Colleagues, These minutes are now online at: https://www.ripe.net/community/wg/active-wg/anti-abuse/minutes/anti-abuse-wo... Regards, Brian Co-Chair, RIPE AA-WG Brian Nisbet (he/him) Service Operations Manager HEAnet CLG, Ireland's National Education and Research Network North Dock Two, 93-94 North Wall Quay, Dublin 1, D01 V8Y6 +35316609040 brian.nisbet@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270 ________________________________ From: Markus de Brün <markus@mxdomain.de> Sent: Friday 19 July 2024 13:07 To: anti-abuse-wg@ripe.net <anti-abuse-wg@ripe.net> Subject: [anti-abuse-wg] Draft minutes from RIPE 88 for your consideration CAUTION[External]: This email originated from outside of the organisation. Do not click on links or open the attachments unless you recognise the sender and know the content is safe. Hi colleagues, please find below the draft minutes from the Anti-Abuse Working Group session at RIPE 88. If you have any comments, please email them to aa-wg-chair@ripe.net by the end of next week. Have a nice weekend, Markus de Brün Tuesday, 21 May 2024, 16:00 – 17:30 (UTC+2) Chairs: Brian Nisbet, Markus de Brün, Tobias Knecht Scribe: Bryce Verdier Status: Draft The recordings and presentations are available at: https://ripe88.ripe.net/programme/meeting-plan/aa-wg/ The stenography transcript is available at: https://ripe88.ripe.net/archives/steno/22/ # A. Administrative Matters Brian opened the session, welcomed the attendees and set the agenda. The minutes from RIPE 87 were approved. Markus stated that Brian’s term as Co-Chair was ending at the end of the meeting and that he was nominated to continue as Co-Chair. Markus asked if there were any objections and there were none. Brian was accepted as Co-Chair for another three year term and Markus thanked Brian. Jim Reed said that he was glad that Brian was reappointed as Co-Chair and asked if there were term limits and if the group should think about creating them. Markus answered that there weren’t any at the moment. Brian mentioned that Mirjam was talking to other group chairs about implementing them but there weren’t a lot of people willing to be WG Chairs. Jim Reed mentioned that during his time in the DNS WG, Co-Chairs gave a three year notice for the WG to come up with a succession plan. Fergus Maccay, Flex Optics, suggested they use a secret voting process for Co-Chair approval. Brian noted Fergus’s suggestion and added that the names of people stepping forward were not announced until after the nomination phase to encourage more people to come forward. Fergus responded that public voting was the problem and suggested a private vote. Jim Reed commented that decisions were made by consensus, not voting. Rüdiger Volk said that it was hard to have consensus with absolute privacy. Brian said that the WG rules state that if consensus couldn’t be reached, then it forced a vote. Malcom Hutty, LINX, mentioned that the consensus process was applicable to policy but didn’t have to apply to administrative matters. Brian reminded the room that the WG Chair selection process for the Anti-Abuse WG was a vote if consensus could not be reached. # D. Interactions ## D.1. Illegal Content Online: What's Our Role as a Regional Internet Registry Maria Stafyla, RIPE NCC The presentation is available at: https://ripe88.ripe.net/wp-content/uploads/presentations/58-RIPE-88-AntiAbus... Maria gave a high level summary of what the RIPE NCC’s role is as a Regional Internet Registry and its involvement in addressing illegal online content. She highlighted that they help identify holders of Internet resources but they do not host or control third-party content. Discussions with stakeholders, including the European Commission, focus on combating piracy and other illegal activities, with debates about increasing RIPE NCC's responsibilities. Malcom Hutty asked if it was still the RIPE NCC's policy to challenge and resist a court order being made in the first place. Maria answered that the situation would be evaluated on a case by case basis, depending on the situation and that if they thought there were reasons to do it, she believed that they would. Robert Carolina, General Counsel ISC, asked how, if at all, policy differed if the request came from a legal authority completely outside the European or Middle Eastern region. He questioned whether there would be no realistic chance of the requesting authority having legal jurisdiction over RIPE if they were farther afield. Maria said that the RIPE NCC took action against members and resources in cases where they may be breaking their membership obligations and the RIPE NCC did take action on legally binding orders. Hans Petter Hollen, Managing Director, RIPE NCC, commented on the questions being raised, noting that all cases would be treated on a case-by-case basis. He said that the primary objective was to keep an accurate registry and using the registry to take action against nation states, organisations for political means or other means was something that the Board had stated clearly they did not want to do. He stressed that when it came to individual organisations breaking the law, the RIPE NCC had to follow Dutch law and follow valid court orders. Alex Dioda, legal counsel OPL Six, asked whether the RIPE NCC would only abide by valid Dutch court orders or for court orders that have been transposed by Dutch courts. Maria said that the RIPE NCC has an obligation to comply if it was a legally binding order and recognised in the Netherlands. # E. Presentations ## E.1. Peering into the Darkness - The Use of UTRS in Combating DDoS Attacks Yury Zhauniarovich, TU Delft The presentation is available at: https://ripe88.ripe.net/wp-content/uploads/presentations/39-20240521_ripe88_... Yury presented on using UTRS (Universal Traffic Removal Service) to combat DDoS attacks, combining network measurements and cybersecurity. He explained how RTBH (Remotely Triggered Black Hole) and UTRS block traffic to IPs under attack via trusted third parties like Team Cymru . His study with Yokohama National University found UTRS underutilised, with only 124 of 75,000 autonomous systems using it. Few DDoS attacks trigger UTRS announcements, often due to attack duration and intensity, indicating the service's effectiveness but limited adoption. Brian asked why he thought nobody used the tool. Yury said that he thought there were two main reasons, one is that it was not a stable service and that BGP flowspec was only introduced two years ago. He also thought that a lot of ASes had their own solutions from their upstreams and because they charge fees for this service, they didn’t have incentive to use the global and free service. Lastly, he said that it might drive more participation if the service was run by the community and not a company. Rüdiger Volk, Retiree of Deutche Telekom, commented on the suspicions around network blackholing. He said that the number of those who actually implemented the blackholing seems to be unknown. Yury said that they had a follow up paper on this which will be presented on SIGMETRICS and he had also submitted a Lightning Talk on Friday to explain how they identified the members who actually abide by the blockings so they also know this number. Rüdiger followed up with a question on whether the numbers from the report had a high or low percentage of users. Yury said that around 600 ASes were actively blocking. Rüdiger noted that modern methods can filter attack traffic from legitimate traffic. He added that those using such protections won't issue UTRS signals unless an attack overwhelms their usual defences. Malcom Hutty asked about their data retention policy and whether they captured IP addresses for attack traffic and if so how long they kept them for and for what purposes. Yury said that the source IP addresses were not gathered as it was spoof traffic. # B. Update ## B.1 Recent List Discussion The presentation is available at: https://ripe88.ripe.net/wp-content/uploads/presentations/64-AA-WG-Slides-RIP... Brian and Markus presented a proposal to recharter the WG from Anti-Abuse to a broader security focus, addressing evolving cybersecurity concerns. The changes would cover emerging threats, best practices, and stakeholder collaboration. Mailing list feedback supported the transition but suggested explicitly mentioning RIPE NCC and clarifying the WG's policy role. They concluded by inviting further feedback to refine the draft charter. Rüdiger Volk, retiree of Deutsche Telekom, said that there was less of a need to regulate the process since the RIPE community provides guidelines to the NCC in one form or the other. He added that there were already established activities in RIPE that are traditionally tackling serious security issues such as RPKI in the Routing WG. Markus said that the idea was not to capture all topics related to security, but if there were security topics not falling under other WGs, then they could come under Anti-Abuse. Brian clarified that there were many overlapping topics in many of the WGs, for example IPv6 turned up in Address Policy and in Routing and many topics cropped up in NCC Services. He said that this wasn’t an attempt to take over 50% of the WG slots. Malcom Hutty raised concerns about the use of the word "policy" in the last bullet point, questioning whether it implies a formal RIPE community policy that would require a Policy Development Process (PDP). He highlighted the need to distinguish between best practices and policies and suggested that the term "policy" warranted careful consideration and scrutiny. Tobias acknowledged the comment and asked how writing policies in this WG would be different from other Working Groups. Malcom said that because security is more broad, the policy from Anti-Abuse might affect other WGs. Tobias acknowledged and agreed with the comment. He countered that the NCC Services WG functions in the same way as the proposed charter change and said that the community is made up of those who want to be part of it and that the policy process would be the same in this WG as in other WGs. Malcom said that expanding the community to be part of the rechartering might not be the best method. Brian acknowledged the comment and responded that removing the ability to write policy would limit the WG’s ability to function. Peter Koch, DeNIC, said that they needed to narrow the scope and broaden participation. He proposed explicitly stating in the charter that the group would be exempt from proposing policy due to the history of failure to reach consensus in the group. He said policies in RIPE WGs only make sense when they are enforceable and they are only enforceable if they are addressed by the RIPE NCC as its function as the secretariat. He added that this should be made clear so it attracts the right people and manages the expectations for this very necessary broadening of participation. Dmytro Kohmanyuk supported the idea of a security-focused working group but suggested rechartering the Anti-Abuse WG if it had reached a plateau. He proposed that if rechartering involved significant changes in focus and working items, the RIPE Chair Team should be involved in the group's lifecycle discussion. He emphasised the importance of reconfirming the Chair Collective to include those with a security focus, ensuring that new members feel they belong and can contribute, while staggering this process to maintain continuity of work. He suggested considering the immediate or potential impact on NCC staff, time, and budget in discussions. Alistair Woodman asked if any of the changes were predicated on what the EU was doing related to the Cyber Resiliency Act and other things in that area. Brian said no but they were aware of the increasing EU regulatory regime, such as the Digital Services Act, which has been discussed across various working groups. Alistair followed up by saying that they were leaning into the assumption that there's going to be more regulatory oversight from the EU. Brian confirmed this. Alistair said that they essentially wanted to throw their hat in the ring as an industry group that would actually be setting policies that would potentially deal with things at that European level. Tobias affirmed that the European Commission was developing directives without adequate industry input due to poor self-regulation. He highlighted past policy failures leading to current DSA regulations and emphasised the opportunity for industry involvement in shaping legislative outcomes that align better with industry needs. Tobias cautioned that Commission decisions might not align well with community expectations if not properly engaged. Alistair agreed, and said some folks in the room were potentially not comfortable with the idea of playing in the big leagues while some were which presented a challenge. He did agree with their thesis that if somebody didn’t step in, there would be a vacuum left there. Brian said there were multiple ways of a WG creating influence and clarified that they weren’t intending to rule the world with the charter. Niall O'Reilly, RIPE Vice Chair, said that at the beginning of the Policy Development Process, the most appropriate WG was identified to act as the vehicle for steering the process from proposal to consensus. He felt it was important that the exclusion of this WG as a potential vehicle for the PDP at this stage was inappropriate. Niall continued, this time as a community member, to refer attendees to the silent Lighting Talk at RIPE 66. A key facet of consensus development is not to exclude, by systematic blindness or by failure to communicate, any significant stakeholder group. One responsibility of the WG Chairs was to make sure that nobody was left unheard who had a stake in the eventual decision. Lastly, Niall noted that the last bullet point could be reworded as "develop guidance to improve security" since guidance might be better neutral terminology. Alex Dioda, AMS-IX, explained that he was a Board Member of EuroISPA which is a European association that lobbies in Brussels for the ISP industry and highlighted the lack of RIPE's presence in policy discussions at the EU level. He suggested more proactive engagement was needed. Rüdiger Volk, expressed concern over the emphasis on policy in the WG's charter and suggested that providing guidance and best practices might be more appropriate and effective. Peter Koch emphasised the need for improved engagement with broader security communities while highlighting the effective self-regulation within the community. He underscored the importance of clarifying the roles of this community and Regional Internet Registries (RIRs), citing the relevance of EU regulations like the Digital Services Act (DSA) to ISPs. Peter suggested exploring increased RIPE NCC presence in Brussels, subject to member support, and cautioned against mixing platform regulation with the group's primary objectives. Tobias agreed to disagree that the community is good at self regulation and stated that the DSA was not only about platforms. Jim Reid, community member, suggested renaming the WG to better reflect its focus, noting that "security" was too broad a term. He recommended simplifying the language in the charter and emphasising advisory roles rather than prescriptive policies. Malcom Hutty, LINX, stated that achieving inclusivity was a high bar. Failing to meet this standard would make acceptance unlikely and undeserved. Therefore, he proposed policies should focus on the expertise and practical knowledge of active community members, not on ideas from occasional outsiders. Brian Nisbet said feedback had been very useful and they needed to go and think about and come back in a nicely structured way on the mailing list. He said that attendees could find them on the list and to anyone who was worried, he added that they had been speaking extensively with Mirjam and Niall about this and they would continue to do so. Brian said that around 100 people had completed the Anti-Abuse training, with more sessions planned for this year, with initial feedback being positive. He also thanked the stenographer, AV, Meetecho and NCC staff. # X. AOB No AOB. # Z. Agenda for RIPE 89 No agenda items set for RIPE 89. ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/anti-abuse-wg.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/