Brian Nisbet wrote:
Well, this is where we keep on coming back to in this conversation. There are clearly those who wish for the validation to go much further and others who do not wish it to happen at all. Threading that line is proving tricky. I, personally, do not see how the ARC could scale for this process.
This goes back to fundamentals. What's happening here is that a set of metrics was talked about at previous RIPE meetings, namely a requirement for organisations wanting to be able to contact the actual holders of address space. This morphed into a more vague aspiration, described in the text as "improving the trust and safety of the IP address space".

It was made clear that although this aspiration was binding on RIPE NCC resource holders, the same standards wouldn't apply to ERX holders because:

"Legacy resource holders they would of course not be directly impacted but our assumption is if you are a legacy resource holder you are also committed like any other members of the community to the same objective of safety accountability and trust in the IP space, therefore you would establish your IP ‑‑ abuse contact and you would monitor it. That is the only answer we could come back with."

(From https://ripe75.ripe.net/archives/steno/37/)

The RIPE NCC have proposed a solution which apparently performs basic validation of whether the email address looks valid and (I assume) whether the SMTP MX host immediately rejects it. If for some reason this test fails, then the RIPE NCC is being explicitly instructed by the community that it's ok to deregister resources. It would be fair to say that loss of IP addressing resources would for most companies create an immediate and fundamental threat to their continued ability to operate.

There are several fundamental problems with this proposal:

1. poorly specified metrics
2. mismatch between the assumed background aims and the validation proposals
3. lack of proportionality

I talked about the first two issues in my email of last week, but the proportionality issue is what really bothers me. Any reasonable policy should be defined on the basis that the punishment should match the crime, but this is jarringly not the case here. Instead what we have is:

- the policy is based on a hazily defined objective.
- the rationale for excluding ERX holders applies just as much, if not more, to RIPE resource holders. In other words, the authors of the policy have explicitly shot their own arguments in the foot.
- the validation mechanism performs only a basic syntactic validation of the email address rather than a semantic validation of whether it ends up on the desk of an organisational contact who can act as an actual abuse management contact.
- despite all of this, in the case of validation failure, the RIPE NCC is being explicitly told that it is being given the mandate to pursue a course of action which could result in an organisation ceasing to operate.

This is not, as has been suggested at the last AAWG meeting in Dubai, a case of whether the RIPE community is able to determine RIPE community policy. The core issues here are proportionality and over-reach. I have no problem with abuse-c validation, either via ARC, or the mechanism proposed in this policy, and probably not via a range of other mechanisms either. But threatening to terminate the right of an organisation to continue to exist in the case of non-compliance of the terms specified in 2017-02 is frankly absurd.

Nick