The aim of the 2019-03 proposal, as far as I understand it, is to grant the RIPE NCC the authority to make formal judgements about alleged abuse of network resources with the implicit intention that unless the party involved ends the alleged abuse, the RIPE NCC would enforce the judgement by LIR shutdown if the alleged infringer were a member, or refusal to provide service if the alleged infringer were not.

The legal bindings of the NCC already have that for those that don’t follow existing policies, don’t pay bills, etc. So, the proposal is adding in the table a policy for confirming what is a hijack according to the community consensus. Same way we did for how we distribute resources, do transfers, etc.

There are several aspects of this proposal that are pretty disturbing, but the two that jump out are 1. over-reach by the RIPE Community, 2. encroachment into the arena of supranational law enforcement. 

I'm not going to go into the technical content of the proposal, despite the fact that I don't believe it would have any impact whatever on dealing with the problem of hijacking.  Limited companies can be registered for tiny amounts of money, and it's naive to believe that any actor who is dishonest enough to engage in persistent bgp hijacking would think twice about switching from one company to another in a heartbeat, in order to avoid the consequences of a policy like 2019-03.

Yes, you can make a new company, but because the direct peers/transits will get a warning first, then a problem if cases are repeated (text that I’ve proposed in previous emails, which we will include in v2), they will not accept this kind of customers changing the company every few weeks or months.

Regarding over-reach, the RIPE NCC was instituted as a numbering registry and as a supporting organisation for the RIPE Community, whose terms of reference are described in the RIPE-1 document.  The terms of reference make it clear that the purpose of the RIPE Community and the RIPE NCC is internet co-ordination and - pointedly - not enforcement.  Proposal 2019-03 goes well outside the scope of what the RIPE Community and the RIPE NCC were constituted to do, and I do not believe that the Anti Abuse working group has the authority to override this.

The second point relates to the long term consequences of the proposal.  If the RIPE Community were to pass this policy, then it would direct the RIPE NCC to act as both a judiciary and policing agency for internet abuse.  Judgement and enforcement of behaviour are the competence of national governments, courts and law enforcement agencies, not of private companies.  If the RIPE NCC starts encroaching in this territory, it should expect national governments and law enforcement agencies to start taking an active interest in taking control.  This scenario would not be beneficial to the RIPE Community.

According to my view, laws in the EU allows organizations based on membership, to enforce their by-laws and rules. I don’t think the NCC is different to that.

The NCC will be against law if we try to enforce a non-existing rule (policy).

I guess we have no other way than waiting for a legal confirmation of those aspects from the NCC, but we really think we are on the right track. Of course, wording matters, and we may need to change some bits here and there.

Regards,

Jordi

There are other pile of other considerations here, not least whether the RIPE NCC would have any legal jurisdiction to deregister resources where it had determined "abuse", and what the legal liability of the company would be if it were determined that they didn't have jurisdiction to act.

I don't question the motives of the authors of this proposal - neither of them has anything but the best of intentions in mind.  Regarding BGP hijacking in general, I've been involved in attempting to deal with many hijackings over the years and am as frustrated as anyone.  Like many other people in this community, I have also spent a lot of time and effort trying to deal with the problem from a practical point of view, both in terms of tooling and deployment standards for IXPs and service providers.

But, this is not how to handle the problem of BGP hijacking.  Even if it had the slightest possibility of making any difference at a technical level (which it won't), the proposal would set the RIPE Community and the RIPE NCC down a road which I believe would be extremely unwise to take from a legal and political point of view, and which would be difficult, if not impossible to manoeuver out of.

Nick