Hi Sascha,

On 22/3/19 12:07, "anti-abuse-wg on behalf of Sascha Luck [ml]" <anti-abuse-wg-bounces@ripe.net on behalf of aawg@c4inet.net> wrote:

> On Thu, Mar 21, 2019 at 11:12:02PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
> > 3) We may need to refine the text, but the suspected hijacker, in case of sponsored resources, is the suspected hijacker, not the sponsoring LIR (which may not even have relation to it). However, some people indicated that the direct peer should be also accountable. I think I also mentioned this before, one possible option is to tell the direct peer the first time "this is a warning report", please make sure to improve your filters.
>
> Now I'm confused. In another post, Carlos indicated that someone who receives a hijacked prefix is a victim and here they are also Bad People. I'm not sure what to think about a retributive proposal that can't even keep the "victims" and the "offenders" apart.

I don't think I've said that if it is really a victim. I know my English is bad, but not so terrible!

A direct peer I mean here is the provider of the hijacker. Should you verify and filter anything that doesn't belong to your customer? If your customer has been able to hack the information so it appears as the valid resource-holder, and you configure your prefixes based on that, then you are also a victim, as you have no way (the information has been hacked) to know in advance that.

> In this case ("neighbours are bad") it reminds me of a UK law that punishes not only an illegal immigrant but also the landlord who fails to refuse to rent them a flat.
>
> rgds,
> SL
>
> > Regards,
> > Jordi
> >
> > On 21/3/19 22:40, "anti-abuse-wg on behalf of Carlos Friaças via anti-abuse-wg" <anti-abuse-wg-bounces@ripe.net on behalf of anti-abuse-wg@ripe.net> wrote:
> >
> > > On Thu, 21 Mar 2019, Jacob Slater wrote:
> > >
> > > > Hello All,
> > >
> > > Hi,
> > >
> > > Thanks for your input.
> > >
> > > > While I am in general support of the proposal's ideas, I have several concerns with regards to the specific implementation.
> > > >
> > > > While the idea of a complaint form (with teeth) sounds appealing, I do not believe submission should be open to everyone. Only the party holding rights (as registered in a RIR) should be able to file a report regarding their own IP space.
> > >
> > > I had thought about that too.
> > > The problem is hijackers tend to hijack space from:
> > > - unallocated space
> > > - companies which are unreachable (bankrupt/closed?)
> > > - networks in conflict (war) zones
> > >
> > > A variation of this will be allowing anyone _receiving_ the announcement of an hijacked prefix to file a complaint/report.
> > >
> > > Hijacks don't have to be seen by every network on the planet to be an hijack...
> > >
> > > And those receiving an hijacked prefix are (according to my dictionary) also victims.
> > >
> > > > If everyone is allowed to do so, we run several risks, namely that individuals with no knowledge of the situation (beyond that viewed in the public routing table) will file erroneous reports based on what they believe to be the situation (which may not be accurate, as some forms of permission for announcement are not documented in a way they could feasibly see).
> > >
> > > Well, yes. That's one point... the IRR system is kind of broken. And RPKI, unfortunately is still taking baby steps. I would say that in case of doubt, then a rightful owner will be able to create a ROA for the suspected hijack.......
> > >
> > > Some might say NCC staff might act as a filter, before anything reaches expert's hands. I personally wish that NCC staff is not involved at all.
> > >
> > > > Allowing for competent complaints (with teeth) to be filed is a good idea; needlessly permitting internet vigilantes to eat management time based on a flawed view of the situation is not.
> > >
> > > Maybe some automated checks?
> > > The reported prefix has a valid ROA, it matches, so, the complaint is most likely bogus? :-))
> > >
> > > > Additionally, while the policy does define a difference between accidental and intentional hijacking, it does not differentiate between the two with regards to policy violations.
> > >
> > > I thought it did, by stating that accidental events are out of scope.
> > >
> > > > While some discretion should be left up to the expert, it seems odd to include this differentiation without simultaneously explicitly stating that accidental hijacking should generally be treated less severely.
> > >
> > > Accidental hijacking should never be treated as a policy violation. I thought that was clear, but probably isn't -- despite section 3.0 and the summary. Sorry for that. Needs to be addressed in the next version.
> > >
> > > > I am by no means attempting to state that constant, unlearned-from mistakes should be overlooked; I am merely stating that the odd one-off event should be explicitly prohibited from bringing down an entire LIR. Fat fingering happens.
> > >
> > > Yes, thus "This proposal aims to clarify that an intentional hijack is indeed a policy violation."
> > >
> > > Section 3.0 can be improved.
> > >
> > > > Finally, how does the proposed policy apply to sponsored resources (ASNs and PI space)? Is an entire LIR to be held accountable for sponsoring the resources for users who are otherwise supposed to be independent?
> > >
> > > In short, no. Unless the "customer" is the LIR itself.
> > >
> > > Thanks.
> > >
> > > Best Regards,
> > > Carlos
> > >
> > > > Jacob Slater
> >
> > **********************************************
> > IPv4 is over
> > Are you ready for the new Internet ?
> > http://www.theipv6company.com
> > The IPv6 Company
> >
> > This electronic message contains information which may be privileged or confidential.
> > The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.