Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
> Isn't the whole point of route registries generally and RIPE's in particular supposed to be to make it easy for pretty much any arbitrary outsider to look at a given block and a given route to that block and conclude that the two -do- in fact properly go together, or conversely, that they do not?

That could obviously only be done after BGPSec and RPKI are fully deployed, in which case we won't be needing the proposal in question. See the "hypothetical example" in https://www.ripe.net/ripe/mail/archives/anti-abuse-wg/2019-March/004601.html

| Töma Gavrichenkov | gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191 | mailto: ximaera@gmail.com | fb: ximaera | telegram: xima_era | skype: xima_era | tel. no: +7 916 515 49 58
>> there has been a trend in recent years to make RIPE policy that transforms the NCC from a resource registry into a political agency...
>
> I am a resident and citizen of the United States

Do you have any plans on proposing the same policy for ARIN?
Hi,

We (the co-authors of 2019-03) are planning to do that. The set of co-authors for those 4 proposals will probably be expanded in the other regions. Those proposals will also benefit from input from the discussion started here 3 days ago.

Best Regards,
Carlos
Hi Töma,

It has been already proposed/discussed in every RIR, with appropriate changes, and in some cases there is a need for editorial review, etc., so I'm not sure when it will be published at each one (LACNIC probably the first, ARIN next, and so on), and we already considered some of the issues discussed and in some cases some local co-authors.

We do not aim for a global policy (we had considered it), because if a single region fails, the whole process will fall down. But that doesn't preclude trying to align the text in the future.

Regards,
Jordi

**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
On Fri, Mar 22, 2019 at 5:24 PM JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
> It has been already proposed/discussed in every RIR

This is thrilling. What's the idea about dealing with the nine NIRs? You cannot just deny them membership, right?

-- Töma
On Fri, 22 Mar 2019, Töma Gavrichenkov wrote:

> On Fri, Mar 22, 2019 at 5:24 PM JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
>> It has been already proposed/discussed in every RIR
>
> This is thrilling. What's the idea about dealing with the nine NIRs? You cannot just deny them membership, right?

Luckily that's an exception we don't need to add to the RIPE proposal :-))

Regards,
Carlos
In most of the cases the NIRs are bound by the same policies as the relevant RIR, so this is not a big problem.

We believe this policy is important for all the RIR communities (including NIRs). However, in general, when I find a problem that requires drafting a policy proposal for a given RIR, I usually check how it is solved, or whether the same problem exists or also needs to be resolved, in the other 4 RIRs, which in many cases means a single policy proposal turns into 3-4 (on average). Not always the same text, as sometimes the existing text already solved it (even if only partially), or there are other differences (other policies affected, service agreements, membership by-laws, etc.), even cultural differences, etc.

Regards,
Jordi
In message <CALZ3u+bPpyTzTXjZQPwp2iqa8M+fq3yF0rg9bBPPnLokPCrb4A@mail.gmail.com>, Töma Gavrichenkov <ximaera@gmail.com> wrote:

> I am a resident and citizen of the United States
>
> Do you have any plans on proposing the same policy for ARIN?

Me?? Not really. I barely have time to support this one in the RIPE region. I certainly would support anyone who, in the ARIN region, proposed a substantially similar policy. I just don't have time to do that myself.

Regards,
rfg
Peace,

> A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy Violation", is now available for discussion.

Alright, folks, what I'm trying to do now is to stress the conditions.

Let's say it's 2021 and IPv6 is fully deployed, and IPv4 is no more. [now no one could say I'm pessimistic, right?]

How's that policy supposed to work then?

E.g. I'm the attacker, I start the hijacking, I continue that for 10 weeks until I'm denied membership. I don't lose any valuable address space at the time because it's just IPv6 which is totally disposable. I then switch to another LIR account I've obtained before, and start doing the same thing, at a cost of a generous sign-up fee.

What's the value of the 2019-03 proposal then?

-- Töma
Hi,

On Sun, Mar 24, 2019 at 02:08:53AM +0100, Töma Gavrichenkov wrote:
> E.g. I'm the attacker, I start the hijacking, I continue that for 10 weeks until I'm denied membership. I don't lose any valuable address space at the time because it's just IPv6 which is totally disposable. I then switch to another LIR account I've obtained before, and start doing the same thing, at a cost of a generous sign-up fee.
>
> What's the value of the 2019-03 proposal then?

This is one of the aspects that makes me really sceptical of the value of this proposal as written.

It will not stop determined miscreants, because the reaction time is WAY too long, and the sanctions are irrelevant for someone who does this on purpose. So it does not stop, and does not deter, and as such, does not achieve the stated purpose.

On the other hand, it brings the RIPE NCC into difficult legal territory, for all the reasons Nick and Sascha have written.

As such, I have decided that I can not support the policy as written, and change my stance from "neutral" to "object".

Now, I do share the wish to "do something!!" against BGP hijacking.

So, maybe a more workable way forward would be to change this into a BCP ("the RIPE anti-abuse community states with full backing from the RIPE community that BGP hijacking, as defined in <reference>, is considered unwanted behaviour") - and *then* use that on a commercial/peering basis among transit ISPs to strengthen the message "we want *you* to filter your customer BGP sessions, because that's the proper way to run a network!".

Sometimes just agreeing on a written-down message already helps on other fronts.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
Hi Gert,

> Now, I do share the wish to "do something!!" against BGP hijacking.
>
> So, maybe a more workable way forward would be to change this into a BCP ("the RIPE anti-abuse community states with full backing from the RIPE community that BGP hijacking, as defined in <reference>, is considered unwanted behaviour") - and *then* use that on a commercial/peering basis among transit ISPs to strengthen the message "we want *you* to filter your customer BGP sessions, because that's the proper way to run a network!".

+1

Cheers,
Sander
On 24/03/2019 14:48, Sander Steffann wrote:
> Hi Gert,
>
>> Now, I do share the wish to "do something!!" against BGP hijacking.
>>
>> So, maybe a more workable way forward would be to change this into a BCP ("the RIPE anti-abuse community states with full backing from the RIPE community that BGP hijacking, as defined in <reference>, is considered unwanted behaviour") - and *then* use that on a commercial/peering basis among transit ISPs to strengthen the message "we want *you* to filter your customer BGP sessions, because that's the proper way to run a network!".
>
> +1
>
> Cheers,
> Sander

Nice but probably as effective as MANRS.

Regards,
Hank
Gert, Töma, All,

"It will not stop determined miscreants" -- even if it stops some, it's already something positive, anti-abuse-wise. :-))

"sanctions are irrelevant for someone who does this on purpose" -- sanctions are not specified in 2019-03, but if there will be any at some point, the impact will depend on the size of assets that "someone" has already gathered (and which part of it can be associated with him/her).

"it brings the RIPE NCC into difficult legal territory" -- I will leave this for the impact analysis (by the RIPE NCC).

More important than the three details above: creating a BCP along the lines you describe is something I can definitely support! I haven't consulted with Jordi about this yet, but I think the BCP is something that can be worked on in parallel with 2019-03's due course. To be clear: it wouldn't be "change 2019-03 into a BCP", but "creating a new BCP in addition to 2019-03".

Best Regards,
Carlos
Hi Carlos,

On 2019-03-24 15:16, Carlos Friaças via anti-abuse-wg wrote:
> "It will not stop determined miscreants" -- even if it stops some, it's already something positive, anti-abuse-wise. :-))

The thing is that, if you look at it from another direction, if it just does one "false positive", I would argue that it outweighs 100 small hijacks.

And then we have the other co-author,

On Sat, Mar 23, 2019 at 10:42 PM JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
> I think is very obvious that the experts [..] will make sure that when a warning is sufficient

How is that obvious? Answer: it is not obvious, you are just making assumptions.

After looking at this in a bit more detail, my stance on this proposal has to be that I strongly object to it.

I do feel like the better way to go about this is on a technical level, with more things like RPKI and IRR, not this stuff.

On another note, unless all RIRs have a similar policy, then a hijacker wouldn't have to be from RIPE, or what if they have gotten hold of a legacy ASN.

My point is that, no matter what the authors intended, I think this policy would stop close to no determined hijackers, and probably cause a few "false positives".

- Cynthia
Dear Cynthia,

On Mon, 25 Mar 2019, Cynthia Revström wrote:

> Hi Carlos,
>
> On 2019-03-24 15:16, Carlos Friaças via anti-abuse-wg wrote:
>> "It will not stop determined miscreants" -- even if it stops some, it's already something positive, anti-abuse-wise. :-))
>
> The thing is that, if you look at it from another direction, if it just does one "false positive", I would argue that it outweighs 100 small hijacks.

I can relate to that argument, while probably 100 different victims would be a bit harder to convince. Following mostly Töma's constructive arguments we understand the process needs a lot more detail hardwired into the proposal. Our best attempt to control "false positives" in version 1.0 was the last "ratification" knob.

> And then we have the other co-author,
>
> On Sat, Mar 23, 2019 at 10:42 PM JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
>> I think is very obvious that the experts [..] will make sure that when a warning is sufficient
>
> How is that obvious? Answer: it is not obvious, you are just making assumptions.

I think what Jordi meant (coming from the other direction) is that a case will not reach the policy violation declaration stage.

> After looking at this in a bit more detail, my stance on this proposal has to be that I strongly object to it.

Understood.

> I do feel like the better way to go about this is on a technical level, with more things like RPKI and IRR, not this stuff.

This was already touched on in the thread. RPKI deployment, unfortunately, is still in a very initial phase. When someone asks me -- how do you know this is a hijack? -- my usual answer is: "OK, if they are the rightful owners then ask them to add a ROA". If they can't... well... This is something which is not explicitly written, but it should be simple to dismiss a wrongfully submitted report -- if the ROA is not in place, then the "anomaly" could be fixed by creating one. So yes, we strongly support RPKI and we will try to embed in v2.0 clauses that will clearly support RPKI usage.

> On another note, unless all RIRs have a similar policy, then a hijacker wouldn't have to be from RIPE, or what if they have gotten hold of a legacy ASN.

As I've stated before on this thread, the other four RIRs will also have a proposal on their tables. About legacy resources, the RIR can't de-register anything. The only angle I see where they could help contain hijackers is by refusing access to services.

> My point is that, no matter what the authors intended, I think this policy would stop close to no determined hijackers, and

We hope it might dissuade some from even trying (and we can't measure that...), but having *nothing* in place might work like an incentive for some. Gert already suggested a new BCP. I think we'll try that too :-)

> probably cause a few "false positives".

That's something we want to eradicate. We need more work and more text. Any input is welcome!

Best Regards,
Carlos
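The ROA test Carlos describes above ("ask them to add a ROA", and dismiss the report if the announcement is already authorised), worked through as an added example that is not part of the thread: route origin validation per RFC 6811 over a constructed ROA set, and the triage rule (dismiss / escalate / ask for a ROA) applied to a hijack report. All prefixes and AS numbers are documentation and private values chosen for the example, and `rov_state` / `triage_report` are names chosen here, not anything defined in 2019-03.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix the resource holder authorised, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length this ROA authorises (maxLength)
    asn: int         # origin AS authorised to announce the prefix


def rov_state(announced_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 route origin validation for one (prefix, origin AS) pair.

    A ROA *covers* an announcement when the ROA prefix contains it.
    Returns "valid" if a covering ROA matches the origin AS and the
    announcement is no longer than maxLength, "invalid" if covering ROAs
    exist but none match, and "not-found" if nothing covers it.
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # Address family is checked first so subnet_of() never compares v4 with v6.
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def triage_report(announced_prefix: str, observed_origin: int, roas) -> str:
    """Apply the ROA test from the message above to a hijack report.

    The report claims the announcement seen from observed_origin is a hijack:
    valid     -> the RPKI already authorises this origin, dismiss the report
    invalid   -> the holder's ROA contradicts the announcement, escalate
    not-found -> nothing to judge against yet, ask the claimant for a ROA
    """
    state = rov_state(announced_prefix, observed_origin, roas)
    return {
        "valid": "dismiss: origin is authorised by a ROA",
        "invalid": "escalate: announcement contradicts the holder's ROA",
        "not-found": "defer: ask the claimed holder to create a ROA first",
    }[state]


# Constructed ROA set: documentation prefixes (RFC 5737 / RFC 3849) and
# private AS numbers (RFC 6996), not real registry data.
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
    ROA("198.51.100.0/24", 24, 64497),
)


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                     ("192.0.2.0/25", 64496), ("2001:db8:1::/48", 64496),
                     ("203.0.113.0/24", 64496)]:
        print(pfx, "AS%d" % asn, rov_state(pfx, asn, SAMPLE_ROAS),
              "->", triage_report(pfx, asn, SAMPLE_ROAS))
```

The "not-found" outcome is the case the thread keeps returning to: without a ROA an outside observer has nothing authoritative to judge the report against, which is why the reply above suggests asking the claimed holder to create one before the report is assessed.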
Hi Töma, All,

Again I think I understand the need to describe each and every detail in the next version.

I'm not going to deeply discuss "2021 & IPv6" -- it's something I would personally love to see (I think Jordi might even prefer 2020 & IPv6), but unfortunately that is almost impossible... :/

About the "another LIR account I've obtained before" bit: again, I think a clarification is needed on the proposal -- the complaint/report filing mechanism should enable the person filing the report to state the actor and all its identifiable "under control" companies and resources, meaning:

[LIR list]
<country_code_1>.<company_name_z>
<country_code_2>.<company_name_y>
<country_code_3>.<company_name_x1>
<country_code_3>.<company_name_x2>
<country_code_3>.<company_name_x3>

...could all be referenced within a single report.

This, logically, is easier to spot when the actor uses the same name in several companies' registrations (even if in different countries' registries). Then, if such actors prefer to use registrations in offshore places, spotting anything becomes obviously quite difficult. :-(

Regards,
Carlos
Participants (8):
- Carlos Friaças
- Cynthia Revström
- Gert Doering
- Hank Nussbacher
- JORDI PALET MARTINEZ
- Ronald F. Guilmette
- Sander Steffann
- Töma Gavrichenkov