Re: [anti-abuse-wg] Proposal 2019-03 BGP Hijacking

[Carlos Friaças via anti-abuse-wg]

Hi,
(being a working group member from Portugal and also one of the 
co-authors)


Does the PDP specify that expressing support needs to include any specific 
reason for said support?


Do supporters need to specify which parts of the proposal's text are more 
meaningful for them?


Perhaps one of the Chairs can shed some light.

Best Regards,
Carlos

ps: I hope there isn't even a glimpse of discrimination against Portuguese 
members here. I've also seen support coming from people that live in US, 
CZ, IL, CH, IN, NL. But this WG in not ITU-T, thus not country-based...






On Fri, 29 Mar 2019, Sergey Myasoedov via anti-abuse-wg wrote:


Dear group members from Portugal stated your support for 2019-03,
Can you please provide some more arguments than your humble "+1" statement? 
This is a working group, not a voting.

Please.


--
Kind regards,
Sergey Myasoedov

  On 29 Mar 2019, at 18:33, Vitor Leitao  wrote:

I would like to manifest my support to the proposal 2019-03.

Rgds,

Vitor Leitao

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Carlos Friaças via anti-abuse-wg]

On Fri, 29 Mar 2019, Sergey Myasoedov via anti-abuse-wg wrote:


Hello community,


Hi Sergey, All,



I strongly oppose to this proposal. The proposal gives a power for
misuse to the RIR


I fail to understand how. The main concept of 2019-03 is that it isn't the 
RIR's role to evaluate if an intentional hijack was performed -- that 
should be the role of external, independent experts.


Btw, a similar policy proposal was published yesterday in LACNIC.



and does not protect members against setup.


We aim to refine the proposal, so can you please specify exactly where 
the members might become "unprotected"?


The proposal was built with checks & balances in mind. If they are not 
enough, let's work towards solving that, so noone will feel "unprotected".




I believe this policy have nothing to do in RIPE.


Quoting:
=

-Original Message-
From: Sascha Luck [ml] 
Sent: Monday 25 March 2019 12:24

I therefore argue that it is maybe time to have a discussion on what 
exactly RIPE and the NCC should be and what, if any, limits on their 
administrative power there should be.

I hope, though, that everyone can at least agree that *this* is
*not* the forum for that discussion.


To confirm, the Anti-Abuse WG is absolutely not the right forum for that 
discussion.


Thanks,

Brian
Co-Chair, RIPE AA-WG
=

I understood this as "the Anti-Abuse WG is not the right forum to discuss 
the RIPE NCC's charter, the PDP or if any given proposal is admissible or 
not".





It's better to issue it as a BCP document or an informational RFC.


I agree a BCP document can also be useful, so we'll start that as soon as 
possible.
However, having a clear statement within RIPE policies sends a much 
stronger message to anyone thinking about engaging in such practices.


Again, i want to point out the detail that anyone performing intentional 
hijacks _today_ (or last month or the previous year) is *not* within the 
proposal's scope -- if it happens to get accepted.


There are absolutely no rules *today* against (IP address space/ASN) 
hijacks, and this is precisely the gap 2019-03 aims to fix.



Best Regards,
Carlos Friaças




--
Sergey

Tuesday, March 19, 2019, 1:41:22 PM, you wrote:

MS> Dear colleagues,

MS> A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE
MS> Policy Violation", is now available for discussion.

MS> The goal of this proposal is to define that BGP hijacking is not
MS> accepted as normal practice within the RIPE NCC service region.

MS> You can find the full proposal at:
MS> https://www.ripe.net/participate/policies/proposals/2019-03

MS> As per the RIPE Policy Development Process (PDP), the purpose of
MS> this four-week Discussion Phase is to discuss the proposal and
MS> provide feedback to the proposer.

MS> At the end of the Discussion Phase, the proposers, with the
MS> agreement of the Anti-Abuse WG co-chairs, decide how to proceed with the 
proposal.

MS> We encourage you to review this proposal and send your comments
MS> to  before 17 April 2019.

MS> Kind regards,

MS> Marco Schmidt
MS> Policy Officer
MS> RIPE NCC

MS> Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum

Re: [anti-abuse-wg] Proposal 2019-03 BGP Hijacking

[Gert Doering]

Hi,

On Sat, Mar 30, 2019 at 09:17:20AM +, Carlos Friaças via anti-abuse-wg 
wrote:
> Does the PDP specify that expressing support needs to include any specific 
> reason for said support?

This is a question that we have in AP regularily.

My stance as AP WG chair is that it is not required - if a comment is
basically a "I can support  as it is written, I see the need
to do something, and I agree with  as the method to do so",
a plain "I support " conveys the same message.

*OTOH*, if there is a heated discussion with strong counterarguments, 
and there is no clear consensus emerging, it certainly helps the chairs
and the discussion if the "+1" voices showing up later express why they 
think that "the proposal is good as it stands" while others are so
strongly disagreeing with that.

(And technically, we do not need to reach consensus in discussion phase
- there *should* be "some support from the community" and no "obvious 
killer argument" opposing the proposal, but consensus only needs to be 
reached at the end of the review phase)

So - up to the proposers and chairs to decide whether to move on, and
it certainly *helps* these to judge arguments if arguments are brought
forward...

Gert Doering
-- speaking from experience as AP chair, not positioned to 
   decide on an anti-abuse policy proposal
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] Proposal 2019-03 BGP Hijacking

[Töma Gavrichenkov]

On Sat, Mar 30, 2019, 10:23 AM Carlos Friaças via anti-abuse-wg <
anti-abuse-wg@ripe.net> wrote:

> Do supporters need to specify which parts of the proposal's text are more
> meaningful for them?
>
> Perhaps one of the Chairs can shed some light.
>

They in fact have done that before. To quote:

 start 

From: *Brian Nisbet* 
Date: Mon, Mar 25, 2019, 10:12 AM
Subject: Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is
a RIPE Policy Violation)

[..] To clarify, the discussion on this proposal is a discussion, not a
vote. When judging consensus the Co-Chairs will look at the points made
during the discussion, not count the +1s. Of course it is useful to get a
feeling for general agreement, so simple statements of support or dissent
are very useful, but they are not the core of the thing.

 end 

--
Töma

>

Re: [anti-abuse-wg] Proposal 2019-03 BGP Hijacking

[JORDI PALET MARTINEZ via anti-abuse-wg]

Hi Sergey,

 

I think this is a completely different discussion and up to the chairs the PDP 
decision process, as we all know.

 

However, I want to point out, that from my perspective, supporting voices are 
perfectly valid, regardless of pointing out their motivations or not. This is 
my take on consensus.

 

On the other way around, non-supporting ones need to be motivated.

 

I agree that if I’m a proposal author (not speaking now about this one), and 
have more friends that somebody opposing and I convince all my friends to 
support it, is not fair. However, if those supporting voices aren’t “friends”, 
but colleagues working in the same area of work, and suffering the same 
problems as myself, it is fine asking them to support it.

 

I will love that all the policy proposals have this kind of support (or 
non-support), it makes easy for authors to improve the proposals, and I guess, 
to chairs to decide (even if it means extra work to track all the discussions).


Regards,

Jordi

 

 

 

El 29/3/19 23:01, "anti-abuse-wg en nombre de Sergey Myasoedov via 
anti-abuse-wg"  escribió:

 

Dear group members from Portugal stated your support for 2019-03,

 

Can you please provide some more arguments than your humble "+1" statement? 
This is a working group, not a voting.

 

Please.

 

 

--

Kind regards,

Sergey Myasoedov



On 29 Mar 2019, at 18:33, Vitor Leitao  wrote:

 

I would like to manifest my support to the proposal 2019-03.

 

Rgds,

 

Vitor Leitao

 



**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[JORDI PALET MARTINEZ via anti-abuse-wg]

If you want to have an idea of "what" we have captured during the discussion in 
this mailing list, we have also submitted the "improved" version to ARIN (and 
working on the same for APNIC and AfriNIC).

You can read that (in English) here:
https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/

Actually, question for the chairs and Marco. Do you think it makes sense to 
continue the discussion with the current version before improving it, or 
already sending a new one? There is a lot of improvement already, the 
discussion has been extremely useful for the authors. However, we are missing 
some NCC inputs, for example, regarding legal questions that we raised several 
times, so if sending a new version means we can't get those inputs, then is not 
good ...

Note: As said this already before, I think. We aren't - the co-authors- 
coordinating our responses, so we may have different opinions in all what we 
say, and I think this is good because it helps with the responses of the 
community to build-out our own positions and clear our "internal" differences 
(which we have, don't have any doubt on it!) and reach consensus "among 
ourselves".

Regards,
Jordi
 
 

El 30/3/19 10:54, "anti-abuse-wg en nombre de Carlos Friaças via 
anti-abuse-wg"  escribió:


On Fri, 29 Mar 2019, Sergey Myasoedov via anti-abuse-wg wrote:

> Hello community,

Hi Sergey, All,


> I strongly oppose to this proposal. The proposal gives a power for
> misuse to the RIR

I fail to understand how. The main concept of 2019-03 is that it isn't the 
RIR's role to evaluate if an intentional hijack was performed -- that 
should be the role of external, independent experts.

Btw, a similar policy proposal was published yesterday in LACNIC.


> and does not protect members against setup.

We aim to refine the proposal, so can you please specify exactly where 
the members might become "unprotected"?

The proposal was built with checks & balances in mind. If they are not 
enough, let's work towards solving that, so noone will feel "unprotected".


> I believe this policy have nothing to do in RIPE.

Quoting:
=
> -Original Message-
> From: Sascha Luck [ml] 
> Sent: Monday 25 March 2019 12:24
>
> I therefore argue that it is maybe time to have a discussion on what 
> exactly RIPE and the NCC should be and what, if any, limits on their 
> administrative power there should be.
> I hope, though, that everyone can at least agree that *this* is
> *not* the forum for that discussion.

To confirm, the Anti-Abuse WG is absolutely not the right forum for that 
discussion.

Thanks,

Brian
Co-Chair, RIPE AA-WG
=

I understood this as "the Anti-Abuse WG is not the right forum to discuss 
the RIPE NCC's charter, the PDP or if any given proposal is admissible or 
not".



> It's better to issue it as a BCP document or an informational RFC.

I agree a BCP document can also be useful, so we'll start that as soon as 
possible.
However, having a clear statement within RIPE policies sends a much 
stronger message to anyone thinking about engaging in such practices.

Again, i want to point out the detail that anyone performing intentional 
hijacks _today_ (or last month or the previous year) is *not* within the 
proposal's scope -- if it happens to get accepted.

There are absolutely no rules *today* against (IP address space/ASN) 
hijacks, and this is precisely the gap 2019-03 aims to fix.


Best Regards,
Carlos Friaças



> --
> Sergey
>
> Tuesday, March 19, 2019, 1:41:22 PM, you wrote:
>
> MS> Dear colleagues,
>
> MS> A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE
> MS> Policy Violation", is now available for discussion.
>
> MS> The goal of this proposal is to define that BGP hijacking is not
> MS> accepted as normal practice within the RIPE NCC service region.
>
> MS> You can find the full proposal at:
> MS> https://www.ripe.net/participate/policies/proposals/2019-03
>
> MS> As per the RIPE Policy Development Process (PDP), the purpose of
> MS> this four-week Discussion Phase is to discuss the proposal and
> MS> provide feedback to the proposer.
>
> MS> At the end of the Discussion Phase, the proposers, with the
> MS> agreement of the Anti-Abuse WG co-chairs, decide how to proceed with 
the proposal.
>
> MS> We encourage you to review this proposal and send your comments
> MS> to  before 17 April 2019.
>
> MS> Kind regards,
>
> MS> Marco Schmidt
> MS> Policy Officer
> MS> RIPE NCC
>
> MS> Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
>
>
>
>

Re: [anti-abuse-wg] Welcome to the "anti-abuse-wg" mailing list

[Pedro Veiga]

I support 2019-03

Regards,

PV

Às 11:13 de 30/03/2019, anti-abuse-wg-requ...@ripe.net escreveu:
> Welcome to the anti-abuse-wg@ripe.net mailing list!
>
> To post to this list, send your email to:
>
>anti-abuse-wg@ripe.net
>
> General information about the mailing list is at:
>
>https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
>
> If you ever want to unsubscribe or change your options (eg, switch to
> or from digest mode, change your password, etc.), visit your
> subscription page at:
>
>
> https://lists.ripe.net/mailman/options/anti-abuse-wg/pedroveiga%40outlook.com
>
>
> You can also make such adjustments via email by sending a message to:
>
>anti-abuse-wg-requ...@ripe.net
>
> with the word `help' in the subject or body (don't include the
> quotes), and you will get back a message with instructions.
>
> You must know your password to change your options (including changing
> the password, itself) or to unsubscribe.  It is:
>
>s58ttw@Peter
>
> Normally, Mailman will remind you of your ripe.net mailing list
> passwords once every month, although you can disable this if you
> prefer.  This reminder will also include instructions on how to
> unsubscribe or change your account options.  There is also a button on
> your options page that will email your current password to you.
>
> The RIPE community's strength comes from its breadth of experience,
> diversity of views and an open, respectful exchange of ideas. These
> are values that we want all of our community members to uphold. Please
> take a moment to read the code of conduct
> 
> that applies to all RIPE mailing lists and the RIPE Forum.
> .
>

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Richard Clayton]

In message <1f2fdfe3-4929-4d3f-8334-8d7755e94...@consulintel.es>, JORDI
PALET MARTINEZ via anti-abuse-wg  writes

>If you want to have an idea of "what" we have captured during the discussion 
>in 
>this mailing list, we have also submitted the "improved" version to ARIN (and 
>working on the same for APNIC and AfriNIC).
>
>You can read that (in English) here:
>https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/

I am disappointed that little has been done to address the technical
misconceptions / pious hopes in the RIPE proposal.


There are already enough sources of historic and almost real-time
routing data which function as a worldwide observatory. From these
sources it is possible to accurately evaluate who is performing BGP
Hijacks and harming (or trying to harm) third party networks by
doing so. 


It is not necessarily the case that BGP hijacks will be visible in the
globally collected datasets. what then ?

Also, where the resources of defunct companies are hijacked then it is
not the routing table which will be key evidence but rather the
paperwork on file at the RIR or elsewhere. There is no discussion of
this aspect of the issue at all (despite it being a major component of
hijack events over the past five years)


The external experts are mere evaluators, who can use available sets
of routing data to determine whether BGP hijacking events have taken
place, and whether were intentional.


It is NOT possible (for experts or almost anyone else) to accurately
evaluate who is performing BGP hijacks -- for every announcement there
will be at least two networks (AS numbers) who might have done it and
the experts will be using their skill and judgment to guess which of
them is culpable.

Although in many cases it is "obvious" who did it, there is always at
least one other AS on the path who is able to "frame" the suspect and so
the experts are mainly deciding how plausible it is that someone is
being framed


The direct upstreams of the suspected hijacker, which facilitate the
hijack through their networks, may receive a warning the first time.
Nevertheless, in successive occasions they could be considered by
the experts, if intentional cases are reproduced, as an involved
party. 


This is pretty opaque ... but if it is meant to be read as "global
transit providers are responsible for the behaviour of their customers"
then this is what Sir Humphrey would call a "courageous" approach.


The expert’s investigation, will be able to value relationships
between LIRs/end users, of the same business groups.


How ?


Accidental cases or those that can’t be clearly classified as
intentional, will receive a warning, which may be considered if
repeated.


this is incoherent -- and there does not seem to be any clarity about
what a "warning" means from a consequences point of view


As soon as the policy implementation is completed, a transition
period of 6 months will be established, so that organizations that
announce unassigned address space or autonomous systems numbers, due
to operational errors or other non-malicious reasons, receive only a
warning.


This section of the text is presumably meant to address the "bogons"
issue -- the long-standing disputes between various networks and the
RIRs as to whether or not they are entitled to announce various prefixes
or use particular AS numbers.

It seems optimistic to assume these issues will be addressed in six
months. Or perhaps you are expecting ARIN (and all the other RIRs) to
void contracts with the US Department of Defence, with Level 3, with
CenturyLink, with Hewlett Packard, with Verizon, with Comcast, with AT&T
and with Rogers ??


crickets


There is no discussion of the mis-use of AS numbers. Arguably this would
be merely a clarification, but it would I think be a useful one to
assist the experts in their proposed work.

>Actually, question for the chairs and Marco. Do you think it makes sense to 
>continue the discussion with the current version before improving it, or 
>already 
>sending a new one? 

Sending RIPE the ARIN version which hardly addresses key technical
points which have been made to you does not seem especially valuable

Also, of recent days there has been some (ill-informed) discussion about
RPKI and the use of ROAs to settle disputes about hijacking. There is no
mention of this in the ARIN document so it is not possible to identify
whatever technical implausibility will be put forward.  (Hint: RPKI is
great for reducing the incidence of "fat fingering", it merely provides
a slight (if that) impediment to an intentional hijacker)

>There is a lot of improvement already, the discussion has 
>been extremely useful for the authors. However, we are missing some NCC 
>inputs, 
>for example, regarding legal questions that we raised several times, so if 
>sending a new ve

Re: [anti-abuse-wg] Proposal 2019-03 BGP Hijacking

[Nick Hilliard]

Carlos Friaças via anti-abuse-wg wrote on 30/03/2019 09:17:

Perhaps one of the Chairs can shed some light.


Hi Carlos,

The approach by most if not all RIPE working groups is set out in 
rfc7282: "On Consensus and Humming in the IETF".  It's worth reading 
this document carefully to understand the process by which consensus is 
attained, section 6 in particular: "One hundred people for and five 
people against might not be rough consensus".


Nick

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On 24/03/2019 14:48, Sander Steffann wrote:

Hi Gert,


Now, I do share the wish to "do something!!" against BGP hijacking.

So, maybe a more workable way forward would be to change this into a BCP
("the RIPE anti-abuse community states with full backing from the RIPE
community that BGP hijacking, as defined in , is considered
unwanted behaviour") - and *then* use that on a commercial/peering basis
among transit ISPs to strengthen the message "we want *you* to filter
your customer BGP sessions, because that's the proper way to run a network!".

+1

Cheers,
Sander


Nice but probably as effective as MANRS.


Regards,

Hank

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Ronald F. Guilmette]

In message , 
Richard Clayton  wrote:

>It is NOT possible (for experts or almost anyone else) to accurately
>evaluate who is performing BGP hijacks...

I did not intend to participate any further in this discussion, above and
beyond what I already have done, but I fell compelled to at least point out
the intellectual dishonesty of the above assertion.

In the summer of last year, 2018, I took steps to point out, in a very public
way, on the NANOG mailing list, two notable hijacking situations that came
to my attention *and* also to identify, by name, the actors that were quite
apparently behind each of those.  In neither of those instances was there
ever even any serious attempt, by either of the relevant parties, to refute
-any- of my very public allegations.

One of those was BitCanal, which was widely recognized as having participated
in hijackings for literally years on end.  Subsequent to my public allegations,
various outher parties took it upon themselves to actually reduce the
connectivity of this rogue company, with the ultimate effect being that the
company had trouble finding any connectivity anywhere.  These are historical
facts and easily verifiable by anyone taking the time to look into the full
historical record.

The other situation involved a company calld D2 International Investment
Ukraine, Ltd. and its apparent alter ego, Universal IP Solution Corp.
Both companies were later revealed to have been performing hijacks in the
service of a complex criminal enterprise which had as its goal a great
deal of so-called "ad fraud".  This entire complex scheme purportedly netted
the perpetrators in excess of $29 million (USD) and resulted in numerous
international criminal indictments:

https://arstechnica.com/information-technology/2018/12/how-3ves-bgp-hijackers-eluded-the-internet-and-made-29m/

Neither of these two situations were in any sense ambiguous, and it is the
very height of intellectual dishonesty to suggest otherwise.

I understand that various people do not approve of the current propsal
as written.   That is their right.  I would ask however that the opposition
not marshall provably bogus arguments to support what I feel, equally
strongly, is a totally wrong-headed view of the present proposal.


Regards,
rfg

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Gert Doering]

Hi,

on Sat, Mar 30, 2019 at 12:07:16PM -0700, Ronald F. Guilmette wrote:
> 
> In message , 
> Richard Clayton  wrote:
> 
> >It is NOT possible (for experts or almost anyone else) to accurately
> >evaluate who is performing BGP hijacks...
> 
> I did not intend to participate any further in this discussion, above and
> beyond what I already have done, but I fell compelled to at least point out
> the intellectual dishonesty of the above assertion.

The fact that you found two examples of very clean and unambiguous nature
does not falsify Richard's general statement.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Töma Gavrichenkov]

On Sat, Mar 30, 2019, 8:07 PM Ronald F. Guilmette 
wrote:

> >It is NOT possible (for experts or almost anyone else) to accurately
> >evaluate who is performing BGP hijacks...
>
> [..] intellectual dishonesty of the above assertion.
>
> [..]
>
> Neither of these two situations were in any sense ambiguous, and it is the
> very height of intellectual dishonesty to suggest otherwise.
>

Survivorship bias, y'know.

--
Töma

>

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Carlos Friaças via anti-abuse-wg]

Hi Richard, All,

Thanks for your input. Please see inline.


On Sat, 30 Mar 2019, Richard Clayton wrote:


   
   There are already enough sources of historic and almost real-time
   routing data which function as a worldwide observatory. From these
   sources it is possible to accurately evaluate who is performing BGP
   Hijacks and harming (or trying to harm) third party networks by
   doing so.
   

It is not necessarily the case that BGP hijacks will be visible in the
globally collected datasets. what then ?


Then if there is no available proof related to a specific hijack, the case 
should be extremely hard to obtain confirmation from experts (or even 
reach the 2nd round of experts).




Also, where the resources of defunct companies are hijacked then it is
not the routing table which will be key evidence but rather the
paperwork on file at the RIR or elsewhere. There is no discussion of
this aspect of the issue at all (despite it being a major component of
hijack events over the past five years)


If that data is not public, then it could hardly be referenced within a 
report filed with the RIR.. if it is public (through a companies' 
register?), i think it could be referenced so the experts can check.
I think looking at BGP neighbors might also provide some insight. But 
anyway, if there isn't enough evidence, a complaint/report should be 
dismissed.


Do you have any suggestion to improve the process?




   
   The external experts are mere evaluators, who can use available sets
   of routing data to determine whether BGP hijacking events have taken
   place, and whether were intentional.
   

It is NOT possible (for experts or almost anyone else) to accurately
evaluate who is performing BGP hijacks -- for every announcement there
will be at least two networks (AS numbers) who might have done it and
the experts will be using their skill and judgment to guess which of
them is culpable.


I think a report should only point to _one_ specific party. If it points 
to the legitimate holder, then it's logical to dismiss it. If this is not 
the case, then it should be looked into by experts.





Although in many cases it is "obvious" who did it, there is always at
least one other AS on the path who is able to "frame" the suspect and so
the experts are mainly deciding how plausible it is that someone is
being framed


The keyword here should be *persistent*.
If you see several hijacks from the same source...
If not, anyone who is accused should have the opportunity to defend 
itself. The process could (and will) be more detailed, but the checks & 
balances already described were designed in a way that only after 
the ratification phase, an accused party is considered to have done an 
intentional hijack. It's not the accused party who has to prove that they 
didn't do it, it's the evidence that needs to be compelling enough so 
there are no doubts to (a significant amount of) experts that an 
intentional hijack had its origin on the accused party.


But again, let me remember you... a process will primarily depend on a 
report.





   
   The direct upstreams of the suspected hijacker, which facilitate the
   hijack through their networks, may receive a warning the first time.
   Nevertheless, in successive occasions they could be considered by
   the experts, if intentional cases are reproduced, as an involved
   party.
   

This is pretty opaque ... but if it is meant to be read as "global
transit providers are responsible for the behaviour of their customers"
then this is what Sir Humphrey would call a "courageous" approach.


No. Maybe a clarification is needed here, and possibly some rephrasing -- 
a transit provider should receive notices *after* an intentional hijack is 
determined and ratified. The spirit of the text above was to discourage 
people to "owning company A and B to Z, sourcing the hijacks at B and 
provide transit through A, then repeat replacing B with C, D, E, and so 
on... and keeping the transit through A".


We need to find the best wording possible, but "global transit providers" 
and "internet exchange providers" are not seen by the authors as possible 
"accused" parties.
I mean, it's possible that anyone will file a report including companies 
that fall under those categories, but those will most likely be easily 
dismissed by experts.





   
   The expert?s investigation, will be able to value relationships
   between LIRs/end users, of the same business groups.
   

How ?


Looking at public companies registries, for once...
"same business groups" could possibly be reworded into "same ownership".




   
   Accidental cases or those that can?t be clearly classified as
   intentional, will receive a warning, which may be considered if
   repeated.
   

this is incoherent -- and there does not seem to be any clarity about
what a "warning" means from a consequences point of view


Noted. The text needs more clarity. It means a message should be generated 
to the