On Sat, 23 Mar 2019, Töma Gavrichenkov wrote:
> Hi all,
Hi, (will try to keep it short) (...)
> 1. As of now, the draft looks like a nice example of "document designed by a committee".
> It's too strict where there's no real need to be strict, and at the same time too weak where you don't expect it to be weak. E.g. 4 weeks to report + 4 weeks to investigate + 2 weeks for an appeal give us a solid 10 weeks for an attack to stay there, which is, to put it gently, a substantial amount of time.
Just two co-authors. The set will grow for proposals in other RIRs. And we'll gladly accept help, as Jordi is doing most of the heavy lifting. If your issue is timescales, they can be adapted in subsequent versions. What we tried to design here was "due process" with enough "checks & balances" embedded. (...)
> 2. OTOH the ultimate result (membership cancellation) may be seen as a very heavy punishment.
> In fact in theory this policy could make things worse.
The scenarios you and others mentioned should be run through the process, and what you call "the ultimate result" should only happen if there is absolutely no doubt about the intent and about the 'who'. If company A takes control of company B's router (or hires someone to do it), it is already doing something which in most jurisdictions could fall under "crime". If company A could be identified, then they could/should be the 'who', and not company B. I don't expect this proposal will stop *all* intentional hijackers. Firstly it will depend on a complaint/report, then it must be crystal clear (with all the checks & balances in place) that it was intentional, and that the hijack was made by person/org X. So if you see bogus routes from <big company name here>'s ASN coming from somewhere in the world where they have no business, that's because someone else is (ab)using their ASN... (I would also like to hear Randy's take on 2019-03, even now before version 2) (...)
> 3. If I were to design that process, I'd put it in a different way, e.g.:
It's not explicitly written down, but yes, the idea was to have a (pre-existing) worldwide pool of experts. The timescales were mostly designed expecting it would be possible to build that pool on a voluntary basis. So 4 weeks was for a set of experts to agree on the report, possibly in their own free time... :-)

Best Regards,
Carlos