Hi Töma,

On 23/3/19 13:25, "anti-abuse-wg on behalf of Töma Gavrichenkov" <anti-abuse-wg-bounces@ripe.net on behalf of ximaera@gmail.com> wrote:

> Hi all,
>
>> A new RIPE Policy proposal, 2019-03, "BGP Hijacking is
>> a RIPE Policy Violation", is now available for discussion.
>
> Sorry if the issues I'm raising were already addressed somewhere around the thread. As of now, I believe it's the size of an average fiction book, and I don't quite have enough time to read that.
>
> I also apologize now in advance for abstaining from the discussion at some point in the future, because in quite the same fashion I won't be able to read unnecessarily (and sometimes I believe deliberately) long responses. Whoever is planning to win a consensus through exhaustion is going to win that anyway.
>
> With that in mind,
>
> 1. As of now, the draft looks like a nice example of a "document designed by a committee". It's too strict where there's no real need to be strict, and at the same time too weak where you don't expect it to be weak. E.g. 4 weeks to report + 4 weeks to investigate + 2 weeks for an appeal give us a solid 10 weeks for an attack to stay there, which is, to put it gently, a substantial amount of time.

Our intent is to "stop" the attack with the claim (not efficient at all), but to allow it to be reviewed in order to avoid it in the future, if possible from the same actors. The timing that we described is the "maximum"; maybe we need to add that word in every part of the text that talks about timing. I think this provides sufficient time to cover even complex cases.

Now, if the community believes that 4 weeks is too much to investigate even a more complex case and 2 weeks too much for the hijacker's response, I'm happy to drop both by half, if Carlos agrees as well.

> 2. OTOH the ultimate result (membership cancellation) may be seen as a very heavy punishment.

I mentioned this before in a couple of emails, and I'm more and more convinced that a warning is needed, at least in doubtful cases, before reporting for a membership cancellation.

> In fact, in theory this policy could make things worse. Most of the ISPs are very slow in applying security updates to their equipment, including border routers. (Also, vendors themselves are not quite keeping up as well.)
>
> Now, say, I'm an ISP who really wants to push my competitor out of business. With this policy, here's a sequence of steps that will win you the market:
>
> - hire a script kiddie who will break into that company's Mikrotik;
> - announce roughly half of the IPv4 address space through that breach just for it to be surely on the news;
> - relax and enjoy watching your competition disappearing in no later than 2,5 months.
>
> While I would, in my perfect dream, personally support the idea of cancelling an LIR membership for not updating one's devices at least on a weekly basis, I don't really think this is what the authors of the draft were going to propose, and I know quite a few people, Randy Bush for starters, whom the authors, to put it mildly, won't probably be able to convince.
>
> The example by Warren also deserves attention, and I personally don't really anticipate that "won't be too hard to figure out", because frankly we're in fact yet to see the hijacking attempts where an attacker would be deliberately trying hard to hide their identity.
>
> 3. If I were to design that process, I'd put it in a different way, e.g.:
>
> - 2 business days to find experts. Really, four weeks for that?! Yes, we know that the NCC isn't the most dynamic organization out there, but with a pre-populated pool of experts at the current rate of hijacking incidents reported to the public that shouldn't really be an issue.

In the actual text there is no time to find the experts. The first 4 weeks are to select the experts (from a pool already known) and provide the report.

> - 3 business days to investigate and prepare a preliminary report. Another 5 business days to continue the investigation if necessary, with another report at the end. Maybe a third iteration if necessary. Immediate membership suspension at the end if the experts decide it's necessary to do so now.

So, it is in total, up to here, what I just said: about 2 weeks instead of 4.

> - A grace period of 8 weeks for the suspected hijacker to collect further evidence and provide additional arguments to justify their position.

I think that's too much. He will get a notice once the case is reported, so he already has the same time as the experts to collect whatever information, and then either 1 or 2 additional weeks after the experts' report.

> - An appeal phase of another 8 weeks with the ultimate decision and, where necessary, membership termination in the end.

We have now in total 6 weeks here (2 weeks to file an appeal, 4 more weeks for the next group of experts to reply).

> All the numbers above are rough estimations; they are only there to showcase the idea:
>
> - the reaction to *mitigate* should be immediate;
> - the reaction to *penalize* should allow for a large enterprise — or a large ISP! — to keep up.

If, once the report is filed, the suspected hijacker gets a notification, he has the chance (if the hijack is still "live") to mitigate it.

> --
> Töma

**********************************************
IPv4 is over
Are you ready for the new Internet?
http://www.theipv6company.com
The IPv6 Company