Re: [anti-abuse-wg] 2019-03 and over-reach
On Mon, 25 Mar 2019 13:17:07 + Brian Nisbet wrote: > Sascha, all, > > -Original Message- > > From: Sascha Luck [ml] > > Sent: Monday 25 March 2019 12:24 > > I therefore argue that it is maybe time to have a discussion on > > what exactly RIPE and the NCC should be and what, if any, limits on > > their administrative power there should be. > > I hope, though, that everyone can at least agree that *this* is > > *not* the forum for that discussion. > > To confirm, the Anti-Abuse WG is absolutely not the right forum for > that discussion. > that administrative authority exists, is also not a "discussion" thing, it is a "it already exists" thing. in fact, even on this mailing list (also a resource), there exists rules and there exists administrative authority to remove people from this list. and, people are indeed blocked/banned/removed from this mailing list. So, just to be quite clear: Administrative authority exists and is used regularly and applied to all sorts of resources, all the time. Also, imo, the boundaries of administrative authority as it applies to RIPE is also more of a "legal" thing than a "discussion" thing. Andre
Re: [anti-abuse-wg] 2019-03 and over-reach
On Mon, 25 Mar 2019 12:24:13 + "Sascha Luck [ml]" wrote: > On Mon, Mar 25, 2019 at 12:44:47PM +0200, ac wrote: > >I frequently read someone saying "RIPE is not the Internet > >Police" (even I have said that a few times myself) but the hard > >truth is that any RIR has a duty to exercise administrative > >authority. > > Only as far as it pertains to the registration of > allocated/assigned resources. All membership of the RIPE NCC > since its foundation was entered into with the understanding that > the NCC is a *registry* not an *enforcer* and does not regulate > the operation or behaviour of member networks. exactly my point. for the purposes of discussing administrative authority and/or force, as it relates to abuse, we need to set aside 2019-03 specifically and focus on the core principles of administrative authority. do you agree that any registry has an administrative authority? any registry is an *enforcer* by default as the very act of registration implies force. (as, for example, a resource is assigned to you and not to me) how registration happens (the process), the criteria for registration, the criteria for de-registration, these are all examples of administrative authority. IF RIPE (or any RIR) should de-register/remove a resource registration it is acting administratively It is not forcing anyone to do anything, it is doing exactly that which it is supposed to be doing: Being a Registry.
Re: [anti-abuse-wg] 2019-03 and over-reach
On Mon, 25 Mar 2019 09:29:47 + Brian Nisbet wrote: > > and, more so: 2019-03 not proceeding would be counter to the ethical > > administration of resources, a dereliction of responsibility and a > > breach of trust implied in any such administration (as well as > > administrative authority) > A core part of the policy process in the RIPE Community is that > nothing is set in stone. A policy which is rejected one day may be > accepted another, or something which is put in place may be changed > or altered when new information comes to light. This is all part of > the PDP. > *If* 2019-03 does not reach consensus it in no way implies the RIPE > Community does not care about BGP hijacking (community pushes like > MANRS and general work on RPKI says otherwise), all it says is that > this proposal was not deemed to be the right way to go about it. > the point was not that arguments against 2019-03 means that the PDP is flawed or that anyone in opposition does not care about BGP hijacking, but that those in strong opposition to the exercise of administrative authority should understand (or at least be aware), that there is a very powerful responsibility to do so (to apply administrative authority), in the first place. so, claiming over-reach, should address exactly that (an imbalance in the potential exercise of administrative authority) - and not simply present the easy "chicken little" type argument against any such exercise at all. I frequently read someone saying "RIPE is not the Internet Police" (even I have said that a few times myself) but the hard truth is that any RIR has a duty to exercise administrative authority. Finding the balance where this duty is an over-reach, as per the subject line of this hijacked thread, is an important discussion that I believe this wg should have sometime as this relates directly to abuse also... and, similarly, arguing that because Afrinic etc does not do this or does not do that, is hardly any great argument either, many interesting things, angles and points in these 2019-03 discussions and threads :) Andre
Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Dear Cynthia, On Mon, 25 Mar 2019, Cynthia Revström wrote: Hi Carlos, On 2019-03-24 15:16, Carlos Friaças via anti-abuse-wg wrote: "It will not stop determined miscreants" -- even if it stops some, it's already something positive, anti-abuse-wise. :-)) The thing is that, if you look at it from another direction, if it just does one "false positive", I would argue that it outweighs 100 small hijacks. I can relate to that argument, while probaly 100 different victims would be a bit more hard to convince. Following mostly Toma's constructive arguments we understand the process needs a lot more detail hardwired into the proposal. Our best attempt to control "false positives" in version 1.0 was the last "ratification" knob. And then we have the other co-author, On Sat, Mar 23, 2019 at 10:42 PM JORDI PALET MARTINEZ via anti-abuse-wg wrote: I think is very obvious that the experts [..] will make sure that when a warning is sufficient How is that obvious? Answer: it is not obvious, you are just making assumptions. I think what Jordi meant (coming from the other direction) is a case will not reach the policy violation declaration stage. After looking at this in a bit more detail, my stance on this proposal has to be that I strongly object to it. Understood. I do feel like the better way to go about this is on a technical level, with more things like RPKI and IRR, not this stuff. This was already touched in the thread. RPKI deployment, unfortunately, is still in a very initial phase. When someone asks me -- how do you know this is an hijack? -- my usual answer is: "OK, if they are the rightful owners then ask them to add a ROA". If they can't... well... This is something which is not explicitely written, but it should be simple to dismiss a wrongfully submitted report -- if the ROA is not in place, then the "anomaly" could be fixed by creating one. So yes, we strongly support RPKI and we will try to embed in v2.0 clauses that will clearly support RPKI usage. On another note, unless all RIRs have a similar policy, then a hijacker wouldn't have to be from RIPE, or what if they have gotten hold of a legacy ASN. As i've stated before on this thread, the other four RIRs will also have a proposal on their tables. About legacy resources, the RIR can't de-register anything. The only angle i see where they could help contain hijackers is by refusing access to services. My point is that, no matter what the authors intended, I think this policy, would stop close to no determined hijackers, and We hope it might dissuade some of even trying (and we can't measure that...), but having *nothing* in place might work like an incentive for some. Gert already suggested a new BCP. I think we'll try that too :-) probably cause a few "false positives". That's something we want to erradicate. We need more work and more text. Any input is welcome! Best Regards, Carlos - Cynthia
Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Colleagues, > -Original Message- > From: anti-abuse-wg On Behalf Of > Ronald F. Guilmette > Sent: Friday 22 March 2019 21:43 > > > A vote in favor of the proposal is in fact a vote in favor of *true* > neutrality > and impartiality and *against* the unilateral decisions and actions of > individual actors which themselves have personalized motives that are often > both unseen and also often more than a little suspect. To clarify, the discussion on this proposal is a discussion, not a vote. When judging consensus the Co-Chairs will look at the points made during the discussion, not count the +1s. Of course it is useful to get a feeling for general agreement, so simple statements of support or dissent are very useful, but they are not the core of the thing. Thanks, Brian Co-Chair, RIPE AAWG Brian Nisbet Service Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nis...@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270
Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Hi Carlos, On 2019-03-24 15:16, Carlos Friaças via anti-abuse-wg wrote: "It will not stop determined miscreants" -- even if it stops some, it's already something positive, anti-abuse-wise. :-)) The thing is that, if you look at it from another direction, if it just does one "false positive", I would argue that it outweighs 100 small hijacks. And then we have the other co-author, On Sat, Mar 23, 2019 at 10:42 PM JORDI PALET MARTINEZ via anti-abuse-wg wrote: I think is very obvious that the experts [..] will make sure that when a warning is sufficient How is that obvious? Answer: it is not obvious, you are just making assumptions. After looking at this in a bit more detail, my stance on this proposal has to be that I strongly object to it. I do feel like the better way to go about this is on a technical level, with more things like RPKI and IRR, not this stuff. On another note, unless all RIRs have a similar policy, then a hijacker wouldn't have to be from RIPE, or what if they have gotten hold of a legacy ASN. My point is that, no matter what the authors intended, I think this policy, would stop close to no determined hijackers, and probably cause a few "false positives". - Cynthia
Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
On Sun, Mar 24, 2019 at 01:16:59AM +0100, Töma Gavrichenkov wrote: > On Sat, Mar 23, 2019 at 10:42 PM JORDI PALET MARTINEZ via > anti-abuse-wg wrote: > > I think is very obvious that the experts [..] will make sure that when a > > warning is sufficient > > NO IT'S NOT > > The process is not clear. No guidelines for the "experts" are defined. > No selection process for "experts" is drafted. That's just wishful > thinking as of now, where the best candidate for the experts' panel is > probably Albus Dumbledore himself. Well said. +1 Piotr -- Piotr Strzyżewski Silesian University of Technology, Computer Centre Gliwice, Poland