Hi all,
A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy Violation", is now available for discussion.
Sorry if the issues I'm raising were already addressed somewhere in the thread. As of now, I believe it's the size of an average fiction book, and I don't quite have enough time to read that. I also apologize in advance for abstaining from the discussion at some point in the future, because in quite the same fashion I won't be able to read unnecessarily (and sometimes, I believe, deliberately) long responses. Whoever is planning to win a consensus through exhaustion is going to win it anyway.

With that in mind,

1. As of now, the draft looks like a nice example of a "document designed by a committee". It's too strict where there's no real need to be strict, and at the same time too weak where you don't expect it to be weak. E.g. 4 weeks to report + 4 weeks to investigate + 2 weeks for an appeal give us a solid 10 weeks for an attack to stay in place, which is, to put it gently, a substantial amount of time.

2. OTOH the ultimate result (membership cancellation) may be seen as a very heavy punishment. In fact, in theory this policy could make things worse. Most ISPs are very slow in applying security updates to their equipment, including border routers. (Also, vendors themselves are not quite keeping up either.) Now, say I'm an ISP who really wants to push my competitor out of business. With this policy, here's a sequence of steps that will win you the market:

- hire a script kiddie who will break into that company's Mikrotik;
- announce roughly half of the IPv4 address space through that breach, just so it's sure to be on the news;
- relax and enjoy watching your competition disappear in no more than 2.5 months.
While I would, in my perfect dream, personally support the idea of cancelling an LIR membership for not updating one's devices at least on a weekly basis, I don't really think this is what the authors of the draft were going to propose, and I know quite a few people, Randy Bush for starters, whom the authors, to put it mildly, probably won't be able to convince. The example by Warren also deserves attention, and I personally don't really anticipate that it "won't be too hard to figure out", because frankly we have in fact yet to see hijacking attempts where an attacker would be deliberately trying hard to hide their identity.

3. If I were to design that process, I'd put it a different way, e.g.:

- 2 business days to find experts. Really, four weeks for that?! Yes, we know that the NCC isn't the most dynamic organization out there, but with a pre-populated pool of experts, at the current rate of hijacking incidents reported publicly, that shouldn't really be an issue.
- 3 business days to investigate and prepare a preliminary report. Another 5 business days to continue the investigation if necessary, with another report at the end. Maybe a third iteration if necessary. Immediate membership suspension at the end if the experts decide it's necessary to do so now.
- A grace period of 8 weeks for the suspected hijacker to collect further evidence and provide additional arguments to justify their position.
- An appeal phase of another 8 weeks, with the ultimate decision and, where necessary, membership termination at the end.

All the numbers above are rough estimates; they are only there to showcase the idea:

- the reaction to *mitigate* should be immediate;
- the reaction to *penalize* should allow for a large enterprise — or a large ISP! — to keep up.

-- Töma