Re: [anti-abuse-wg] Co-Chair selection
Hi, > Brian is willing to accept his nomination. Tobias and I are happy to continue > to work with him. It would be great to hear from you if you support Brian as > well. Definitely! Sander -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] RIPE NCC Anti-Abuse Training A Reality!
Hi, Amazing! Thanks to all involved ❤️ Cheers, Sander > On 3 Feb 2023, at 11:13, Brian Nisbet wrote: > > Colleagues, > > After much hard work by both the RIPE NCC Learning and Development Team and > members of this Working Group, the Anti-Abuse training is now a reality! The > training is primarily intended for new LIRs and those who are planning to set > up an abuse desk, but there's likely something in there for a lot of people. > > The first webinar was held recently and the whole thing is now available here: > > https://www.ripe.net/support/training/webinar-recordings/webinar-anti-abuse-training/ > > The content has undergone a couple of slight revisions since then and it will > be rerun in Q2 of this year. We would encourage you all to spread the word to > those for whom it would be useful to try to make the world a better place for > Internet users! > > Thanks again to all who were involved! > > Brian > Co-Chair, RIPE AA-WG > > Brian Nisbet (he/him) > Service Operations Manager > HEAnet CLG, Ireland's National Education and Research Network > 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland > +35316609040 brian.nis...@heanet.ie www.heanet.ie > Registered in Ireland, No. 275301. CRA No. 20036270 > -- > > To unsubscribe from this mailing list, get a password reminder, or change > your subscription options, please visit: > https://lists.ripe.net/mailman/listinfo/anti-abuse-wg -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] Potential New Chair: Introduction & Next Steps
Hi Markus, > Thank you Brian for the introduction and thank you all for supporting Brian's > "out of cycle" proposal. > > My name is Markus de Brün and I am a computer scientist working for the > Federal Office for Information Security in Germany (better known as BSI). > BSI is home of the national CERT and one of the main distributors of abuse > reports in Germany. Though I am not part of the CERT itself, my job involves > establishing contacts to internet operators and discussing current topics of > interest. This - from time to time - includes discussions on abuse handling, > e.g. how ISPs relay our abuse reports to their customers. > Some of you may know me or at least have seen me at a RIPE meeting of which I > attended most since RIPE62. > > If you as a working group do not have any objections, I would be happy to > support Brian and Tobias. I have no objection at all :) I'm happy to see people volunteering to share the workload of chairs! Cheers, Sander -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Re: [anti-abuse-wg] About "consensus" and "voting"...
Hi Randy, >> Otherwise we change the way the working Groups works it will remain >> unchanged for ever. I agree that we must get a way to vote or another >> democratic way to get decisions. > > the goals of the ripe community are stewardship and cooperation, not > voting, deciding, and "getting things done." you can look at the > current us govt for a great example of why not. > > if we can not come to consensus on something, then we are patient. > and that's ok. we move as a cooperative community and that takes > time. > > yes, this becomes more complex as the community scales and becomes > more diverse. and we want diversity and wide representation. so > ever more patience is needed; not the means to rush to judgment. > > for a large segment of the community, and that which was pretty much > the original population, there is an underlying physics and shared > experience of moving packets, routing, circuits, bgp, ixen, ... that > gives us a common experience and understanding. > > as we become more diverse, the physics of that shared experience and > understanding weakens. so cooperative/consensus decision making is > more complex and takes longer. welcome to a larger and mode diverse > community. this is good. > > but we are stewards of one internet. > > it took eight, yes eight, years for me to get the ietf to change a > constant from 4k to 64k (rfc 8654). so my sense of urgency may be a > little different than that of others. Thank you for writing this down so clearly, Sander signature.asc Description: Message signed with OpenPGP
Re: [anti-abuse-wg] RIPE NCC Report: Law Enforcement Agency Requests 2019
Hi, > We have published a transparency report that details the nature > of the requests we received from Law Enforcement Agencies in 2019. > > You can find the report at: > https://www.ripe.net/publications/docs/ripe-740/ I see a small contradiction in there. At the beginning it is stated that "The number of requests increased slightly from 2018 due to mainly the fact that the RIPE NCC received repeated requests for the same type of information from the same party in the United States.". However, when looking at the numbers per country at the bottom the United States submitted 38 requests in 2019 and 39 in 2019. So that doesn't seem to explain the slight increase. It looks more like the 6 requests from Germany (compared to 1 the year before) and some other requests from different places have caused the increase. Not that it's that important, but I feel it would be more appropriate to just state "The number of requests increased slightly from 2018" and leave it at that. Cheers, Sander signature.asc Description: Message signed with OpenPGP
Re: [anti-abuse-wg] Periodic Reminder: List Conduct
Hi, > I understand perfectly the concerns of those colleagues who actually want to > promote a better responsible behaviour and ensure the resources allocated to > the LIR-s are not abused or there is an effective mechanism to stop abuse. > However, as the chair kindly pointed, RIPE policy development follows certain > rules: https://www.ripe.net/publications/docs/ripe-710 which in first part of > the document clearly states: "Conclusions are reached by consensus." > According to Oxford Dictionary, consensus means an opinion that all members > of a group agree with. It's "rough consensus", and it is all about the arguments. 1000 people supporting something doesn't imply rough consensus, and neither does a single person make or break rough consensus. It's the arguments that count, not the number of people expressing them. > I standby my previous comment: the community (of RIPE) has grown encompassing > legitimate business but also abusers who have become part of that community. Abusing the process would be to ignore or distort other people's arguments. Anybody who is debating arguments for or against a proposal is a perfectly valid participant. > Given the previous two points, it is rather clear that we have, in effect, > lost the control. Only if you don't keep track of each other's arguments and respect that not everybody has the same ideas :) Sander signature.asc Description: Message signed with OpenPGP
Re: [anti-abuse-wg] On +1s and Policy Awareness AND Astro... something...
Hi Ronald, > Given what you've just said, I don't think that it would be accurate > to say that I am an uneuqivocal supporter of the present -process- > for adopting RIPE policy proposals. In fact, quite the contrary. > My hope would be that if working group `X' endorses some policy which > could potentially have far ranging implications for the whole membership > then -all- of the parties affected should have some voice in the policy > adoption process. And if that is not currently how things work, then > it is, in my estimation, sub-optimal. There are several moments in the process where the world outside the working group is notified. There is a dedicated mailing list for that: https://www.ripe.net/ripe/mail/archives/policy-announce/. And although the RIPE NCC doesn't have any special status in policy development, they do provide the working group with an impact analysis at the beginning of the review phase of the PDP. Any potential problems can then be addressed in the working group. So instead of the working group sending a recommendation to the NCC, we do it the other way around. I personally strongly prefer this model because it bases consensus on the arguments from the wider community. Cheers, Sander signature.asc Description: Message signed with OpenPGP
Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Hi Gert,
> Now, I do share the wish to "do something!!" against BGP hijacking.
>
> So, maybe a more workable way forward would be to change this into a BCP
> ("the RIPE anti-abuse community states with full backing from the RIPE
> community that BGP hijacking, as defined in , is considered
> unwanted behaviour") - and *then* use that on a commercial/peering basis
> among transit ISPs to strengthen the message "we want *you* to filter
> your customer BGP sessions, because that's the proper way to run a network!".
+1
Cheers,
Sander
signature.asc
Description: Message signed with OpenPGP
Re: [anti-abuse-wg] 2019-03 and over-reach
Hi, > The aim of the 2019-03 proposal, as far as I understand it, is to grant the > RIPE NCC the authority to make formal judgements about alleged abuse of > network resources with the implicit intention that unless the party involved > ends the alleged abuse, the RIPE NCC would enforce the judgement by LIR > shutdown if the alleged infringer were a member, or refusal to provide > service if the alleged infringer were not. > > There are several aspects of this proposal that are pretty disturbing, but > the two that jump out are 1. over-reach by the RIPE Community, 2. > encroachment into the arena of supranational law enforcement. > > I'm not going to go into the technical content of the proposal, despite the > fact that I don't believe it would have any impact whatever on dealing with > the problem of hijacking. Limited companies can be registered for tiny > amounts of money, and it's naive to believe that any actor who is dishonest > enough to engage in persistent bgp hijacking would think twice about > switching from one company to another in a heartbeat, in order to avoid the > consequences of a policy like 2019-03. > > Regarding over-reach, the RIPE NCC was instituted as a numbering registry and > as a supporting organisation for the RIPE Community, whose terms of reference > are described in the RIPE-1 document. The terms of reference make it clear > that the purpose of the RIPE Community and the RIPE NCC is internet > co-ordination and - pointedly - not enforcement. Proposal 2019-03 goes well > outside the scope of what the RIPE Community and the RIPE NCC were > constituted to do, and I do not believe that the Anti Abuse working group has > the authority to override this. > > The second point relates to the long term consequences of the proposal. If > the RIPE Community were to pass this policy, then it would direct the RIPE > NCC to act as both a judiciary and policing agency for internet abuse. > Judgement and enforcement of behaviour are the competence of national > governments, courts and law enforcement agencies, not of private companies. > If the RIPE NCC starts encroaching in this territory, it should expect > national governments and law enforcement agencies to start taking an active > interest in taking control. This scenario would not be beneficial to the > RIPE Community. > > There are other pile of other considerations here, not least whether the RIPE > NCC would have any legal jurisdiction to deregister resources where it had > determined "abuse", and what the legal liability of the company would be if > it were determined that they didn't have jurisdiction to act. > > I don't question the motives of the authors of this proposal - neither of > them has anything but the best of intentions in mind. Regarding BGP > hijacking in general, I've been involved in attempting to deal with many > hijackings over the years and am as frustrated as anyone. Like many other > people in this community, I have also spent a lot of time and effort trying > to deal with the problem from a practical point of view, both in terms of > tooling and deployment standards for IXPs and service providers. > > But, this is not how to handle the problem of BGP hijacking. Even if it had > the slightest possibility of making any difference at a technical level > (which it won't), the proposal would set the RIPE Community and the RIPE NCC > down a road which I believe would be extremely unwise to take from a legal > and political point of view, and which would be difficult, if not impossible > to manoeuver out of. I fully agree with Nick. BGP hijacking has to be fought, but this is not the way… Cheers, Sander signature.asc Description: Message signed with OpenPGP
Re: [anti-abuse-wg] regarding proposal 2017-02
Hi Jasper, > Furthermore: > Since you are stating in the rationale “If organisations are not cooperative, > the RIPE NCC ultimately has the possibility to close their RIPE NCC > membership and deregister their Internet number resources”. This ultimate > possibility is not described in the current policy (ripe-563) and maybe part > of the overarching agreements. > Do the overarching agreements contain notification standards and timelines? > If not, do these need to be incorporated in the amended ripe-563? That would be https://www.ripe.net/publications/docs/ripe-676: "Closure of Members, Deregistration of Internet Resources and Legacy Internet Resources". A short summary by a non-legal person (me): Violating a policy would be covered under "1.2.1. Termination with a Three-Month Notice Period" which includes "1.2.1.1 Violation of RIPE Policies and RIPE NCC Procedures". The procedure includes sending an email to the registered contacts every 30 days until the problem has been resolved. If it hasn't been resolved after 60 days a postal notification is also sent. If it hasn't been resolved after 90 days the LIR is closed. Cheers, Sander signature.asc Description: Message signed with OpenPGP
Re: [anti-abuse-wg] AS201133
Hi Ronald, > Which LIR issued AS201133? > > Is this supposed to be some sort of a secret? Not really, it is documented in the RIPE database. Here is how you can find it: First search the database for the AS: https://apps.db.ripe.net/search/query.html?searchtext=AS201133 There you see the AS with the sponsoring LIR: sponsoring-org: ORG-LE44-RIPE If you look up that organisation you get the LIR: https://apps.db.ripe.net/search/lookup.html?source=ripe=ORG-LE44-RIPE=organisation Which is "Lir.bg EOOD" in Bulgaria. > If so, could someone please tell me where I need to go, or who I > need to talk to in order to learn the secret handshake necessary > to find out how this AS came into being and/or who vouches for the > legitimacy and authenticity of its current owner? No secret handshake required :) > P.S. I've never been very good on geography, so maybe someone can straighten > me out on that score also. > > The last time I looked, Belieze was not actually within the RIPE geographic > region. Was there some rather significant continental drift while I was > sleeping? Not that I can see, but maybe that company from Belize has some presence in our service region. The AS seems to be maintained by Verdina LTD in Belize. What I can see from their website suggests they offer dedicated server hosting with up to 10Gbit/s dedicated connectivity. Maybe they host part of their servers in Bulgaria? I don't know, but that isn't impossible. Cheers, Sander signature.asc Description: Message signed with OpenPGP using GPGMail
Re: [anti-abuse-wg] [db-wg] objection to RIPE policy proposal 2016-01
Hello Denis, > Sorry Elvis but you are neither a software engineer nor a regular user > inputting data into the RIPE Database. So your unsubstantiated statement of > 'poor' does not carry much weight. Excuse me, but you do not get to decide that a fellow working group member's contribution does not carry much weight. That is the working group chairs' job when deciding on consensus, and from experience I know that even the chairs only do that in very rare circumstances. Consensus is based on content and supporting arguments, not on whether you judge somebody worthy... Cheers, Sander signature.asc Description: Message signed with OpenPGP using GPGMail
Re: [anti-abuse-wg] [routing-wg] [db-wg] Solving the issue of rogue ROUTE objects in the RIPE Database
Hi Tim, >> STEP 3: continiously check if the block is allocated in the foreign RIR >> database, if no longer, delete the route-object from RIPE's IRR db. > > We share concerns raised by Job. We believe this adds a lot of complexity to > the implementation, and introduces an unacceptable risk of deleting the wrong > objects. Furthermore we believe that this step is not necessary if we > implement step 5 (below). So what happens to route objects referring to de-registered stuff in other databases? If nobody cleans it up manually we keep objects with dangling pointers in our database? I understand that automatically deleting them would be risky as e.g. an unexpected change in a remote database might cause us to think the object has been deleted there etc. Maybe a nice idea if all RIRs publish a timestamped list of de-registered/reclaimed resources in a common format? :) Anyway: maybe something to look into to prevent garbage from accumulating in our own database. > It will obviously require work. Very rough initial estimates indicate it can > take up to a few months. We can refine these estimates if and when we have a > clear consensus on a go-ahead. Thanks, always good to get an estimate from the authoritative source ;) Cheers! Sander
Re: [anti-abuse-wg] WHOIS (AS204224)
Hi Roland, > The old saying is "The best is the enemy of the good". Validation and/or > verification of RIPE WHOIS data can be improved, even though any system > which attempts to do so most probably cannot be made foolproof. Ok > No. You're still thinking in terms of constructing an iron-clad and > absolutely foolproof system that utterly prevents all fraud. I'm > suggesting a system with vastly less ambitious goals, one which would > simply check that the voice phone number for a given person or entity > listed in the RIPE WHOIS db *isn't* simply disconnected, out-of-service, > the number of a FAX machine, the number of a company or individual whose > identity has been stolen, or the number of an unrelated brothel in > Amsterdam. That alone would be a vast improvement over the current > status quo, I think. Agreed > Similarly, in the case of mailing addresses, either RIPE NCC or the LIRs > could check the data base of one of the aforementioned service bureaus > that serve that mailing industry, to see if the addresses in RIPE WHOIS > records even exist. A clever crook will still put in the address of > some vacant lot somewhere, or maybe his local meat market or police > station, but at least we wouldn't be looking at "123 Galaxy St., Mars, > The Universe" and such utter nonsense as that. NASA is going to be so disappointed ;) But seriously: I agree >> My apologies. I didn't mean to imply that accuracy of the RIPE DB is a >> mere detail. That accuracy has been the reason behind quite a few >> policies! I meant to say that policy doesn't contain implementation >> details. The way a policy is implemented is left to the RIPE NCC. The >> policy just says that contact information has to be up to date. > > I want to understand. Are you saying that RIPE NCC could unilaterally > just decide to start performing phone verification of contact points > listed in the WHOIS data base? It probably would need a mandate from its members to approve the extra budget for implementing those checks etc. But I don't see why they couldn't. > Even for amateur sleuths such as myself, every additional data point > helps during an investigation. The example of AS204224 is illustrative. > If I knew for certain that someone had positively validated the phone > number when that AS has been assigned in July, then I would also know, > almost to a moral certainty, that the company itself, and not some > identity thief, was the party engaged in the recent routing hanky > panky. Understood > You are thinking about formal, government-held business records. I myself > am not. Official government business records, when available, are helpful > to investigations. But if they aren't available, then they aren't, and > that's all there is to it. You work with what you have. +1 > OK. I promise not to attach too much value to a validated phone > number. Seriously, I agree with you that checking the phone number > isn't a panacea, but it's better than nothing. Glad we're agreeing :) > I apologize. You are correct, That comment on my part was utterly > uncalled for, and I would very much like to retract it. Consider it retracted :) > But I hope that you understand my sensitivity. I do. Sometimes when discussing difficult subjects the wording can get a bit too strong. I can deal with that, and I know you have good intentions. I now understand your ideas better, and understand that you are looking for a first step in improving the database accuracy. Not looking for a complete solution as I was :) I think we reached the point where we should ask the RIPE NCC on their opinion on this and to see what they think is doable. Cheers, Sander
