Re: [anti-abuse-wg] Bulletproof servers causing mischief on the internet

[Hank Nussbacher]

On 17/01/2024 23:05, Tomás Oliveira Valente Leite de Castro via 
anti-abuse-wg wrote:


I believe RIPE NCC's job is not to police the internet, but to provide 
registration services. However RIPE should guarantee that the 
registrant's data is correct and up to date. This includes a proper 
abuse contact.


I have heard so often that RIPE NCC's job is to *not* police the 
Internet.  Then I heard John Curran's keynote at NANOG in October:
The Expanding Landscape of Internet Governance:​ Why Network Operators 
Need a Global View

https://www.youtube.com/watch?v=U1Ip39Qv-Zk
and realize that over the next decade we will be handed EU edicts that 
will far exceed anything we thought possible.  Take the 45 minutes and 
listen to John.


Regards,
Hank

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Hijacking and Blocking of Business Users Profiles on Meta Platforms

[Hank Nussbacher]

On 17/02/2023 13:32, Michele Neylon - Blacknight wrote:

Sure.

From: https://www.ripe.net/participate/ripe/wg/active-wg/anti-abuse

"While areas such as hosting illegal content or copyright infringement 
are not seen as a central part of the working group's remit, they are 
unquestionably bound up in other aspects of network abuse and, as such, 
may be areas of interest."


Regards,
Hank



Hank

I’m a little confused.

This is the RIPE anti-abuse WG.

I don’t see how this issue is related to this group.

Could you please explain?

Thanks and regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/ <https://www.blacknight.com/>

https://blacknight.blog/ <https://blacknight.blog/>

Personal blog: https://michele.blog/ <https://michele.blog/>

Some thoughts: https://ceo.hosting/ <https://ceo.hosting/>

---

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business 
Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845


I have sent this email at a time that is convenient for me. I do not 
expect you to respond to it outside of your usual working hours.


*From: *anti-abuse-wg  on behalf of Hank 
Nussbacher 

*Date: *Friday, 17 February 2023 at 09:23
*To: *anti-abuse-wg@ripe.net 
*Subject: *[anti-abuse-wg] Hijacking and Blocking of Business Users 
Profiles on Meta Platforms


*[EXTERNAL EMAIL]*Please use caution when opening attachments from 
unrecognised sources.


Hijacking and Blocking of Business Users Profiles on Meta Platforms

https://en.isoc.org.il/netica/hijacking-and-blocking-of-business-users-profiles-on-meta-platforms
 
<https://en.isoc.org.il/netica/hijacking-and-blocking-of-business-users-profiles-on-meta-platforms>

ISOC-IL wishes to raise the issue that Meta is not taking sufficient 
actions to curtail hijacking of business profiles.  In the attached 
paper ISOC-IL shows countless examples (actually 170 cases in the past 
year) of targeted attacks that are designed to block and hijack specific 
business accounts.  These customers are paying customers yet due to 
Facebook's automatic blocking of planted pedophilia or terrorist videos, 
these customers have no recourse to even open a complaint with Meta.  
Paying customers should not have to threaten legal action for the issue 
to be dealt with.


Meta must develop tools that can distinguish between systematic, 
deliberate publication of offensive and destructive content, and the 
publication of damaging content on hijacked, innocent profiles for the 
purpose of blocking those profiles.  Meta needs to establish customer 
service that responds to business account owners wronged by hacking and 
fraud.


Regards,
Hank




--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] What todo when a registrar doe snot respond to babuse form an IP

[Hank Nussbacher]

On 23/06/2022 10:24, Jeroen Massar via anti-abuse-wg wrote:


Use block lists like https://www.spamhaus.org/xbl/ to make your life a bit 
easier; but, do not outright block, use them ala Spamassassin as one of many 
inputs to rank if an IP is likely to be good or bad.

For Tor, there is https://check.torproject.org/api/bulk ; though in the end Tor 
is just noise; compromised hosts are a bigger issue.
For Internet, there is a very harsh: https://www.spamhaus.org/drop/ (you might 
also accidentally possibly block good people using those ISPs)

Whatever list you use, be it those from Spamhaus or other providers, do verify 
what you block and maybe whitelist what you never want to block.
Making a baseline of "normal clients" can also be useful: eg, no sense in 
processing packets from a IP in Antartica when you normally do not get traffic from 
there. Your Network, Your Policy... but also your pain when a user gets accidentally 
blocked...


If you raised the issue, what do others think of https://www.crowdsec.net/

Thanks,
Hank




--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] RIPE NCC Anti-Abuse Training: Next Steps & WG Input!

[Hank Nussbacher]

On 23/02/2022 20:39, Gert Doering wrote:

This takes me back 50+ years to US Supreme Court Justice Stewart's 
definition of obscenity:

https://en.wikipedia.org/wiki/I_know_it_when_I_see_it

Regards,
Hank



Hi,

On Wed, Feb 23, 2022 at 07:20:48PM +0100, Tobias Knecht via anti-abuse-wg wrote:

I disagree with the idea of defining what abuse is for 3 reasons.


I do understand your arguments, but I'm not agreeing with the conclusion.

If we can't agree on "this is abuse" and "that is not", how can we ever
agree on "we should do something against abuse!"?

More extreme wording: why would I, as an ISP, need an abuse handling
department if I can just declare "ah, no, this is all normal customer
activity" instead?

So, yes, defining abuse is very hard - but if we ever want to reach
a good level of common abuse squashing, we should find a common
understanding.  Like "using other people's resources (bandwidth,
money, time) without at least implicit permission, for personal gain".

(I, for one, consider half the web sites out there abusive, with
cookie banners, insanely big graphics, and weird scrolling stuff - but
I guess most web developers would not agree to that)

Gert Doering
 -- NetMaster





--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Fw: Re: @EXT: RE: RIPE NCC Executive Board election

[Hank Nussbacher]

On 17/04/2020 16:31, Brian Nisbet wrote:

Brian is correct.  "...it is up to the membership of the NCC to decide 
who they wish to see on that Board.".
Just like in any country (and as we have seen over the past number of 
years), the citizens get a leadership they deserve not what they want.

Unfortunately, so too it will be in RIPE.

-Hank


Vittorio,

All of the candidates who have been nominated for the Exec Board at present 
have met the criteria set down by the NCC and its members. My point here is 
that it is not up to the AA-WG to interfere in that, rather it is up to the 
membership of the NCC to decide who they (we in my case as I do work for a 
member organisation, but I do not usually post here in that specific capacity) 
wish to see on that Board.

Changes to those criteria are similarly decided by NCC members.

So, where is the right place to discuss this? The RIPE NCC Members Discuss 
list, which is limited to members only, is certainly a forum:

https://www.ripe.net/participate/mail/ripe-ncc-mailing-lists/members-discuss

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270



From: anti-abuse-wg  on behalf of Vittorio Bertola 
via anti-abuse-wg 
Sent: Friday 17 April 2020 12:02
To: furio ercolessi; anti-abuse-wg
Subject: Re: [anti-abuse-wg] Fw: Re: @EXT: RE: RIPE NCC Executive Board election

CAUTION[External]: This email originated from outside of the organisation. Do 
not click on links or open the attachments unless you recognise the sender and 
know the content is safe.



Il 17/04/2020 12:33 furio ercolessi  ha scritto:

Good morning,

as everybody is certainly aware, the antiabuse scenario has become rather 
complex,

Apologies if I jump into this discussion - I do not work for a RIPE member, I 
lurk this list to stay up to date with general abuse trends.

But there is one thing that escapes me: if, as Ron asserts (and this needs to 
be proven), there is an ongoing attempt to put into the RIPE NCC Board one or 
more individuals that are connected with theft of IP space and other abuse, 
isn't this attempt a gigantic form of abuse in itself, with potential 
consequences that could go well beyond RIPE and its members and affect the 
European Internet community as a whole? Why should it not be in topic for the 
abuse list, and where is it in topic then?

--

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy

Re: [anti-abuse-wg] RIPE NCC Executive Board election

[Hank Nussbacher]

On 17/04/2020 10:09, Tõnu Tammer via anti-abuse-wg wrote:

Dear friends,

Every member of the community, who is on the receiving end of abuse,
feels that something should be done!

I reiterate what I have said before: this is just one example of how
todays' approach in handling abuse or designing anti-abuse policy is not
really working. I am not the only one who has realised that this
community seems not to agree anything. That is perfectly understandable.
When once there was just academia who drove the development of internet,
now the community has grown encompassing legitimate business but also
abusers who have become part of that community. We can always find
reasons (justified or not) on why not to do anything or change anything
but we have to understand that impact of not doing anything will
continue to grow.

Already number of countries argue rightly that the multi-stakeholder
approach is not working. And that is all too true. The reasons why they
want to change are likely not driven by the fact current approach is not
working but something more serious. We have to stop fuelling the
arguments that decentralised model is not delivering. If we continue as
we have, we will have changes forced upon us (thing we have turned down
so far) but its likely that more will come and things, we would not be
happy to see at all.


Tõnu nailed it.  Print it and frame it.

-Hank

Re: [anti-abuse-wg] RIPE NCC Executive Board election

[Hank Nussbacher]

On 17/04/2020 09:55, Serge Droz via anti-abuse-wg wrote:

Serge,

Your post brought a smile to my face.

When bank robber Willie Sutton was asked "why do you rob banks?" he 
answered "because that is where the money is".
So too with the Internet.  Criminals and miscreants (a term coined and 
favored by Team Cymru), have long ago realized that Internet resources 
are worth money and where else can you be close to these resources than 
inside any RIR.   Some events make it to the news and probably many 
others will never see the light of day.


Ronald's overly long tomes with a tone I disapprove of yet the content I 
do approve of, are scoffed at by many and yet I am reminded of Danish 
author Hans Christian Andersen tale "The Emperor's New Clothes".  And we 
are the emperor.


I have long ago stopped trying to make the Internet a safer place.   Not 
gonna happen.  I protect my resources as best I can.  I protect my 
little pond as best I can.


A smile appears on my face when I realize there are still naive and 
idealistic people out there who still think they can make a difference.  
Not gonna happen.


Regards,
Hank


Hello List

I've been, mostly passive, on this list for quite a while. I must say we
really excel in terms of abusing each other. And I agree with Ronald, we
seem to fail coming forward with even partial solutions to prevent
abuse. I am disappointed by the tone on this list. One can, and should
disagree on topics, but one should not loose the common goal, reduce
abuse in our case. I fear we are doing just that.

Maybe the striving for a perfect solution, that has no side effects is
not the right approach. Criminals don't mind side effects, and maybe
rather than avoiding them we should try to control and minimize them.

While I'm not the right person to determine what topics are appropriate
for the list, I don't see any harm in asking people to maybe consider
viable candidates for board positions. We can discuss the tone. This
group repeatedly pointed out the importance of a bottom up, democratic
governance structure for RIPE. I'd argue, that a good selection of
candidates for such a position is the basis for this.

I would hope for the abuse WG to become a little more pragmatic and
positive thinking when trying to come up with solutions to fight abuse.
"Divide and conquer" is a concept criminals thrive on too.

Having said that, I wish everyone good health and and a hopefully
enjoyable weekend.

Best
Serge

Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider

[Hank Nussbacher]

On 13/12/2019 13:38, Ronald F. Guilmette wrote:

In message <9c7d5885-f4e5-5c00-9523-bcc3a3b6a...@efes.iucc.ac.il>, you wrote:


Again, great work Ron!

Thanks much Hank.

I wish that I could get some journo in Israel to cover this, and maybe
go and put some questions to the man who ended up with most of this
looted IPv4 address space, i.e. a certain Mr. Elad Cohen (netstyle.co.il /
netstyleservers.com), a member in good standing of RIPE, of course.

and now standing for the Executive Board:
https://www.ripe.net/participate/meetings/gm/meetings/may-2020/confirmed-candidates 



-Hank



I tried to make that happen, but got nowhere.
:-(

Oh well, I gues that there are some different corruption stories that
are getting all of the ink these days in Israel... just as there are
here in the U.S., at present, I'm sorry to say.

There's yet another member in good standing of RIPE whose fingerprints
are also all over this mess.  I'll just have to hope that eventually
Interpol or Europol might take an interest in this case and maybe start
asking these guys some rather pointed questions about it all.

That's the only hope, I'm afraid.  I'm frankly not in the least bit
persuaded that RIPE will ever demonstratably give a shit about any of
this.  The last time I looked, the various folks, mostly Russian, who
were running the networks responsible for the massive `3ve' clickfraud
scam... which I had also publicly outted before LE caught up to them...
were also all still members in good standing of RIPE, and those guys
were formally indicted by the U.S. DoJ:

https://www.whiteops.com/press-releases/3ve-google-whiteops-online-fraud
https://www.justice.gov/usao-edny/pr/two-international-cybercriminal-rings-dismantled-and-eight-defendants-indicted-causing


Regards,
rfg


P.S.  This stuff that took place down in the AFRINIC region arguably
isn't even on-topic for this list and/or this WG.  It's kind-of like
"meta-abuse", or some such thing.  Anyway, this isn't our usual spammers
and/or hackers story.

Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider

[Hank Nussbacher]

On 13/12/2019 11:10, Fi Shing wrote:

Again, great work Ron!

-Hank


https://krebsonsecurity.com/2019/12/the-great-50m-african-ip-address-heist/

- Original Message -
Subject: Re: [anti-abuse-wg] Massive prefix theft in AFRINIC -
attributed to an insider
From: "Michele Neylon - Blacknight" 
Date: 12/6/19 1:14 am
To: "Suresh Ramasubramanian" ,
"anti-abuse-wg@ripe.net" 

Great work from Ron

Sad to see this happen, though it was to be expected considering
how much IPs are now worth



--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845


On 04/12/2019, 19:43, "anti-abuse-wg on behalf of Suresh
Ramasubramanian"  wrote:

Congratulations, Ron Guilmette. You’ve been doing this for years
and this is your biggest success yet.


https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html

tl;dr - The insider is apparently Ernest Byaruhanga, AFRINIC
employee #2, and he has now separated from AFRINIC

--srs

Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider

[Hank Nussbacher]

On 04/12/2019 21:42, Suresh Ramasubramanian wrote:

Congratulations, Ron Guilmette.  You’ve been doing this for years and this is 
your biggest success yet.

https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html

tl;dr - The insider is apparently Ernest Byaruhanga, AFRINIC employee #2, and 
he has now separated from AFRINIC

--srs


Kudos Ron!  Just a shame the RIRs themselves don't have each an 
investigative arm to do this kind of research.


-Hank

Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

In regards to:
A.3.2. Pool of Experts
there should be some sort of insurance policy available provided by RIPE 
NCC just as Board members cannot be held personally responsible, so too 
the pool of experts need to be insured so that the "hijacker" doesn't 
drag them into court on trumped up charges.


Regards,
Hank

Re: [anti-abuse-wg] 2019-03 Review Phase (Resource Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On 05/09/2019 16:23, Marco Schmidt wrote:

"A.3.1. Reporting
Only persons directly affected by a suspected hijack can report to the 
RIPE NCC that another party has announced resources registered to or 
used by the reporter without their consent. "


This thereby precludes any national CERT from reporting to the RIPE NCC 
any suspected hijacks since they are not directly affected.  Can this 
text be modified?


Regards,
Hank


Dear colleagues,

Policy proposal 2019-03, "Resource Hijacking is a RIPE Policy 
Violation" is now in the Review Phase.


The goal of this proposal is to define that BGP hijacking is not 
accepted as normal practice within the RIPE NCC service region.


The proposal has been updated following the last round of discussion 
and is now at version v2.0. Some of the changes made to version v1.0 
include:
- Includes procedural steps for reporting and evaluation of potential 
hijacks

- Provides guidelines for external experts
- Adjusted title

The RIPE NCC has prepared an impact analysis on this latest proposal 
version to support the community’s discussion. You can find the full 
proposal and impact analysis at:

https://www.ripe.net/participate/policies/proposals/2019-03
https://www.ripe.net/participate/policies/proposals/2019-03#impact-analysis 



And the draft documents at:
https://www.ripe.net/participate/policies/proposals/2019-03/draft

As per the RIPE Policy Development Process (PDP), the purpose of this 
four week Review Phase is to continue discussion of the proposal, 
taking the impact analysis into consideration, and to review the full 
draft RIPE Policy Document.


At the end of the Review Phase, the Working Group (WG) Chairs will 
determine whether the WG has reached rough consensus. It is therefore 
important to provide your opinion, even if it is simply a restatement 
of your input from the previous phase.


We encourage you to read the proposal, impact analysis and draft 
document and send any comments to  before 4 
October 2019.



Kind regards,

Marco Schmidt
Policy Officer
RIPE NCC

Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 89, Issue 15

[Hank Nussbacher]

On 04/04/2019 21:36, Gert Doering wrote:

Hi,

On Thu, Apr 04, 2019 at 08:32:39PM +0200, Karl-Josef Ziegler wrote:

Also I would to remind all the community that usually what happens to
communities that cannot regulate themselves is that some outsider comes
and regulated them...

Yes, this is also my opinion. The community should do something against this 
abusive behavior.
If it isn't done by the community there might be some regulation coming from 
outside, i.e.
political entities. And I doubt that this will be the better way to handle this 
problem.

Still targeting the wrong crowd.  A few willing Tier1 ISPs would have way
more effect than all policies we do in RIPE land against a rogue ISP that
might not even *be* a RIPE member (or a member of any LIR).


Back in 2014 when I ran down a BGP hijack and approached the tier-1 
(CAIDA top 5) that enabled the hijack to take place, their response was:


"/But  as you point out - we are x. There needs to be //
//a degree of trust between us and our customer.  Also it would be highly //
//impractical to have proactive monitoring on all route changes.  But 
there //
//are certain things we block and others that we monitor of interest.  
This //

//situation is now one of them. /"

Less than a year ago I approached a tier-1 that ranked in the top 25 
about another BGP hijack.  I approached them 36 hours *after *the hijack 
took place and the response I received from their NOC was that they 
approached the hijacker (a direct customer of theirs) and the response 
from the hijacker which they forwarded to me was:


/We checked the prefixes mentioned in our network and we do not seen 
these prefixes and do not advertise to ASN  [HN: tier-1 ASN].//
//Also these prefixes are not seen in internet from our network (ASN : 
x ). [HN: ASN of hijacker]/


Of course the prefixes are not seen, since the hijack was for a few 
hours.  The tier-1 closed the case.


So if the Internet (5xRIR) could guarantee me that within a year, the 
top 100 ASNs in the Internet were filtering properly and stopping BGP 
hijacking from occurring, I would pull my support for this proposal and 
agree with you.


Regards,

Hank









Gert Doering
 -- NetMaster

Re: [anti-abuse-wg] 2019-03

[Hank Nussbacher]

On 02/04/2019 18:48, GEANTY Damien (RIC-CH) wrote:

To the moderators,

It could be that numerous people just don't want to get sucked up into 
an endless discussion about the pros and cons of this proposal and just 
want to weigh in with their feelings about whether they support the 
proposal or not.


Regards,
Hank


I support 2019-03.

Regards,

Damien Geanty
Cyber Specialist | Richemont International SA



Chemin de la Chênaie 50 | CP30 | 1293 Bellevue, Genève | Switzerland
(tel) +41227213000 | (direct) +41225811161 | (mobile) +41791385643
(email) damien.gea...@richemont.com 


© 2019 Richemont International SA. All Rights Reserved
The information contained in this e-mail message is confidential - 
please do not cross-post. This communication is intended for the use 
of the addressee(s) only. If you are not the intended recipient, you 
are hereby notified that any review, reliance, disclosure, 
distribution or copying of this communication may be prohibited by law 
and might constitute a breach of confidence. If you have received this 
communication in error, please notify us immediately and delete it and 
all copies (including attachments) from your system.

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On 24/03/2019 14:48, Sander Steffann wrote:

Hi Gert,


Now, I do share the wish to "do something!!" against BGP hijacking.

So, maybe a more workable way forward would be to change this into a BCP
("the RIPE anti-abuse community states with full backing from the RIPE
community that BGP hijacking, as defined in , is considered
unwanted behaviour") - and *then* use that on a commercial/peering basis
among transit ISPs to strengthen the message "we want *you* to filter
your customer BGP sessions, because that's the proper way to run a network!".

+1

Cheers,
Sander


Nice but probably as effective as MANRS.


Regards,

Hank

Re: [anti-abuse-wg] 2019-03 and over-reach

[Hank Nussbacher]

On 23/03/2019 13:31, Nick Hilliard wrote:

JORDI PALET MARTINEZ via anti-abuse-wg wrote on 22/03/2019 22:55:
The legal bindings of the NCC already have that for those that don’t 
follow existing policies, don’t pay bills, etc. So, the proposal is 
adding in the table a policy for confirming what is a hijack 
according to the community consensus. Same way we did for how we 
distribute resources, do transfers, etc.


Hi Jordi,

couple of things:

1. it's not the job of the RIPE NCC to make up for a short-fall of 
civil legislation in this area, no matter how distasteful we might 
find the consequences of this;
Purity of concept will result in massive gov't intervention since we 
will have shown that we don't know how to self-regulate.

The voices are already there:
https://hackernoon.com/why-the-internet-must-be-regulated-9d65031e7491
If you have an alternative solution, not even a better one, please 
suggest it.


Regards,
Hank

Re: [anti-abuse-wg] 2019-03 and over-reach

[Hank Nussbacher]

On 23/03/2019 00:19, Sander Steffann wrote:

But, this is not how to handle the problem of BGP hijacking.  Even if it had 
the slightest possibility of making any difference at a technical level (which 
it won't), the proposal would set the RIPE Community and the RIPE NCC down a 
road which I believe would be extremely unwise to take from a legal and 
political point of view, and which would be difficult, if not impossible to 
manoeuver out of.

I fully agree with Nick. BGP hijacking has to be fought, but this is not the 
way…

Exactly how successful has been MANRS - our attempt at self-regulation?

Regards,
-Hank


Cheers,
Sander

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On 22/03/2019 14:17, Piotr Strzyzewski wrote:

On Fri, Mar 22, 2019 at 11:09:24AM +, Carlos Friaças via anti-abuse-wg 
wrote:

Dear Carlos,


8. "So Legacy holders (resources with a legacy status) are for obvious
reasons, excluded for penalties and out of reach. Also according to the
policy that specifies services to Legacy holders, as this policy doesn't
state that it wants to include and impact legacy holders."

I don't agree. If you check i was one of the co-authors of 2012-07 :-)
In my initial drafts for 2019-03, there was a line about legacy holders. It
seems now clear it needs to be recovered for version 2.0 :-)

Although I have mixed feelings about this policy and haven't made my
mind yet, I wish you good luck with that one thing.
As a large legacy holder, I do not want to be excluded or exempted from 
this new policy, if accepted.


I can understand that if the legacy holder has not filed any paperwork 
with the NCC, then there is little one could do t penalized the offender.


That is where I think Jordi's comment about the direct peer also comes 
in.  Just as today when confronted with a BGP hijack and no response 
from the hijacking ASN, one approaches the direct upstream, so too the 
policy will have to set a policy on how to deal with the direct upstream 
that enables the hijack, whether it be from a legacy or a regular holder.


Regards,

Hank





Piotr

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On 22/03/2019 13:33, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

Clearly it is a matter of wording and also introducing warnings in some cases.

I have sent a text about this before:

“Direct peers allowing the hijack thru their networks will be warned the first 
time, but may be considered by the experts evaluation to be a party involved in 
case of subsequent deliberated hijacks cases“


Excellent!

-Hank





Regards,
Jordi
  
  


El 22/3/19 12:19, "anti-abuse-wg en nombre de Carlos Friaças via anti-abuse-wg" 
 escribió:

 
 On Fri, 22 Mar 2019, Sascha Luck [ml] wrote:
 
 > On Thu, Mar 21, 2019 at 11:12:02PM +0100, JORDI PALET MARTINEZ via

 > anti-abuse-wg wrote:
 >> 3) We may need to refine the text, but the suspected hijacker, in case 
of
 >> sponsored resources, is the suspected hijacker, not the sponsoring LIR
 >> (which may not even have relation to it). However, some people indicated
 >> that the direct peer should be also accountable. I think I also mention
 >> this before, one possible option is to tell the direct peer the first 
time
 >> "this is a warning report", please make sure to improve your filters.
 >
 > Now I'm confused. In another post, Carlos indicated that someone
 > who receives a hijacked prefix is a victim and here they are also
 > Bad People. I'm not sure what to think about a retributive
 > proposal that can't even keep the "victims" and the "offenders"
 > apart. In this case ("neighbours are bad") it reminds me of a UK law
 > that punishes not only an illegal immigrant but also the landlord
 > who fails to refuse to rent them a flat.
 
 Hi,
 
 The issue here might be the difference between a peering and a transit

 relationship.
 
 If hijacker Z announces prefix Y to network X. Then network X will

 route packets towards the hijacker, even if X doesn't propagate prefix Y
 any further to any other 3rd party networks.
 
 An hijacker can join an IXP and announce an hijacked prefix to one, some

 or all of the IXP's membership. In that case we will have one, some or
 many victims.
 
 Hope it is clear now.
 
 Regards,

 Carlos
 
 
 
 > rgds,

 > SL
 
 




**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On Wed, 20 Mar 2019, Ricardo Patara wrote:

If you are a victim (someone has abused your network), then just prove it 
and the policy won't apply and the hivemind will even assist you in 
cleaning your router.


Regards,
-Hank


On this line of one ISP trying to make damage to other.

One might abuse a vulnerable router (thousand out there), create a tunnel to 
it and announce hijacked blocks originated from victims ASN.


Both, victim ASN and vulnerable router owner, would be damaged and no traces 
of criminal.

How could they defend themselves to the so called group of experts?

And things in this line had happened already.

Regards,

On 20/03/2019 07:46, furio ercolessi wrote:

On Wed, Mar 20, 2019 at 11:01:30AM +0300, Andrey Korolyov wrote:



And when everything is made clear, if a report is filed against AS1, 
AS1's

holder might have a problem, so i see a strong reason for not even trying
:-)


Out of interest, take an AS1 with single malicious upstream AS2, what 
stops

AS2 to pretend that AS1 has made bogus announcements and make them for its
own purposes? This situation looks pretty real without RPKI or other
advertisement strengthening methods, as I could see. How experts are
supposed to behave in this situation?


This has been seen many times, even chain situations like

 - AS X
  \
AS 3 - AS 2 - AS 1
  /
 - AS Y

where X and Y are legitimate ISPs, while {1,2,3} is basically a single 
rogue

entity - or a set of rogue entities closely working together with a common
criminal goal.

In such a setup, AS 1 should be considered as the most "throw-away" 
resource,

while AS 3 would play the "customer of customer, not my business" role,
and AS 2 would play the  "i notified my customer and will disconnect them
if they continue" role.  When AS 1 is burnt, a new one is made - with
new people as contacts, new IP addresses, etc, so that no obvious 
correlation
can be made.  Most of the bad guys infrastructure is in AS 3 and that 
remains

pretty stable because their bad nature can not be easily demonstrated.

Whatever set of rules is made against hijacking, it should be assumed that
these groups will do everything to get around those rules, and many AS's
can be used to this end.  Since there is no shortage of AS numbers, I
assume that anybody can get one easily so they can change them as if they
were underwear.

And yes, unallocated AS's in the AS 1 position, announcing unallocated IPs,
have also been seen.  Those are even easier to get :-)

So the ideal scheme to counteract BGP hijacking should be able to climb up
the BGP tree in some way, until "real" ISPs are reached.

Nice discussion!

furio ercolessi

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On Wed, 20 Mar 2019, JORDI PALET MARTINEZ via anti-abuse-wg wrote:


Hi Brian,

I'm fine moving that thread to NCC Services and I know how complex that will be.

So, repeating my question to all the participants here:

Can we agree at least that we should not have text regarding that in the policy 
proposal under discussion (also considering Brian input)?


+1.

-Hank



I hope everybody understands my insistence on this as the authors need to have 
a clear community feeling on that for our new version.

Regards,
Jordi


El 20/3/19 10:27, "anti-abuse-wg en nombre de Brian Nisbet" 
 escribió:

   Jordi,

   > -Original Message-
   > From: anti-abuse-wg  On Behalf Of


   > I can figure several possible ways to avoid that.
   > 1) Contractual (not sure if this can be done in a policy) changes to 
indicate
   > than in case of a policy violation, the account becomes frozen immediately,
   > until actions to close the account are completed.
   > 2) A modification to the transfers policy that indicates that no transfers 
can
   > be initiated if the any of the parties are involved in an investigation 
for policy
   > violation.
   > 3) A specific policy about implications of policy violations.
   >
   > If instead of that we want explicit text about that in this policy 
proposal, that
   > means possibly a way for slowing down the process, which at the time being
   > it seems to me there is a major agreement of favor of doing something.
   > Furthermore, having explicit text here means that other policy violations
   > need to have their own way, and I think we must have a single path for
   > resolving those issues, not one for each possible policy violation case.
   >
   > Does that make sense ?
   >
   > Can we agree that it will be better to have this discussion in a separate
   > thread/policy proposal, in order to avoid this to be a show-stopper for 
this
   > policy proposal?
   >
   > Would the chairs allow that thread in this list or suggest an alternative 
WG for
   > a possible policy proposal?

   Good question, but I think that any policy dealing with changing how the NCC 
should react to policy violations will be... complex. I also don't think AA-WG 
is the right place for such a general policy. So if you, as the author, don't 
wish to insert it into your policy (and I can understand your reasoning fully), 
then I think  a separate policy, likely pointed towards somewhere like NCC 
Services would be more apt.

   I would caution that such things are likely to have a large interaction 
with/involvement of the NCC Membership, where such discussions have been very 
divided in the past. I think you and many other people are aware of this, but I 
just wanted to flag it.

   Brian
   Co-Chair, RIPE AA-WG

   Brian Nisbet
   Service Operations Manager
   HEAnet CLG, Ireland's National Education and Research Network
   1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
   +35316609040 brian.nis...@heanet.ie www.heanet.ie
   Registered in Ireland, No. 275301. CRA No. 20036270




**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On Wed, 20 Mar 2019, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

Anything that advances the current situation is better than what we have 
now.  Don't let any warts I raise be seen as a showstopper.


-Hank


Hi Hank,

El 20/3/19 9:15, "anti-abuse-wg en nombre de Hank Nussbacher" 
 escribió:

   On Wed, 20 Mar 2019, Gert Doering wrote:

   > Hi,
   >
   > On Wed, Mar 20, 2019 at 09:53:02AM +0200, Hank Nussbacher wrote:
   >>> So that's a fairly effective way to sanction abusive behaviour.
   >>
   >> The amount of time that will transpire from the time of abuse and a LIR
   >> closed and their resources withdrawn can well be in excess of a year if
   >> not two years.
   >>
   >> Is that the end result we are looking for?
   >
   > I would hope that *having* a way to sanction abusive behaviour would
   > deter criminals from doing so in the first place.  Today, not enough

   I think we have different expections from criminals.  I view the criminals
   as ones who analyze every RFC and every standard to determine where they
   can be abused or manipulated for their benefit.  A sanction that would be
   implemented 18 months later would allow the evil LIR enough time to sell
   their resources to some other LIR such that they would not lose such
   resources.

I can figure several possible ways to avoid that.
1) Contractual (not sure if this can be done in a policy) changes to indicate 
than in case of a policy violation, the account becomes frozen immediately, 
until actions to close the account are completed.
2) A modification to the transfers policy that indicates that no transfers can 
be initiated if the any of the parties are involved in an investigation for 
policy violation.
3) A specific policy about implications of policy violations.

If instead of that we want explicit text about that in this policy proposal, 
that means possibly a way for slowing down the process, which at the time being 
it seems to me there is a major agreement of favor of doing something. 
Furthermore, having explicit text here means that other policy violations need 
to have their own way, and I think we must have a single path for resolving 
those issues, not one for each possible policy violation case.

Does that make sense ?

Can we agree that it will be better to have this discussion in a separate 
thread/policy proposal, in order to avoid this to be a show-stopper for this 
policy proposal?

Would the chairs allow that thread in this list or suggest an alternative WG 
for a possible policy proposal?

If we reach the conclusion that we should go for an specific policy proposal kind of 
"sanctions in case of policy violations", I will be happy to work on that, but 
I will prefer not being alone and have other co-authors involved as well.

   -Hank

   > people care, and playing havoc with BGP (intentional or accidentially)
   > has hardly any consequences at all.
   >
   > OTOH, these are the questions that make me undecided on the proposal :-)
   >
   > Gert Doering
   >-- NetMaster
   >





**
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On Wed, 20 Mar 2019, Carlos Friaças wrote:



Hi,

To me, 1 year or even two is way better than "infinite".
(i.e. nothing happens. ever.)


True.  Agreed.

-Hank



The current lack of policy in this regard is allowing for (intentional) 
hijackers to remain associated (through the RIPE NCC Association) with other 
members.


Isn't this something we should try to change?

I honestly don't see "speed" as a critical factor, and i also hope that if 
this gets in place more networks will be able to export their routing view, 
so that global routing security improves a bit.


Of course there is RPKI, MANRS and so on, but i do believe something should 
be in place at policy level.


Best Regards,
Carlos






On Wed, 20 Mar 2019, Hank Nussbacher wrote:


On Wed, 20 Mar 2019, Gert Doering wrote:


Hi,

On Wed, Mar 20, 2019 at 09:06:11AM +0200, Hank Nussbacher wrote:

On Tue, 19 Mar 2019, Marco Schmidt wrote:

More or less I agree with the proposal.  But what happens after a LIR is
found to be violation of the policy?  RIPE NCC puts out a statement "LIR 
X

is in violation of Policy "?  So what?  How does this policy assist
stopping the BGP hijack from taking place, even if it takes 1-2 months to
handle the paperwork?


Well, that's a subtle twist of the proposal not actually spelled out - a
LIR found to be in violation of RIPE policies is breaking their contract
with the NCC (the SSA) and as such can be closed and their resources
withdrawn.

So that's a fairly effective way to sanction abusive behaviour.


The amount of time that will transpire from the time of abuse and a LIR 
closed and their resources withdrawn can well be in excess of a year if not 
two years.


Is that the end result we are looking for?

-Hank


(I haven't decided whether I think this is going to work or do harm, so
I'm not voicing support or opposition on the proposal itself)

Gert Doering
   -- NetMaster

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On Wed, 20 Mar 2019, Gert Doering wrote:


Hi,

On Wed, Mar 20, 2019 at 09:53:02AM +0200, Hank Nussbacher wrote:

So that's a fairly effective way to sanction abusive behaviour.


The amount of time that will transpire from the time of abuse and a LIR
closed and their resources withdrawn can well be in excess of a year if
not two years.

Is that the end result we are looking for?


I would hope that *having* a way to sanction abusive behaviour would
deter criminals from doing so in the first place.  Today, not enough


I think we have different expections from criminals.  I view the criminals 
as ones who analyze every RFC and every standard to determine where they 
can be abused or manipulated for their benefit.  A sanction that would be 
implemented 18 months later would allow the evil LIR enough time to sell 
their resources to some other LIR such that they would not lose such 
resources.


-Hank


people care, and playing havoc with BGP (intentional or accidentially)
has hardly any consequences at all.

OTOH, these are the questions that make me undecided on the proposal :-)

Gert Doering
   -- NetMaster

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On Tue, 19 Mar 2019, Marco Schmidt wrote:

More or less I agree with the proposal.  But what happens after a LIR is 
found to be violation of the policy?  RIPE NCC puts out a statement "LIR X 
is in violation of Policy "?  So what?  How does this policy assist 
stopping the BGP hijack from taking place, even if it takes 1-2 months to 
handle the paperwork?


Regards,
Hank


Dear colleagues,

A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy 
Violation", is now available for discussion.

The goal of this proposal is to define that BGP hijacking is not accepted as 
normal practice within the RIPE NCC service region.

You can find the full proposal at:
https://www.ripe.net/participate/policies/proposals/2019-03

As per the RIPE Policy Development Process (PDP), the purpose of this four-week 
Discussion Phase is to discuss the proposal and provide feedback to the 
proposer.

At the end of the Discussion Phase, the proposers, with the agreement of the 
Anti-Abuse WG co-chairs, decide how to proceed with the proposal.

We encourage you to review this proposal and send your comments to 
 before 17 April 2019.

Kind regards,

Marco Schmidt
Policy Officer
RIPE NCC

Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On Tue, 19 Mar 2019, Ronald F. Guilmette wrote:

+1.

-Hank



In message ,
Marco Schmidt  wrote:


You can find the full proposal at:
https://www.ripe.net/participate/policies/proposals/2019-03


Anyway who knows the first thing about me will know that I'm
strongly in favor of the general thrust of this proposal,
generally speaking.  In fact I would only want to quibble
with a few of the finer points of the implementation details.

With respect to those, I'd like to see there be a bit more
formality (in the specification of the adhjudication procedures),
and a bit less (mandated) fooling around before any particular
"deliberate" hijacker can be formally and finally kicked to
the curb.

I have a lot of thoughts about how all this could be and should
be structured and operated, but I don't want to bring in too
much of that fine detail at this point in the discussion for
fear that it might obscure the more fundamental question on the
table, which is simply whether or not this is a good idea gnerally.
(I personally think that it is.)  So for now I'll just say that
I think this proposal is on the Right Track generally, and that
I think that it can be and should be revised and evolved to make
all of the adjuducation procedures transparent, faster, and yet
still unarguably fair to those accused.

Mostly, I personally would like to see the time frames specified
in the current draft tightened up (i.e. reduced) generally, and
the entire process streamlined somewhat.  These are not capital
murder cases we are talking about after all!

Specifically, I think that it should be adequate to have there
be a period of *no more than* two weeks, during which the case is
argued, by both the accused and (perhaps) by an NCC staff member
presenting the case for the prosecution, all in front (via email)
of a smallish set of adjuducators (perhaps five, chosen by random
lots) after which there should be a period of *no more than* one
week of deliberation, and then a final judgement and report.  And
lastly, after that, I think that it would be more than sufficient
if there were only one avenue of appeal, which would be to the
RIPE Board, which would be required to decide any appeal within
*no more than* four weeks.

In practice, I think that even these time frames will, in the end,
be seen to have been excessively and pointlessly generous in virtually
all actual cases.  I am thinking back on all of the cases I have seen
of deliberate hijacks, and there have been many of those.  None of
those cases was really very ambiguous at all, and none of them would
have required more than a day or two, once all of the facts were
gathered, to persuade any reasonable and knowledgable observer of
the truth of what had happened and/or its clearly deliberate nature.
Nor would any of those who had been caught red handed pulling this
kind of nonsense ever be at all likely to appeal from the obvious
facts.  But due proces is never something to be dispensed with lightly,
and we should not do so in this instance.  Thus, I agree that it *is*
necessary to have a formal and fair process, including a right of
appeal.  I just hope that it can be moved along at a rather more
rapid pace (even in the worst case) than what the proposal at hand
is currently calling for.


Regards,
rfg

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Hank Nussbacher]

On Tue, 19 Mar 2019, Richard Clayton wrote:

I see this as a start.  This is proposing a radical change in our way of 
handling IP hijacking from today.  Perhaps after a few years where people 
see that the Internet hasn't died and there is a vast reduction in BGP 
hijacks, we can then go to handle AS hijacking as well as unallocated IP 
address hijacking.  Maybe what is being proposed will not work and will 
have no affect of the hijackers.  Lets try it for 2 years in a limited 
capacity and if successfull, we can always have a v2 or v3 which expands 
the scope to cover other issues.


Regards,
Hank



In message , Marco Schmidt
 writes


The goal of this proposal is to define that BGP hijacking is not accepted as
normal practice within the RIPE NCC service region.

You can find the full proposal at:
https://www.ripe.net/participate/policies/proposals/2019-03




The announcement of unallocated address space to third parties is also
considered a policy violation and is evaluated according to the same
parameters.



This is going to be somewhat challenging ... since there are a
substantial number of well-known (and generally non-abusive entities)
who are announcing unallocated address space, and in many cases they
have been doing so for years on end.

I understand there is a mixture of long term disputes about allocations;
failures to keep contact addresses up-to-date (so that allocations are
withdrawn) and doubtless also intentional usage of resources that have
not been allocated.

Geoff Huston publishes a list on a daily basis:

   http://www.cidr-report.org/as2.0/#Bogons

For the avoidance of doubt, I think it is most undesirable that any
prefix appears on the list -- but I am pragmatic enough to accept that
there are significant difficulties in dealing with the complexities
which are behind those announcements.


BTW: Geoff Huston's data gathering exercise also identifies the usage of
AS numbers that are not currently allocated. Again, much of this usage
is very long standing and failure to "grandfather it in" in some manner
is likely to cause a substantial workload and the deeming of many
legitimate companies to be in breach of RIPE norms -- which is going to
tend to make the impact of the policy rather less than might be hoped.

That all said -- why does the proposed policy not address the misuse of
AS numbers as well as the misuse of prefixes ?

Re: [anti-abuse-wg] [db-wg] objection to RIPE policy proposal 2016-01

[Hank Nussbacher]

On Sun, 28 Feb 2016, Ruediger Volk wrote:

As someone with legacy space (and who takes issue with RIPE NCC about 
certain policies) I have no problem with abuse-c.  I defined it ages ago 
on all inetnums because that is the right thing to do.


-Hank



Dear colleagues,

I object to passing the policy as proposed.
There is no serious need for the policy,
and at this time and under curent circumstance it would
actually be harmful.
I believe that the supposed good intentions would be better
served by other actions, and the policy focussing on enforcement
is ill advised.

I understand that the current implementation of the RIPE database allows
legacy holders to enter abuse-c attributes for their legacy resources
if that's currently not possible the required extension of the database
should be discussed (in the approprioate wg) and implementation would NOT
require the PDP (as more drastic changes have been done to the database
- and that extension hardly would contradict existing policy).
No PDP is needed to send friendly invitations to legacy holders to populate
their data objects with abuse-c information;
I'm sure asking the RIPE NCC to do this would not create an undue burden
or serious problem.

Enhancing the invitations with some additional information potentially
helpful to the recipients could be considered too:
- some hints/guidance about expected use and support of that mailbox
 (active members of the abuse handling community probably will NOT be the
 typical recipient! and no injuries are expected if any community member sees
 that information:-)
- specific suggestions what to put into the abuse-c field
 (whatever the RIPE NCC might use to extrapolate abuse-c from existing data)
The working group should contribute helpful information to be included.

I'm quite certain running a second invitation campaign would be even less
of a problem and effort for RIPE NCC; I cannot predict how much the information
provided in a later campaign can be improved based on feedback and experience
from an earlier one.

You may argue, that such more friendly approach could have been used also
earlier - and I would very much agree and I certainly complained and
suggested that at least the forced population of missing abuse-c should
be postponed until friendly information was made available.

Now we do NOT HAVE TO repeat past errors...
Specifically with legacy resource holders it would be a good idea
for RIPE community and NCC to address them with an inviting and
helpful approach; as there is a sad history of seemingly coercive
and unfriendly communications towards legacy holders.

REPEATING the error now - even considering the much lower number of
relevant records - is however actually MORE SERIOUS in DAMAGING
the CREDIBILITY of the working group (and as a consequence the RIPE NCCs
position) because of the accumulated history.
Repeated requests for information on supposed use und handling of abuse-c
has been answered by pointing out that it is required by a policy
that was consciously created without any such information.
The new policy proposal painfully fits into the sad observation that
the anti-abuse working group as a community has constantly
put effort into enforcing creation and population of abuse-c data
but not (even tried) to provide to the rest of the world helpful
explanations on requirements and expected handling at the requested mailboxes.
That observations leads to the question whether the community is not able to
come up with some helpful explanation or whether it does not care... :-(
In both cases asking for enforcement does seem neither appropriate
nor acceptable and means that the request cannot be taken serious
- bad for the perception of RIPE and RIPE NCC activety by parties
that are not heavily involved in the community processes.
Consider the typical person confronted with a request to define abuse-c:
how deeply is he involved with the anti-abuse working group
(where a common understanding might exist - I consider myself only occassional
observer and not a member and don't know)?

Trying to close more quickly and on a more constructive perspective
let me skip to elaborate here on my judgement:
at close inspection the rationale and arguments look quite broken.

The policy content does actually not matter that much - look for a sketch of
a potential harmless implementation approach above in this message.
What matters is appropriate use of the PDP (it can be abused!!!)
and what are good goals of the working group and good ways of achieving them.

The assumed good goals (as I understand it) are
(a) improving quality of abuse-c information in order to
(b) improve abuse reporting and report handling processes and
(c) extending the abuse-c coverage for Internet number resources
   in the RIPE NCC registry

The policy proposal references (a) and (b) quite explicitly;
I took the liberty to interpolate (b) which actually seems to be the
primary goal, and it looks like the working group decided that this