know from the start 
that we are sending (automated) messages/notices to blackholes.

To an extreme, there should always be a known contact responsible for 
any network infrastructure. If this is not the case, what's the purpose 
of a registry then?

Regards,
Carlos



On Tue, 14 Jan 2020, Leo Vegoda wrote:

> On Tue, Jan 14, 2020 at 1:48 AM Gert Doering  wrote:
>
> [...]
>
>> A much simpler approach would be to make abuse-c: an optional attribute
>> (basically, unrolling the "mandatory" part of the policy proposal that
>> introduced it in the first place)
>
> This seems like a simple approach for letting network operators
> indicate whether or not they will act on abuse reports. If there's no
> way of reporting abuse then the operator clearly has no processes for
> evaluating reports, or acting on them. This helps everyone save time.
>
> Regards,
>
> Leo Vegoda
>












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Exactly 2 minutes a year (1 minute each time you click the link in the email 
from RIPE NCC).

And because you invest 2 minutes a year, you will save a lot of time (many 
hours/days) yourself, trying to report abuses to invalid mailboxes!
 

On 15/1/20 9:24, "anti-abuse-wg on behalf of Serge Droz via anti-abuse-wg" wrote:

Hi Gert

Sorry I misunderstood you then. But honestly, this does not really place
a burden on you.

RIPE can automate this, and you simply reply to a message. We do this,
e.g. in TF-CSIRT twice a year, and it does help, even the good guys,
that realize they have an issue and did not receive their mail.

In fact, it's become a bit of a competition to be the first to reply to
the challenge.

So the extra work is what, 10 minutes / year, if the system is setup
properly?

So I think the balance is hugely positive.

Just my two cents.

Serge


On 15/01/2020 09:18, Gert Doering wrote:
> Hi,
> 
> On Wed, Jan 15, 2020 at 09:14:59AM +0100, Serge Droz via anti-abuse-wg wrote:
>> I kind of don't buy into "There is no point on placing a burden on orgs
>> that choose not to act".
> 
> This is not what I said.  My stance on this is: placing extra burdens on
> orgs *that do the right thing today* (with extra verification hoops)
> should be balanced against "will it change the situation wrt orgs that
> do not care".
> 
> And I think the balance is negative - extra work for the good guys, and
> no relevant incentive for the bad guys to actually *act on* their abuse
> reports.
> 
> Gert Doering
> -- NetMaster
> 

-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread JORDI PALET MARTINEZ via anti-abuse-wg
What we do today is not a validation if I can use Gert or Serge or any "null" 
email in all my abuse contacts and nobody notices it, and then you start getting 
abuse reports from other folks ... This is creating lots of wasted time to both 
you and the abuse case reporters.
 

On 15/1/20 9:59, "anti-abuse-wg on behalf of Gert Doering" wrote:

Hi,

On Wed, Jan 15, 2020 at 09:24:21AM +0100, Serge Droz wrote:
> Sorry I misunderstood you then. But honestly, this does not really place
> a burden on you.

It does.  Even if it's just 5 minutes per Mail - I need to train abuse 
handlers what to do with this sort of message, etc.

> So I think the balance is hugely positive.

Nobody has been able to demonstrate why it would have a positive effect
at all.  So how can the balance be "hugely positive"?

E-Mail addresses *are* validated today.  Just not in an as labour-intensive
way on the recipient like the proposers want to install.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                 Management Board: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14   Supervisory Board Chair: A. Grundner-Culemann
D-80807 Muenchen            HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444    VAT ID: DE813185279











Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Leo,


On 15/1/20 18:09, "anti-abuse-wg on behalf of Leo Vegoda" wrote:

On Wed, Jan 15, 2020 at 12:16 AM Serge Droz via anti-abuse-wg
 wrote:

[...]

> - Lastly: It makes our life as Incident responders easier to have a
> uniform way of sending reports, even if not all of them are followed up.

This is an excellent point but e-mail is probably not the right medium
for that. Standardizing protocols for reporting abuse - and therefore
acting on those reports more quickly - would be far more helpful. But
only organizations that don't want abuse on their networks will invest in
the people, processes, and systems, whatever the reporting medium.

This is an additional step. Do you think it may be better to include in the 
proposal, instead of plain email for the reporting, to mandate the use of XARF?

http://xarf.org/index.html

I've been tempted several times to go that path ... so maybe it is time for it?


> I kind of don't buy into "There is no point on placing a burden on orgs
> that choose not to act".

It's not about the burden on the organizations that don't want to act.
It's about providing a clear signal to the reporting organizations
that there is no point reporting. That should allow reporting
organizations to decide on next steps more quickly.












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Warren,

When some operators aren't responding to abuse cases, or when they are bouncing 
emails, or you get a response from someone telling "sorry I'm not the right 
contact for this, the email is mistaken", and many other similar situations ... 
the operator is telling you "we don't care about abuse from our customer to 
other networks".

It is no different to say that explicitly by making the abuse-c optional, 
so those that don't want to handle the abuse reports just don't have it.

There is no difference in having the email bouncing than having an 
autoresponder saying "we don't care" ... 
 

On 15/1/20 21:15, "anti-abuse-wg on behalf of Warren Kumari" wrote:

On Wed, Jan 15, 2020 at 2:46 PM Leo Vegoda  wrote:
>
> On Wed, Jan 15, 2020 at 11:02 AM Jeffrey Race  wrote:
>
> [...]
>
> > Aside from the reciprocity issue, it's a basic engineering rule
> > that systems target their goal only when a corrective
> > feedback path exists.
>
> That feedback path does not need to be a personally written e-mail.
> Instead, it is possible to use signals like the absence of a reliable
> reporting mechanism to make decisions about not accepting some or all
> traffic from an abusing network.
>
> My main concern with proposal 2019-04 is that it would make everyone
> look the same. It then takes time and effort to distinguish the
> networks that will actually use abuse reports to fix problems from
> those that won't or just don't have the ability to do so.
>
> While I would accept Gert's proposal for making abuse-c an optional
> attribute, the reason I offered a counter proposal for publishing "a
> statement to the effect that the network operator does not act on
> abuse reports" is to add clarity at a high level.
>
> In the first case, it avoids wasting resources lodging reports that
> will be ignored. Secondly, it provides reliable statistical
> information about the networks whose operators claim to use abuse
> reports to clean things up. This would provide a metric that could be
> used both by other network operators to guide operational policies and
> governments or regulators to set theirs.

I suspect I'm somewhat confused / have lost the thread somewhere.

I really don't think that any network is likely to advertise that they
are not dealing with abuse -- it gives a bad impression, and the
marketing droids will likely want *something* listed. The same goes
for legal - saying "Meh, don't bother sending us abuse reports, we
ignore them" doesn't seem to have any PR / marketing / legal upside,
and has many downsides...

Pretend that you are a network that (largely) ignores abuse reports --
your current solution of throwing these mails away costs you nothing;
what's the upside to telling everyone that you are doing this?

I suspect that people will continue to have abuse@, hostmaster@,
abuse-c, and any other conventions filled in -- and many will just
continue to shuffle these into self-closing ticket systems / mailboxes
which never get read and / or /dev/null...

W


>
> Finally, we don't yet know what the RIPE Database Requirements TF will
> recommend. But I think that building a new business process on the
> existing model for publishing contact information assumes they won't
> recommend changes. Let's wait until they report before asking the RIPE
> NCC to build new workflows on a model that the community might want to
> change.
>
> Kind regards,
>
> Leo Vegoda
>


-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf












Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Job,

You need to have that process already for ARIN and APNIC, and once implemented 
LACNIC.

The process is the same. You implement it once (I'm not counting the minutes 
that it can take to implement it) and it seems simple to me: the abuse-mailbox gets 
twice a year a verification email, a responsible guy in the abuse-team must act 
on it, clicking on the verification link.

So, if you have already the process for other RIRs, what is the extra cost? (2 
minutes)

I think it is much less than the time you can save, and this is the balance that 
we need to look for.


On 15/1/20 22:56, "Job Snijders" wrote:

On Wed, Jan 15, 2020 at 10:41:54PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> Exactly 2 minutes a year (1 minute each time you click the link in the
> email from RIPE NCC).
> 
> And because you invest 2 minutes a year, you will save a lot of time
> (many hours/days) yourself, trying to report abuses to invalid
> mailboxes!

I am not sure it is just two minutes a year, it is designing and
monitoring an additional work process to be executed in corporations. I
am of course not sure how much it is, but certainly more than two
minutes.

Kind regards,

Job











Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-15 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Carlos,
 
 

On 15/1/20 22:58, "Carlos Friaças" wrote:



Hi,



On Wed, 15 Jan 2020, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

> In my opinion, the actual situation is the worst. We are validating over 
> "nothing". We don't know how many of the "validated" mailboxes are real, or 
> even read, full, etc.
>
> I will prefer a mandatory abuse-c which is validated in the way I'm 
> proposing, as it is being done in ARIN and APNIC and soon in LACNIC.

This detail is interesting...

In my opinion it reached consensus also in the last AFRINIC meeting, but chairs 
didn't agree, and I don't want to start an appeal. So, I will retry in the next 
meeting.

> If this can't reach consensus, I prefer to know in advance "this 
> operator doesn't handle abuses" than wasting time in reporting them. I 
> will have the choice to just block their network and when several folks 
> block them and their customers complain, then they may change their 
> mind.

I was wondering if this "block" would mean blocking all prefixes announced 
by the same ASN, or just the prefix where the abuse originated from.

Well, this is up to each operator ... If it is my network, I will definitely 
block the complete ASN, because a network that doesn't process abuse is not 
something I want to get traffic from. But this is just my personal view.


> Better 50% of good and *real* validated abuse contacts than 100% from 
> which I don't know how many are for real.

As i already stated, i'm more worried about someone using real e-mail 
addresses of real unrelated people than the /dev/null or unattended 
mailboxes.

When someone uses a 3rd party address without authorization+knowledge, i 
think it's reasonable to allow for a fix, instead of directly running to 
ripe-716.


Cheers,
Carlos





> On 15/1/20 8:24, "anti-abuse-wg on behalf of Carlos Friaças via anti-abuse-wg" wrote:
>
>
>Hi,
>
>I obviously don't speak for the incident handling community, but i think
>this (making it optional) would be a serious step back. The current
>situation is already very bad when in some cases we know from the start
>that we are sending (automated) messages/notices to blackholes.
>
>To an extreme, there should always be a known contact responsible for
>any network infrastructure. If this is not the case, what's the purpose
>of a registry then?
>
>Regards,
>Carlos
>
>
>
>On Tue, 14 Jan 2020, Leo Vegoda wrote:
>
>> On Tue, Jan 14, 2020 at 1:48 AM Gert Doering  wrote:
>>
>> [...]
>>
>>> A much simpler approach would be to make abuse-c: an optional attribute
>>> (basically, unrolling the "mandatory" part of the policy proposal that
>>> introduced it in the first place)
>>
>> This seems like a simple approach for letting network operators
>> indicate whether or not they will act on abuse reports. If there's no
>> way of reporting abuse then the operator clearly has no processes for
>> evaluating reports, or acting on them. This helps everyone save time.
>>
>> Regards,
>>
>> Leo Vegoda
>>
>
>
>
>
>
>
>
>
>
>




Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-16 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Sara,

 

While I fully agree with Sergio and yourself, the issue here is that this part 
of your text

 

“Complete, accurate information goes hand in hand with a duty of care, of 
promptly taking actions against abuse, and should be accompanied by a social 
responsibility of trying to make the Internet a safe and secure place for 
everyone, thus not enabling actively DDoS, spammers, and criminals in general”

 

Is not documented, so not “obvious” (as legal text) to everyone or I’m missing 
something?

 

Of course, I fail to see that any operator can deny that … but is not in the 
text.

 

Regards,

Jordi

@jordipalet

 

 

 

On 16/1/20 14:24, "anti-abuse-wg on behalf of Marcolla, Sara Veronica" wrote:

 

Very well put, Sérgio. Thank you for voicing clearly the concern of (at least a 
part of) the community.

 

We should not forget that, according to the provisions of RIPE NCC audits, 
“every party that has entered into an agreement with the RIPE NCC is 
contractually obliged to provide the RIPE NCC with complete, updated and 
accurate information necessary for the provision of the RIPE NCC services and 
to assist the RIPE NCC with audits and security checks”.  Complete, accurate 
information goes hand in hand with a duty of care, of promptly taking actions 
against abuse, and should be accompanied by a social responsibility of trying 
to make the Internet a safe and secure place for everyone, thus not enabling 
actively DDoS, spammers, and criminals in general.  

 

If the community does not agree that everyone has the right to a safe, spam 
free, crime free Internet, maybe we have some issue to solve here first. 

 

 

Kind regards,

 

Sara 

 

Europol - O3 European Cyber Crime Centre (EC3)

 

Eisenhowerlaan 73, 2517 KK

The Hague, The Netherlands

www.europol.europa.eu

 

 

From: anti-abuse-wg  On Behalf Of Sérgio Rocha
Sent: 16 January 2020 13:38
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of 
"abuse-mailbox")

 

Hi,

 

Agree, this anti-abuse list seems the blocking group to any anti-abuse response 
measure.

It's amazing that nobody can propose anything without receiving a shower of 
all sorts of arguments against

 

There is an idea that everyone has to hold, if as a community we cannot 
organize a policy, one of these days there will be a problem that will make 
governments take the opportunity to legislate and we will no longer have the 
free and open internet.

 

There are a few ideas that are simple to understand:

 

1 - If you have been assigned a network you have responsibilities, paying 
should not be the only one.

2 - There is no problem with email, since ever are made solutions to integrate 
with emails. There is no need to invent a new protocol. Who has a lot of abuse, 
invests in integrating these emails.

3 - If you have no ability to manage abuse should not have addressing, leave it 
to professionals.

 

The internet is critical for everyone, the ability for actors to communicate 
with each other to respond to abuse must exist and RIPE must ensure that it 
exists.

It’s like the relation with local governments, there is a set of information 
that has to be kept up to date to avoid problems, in RIPE it must be the same.

 

Sergio

 

 

 

From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of Fi Shing
Sent: 16 January 2020 04:55
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of 
"abuse-mailbox")

 

 

>> Best not to judge the race until it has been fully run.

 

I just do not understand how anyone on this list (other than a criminal or a 
business owner that wants to reduce over heads by abolishing an employee who 
has to sit and monitor an abuse desk) could be talking about making it easier 
for abuse to flourish.

 

It is idiotic and is not ad hominem.

 

This list is filled with people who argue for weeks, perhaps months, about the 
catastrophic world ending dangers of making an admin verify an abuse address 
ONCE a year  and then someone says "let's abolish abuse desk all together" 
and these idiots emerge from the wood work like the termites that they are and 
there's no resistance?

 

The good news is that nothing talked about on this list is ever implemented, so 
.. talk away you criminals.

 

 

 

 

 

- Original Message - 

Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of 
"abuse-mailbox")
From: "Ronald F. Guilmette" 
Date: 1/16/20 11:47 am
To: "anti-abuse-wg@ripe.net" 

In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@
email19.asia.godaddy.com>, "Fi Shing"  wrote:

>That is the most stupid thing i've read on this list.

Well, I think you shouldn't be quite so harsh in your judgement. It is
not immediately apparent that you have been on the list for all that long.
So perhaps you should stick around for awhile longer before ma

Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-16 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Let’s try to see it from another perspective.

 

If you’re an electricity provider, and one of your customers injects 1.000 v 
into the network and thus creates damages to other customers (even from other 
electricity providers), the electricity provider must have the means to resolve 
the problem, disconnect that customer if needed, and pay the damages if the 
customer creating them doesn’t do that.

 

When this happens, most of the time, the customer insurance will cover it, 
initially, and then claim to the electricity provider insurance, which in turn, 
can claim to the customer creating the trouble.

 

If insurance doesn’t work, most of the time, law will make the electricity 
provider responsible at the same level of the defaulting customer (especially 
if this one doesn’t pay the damages).

 

I’m sure that this is the same in every EU country. Can we agree on that?

 

This is totally symmetric to the Internet. An operator provides a service. If a 
customer is creating damages, even to customers of other operators, the minimum 
that the provider of the defaulting customer should be able to do is:
1)  Receive the abuse report (it can be automated)

2)  Investigate the abuse (it can be automated in many cases, especially if we 
mandate a format for the reporting, and there are open source tools that do 
that for most of the cases)

3)  If it is against the AUP with its customers, take actions, warnings to the 
customer the first time, etc., even disconnecting the customer (of course, this 
means losing customers such as spammers that pay a lot …)
 

I don’t expect to respond to the abuse, but it’s nice to do. There are many 
open source ticket systems that do most of this.

 

I don’t expect to compensate the victims, but I’m sure it can be done if the 
victims go to the courts. No difference with the electricity example, just we 
don’t have (as I know) this kind of insurance for Internet abuses.

 

Actually, it will be very nice to have those insurances, because insurance 
companies have the power to put together many claims in the courts, so 
operators that don’t care about abuse pay for it.

 

Regards,

Jordi

@jordipalet

 

 

 

On 16/1/20 15:03, "anti-abuse-wg on behalf of Volker Greimann" wrote:

 

Hi Sara,

isn't making the world (and the internet) first and foremost a job of law 
enforcement agencies like the police and Europol? While I agree that everyone 
has a role to play, crime prevention and protection of the public is part of 
the LEA job description, right? Civil society entities certainly have a role to 
play, but it does not help trying to deputize them into a role they do not 
carry. 

I disagree that the contract language you quote puts any duty of care regarding 
the abuse of any networks by third parties on the parties to the agreement. 
That duty may arise from other sources, but this language is directed at its 
own information the party provides to RIPE NCC and the cooperation with any 
audits. Just because it includes the word security does not mean it refers to 
all thinkable security issues. 

The ability of any part of the internet infrastructure to curtail abuse that 
somehow touches services it provides is usually severely curtailed and its 
ability to review abuse complaints is usually limited to the resources it 
provides. In many cases, that is simply not enough information to go on when 
dealing with many common forms of abuse.

Best,

Volker

On 16.01.2020 at 14:23, Marcolla, Sara Veronica wrote:

Very well put, Sérgio. Thank you for voicing clearly the concern of (at least a 
part of) the community.

 

We should not forget that, according to the provisions of RIPE NCC audits, 
“every party that has entered into an agreement with the RIPE NCC is 
contractually obliged to provide the RIPE NCC with complete, updated and 
accurate information necessary for the provision of the RIPE NCC services and 
to assist the RIPE NCC with audits and security checks”.  Complete, accurate 
information goes hand in hand with a duty of care, of promptly taking actions 
against abuse, and should be accompanied by a social responsibility of trying 
to make the Internet a safe and secure place for everyone, thus not enabling 
actively DDoS, spammers, and criminals in general.  

 

If the community does not agree that everyone has the right to a safe, spam 
free, crime free Internet, maybe we have some issue to solve here first. 

 

 

Kind regards,

 

Sara 

 

Europol - O3 European Cyber Crime Centre (EC3)

 

Eisenhowerlaan 73, 2517 KK

The Hague, The Netherlands

www.europol.europa.eu

 

 

From: anti-abuse-wg  On Behalf Of Sérgio Rocha
Sent: 16 January 2020 13:38
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of 
"abuse-mailbox")

 

Hi,

 

Agree, this anti-abuse list seems the blocking group to any anti-abuse response 
measure.

It's amazing that nobody can propose anything without receiving a shower of 
all sorts of arg

Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-16 Thread JORDI PALET MARTINEZ via anti-abuse-wg



On 16/1/20 15:25, "anti-abuse-wg on behalf of Ronald F. Guilmette" wrote:

In message , 
JORDI PALET MARTINEZ via anti-abuse-wg  wrote:

>I'm sure that this is the same in every EU country. Can we agree on that?

Quite certainly not!  Doing so would break ALL established precedent!
 

I used EU on purpose here. I didn't want to say every RIPE NCC country.

I really think the electricity case I've described works that way in EU 
countries. Does anyone believe not?

Can any lawyer on the list provide hints why yes or why not?
   
When was the last time this working group agreed on *anything*?


Regards,
rfg


P.S.  And anyway, as I myself have just been reminded, RIPE != EU.












Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-16 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Volker,

 

I don’t agree with that, because:
1)  I believe the electricity sample I provided proves otherwise. My contract is 
with the electricity provider (the Internet provider), so I need to complain to 
them and they need to follow the chain.

2)  For a victim, to complain directly to the customer (not the operator), will 
need to know the data of the “abuser” which may be protected by GDPR.

3)  Customers sign a contract with the operator. The contract must have clear 
conditions (AUP) about the appropriate use of the network. If you act against 
that contract, the problem is with the operator, not victims.
 

By the way, if an operator has a badly designed AUP, either they are doing a 
bad job, or they have *no interest* in acting against abuses.

 

Regards,

Jordi

@jordipalet

 

 

 

On 16/1/20 15:44, "anti-abuse-wg on behalf of Volker Greimann" wrote:

 

Obviously every user should lock their doors / protect themselves against 
fraud. I am just saying that the ability of many service providers to curtail 
abuse of their system (without impacting legitimate uses) is very limited as it 
may not be their customers doing the abusing and any targeted action against those 
customers themselves would be inappropriate and affect many legitimate users 
of their services. 

At what point should a network service provider remove privileges from a 
customer that is himself being abused but is technically unable to deal with it 
properly? Would the complaint not be better directed at that customer, not the 
provider, since they are the ones that can resolve this issue in a more 
targetted and appropriate manner? How does the service provider differentiate 
between a customer that is abusing vs one that is being abused?  Deputising the 
service providers will not necessarily solve the problems, and possibly create 
many new ones. 

In the domain industry, we were required to provide an abuse contact, however 
the reports we get to that address usually deal with issues we cannot do much 
about other than pulling or deactivating the domain name, which is usually the 
nuclear option. So we spend our time forwarding abuse mails to our customers 
that the complainant should have sent to the customer directly. 

Best,

volker

 

On 16.01.2020 at 15:16, Serge Droz via anti-abuse-wg wrote:
Hi Volker
 
On 16/01/2020 15:03, Volker Greimann wrote:
isn't making the world (and the internet) first and foremost a job of
law enforcement agencies like the police and Europol?
Law enforcement's job primarily is arresting criminals. And yes they do
prevention. But you can't stop locking your door or walk by a fight just
ignoring it, because it's LEA's job.
 
This is even more true on the internet, where CERT's have long been
working together fighting cybercrime etc.
 
While there obviously is an appeal to the notion of "The best problems
are someone else's problem" my belief is we don't want to have an
internet or a world, for that matter, where this is how things run. The
internet is a bottom up thing, it is so cool because people follow
protocols, that are not law.
 
There was a time when this wasn't a given: During the "Browser wars"
different producers leveraged ambiguities in the HTML standard, and the
end result was horrible.
 
We don't want this. If we delegate the problem, we've already lost.
 
Best
Serge
 
 
 
-- 
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of Saarbruecken, 
Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England 
and Wales with company number 8576358.






Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-16 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Volker,

 

 

On 16/1/20 16:03, "anti-abuse-wg on behalf of Volker Greimann" wrote:

 

Hi Jordi, 

your example seems a bit off though. If your contract is with your ISP and you 
need to complain to them, why would you complain to another ISP you have no 
contract with?

Text was not clear … I’m the victim. My ISP is A. The abuser ISP is B. I can 
complain to A, so he can complain to B.

I also don’t see any issue anyway, for me to complain directly to B.

I agree that current GDPR implementations may impact the contactibility of the 
customer, but that can be improved in GDPR-compliant manners that do not 
require playing chinese whispers down the chain. 

Not objecting to your 3. but you need to consider it may not be the contractual 
partner acting against the contract. They may be a victim as well, and 
therefore enforcing any actions against them may be unproductive. Would you 
shut down Google.com because of one link to a site violating third party rights?

Agree. I’m a family. I know nothing about IT. My wireless is open, or somehow 
my network has been hacked and is being used for sending spam or DDoS. The ISP 
is still responsible for making sure that the problem is resolved, either 
warning the user, helping them, or blocking (until the user solves the problem) 
the relevant ports (even the connection if needed). It is up to the local 
legislation if the user has any responsibility or not. This is probably out of 
scope for our policy, right? But if the ISP is not reacting at all, he is 
risking that other operators block him, right?

That’s why I still believe that abuse-c must be mandatory, unless you clearly 
state that you ignore abuse cases.

Best,

Volker

On 16.01.2020 at 15:52, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

Hi Volker,

 

I don’t agree with that, because:

1)  I believe the electricity sample I provided proves otherwise. My 
contract is with the electricity provider (the Internet provider), so I need to 
complain to them and they need to follow the chain.

2)  For a victim, to complain directly to the customer (not the operator), 
will need to know the data of the “abuser” which may be protected by GDPR.

3)  Customers sign a contract with the operator. The contract must have 
clear conditions (AUP) about the appropriate use of the network. If you act 
against that contract, the problem is with the operator, not victims.

 

By the way, if an operator has a badly designed AUP, either they are doing a 
bad job, or they have *no interest* in acting against abuses.

 

Regards,

Jordi

@jordipalet

 

 

 

On 16/1/20 15:44, "anti-abuse-wg on behalf of Volker Greimann" wrote:

 

Obviously every user should lock their doors / protect themselves against 
fraud. I am just saying that the ability of many service providers to curtail 
abuse of their system (without impacting legitimate uses) is very limited as it 
may not be their customers doing the abusing and any targeted action against those 
customers themselves would be inappropriate and affect many legitimate users 
of their services. 

At what point should a network service provider remove privileges from a 
customer that is himself being abused but is technically unable to deal with it 
properly? Would the complaint not be better directed at that customer, not the 
provider, since they are the ones that can resolve this issue in a more 
targeted and appropriate manner? How does the service provider differentiate 
between a customer that is abusing vs one that is being abused?  Deputising the 
service providers will not necessarily solve the problems, and possibly create 
many new ones. 

In the domain industry, we were required to provide an abuse contact, however 
the reports we get to that address usually deal with issues we cannot do much 
about other than pulling or deactivating the domain name, which is usually the 
nuclear option. So we spend our time forwarding abuse mails to our customers 
that the complainant should have sent to the customer directly. 

Best,

volker

 

On 16.01.2020 at 15:16, Serge Droz via anti-abuse-wg wrote:
Hi Volker
 
On 16/01/2020 15:03, Volker Greimann wrote:
isn't making the world (and the internet) first and foremost a job of
law enforcement agencies like the police and Europol?
Law enforcement's job primarily is arresting criminals. And yes they do
prevention. But you can't stop locking your door or walk by fight just
ignoring it, because it's LEA's job.
 
This is even more true on the internet, where CERTs have long been
working together fighting cybercrime etc.
 
While there obviously is an appeal to the notion of "The best problems
are someone else's problem" my belief is we don't want to have an
internet or a world, for that matter, where this is how things run. The
internet is a bottom up thing, it is so cool because people follow
protocols, that are not law.
 
There w

Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-16 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Alex, 

 

 

On 16/1/20 16:30, "anti-abuse-wg on behalf of Alex de Joode" wrote:

 

Hi Sara,

 

The issue with your statement below is that RIPE NCC cannot (legally, under 
Dutch contract law) disconnect resources if a resource holder (or more likely 
his customer) does not (properly) deal with abuse complaints. (for instance due 
to reasons of proportionality)

Currently RIPE NCC mandates an email address for receiving abuse notices (which 
is good, as companies can specify a specific address that is monitored by 
people who can take action, and notifiers have a way to find out where to send 
notices for speedy resolution).

 

The availability of this address is checked by RIPE. So the current system 
basically works to enhance the infrastructure for those that are willing to 
deal with abuse notices.

 

This is where we disagree: The current system doesn’t work. It only checks that 
“a mailbox” exists, but not that the mailbox works, isn’t full, bounces, or it 
has your email address for *your* abuse-c.

It seems a simple issue, but a policy amendment is required to make the RIPE 
NCC change this and make it coherent, the same as in ARIN, APNIC and (as soon 
as implemented) LACNIC.

 

Some within this community do feel this is not enough. That as RIPE controls 
resources, RIPE should be put in a position to leverage these resources in such 
a way as to ensure all its resource holders deal with abuse notices in a 
proper way. This would then lead to a crime free internet and everybody is 
happy.

Implementing this is a fundamental shift in the role and responsibility of RIPE. 
A large and vocal group here, do not believe this "deputisation" is the 
direction RIPE should pursue. That does not mean they are in favour of a 
"un-safe, spam infested, crime ridden internet", they just feel this issue 
should be addressed via leveraging RIPE resources.

-- 

IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode


On Thu, 16-01-2020 14h 23min, "Marcolla, Sara Veronica" 
 wrote:

Very well put, Sérgio. Thank you for voicing clearly the concern of (at least a 
part of) the community.

 

We should not forget that, according to the provisions of RIPE NCC audits, 
“every party that has entered into an agreement with the RIPE NCC is 
contractually obliged to provide the RIPE NCC with complete, updated and 
accurate information necessary for the provision of the RIPE NCC services and 
to assist the RIPE NCC with audits and security checks”.  Complete, accurate 
information goes hand in hand with a duty of care, of promptly taking actions 
against abuse, and should be accompanied by a social responsibility of trying 
to make the Internet a safe and secure place for everyone, thus not enabling 
actively DDoS, spammers, and criminals in general.  

 

If the community does not agree that everyone has the right to a safe, spam 
free, crime free Internet, maybe we have some issue to solve here first. 

 

 

Kind regards,

 

Sara 

 

Europol - O3 European Cyber Crime Centre (EC3)

 

Eisenhowerlaan 73, 2517 KK

The Hague, The Netherlands

www.europol.europa.eu

 

 

From: anti-abuse-wg  On Behalf Of Sérgio Rocha
Sent: 16 January 2020 13:38
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of 
"abuse-mailbox")

 

Hi,

 

Agree, This anti-abuse list seems the blocking group to any anti-abuse response 
measure.

It's amazing that nobody can propose anything without receiving a shower of 
all sorts of arguments against

 

There is an idea that everyone has to hold, if as a community we cannot 
organize a policy, one of these days there will be a problem that will make 
governments take the opportunity to legislate and we will no longer have the 
free and open internet.

 

There are a few ideas that are simple to understand:

 

1 - If you have been assigned a network you have responsibilities, paying 
should not be the only one.

2 - There is no problem with email, since ever are made solutions to integrate 
with emails. There is no need to invent a new protocol. Who has a lot of abuse, 
invests in integrating these emails.

3 - If you have no ability to manage abuse should not have addressing, leave it 
to professionals.

 

The internet is critical for everyone, the ability for actors to communicate 
with each other to respond to abuse must exist and RIPE must ensure that it 
exists.

It’s like the relation with local governments, there is a set of information 
that has to be kept up to date to avoid problems, in RIPE it must be the same.

 

Sergio

 

 

 

From: anti-abuse-wg [mailto:anti-abuse-wg-boun...@ripe.net] On Behalf Of Fi Shing
Sent: 16 January 2020 04:55
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of 
"abuse-mailbox")

 

 

>> Best not to judge the race until it has been fully run.

 

I just do not understand how anyone on this list (other than a criminal

Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-16 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Alex,

My reading of the eCommerce Directive 
(https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32000L0031) is 
different. Some points (most relevant text only):

(40) …  the provisions of this Directive relating to liability should not 
preclude the development and effective operation, by the different interested 
parties, of technical systems of protection and identification and of technical 
surveillance instruments …

(44) A service provider who deliberately collaborates with one of the 
recipients of his service in order to undertake illegal acts goes beyond the 
activities of "mere conduit" or "caching" and as a result cannot benefit from 
the liability exemptions established for these activities.

(46) In order to benefit from a limitation of liability, the provider of an 
information society service, consisting of the storage of information, upon 
obtaining actual knowledge or awareness of illegal activities has to act 
expeditiously to remove or to disable access to the information concerned ...

So, if I'm reading it correctly (not being a lawyer), a service provider not 
acting against abuse when it has been informed of so, is liable. I'm sure if 
the service provider tries to avoid being "informed" by not looking at 
notifications (email, postal, fax, etc.), they will also be liable in front of 
courts.

Regards,
Jordi
@jordipalet



On 16/1/20 16:40, "Alex de Joode" <mailto:a...@idgara.nl> wrote:

Jordi,

Nice analogy, but when you add the eCommerce Directive into the mix, where a 
network provider (or hosting provider) is not liable for what their users do, 
the outcome changes. Only if you have knowledge there might be a possibility 
for liability, but if you do not accept abuse notices, and therefore do not 
have knowledge you are not liable. Also note there is no monitoring obligation, 
but if you do monitor you can gain knowledge and become liable for 
-everything-. So the current legal environment (in the EU) isn't very 'pro' 
abuse handling.
-- 
IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode

On Thu, 16-01-2020 15h 18min, JORDI PALET MARTINEZ via anti-abuse-wg 
 wrote:
Let’s try to see it from another perspective.
 
If you’re an electricity provider, and one of your customers injects 1.000 v 
into the network and thus create damages to other customers (even from other 
electricity providers), the electricity provider must have the means to resolve 
the problem, disconnect that customer if needed, and pay the damages if the 
customer creating them doesn’t do that.
 
When this happens, most of the time, the customer insurance will cover it, 
initially, and then claim to the electricity provider insurance, which in turn, 
can claim to the customer creating the trouble.
 
If insurance doesn’t work, most of the time, law will make the electricity 
provider responsible at the same level of the defaulting customer (especially 
if this one doesn’t pay the damages).
 
I’m sure that this is the same in every EU country. Can we agree on that?
 
This is totally symmetric to the Internet. An operator provides a service. If a 
customer is creating damages, even to customers of other operators, the minimum 
that the provider of the defaulting customer should be able to do is:
1) Receive the abuse report (it can be automated)
2) Investigate the abuse (it can be automated in many cases, especially if we 
mandate a format for the reporting, and there are open source tools that do 
that for most of the cases)
3) If it is against the AUP with its customers, take actions, warnings to the 
customer the first time, etc., even disconnecting the customer (of course, this 
means losing customers such as spammers that pay a lot …)
 
I don’t expect to respond to the abuse, but it’s nice to do. There are many 
open source ticket systems that do most of this.
 
I don’t expect to compensate the victims, but I’m sure it can be done if the 
victims go to the courts. No difference with the electricity example, just we 
don’t have (as I know) this kind of insurance for Internet abuses.
 
Actually, it will be very nice to have those insurances, because insurance 
companies have the power to put together many claims in the courts, so 
operators that don’t care about abuse pay for it.
 
Regards,
Jordi
@jordipalet
 
 
 
On 16/1/20 15:03, "anti-abuse-wg on behalf of Volker Greimann" 
<mailto:anti-abuse-wg-boun...@ripe.net on behalf of 
mailto:vgreim...@key-systems.net> wrote:
 
Hi Sara,
isn't making the world (and the internet) first and foremost a job of law 
enforcement agencies like the police and Europol? While I agree that everyone 
has a role to play, crime prevention and protection of the public is part of 
the LEA job description, right? Civil society entities certainly have a role to 
play, but it does not help trying to deputize them into a role they do not 
carry. 
I disagree tha

Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-16 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Alex,

 

Understood, and thanks a lot; it is very helpful to know that the ecommerce 
directive has a problem.

 

As said, I’m not advocating for RIPE to take actions if the operator doesn’t 
react on an abuse case.

 

What I’m trying to make sure, mainly, is that the abuse contact is a *real 
one*. The actual validation doesn’t ensure this. So the current situation 
(using your words) is not correct. I think this is the main problem. I believe 
most of the LIRs/end-users, don’t understand that there is a “small” problem 
here.

 

So a direct question. Do you think it is acceptable that RIPE NCC does a good 
validation (as done by ARIN, APNIC and soon LACNIC), or it is acceptable that 
any operator can use a fake email?

 

Regards,

Jordi

@jordipalet

 

 

 

On 16/1/20 18:04, "Alex de Joode"  wrote:

Hi Jordi,

 

The inability based on the current ecommerce directive to adequately hold 
providers responsible when they ignore notices is the reason the Dutch 
government came up with some 'suggestions' on how to fix these. I'm involved in 
mitigating the adverse effects of these proposals. (I'm a lawyer and a 
lobbyist, so a double bad ;))

 

In my opinion RIPE should ensure those willing have an easy means of knowing 
who to contact. (that is the current situation) 

 

Full mailboxes/bounces etc is something the resource holder should take care of 
himself. Resource holders who are not interested in properly handling notices, 
and are striving for a 'McColo status' should be dealt with. However that 
should not be a role nor a responsibility of RIPE. Europol's EC3, JITs, local 
police etc should primarily deal with this (yes takes time and effort).  
Advocating for a role for RIPE basically is outsourcing policing (based on Term 
of Service, something advocated by "your local police" as this looks like a 
"quick fix" however expect them to insist your ToS needs to have an article "x" 
and "y" soon.), and removes a lot of due process safeguards you have under the 
criminal system. If the internet is a "wretched hive of scum and villainy" the 
powers that be should allocate enough resources to deal with the problem.

-- 

IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode


On Thu, 16-01-2020 17h 17min, JORDI PALET MARTINEZ via anti-abuse-wg 
 wrote:

Hi Alex,

My reading of the eCommerce Directive 
(https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32000L0031) is 
different. Some points (most relevant text only):

(40) …  the provisions of this Directive relating to liability should not 
preclude the development and effective operation, by the different interested 
parties, of technical systems of protection and identification and of technical 
surveillance instruments …

(44) A service provider who deliberately collaborates with one of the 
recipients of his service in order to undertake illegal acts goes beyond the 
activities of "mere conduit" or "caching" and as a result cannot benefit from 
the liability exemptions established for these activities.

(46) In order to benefit from a limitation of liability, the provider of an 
information society service, consisting of the storage of information, upon 
obtaining actual knowledge or awareness of illegal activities has to act 
expeditiously to remove or to disable access to the information concerned ...

So, if I'm reading it correctly (not being a lawyer), a service provider not 
acting against abuse when it has been informed of so, is liable. I'm sure if 
the service provider tries to avoid being "informed" by not looking at 
notifications (email, postal, fax, etc.), they will also be liable in front of 
courts.

Regards,
Jordi
@jordipalet



On 16/1/20 16:40, "Alex de Joode"  wrote:

Jordi,

Nice analogy, but when you add the eCommerce Directive into the mix, where a 
network provider (or hosting provider) is not liable for what their users do, 
the outcome changes. Only if you have knowledge there might be a possibility 
for liability, but if you do not accept abuse notices, and therefore do not 
have knowledge you are not liable. Also note there is no monitoring obligation, 
but if you do monitor you can gain knowledge and become liable for 
-everything-. So the current legal environment (in the EU) isn't very 'pro' 
abuse handling.
-- 
IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode

On Thu, 16-01-2020 15h 18min, JORDI PALET MARTINEZ via anti-abuse-wg 
 wrote:
Let’s try to see it from another perspective.
 
If you’re an electricity provider, and one of your customers injects 1.000 v 
into the network and thus create damages to other customers (even from other 
electricity providers), the electricity provider must have the means to resolve 
the problem, disconnect that customer if needed, and pay the

Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-17 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Richard,
 

On 16/1/20 21:37, "anti-abuse-wg on behalf of Richard Clayton" wrote:

In message , JORDI
PALET MARTINEZ via anti-abuse-wg  writes

>So, if I'm reading it correctly (not being a lawyer), a service provider not 
>acting against abuse when it has been informed of so, is liable.

don't get confused between the "Hosting" and "Mere Conduit" provisions

> I'm sure if the 
>service provider tries to avoid being "informed" by not looking at notifications 
>(email, postal, fax, etc.), they will also be liable in front of courts.

correct, but that's a "Hosting" aspect and that's not necessarily the
issue when considering spam (which is certainly some of what is being
considered under the generic "abuse" label)

I'm not sure I understand what you mean. In my opinion, if the hosting 
provider is the resource-holder of the addresses being used for any abuse 
(including spam), he is the responsible against the law and he is consequently 
liable for possible damages.


-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755











Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

2020-01-17 Thread JORDI PALET MARTINEZ via anti-abuse-wg
Hi Denis,

 

 

On 17/1/20 0:30, "ripede...@yahoo.co.uk"  wrote:

 

Colleagues

 

I have just read this whole thread, it took a while (I should get sick more 
often and spend a day in bed reading emails). I have a few points to make. Some 
are similar to points already raised but I will reinforce them. I cut out the 
bits I want to respond to, but sorry I have not included the authors (you will 
know if it's you).

 

 

"If I need to use a web form, which is not standard, for every abuse report 
that I need to submit, there is no sufficient time in the world to fill all 
them."

 

So instead each resource holder must interpret randomly written emails and find 
any relevant information from within lots of junk.

 

There are open source tools to extract the logs from an automated abuse 
reporting system (for example fail2ban), and it is very easy to configure them for 
your own needs. In any case, much easier than having a different web form 
non-standard for every ISP that requires that.

Of course, as said, ideally a standard system could be used. Maybe it is time to 
specify it in the policy, and this is something that I’m already considering in 
the next version, depending on what I can interpret from all this discussion.

 

"ever since the day that RIPE NCC first published an abuse reporting address 
in the data base, it has, in effect, injected itself, even if only to a 
minimal degree, into the relationship between a network abuse victim and the 
relevant resource holders that have clear connections to the abuse source"

 

To be clear, the RIPE NCC is the data controller, not the data content 
provider. The RIPE NCC does not publish the abuse contacts, they facilitate 
resource holders to publish them.

 

 

"make abuse-c: an optional attribute (basically, unrolling the "mandatory" 
part of the policy proposal that introduced it in the first place)"

 

As co-author/designer of "abuse-c:" one of the original aims of the "abuse-c:" 
attribute was to provide one single point of contact for a resource holder's 
abuse reports. If it is made optional, abuse reports would simply be sent to 
the "admin-c:", "tech-c:", "notify:", etc email addresses, as they were before. 
People will simply search the database for any email address associated with 
the resource holder and spam them all. It won't stop abuse reports being sent 
'somewhere'. And once someone has had to go to the trouble of finding a list of 
email addresses to use for the resource holder who has no "abuse-c:", then they 
will probably do the same for all reports they send. So those of you who do 
respond to abuse complaints will find complaints being sent to a whole host of 
your email addresses from the RIPE Database. We lose the 'keep it in one well 
defined location' benefit.

 

I agree with you on this. I think the alternative is the autoresponder I 
mention. So keep the abuse-c mandatory, but tell the reporters “I will ignore 
your report”.

 

"at the very least, RIPE NCC could set up and maintain just a basic review 
"platform" where the public at large can at least make it known to all 
observers which networks are the assholes and which ones aren't."

 

This would be an excellent way for a network operator to 'take out' their 
competitors.

 

 

"While I would accept Gert's proposal for making abuse-c an optional 
attribute, the reason I offered a counter proposal for publishing "a 
statement to the effect that the network operator does not act on abuse 
reports" is to add clarity at a high level."

 

How many operators are going to make such a statement? It would become an 
invitation to block their traffic. If that was the alternative to any 
verification then they know if they don't make such a statement there will be 
no penalty. So just don't make a statement and still ignore the reports.

 

Yes and no. Money talks. But at least you know what you can expect from any 
operator, instead of insisting in sending reports and wasting time trying to 
contact them. Maybe the point to have in the policy is that if you don’t have 
a valid abuse-c (so it is mandatory), either you choose to respond to abuses, 
or you have an autoresponder to tell you are not taking care of them. If you 
don’t have one or the other, it is a policy violation.

 

"i'm more worried about someone using real e-mail addresses of real unrelated 
people than the /dev/null or unattended mailboxes."

 

Separately to this discussion we need to have a mechanism to say "Remove my 
email address from this resource", as Google has when someone uses your gmail 
address as a recovery address. (A service I use on a weekly basis)

 

I guess this is not needed. If someone is using my email in a non-related 
contact at the RIPE databases, and I notice it, clearly, I can tell to RIPE 
NCC: this is fake, please remove it. Otherwise RIPE NCC may be liable for the 
damages.

 

"Nice analogy, but when you add the eCommerce Directive into the mix, where a 
networ
