2019-03 and over-reach
The aim of the 2019-03 proposal, as far as I understand it, is to grant the RIPE NCC the authority to make formal judgements about alleged abuse of network resources with the implicit intention that unless the party involved ends the alleged abuse, the RIPE NCC would enforce the judgement by LIR shutdown if the alleged infringer were a member, or refusal to provide service if the alleged infringer were not. There are several aspects of this proposal that are pretty disturbing, but the two that jump out are 1. over-reach by the RIPE Community, 2. encroachment into the arena of supranational law enforcement. I'm not going to go into the technical content of the proposal, despite the fact that I don't believe it would have any impact whatever on dealing with the problem of hijacking. Limited companies can be registered for tiny amounts of money, and it's naive to believe that any actor who is dishonest enough to engage in persistent bgp hijacking would think twice about switching from one company to another in a heartbeat, in order to avoid the consequences of a policy like 2019-03. Regarding over-reach, the RIPE NCC was instituted as a numbering registry and as a supporting organisation for the RIPE Community, whose terms of reference are described in the RIPE-1 document. The terms of reference make it clear that the purpose of the RIPE Community and the RIPE NCC is internet co-ordination and - pointedly - not enforcement. Proposal 2019-03 goes well outside the scope of what the RIPE Community and the RIPE NCC were constituted to do, and I do not believe that the Anti Abuse working group has the authority to override this. The second point relates to the long term consequences of the proposal. If the RIPE Community were to pass this policy, then it would direct the RIPE NCC to act as both a judiciary and policing agency for internet abuse. Judgement and enforcement of behaviour are the competence of national governments, courts and law enforcement agencies, not of private companies. If the RIPE NCC starts encroaching in this territory, it should expect national governments and law enforcement agencies to start taking an active interest in taking control. This scenario would not be beneficial to the RIPE Community. There are other pile of other considerations here, not least whether the RIPE NCC would have any legal jurisdiction to deregister resources where it had determined "abuse", and what the legal liability of the company would be if it were determined that they didn't have jurisdiction to act. I don't question the motives of the authors of this proposal - neither of them has anything but the best of intentions in mind. Regarding BGP hijacking in general, I've been involved in attempting to deal with many hijackings over the years and am as frustrated as anyone. Like many other people in this community, I have also spent a lot of time and effort trying to deal with the problem from a practical point of view, both in terms of tooling and deployment standards for IXPs and service providers. But, this is not how to handle the problem of BGP hijacking. Even if it had the slightest possibility of making any difference at a technical level (which it won't), the proposal would set the RIPE Community and the RIPE NCC down a road which I believe would be extremely unwise to take from a legal and political point of view, and which would be difficult, if not impossible to manoeuver out of. Nick
Hi,
The aim of the 2019-03 proposal, as far as I understand it, is to grant the RIPE NCC the authority to make formal judgements about alleged abuse of network resources with the implicit intention that unless the party involved ends the alleged abuse, the RIPE NCC would enforce the judgement by LIR shutdown if the alleged infringer were a member, or refusal to provide service if the alleged infringer were not.
There are several aspects of this proposal that are pretty disturbing, but the two that jump out are 1. over-reach by the RIPE Community, 2. encroachment into the arena of supranational law enforcement.
I'm not going to go into the technical content of the proposal, despite the fact that I don't believe it would have any impact whatever on dealing with the problem of hijacking. Limited companies can be registered for tiny amounts of money, and it's naive to believe that any actor who is dishonest enough to engage in persistent bgp hijacking would think twice about switching from one company to another in a heartbeat, in order to avoid the consequences of a policy like 2019-03.
Regarding over-reach, the RIPE NCC was instituted as a numbering registry and as a supporting organisation for the RIPE Community, whose terms of reference are described in the RIPE-1 document. The terms of reference make it clear that the purpose of the RIPE Community and the RIPE NCC is internet co-ordination and - pointedly - not enforcement. Proposal 2019-03 goes well outside the scope of what the RIPE Community and the RIPE NCC were constituted to do, and I do not believe that the Anti Abuse working group has the authority to override this.
The second point relates to the long term consequences of the proposal. If the RIPE Community were to pass this policy, then it would direct the RIPE NCC to act as both a judiciary and policing agency for internet abuse. Judgement and enforcement of behaviour are the competence of national governments, courts and law enforcement agencies, not of private companies. If the RIPE NCC starts encroaching in this territory, it should expect national governments and law enforcement agencies to start taking an active interest in taking control. This scenario would not be beneficial to the RIPE Community.
There are other pile of other considerations here, not least whether the RIPE NCC would have any legal jurisdiction to deregister resources where it had determined "abuse", and what the legal liability of the company would be if it were determined that they didn't have jurisdiction to act.
I don't question the motives of the authors of this proposal - neither of them has anything but the best of intentions in mind. Regarding BGP hijacking in general, I've been involved in attempting to deal with many hijackings over the years and am as frustrated as anyone. Like many other people in this community, I have also spent a lot of time and effort trying to deal with the problem from a practical point of view, both in terms of tooling and deployment standards for IXPs and service providers.
But, this is not how to handle the problem of BGP hijacking. Even if it had the slightest possibility of making any difference at a technical level (which it won't), the proposal would set the RIPE Community and the RIPE NCC down a road which I believe would be extremely unwise to take from a legal and political point of view, and which would be difficult, if not impossible to manoeuver out of.
I fully agree with Nick. BGP hijacking has to be fought, but this is not the way… Cheers, Sander
On 23/03/2019 00:19, Sander Steffann wrote:
But, this is not how to handle the problem of BGP hijacking. Even if it had the slightest possibility of making any difference at a technical level (which it won't), the proposal would set the RIPE Community and the RIPE NCC down a road which I believe would be extremely unwise to take from a legal and political point of view, and which would be difficult, if not impossible to manoeuver out of. I fully agree with Nick. BGP hijacking has to be fought, but this is not the way… Exactly how successful has been MANRS - our attempt at self-regulation?
Regards, -Hank
Cheers, Sander
Hi Nick, El 22/3/19 18:13, "anti-abuse-wg en nombre de Nick Hilliard" <anti-abuse-wg-bounces@ripe.net en nombre de nick@foobar.org> escribió: The aim of the 2019-03 proposal, as far as I understand it, is to grant the RIPE NCC the authority to make formal judgements about alleged abuse of network resources with the implicit intention that unless the party involved ends the alleged abuse, the RIPE NCC would enforce the judgement by LIR shutdown if the alleged infringer were a member, or refusal to provide service if the alleged infringer were not. The legal bindings of the NCC already have that for those that don’t follow existing policies, don’t pay bills, etc. So, the proposal is adding in the table a policy for confirming what is a hijack according to the community consensus. Same way we did for how we distribute resources, do transfers, etc. There are several aspects of this proposal that are pretty disturbing, but the two that jump out are 1. over-reach by the RIPE Community, 2. encroachment into the arena of supranational law enforcement. I'm not going to go into the technical content of the proposal, despite the fact that I don't believe it would have any impact whatever on dealing with the problem of hijacking. Limited companies can be registered for tiny amounts of money, and it's naive to believe that any actor who is dishonest enough to engage in persistent bgp hijacking would think twice about switching from one company to another in a heartbeat, in order to avoid the consequences of a policy like 2019-03. Yes, you can make a new company, but because the direct peers/transits will get a warning first, then a problem if cases are repeated (text that I’ve proposed in previous emails, which we will include in v2), they will not accept this kind of customers changing the company every few weeks or months. Regarding over-reach, the RIPE NCC was instituted as a numbering registry and as a supporting organisation for the RIPE Community, whose terms of reference are described in the RIPE-1 document. The terms of reference make it clear that the purpose of the RIPE Community and the RIPE NCC is internet co-ordination and - pointedly - not enforcement. Proposal 2019-03 goes well outside the scope of what the RIPE Community and the RIPE NCC were constituted to do, and I do not believe that the Anti Abuse working group has the authority to override this. The second point relates to the long term consequences of the proposal. If the RIPE Community were to pass this policy, then it would direct the RIPE NCC to act as both a judiciary and policing agency for internet abuse. Judgement and enforcement of behaviour are the competence of national governments, courts and law enforcement agencies, not of private companies. If the RIPE NCC starts encroaching in this territory, it should expect national governments and law enforcement agencies to start taking an active interest in taking control. This scenario would not be beneficial to the RIPE Community. According to my view, laws in the EU allows organizations based on membership, to enforce their by-laws and rules. I don’t think the NCC is different to that. The NCC will be against law if we try to enforce a non-existing rule (policy). I guess we have no other way than waiting for a legal confirmation of those aspects from the NCC, but we really think we are on the right track. Of course, wording matters, and we may need to change some bits here and there. Regards, Jordi There are other pile of other considerations here, not least whether the RIPE NCC would have any legal jurisdiction to deregister resources where it had determined "abuse", and what the legal liability of the company would be if it were determined that they didn't have jurisdiction to act. I don't question the motives of the authors of this proposal - neither of them has anything but the best of intentions in mind. Regarding BGP hijacking in general, I've been involved in attempting to deal with many hijackings over the years and am as frustrated as anyone. Like many other people in this community, I have also spent a lot of time and effort trying to deal with the problem from a practical point of view, both in terms of tooling and deployment standards for IXPs and service providers. But, this is not how to handle the problem of BGP hijacking. Even if it had the slightest possibility of making any difference at a technical level (which it won't), the proposal would set the RIPE Community and the RIPE NCC down a road which I believe would be extremely unwise to take from a legal and political point of view, and which would be difficult, if not impossible to manoeuver out of. Nick ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
JORDI PALET MARTINEZ via anti-abuse-wg wrote on 22/03/2019 22:55:
The legal bindings of the NCC already have that for those that don’t follow existing policies, don’t pay bills, etc. So, the proposal is adding in the table a policy for confirming what is a hijack according to the community consensus. Same way we did for how we distribute resources, do transfers, etc.
Hi Jordi, couple of things: 1. it's not the job of the RIPE NCC to make up for a short-fall of civil legislation in this area, no matter how distasteful we might find the consequences of this; 2. you can throw anything into a contract, but that doesn't mean it's enforceable or even lawful. In other words, if the RIPE Community were to pass a particular policy, that wouldn't mean the policy would automatically be binding on the RIPE NCC membership, even if the RIPE NCC SSA includes a clause to state that a member will adhere to RIPE policies. In this particular case, the suggestion is for the RIPE NCC to start making judgements about potentially legal actions between second or third parties, potentially involving non-related resources and to deny and/or withdraw number registration services on that basis. This does not sound legally enforceable. What complicates things further is that the RIPE NCC has an effective monopoly for internet number registration services in this part of the world. If withdrawal of these monopoly services were found to be unlawful, this would be taken extremely seriously by any court or regulatory authority. Nick
Hi Nick, El 23/3/19 12:32, "Nick Hilliard" <nick@foobar.org> escribió: JORDI PALET MARTINEZ via anti-abuse-wg wrote on 22/03/2019 22:55: > The legal bindings of the NCC already have that for those that don’t > follow existing policies, don’t pay bills, etc. So, the proposal is > adding in the table a policy for confirming what is a hijack according > to the community consensus. Same way we did for how we distribute > resources, do transfers, etc. Hi Jordi, couple of things: 1. it's not the job of the RIPE NCC to make up for a short-fall of civil legislation in this area, no matter how distasteful we might find the consequences of this; And we aren't doing that. 2. you can throw anything into a contract, but that doesn't mean it's enforceable or even lawful. If our membership/SSA agreement includes a clause to allow that, yes, we can, unless a new law or court order come into force later that say that "this or that policy is against law". In other words, if the RIPE Community were to pass a particular policy, that wouldn't mean the policy would automatically be binding on the RIPE NCC membership, even if the RIPE NCC SSA includes a clause to state that a member will adhere to RIPE policies. Please read my previous examples of the beer or the swimming cap. Doesn't matter if those conditions where in the membership agreement since the beginning or have been adopted under the membership agreement rules. In this particular case, the suggestion is for the RIPE NCC to start making judgements about potentially legal actions between second or third parties, potentially involving non-related resources and to deny and/or withdraw number registration services on that basis. This does not sound legally enforceable. No, it is not a matter of parties. It is a matter of the membership rules. If somebody got resources from RIPE NCC using fake information, and there is a form for third parties (even if they aren't impacted at all by anything wrong with those resources) to report that case, it is clear that under our rules, those resources will be claimed back. Otherwise everybody will also be able to fake the information to repeat the same. Rule are to be followed when you sign a membership agreement. What complicates things further is that the RIPE NCC has an effective monopoly for internet number registration services in this part of the world. If withdrawal of these monopoly services were found to be unlawful, this would be taken extremely seriously by any court or regulatory authority. If the reason for the withdrawal is doing actions that are used to make or facilitate illegal activities (again spam, DDoS, child pornography, etc.), I doubt it will be the reason for courts or regulators to change the situation. In fact, it might happen that then new laws are made to support that BGP hijacking is a criminal activity. I can see that if there is any reason for a BGP hijacking to be done for a legitimate act (which I doubt), we can exclude it, and in fact that's why I suggested that in some cases the experts can consider a warning (for example, a student doing a research?). Nick ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
On Sat, Mar 23, 2019 at 12:52:36PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
If the reason for the withdrawal is doing actions that are used to make or facilitate illegal activities (again spam, DDoS, child pornography, etc.), I doubt it will be the reason for courts or regulators to change the situation. In fact, it might happen that then new laws are made to support that BGP hijacking is a criminal activity.
And if and when that happens, the NCC could already terminate the membership. Section 1.2.2 (d) of ripe-697 The difference is that this has to be decided via the established procedure of (Dutch) law, including judicial review, appeals, etc. Another thing that might happen, and that is what I believe Nick is alluding to, is that someone takes a look at how internet resources are administered in the Service Region and decide that this sort of monopoly is untenable and that there needs to be a plurality of institutions to manage resources. Which rules they would have and what this means for the "internet community" is open to debate... rgds, SL
JORDI PALET MARTINEZ via anti-abuse-wg wrote on 23/03/2019 11:52:
El 23/3/19 12:32, "Nick Hilliard" <nick@foobar.org> escribió: 1. it's not the job of the RIPE NCC to make up for a short-fall of civil legislation in this area, no matter how distasteful we might find the consequences of this;
And we aren't doing that.
If there were legislation and enforcement in this area, we wouldn't be having this conversation.
2. you can throw anything into a contract, but that doesn't mean it's enforceable or even lawful. > [...] In this particular case, the suggestion is for the RIPE NCC to start making judgements about potentially legal actions between second or third parties, potentially involving non-related resources and to deny and/or withdraw number registration services on that basis. This does not sound legally enforceable.
No, it is not a matter of parties. It is a matter of the membership rules.
Jordi, you need to take legal advice on this before proceeding further. Nick
El 23/3/19 16:49, "Nick Hilliard" <nick@foobar.org> escribió: JORDI PALET MARTINEZ via anti-abuse-wg wrote on 23/03/2019 11:52: > El 23/3/19 12:32, "Nick Hilliard" <nick@foobar.org> escribió: > 1. it's not the job of the RIPE NCC to make up for a short-fall of civil > legislation in this area, no matter how distasteful we might find the > consequences of this; > > And we aren't doing that. If there were legislation and enforcement in this area, we wouldn't be having this conversation. > 2. you can throw anything into a contract, but that doesn't mean it's > enforceable or even lawful. > [...] > In this particular case, the suggestion is for the RIPE NCC to start > making judgements about potentially legal actions between second or > third parties, potentially involving non-related resources and to deny > and/or withdraw number registration services on that basis. This does > not sound legally enforceable. > > No, it is not a matter of parties. It is a matter of the membership rules. Jordi, you need to take legal advice on this before proceeding further. We hope to get it from the NCC, may be even a preliminary report instead of waiting for an impact analysis? Nick ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
In message <6179dc11-f299-c076-0ae1-2f2d22eb6115@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
If there were legislation and enforcement in this area, we wouldn't be having this conversation.
Yes, actually, we would. Does anybody really believe that if, for example, Moldova outlawed BGP hijacking tomorrow *and* if they even started arresting suspects, that the entire problem would utterly disappear from the entire RIPE region the day after that? I think not. France? The Neatherlands? Sweden? No. No. No. There isn't a single european country whose laws can bring this plague to an end, nor even any subset of european countries. The problem no more respects national boundaries than does the influenza virus. Furthermore, I very much look forward to the day when one or more BGP hijackers... or *any* kind of cybercriminal for that matter... will be extradited from Russia to stand trial in some less friendly jurisdiction. But today is not that day. Regards, rfg
El 23/3/19 23:40, "anti-abuse-wg en nombre de Ronald F. Guilmette" <anti-abuse-wg-bounces@ripe.net en nombre de rfg@tristatelogic.com> escribió: In message <6179dc11-f299-c076-0ae1-2f2d22eb6115@foobar.org>, Nick Hilliard <nick@foobar.org> wrote: >If there were legislation and enforcement in this area, we wouldn't be >having this conversation. Yes, actually, we would. Agree Does anybody really believe that if, for example, Moldova outlawed BGP hijacking tomorrow *and* if they even started arresting suspects, that the entire problem would utterly disappear from the entire RIPE region the day after that? I think not. France? The Neatherlands? Sweden? No. No. No. There isn't a single european country whose laws can bring this plague to an end, nor even any subset of european countries. The problem no more respects national boundaries than does the influenza virus. There is one more reason for that. There is no way LEA can act against every hijack in a timely fashion (I'm thinking in making sure that cases are taking no more than 2-3 months average), same way that massive spam or data protection cases, are most of the time even *not* actually prosecuted by DPAs. Furthermore, I very much look forward to the day when one or more BGP hijackers... or *any* kind of cybercriminal for that matter... will be extradited from Russia to stand trial in some less friendly jurisdiction. But today is not that day. Regards, rfg ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
Hi, It's probably best to state examples using "country X" and "region Y" instead of using countries' concrete names. I think i already used concrete country names at least once during this thread and i apologize for that. ps: if we ackowledge there is a gap in legislation and enforcement why shouldn't we engineer something to try to minimize/reduce this gap's effects? Best Regards, Carlos On Sat, 23 Mar 2019, Ronald F. Guilmette wrote:
In message <6179dc11-f299-c076-0ae1-2f2d22eb6115@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
If there were legislation and enforcement in this area, we wouldn't be having this conversation.
Yes, actually, we would.
Does anybody really believe that if, for example, Moldova outlawed BGP hijacking tomorrow *and* if they even started arresting suspects, that the entire problem would utterly disappear from the entire RIPE region the day after that? I think not. France? The Neatherlands? Sweden? No. No. No. There isn't a single european country whose laws can bring this plague to an end, nor even any subset of european countries. The problem no more respects national boundaries than does the influenza virus.
Furthermore, I very much look forward to the day when one or more BGP hijackers... or *any* kind of cybercriminal for that matter... will be extradited from Russia to stand trial in some less friendly jurisdiction. But today is not that day.
Regards, rfg
On 23/03/2019 13:31, Nick Hilliard wrote:
JORDI PALET MARTINEZ via anti-abuse-wg wrote on 22/03/2019 22:55:
The legal bindings of the NCC already have that for those that don’t follow existing policies, don’t pay bills, etc. So, the proposal is adding in the table a policy for confirming what is a hijack according to the community consensus. Same way we did for how we distribute resources, do transfers, etc.
Hi Jordi,
couple of things:
1. it's not the job of the RIPE NCC to make up for a short-fall of civil legislation in this area, no matter how distasteful we might find the consequences of this; Purity of concept will result in massive gov't intervention since we will have shown that we don't know how to self-regulate. The voices are already there: https://hackernoon.com/why-the-internet-must-be-regulated-9d65031e7491 If you have an alternative solution, not even a better one, please suggest it.
Regards, Hank
Hank Nussbacher wrote on 23/03/2019 17:23:
Purity of concept will result in massive gov't intervention since we will have shown that we don't know how to self-regulate. The voices are already there: https://hackernoon.com/why-the-internet-must-be-regulated-9d65031e7491 If you have an alternative solution, not even a better one, please suggest it.
There is no quick or single solution because this is a complex problem which involves people and peoples' interactions with the internet. MANRS is beginning to make a difference and will continue to gain support. Several of the major global IXPs have implemented strict route-server filtering over the last 12-18 months. There is a good deal of pressure being put on transit service providers to implement prefix filtering on their customer network handoff points. RPKI adoption is now taking off in a big way - see AT&T's recent announcement and NTT's plans. Commoditisation of RPKI support for IXP route servers will be available within weeks. RPKI will help a good deal, and it shows more promise than IRR DB based filtering due to long term quality issues with IRRDBs in some areas (e.g. US, LATAM). Nick
In message <be3751fd-3b12-b73b-71ec-8f012191161f@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
RPKI adoption is now taking off in a big way - see AT&T's recent announcement and NTT's plans. Commoditisation of RPKI support for IXP route servers will be available within weeks.
The AT&T announcement was indeed heartening. Can you see if you can drag a few IXP people into this conversation (please)? If they all say that this proposal is pointless, and that the problem will be essentially solved in time for Vappu, then it probably would then be a reasonable choice to set this on the back burner, just for a bit, to see how things really shake out. I think we all understand that just because RPKI support may be available, that doesn't mean that anybody who hasn't already done so is actually going to deploy it. So it would be Good to hear what the actual plans are. Regards, rfg
Hi, (please see inline) On Sat, 23 Mar 2019, Ronald F. Guilmette wrote:
In message <be3751fd-3b12-b73b-71ec-8f012191161f@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
RPKI adoption is now taking off in a big way - see AT&T's recent announcement and NTT's plans. Commoditisation of RPKI support for IXP route servers will be available within weeks.
The AT&T announcement was indeed heartening.
Can you see if you can drag a few IXP people into this conversation (please)?
Nick is part of "IXP people" afaik for a long time. I am too, although i'm more into the "IXP security people" set nowadays :-) In general, i think IXP people will do everything they can to minimize hijacker's goals, especially if they receive a complaint from customer X saying customer Z is hijacking a prefix and they are announcing it to customer X (and possibly other customers). That's where RPKI and route servers get into the picture -- if hijacked prefix announcements were not made directly, RPKI on route servers might stop those announcements, and even if RPKI is not applied on route servers, they could hold the proof that an hijack was made. But the main point here about 2019-03 is that RPKI on route servers, or even recording all announcements through route servers will not happen overnight, and it will not solve hijacks made through direct peerings where the receiving end is not discarding the "bad prefix" through RPKI. Again, there are tools with enough maturity than can be used to protect each and every of the 60000+ ASNs from hijacks, but the "issue" between the chair and a keyboard makes something in the line of 2019-03 still needed.
If they all say that this proposal is pointless, and that the problem will be essentially solved in time for Vappu, then it probably would then be a reasonable choice to set this on the back burner, just for a bit, to see how things really shake out.
I think we all understand that just because RPKI support may be available, that doesn't mean that anybody who hasn't already done so is actually going to deploy it. So it would be Good to hear what the actual plans are.
Essentially agreeing with Ronald, i think anyone could also argue that people without the ability to use RPKI shouldn't be playing the BGP game, but i certainly prefer to think that intentional and persistens hijackers shouldn't be allowed (by the community) to keep playing the BGP game. :-) Best Regards, Carlos
Regards, rfg
In message <b178ce96-b36f-b04f-ad9f-666fad9e8acb@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
1. it's not the job of the RIPE NCC to make up for a short-fall of civil legislation in this area, no matter how distasteful we might find the consequences of this;
OK. I'll bite! Whose job is it then? It would appear, based on your statement, that EVEN IF everyone on planet earth... or at least everyone in the european part of it... were to agree tomorrow that BGP hijacks are a massively serious problem requiring a speedy and stern response in all cases, your "solution" would be to have each and every legislative body in each and every country in europe set aside any and all of the other important work that they are doing so that each and every one of them can debate and pass legislation which would impose penalties for BGP hijacking. Is that really your proposed "solution"? To say that this "solution" is no solution at all would be a gigantic understatement. Are you, Nick, going to be the one who goes around to all of the legislatures of each and every one of the countries of europe and in each case demands that they immediately stop whatever elese they were doing and instead immediately take up legislation to make BGP hijacking an offense under law? I would like it noted for the record, that regardless of who among us would or could do this job... trying to convince all european national legislatures that they should each make BGP hijacking illegal... the actual likelihood of that actually happening, in practice, *even if* BGP hijacking were resulting in *deaths* every day, is virtually nill. Hell! There is a proven and well-known connection between money laundering and terrorist financing, and there are EU regulations already on the books that positively REQUIRE national legislatures to adopt anti-money-laundering legislation, AND YET THAT STILL HASN'T HAPPENED IN SEVERAL OF EU THE COUNTRIES THAT ARE COVERED BY THE DIRECTIVE! Reference: http://europa.eu/rapid/press-release_IP-18-4491_en.htm So, have I understood you correctly? Is it really your contention that even though european legislatures... or even just EU legislatures... still can't even get their acts together to outlaw money laundering and terrorist financing, nontheless, it is your position that we should leave it to them to outlaw BGP hijacking? Really?? Even if we set aside the total and self-evident absurdity of waiting around and hoping that all european national legislatures will step in and fix the problems that we, the technologists, have created for ourselves, I would still come back to the point I made earlier about self-reliance. Why should we be going, cap in hand, to national legislatures, begging them to fix a problem that *we* have created? Why shouldn't *we* take some responsibility for cleaning up our own dogpiles? I would argue that we have not only the moral, ethical, and legal right to do so, but also that we have the moral, ethical, and legal *responsibility* to so. Render therefore unto Caesar the things which are Caesar's, and unto God the things that are God's. We made the mess, and we can unmake it for ourselves. And we should. Trying to foist off the responsibility for solving problems of our own making onto national legislatures, is both improper and unseemly. Not only will it simply not work, as explained above, but worse, even the attempt will encourage various national legislatures to become more active and agressive in attempting to pass various bits of stupid "Internet" legislation, as they attempt to control the very thing that they, the politicians, least understand.
2. you can throw anything into a contract, but that doesn't mean it's enforceable or even lawful.
That is quite so. In my own country, any contractual provision which makes reference to a person's race would likely to tossed out. But if it is your contention that RIPE cannot make contractual stipulations about the use of IP addresses, then you are going to have to justify that entirely surprising claim.
In this particular case, the suggestion is for the RIPE NCC to start making judgements about potentially legal actions between second or third parties, potentially involving non-related resources and to deny and/or withdraw number registration services on that basis. This does not sound legally enforceable.
I agree. The party that should be held responsible for a hijack *must* only be the party that engineered it. Anything beyond that strays into very dangerous waters indeed.
What complicates things further is that the RIPE NCC has an effective monopoly for internet number registration services in this part of the world. If withdrawal of these monopoly services were found to be unlawful, this would be taken extremely seriously by any court or regulatory authority.
The withdrawal of resources granted under the terms of a contract BY DEFINITION cannot be unlawful if such withdrawal is done in accordance with, and under the explicit terms of the contract. If I rent you a car and there is a "no smoking" clause in the contract that allows for termination of the contract if you smoke in the car, and if I catch you smoking in the car, then I have the right to terminate the contract FOR CAUSE and in accordance with the contract. None of this is either new or unique or novel. In fact, exactly such contractual provisions are enforced every day, all around the world. Regards, rfg
On Fri, Mar 22, 2019 at 05:13:20PM +0000, Nick Hilliard wrote:
The aim of the 2019-03 proposal, as far as I understand it, is to grant the RIPE NCC the authority to make formal judgements about alleged abuse of network resources with the implicit intention that unless the party involved ends the alleged abuse, the RIPE NCC would enforce the judgement by LIR shutdown if the alleged infringer were a member, or refusal to provide service if the alleged infringer were not.
It is actually worse than this, as I understand it. Based on recent contributions in this discussion, I now understand that it is proposed to make the determination of "network abuse" entirely outside the NCC and then to give this determination to the NCC Board to rubber-stamp and enforce it (and, implicitly assume the legal liability, one would presume)
There are other pile of other considerations here, not least whether the RIPE NCC would have any legal jurisdiction to deregister resources where it had determined "abuse", and what the legal liability of the company would be if it were determined that they didn't have jurisdiction to act.
I am also somewhat worried about the possible fall-out for the members if the NCC were to be found to have acted incorrectly and be liable for the damages to the business of a member that was shut down... I would be very interested in NCC Legal's opinion on this.
But, this is not how to handle the problem of BGP hijacking. Even if it had the slightest possibility of making any difference at a technical level (which it won't), the proposal would set the RIPE Community and the RIPE NCC down a road which I believe would be extremely unwise to take from a legal and political point of view, and which would be difficult, if not impossible to manoeuver out of.
Much better put than I could hope to do, I fully endorse this statement. rgds, SL
Nick
It would be a much needed thing if ripe legal were to chime in here so that they can issue an opinion on the proposal. This amateur theorizing isn't getting the discussion anywhere. --srs ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Sascha Luck [ml] <aawg@c4inet.net> Sent: Saturday, March 23, 2019 5:07 AM To: anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] 2019-03 and over-reach On Fri, Mar 22, 2019 at 05:13:20PM +0000, Nick Hilliard wrote:
The aim of the 2019-03 proposal, as far as I understand it, is to grant the RIPE NCC the authority to make formal judgements about alleged abuse of network resources with the implicit intention that unless the party involved ends the alleged abuse, the RIPE NCC would enforce the judgement by LIR shutdown if the alleged infringer were a member, or refusal to provide service if the alleged infringer were not.
It is actually worse than this, as I understand it. Based on recent contributions in this discussion, I now understand that it is proposed to make the determination of "network abuse" entirely outside the NCC and then to give this determination to the NCC Board to rubber-stamp and enforce it (and, implicitly assume the legal liability, one would presume)
There are other pile of other considerations here, not least whether the RIPE NCC would have any legal jurisdiction to deregister resources where it had determined "abuse", and what the legal liability of the company would be if it were determined that they didn't have jurisdiction to act.
I am also somewhat worried about the possible fall-out for the members if the NCC were to be found to have acted incorrectly and be liable for the damages to the business of a member that was shut down... I would be very interested in NCC Legal's opinion on this.
But, this is not how to handle the problem of BGP hijacking. Even if it had the slightest possibility of making any difference at a technical level (which it won't), the proposal would set the RIPE Community and the RIPE NCC down a road which I believe would be extremely unwise to take from a legal and political point of view, and which would be difficult, if not impossible to manoeuver out of.
Much better put than I could hope to do, I fully endorse this statement. rgds, SL
Nick
In message <20190322233739.GK99066@cilantro.c4inet.net>, "Sascha Luck [ml]" <aawg@c4inet.net> wrote:
I am also somewhat worried about the possible fall-out for the members if the NCC were to be found to have acted incorrectly and be liable for the damages to the business of a member that was shut down...
I only wish that I had a dollar for every time I had heard this exact lame excuse from some ISP who I had asked to disconnect a spammer over the past 20 years. If I did, I'd have enough money to run for President. This excuse isn't as popular now as it was in the old days, but one often used to get messages from ISPs saying "Oh, gee, we literally CAN'T unplug that spammer, because we have a contract, and he might sue us!" (Yea, yea, yea. Tell it to the hand.) Simple solution: Stop being an idiot and write better contracts. Every contract has some "out" clauses... you know like force majure, etc. etc., etc. If RIPE cannot afford or cannot find an attorney with sufficient skill to draft and include such "outs" I can refer it to some excellent practioners with emminently modest rates. Regards, rfg
Exactly! If customers, employees, visitors, students, etc., are misusing the network (for example using it for spam, DDoS, child pornography, etc.), they are typically acting against the contract arrangements (AUP). If you've a bad contract that's a different problem, but even in that case, I'm sure that if you're taken to the courts because you cancel the contract, in most of the cases the court will recognize it as a correct action, because using the network for illegal actions is part of the illegal act itself. In fact, if you don't bring down that "customer", you are actually a cooperator of those illegal acts if anyone can probe that you were aware of it. That's why I think the text that I had presented a couple of times in the last days about simple warnings in case of doubt or the first time for direct peers, make a lot of sense. To put that in the extreme: You will not be jailed or punished because the court considers you as a "censor". If you're member of a sports club (RIPE NCC for us), and the rules (our policy proposal) say that you must use swimming cap (adequate BGP filters) and you don't do so, you can, depending on the rules, get a warning, or directly get your membership cancel and even not get a reimbursement. Note that there isn't any law that enforces using a swimming cap, however, I'm 100% sure the court will agree that the rule is lawful and enforceable. Regards, Jordi El 23/3/19 6:29, "anti-abuse-wg en nombre de Ronald F. Guilmette" <anti-abuse-wg-bounces@ripe.net en nombre de rfg@tristatelogic.com> escribió: In message <20190322233739.GK99066@cilantro.c4inet.net>, "Sascha Luck [ml]" <aawg@c4inet.net> wrote: >I am also somewhat worried about the possible fall-out for the >members if the NCC were to be found to have acted incorrectly and >be liable for the damages to the business of a member that was >shut down... I only wish that I had a dollar for every time I had heard this exact lame excuse from some ISP who I had asked to disconnect a spammer over the past 20 years. If I did, I'd have enough money to run for President. This excuse isn't as popular now as it was in the old days, but one often used to get messages from ISPs saying "Oh, gee, we literally CAN'T unplug that spammer, because we have a contract, and he might sue us!" (Yea, yea, yea. Tell it to the hand.) Simple solution: Stop being an idiot and write better contracts. Every contract has some "out" clauses... you know like force majure, etc. etc., etc. If RIPE cannot afford or cannot find an attorney with sufficient skill to draft and include such "outs" I can refer it to some excellent practioners with emminently modest rates. Regards, rfg ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
In message <f1d02b78-49fa-0b62-d84c-578b30d1c4b7@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
There are several aspects of this proposal that are pretty disturbing, but the two that jump out are 1. over-reach by the RIPE Community, 2. encroachment into the arena of supranational law enforcement.
I seriously don't know how one could make such a large leap in logic. "Law enforcement" has the power to put handcuffs on people, to deny them liberty for extended periods of time, and in the case of both individuals and companies, to substantially penalize them monitarily. The proposal at hand neither suggests nor contemplates any such actions or remedies, nor even anything that could be construed as such, even in the most wild-eyed interpretation. 2019-03 is not an exercise in law enforcement, either supranational or otherwise. It is, rather, a simple refinement and extension of current and existing private contractual relationships, where the harshest possible outcome would be for the parties to agree to disagree about what each owes to the other, under the terms of the written contract(s), and then perhaps to go their separate ways, having terminated their private contractual relationship. If you trash a rental car, and return it trashed, and if the company that rented the car to you thus makes the reasonable and utterly defensible decision not to rent cars to you in the future, is that an exercise in "law enforcement"? I think not.
Regarding over-reach, the RIPE NCC was instituted as a numbering registry and as a supporting organisation for the RIPE Community, whose terms of reference are described in the RIPE-1 document. The terms of reference make it clear that the purpose of the RIPE Community and the RIPE NCC is internet co-ordination and - pointedly - not enforcement.
I say again what I have previously said, which this that 2019-03, even if accepted and ratified by the community, would not give RIPE any more power to "enforce" its will over anyone's -routers- than RIPE would have had the day before such ratification. I therefore find this use of the term "enforcement" in this context somewhat foreign and strange. Given its mandate to facilitate and foster "coordination" in the use of RIPE-assigned number resources, are you ernestly suggesting that RIPE is constitutionally prohibited from even holding sway over its own WHOIS data base and the entries therein, in accordance with the clear guidance and wishes of the community? Does RIPE not already "enforce" the removal of some such WHOIS entries in response to the non-payment of dues? If it does, then please point me at the specific provision or provisions of RIPE's charter that explicitly prohibit it from doing likewise in other circumstances that also, arguably, represent a clear and present threat to RIPE's ability to carry out its assigned "coordination" duties... duties which, we both agree, it has been tasked to persue and foster. I, for one, find it both endlessly humorous and also endlessly sad that RIPE has been given the -responsibility- for coordinating the use of resources, even as it has been consistantly denied any and every tool that it might employ to assert its -authority- to do so. 2019-03 represents at least a small step towards righting that colossal and damaging imbalance between RIPE's responsibility and its near utter lack of actual authority. (And I can only hope that at least a few of the people reading these words will have, at some point in their professional lives, likewise been stuck in a position where they were given a mountain of responsibily and a pee-shooter's worth of actual authority. Those folks, at least, will have a clear understanding of why this never works out very well.)
Proposal 2019-03 goes well outside the scope of what the RIPE Community and the RIPE NCC were constituted to do, and I do not believe that the Anti Abuse working group has the authority to override this.
RIPE was chartered to "keep the books" as it were... to maintain the giant ledger of who has been assigned what. Why? What was the purpose... what *is* the purpose of maintaining one big colossal ledger of who has been assigned what if everyone just thumbs their noses at it, and if they all then go around, willy-nilly, ignoring the assigments that have been so carefully recorded in that giant community ledger? If the ledger itself is to have any meaning, then it must be adhered to. If it is not adhered to, then let's just terminate it, once and for all, and be done this whole charade that is called RIPE. Let's go back to the Internet stone age, to a time even before Jon Postel, and let's just have an every-man-for-himself free-for-all. It would be a lot cheaper. Everybody could stop paying RIPE membership dues and RIPE fees. But I don't think that's what anybody really wants. I cannot and will not argue whether this working group or that working group, specifically, has the right or authority to choose whether RIPE should be allowed to use the tools it has to do the job it has been assigned. That is for others to pass judgement on, not me. I will only say that this authority, the authority to notice and take action when parties flaunt the entire assignment system, should be granted, and that doing so would not be in any way inconsistant with any RIPE mandate or with what RIPE was chartered to do from day one. Quite the opposite. It would be supoportive of RIPE's fundamental mission. RIPE keeps a set of public books, and the very existance of those public ledger books, it is hoped, will ensure peace, stability, order, and at least some measure of mutual security. The overriding goal is *not* the books themselves, or their continued slavish maintenance, for their own sakes, into the comming centuries. These are not sacred texts being copied and recopied by a cadre of devoted monks, for posterity, in some candle-lit monastic sanctum. These are the land deeds of the Internet. And they have long since been accepted as such by virtually everyone. What we have seen, time and again now, and what cannot now be reasonably denied, is that every so often, one of the lanholders who is a registrant in, and himself a direct beneficiary of this established system of public order and security, has gathered unto himself a modest force of servants, slaves, waifs, concubines, and mercenaries, and has then ridden out to some nearby defenseless village, and has then laid siege to and ultimately laid claim to lands that are not his. So the question arises -- What shall we do with such scoundrels? Shall we welcome them to our tables, break bread with them, share our wine, laugh at their jokes, slap them on the back and congratulate them for their pluck, wit, courage and boldness? Or should we instead cast them out from among the company of civilized men and from the system of order that they themselves, and by their own hands, have so explicitly violated and to which they themselves would no doubt appeal when and if some even bolder robber barron were to come down upon them and their own holdings? I can only answer for myself, but to me the choice is clear. Those who have, with malice aforethought, violated the system of rules that we, as a community, have accepted should not subsequently be permitted to call upon that same set of rules, or the community's ledgers, in defense of their own interests. To allow this would be unarguably both unjust and self-defeating of the social contract to which each and all of us have already suordinated ourselves and our individual private interests. RIPE does not have and should not have the power to put anyone in irons. But it damn well isn't obliged, I think, to act as either a reference for or a guarantor of the legitimacy of the holdings of any party that, by its own acts, has declined to likewise and in turn endorse RIPE and its ledger and its assignments. Regards, rfg
On 23 Mar 2019, at 3:12, Ronald F. Guilmette wrote:
These are the land deeds of the Internet. And they have long since been accepted as such by virtually everyone.
Precisely. I believe that a condition for their continued acceptance as such is that the RIPE NCC avoid amalgamating quasi-judicial functions to its "land-registry" function. In my country, we have an agency called the Registry of Deeds, which performs a land-registry function and acts as an agency of record. I expect that most other countries have each their own agency with similar functions. I am not aware of any which also has a judicial or disciplinary function. Best regards, Niall O'Reilly
Hi Niall, Ronald, All, (please see inline) On Sun, 24 Mar 2019, Niall O'Reilly wrote:
On 23 Mar 2019, at 3:12, Ronald F. Guilmette wrote:
These are the land deeds of the Internet. And they have long since been accepted as such by virtually everyone.
Precisely.
I believe that a condition for their continued acceptance as such is that the RIPE NCC avoid amalgamating quasi-judicial functions to its "land-registry" function.
In my country, we have an agency called the Registry of Deeds, which performs a land-registry function and acts as an agency of record. I expect that most other countries have each their own agency with similar functions. I am not aware of any which also has a judicial or disciplinary function.
I'm not sure on how "Registries of Deeds/Land" work in different countries, but usually those Registries are not an Association which has (all?) its "customers" as members/shareholders. So, while i think i understand why some people choose to use this analogy, RIPE NCC, as a registry has that different characteristic, apart from having also a distribution function/role (which land registries don't have). And while a member can feel it shouldn't be part of the same org/company/association than (bad?) actors, it doesn't feel right that it is that said member that should quit his/her membership. Also, i have read allegations about a "monopoly" regarding the service region. Afaik, there is a transfer market which contradicts the concept of said "monopoly" (i.e. can't get more addresses from the RIR, then go to the market).
Best regards,
Niall O'Reilly
Great to hear from you Niall! Best Regards, Carlos
On Sun, Mar 24, 2019 at 02:32:23PM +0000, Carlos Friaas via anti-abuse-wg wrote:
And while a member can feel it shouldn't be part of the same org/company/association than (bad?) actors, it doesn't feel right that it is that said member that should quit his/her membership.
What do feelings have to do with NCC membership? There are many members of the RIPE NCC I'd rather not share the organisation with but that is not reason to deny them membership. :feelsbadman:
Also, i have read allegations about a "monopoly" regarding the service region. Afaik, there is a transfer market which contradicts the concept of said "monopoly" (i.e. can't get more addresses from the RIR, then go to the market).
that's not an "allegation", it is a STATEMENT OF FACT. The "ip address market" rgument is wholly invalid because the transfer policy clearly states that transfers can only happen to a RIR member. The only exception is legacy space that was never brought under RIR authority. rgds, SL
On Sun, 24 Mar 2019, Sascha Luck [ml] wrote: (...)
What do feelings have to do with NCC membership? There are many members of the RIPE NCC I'd rather not share the organisation with but that is not reason to deny them membership. :feelsbadman:
It was only a small point about "membership" -- which land registries don't have.
Also, i have read allegations about a "monopoly" regarding the service region. Afaik, there is a transfer market which contradicts the concept of said "monopoly" (i.e. can't get more addresses from the RIR, then go to the market).
that's not an "allegation", it is a STATEMENT OF FACT. The "ip address market" rgument is wholly invalid because the transfer policy clearly states that transfers can only happen to a RIR member. The only exception is legacy space that was never brought under RIR authority.
There you have it...... legacy space is part of that address market, hence no "monopoly". :-)) Regards, Carlos
rgds, SL
Carlos Friaças via anti-abuse-wg wrote on 24/03/2019 14:32:
Also, i have read allegations about a "monopoly" regarding the service region. Afaik, there is a transfer market which contradicts the concept of said "monopoly" (i.e. can't get more addresses from the RIR, then go to the market).
Hi Carlos, Competition legislation talks about concepts like "dominant position", not just strict monopolies. The RIPE NCC is the registry for the addressing market in the RIPE NCC service area, so you can't easily avoid dealing with the RIPE NCC if your business is located in the RIPE NCC service area and involves something to do with internet number resources and you want to exercise your fundamental right to conduct business. Also, this is only a complicating factor on top of the objections I raised to 2019-03 - although from a practical point of view, it likely causes catastrophic and inescapable problems for the principals behind the proposal. Nick
Hi, On Sun, 24 Mar 2019, Nick Hilliard wrote: (...)
Competition legislation talks about concepts like "dominant position", not just strict monopolies.
I sincerely hope the EU doesn't go after RIPE NCC due to this "dominant position".
The RIPE NCC is the registry for the addressing market in the RIPE NCC service area,
...and beyond, it seems. :-)) Something i need to find out is if the other four RIRs allow companies from outside their service region to request resources (IPv6 and ASNs mostly, nowadays...) on their region like RIPE NCC does.
so you can't easily avoid dealing with the RIPE NCC if your business is located in the RIPE NCC service area and involves something to do with internet number resources
Hmmmm... i do think you can also go to a LIR........ but then you don't get true "independence", which is a downside but it shouldn't be a complete show-stopper. I mean, *today* if company X stops paying RIPE NCC and loses assets (an IPv4 /22 and an IPv6 /32 maybe?) they can still go to any LIR that has that space available to rent an IPv4 /24 and a bunch of IPv6 /48s through a contract, right?
and you want to exercise your fundamental right to conduct business.
In the above case they would still exercise it, but not directly with the RIPE NCC.
Also, this is only a complicating factor on top of the objections I raised to 2019-03 - although from a practical point of view, it likely causes catastrophic and inescapable problems for the principals behind the proposal.
I need to re-read all your objections. Thanks for the reminder. Best Regards, Carlos
Nick
On Fri, 22 Mar 2019 17:13:20 +0000 Nick Hilliard <nick@foobar.org> wrote:
Regarding over-reach, the RIPE NCC was instituted as a numbering registry and as a supporting organisation for the RIPE Community, whose terms of reference are described in the RIPE-1 document. The terms of reference make it clear that the purpose of the RIPE Community and the RIPE NCC is internet co-ordination and - pointedly - not enforcement. Proposal 2019-03 goes well outside the scope of what the RIPE Community and the RIPE NCC were constituted to do, and I do not believe that the Anti Abuse working group has the authority to override this.
the wg is not overriding anything. 2019-03 is about removing resources, in much the same way as same resources would have been removed for payment. (RIPE NCC accounts person would "judge" that there was no payment and resources would be affected) Just because there is a decision it does not mean that such a decision is "law enforcement" or judicial. 2019-03 is administrative and not legal/law/judicial
The second point relates to the long term consequences of the proposal. If the RIPE Community were to pass this policy, then it would direct the RIPE NCC to act as both a judiciary and policing agency for internet abuse. Judgement and enforcement of behaviour are the competence of national governments, courts and law
No. You are saying the same thing, though eloquently, in a different way and trying to link it to some future potential hijacking by gov of RIR. It is not much of a decision that RIPE NCC has to make either as: 1. There was hijacking OR 2. There was no hijacking Whether it was accidental, ongoing for long period of time and all the other technical and scientific facts, this may require some sort of interpretation of facts. But, not whether it actually happened or not.
But, this is not how to handle the problem of BGP hijacking. Even if it had the slightest possibility of making any difference at a technical level (which it won't), the proposal would set the RIPE Community and the RIPE NCC down a road which I believe would be extremely unwise to take from a legal and political point of view, and which would be difficult, if not impossible to manoeuver out of.
ianal, NCC legal will surely evaluate the legal aspects, but practically every new shell company that has to deal with compliance and other issues is just another layer in the onion.
On Fri, 22 Mar 2019, Nick Hilliard wrote: (...)
Regarding over-reach, the RIPE NCC was instituted as a numbering registry and as a supporting organisation for the RIPE Community, whose terms of reference are described in the RIPE-1 document. The terms of reference make it clear that the purpose of the RIPE Community and the RIPE NCC is internet co-ordination and - pointedly - not enforcement.
Hi Nick, All, I understand you are talking about https://www.ripe.net/publications/docs/ripe-001 The word "enforcement" is not part of ripe-001. So, it's not explicitely written as something which is completely out of scope. The RIPE NCC (as a supporting organization) is already "enforcing" that people abide by rules (i.e. it's against the rules to provide falsified information, and even unresponsiveness may lead to a LIR closure -- that's what i read from RIPE-716, just to name a few). Best Regards, Carlos
participants (10)
-
ac -
Carlos Friaças -
Hank Nussbacher -
JORDI PALET MARTINEZ -
Niall O'Reilly -
Nick Hilliard -
Ronald F. Guilmette -
Sander Steffann -
Sascha Luck [ml] -
Suresh Ramasubramanian