2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Dear colleagues,

A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy Violation", is now available for discussion.

The goal of this proposal is to define that BGP hijacking is not accepted as normal practice within the RIPE NCC service region.

You can find the full proposal at: https://www.ripe.net/participate/policies/proposals/2019-03

As per the RIPE Policy Development Process (PDP), the purpose of this four-week Discussion Phase is to discuss the proposal and provide feedback to the proposer.

At the end of the Discussion Phase, the proposers, with the agreement of the Anti-Abuse WG co-chairs, decide how to proceed with the proposal.

We encourage you to review this proposal and send your comments to <anti-abuse-wg@ripe.net> before 17 April 2019.

Kind regards,

Marco Schmidt
Policy Officer
RIPE NCC

Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
Thanks Marco,

Discussion on the proposal has already started, which is great. I would remind all of those interested in participating to ensure they discuss the proposal as written and obviously to be polite in all things.

Finally, if you wish to support the proposal, please say so clearly, but remember, this isn't a vote, this is a process to establish if consensus exists to move the proposal forward. Similarly, if you disagree with the proposal, please say so clearly and preferably with details on your objections so they can be discussed by the proposer or incorporated to make a future version of the proposal better.

Thanks,

Brian
Co-Chair, RIPE AAWG

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
-----Original Message----- From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> On Behalf Of Marco Schmidt Sent: Tuesday 19 March 2019 12:41 To: anti-abuse-wg@ripe.net Subject: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
In message <E1h6E3W-00051F-BF@www-apps-1.ripe.net>, Marco Schmidt <mschmidt@ripe.net> writes
The goal of this proposal is to define that BGP hijacking is not accepted as normal practice within the RIPE NCC service region.
You can find the full proposal at: https://www.ripe.net/participate/policies/proposals/2019-03
<quote>
The announcement of unallocated address space to third parties is also considered a policy violation and is evaluated according to the same parameters.
</quote>

This is going to be somewhat challenging ... since there are a substantial number of well-known (and generally non-abusive) entities who are announcing unallocated address space, and in many cases they have been doing so for years on end.

I understand there is a mixture of long-term disputes about allocations; failures to keep contact addresses up to date (so that allocations are withdrawn); and doubtless also intentional usage of resources that have not been allocated.

Geoff Huston publishes a list on a daily basis:

http://www.cidr-report.org/as2.0/#Bogons

For the avoidance of doubt, I think it is most undesirable that any prefix appears on the list -- but I am pragmatic enough to accept that there are significant difficulties in dealing with the complexities which are behind those announcements.

BTW: Geoff Huston's data gathering exercise also identifies the usage of AS numbers that are not currently allocated. Again, much of this usage is very long standing, and failure to "grandfather it in" in some manner is likely to cause a substantial workload and the deeming of many legitimate companies to be in breach of RIPE norms -- which is going to tend to make the impact of the policy rather less than might be hoped.

That all said -- why does the proposed policy not address the misuse of AS numbers as well as the misuse of prefixes?

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
Hi,

Firstly, thanks for your valuable input!

Looking at Geoff's Bogons list, I understand "substantial". :-)

Maybe "have been doing so for years on end" can possibly be a factor to exclude from this proposal's scope in the next version. On the other hand, if the idea is to contribute to shorten that list (as you said, it is undesirable to see any prefix there) then a transition period might be needed.

The misuse of AS numbers was not seen (maybe until now...) as a frequent event (and thus a priority), but if someone is (mis)using an AS number that belongs to a third party, then it should also be stated in writing that this practice is a violation of RIPE policy -- and of course, allow a path for the affected party to issue a report about that.

Best Regards,
Carlos

On Tue, 19 Mar 2019, Richard Clayton wrote:
In message <alpine.LRH.2.21.1903192318300.2343@gauntlet.corp.fccn.pt>, Carlos Friaças <cfriacas@fccn.pt> writes
The misuse of AS numbers was not seen (maybe until now...) as a frequent event (and thus a priority),
Then you have not been looking at various announcements of Chinese address space and asking yourself whether or not you think that it is plausible or not that a large Chinese ISP would be buying transit for a small subset of their space from this small out-of-region hosting company :-(
but if someone is (mis)using an AS number that belongs to a third party, then it should also be stated in writing that this practice is a violation of RIPE policy -- and of course, allow a path for the affected party to issue a report about that.
AIUI the current discussion is intended to allow the proposer to refine what they are proposing...

... in a world where RPKI is gaining some traction, the misuse of AS numbers (to tag onto hijacked prefixes) is going to become more common. I can see no reason to separate out this wickedness.

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
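Both of the checks Richard refers to can be stated precisely in code. The script below is an added example, not the proposal's text and not code posted by anyone in this thread: it flags announcements that use unallocated prefixes or AS numbers (the cidr-report bogon cases from his first message) and runs RFC 6811 route origin validation against a set of ROAs, showing why an announcement that borrows the legitimate origin ASN at the end of its AS_PATH passes ROV unchanged, which is the AS-number misuse he expects to grow as RPKI is deployed. The allocations, ROAs and announcements are constructed from documentation prefixes and ASNs rather than taken from any registry, and the function names are mine.

```python
"""Classify a BGP announcement against registry allocations and RPKI ROAs.

Added example for this thread; it is not code from the RIPE proposal or
from any participant. Every allocation, ROA and announcement below is
constructed from documentation prefixes (RFC 5737 / RFC 3849) and
documentation ASNs (RFC 5398), not taken from any registry.
"""
from ipaddress import ip_network

# Constructed "registry": prefixes and ASNs an RIR has actually handed out.
ALLOCATED_PREFIXES = [
    ip_network("192.0.2.0/24"),
    ip_network("203.0.113.0/24"),
    ip_network("2001:db8::/32"),
]
ALLOCATED_ASNS = {64496, 64497, 64498}

# Constructed ROAs as (prefix, maxLength, origin ASN), the RFC 6482 triple.
ROAS = [
    (ip_network("192.0.2.0/24"), 24, 64496),
    (ip_network("203.0.113.0/24"), 25, 64497),
]


def _covers(container, net):
    """True when `container` is the same address family as `net` and contains it."""
    return container.version == net.version and net.subnet_of(container)


def bogon_reasons(prefix, as_path):
    """Reasons an announcement uses unallocated resources (the cidr-report
    'bogon' cases). An empty list means every prefix and ASN is allocated."""
    net = ip_network(prefix)
    reasons = []
    if not any(_covers(alloc, net) for alloc in ALLOCATED_PREFIXES):
        reasons.append(f"prefix {net} is not covered by any allocation")
    for asn in as_path:
        if asn not in ALLOCATED_ASNS:
            reasons.append(f"AS{asn} in the AS_PATH is not allocated")
    return reasons


def rov_state(prefix, origin_asn):
    """RFC 6811 route origin validation.

    NotFound: no ROA covers the prefix.
    Valid:    some covering ROA names this origin and permits this length.
    Invalid:  covering ROAs exist but none matches both origin and length.
    """
    net = ip_network(prefix)
    covering = [roa for roa in ROAS if _covers(roa[0], net)]
    if not covering:
        return "NotFound"
    if any(asn == origin_asn and net.prefixlen <= max_len
           for _, max_len, asn in covering):
        return "Valid"
    return "Invalid"


def classify(prefix, as_path):
    """Run both checks on one announcement; BGP puts the origin AS last."""
    return {
        "prefix": prefix,
        "as_path": list(as_path),
        "rov": rov_state(prefix, as_path[-1]),
        "bogon": bogon_reasons(prefix, as_path),
    }


# Constructed announcements, one per situation discussed in the thread.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64498, 64496]),         # legitimate origin
    ("192.0.2.0/24", [64498, 64497]),         # hijack using the hijacker's own ASN
    ("192.0.2.128/25", [64498, 64496]),       # more-specific hijack, exceeds maxLength
    ("192.0.2.0/24", [64498, 64497, 64496]),  # hijack that forges the real origin ASN
    ("198.51.100.0/24", [64498, 65551]),      # unallocated prefix and unallocated ASN
]

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        r = classify(prefix, path)
        print(f"{prefix:18} {path!s:24} ROV={r['rov']:8} bogon={r['bogon'] or 'none'}")
```

Run it directly for a table of the five constructed announcements. The forged-origin case comes out Valid with no bogon findings because ROV compares only the last ASN in the path against the ROA; origin validation on its own cannot tell a route collector that AS64497 had no business announcing that prefix, which is why misuse of a third party's AS number needs its own treatment, whether by path-level validation or by a registry process like the one under discussion.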
I agree that we could find a way to refine the text to include also the ASN hijacks.

Regards,
Jordi

On 20/3/19 12:10, "anti-abuse-wg on behalf of Richard Clayton" <anti-abuse-wg-bounces@ripe.net on behalf of richard@highwayman.com> wrote:

**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
In message <uCmYWiCn6UkcFAeG@highwayman.com>, you wrote:
This is going to be somewhat challenging ... since there are a substantial number of well-known (and generally non-abusive entities) who are announcing unallocated address space, and in many cases they have been doing so for years on end.
Yea. Ya know, this guy was also carrying on, "legitimately" for years and years, and everybody believed that what he was doing was perfectly legitimate, right up until the day when nobody did:

https://en.wikipedia.org/wiki/Bernie_Madoff

If it's not your assigned space, then it's not your assigned space. This isn't, like, complicated or anything.

For anyone who earnestly believes that coloring outside of the lines is in some cases acceptable, I'd like to see you try that by driving on the Wrong Side of the autobahn sometime. The lines are there for a reason.

Regards,
rfg

P.S. In my own country, there was in fact lots and lots of "open" land, about a century and a half ago or so, and cattlemen of that era did in fact graze, water and walk their herds on and across such lands routinely, and without paying anyone or anything for the privilege. If a majority of the RIPE community wants to have an IP equivalent of such "open range" grazing land, then so be it. I would just suggest that before deciding to support this, you all watch the movie "Open Range" with Kevin Costner and Robert Duvall and take note of the potential for homicidal conflict over the rights to use such open real estate before you decide to support this sort of thing. If nobody owns it but everyone is allowed to use it, havoc and mayhem have historically ensued.
On Tue, 19 Mar 2019, Richard Clayton wrote:

I see this as a start. This is proposing a radical change in our way of handling IP hijacking from today. Perhaps after a few years where people see that the Internet hasn't died and there is a vast reduction in BGP hijacks, we can then go to handle AS hijacking as well as unallocated IP address hijacking. Maybe what is being proposed will not work and will have no effect on the hijackers. Let's try it for 2 years in a limited capacity and if successful, we can always have a v2 or v3 which expands the scope to cover other issues.

Regards,
Hank
In message <E1h6E3W-00051F-BF@www-apps-1.ripe.net>, Marco Schmidt <mschmidt@ripe.net> wrote:
You can find the full proposal at: https://www.ripe.net/participate/policies/proposals/2019-03
Anyone who knows the first thing about me will know that I'm strongly in favor of the general thrust of this proposal, generally speaking. In fact I would only want to quibble with a few of the finer points of the implementation details.

With respect to those, I'd like to see there be a bit more formality (in the specification of the adjudication procedures), and a bit less (mandated) fooling around before any particular "deliberate" hijacker can be formally and finally kicked to the curb.

I have a lot of thoughts about how all this could be and should be structured and operated, but I don't want to bring in too much of that fine detail at this point in the discussion for fear that it might obscure the more fundamental question on the table, which is simply whether or not this is a good idea generally. (I personally think that it is.) So for now I'll just say that I think this proposal is on the Right Track generally, and that I think that it can be and should be revised and evolved to make all of the adjudication procedures transparent, faster, and yet still unarguably fair to those accused.

Mostly, I personally would like to see the time frames specified in the current draft tightened up (i.e. reduced) generally, and the entire process streamlined somewhat. These are not capital murder cases we are talking about after all!

Specifically, I think that it should be adequate to have there be a period of *no more than* two weeks, during which the case is argued, by both the accused and (perhaps) by an NCC staff member presenting the case for the prosecution, all in front (via email) of a smallish set of adjudicators (perhaps five, chosen by random lots), after which there should be a period of *no more than* one week of deliberation, and then a final judgement and report. And lastly, after that, I think that it would be more than sufficient if there were only one avenue of appeal, which would be to the RIPE Board, which would be required to decide any appeal within *no more than* four weeks.

In practice, I think that even these time frames will, in the end, be seen to have been excessively and pointlessly generous in virtually all actual cases. I am thinking back on all of the cases I have seen of deliberate hijacks, and there have been many of those. None of those cases was really very ambiguous at all, and none of them would have required more than a day or two, once all of the facts were gathered, to persuade any reasonable and knowledgeable observer of the truth of what had happened and/or its clearly deliberate nature. Nor would any of those who had been caught red-handed pulling this kind of nonsense ever be at all likely to appeal from the obvious facts. But due process is never something to be dispensed with lightly, and we should not do so in this instance. Thus, I agree that it *is* necessary to have a formal and fair process, including a right of appeal. I just hope that it can be moved along at a rather more rapid pace (even in the worst case) than what the proposal at hand is currently calling for.

Regards,
rfg
On Tue, 19 Mar 2019, Ronald F. Guilmette wrote: +1. -Hank
On Tue, 19 Mar 2019, Marco Schmidt wrote:

More or less I agree with the proposal. But what happens after a LIR is found to be in violation of the policy? RIPE NCC puts out a statement "LIR X is in violation of Policy nnnn"? So what? How does this policy assist in stopping the BGP hijack from taking place, even if it takes 1-2 months to handle the paperwork?

Regards,
Hank
Hi, On Wed, Mar 20, 2019 at 09:06:11AM +0200, Hank Nussbacher wrote:
On Tue, 19 Mar 2019, Marco Schmidt wrote:
More or less I agree with the proposal. But what happens after a LIR is found to be violation of the policy? RIPE NCC puts out a statement "LIR X is in violation of Policy nnnn"? So what? How does this policy assist stopping the BGP hijack from taking place, even if it takes 1-2 months to handle the paperwork?
Well, that's a subtle twist of the proposal not actually spelled out - a LIR found to be in violation of RIPE policies is breaking their contract with the NCC (the SSA) and as such can be closed and their resources withdrawn.

So that's a fairly effective way to sanction abusive behaviour.

(I haven't decided whether I think this is going to work or do harm, so I'm not voicing support or opposition on the proposal itself)

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
On Wed, 20 Mar 2019, Gert Doering wrote:
Hi,
On Wed, Mar 20, 2019 at 09:06:11AM +0200, Hank Nussbacher wrote:
On Tue, 19 Mar 2019, Marco Schmidt wrote:
More or less I agree with the proposal. But what happens after a LIR is found to be violation of the policy? RIPE NCC puts out a statement "LIR X is in violation of Policy nnnn"? So what? How does this policy assist stopping the BGP hijack from taking place, even if it takes 1-2 months to handle the paperwork?
Well, that's a subtle twist of the proposal not actually spelled out - a LIR found to be in violation of RIPE policies is breaking their contract with the NCC (the SSA) and as such can be closed and their resources withdrawn.
So that's a fairly effective way to sanction abusive behaviour.
The amount of time that will transpire from the time of abuse and a LIR closed and their resources withdrawn can well be in excess of a year if not two years. Is that the end result we are looking for? -Hank
(I haven't decided whether I think this is going to work or do harm, so I'm not voicing support or opposition on the proposal itself)
Gert Doering -- NetMaster
Hi, On Wed, Mar 20, 2019 at 09:53:02AM +0200, Hank Nussbacher wrote:
So that's a fairly effective way to sanction abusive behaviour.
The amount of time that will transpire from the time of abuse and a LIR closed and their resources withdrawn can well be in excess of a year if not two years.
Is that the end result we are looking for?
I would hope that *having* a way to sanction abusive behaviour would deter criminals from doing so in the first place. Today, not enough people care, and playing havoc with BGP (intentional or accidental) has hardly any consequences at all.

OTOH, these are the questions that make me undecided on the proposal :-)

Gert Doering
-- NetMaster
I agree two years are long. But if we assume it's always the same few black sheep that engage in this activity, then it's worth going that route. If that is not the case, then I would suggest to change the termination process in a second step. We would then have good arguments supporting this. Typically, trying to pack too much in one change triggers rejection.

Cheers
Serge

On 20.03.19 08:57, Gert Doering wrote:
-- Dr. Serge Droz Member of the FIRST Board of Directors Senior Advisor https://www.first.org https://www.ict4peace.org
On Wed, 20 Mar 2019, Gert Doering wrote:
Hi,
On Wed, Mar 20, 2019 at 09:53:02AM +0200, Hank Nussbacher wrote:
So that's a fairly effective way to sanction abusive behaviour.
The amount of time that will transpire from the time of abuse and a LIR closed and their resources withdrawn can well be in excess of a year if not two years.
Is that the end result we are looking for?
I would hope that *having* a way to sanction abusive behaviour would deter criminals from doing so in the first place. Today, not enough
I think we have different expectations from criminals. I view the criminals as ones who analyze every RFC and every standard to determine where they can be abused or manipulated for their benefit. A sanction that would be implemented 18 months later would allow the evil LIR enough time to sell their resources to some other LIR such that they would not lose such resources.

-Hank
people care, and playing havoc with BGP (intentional or accidental) has hardly any consequences at all.
OTOH, these are the questions that make me undecided on the proposal :-)
Gert Doering -- NetMaster
On Wed, 20 Mar 2019 10:15:06 +0200 (IST) Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
I think we have different expectations from criminals. I view the criminals as ones who analyze every RFC and every standard to determine where they can be abused or manipulated for their benefit. A sanction that would be implemented 18 months later would allow the evil LIR enough time to sell their resources to some other LIR such that they would not lose such resources.

-Hank
+1. See this with many other types of abuse, for example email abuse: DKIM means nothing (is a complete waste of time) and SPF is useless (unless the TXT contains an "-"), etc. etc.
people care, and playing havoc with BGP (intentional or accidental) has hardly any consequences at all.
OTOH, these are the questions that make me undecided on the proposal :-)
+1
Gert Doering -- NetMaster
On Wed, 20 Mar 2019, Hank Nussbacher wrote: (...)
I think we have different expections from criminals. I view the criminals as ones who analyze every RFC and every standard to determine where they can be abused or manipulated for their benefit. A sanction that would be implemented 18 months later would allow the evil LIR enough time to sell their resources to some other LIR such that they would not lose such resources.
-Hank
Hi, Afaik, transfers are traceable. Not sure if they can be "reverted", but if LIR A transfers to LIR B, and if it is possible to establish that the same entity/org controls LIR A and LIR B, this should only be a matter of filing a report with all the details (referencing LIR A and B). Regards, Carlos
Hi Hank,

On 20/3/19 9:15, "anti-abuse-wg on behalf of Hank Nussbacher" <anti-abuse-wg-bounces@ripe.net on behalf of hank@efes.iucc.ac.il> wrote:

On Wed, 20 Mar 2019, Gert Doering wrote:
(...)

I think we have different expectations from criminals. I view the criminals as ones who analyze every RFC and every standard to determine where they can be abused or manipulated for their benefit. A sanction that would be implemented 18 months later would allow the evil LIR enough time to sell their resources to some other LIR such that they would not lose such resources.

-Hank

I can figure several possible ways to avoid that.

1) Contractual (not sure if this can be done in a policy) changes to indicate that in case of a policy violation, the account becomes frozen immediately, until actions to close the account are completed.

2) A modification to the transfers policy that indicates that no transfers can be initiated if any of the parties are involved in an investigation for policy violation.

3) A specific policy about implications of policy violations.

If instead of that we want explicit text about that in this policy proposal, that means possibly a way for slowing down the process, which at the time being it seems to me there is a major agreement in favor of doing something.

Furthermore, having explicit text here means that other policy violations need to have their own way, and I think we must have a single path for resolving those issues, not one for each possible policy violation case.

Does that make sense?

Can we agree that it will be better to have this discussion in a separate thread/policy proposal, in order to avoid this being a show-stopper for this policy proposal? Would the chairs allow that thread in this list or suggest an alternative WG for a possible policy proposal?

If we reach the conclusion that we should go for a specific policy proposal kind of "sanctions in case of policy violations", I will be happy to work on that, but I will prefer not being alone and have other co-authors involved as well.

The IPv6 Company
On Wed, 20 Mar 2019, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

> Can we agree that it will be better to have this discussion in a separate thread/policy proposal, in order to avoid this to be a show-stopper for this policy proposal?

Anything that advances the current situation is better than what we have now. Don't let any warts I raise be seen as a showstopper.

-Hank
Jordi,

> -----Original Message-----
> From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> On Behalf Of
>
> Can we agree that it will be better to have this discussion in a separate thread/policy proposal, in order to avoid this to be a show-stopper for this policy proposal?
>
> Would the chairs allow that thread in this list or suggest an alternative WG for a possible policy proposal?

Good question, but I think that any policy dealing with changing how the NCC should react to policy violations will be... complex. I also don't think AA-WG is the right place for such a general policy. So if you, as the author, don't wish to insert it into your policy (and I can understand your reasoning fully), then I think a separate policy, likely pointed towards somewhere like NCC Services would be more apt.

I would caution that such things are likely to have a large interaction with/involvement of the NCC Membership, where such discussions have been very divided in the past. I think you and many other people are aware of this, but I just wanted to flag it.

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
Hi Brian,

I'm fine moving that thread to NCC Services and I know how complex that will be.

So, repeating my question to all the participants here:

Can we agree at least that we should not have text regarding that in the policy proposal under discussion (also considering Brian's input)?

I hope everybody understands my insistence on this as the authors need to have a clear community feeling on that for our new version.

Regards,
Jordi

On 20/3/19 10:27, "anti-abuse-wg on behalf of Brian Nisbet" <anti-abuse-wg-bounces@ripe.net on behalf of brian.nisbet@heanet.ie> wrote:

> Jordi,
>
> > Would the chairs allow that thread in this list or suggest an alternative WG for a possible policy proposal?
>
> Good question, but I think that any policy dealing with changing how the NCC should react to policy violations will be... complex. I also don't think AA-WG is the right place for such a general policy. So if you, as the author, don't wish to insert it into your policy (and I can understand your reasoning fully), then I think a separate policy, likely pointed towards somewhere like NCC Services would be more apt.
>
> I would caution that such things are likely to have a large interaction with/involvement of the NCC Membership, where such discussions have been very divided in the past. I think you and many other people are aware of this, but I just wanted to flag it.
>
> Brian
> Co-Chair, RIPE AA-WG
I agree to keep it separate.

-- Pavel

On 20. 03. 19 10:45, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

> Can we agree at least that we should not have text regarding that in the policy proposal under discussion (also considering Brian input)?
On Wed, 20 Mar 2019, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

> Can we agree at least that we should not have text regarding that in the policy proposal under discussion (also considering Brian input)?

+1.

-Hank
In message <alpine.LRH.2.21.1903201011190.23614@noc.ilan.net.il>, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
> I view the criminals as ones who analyze every RFC and every standard to determine where they can be abused or manipulated for their benefit. A sanction that would be implemented 18 months later would allow the evil LIR enough time to sell their resources to some other LIR such that they would not lose such resources.

That's a good (and non-obvious) point! So, during any "review" process for any accused/alleged hijacker, the resources of that (alleged) hijacker must be frozen... with respect to transfers... until the matter has been adjudicated, one way or the other.

Regards,
rfg
Hi Hank,

On 20/3/19 8:53, "anti-abuse-wg on behalf of Hank Nussbacher" <anti-abuse-wg-bounces@ripe.net on behalf of hank@efes.iucc.ac.il> wrote:

> On Wed, 20 Mar 2019, Gert Doering wrote:
>
> > Hi,
> >
> > On Wed, Mar 20, 2019 at 09:06:11AM +0200, Hank Nussbacher wrote:
> > > On Tue, 19 Mar 2019, Marco Schmidt wrote:
> > >
> > > More or less I agree with the proposal. But what happens after a LIR is found to be in violation of the policy? RIPE NCC puts out a statement "LIR X is in violation of Policy nnnn"? So what? How does this policy assist stopping the BGP hijack from taking place, even if it takes 1-2 months to handle the paperwork?
> >
> > Well, that's a subtle twist of the proposal not actually spelled out - a LIR found to be in violation of RIPE policies is breaking their contract with the NCC (the SSA) and as such can be closed and their resources withdrawn.
> >
> > So that's a fairly effective way to sanction abusive behaviour.
>
> The amount of time that will transpire from the time of abuse and a LIR closed and their resources withdrawn can well be in excess of a year if not two years.
>
> Is that the end result we are looking for?

If we believe that this is an excessive period of time, we can always draft another policy that allows reclaiming resources in case of policy violation in a faster way.

In LACNIC there is one for that, I think following that policy will take less than 6 months, and of course that can be improved/tailored to our wishes as a community.

However, I think it is a separate discussion.

Regards,
Jordi

> -Hank
>
> > (I haven't decided whether I think this is going to work or do harm, so I'm not voicing support or opposition on the proposal itself)
> >
> > Gert Doering
> > -- NetMaster
In message <2EE0A058-8601-4A14-A87A-675B8AC94521@consulintel.es>, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:
> If we believe that this is an excessive period of time, we can always draft another policy that allows reclaiming resources in case of policy violation in a faster way.
>
> In LACNIC there is one for that, I think following that policy will take less than 6 months, and of course that can be improved/tailored to our wishes as a community.
>
> However, I think it is a separate discussion.

Could some kind soul please poke me in the ribs and wake me up when it is time for THAT discussion? Because I really would like to participate in that one. In all of the apartments I've ever rented in my life, if you violated the rules then you would be out on your ear in three days. I've always felt that was fair and appropriate.

Regards,
rfg
On Wed, Mar 20, 2019 at 01:00:24PM -0700, Ronald F. Guilmette wrote:
> In all of the apartments I've ever rented in my life, if you violated the rules then you would be out on your ear in three days.

This is a horrible analogy. If there was only one provider of apartments in your region and every violation of "the rules" would result in homelessness, I would be willing to bet that whoever made that policy would be swinging from a street lamp in very short order.

rgds,
Sascha Luck
On Wed, 20 Mar 2019, Sascha Luck [ml] wrote:

> On Wed, Mar 20, 2019 at 01:00:24PM -0700, Ronald F. Guilmette wrote:
> > In all of the apartments I've ever rented in my life, if you violated the rules then you would be out on your ear in three days.
>
> This is a horrible analogy.

Allow me to disagree. It's an excellent analogy. Rules broken = finito. But this is not what is being proposed. We are trying to propose due process, allowing for any claim to be looked into, confirmed, appealed and ratified. However, the main point is that _today_ hijacking is NOT against any RIPE active policy -- so there is absolutely no consequence.

> If there was only one provider of apartments in your region and every violation of "the rules" would result in homelessness, I would be willing to bet that whoever made that policy would be swinging from a street lamp in very short order.

Or people would move to a different region. <irony> Perhaps to a region where contracts were just something useless, and rules are written just for the fun of it -- because their purpose is to be worthless anyway... </irony>

Regards,
Carlos

> rgds,
> Sascha Luck
In message <20190320221450.GS99066@cilantro.c4inet.net>, "Sascha Luck [ml]" <aawg@c4inet.net> wrote:

> On Wed, Mar 20, 2019 at 01:00:24PM -0700, Ronald F. Guilmette wrote:
> > In all of the apartments I've ever rented in my life, if you violated the rules then you would be out on your ear in three days.
>
> This is a horrible analogy.

I'm not persuaded that it is. Here on this side of the pond we do not, in general, suffer fools gladly -or- coddle troublemakers, especially when it comes to private commercial contractual arrangements, which is, after all, what all of the relations between RIPE and its members actually are. In this country, at least, nobody is "entitled" to an apartment, any more than anyone is entitled to their own block of IP addresses. These things are *not* sacred "rights" which devolve upon every citizen from the generosity of some unseen creator. They are rather commodities, acquired via non-governmental private transactions, and ones which must be either paid for or dispensed with, and to which certain reasonable restrictions on use may apply.

> If there was only one provider of apartments in your region...

Fortunately this hypothetical does not actually apply, either to apartments in my local community or to IP addresses on planet earth, and thus it does not seem worthy of further exploration.

Regards,
rfg
On Wed, Mar 20, 2019 at 05:09:42PM -0700, Ronald F. Guilmette wrote:
> I'm not persuaded that it is. Here on this side of the pond we do not, in general, suffer fools gladly -or- coddle troublemakers, especially when it comes to private commercial contractual arrangements, which is, after all, what all of the relations between RIPE and its members actually are.

Inevitably followed by a multi-year, multi-instance lawsuit. Assuming you have the wherewithal to afford the law. We, in the RIPE NCC Service Region, have so far avoided this and the relations between the NCC and the members have been mostly congenial. If the NCC gets turned into a drumhead court-martial, this will change and I, for one, would not welcome this change.

> > If there was only one provider of apartments in your region...
>
> Fortunately this hypothetical does not actually apply, either to apartments in my local community or to IP addresses on planet earth, and thus it does not seem worthy of further exploration.

Am I writing in Old Enochian that even the simplistic concept of Service Regions is not understood? In the RIPE NCC Service Region, the RIPE NCC is the only provider for internet resources. Full Stop. An Alphabet Inc. or Facebook can get resources all over the world. Joe Bloggs ISP Ltd can NOT.

rgds,
SL

> Regards,
> rfg
In message <20190321003924.GX99066@cilantro.c4inet.net>, "Sascha Luck [ml]" <aawg@c4inet.net> wrote:

> Inevitably followed by a multi-year, multi-instance lawsuit. Assuming you have the wherewithal to afford the law. We, in the RIPE NCC Service Region, have so far avoided this and the relations between the NCC and the members have been mostly congenial. If the NCC gets turned into a drumhead court-martial, this will change and I, for one, would not welcome this change.

Setting aside the colorful imagery, I can only observe that your prescient ability to predict the future is exceeded only by your evident humility with regards to your ability to do so.

Regards,
rfg
On Thu, 21 Mar 2019, Sascha Luck [ml] wrote:
(...)
> Am I writing in Old Enochian that even the simplistic concept of Service Regions is not understood? In the RIPE NCC Service Region, the RIPE NCC is the only provider for internet resources. Full Stop. An Alphabet Inc. or Facebook can get resources all over the world. Joe Bloggs ISP Ltd can NOT.

Oh, but they can. Through the transfer market.

Carlos

> rgds,
> SL
Hi,

To me, 1 year or even two is way better than "infinite". (i.e. nothing happens. ever.)

The current lack of policy in this regard is allowing for (intentional) hijackers to remain associated (through the RIPE NCC Association) with other members.

Isn't this something we should try to change?

I honestly don't see "speed" as a critical factor, and I also hope that if this gets in place more networks will be able to export their routing view, so that global routing security improves a bit.

Of course there is RPKI, MANRS and so on, but I do believe something should be in place at policy level.

Best Regards,
Carlos

On Wed, 20 Mar 2019, Hank Nussbacher wrote:
> The amount of time that will transpire from the time of abuse and a LIR closed and their resources withdrawn can well be in excess of a year if not two years.
>
> Is that the end result we are looking for?
>
> -Hank
On Wed, 20 Mar 2019, Carlos Friaças wrote:

> To me, 1 year or even two is way better than "infinite". (i.e. nothing happens. ever.)

True. Agreed.

-Hank
Hi, I agree that this kind of policy should be in place. However, I would like to see some repercussion sooner than in one year. -- Pavel
In message <alpine.LRH.2.21.1903200903330.23614@noc.ilan.net.il>, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
More or less I agree with the proposal. But what happens after a LIR is found to be violation of the policy? RIPE NCC puts out a statement "LIR X is in violation of Policy nnnn"? So what? How does this policy assist stopping the BGP hijack from taking place, even if it takes 1-2 months to handle the paperwork?
I've been trying to think about how the mechanics of a truly effective and efficient policy addressing hijacking would, could, or should work, in practice. As I've already said, I'm very much in favor of the general idea of introducing some discipline, so that deliberate hijackers don't get a free pass. Beyond that however there's an awful lot to think about when it comes to how to make this all work, in practice. Two obvious considerations are (1) how to make the process as expeditious as possible while still providing accused parties with due process and a fair chance to be heard, and (2) how to make the process cost efficient... because I don't see there as being any "white knight" who is going to show up to pay for any of this.
It occurred to me last night that one possible pre-existing model of a speedy and efficient dispute resolution policy that might serve as a model of how all this could be done, quickly and cheaply, is ICANN's Uniform Domain Name Dispute Resolution Policy (UDRP): https://en.wikipedia.org/wiki/Uniform_Domain-Name_Dispute-Resolution_Policy
The whole point of this policy was to provide a quick and efficient way to resolve disputes, at least those relating to domain names, short of actually going into court. From the Wikipedia page:
The goal of the UDRP is to create a streamlined process for resolving such disputes. It was envisioned that this process would be quicker and less expensive than a standard legal challenge. The costs to hire a UDRP provider to handle a complaint often start around US$1,000 to $2,000.
When considering cases of IP block hijacking, I need to say that I don't actually see a need for "experts" per se. In most of the actual cases I've seen, the facts are fairly plain and apparent. Property is property, and ownership is ownership, even when it comes to the intangible real estate of the Internet, and if someone comes to your house, bulldozes it, and puts a freeway where it used to be, then you have a pretty clear basis for complaint.
In short, I do believe that the arbitration panels used in cases where the ICANN UDRP process is employed would be adequate to the task of sorting out whether some RIPE member had or had not been deliberately hijacking IP space. It's just not really that technically complicated to see what's really going on in these instances.
Other than that, the only thing standing in the way of using a process modeled on the UDRP process for quickly and efficiently adjudicating a case of alleged IP block hijacking is the cost. Who would pay? I've found and brought to public attention a few hijacks in my time, and in most or all of these cases, I would have been happy to have been the "prosecutor" presenting the case (and in effect, I actually was) but I'm not at all keen on the notion of -me- shelling out $1,000-$2,000 (USD) to expeditiously resolve any such case. And I don't know anyone else who would be eager to do this either. So obviously, that's a rather big fly in the ointment.
Justice is good. Justice is admirable. But like many good things, it may have a finite and non-zero cost. So who would pay for the justice sought, assuming that a policy based on UDRP were adopted (using outside arbitrators) for adjudicating these matters? I have no answer to that, but felt that it might be of value to put forward the general idea, and the question.
Regards, rfg
On Tue, Mar 19, 2019 at 1:42 PM Marco Schmidt <mschmidt@ripe.net> wrote:
A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy Violation", is now available for discussion.
You can find the full proposal at: https://www.ripe.net/participate/policies/proposals/2019-03
From the policy: "The RIPE NCC will define a pool of worldwide experts who can assess whether reported BGP hijacks constitute policy violations. Experts from this pool will provide a judgement regarding each reported case, no later than four weeks from the moment the report was received."
This seems like a reasonable approach, but I still worry about the possibility of abuse of the policy.
As a hypothetical example: I'm AS1. I'm in a feud with Job (he called my hat ugly...) who runs AS2, and is a peer of mine. I decide to get even by announcing all sorts of address space, and prepending AS2 to the announcements. I then report Job as a hijacker.
"Networks Affected": AS1, AS17, AS1234
"Offender ASN": AS2
"Hijacked Prefixes": [ long list of things ]
"Timespan": last Thursday, 8:00AM.
Yes, in this case it won't be too hard to figure out it was me, but I do see that this could be abused in various ways.
Please note, I *really* support the proposal, but care will need to be taken to watch for false-flag operations, and the experts should take care to watch for this possibility. I'm also a bit concerned about the initial workload for the experts...
W
-- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
Hello, Warren, thanks for your input. What you described also crossed my mind, but as you said "it won't be too hard to figure out". And when everything is made clear, if a report is filed against AS1, AS1's holder might have a problem, so I see a strong reason for not even trying :-)
I also want to stress that the main idea is to have a proper set of checks & balances, so an appeal is always possible, and as a last safeguard the RIPE NCC Board can decide not to ratify the experts' conclusions.
Also, routing data from last year, 2 years ago and so on (or from today...) will not be eligible to draw conclusions about any case, so if the policy is approved, the initial workload will depend on received reports with a very short timeframe of routing datasets.
Best Regards, Carlos
And when everything is made clear, if a report is filed against AS1, AS1's holder might have a problem, so I see a strong reason for not even trying :-)
Out of interest, take an AS1 with a single malicious upstream AS2: what stops AS2 from pretending that AS1 has made bogus announcements and making them for its own purposes? This situation looks pretty real without RPKI or other advertisement strengthening methods, as far as I can see. How are experts supposed to behave in this situation?
That's an extra incentive for AS1 to create its ROAs properly...? :-)) What you describe is a supplier/customer relation. If the supplier is malicious, the customer can also file a report about the supplier's actions, and of course, if they are in conflict, AS1 can declare through its aut-num that it has no relation with AS2 anymore, and that should catch the experts' eye... Cheers, Carlos
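Warren's false-flag hypothetical above and Carlos's point about creating ROAs properly both come down to what RPKI Route Origin Validation can and cannot tell an investigator. The following is an added example, not code from anyone in this thread or from RIPE NCC: it implements the RFC 6811 classification (valid / invalid / not-found) over constructed ROAs and constructed collector routes that use documentation prefixes and ASNs, including the shape where AS1 appends AS2 so that AS2 appears as the origin.

```python
"""RPKI Route Origin Validation (RFC 6811) on constructed announcements.

Added example for this thread, not code from any poster or from RIPE NCC.
All ROAs and routes below are constructed: documentation prefixes
(RFC 5737, RFC 3849), the AS1/AS2 of the hypothetical, and documentation
ASNs (RFC 5398).
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorisation: prefix, authorised origin, maxLength."""
    prefix: str
    asn: int
    max_length: Optional[int] = None  # None means "equal to the prefix length"

    def effective_max_length(self) -> int:
        net = ip_network(self.prefix)
        return self.max_length if self.max_length is not None else net.prefixlen

    def covers(self, route) -> bool:
        """True if this ROA's prefix covers the announced route (same family)."""
        roa_net = ip_network(self.prefix)
        return route.version == roa_net.version and route.subnet_of(roa_net)


def origin_as(as_path: List[int]) -> int:
    """The origin AS is the rightmost element of AS_PATH (AS_SETs not modelled)."""
    if not as_path:
        raise ValueError("empty AS_PATH")
    return as_path[-1]


def validate(prefix: str, as_path: List[int], roas: List[ROA]) -> str:
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811, section 2)."""
    route = ip_network(prefix)
    covering = [r for r in roas if r.covers(route)]
    if not covering:
        return "not-found"          # no ROA says anything about this prefix
    origin = origin_as(as_path)
    for roa in covering:
        if roa.asn == origin and route.prefixlen <= roa.effective_max_length():
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific


# Constructed ROAs: who is authorised to originate which documentation space.
CONSTRUCTED_ROAS = [
    ROA("192.0.2.0/24", 64496),                    # AS64496, the /24 only
    ROA("198.51.100.0/24", 64497, max_length=25),  # AS64497, /24 and /25s
    ROA("2001:db8::/32", 64496, max_length=48),
]

# Constructed routes as a collector might see them: (prefix, AS_PATH).
CONSTRUCTED_ROUTES = [
    ("192.0.2.0/24", [64500, 64496]),     # legitimate origin
    ("192.0.2.0/24", [1, 2]),             # false-flag shape: AS1 appends AS2 as origin
    ("198.51.100.0/25", [64500, 64497]),  # within maxLength
    ("198.51.100.0/26", [64500, 64497]),  # too specific for the ROA
    ("203.0.113.0/24", [64500, 64498]),   # no ROA at all
    ("2001:db8:1::/48", [64500, 64496]),  # IPv6, within maxLength
]


def classify_all(routes=CONSTRUCTED_ROUTES,
                 roas=CONSTRUCTED_ROAS) -> List[Tuple[str, int, str]]:
    """Return (prefix, origin AS, ROV state) for every route."""
    return [(p, origin_as(path), validate(p, path, roas)) for p, path in routes]


if __name__ == "__main__":
    for prefix, origin, state in classify_all():
        print(f"{prefix:<20} origin AS{origin:<6} -> {state}")
```

ROV marks the false-flag announcement invalid because AS2 holds no ROA for the prefix, but it attributes the origin to AS2; which neighbour actually injected the route has to come from the paths themselves, where every copy enters via AS1.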
This has been seen many times, even chain situations like

<upstreams and peers> - AS X
                             \
                              AS 3 - AS 2 - AS 1
                             /
<upstreams and peers> - AS Y

where X and Y are legitimate ISPs, while {1,2,3} is basically a single rogue entity - or a set of rogue entities closely working together with a common criminal goal.
In such a setup, AS 1 should be considered as the most "throw-away" resource, while AS 3 would play the "customer of customer, not my business" role, and AS 2 would play the "I notified my customer and will disconnect them if they continue" role. When AS 1 is burnt, a new one is made - with new people as contacts, new IP addresses, etc, so that no obvious correlation can be made. Most of the bad guys' infrastructure is in AS 3 and that remains pretty stable because their bad nature can not be easily demonstrated.
Whatever set of rules is made against hijacking, it should be assumed that these groups will do everything to get around those rules, and many AS's can be used to this end. Since there is no shortage of AS numbers, I assume that anybody can get one easily so they can change them as if they were underwear.
And yes, unallocated AS's in the AS 1 position, announcing unallocated IPs, have also been seen. Those are even easier to get :-)
So the ideal scheme to counteract BGP hijacking should be able to climb up the BGP tree in some way, until "real" ISPs are reached.
Nice discussion!
furio ercolessi
This policy is a trifle late though. This same setup kept getting used to route whole /14s a few years back. I wonder what poor soul has those ranges now. --srs
Hi Furio, If we can find a non-contentious way to word it, I will be in favor of this. Note that in order to speed up the conversation, the co-authors are not coordinating responses, so I mean we don't necessarily agree, but this is part of the fun of this discussion! Regards, Jordi
In message <842FCFC4-B8E0-49CA-829A-4A5CDF44C7BD@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> writes
This has been seen many times, even chain situations like

<upstreams and peers> - AS X
                             \
                              AS 3 - AS 2 - AS 1
                             /
<upstreams and peers> - AS Y

by the way, when I see AS 2 or 3 at the end of a path I immediately assume that someone has been confused by the syntax of their router and meant to generate "64496 64496 64496" but instead generated "64496 3". The opposite error tends to create very long (but non-hijacking) AS paths which occasionally cause operational problems. -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
On this line of one ISP trying to do damage to another. One might abuse a vulnerable router (there are thousands out there), create a tunnel to it and announce hijacked blocks originated from the victim's ASN. Both the victim ASN and the vulnerable router's owner would be damaged, with no trace of the criminal. How could they defend themselves before the so-called group of experts? And things along this line have happened already. Regards,
Hi Ricardo,
I've the feeling that if you're attacked, you will have some forensic info about that, or at least you will need to place a claim with the authorities to prove it and try to minimize your responsibilities, like in the case of a GDPR breach, etc.
In fact, if you haven't realized it and are still under attack, this kind of policy will help you to:
1) Know that your network is being misused by others
2) Engage with the community about that
3) Take the opportunity to learn about how to avoid it
I'm convinced there are sufficient opportunities through the process to avoid creating trouble for innocents:
1st initial NCC validation of the info provided
2nd experts' evaluation
3rd your response to the experts' report
4th appeal
5th Board ratification
I also believe that when what you describe happens, it will happen to several folks (not necessarily at the same time), so experts will consider it. You don't think so?
Remember that in the extreme case (this is just life, whether we like it or not), if you are responsible for a network and it is being misused "because you did your job incorrectly", you are still responsible for the harm caused and even legal consequences and damages to third parties. If it was a vulnerability from the vendor, you can sue them as well.
Regards, Jordi
Hi, If someone falls in this case, i would expect them to be able to export logs into a different (preferably non-hacked) system, to facilitate an audit in case this is needed... ;-) The spirit of this proposal is to value the core purpose of having a RIR, which is hindered by hijacks. In my interpretation, someone which has his/her router hacked didn't knowingly violate the policy, because he/she didn't actually enable the config changes that generated the hijack. The attacker will then be responsible for generating the hijack, and thus the policy violation... Regards, Carlos On Wed, 20 Mar 2019, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
Hi Ricardo,
I've the feeling that if you're attacked, you will have some forensic info about that, or at least you will need to place a claim to authorities to probe it and try to minimize your responsibilities, like in the case of GDPR breach, etc..
In fact, if you haven't realized it and still under attack, this kind of policy will help you to: 1) Know that your network is being misused by others 2) Engage with the community about that 3) Take the opportunity to learn about how to avoid it
I'm convinced there are sufficient oportunities, thru the process to avoid creating a trouble to innocents: 1st initial NCC validation of the info provided 2nd experts evaluation 3rd your response to the expert's report 4th appeal 5th Board ratification
I also believe that when what you describe happens, it will happen to several folks (not neccesarily at the same time), so experts will consider it. You don't think so?
Remember that in the extreme case (this is just life, we like it or not), if you are responsible for a network and is being missused "because you did your job incorrectly", you are still reponsible for the harm caused and even legal consecuences and damages to third parties. If it was a vulnerabilty from the vendor, you can sue him as well.
Regards, Jordi
El 20/3/19 14:36, "anti-abuse-wg en nombre de Ricardo Patara" <anti-abuse-wg-bounces@ripe.net en nombre de ricpatara@gmail.com> escribió:
On this line of one ISP trying to make damage to other.
One might abuse a vulnerable router (thousand out there), create a tunnel to it and announce hijacked blocks originated from victims ASN.
Both, victim ASN and vulnerable router owner, would be damaged and no traces of criminal. How could they defend themselves to the so called group of experts?
And things in this line had happened already.
Regards,
On 20/03/2019 07:46, furio ercolessi wrote:
On Wed, Mar 20, 2019 at 11:01:30AM +0300, Andrey Korolyov wrote:
And when everything is made clear, if a report is filed against AS1, AS1's holder might have a problem, so i see a strong reason for not even trying :-)
Out of interest, take an AS1 with single malicious upstream AS2, what stops AS2 to pretend that AS1 has made bogus announcements and make them for its own purposes? This situation looks pretty real without RPKI or other advertisement strengthening methods, as I could see. How experts are supposed to behave in this situation?
This has been seen many times, even chain situations like
<upstreams and peers> - AS X \ AS 3 - AS 2 - AS 1 / <upstreams and peers> - AS Y
where X and Y are legitimate ISPs, while {1,2,3} is basically a single rogue entity - or a set of rogue entities closely working together with a common criminal goal.
In such a setup, AS 1 should be considered as the most "throw-away" resource, while AS 3 would play the "customer of customer, not my business" role, and AS 2 would play the "I notified my customer and will disconnect them if they continue" role. When AS 1 is burnt, a new one is made - with new people as contacts, new IP addresses, etc, so that no obvious correlation can be made. Most of the bad guys' infrastructure is in AS 3 and that remains pretty stable because their bad nature cannot be easily demonstrated.
Whatever set of rules is made against hijacking, it should be assumed that these groups will do everything to get around those rules, and many AS's can be used to this end. Since there is no shortage of AS numbers, I assume that anybody can get one easily so they can change them as if they were underwear.
And yes, unallocated AS's in the AS 1 position, announcing unallocated IPs, have also been seen. Those are even easier to get :-)
So the ideal scheme to counteract BGP hijacking should be able to climb up the BGP tree in some way, until "real" ISPs are reached.
Nice discussion!
furio ercolessi
********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
In message <5B88D40A-EFA2-41ED-831E-B9FD14F3637E@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> writes
I've the feeling that if you're attacked, you will have some forensic info about that,
That may not be the case -- I saw a number of hijacks last summer of US university address space where the university was entirely unaware of the issue until I told them, and even when I did there was no data that they could usefully gather about the event from their own systems. Might I ask how many BGP hijacks of your own prefixes have you (a) identified or (b) investigated ?
In fact, if you haven't realized it and are still under attack, this kind of policy will help you to:
1) Know that your network is being misused by others
2) Engage with the community about that
3) Take the opportunity to learn about how to avoid it
I don't think any of those three things are true :-(
I also believe that when what you describe happens, it will happen to several folks (not necessarily at the same time), so experts will consider it. You don't think so?
For some types of hijack yes, for others no.
Remember that in the extreme case (this is just life, whether we like it or not), if you are responsible for a network and it is being misused "because you did your job incorrectly", you are still responsible for the harm caused and even legal consequences and damages to third parties. If it was a vulnerability from the vendor, you can sue him as well.
An aspect of this which has not been discussed is how the policy should be worded so as to make clear that one-off fat-finger events, however newsworthy (and they often are), are not going to be treated in the same way as deliberate hijacks of address space by actors who know exactly what they are doing and why. Or should fat-fingering now cause you to be put into the RIPE dock?
The more I think about this proposal, the less I think that the RIR is the place to enforce it -- a similar (but far better thought through) initiative in the IXP space would I think be far more useful; and indeed we have seen a number of bad actors dealt with by IXPs over the past years and this has put a significant dent into their operations.
-- richard
Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
On Wed, Mar 20, 2019 at 4:36 PM Ricardo Patara <ricpatara@gmail.com> wrote:
On this line of one ISP trying to do damage to another.
One might abuse a vulnerable router (thousands out there), create a tunnel to it and announce hijacked blocks originating from the victim's ASN.
Both the victim ASN and the vulnerable router owner would be damaged, and there would be no traces of the criminal. How could they defend themselves to the so-called group of experts?
And things along this line have happened already.
Regards,
That's exactly my point from above for distributing responsibility over things that an AS may do over its direct peers :) With the example from Furio, all ASNs in the proposed topology could be blamed at once, for example. Determining the exact topology may be somewhat non-trivial, but not as hard as paper relations where both sides are claiming their innocence. So, for this version of the proposal, I would rather NAK it because it brings more potential mess than usefulness against bad actors.
Definitely, the authors will try to draft something for that, but specific text suggestions to the list are always very welcome! (actually … please do so)
At the moment I can think along the line of: “Direct peers allowing the hijack through their networks will be warned the first time, but may be considered by the experts' evaluation to be a party involved in case of subsequent deliberate hijack cases”
Regards, Jordi
Hi, please see inline. On Wed, 20 Mar 2019, Andrey Korolyov wrote:
That's exactly my point from above for distributing responsibility over things that an AS may do over its direct peers :) With the example from Furio, all ASNs in the proposed topology could be blamed at once, for example.
A report can be issued claiming N ASNs are involved, but I would say if one of them is not actually involved, the full report should be dismissed.
Determining the exact topology may be somewhat non-trivial, but not as hard as paper relations where both sides are claiming their innocence.
That's why sharing/exporting your BGP views will help an evaluation of whether a hijack was intentional or not.
So, for this version of the proposal, I would rather NAK it because it brings more potential mess than usefulness against bad actors.
As I think Jordi has already written, there are several checks & balances that would make it hard for a due process to reach its end while determining an intentional hijack took place without any intentional actions from the accused party. If you don't feel the guarantees within the process are enough (or clear enough), what would you like to add?
Best Regards, Carlos
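Two points in the thread lend themselves to a concrete illustration: furio's chain of ASes behind a pair of legitimate ISPs (with his remark that a counter-measure should be able to climb the BGP tree until "real" ISPs are reached) and Carlos's point that sharing or exporting BGP views helps an evaluation. What follows is an added example, not code from the proposal, the RIPE NCC or any list member. It is a small Python triage script over a constructed route-view snapshot: it flags announcements whose origin AS is not in an expected-origin table (a constructed stand-in for ROAs or IRR route objects, not a real registry or RPKI lookup), catches more-specifics announced out of a covered prefix, and then walks each AS path from the origin towards the collector until it reaches an AS in a constructed "trusted transit" set, counting which ASNs sit in the suspect chain as seen from several collectors. All prefixes, ASNs and collector names are constructed (documentation prefixes, private ASNs) and stand for nothing real.

```python
"""Origin-hijack triage over constructed BGP route views.

Added example, not code from the RIPE proposal or any list member. The
route-view entries, the expected-origin table and the ASNs are constructed
(documentation prefixes, private ASNs); nothing here is a real registry
lookup or RPKI validation.
"""
from collections import Counter
from ipaddress import ip_network

# Constructed stand-in for ROAs / IRR route objects: prefix -> authorised origin ASNs.
EXPECTED_ORIGINS = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/24": {64501},
}

# Constructed snapshot of what several collectors see: (collector, prefix, AS path).
# Paths are listed collector-side first; the last element is the origin AS.
ROUTE_VIEWS = [
    ("rv-a", "192.0.2.0/24", [64510, 64500]),                   # legitimate
    ("rv-b", "192.0.2.0/24", [64520, 64510, 64500]),            # legitimate
    ("rv-a", "192.0.2.128/25", [64530, 65003, 65002, 65001]),   # more-specific, wrong origin
    ("rv-b", "192.0.2.128/25", [64540, 65003, 65002, 65001]),   # same chain, other collector
    ("rv-a", "198.51.100.0/24", [64510, 64501]),                # legitimate
    ("rv-b", "203.0.113.0/24", [64520, 64502]),                 # no expected entry: not judged
]

# ASNs the evaluator treats as established transit ("real" ISPs in furio's wording).
TRUSTED_TRANSIT = {64510, 64520, 64530, 64540}


def authorised_origins(prefix, expected):
    """Most specific expected entry covering `prefix`: (origin set, covering net),
    or (None, None) when nothing covers it. Matching against the covering prefix
    is what catches a /25 announced out of an expected /24."""
    net = ip_network(prefix)
    best_net, best_asns = None, None
    for cand, asns in expected.items():
        cnet = ip_network(cand)
        if cnet.version != net.version or not net.subnet_of(cnet):
            continue
        if best_net is None or cnet.prefixlen > best_net.prefixlen:
            best_net, best_asns = cnet, asns
    return best_asns, best_net


def find_unexpected_origins(views, expected):
    """Route-view entries whose origin AS is not authorised for the prefix."""
    hits = []
    for collector, prefix, path in views:
        origin = path[-1]
        asns, covering = authorised_origins(prefix, expected)
        if asns is None or origin in asns:
            continue
        hits.append({
            "collector": collector,
            "prefix": prefix,
            "path": path,
            "covering": str(covering),
            "more_specific": ip_network(prefix).prefixlen > covering.prefixlen,
        })
    return hits


def climb_to_trusted(path, trusted):
    """Walk the AS path from the origin towards the collector and stop at the
    first trusted transit AS. Returns (suspect_chain, first_trusted_asn); the
    chain runs origin-first and collapses prepending (repeated ASNs)."""
    chain = []
    for asn in reversed(path):
        if asn in trusted:
            return chain, asn
        if not chain or chain[-1] != asn:
            chain.append(asn)
    return chain, None


def triage(views, expected, trusted):
    """Correlate unexpected-origin announcements across collectors: which ASNs
    sit between the bogus origin and established transit, and which transit
    ASNs accepted the announcement. A hit is input to the evaluation the
    thread discusses, not proof of who configured it or why."""
    hits = find_unexpected_origins(views, expected)
    suspect_asns = Counter()
    entry_points = Counter()
    for hit in hits:
        chain, first_trusted = climb_to_trusted(hit["path"], trusted)
        suspect_asns.update(chain)
        if first_trusted is not None:
            entry_points[first_trusted] += 1
    return {"hits": hits, "suspect_asns": suspect_asns, "entry_points": entry_points}


if __name__ == "__main__":
    result = triage(ROUTE_VIEWS, EXPECTED_ORIGINS, TRUSTED_TRANSIT)
    for hit in result["hits"]:
        print(f"{hit['collector']}: {hit['prefix']} via {hit['path']} "
              f"(covering {hit['covering']}, more-specific={hit['more_specific']})")
    print("ASNs between origin and trusted transit:", dict(result["suspect_asns"]))
    print("Trusted transit ASNs that accepted it:", dict(result["entry_points"]))
```

On the constructed snapshot the script reports the /25 twice, once per collector, with the same three-AS chain (65001, 65002, 65003) in front of two different trusted transit ASNs. That is the shape of furio's diagram: the AS adjacent to the trusted transit is the stable one, and seeing the same chain from more than one vantage point is what exported BGP views add to a report. Whether the origin in such a chain acted deliberately, or was itself a compromised router as Ricardo describes, is not something the path data can settle; the script only narrows down where to look.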
On Wed, 20 Mar 2019, Ricardo Patara wrote:
If you are a victim (someone has abused your network), then just prove it and the policy won't apply and the hivemind will even assist you in cleaning your router.
Regards, -Hank
If you are a victim (someone has abused your network), then just prove it and the policy won't apply and the hivemind will even assist you in cleaning your router.
I've seen cases where it is hard to prove you didn't do anything wrong.
If you are a victim (someone has abused your network), then just prove it and the policy won't apply and the hivemind will even assist you in cleaning your router.
LOL, two of the oldest lies in history neatly rolled into one statement: "If you have done nothing wrong you have nothing to fear" and "I'm from $agency, I'm here to help you" rgds, Sascha Luck
+ Brian - how appropriate is it to call other posters liars like this? --srs ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Sascha Luck [ml] <aawg@c4inet.net> Sent: Wednesday, March 20, 2019 8:42 PM To: Hank Nussbacher Cc: Ricardo Patara; anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
If you are a victim (someone has abused your network), then just prove it and the policy won't apply and the hivemind will even assist you in cleaning your router.
LOL, two of the oldest lies in history neatly rolled into one statement: "If you have done nothing wrong you have nothing to fear" and "I'm from $agency, I'm here to help you" rgds, Sascha Luck
Folks, We were doing so well! There is a difference between expressing opposition to the statements and the manner of doing so. I've called this out before, but please remember that a) this is all text, a medium infamous for being awful at nuance and conveying meaning and b) there are members on the list from many places and cultures and we should all be very considered in our reactions. I will admit, I do not interpret Sascha's remark as calling Hank a liar, but there are reasons for that of language and context as well. So right now, I will leave the points above where they are and ask everyone to choose their words carefully.
Thanks, Brian Co-Chair, RIPE AAWG
Brian Nisbet Service Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nisbet@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270
From: Suresh Ramasubramanian <ops.lists@gmail.com> Sent: Wednesday 20 March 2019 16:45 To: Sascha Luck [ml] <aawg@c4inet.net>; Hank Nussbacher <hank@efes.iucc.ac.il> Cc: Ricardo Patara <ricpatara@gmail.com>; anti-abuse-wg@ripe.net; Brian Nisbet <brian.nisbet@heanet.ie> Subject: Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
+ Brian - how appropriate is it to call other posters liars like this? --srs
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Sascha Luck [ml] <aawg@c4inet.net> Sent: Wednesday, March 20, 2019 8:42 PM To: Hank Nussbacher Cc: Ricardo Patara; anti-abuse-wg@ripe.net Subject: Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
If you are a victim (someone has abused your network), then just prove it and the policy won't apply and the hivemind will even assist you in cleaning your router.
LOL, two of the oldest lies in history neatly rolled into one statement: "If you have done nothing wrong you have nothing to fear" and "I'm from $agency, I'm here to help you" rgds, Sascha Luck
The discussion does seem to be going in circles. A series of objections from Sascha and then various people countering it – none of whom appear to be lawyers of any stripe, discussing the legality (or not) of this proposal. RIPE NCC legal can certainly determine whether or not the policy proposal in question complies with Dutch law. The one thing I can say – not being a lawyer – is that if the hijacking is accompanied by criminal activity, and is shown to be deliberate in order to carry out such activity, Dutch or any other country’s law will find zero difficulty in charging the ISP in question as an accessory to the crime under investigation. If the hijacking is because of someone fat fingering a routing table and routing all Google traffic to Pakistan, that’s another story altogether.
This is a repeat of various long and ultimately not very impactful discussions here about some tiny LIRs allocating multiple /14s to spam operations, a few years back. I’m glad to see that there’s at least some more consensus now on this – and much the same objections from much the same vocal minority of individuals. Now this entirely boils down to the proposal achieving rough consensus on the list and then in the WG meeting in which this proposal is listed on the agenda.
From: Brian Nisbet <brian.nisbet@heanet.ie> Date: Wednesday, 20 March 2019 at 10:43 PM To: Suresh Ramasubramanian <ops.lists@gmail.com>, "Sascha Luck [ml]" <aawg@c4inet.net>, Hank Nussbacher <hank@efes.iucc.ac.il> Cc: Ricardo Patara <ricpatara@gmail.com>, "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> Subject: RE: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
On Thu, Mar 21, 2019 at 07:06:40AM +0530, Suresh Ramasubramanian wrote:
The discussion does seem to be going in circles. A series of objections from Sascha and then various people countering it – none of whom appear to be lawyers of any stripe, discussing the legality (or not) of this proposal.
Please state *precisely* where I've questioned the legality (under Dutch or any other law) of this proposal, or kindly refrain from misrepresenting my statements. rgds, SL
Some individual mentioned dutch law and lawsuits. If that was not you please consider my comment a response to that individual. In my opinion we are long past the stage of rough consensus on this list. Take it to the WG and see if it gets consensus there and please spare the rest of the list some very pointless discussion.
On Thu, Mar 21, 2019 at 08:36:01AM +0530, Suresh Ramasubramanian wrote:
In my opinion we are long past the stage of rough consensus on this list. Take it to the WG and see if it gets consensus there and please spare the rest of the list some very pointless discussion.
Fortunately it is not in your power to determine consensus on this list so kindly leave this determination to the chairs. And Do Not EVER propose to silence me again. [profanity redacted] SL
Not at all silencing you. You have every right to talk. The list and the WG have every right to establish a consensus that may not gel with your wishes.
Hi, On Thu, Mar 21, 2019 at 08:36:01AM +0530, Suresh Ramasubramanian wrote:
In my opinion we are long past the stage of rough consensus on this list. Take it to the WG and see if it gets consensus there and please spare the rest of the list some very pointless discussion.
Uh. "This list" is "the WG" - RIPE working group consensus building happens on the lists, because otherwise only people with deep enough pockets to attend RIPE meetings can participate in policy making. The WG meetings are good for face-to-face discussions with quicker turnaround times and possibly easier to sort out language misunderstandings - but at least for APWG, only statements on the list are considered relevant wrt RIPE policy making. Gert Doering -- NetMaster
Ah that way. Then - Do we have rough consensus? If not at what point is it reached? --srs
In message <alpine.LRH.2.21.1903200737280.5937@gauntlet.corp.fccn.pt>, Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net> writes
What you described
Which was (tedious this top posting approach isn't it!) that in any AS path you cannot determine externally which of a pair of adjacent AS's is being wicked [that would change in a world with BGPSEC, but that is not the world in which we live]
also crossed my mind, but as you said "it won't be too hard to figure out".
Yes it will -- the left hand AS will say that the right hand AS announced the path to them. The right hand AS will deny it. Both will produce logs from routers and (if the non-genuine log is expertly forged) the experts will have to guess which AS is being bad
And when everything is made clear, if a report is filed against AS1, AS1's holder might have a problem, so I see a strong reason for not even trying :-)
In the real world at present, we deduce which AS is wicked from either a pattern of wickedness (we assume that multiple AS's are not ganging up on someone to frame them) or by assessing the probity of the two ASs from personal knowledge of their staff, or their business.

I write this (and my earlier remarks about AS numbers) from the perspective of someone who has spent some considerable time over the past few years dealing with BGP hijacks[*]. It is generally simple to work out who the bad guy is sufficiently to put pressure on them to reform... but it is often the case that you have to say that on balance it is more likely to be this AS rather than that one.

[*] people may have heard me talk about this at LINX and there is another opportunity to listen at FIRST in June. I hope to be able to make the material I have more generally available, but there are {DAYJOB} constraints on that at present.

For clarity (and such vote counting as may occur) I am very much in favour of a policy that says that theft of resources is seen as unacceptable by the RIPE community (it's also illegal, so this is perhaps somewhat unnecessary!) but I am concerned that people think that assessing what is going on will be a trivial process and that is very far from the truth.

-- richard Richard Clayton
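The two technical points made above, furio ercolessi's "climb up the BGP tree until real ISPs are reached" through a chain of throw-away origins, and Richard Clayton's "pattern of wickedness" across several incidents, can be turned into a small analysis over collector-observed AS paths. The script below is an added example written for this discussion; it is not code from the thread, from RIPE NCC or from any hijack-tracking tool. The route table is constructed: ASNs come from the documentation range 64496-64511, prefixes from RFC 5737 space, and the `hijack` flags stand in for whatever evidence (RPKI invalid, holder complaint) led an operator to classify the route. It mirrors the diagram above: four incidents whose origin changes every time while AS 2 and AS 3 stay put, and two legitimate ISPs X and Y that also carry ordinary customers.

```python
"""Attribution heuristics over constructed AS-path observations.

hop_counters()     - which ASN sits at each hop above the origin, hijacks only
involvement()      - per ASN, how many of its observed paths were hijacks
rank_suspects()    - ASNs ordered by their share of hijack paths
climb_rogue_chain()- walk upward from the origin while the upstream is both
                     stable across incidents and mostly seen in bad paths
"""
from collections import Counter, defaultdict

# Constructed observations (not from the list): (prefix, AS path as seen by a
# route collector, flagged_as_hijack). The origin AS is the LAST path element.
ROUTES = [
    # Four hijack events: the origin ("AS 1" in the diagram) is a fresh
    # throw-away ASN each time, while AS 2 (64502) and AS 3 (64503) persist.
    ("192.0.2.0/24",      [64496, 64498, 64503, 64502, 64504], True),
    ("198.51.100.0/24",   [64497, 64499, 64503, 64502, 64505], True),
    ("203.0.113.0/24",    [64496, 64498, 64503, 64502, 64506], True),
    ("192.0.2.128/25",    [64497, 64499, 64503, 64502, 64507], True),
    # Ordinary routes: X (64498) and Y (64499) also serve legitimate customers.
    ("198.51.100.0/25",   [64496, 64498, 64508], False),
    ("198.51.100.128/25", [64497, 64498, 64509], False),
    ("203.0.113.0/25",    [64496, 64499, 64510], False),
    ("203.0.113.128/25",  [64497, 64499, 64511], False),
    ("192.0.2.0/26",      [64496, 64498, 64500, 64508], False),
    ("192.0.2.64/26",     [64497, 64499, 64501, 64510], False),
]


def hop_counters(routes):
    """For hijack routes only, count which ASN appears at each hop above the
    origin: hop 0 is the origin, hop 1 its direct upstream, and so on."""
    hops = defaultdict(Counter)
    for _prefix, path, is_hijack in routes:
        if not is_hijack:
            continue
        for hop, asn in enumerate(reversed(path)):
            hops[hop][asn] += 1
    return dict(hops)


def involvement(routes):
    """Per ASN: (paths flagged as hijacks, total paths) the ASN appears in.
    An ASN that only ever shows up in bad paths is the 'pattern of wickedness';
    a real ISP has plenty of clean paths diluting the bad ones."""
    stats = defaultdict(lambda: [0, 0])
    for _prefix, path, is_hijack in routes:
        for asn in set(path):
            stats[asn][1] += 1
            if is_hijack:
                stats[asn][0] += 1
    return {asn: (bad, total) for asn, (bad, total) in stats.items()}


def rank_suspects(routes, min_total=2):
    """ASNs seen in at least min_total paths, ordered by the share of those
    paths that were hijacks. Single-use throw-away origins fall below
    min_total, which is exactly why they are not the interesting target."""
    inv = involvement(routes)
    rows = [(asn, bad / total, bad, total)
            for asn, (bad, total) in inv.items() if total >= min_total]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


def climb_rogue_chain(routes, coverage=0.75, bad_share=0.75):
    """Climb hop by hop from the origin and keep an upstream ASN while it
    (a) sits at that hop in most hijack events and (b) is mostly seen in
    hijack paths. Stop at the first hop where that fails: that is where the
    'real' ISPs begin. Returns the stable chain nearest-to-origin first; the
    churning origins themselves are not included."""
    hops = hop_counters(routes)
    if not hops:
        return []
    n_events = sum(hops[0].values())
    inv = involvement(routes)
    chain = []
    for hop in range(1, len(hops)):
        asn, seen = hops[hop].most_common(1)[0]
        bad, total = inv[asn]
        if seen / n_events >= coverage and bad / total >= bad_share:
            chain.append(asn)
        else:
            break
    return chain


if __name__ == "__main__":
    for asn, share, bad, total in rank_suspects(ROUTES):
        print(f"AS{asn}: {bad}/{total} observed paths were hijacks ({share:.0%})")
    print("stable chain above the throw-away origins:", climb_rogue_chain(ROUTES))
```

Note what the output does and does not say: the chain [64502, 64503] is where the stable part of the rogue setup lives, and X and Y drop out because most of their paths are clean. It still cannot tell, for any single incident, whether AS 2 or AS 3 actually inserted the announcement; as the post above says, that call rests on the pattern across incidents and on knowledge of the parties, not on the path alone.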
In message <YIB1k3C4JukcFAZ6@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:
... but I am concerned that people think that assessing what is going on will be a trivial process and that is very far from the truth.
I feel sure that anyone professionally engaged in the real estate title insurance business would be of the same opinion. However that is not to say that for 99% of all real estate disputes, the facts are anything less than entirely and abundantly clear, once all of the relevant documents have been assembled and placed on the table in front of one or more impartial observers. Regards, rfg
Hello, I would like to express my support to the policy 2019-03 as it is. Best regards,
All, On Tue, Mar 19, 2019 at 01:41:22PM +0100, Marco Schmidt wrote:
A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy Violation", is now available for discussion. The goal of this proposal is to define that BGP hijacking is not accepted as normal practice within the RIPE NCC service region.
You can find the full proposal at: https://www.ripe.net/participate/policies/proposals/2019-03
there has been a trend in recent years to make RIPE policy that transforms the NCC from a resource registry into a political agency to monitor and prescribe the behaviour of the internet industry in the RIPE Service Region by weaponising the NCC Service Agreement. This I consider harmful to the standing of the RIPE NCC as an impartial, non-political resource registry.

The major point, even if you accept that the NCC has a mandate to act as a regulatory authority - which I want to state unequivocally here that I do NOT - against this proposal is that it is ineffective and a waste of time and membership funding:

1. The procedures for policy violations in the RIPE NCC are restorative rather than retributive. If the NCC determines that a policy violation has occurred, the "offender" is given an opportunity to rectify the situation, if they do so the case is closed. Only if the "offender" refuses to cooperate or is not contactable is any further action taken.

2. "Resource hijacks" are transient in nature. They persist, generally, only until the "offender's" neighbours take action. Yet, 2019-03 proposes a long, convoluted, costly process involving "experts", reports, appeals and the NCC Board. By the time this process has run its course, the "resource hijack" in question will have long faded from memory. So the end result of this proposed process is that the "offender" gets a report which it will, in all likelihood, consign to the round archive (i.e. the recycling bin).

3. The time of the NCC staff and the Board will have been wasted. So will have NCC funding which we, as the Membership, have to provide. The "experts" will in all likelihood not work for free either, indeed a cynic could argue that the main effect of this proposal is to let some "experts" dip their beak into NCC funds.

4. I want to forestall the inevitable argument here that "we can make policy to have those evildoers thrown out of the NCC later!". No, you can't. The SSA and its contents are solely the domain of the NCC Membership and I sincerely hope that that body will refuse to ratify any proposal that opens themselves to the loss of the services of a monopoly provider on the say-so of some activist randomers on a mailing list. I know which way I would vote.

5. If there is still any doubt, the above constitutes strenuous opposition to 2019-03.

rgds, Sascha Luck
Hi Sascha, On 20/3/19 15:14, "anti-abuse-wg on behalf of Sascha Luck [ml]" <anti-abuse-wg-bounces@ripe.net on behalf of aawg@c4inet.net> wrote:
there has been a trend in recent years to make RIPE policy that transforms the NCC from a resource registry into a political agency to monitor and prescribe the behaviour of the internet industry in the RIPE Service Region by weaponising the NCC Service Agreement. This I consider harmful to the standing of the RIPE NCC as an impartial, non-political resource registry.
This has been one of our main concerns while developing the text, and this is why we decided to find the right wording that ensures that is up to external experts, not the NCC.
1. The procedures for policy violations in the RIPE NCC are restorative rather than retributive. If the NCC determines that a policy violation has occurred, the "offender" is given an opportunity to rectify the situation, if they do so the case is closed. Only if the "offender" refuses to cooperate or is not contactable is any further action taken.
I think this can be reconducted in other instances (NCC Services, membership agreement, etc.), in order to ensure that you're waived from the first violation, but not in subsequent ones.
4. I want to forestall the inevitable argument here that "we can make policy to have those evildoers thrown out of the NCC later!". No, you can't. The SSA and its contents are solely the domain of the NCC Membership and I sincerely hope that that body will refuse to ratify any proposal that opens themselves to the loss of the services of a monopoly provider on the say-so of some activist randomers on a mailing list. I know which way I would vote.
I'm not sure if the membership will really not accept a change such as the "1st waiver, not 2nd one" that I introduced above. Why would the membership support even a 10% (just to put an exaggerated figure here) of the membership acting against all the community, which means extra cost for all (including the members but not only)? Regards, Jordi
Hi Jordi, On Wed, Mar 20, 2019 at 03:45:24PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
Service Agreement. This I consider harmful to the standing of the RIPE NCC as an impartial, non-political resource registry.
This has been one of our main concerns while developing the text, and this is why we decided to find the right wording that ensures that is up to external experts, not the NCC.
Fallacious. The fact that some expert provides a finding does not change that it is the NCC that is tasked with "doing something about it".
1. The procedures for policy violations in the RIPE NCC are restorative rather than retributive. If the NCC determines that a policy violation has occurred, the "offender" is given an opportunity to rectify the situation, if they do so the case is closed. Only if the "offender" refuses to cooperate or is not contactable is any further action taken.
I think this can be reconducted in other instances (NCC Services, membership agreement, etc.), in order to ensure that you're waived from the first violation, but not in subsequent ones.
FWIW, I would prefer this entire discussion to take place in ncc-services. The entire effect of this proposal pivots on using the NCC SSA to achieve some goal and I consider having part of this debate in aawg and another part in ncc-services a not very subtle divide-and-conquer approach.
I'm not sure if the membership will really not accept a change such as the "1st waiver, not 2nd one" that I introduced above. Why would the membership support even a 10% (just to put an exaggerated figure here) of the membership acting against all the community, which means extra cost for all (including the members but not only)?
I would hope that the Membership would be able to see that a change in nature of the NCC from (restorative) registry to (retributive) enforcement agency would be fundamental and very dangerous and would *inevitably* fall back on themselves. But that is for the membership to decide. rgds, Sascha Luck
Hi Sascha, On 20/3/19 16:09, "Sascha Luck [ml]" <aawg@c4inet.net> wrote:
Fallacious. The fact that some expert provides a finding does not change that it is the NCC that is tasked with "doing something about it".
The fact that the bank confirms that a member doesn't pay the invoice doesn't mean the NCC is the "police"; they are just following the members'/community's orders, which is the task they are mandated to.
FWIW, I would prefer this entire discussion to take place in ncc-services. The entire effect of this proposal pivots on using the NCC SSA to achieve some goal and I consider having part of this debate in aawg and another part in ncc-services a not very subtle divide-and-conquer approach.
I agree for the "actions" but not the policy proposal itself. Otherwise, ANY policy proposal will end up in the same WG, and then we don't need any other WG.
In message <20190320141408.GP99066@cilantro.c4inet.net>, "Sascha Luck [ml]" <aawg@c4inet.net> wrote:
there has been a trend in recent years to make RIPE policy that transforms the NCC from a resource registry into a political agency...
I am a resident and citizen of the United States, and I have been a keen observer of much of the news, over the past 2+ years. I thus feel at least somewhat qualified to offer the observation that there exist quite sizable numbers of people here in my own country that have made, and that continue to make, the exact same mistake that Mr. Luck has made here, i.e. failing to note the clear distinction between things that are "political" and things that are abjectly and abundantly criminal, e.g. bank fraud, money laundering, and lying to Congress. It is not, and should not properly be considered to be merely a matter of "politics" when manifestly malevolent parties, acting in what are clearly their own private interests, are caught red handed, stealing from the cookie jar, and no amount of dressing up these crimes as mere "politics" can excuse these acts against the common good. This is every bit as true when it comes to shameless IP block hijackers as it is also in the case of various U.S. administration officials and/or hangers-on, many of whom are now, thankfully, heading off to prison. I regret having to make this point here, and in this context, but Mr. Luck has, perhaps unintentionally, touched what, for many of us here in the U.S., is currently a very raw nerve. Criminality is not politics nor vice versa, even if about 42% of the population here still declines to grasp the difference.
2. "Resource hijacks" are transient in nature. They persist, generally, only until the "offender's" neighbours take action. Yet, 2019-03 proposes a long, convoluted, costly process involving "experts", reports, appeals and the NCC Board. By the time this process has run its course, the "resource hijack" in question will have long faded from memory. So the end result of this proposed process is that the "offender" gets a report which it will, in all likelihood, consign to the round archive (ie the recycling bin).
Strange as it may seem, I am actually inclined to agree with essentially all of what Mr. Luck has said in the above passage. His points and criticisms are valid. It is certainly the case that once caught and publicly outed, hijackers have historically tended to give up their stolen booty, or to be forced to do so by their peers and upstreams. And this all tends to happen much faster than any of the processes suggested in the proposal 2019-03. The one important difference, of course, is that 2019-03 calls for the hijackers to be deprived not only of whatever they have stolen, but also and additionally, of every number resource that they were ever legitimately granted, after a due process. And this is not a small point, being as it is, and as it is intended, a deterrent, and hopefully a persuasive one, against this specific kind of anti-social foolishness.
4. I want to forestall the inevitable argument here that "we can make policy to have those evildoers thrown out of the NCC later!". No, you can't. The SSA and its contents are solely the domain of the NCC Membership and I sincerely hope that that body will refuse to ratify any proposal that opens themselves to the loss of the services of a monopoly provider...
I would just like it noted, for the record, that RIPE is actually not a "monopoly provider", and that the four other RIRs might reasonably take umbrage at the very suggestion. Regards, rfg
On Wed, Mar 20, 2019 at 02:26:28PM -0700, Ronald F. Guilmette wrote:
continue to make, the exact same mistake that Mr. Luck has made here, i.e. failing to note the clear distinction between things that are "political" and things that are abjectly and abundantly criminal,
I don't think that word means what you think it does. "criminal" has a very precise legal meaning. If you think that advertisement of numbers is a criminal act, please provide jurisdiction, act and article under which it is. [much incoherent and, in this context irrelevant, rambling about U.S. politics omitted]
The one important difference, of course, is that 2019-03 calls for the hijackers to be deprived not only of whatever they have stolen, but also and additionally, of every number resource that they were ever legitimately granted, after a due process.
You must have read a different version of this proposal than what I have read. The proposal calls for a "finding" to be made and a report submitted. Any consequences are not even within the mandate of RIPE policy.
I would just like it noted, for the record, that RIPE is actually not a "monopoly provider", and that the four other RIRs might reasonably take umbrage at the very suggestion.
And, like so often, you are wrong here too. Each RIR is a monopoly provider for its own service region. Some RIRs even mandate that the resources they allocate and assign must not be used outside their service region. rgds, Sascha Luck
Hi, please see inline, On Wed, 20 Mar 2019, Sascha Luck [ml] wrote:
On Wed, Mar 20, 2019 at 02:26:28PM -0700, Ronald F. Guilmette wrote:
continue to make, the exact same mistake that Mr. Luck has made here, i.e. failing to note the clear distinction between things that are "political" and things that are abjectly and abundantly criminal,
I don't think that word means what you think it does. "criminal" has a very precise legal meaning. If you think that advertisement of numbers is a criminal act, please provide jurisdiction, act and article under which it is.
Three words: "dutch", "court", "order" -- that's jurisdiction over RIPE NCC. (...)
You must have read a different version of this proposal than what I have read. The proposal calls for a "finding" to be made and a report submitted. Any consequences are not even within the mandate of RIPE policy.
And ratified (you may have missed that bit!) I also don't see any immediate or automatic consequence(s). However, if the policy was indeed violated, then the door is open for subsequent action(s) -- which can take its due time as already established. This proposal doesn't even try to touch that, and i hope this is completely clear by now.
I would just like it noted, for the record, that RIPE is actually not a "monopoly provider", and that the four other RIRs might reasonably take umbrage at the very suggestion.
And, like so often, you are wrong here too.
Allow me to disagree (again).
Each RIR is a monopoly provider for its own service region. Some RIRs even mandate that the resources they allocate and assign must not be used outside their service region.
Have you heard about legacy resources? Do you know they can be subject to transfers? Additionally, please note you wrote "Some RIRs", not "All RIRs" :-) Question: if that mandate is not complied with, is it enough for the NCC to terminate the SSA? Regards, Carlos
On Wed, Mar 20, 2019 at 11:04:53PM +0000, Carlos Friaças wrote:
I don't think that word means what you think it does. "criminal" has a very precise legal meaning. If you think that advertisement of numbers is a criminal act, please provide jurisdiction, act and article under which it is.
Three words: "dutch", "court", "order" -- that's jurisdiction over RIPE NCC.
Please state, precisely under which Dutch law advertisement of numbers not assigned to you is a criminal offence (Who knows, there might be one...) rgds, SL
It isn't a criminal offence, hence the need for some self-regulation at RIR (book-keeping and distribution) level. Carlos
On Wed, Mar 20, 2019 at 11:04:53PM +0000, Carlos Friaças wrote:
I don't think that word means what you think it does. "criminal" has a very precise legal meaning. If you think that advertisement of numbers is a criminal act, please provide jurisdiction, act and article under which it is.
Three words: "dutch", "court", "order" -- that's jurisdiction over RIPE NCC.
To amplify: my comment centers on the use of the term "criminal" for someone who commits $something_i_don't_like_but_isn't_actually_illegal. Somewhat dangerous terrain in Europe because slander, ironically, *is* a criminal offence in some jurisdictions. I should probably excuse Ronald because to a first-amendment-protected American the concept must seem ludicrous. Although I hear Trump wants to change that... sncr, SL
(...)
You must have read a different verion of this proposal than what I have read. The proposal calls for a "finding" to be made and a report submitted. Any consequences are not even within the mandate of RIPE policy.
And ratified (you may have missed that bit!)
I also don't see any immediate or automatic consequence(s).
However, if the policy was indeed violated, then the door is open for subsequent action(s) -- which can take its due time as already established. This proposal doesn't even try to touch that, and i hope this is completely clear by now.
I would just like it noted, for the record, that RIPE is actually not a "monopoly provider", and that the four other RIRs might reasonably take umbrage at the very suggestion.
And, like so often, you are wrong here too.
Allow me to disagree (again).
Each RIR is a monopoly provider for its own service region. Some RIRs even mandate that the resources they allocate and assign must not be used outside their service region.
Have you heard about legacy resources? Do you know they can be subject to transfers?
Additionally, please note you wrote "Some RIRs", not "All RIRs" :-)
Question: if that mandate is not complied with, is it enough for the NCC to terminate the SSA?
Regards, Carlos
rgds, Sascha Luck
In message <20190320234806.GW99066@cilantro.c4inet.net>, "Sascha Luck [ml]" <aawg@c4inet.net> wrote:
Somewhat dangerous terrain in Europe because slander, ironically, *is* a criminal offence in some jurisdictions.
Fortunately, the tide of history continues to turn on this issue, and in a favorable direction. https://en.wikipedia.org/wiki/Defamation_Act_2013
I should probably excuse Ronald because to a, first-amendment-protected, American the concept must seem ludicrous. Although I hear Trump wants to change that...
Mr. Trump wants a lot of things, including the repeal of Obamacare, a massively expensive southern border wall, free Big Macs, his name on a downtown Moscow high-rise, and the Buffalo Bills football team. None of these things has a snowball's chance in hell of actually materializing anytime soon. Regards, rfg
In message <20190320222915.GT99066@cilantro.c4inet.net>, "Sascha Luck [ml]" <aawg@c4inet.net> wrote:
On Wed, Mar 20, 2019 at 02:26:28PM -0700, Ronald F. Guilmette wrote:
continue to make, the exact same mistake that Mr. Luck has made here, i.e. failing to note the clear distinction between things that are "political" and things that are abjectly and abundantly criminal,
I don't think that word means what you think it does. "criminal" has a very precise legal meaning. If you think that advertisement of numbers is a criminal act, please provide jurisdiction, act and article under which it is.
I anticipated that this question/issue might come up, so I did a small bit of background research in anticipation. I understand that the material I quote here may be deemed insufficient to fully or adequately answer the question, but quite certainly there is a wealth of other and relevant reference material available online, and I will be more than happy to provide further references, as required, in addition to those noted below, even though this isn't really my field. The biblical narrative of the revelation at Sinai begins in Exodus 19 after the arrival of the children of Israel at Mount Sinai (also called Horeb). On the morning of the third day of their encampment, "there were thunders and lightnings, and a thick cloud upon the mount, and the voice of the trumpet exceeding loud", and the people assembled at the base of the mount. After "the LORD came down upon mount Sinai", Moses went up briefly and returned and prepared the people, and then in Exodus 20 "God spoke" to all the people the words of the covenant, that is, the "ten commandments" as it is written. Modern biblical scholarship differs as to whether Exodus 19-20 describes the people of Israel as having directly heard all or some of the decalogue, or whether the laws are only passed to them through Moses. Refs: https://en.wikipedia.org/wiki/Ten_Commandments https://en.wikipedia.org/wiki/Thou_shalt_not_steal
The one important difference, of course, is that 2019-03 calls for the hijackers to be deprived not only of whatever they have stolen, but also and additionally, of every number resource that they were ever legitimately granted, after a due process.
You must have read a different version of this proposal than what I have read. The proposal calls for a "finding" to be made and a report submitted. Any consequences are not even within the mandate of RIPE policy.
Well, I was misinformed then. My bad.
I would just like it noted, for the record, that RIPE is actually not a "monopoly provider", and that the four other RIRs might reasonably take umbrage at the very suggestion.
And, like so often, you are wrong here too. Each RIR is a monopoly provider for its own service region. Some RIRs even mandate that the resources they allocate and assign must not be used outside their service region.
That's a very interesting contention. All I can see is that if these are indeed the rules then my eyes must have deceived me when I thought that I saw WHOIS records for various IP blocks from each of the RIPE, ARIN, and Afrinic regions, all of which seemed to me at the time to have been assigned to various legal entities, all of which were themselves purportedly located in Seychelles Islands. Regards, rfg
Dear Sascha, (please see inline) On Wed, 20 Mar 2019, Sascha Luck [ml] wrote:
All,
On Tue, Mar 19, 2019 at 01:41:22PM +0100, Marco Schmidt wrote:
A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy Violation", is now available for discussion. The goal of this proposal is to define that BGP hijacking is not accepted as normal practice within the RIPE NCC service region.
You can find the full proposal at: https://www.ripe.net/participate/policies/proposals/2019-03
there has been a trend in recent years to make RIPE policy that transforms the NCC from a resource registry into a political agency to monitor and prescribe the behaviour of the internet industry
Do you actually have any reference about that?
in the RIPE Service Region by weaponising the NCC Service Agreement.
Isn't that a contract? If a party breaches a contract, isn't it normal for the other party to terminate it?
This I consider harmful to the standing of the RIPE NCC as an impartial, non-political resource registry.
What i consider harmful is abuse against the RIPE NCC and the RIPE NCC Membership at large. The RIPE NCC has proven several times it is impartial, and it is not influenced by political or geo-political events/constraints. The RIPE NCC acts according to Dutch court orders, as is supposed. Do you have any evidence that the RIPE NCC has acted beyond Dutch court orders? I don't.
The major point, even if you accept that the NCC has a mandate to act as a regulatory authority
If it has, please point me to where i can find it in writing. The NCC is a Regional Internet Registry. Its purpose (as i see it) is to distribute Internet resources. So, if it distributes resource X to party Y, then if party Z takes over the resource without party Y's consent, the whole concept and purpose of having a registry is broken. So the NCC (or at least the community supporting it) should have something in place that could at least be preventive of such actions against its purpose and usefulness (as a registry).
- which I want to state unequivocally here that I do NOT - against this proposal is that it is ineffective and a waste of time and membership funding:
So you already have the Impact Analysis done two days after the discussion phase has started? But isn't the role of the NCC to perform such I.A.?
1. The procedures for policy violations in the RIPE NCC are restorative rather than retributive.
I agree with this. The proposal aims to restore "normality", where only a legitimate holder is able to use/announce the resource. :-) Just out of curiosity, this restorative vs. retributive is written exactly where?
If the NCC determines that a policy violation has occurred,
This proposal suggests clearly it is NOT the NCC who is determining if a policy violation has occurred.
the "offender" is given an opportunity to rectify the situation, if they do so the case is closed. Only if the "offender" refuses to cooperate or is not contactable is any further action taken.
So, where exactly do you see in the suggested process, the lack of opportunity (or opportunities) for the presumed "offender" to cooperate? If reasonable explanations and cooperation are provided, i don't see how and why a set of experts will not "close" a case. And even if it does not close it, the NCC Board can ultimately choose NOT to ratify the report.
2. "Resource hijacks" are transient in nature. They persist, generally, only until the "offender's" neighbours take action. Yet, 2019-03 proposes a long, convoluted, costly process involving "experts", reports, appeals and the NCC Board.
If it makes you more comfortable, we can replace the NCC Board with the RIPE Chair, or have them both :-)
From what i read from you, a speedy process will be undesirable, but a process with all the checks & balances will also be undesirable. Understood. And "costly" depends if there are volunteers to the expert pool or not...
By the time this process has run its course, the "resource hijack" in question will have long faded from memory. So the end result of this proposed process is that the "offender" gets a report which it will, in all likelihood, consign to the round archive (ie the recycling bin).
I'm confused. So you think a fast track process will better serve the community's interests?
3. The time of the NCC staff and the Board will have been wasted. So
Which time of the NCC staff? Just drawing which expert will be associated with Case#N? I suggest letting an algorithm work :-) The NCC staff doesn't need to be involved, really. The Board's time -- why not let them think about it? (i.e. the impact analysis?)
will have NCC funding which we, as the Membership have to provide. The "experts" will in all likelihood not work for free either, indeed a cynic could argue that the main effect of this proposal is to let some "experts" dip their beak into NCC funds.
So, if a set of people agrees to do this on a voluntary basis, you would consider supporting the idea?
4. I want to forestall the inevitable argument here that "we can make policy to have those evildoers thrown out of the NCC later!". No, you can't. The SSA and its contents are solely the domain of the NCC Membership
My employer is also part of the NCC Membership. I wouldn't mind discussing this during an AGM, if the Board allows it.
and I sincerely hope that that body will refuse to ratify any proposal that opens themselves to the loss of the services of a monopoly provider on the say-so of some activist randomers on a mailing list. I know which way I would vote.
"activist randomers on a mailing list", just for the sake of clarity, is aimed only at the two co-authors, or also at other people who have already expressed support for the idea/proposal? :-)) Best Regards, Carlos
5. If there is still any doubt, the above constitutes strenuous opposition to 2019-03.
rgds, Sascha Luck
On Wed, Mar 20, 2019 at 10:41:00PM +0000, Carlos Friaas wrote:
there has been a trend in recent years to make RIPE policy that transforms the NCC from a resource registry into a political agency to monitor and prescribe the behaviour of the internet industry
Do you actually have any reference about that?
Read the address-policy and particularly the aawg archives. There have been a number of proposals such as the Europol one and the endless saga of the abuse-c: verification...
in the RIPE Service Region by weaponising the NCC Service Agreement.
Isn't that a contract? If a party breaches a contract, isn't it normal for the other party to terminate it?
Not for the RIPE NCC. The NCC aims to restore compliance with the SSA and not to punish the member unless as a last resort.
This I consider harmful to the standing of the RIPE NCC as an impartial, non-political resource registry.
What i consider harmful is abuse against the RIPE NCC and the RIPE NCC Membership at large.
Please state exactly how advertising someone else's resources constitutes "abuse against the RIPE NCC" unless the offender also registers wrong data in the ripedb.
The RIPE NCC has proven several times it is impartial, and it is not influenced by political or geo-political events/constraints. The RIPE NCC acts according to Dutch court orders, as is supposed. Do you have any evidence that the RIPE NCC has acted beyond Dutch court orders? I don't.
I have not claimed that it has.
The major point, even if you accept that the NCC has a mandate to act as a regulatory authority
If it has, please point me to where i can find it in writing. The NCC is a Regional Internet Registry. Its purpose (as i see it) is to distribute Internet resources. So, if it distributes resource X to party Y, then if party Z takes over the resource without party Y's consent, the whole concept and purpose of having a registry is broken.
No. The purpose of a registry is to keep a *register* of data (in this case, resources). This aids members and others in finding out who the rightful "owner" of a resource is. The Land Registry records who owns a bit of land, it does not enforce who can live on it. If someone takes over someone else's land, the *courts* deal with it.
- which I want to state unequivocally here that I do NOT - against this proposal is that it is ineffective and a waste of time and membership funding:
So you already have the Impact Analysis done two days after the discussion phase has started? But isn't the role of the NCC to perform such I.A.?
I'm stating an opinion on the proposal, which I am entitled to do.
1. The procedures for policy violations in the RIPE NCC are restorative rather than retributive.
I agree with this. The proposal aims to restore "normality", where only a legitimate holder is able to use/announce the resource. :-) Just out of curiosity, this restorative vs. retributive is written exactly where?
In the SSA. The SSA describes exactly what happens in case of policy violations and it is crystal clear that these steps are intended to rectify the situation rather than to punish the offender after the fact.
If the NCC determines that a policy violation has occurred,
This proposal suggests clearly it is NOT the NCC who is determining if a policy violation has occurred.
Pretty sure it is the NCC only who can determine that. Others may state opinions as to whether or not something is a policy violation but it's the NCC's *job* to make that determination.
the "offender" is given an opportunity to rectify the situation, if they do so the case is closed. Only if the "offender" refuses to cooperate or is not contactable is any further action taken.
So, where exactly do you see in the suggested process, the lack of opportunity (or opportunities) for the presumed "offender" to cooperate?
Not my claim. I was paraphrasing the terms of the SSA
2. "Resource hijacks" are transient in nature. They persist, generally, only until the "offender's" neighbours take action. Yet, 2019-03 proposes a long, convoluted, costly process involving "experts", reports, appeals and the NCC Board.
From what i read from you, a speedy process will be undesirable, but a process with all the checks & balances will also be undesirable. Understood.
A due process is ineffective as the hijack will be long over by the time anyone makes a determination. A speedy process (terminate the member on some expert's say-so?) is unacceptable (I hope, the membership may feel suicidal). So, the proposal makes no sense either way.
By the time this process has run its course, the "resource hijack" in question will have long faded from memory. So the end result of this proposed process is that the "offender" gets a report which it will, in all likelihood, consign to the round archive (ie the recycling bin).
I'm confused. So you think a fast track process will better serve the community's interests?
see above.
3. The time of the NCC staff and the Board will have been wasted. So
Which time of the NCC staff? Just drawing which expert will be associated with Case#N? I suggest letting an algorithm work :-) The NCC staff doesn't need to be involved, really. The Board's time -- why not let them think about it? (i.e. the impact analysis?)
Again, I'm stating an opinion on the process, I do not propose to prevent the Board from thinking about it.
will have NCC funding which we, as the Membership have to provide. The "experts" will in all likelihood not work for free either, indeed a cynic could argue that the main effect of this proposal is to let some "experts" dip their beak into NCC funds.
So, if a set of people agrees to do this on a voluntary basis, you would consider supporting the idea?
If so, I'll concede *this* point, it won't make me support this proposal.
4. I want to forestall the inevitable argument here that "we can make policy to have those evildoers thrown out of the NCC later!". No, you can't. The SSA and its contents are solely the domain of the NCC Membership
My employer is also part of the NCC Membership. I wouldn't mind discussing this during an AGM, if the Board allows it.
I suspect at some point in time it will come to this. Not least because the membership will have to vote on any changes to the SSA.
"activist randomers on a mailing list", just for the sake of clarity, is aimed only at the two co-authors, or also at other people who have already expressed support for the idea/proposal? :-))
It is a somewhat jesting term for the RIPE community in general. Because at the end of the day, that's what it is. Some email accounts on a list. Some people I know, most I don't, some use pseudonyms, others I suspect of being sockpuppets for the same person... Generally not a forum I would want to make decisions on punishment for the fee-paying members. But that is a discussion for another day. rgds, Sascha Luck
Hi, On Wed, 20 Mar 2019, Sascha Luck [ml] wrote:
On Wed, Mar 20, 2019 at 10:41:00PM +0000, Carlos Friaas wrote:
there has been a trend in recent years to make RIPE policy that transforms the NCC from a resource registry into a political agency to monitor and prescribe the behaviour of the internet industry
Do you actually have any reference about that?
Read the address-policy and particularly the aawg archives. There have been a number of proposals such as the Europol one and the endless saga of the abuse-c: verification...
It wasn't "the Europol proposal". The co-author happens to work for Europol. Other Europol employees were able to disagree with the proposal if they wanted. You cannot determine if the author wasn't working for Europol, the same exact proposal wouldn't be issued, and if the author left Europol, that she wouldn't continue to support/work on the same exact proposal. That's a label, and i mostly disagree with doing that. In the same way, regarding 2019-03, i work for a NREN (the other co-author doesn't) and this is NOT an "NREN proposal". It's a proposal aimed at improving how the RIPE community deals with the specific issue of hijacking. About the abuse-c: verification, i understand that some people will prefer that abuse messages simply go into blackholes, although i feel more comfortable to see this "saga" as you label it, go forward in order to globally improve how things work. Sorry if that negatively affects some business models where frequent abuse is a pattern/feature. Carlos
Hi, On Wed, 20 Mar 2019, Sascha Luck [ml] wrote: (...)
Isn't that a contract? If a party breaches a contract, isn't it normal for the other party to terminate it?
Not for the RIPE NCC. The NCC aims to restore compliance with the SSA and not to punish the member unless as a last resort.
If the member keeps breaking compliance........ Where do you exactly see in 2019-03 the suggestion that anyone will get a red card at first time? (...)
Please state exactly how advertising someone else's resources constitutes "abuse against the RIPE NCC" unless the offender also registers wrong data in the ripedb.
The RIPE NCC is a RIR. If its own members *repeatedly* don't respect the RIR's distribution of resources, then the RIR's usefulness quickly tends to zero. (...)
If it has, please point me to where i can find it in writing. The NCC is a Regional Internet Registry. Its purpose (as i see it) is to distribute Internet resources. So, if it distributes resource X to party Y, then if party Z takes over the resource without party Y's consent, the whole concept and purpose of having a registry is broken.
No. The purpose of a registry is to keep a *register* of data (in this case, resources).
And also to distribute resources, according to a specific set of rules.
This aids members and others in finding out who the rightful "owner" of a resource is. The Land Registry records who owns a bit of land, it does not enforce who can live on it. If someone takes over someone else's land, the *courts* deal with it.
A "Land Registry" is NOT distributing land. Question: So, forgetting about that bit (distribution) and introducing the need to go to courts is a stalling mechanism by design? (...)
In the SSA. The SSA describes exactly what happens in case of policy violations and it is crystal clear that these steps are intended to rectify the situation rather than to punish the offender after the fact.
Although (as you stated before) if rectification is not possible then SSA termination (punishment?) is possible.
If the NCC determines that a policy violation has occurred,
This proposal suggests clearly it is NOT the NCC who is determining if a policy violation has occurred.
Pretty sure it is the NCC only who can determine that. Others may state opinions as to whether or not something is a policy violation but it's the NCC's *job* to make that determination.
At some point it *might* be the NCC's Board, through the ratification phase. The proposal doesn't suggest NCC staff to be involved other than providing the means to allow anyone to file a report. (...)
So, where exactly do you see in the suggested process, the lack of opportunity (or opportunities) for the presumed "offender" to cooperate?
Not my claim. I was paraphrasing the terms of the SSA
2019-03 doesn't try to change the SSA. I thought this thread was about 2019-03. It should be abundantly clear that any presumable offender will have several occasions to cooperate. (...)
From what i read from you, a speedy process will be undesirable, but a process with all the checks & balances will also be undesirable. Understood.
A due process is ineffective as the hijack will be long over by the time anyone makes a determination.
2019-03 doesn't aim to stop intentional hijacks while they are happening. The proposal is intended to show everyone that consequences might happen if they engage in these practices, and also reduce the amount of hijacks from the same source. (...)
A speedy process (terminate the member on some expert's say-so?) is unacceptable (I hope, the membership may feel suicidal).
So, the proposal makes no sense either way.
I already understood "speed" is irrelevant for you. But if you are happy that intentional hijacks keep going on a daily basis, and RIPE and RIPE NCC's reputation going down the drain, others are not. :-) (...)
So, if a set of people agrees do this on a voluntary basis, you would consider to support the idea?
If so, I'll concede *this* point, it won't make me support this proposal.
Understood. You will not support 2019-03, regardless of the "speed" or the "cost" axis, or depending on any other variable. (...)
My employer is also part of the NCC Membership. I wouldn't mind discussing this during an AGM, if the Board allows it.
I suspect at some point in time it will come to this. Not least because the membership will have to vote on any changes to the SSA.
But again, 2019-03 is not proposing any changes to the current SSA. (...)
"activist randomers on a mailing list", just for sake of clarity, is aimed only at the two co-authors, or also at other people which have already expressed support for the idea/proposal? :-))
It is a somewhat jesting term for the RIPE community in general. Because at the end of the day, that's what it is. Some email accounts on a list. Some people I know, most I don't, some use pseudonyms, others I suspect of being sockpuppets for the same person... Generally not a forum I would want to make decisions on punishment for the fee-paying members. But that is a discussion for another day.
If so, i really don't understand why you spend your time participating :-) Best Regards, Carlos
rgds, Sascha Luck
On Thu, Mar 21, 2019 at 08:33:22AM +0000, Carlos Friaas wrote:
Not for the RIPE NCC. The NCC aims to restore compliance with the SSA and not to punish the member unless as a last resort.
If the member keeps breaking compliance........ Where do you exactly see in 2019-03 the suggestion that anyone will get a red card at first time?
What I really, really want to know is what do you envision the consequences for such a breach of compliance to be... Say, a member advertises ASnnnnn which they are not assigned. After a day or so its neighbours stop accepting that, possibly due to complaints. 6 months later a report issues stating that the member has violated RIPE policy. The member goes: "yeah, whatever, this was 6 months ago and is long 'fixed'" What happens?
Please state exactly how advertising someone else's resources constitutes "abuse against the RIPE NCC" unless the offender also registers wrong data in the ripedb.
The RIPE NCC is a RIR. If its own members *repeatedly* don't respect the RIR's distribution of resources, then the RIR's usefulness quickly tends to zero.
How? Unless the "offenders" enter incorrect data into the ripedb (which is already in violation of policy), the effect on the NCC is zero. The ripedb will still fulfil its function of showing who a resource *should* be allocated/assigned to. I can see how advertising resources which are rightfully allocated/assigned to someone else infringes on the rights of the rightful "owner", I can not see how it is abuse against the registry.
it does not enforce who can live on it. If someone takes over someone else's land, the *courts* deal with it.
A "Land Registry" is NOT distributing land.
Question: So, forgetting about that bit (distribution) and introducing the need to go to courts is a stalling mechanism by design?
No, it is a conflict resolution procedure to prevent a dispute over land escalating into violence. To extend the analogy to the internet resource realm, the "owner" of a resource is of course free to procure a court order demanding that the "hijacker" stop using it. The owner is not (at least here) entitled to take an armed mob to the 'hijacker's' NOC and disconnect their routers.
In the SSA. The SSA describes exactly what happens in case of policy violations and it is crystal clear that these steps are intended to rectify the situation rather than to punish the offender after the fact.
Although (as you stated before) if rectification is not possible then SSA termination (punishment?) is possible.
If a 'hijacker' refuses to stop advertising hijacked resources or refuses to cooperate and the ripe-697 procedure has run its course, yes. How realistic is this? Are there any actual cases where someone is long-term camping resources that are not theirs and refuses to relinquish them even after being contacted?
Pretty sure it is the NCC only who can determine that. Others may state opinions as to whether or not something is a policy violation but it's the NCC's *job* to make that determination.
At some point it *might* be the NCC's Board, through the ratification phase. The proposal doesn't suggest NCC staff to be involved other than providing the means to allow anyone to file a report.
Staff, Board, whatever. My point is that the *NCC* -AND ONLY THE NCC- gets to make a determination that a breach has occurred and, more importantly, whether it still pertains. It sounds to me as if you propose to simply use the NCC as the enforcement arm of the "Will Of The Community".
Not my claim. I was paraphrasing the terms of the SSA
2019-03 doesn't try to change the SSA. I thought this thread was about 2019-03. It should be abundantly clear that any presumable offender will have several occasions to cooperate.
Same question as above: Is a persistent hijacker who refuses to cooperate a valid threat?
A due process is ineffective as the hijack will be long over by the time anyone makes a determination.
2019-03 doesn't aim to stop intentional hijacks while they are happening. The proposal is intended to show everyone that consequences might happen if they engage in these practices, and also reduce the amount of hijacks from the same source.
And this is where you contradict yourself. The SSA and ripe-697 contain procedures to deal with and repair policy violations and termination of membership only in case of refusal or non-cooperation. A "resource hijack" that has ended means that compliance is restored, so what are the "consequences"?
I already understood "speed" is irrelevant for you. But if you are happy that intentional hijacks keep going on a daily basis, and RIPE and RIPE NCC's reputation going down the drain, others are not. :-)
Please provide evidence for the claim that "RIPE and RIPE NCC's reputation going down the drain". I've not heard that.
Understood. You will not support 2019-03, regardless of the "speed" or the "cost" axis, or depending on any other variable.
Correct. I disagree with the fundamental concept of turning the RIPE NCC from a registry into a regulator.
But that is a discussion for another day.
If so, i really don't understand why you spend your time participating :-)
There are times when I ask myself the same question. I guess someone has to provide the adult view... rgds, SL
Hi, please see inline, On Thu, 21 Mar 2019, Sascha Luck [ml] wrote:
What I really, really want to know is what do you envision the consequences for such a breach of compliance to be... Say, a member advertises ASnnnnn which they are not assigned. After a day or so its neighbours stop accepting that, possibly due to complaints. 6 months later a report issues stating that the member has violated RIPE policy. The member goes: "yeah, whatever, this was 6 months ago and is long 'fixed'" What happens?
It's somewhat more difficult to get your own ASN wrong (the other party must accept your ASN..). If it was fixed (and there should be some documented proof about the fix) then i would say it could be accidental. (...)
I can see how advertising resources which are rightfully allocated/assigned to someone else infringes on the rights of the rightful "owner", I can not see how it is abuse against the registry.
Abuse against the registry's usefulness. (...)
No, it is a conflict resolution procedure to prevent a dispute over land escalating into violence. To extend the analogy to the internet resource realm, the "owner" of a resource is of course free to procure a court order demanding that the "hijacker" stop using it. The owner is not (at least here) entitled to take an armed mob to the 'hijacker's' NOC and disconnect their routers.
But the owner can broadcast to everyone who is the hijacker and which resources are being hijacked as a way of warning to everyone. The registry seems to me to be an excellent place to get the message through... (...)
If a 'hijacker' refuses to stop advertising hijacked resources or refuses to cooperate and the ripe-697 procedure has run its course, yes. How realistic is this? Are there any actual cases where someone is long-term camping resources that are not theirs and refuses to relinquish them even after being contacted?
Yes, there are. But obviously the resources are not always the same. You can easily see this through stat.ripe.net and the routing tab, knowing who has done this...... The point here is that RIPE NCC doesn't even have any mandate to ask. And 2019-03 doesn't try to change that, but it tries to provide a way so anyone can complain about the situation, without the need to go to courts. (...)
Staff, Board, whatever. My point is that the *NCC* -AND ONLY THE NCC- gets to make a determination that a breach has occurred and, more importantly, whether it still pertains. It sounds to me as if you propose to simply use the NCC as the enforcement arm of the "Will Of The Community".
Staff and Board are not the same. As I said, it is reasonable to me to replace "RIPE Board" with "RIPE Chair" (Hans-Peter please feel free to comment). The RIPE Chair (and if it comes to that a Vice-Chair too) represents the community, not the association. (...)
Same question as above: Is a persistent hijacker who refuses to cooperate a valid threat?
Yes, it is. Clearly. The hijack is a tool, it's not the endgame. (...)
2019-03 doesn't aim to stop intentional hijacks while they are happening. The proposal is intended to show everyone that consequences might happen if they engage in these practices, and also reduce the amount of hijacks from the same source.
And this is where you contradict yourself. The SSA and ripe-697 contain procedures to deal with and repair policy violations and termination of membership only in case of refusal or non-cooperation. A "resource hijack" that has ended means that compliance is restored, so what are the "consequences"?
You mean, until the next hijack starts from the same source? Because if the hijacker is the same, and events (with different prefixes) are repeated, the problem is still there... (...)
Please provide evidence for the claim that "RIPE and RIPE NCC's reputation going down the drain". I've not heard that.
Just to state one: Google for "Criminal Abuse in RIPE IP Space". It was presented at RIPE 77, on the anti-abuse WG. While the presentation is not about hijacks, it shows how someone from outside the region sees where a significant amount of rubbish is coming from. (...)
Understood. You will not support 2019-03, regardless of the "speed" or the "cost" axis, or depending on any other variable.
Correct. I disagree with the fundamental concept of turning the RIPE NCC from a registry into a regulator.
Industry self-regulation, yes. Turning RIPE NCC into a regulator, no, that's not really 2019-03's aim. (...)
But that is a discussion for another day.
If so, I really don't understand why you spend your time participating :-)
There are times when I ask myself the same question. I guess someone has to provide the adult view...
I will decline answering this one. :-) Regards, Carlos
rgds, SL
(...)
Correct. I disagree with the fundamental concept of turning the RIPE NCC from a registry into a regulator.
(...) While I understand this concern, I must say that communities that do not self-regulate tend to be regulated from above, and that is (usually) not desirable. I think no one is suggesting that RIPE be a regulator, but it should contribute to help the community self-regulate. I guess it's no coincidence that you are seeing new .PT participants supporting this policy. Some of Mr. Ronald F. Guilmette's latest reports have turned the spotlight to Portugal on one of these infamous BGP Hijacks. No one likes to have this kind of behaviour on their doorstep, but it seems there is evidence of RIPE assigned IP space owners doing the same... and, again IMHO, RIPE should acknowledge the problem, and let everyone know it's not admissible to do that. So, from where I'm standing, this is the community trying to self-regulate :) and this policy tries to do just that. Best regards Marco (opinions are my own)
Hi Marco, On Thu, Mar 21, 2019 at 04:30:21PM +0000, CSIRT.UMINHO Marco Teixeira wrote:
While I understand this concern, I must say that communities that do not self-regulate tend to be regulated from above, and that is (usually) not desirable. I think no one is suggesting that RIPE be a regulator, but it should contribute to help the community self-regulate.
I am no longer convinced that political regulation is undesirable. Historically, regulation through governments came about wherever self-regulation got out of hand and turned into abuse - and I believe that is what is starting to happen here. rgds, SL
In message <20190322100522.GC99066@cilantro.c4inet.net>, "Sascha Luck [ml]" <aawg@c4inet.net> wrote:
I am no longer convinced that political regulation is undesirable.
Oh! Well, I think that *I* could remedy THAT! I'll just give two examples of government regulation, pertaining to the Internet, which have had demonstrably AWFUL results. The first is the federal CAN-SPAM Act in the United States, which effectively legalized spamming under certain (and very minimalist and easily circumvented) conditions. (That federal law, not coincidentally, also effectively nullified the much better and stronger California state law, which actually did outlaw spamming, just as it was about to go into effect.) I'm not going to go into either the history of, or the abundant failures of the Federal law in question, which has been quite rightly dubbed the "YOU CAN SPAM Act" by its many detractors, including me. My belief is that many/most of the folks here are already familiar with this heavily-lobbied-for travesty, and its disastrous consequences. I refer everyone else to the abundant relevant literature which is readily available online. My second example is more recent and comes from your side of the pond. I am of course speaking of GDPR and the unambiguously disastrous effect it has had with respect to domain name WHOIS records, EVEN THOSE that are quite unambiguously outside of the intended scope of GDPR, i.e. those for domains that were registered by legal entities other than natural persons. Quite predictably, numerous major registrars have used the european adoption of GDPR as a convenient excuse/pretext to completely wipe out WHOIS as we knew it, thus severely hobbling the work of both law enforcement and independent anti-abuse researchers. This is a perfect example of the cure being worse than the disease, when the rule-making is left to the wisdom... or lack thereof... of luddite government bureaucrats who are merely trying to curry some short-term political favor from an ill-informed and unduly terrified populace.
To anyone who believes that they can either cite, or even find -any- example of governmental regulation of the Internet that could not have been handled better if it had been left in the hands of actual technologists to solve, then by all means, please do cite those examples. In lieu of any such, I will continue to assert that we are all MUCH better off if we can keep the idiot bureaucrats and legislators as far away from the Internet as possible. Regards, rfg
In message <20190321130927.GA99066@cilantro.c4inet.net>, "Sascha Luck [ml]" <aawg@c4inet.net> wrote:
It sounds to me as if you propose to simply use the NCC as the enforcement arm of the "Will Of The Community".
I confess to being rather muddled and confused, because of having not gotten enough sleep last night. So I will just ask my question, in all earnestness, because at this particularly muddled moment, I honestly do not know the answer. If we set aside any emotional (negative) connotations and baggage that may be associated with the word "enforcement", isn't the above basically an accurate description of what the NCC already does, and what it already has been doing for lo these many years? Doesn't NCC merely giveth and taketh away formal allocations (as recorded in the big black book that we call the WHOIS data base) in accordance with the "Will Of The Community"? Isn't that precisely what it (NCC) was meant to do? And if so, then is there anything really new or different being suggested with the present proposal? I don't believe that anyone is proposing that NCC should take control of anyone's routers... right? They just make entries, written with e-pencil, in the Big Black Book, and then sometimes, they use the corresponding e-eraser to remove some of those same entries, again, all in accordance with and at the pleasure of the "Will Of The Community"... right? Regards, rfg
Good day to all, I would like to express my support for this policy. Regards, Marco Teixeira ----------------------------------------------------------------------- CSIRT.UMINHO - Universidade do Minho Serviços de Comunicações - Campus de Gualtar, 4710-057 Braga - Portugal Tel.: +351 253 10 20, Fax: +351 253 60 10 29 https://csirt.uminho.pt | report@csirt.uminho.pt | info@csirt.uminho.pt -----------------------------------------------------------------------
Dear All, What I'm lacking here is some sort of expiration date for the possibility of filling the report. I do not like the idea that someone could be chased down years after the alleged incident has happened (and after the policy has been implemented, with regards to the point 5.0 of the policy proposal). Piotr -- Piotr Strzyżewski Silesian University of Technology, Computer Centre Gliwice, Poland
Dear Piotr, What would be reasonable for you? 2 or 3 years before the date when the report is filed? Thanks, Carlos On Thu, 21 Mar 2019, Piotr Strzyzewski wrote:
Dear All,
What I'm lacking here is some sort of expiration date for the possibility of filling the report. I do not like the idea that someone could be chased down years after the alleged incident has happened (and after the policy has been implemented, with regards to the point 5.0 of the policy proposal).
Piotr
-- Piotr Strzyżewski Silesian University of Technology, Computer Centre Gliwice, Poland
On Thu, Mar 21, 2019 at 09:18:02AM +0000, Carlos Friaças wrote: Dear Carlos,
What would be reasonable for you?
2 or 3 years before the date when the report is filed?
I was thinking more about weeks not years. Mostly due to the nature of the incident(s) itself. However, I'm not strongly opposed to 2y term. Piotr -- Piotr Strzyżewski Silesian University of Technology, Computer Centre Gliwice, Poland
Thanks for the input! Trying to "retouch" 5.0: ======== 5.0 Retroactivity Only hijacking events that occur after this policy has been implemented are eligible to be considered. Evidence older than 18 months (counted from the date where a report is filed) should be disregarded by experts. ======== Best Regards, Carlos On Thu, 21 Mar 2019, Piotr Strzyzewski wrote:
On Thu, Mar 21, 2019 at 09:18:02AM +0000, Carlos Friaças wrote:
Dear Carlos,
What would be reasonable for you?
2 or 3 years before the date when the report is filed?
I was thinking more about weeks not years. Mostly due to the nature of the incident(s) itself. However, I'm not strongly opposed to 2y term.
Piotr
-- Piotr Strzyżewski Silesian University of Technology, Computer Centre Gliwice, Poland
Sorry, a bit congested with work overload since yesterday (I will try to respond to other emails later/tomorrow, but this one caught my attention). I've the feeling that Piotr is looking for a much shorter time frame, and I think I will agree. I'm not even sure if this is related to Retroactivity, so will need to look if it fits better in the previous section. "A hijacking event will be only considered as a case for the experts while persisting or within a maximum period of 6 months since ceased." Of course, because they will be still in the BGP historical data, and the reporting form has recorded them in a database (so to make it clear, I think we should allow reporting them, but not opening a case), it helps to determine, if they were not reported in time and they get repeated, that either somebody really needs help to avoid "fat fingers" again or it is a real/repetitive hijack (same folks involved somehow). This will also be very helpful, I think, for the overall community, and may solve some of the other issues that have been discussed up to now. Regards, Jordi
********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
On Thu, Mar 21, 2019 at 01:56:11PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
I'm not even sure if this is related to Retroactivity, so will need to look if it fits better in the previous section.
"A hijacking event will be only considered as a case for the experts while persisting or within a maximum period of 6 months since ceased."
I'd actually like a straight answer to the following question (so far what I've read is contradictory and somewhat evasive): Is it, or is it not, the goal of this proposal to change the RIPE NCC's processes for dealing with policy violations to enable the RIPE NCC to punish historical policy violations as opposed to repairing ongoing policy violations? rgds, SL
Hi, Answering directly: No, it is not the goal. See 5.0, if the proposal gets to be approved, that date will be the initial date where any evidence will be admissible to be considered regarding any reported case. So, thanks for the opportunity to clarify this. Today, an intentional hijack is NOT a RIPE policy violation, so anyone doing it _today_, under the current set of policies, is not doing (formally) anything wrong. And that's exactly what 2019-03 pretends to correct -- only and exclusively for the future. Regards, Carlos On Thu, 21 Mar 2019, Sascha Luck [ml] wrote:
On Thu, Mar 21, 2019 at 01:56:11PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
I'm not even sure if this is related to Retroactivity, so will need to look if it fits better in the previous section.
"A hijacking event will be only considered as a case for the experts while persisting or within a maximum period of 6 months since ceased."
I'd actually like a straight answer to the following question (so far what I've read is contradictory and somewhat evasive):
Is it, or is it not, the goal of this proposal to change the RIPE NCC's processes for dealing with policy violations to enable the RIPE NCC to punish historical policy violations as opposed to repairing ongoing policy violations?
rgds, SL
I support the 2019-03 proposal. We need fight against BGP Hijacks. Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
We support the proposal. The language of the policy needs a little bit of work, but the concept is something we definitely support. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
Hello All, While I am in general support of the proposal's ideas, I have several concerns with regards to the specific implementation. While the idea of a complaint form (with teeth) sounds appealing, I do not believe submission should be open to everyone. Only the party holding rights (as registered in a RIR) should be able to file a report regarding their own IP space. If everyone is allowed to do so, we run several risks, namely that individuals with no knowledge of the situation (beyond that viewed in the public routing table) will file erroneous reports based on what they believe to be the situation (which may not be accurate, as some forms of permission for announcement are not documented in a way they could feasibly see). Allowing for competent complaints (with teeth) to be filed is a good idea; needlessly permitting internet vigilantes to eat management time based on a flawed view of the situation is not. Additionally, while the policy does define a difference between accidental and intentional hijacking, it does not differentiate between the two with regards to policy violations. While some discretion should be left up to the expert, it seems odd to include this differentiation without simultaneously explicitly stating that accidental hijacking should generally be treated less severely. I am by no means attempting to state that constant, unlearned-from mistakes should be overlooked; I am merely stating that the odd one-off event should be explicitly prohibited from bringing down an entire LIR. Fat fingering happens. Finally, how does the proposed policy apply to sponsored resources (ASNs and PI space)? Is an entire LIR to be held accountable for sponsoring the resources for users who are otherwise supposed to be independent? Jacob Slater
In message <CAFV686e9aa8xhACUz+ePfbELU74MPcE-2PiC2-kpU-1xAptxFA@mail.gmail.com>, Jacob Slater <jacob@rezero.org> writes
While the idea of a complaint form (with teeth) sounds appealing, I do not believe submission should be open to everyone. Only the party holding rights (as registered in a RIR) should be able to file a report regarding their own IP space.
there are two practical problems with that: first: historically anyway, large Chinese providers have not seemed to take much notice if their prefixes are hijacked... this may be because they are not using the IP space, or that they consider the class of user for that space to have no business accessing resources outside of China (the latter seems a bit unlikely, but the "Great Firewall of China" is a complex set of devices so there may be a lot of proxying going on) second: many hijackers have used space (and AS numbers) that was allocated to entities that almost certainly don't exist any more. Determining who holds the rights to this space (a question for the liquidators of the companies involved I expect) is almost certainly impossible to establish which taken together mean that quite a number of the hijackers I have chased down over the years would not be affected by this proposal :( Also of course the proposed policy does cover unallocated space (large chunks of which are currently announced as I pointed out earlier, which still doesn't seem to be worrying many people). Would you expect IANA or the RIRs to lodge complaints here ?
If everyone is allowed to do so, we run several risks, namely that individuals with no knowledge of the situation (beyond that viewed in the public routing table) will file erroneous reports based on what they believe to be the situation (which may not be accurate, as some forms of permission for announcement are not documented in a way they could feasibly see).
I entirely agree -- this just adds to the list of practical complexities that I (and a few others) have been pointing out. Yes hijacks can be simple to understand -- but they can be very complex and perfectly legitimate activity can look like a hijack until a lot of detail has been considered. -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
Please see inline, On Thu, 21 Mar 2019, Richard Clayton wrote:
In message <CAFV686e9aa8xhACUz+ePfbELU74MPcE-2PiC2-kpU-1xAptxFA@mail.gmail.com>, Jacob Slater <jacob@rezero.org> writes
While the idea of a complaint form (with teeth) sounds appealing, I do not believe submission should be open to everyone. Only the party holding rights (as registered in a RIR) should be able to file a report regarding their own IP space.
there are two practical problems with that:
first: historically anyway, large Chinese providers have not seemed to take much notice if their prefixes are hijacked... this may be because they are not using the IP space, or that they consider the class of user for that space to have no business accessing resources outside of China (the latter seems a bit unlikely, but the "Great Firewall of China" is a complex set of devices so there may be a lot of proxying going on)
Let me add: while the legitimate owner might not care, those who will be receiving hijacked prefixes through BGP might care.
second: many hijackers have used space (and AS numbers) that was allocated to entities that almost certainly don't exist any more. Determining who holds the rights to this space (a question for the liquidators of the companies involved I expect) is almost certainly impossible to establish
Precisely. Well, the rightful owner should be able to issue a ROA :-)
which taken together mean that quite a number of the hijackers I have chased down over the years would not be affected by this proposal :(
And there are those that use space registered to conflict zones, where it's less probable that anyone will notice/complain...
Also of course the proposed policy does cover unallocated space (large chunks of which are currently announced as I pointed out earlier, which still doesn't seem to be worrying many people). Would you expect IANA or the RIRs to lodge complaints here ?
Why not? :-) Well, I added bugging Geoff Huston about this to my TO-DO list. Let's see if he can provide some insight.
If everyone is allowed to do so, we run several risks, namely that individuals with no knowledge of the situation (beyond that viewed in the public routing table) will file erroneous reports based on what they believe to be the situation (which may not be accurate, as some forms of permission for announcement are not documented in a way they could feasibly see).
I entirely agree -- this just adds to the list of practical complexities that I (and a few others) have been pointing out.
There is some risk yes. My best take at the moment is that bogus claims should be filtered.
Yes hijacks can be simple to understand -- but they can be very complex and perfectly legitimate activity can look like a hijack until a lot of detail has been considered.
That's why there is reasonable room for the suspected hijacker to explain. One expert can be wrong, all experts can be wrong once, and even after that the ratification step could act as a safety knob. Best Regards, Carlos
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
In message <Hb1CgOCoY9kcFAKS@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:
Yes hijacks can be simple to understand -- but they can be very complex and perfectly legitimate activity can look like a hijack until a lot of detail has been considered.
I'm a simple minded man, and I guess I'm perplexed by this. Isn't the whole point of route registries generally and RIPE's in particular supposed to be to make it easy for pretty much any arbitrary outsider to look at a given block and a given route to that block and conclude that the two -do- in fact properly go together, or conversely, that they do not? I really did believe (and do believe) that this is/was the whole point of creating and maintaining such route registries. But your comment makes it sound as if there are some dark black arts that must be conjured up, perhaps on a level of complexity on a par with integral calculus or protein folding, in order to just simply know that some route `R' has been properly authorized by the legitimate registrant of block `B', or conversely, that the route in question is -not- authorized by the relevant resource registrant. So, I guess I must be missing something. To the extent that you would educate me on what I'm missing, I would be grateful. Regards, rfg
In message <94320.1553230125@segfault.tristatelogic.com>, Ronald F. Guilmette <rfg@tristatelogic.com> writes
In message <Hb1CgOCoY9kcFAKS@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:
Yes hijacks can be simple to understand -- but they can be very complex and perfectly legitimate activity can look like a hijack until a lot of detail has been considered.
I'm a simple minded man, and I guess I'm perplexed by this.
Isn't the whole point of route registries generally and RIPE's in particular supposed to be to make it easy for pretty much any arbitrary outsider to look at a given block and a given route to that block and conclude that the two -do- in fact properly go together, or conversely, that they do not?
not everything is in a route registry --- and you may recall some previous work that I did showing that the mere presence of entries in a route registry is no guarantee that it reflects an actual peering arrangement: <https://www.lightbluetouchpaper.org/2015/11/02/ongoing-badness-in-the-ripe-database/>

note of course that some changes have been made since then which improve the situation as regards out-of-area space

-- richard
On Thu, 21 Mar 2019, Jacob Slater wrote:
Hello All,
Hi, Thanks for your input.
While I am in general support of the proposal's ideas, I have several concerns with regards to the specific implementation.
While the idea of a complaint form (with teeth) sounds appealing, I do not believe submission should be open to everyone. Only the party holding rights (as registered in a RIR) should be able to file a report regarding their own IP space.
I had thought about that too. The problem is hijackers tend to hijack space from:
- unallocated space
- companies which are unreachable (bankrupt/closed?)
- networks in conflict (war) zones

A variation of this will be allowing anyone _receiving_ the announcement of a hijacked prefix to file a complaint/report. Hijacks don't have to be seen by every network on the planet to be a hijack... And those receiving a hijacked prefix are (according to my dictionary) also victims.
If everyone is allowed to do so, we run several risks, namely that individuals with no knowledge of the situation (beyond that viewed in the public routing table) will file erroneous reports based on what they believe to be the situation (which may not be accurate, as some forms of permission for announcement are not documented in a way they could feasibly see).
Well, yes. That's one point... the IRR system is kind of broken. And RPKI, unfortunately, is still taking baby steps. I would say that in case of doubt, a rightful owner will be able to create a ROA for the suspected hijack....... Some might say NCC staff might act as a filter, before anything reaches the experts' hands. I personally wish that NCC staff were not involved at all.
Allowing for competent complaints (with teeth) to be filed is a good idea; needlessly permitting internet vigilantes to eat management time based on a flawed view of the situation is not.
Maybe some automated checks? The reported prefix has a valid ROA, it matches, so, the complaint is most likely bogus? :-))
Additionally, while the policy does define a difference between accidental and intentional hijacking, it does not differentiate between the two with regards to policy violations.
I thought it did, by stating that accidental events are out of scope.
While some discretion should be left up to the expert, it seems odd to include this differentiation without simultaneously explicitly stating that accidental hijacking should generally be treated less severely.
Accidental hijacking should never be treated as a policy violation. I thought that was clear, but probably it isn't -- despite section 3.0 and the summary. Sorry for that. Needs to be addressed in the next version.
I am by no means attempting to state that constant, unlearned-from mistakes should be overlooked; I am merely stating that the odd one-off event should be explicitly prohibited from bringing down an entire LIR. Fat fingering happens.
Yes, thus "This proposal aims to clarify that an intentional hijack is indeed a policy violation." Section 3.0 can be improved.
Finally, how does the proposed policy apply to sponsored resources (ASNs and PI space)? Is an entire LIR to be held accountable for sponsoring the resources for users who are otherwise supposed to be independent?
In short, no. Unless the "customer" is the LIR itself. Thanks. Best Regards, Carlos
Jacob Slater
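Carlos's "automated check" against ROAs, worked through as an added example (not code from the 2019-03 proposal or from anyone on the thread): it implements the RFC 6811 origin validation procedure and maps the result to a triage outcome for a hijack report. All ROAs and reported announcements are constructed from documentation prefixes and ASNs; no real routing data is used.

```python
"""Route-origin check for triaging a hijack report.

Added example, not code from the 2019-03 proposal or any poster on the thread.
It implements the origin validation procedure of RFC 6811 so that the
"automated check" idea from the thread can be seen end to end: a reported
announcement (prefix, origin AS) is compared against the ROAs that cover it.
All ROAs and announcements below are constructed from documentation prefixes
(RFC 5737 / RFC 3849) and documentation ASNs (RFC 5398).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength and authorised origin AS."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def make_roa(prefix: str, asn: int, max_length: int | None = None) -> ROA:
    """Build a ROA; maxLength defaults to the prefix length, as in RFC 6482."""
    net = ipaddress.ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return ROA(net, ml, asn)


def covering_roas(announced, roas):
    """ROAs whose prefix covers the announced prefix (same address family only)."""
    return [r for r in roas
            if r.prefix.version == announced.version and announced.subnet_of(r.prefix)]


def validate(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation state for one announcement."""
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(announced, roas)
    if not covering:
        return NOT_FOUND          # no ROA says anything about this space
    for roa in covering:
        # A match needs the same origin AS and a prefix no longer than maxLength;
        # one match is enough, however many other covering ROAs disagree.
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return VALID
    return INVALID                # covered, but no ROA authorises this origin/length


def triage_report(prefix: str, origin_asn: int, roas) -> tuple[str, str]:
    """Map the validation state to what it tells the person reading a report."""
    state = validate(prefix, origin_asn, roas)
    advice = {
        VALID: "announcement matches a ROA for this origin; the report is most likely bogus",
        INVALID: "covered by ROAs but none authorises this origin/length; consistent with a hijack, hand to the experts",
        NOT_FOUND: "no ROA covers the prefix (unallocated or unattended space); RPKI cannot decide this one",
    }[state]
    return state, advice


# Constructed ROA set standing in for what a validator would fetch from the RIRs.
SAMPLE_ROAS = [
    make_roa("192.0.2.0/24", 64496),                   # maxLength defaults to /24
    make_roa("198.51.100.0/24", 64497, max_length=26),
    make_roa("2001:db8::/32", 64498, max_length=48),
]

# Constructed reports: (announced prefix, origin AS seen in the routing table).
SAMPLE_REPORTS = [
    ("192.0.2.0/24", 64496),        # the holder's own announcement
    ("192.0.2.0/24", 64511),        # same prefix, foreign origin
    ("192.0.2.0/25", 64496),        # right origin, but more specific than maxLength
    ("198.51.100.64/26", 64497),    # within maxLength
    ("198.51.100.64/27", 64497),    # beyond maxLength
    ("203.0.113.0/24", 64499),      # no ROA at all
    ("2001:db8:1::/48", 64498),     # IPv6, within maxLength
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_REPORTS:
        state, advice = triage_report(prefix, asn, SAMPLE_ROAS)
        print(f"{prefix:>20} AS{asn}: {state:<8} {advice}")
```

The NotFound case is the one Carlos's list of hijacked space (unallocated, unreachable holders) tends to produce: with no covering ROA the check can neither confirm nor dismiss the report, so it only filters complaints where the resource holder has actually published a ROA.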
Top posting to make it short.

Not sure I understand "with teeth" (and Google didn't help). Please understand that there are a lot of people who are not native English speakers, so this kind of expression makes it difficult to catch everything.

While I basically agree with Carlos, I have some additional points.

1) I recall there is a form on the NCC web site that anyone can use to report broken whois data, or am I mistaken?

2) I think in one of the previous responses I already indicated that, to ensure that accidental cases aren't repeated, it is fine to send a "warning" report about them, which will hopefully help the community to improve the situation, but not considering them a policy violation, and in case of doubt, experts can suggest a waiver for the first time.

3) We may need to refine the text, but the suspected hijacker, in case of sponsored resources, is the suspected hijacker, not the sponsoring LIR (which may not even have a relation to it). However, some people indicated that the direct peer should also be accountable. I think I also mentioned this before: one possible option is to tell the direct peer the first time "this is a warning report, please make sure to improve your filters".

Regards, Jordi
On Thu, Mar 21, 2019 at 11:12:02PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
3) We may need to refine the text, but the suspected hijacker, in case of sponsored resources, is the suspected hijacker, not the sponsoring LIR (which may not even have a relation to it). However, some people indicated that the direct peer should also be accountable. I think I also mentioned this before: one possible option is to tell the direct peer the first time "this is a warning report, please make sure to improve your filters".
Now I'm confused. In another post, Carlos indicated that someone who receives a hijacked prefix is a victim and here they are also Bad People. I'm not sure what to think about a retributive proposal that can't even keep the "victims" and the "offenders" apart. In this case ("neighbours are bad") it reminds me of a UK law that punishes not only an illegal immigrant but also the landlord who fails to refuse to rent them a flat. rgds, SL
On Fri, 22 Mar 2019, Sascha Luck [ml] wrote:
On Thu, Mar 21, 2019 at 11:12:02PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
3) We may need to refine the text, but the suspected hijacker, in case of sponsored resources, is the suspected hijacker, not the sponsoring LIR (which may not even have a relation to it). However, some people indicated that the direct peer should also be accountable. I think I also mentioned this before: one possible option is to tell the direct peer the first time "this is a warning report, please make sure to improve your filters".
Now I'm confused. In another post, Carlos indicated that someone who receives a hijacked prefix is a victim and here they are also Bad People. I'm not sure what to think about a retributive proposal that can't even keep the "victims" and the "offenders" apart. In this case ("neighbours are bad") it reminds me of a UK law that punishes not only an illegal immigrant but also the landlord who fails to refuse to rent them a flat.
Hi,

The issue here might be the difference between a peering and a transit relationship.

If hijacker Z announces prefix Y to network X, then network X will route packets towards the hijacker, even if X doesn't propagate prefix Y any further to any other 3rd party networks.

A hijacker can join an IXP and announce a hijacked prefix to one, some or all of the IXP's membership. In that case we will have one, some or many victims.

Hope it is clear now.

Regards, Carlos
rgds, SL
Clearly it is a matter of wording and also introducing warnings in some cases.

I have sent a text about this before:

“Direct peers allowing the hijack thru their networks will be warned the first time, but may be considered by the experts evaluation to be a party involved in case of subsequent deliberated hijacks cases”

Regards, Jordi
On 22/03/2019 13:33, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
Clearly it is a matter of wording and also introducing warnings in some cases.
I have sent a text about this before:
“Direct peers allowing the hijack thru their networks will be warned the first time, but may be considered by the experts evaluation to be a party involved in case of subsequent deliberated hijacks cases”
Excellent! -Hank
Hi Sascha,

On 22/3/19 12:07, "anti-abuse-wg on behalf of Sascha Luck [ml]" <anti-abuse-wg-bounces@ripe.net on behalf of aawg@c4inet.net> wrote:

Now I'm confused. In another post, Carlos indicated that someone who receives a hijacked prefix is a victim and here they are also Bad People. I'm not sure what to think about a retributive proposal that can't even keep the "victims" and the "offenders" apart.

I don't think I've said that if it is really a victim. I know my English is bad, but not so terrible!

A direct peer I mean here is the provider of the hijacker. Should you verify and filter anything that doesn't belong to your customer?

If your customer has been able to hack the information so it appears as the valid resource-holder, and you configure your prefixes based on that, then you are also a victim, as you have no way (the information has been hacked) to know that in advance.

In this case ("neighbours are bad") it reminds me of a UK law that punishes not only an illegal immigrant but also the landlord who fails to refuse to rent them a flat.

rgds, SL
On Fri, Mar 22, 2019 at 12:21:43PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
I don't think I've said that if it is really a victim. I know my English is bad, but not so terrible!
not you, that was Carlos and he has since clarified what he meant.
A direct peer I mean here is the provider of the hijacker. Should you verify and filter anything that doesn't belong to your customer?
I do because my customers are small-ish and mostly personally known to me and I can use manual prefix filters. I don't want to presume as to what is possible or scalable for other networks, nor even what they should do. rgds, SL
On Fri, 22 Mar 2019, Sascha Luck [ml] wrote:
On Fri, Mar 22, 2019 at 12:21:43PM +0100, JORDI PALET MARTINEZ via anti-abuse-wg wrote:
I don't think I've said that if it is really a victim. I know my English is bad, but not so terrible!
not you, that was Carlos and he has since clarified what he meant.
A direct peer I mean here is the provider of the hijacker. Should you verify and filter anything that doesn't belong to your customer?
I do because my customers are small-ish and mostly personally known to me and I can use manual prefix filters. I don't want to presume as to what is possible or scalable for other networks, nor even what they should do.
Please let me add this:

Someone filing a report must identify the source of a hijack. Sometimes hijackers "simulate" customers, to be able to shake off any queries.

If you can prove you and "your customer" are not one and the same party, the consequence should be zero, because you as a transit provider are also being a victim. And here I would explicitly exclude any "warnings".

3rd parties can't be minimally liable for others' wrongdoings -- and currently to some people, hijacking is not even part of "wrongdoings".

Regards, Carlos
rgds, SL
In message <CAFV686e9aa8xhACUz+ePfbELU74MPcE-2PiC2-kpU-1xAptxFA@mail.gmail.com> Jacob Slater <jacob@rezero.org> wrote:
... If everyone is allowed to {file reports}, we run several risks, namely that individuals with no knowledge of the situation (beyond that viewed in the public routing table) will file erroneous reports based on what they believe to be the situation (which may not be accurate, as some forms of permission for announcement are not documented in a way they could feasibly see). Allowing for competent complaints (with teeth) to be filed is a good idea; needlessly permitting internet vigilantes to eat management time based on a flawed view of the situation is not.
I have two issues with the quote above.

First, I'm not sure I either understand or am even aware of these alleged "forms of permission for announcement {that} are not documented". So perhaps Mr. Slater could elaborate upon that, for my benefit, and perhaps also for that of others who may also be similarly in the dark about what he's talking about here.

All I know is that the RIPE WHOIS data base contains, among much other stuff, route: objects which generally document what is generally believed to be information about properly authorized (by the affected resource holder) routing permissions. If there exists information about properly authorized routing permissions that is -not- present in and among those data base route objects, then I do have to wonder if some such routing permissions either cannot be or should not be represented as route objects in the official data base, and if so, the reasons for that.

Second, although the word "vigilante" has, in the modern era, come to have much negative connotation, there quite certainly was a time and place when and where that was not so. I am speaking specifically of the American West in the time before it became entirely civilized and in the time before it had a full complement of established legislatures, established laws, established courts, established (and paid) law enforcement agents, and all of the other bits, pieces, and accoutrements, of what we all, in the modern era, think of as a properly functioning system of justice. In that time and place early settlers did often band together in order to enforce at least some sense of community-backed justice. It wasn't always pretty, and it wasn't always fair or just, but in the absence of officially authorized systems of justice, it was often all that those early settlers had to defend themselves from the unjust tyranny of the strong against the weak.

To say that there are more than a few similarities between the current Internet and the "Wild West" of legend and lore would neither be an entirely inaccurate observation nor would it even be a particularly novel one. Many commentators have drawn this exact analogy at various times over the past couple of decades. A more interesting question is whether or not the proposal on the table at the moment moves the Internet closer to or further away from a modern "civilized" state of affairs.

I think the proposal moves us closer to a state of civility and civilization. You might well claim, as you have, that it permits and carves out some space still for "vigilantism" in the process, but it does so only with respect to the submission of reports that would then, by design, be reviewed and judged by others. I have trouble seeing how this could be harmful. I do agree that it opens up the possibility of perhaps having everyone's time wasted, perhaps even frequently, with meritless and bogus reports, but I think that it is premature to assume that such an outcome will, in practice, be common enough to merit serious concern. Time will tell.

In short, if the policy goes into effect and if it -then- becomes evident that quite a lot of bogus reports are coming in as a result, I think that some means of dealing with that problem can be devised and implemented at that time. I, however, do not anticipate any such troublesome flood of bogosity.
Additionally, while the policy does define a difference between accidental and intentional hijacking, it does not differentiate between the two...
If that's true, then it should certainly be fixed. Regards, rfg
First, I'm not sure I either understand or am even aware of these alleged "forms of permission for announcement {that} are not documented". So perhaps Mr. Slater could elaborate upon that, for my benefit, and perhaps also for that of others who may also be similarly in the dark about what he's talking about here.
Route objects are not always required. While route objects are generally preferred and should be used, letters of authorization are still in use today. You certainly wouldn't see them in a public database (though you might see objects which claim to be tied to them). Even if you do, they may well be stale and no longer accurate.
and if so, the reasons for that.
Because they have had no valid reason to do so yet. Making it a policy violation doesn't seem like the right way to encourage them to do so. It is not the job of the NCC to tell users how to run their network. As annoying as it is at times, this includes how users choose to authenticate their announcements.
I think the proposal moves us closer to a state of civility and civilization. You might well claim, as you have, that it permits and carves out some space still for "vigilantism" in the process, but it does so only with respect to the submission of reports that would then, by design, be reviewed and judged by others. I have trouble seeing how this could be harmful. I do agree that it opens up the possibility of perhaps having everyone's time wasted, perhaps even frequently, with meritless and bogus reports, but I think that it is premature to assume that such an outcome will, in practice, be common enough to merit serious concern. Time will tell.
I agree that it may be presumptuous to guess at how much time will be wasted without any justification. That said, I have seen a significant number of recent reports on various mailing lists of accused hijackers. While some of them have been accurate, some of them definitively jump to premature conclusions. I, for one, would like to at the very least minimize the impact (in both stress and time) that such users would have on the time of all involved. Given your comments (along with some of the others mentioned), perhaps the best way to approach the issue is with explicitly stated guidelines for how hijacking reports should be processed and treated on the basis of both credibility (i.e. bogon/prefix holder) and bulk in a holistic sense. If done properly, it would minimize the risk for noncredible reports to cause impact for a given entity (based on the beliefs of a particular expert) while allowing groups beyond the specific prefix holder to make complaints (which have the potential to be taken seriously).
Additionally, while the policy does define a difference between accidental and intentional hijacking, it does not differentiate between the two...
If that's true, then it should certainly be fixed.
Reading through the exact text, the only mention of the distinction appears to be a definition.
Hi, (please see inline) On Thu, 21 Mar 2019, Jacob Slater wrote:
First, I'm not sure I either understand or am even aware of these alleged "forms of permission for announcement {that} are not documented". So perhaps Mr. Slater could elaborate upon that, for my benefit, and perhaps also for that of others who may also be similarly in the dark about what he's talking about here.
Route objects are not always required. While route objects are generally preferred and should be used, letters of authorization are still in use today. You certainly wouldn't see them in a public database (though you might see objects which claim to be tied to them). Even if you do, they may well be stale and no longer accurate.
While I haven't seen any of those, I was told they exist. I fail to understand how they are still 'acceptable'. Can't they be easily forged? I hope everyone agrees that authenticated IRR and preferably RPKI should be the way to go. Globally.
and if so, the reasons for that.
Because they have had no valid reason to do so yet. Making it a policy violation doesn't seem like the right way to encourage them to do so. It is not the job of the NCC to tell users how to run their network. As annoying as it is at times, this includes how users choose to authenticate their announcements.
The main difference I see between LoA vs. IRR/RPKI is partial visibility. The 'BGP core ring of trust' is way broken with 60.000+ ASNs, so we need everyone to be able to see if any announcement has any hint of being aligned with the legitimate resource holder. Isn't it time for people to get their act together? :-)
I think the proposal moves us closer to a state of civility and civilization. You might well claim, as you have, that it permits and carves out some space still for "vigilantism" in the process, but it does so only with respect to the submission of reports that would then, by design, be reviewed and judged by others. I have trouble seeing how this could be harmful. I do agree that it opens up the possibility of perhaps having everyone's time wasted, perhaps even frequently, with meritless and bogus reports, but I think that it is premature to assume that such an outcome will, in practice, be common enough to merit serious concern. Time will tell.
I agree that it may be presumptuous to guess at how much time will be wasted without any justification. That said, I have seen a significant number of recent reports on various mailing lists of accused hijackers. While some of them have been accurate, some of them definitively jump to premature conclusions. I, for one, would like to at the very least minimize the impact (in both stress and time) that such users would have on the time of all involved.
Sure, but 2019-03 proposes several steps where premature conclusions can be discarded.
Given your comments (along with some of the others mentioned), perhaps the best way to approach the issue is with explicitly stated guidelines for how hijacking reports should be processed and treated on the basis of both credibility (i.e. bogon/prefix holder) and bulk in a holistic sense. If done properly, it would minimize the risk for noncredible reports to cause impact for a given entity (based on the beliefs of a particular expert) while allowing groups beyond the specific prefix holder to make complaints (which have the potential to be taken seriously).
Sure. Let's then refine the process in subsequent versions.
> Additionally, while the policy does define a difference between accidental and intentional hijacking, it does not differentiate between the two...
If that's true, then it should certainly be fixed.
Reading through the exact text, the only mention of the distinction appears to be a definition.
Can you propose an amendment or addon? Thanks. Best Regards, Carlos
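Carlos's point about everyone being able to see whether an announcement is aligned with the legitimate resource holder, and Jacob's point that a letter of authorization leaves no public trace, can be made concrete. The following is an added example, not code from this thread, from RIPE or from any registry: it applies RFC 6811 route origin validation to a small ROA set and an exact-match lookup to IRR route objects, and classifies what a third party looking only at public data can and cannot conclude. All prefixes, AS numbers, ROAs and route objects are constructed sample data (documentation prefixes and private ASNs), and the function names are my own.

```python
"""Checking a BGP announcement against public authorisation data.

Added example for this thread, not code from the thread, from RIPE or from
any registry. It implements RFC 6811 route origin validation against a set
of ROAs and an exact-match lookup against IRR route objects. Every prefix,
AS number, ROA and route object below is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A validated ROA payload: prefix, maxLength and authorised origin AS."""
    prefix: str
    max_length: int
    origin_as: int  # 0 means "no AS may originate this prefix" (AS0 ROA)


@dataclass(frozen=True)
class RouteObject:
    """An IRR route/route6 object reduced to its route and origin attributes."""
    route: str
    origin_as: int


# Constructed sample registry contents (documentation prefixes, private ASNs).
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64500),
    Roa("198.51.100.0/24", 25, 64501),   # /25s are allowed, /26s are not
    Roa("203.0.113.0/24", 24, 0),        # AS0 ROA: nobody may originate it
    Roa("2001:db8::/32", 48, 64500),
]
SAMPLE_ROUTE_OBJECTS = [
    RouteObject("192.0.2.0/24", 64500),
    RouteObject("198.18.0.0/15", 64503),  # route object exists, no ROA
]


def covering_roas(roas, prefix):
    """ROAs whose prefix covers (equals or contains) the announced prefix."""
    net = ipaddress.ip_network(prefix)
    found = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            found.append(roa)
    return found


def rov_state(roas, prefix, origin_as):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "notfound"
    for roa in covering:
        # One covering ROA that matches the origin AS and whose maxLength
        # admits the announced prefix length is enough for 'valid'.
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA, but none authorises this origin/length.
    return "invalid"


def irr_match(route_objects, prefix, origin_as):
    """True if a route object with exactly this prefix and origin exists."""
    net = ipaddress.ip_network(prefix)
    return any(ipaddress.ip_network(o.route) == net and o.origin_as == origin_as
               for o in route_objects)


def assess(prefix, origin_as, roas=SAMPLE_ROAS, route_objects=SAMPLE_ROUTE_OBJECTS):
    """Combine both checks into what a third party can see in public data."""
    state = rov_state(roas, prefix, origin_as)
    irr = irr_match(route_objects, prefix, origin_as)
    if state == "valid":
        verdict = "authorised by ROA"
    elif state == "invalid":
        verdict = "conflicts with ROA"
    elif irr:
        verdict = "no ROA, route object present"
    else:
        verdict = "no public authorisation visible"  # LoA-only, or a hijack
    return {"prefix": prefix, "origin_as": origin_as, "rov": state,
            "irr": irr, "verdict": verdict}


if __name__ == "__main__":
    # Constructed announcements as they might appear in a public routing table.
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64666),
                     ("198.51.100.0/26", 64501), ("203.0.113.0/24", 64502),
                     ("198.18.0.0/15", 64503), ("2001:db8:1::/48", 64500)]:
        print(assess(pfx, asn))
```

A "notfound" result with no route object is exactly the LoA-only case from the discussion: nothing in public data distinguishes it from an unauthorised announcement, which is why a report based on the routing table alone can be wrong. An "invalid" result is stronger evidence, but a stale or mistaken ROA produces the same result, so it is a reason to ask the resource holder rather than a verdict.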
On Thu, Mar 21, 2019 at 10:46:08PM -0700, Jacob Slater wrote:
Route objects are not always required. While route objects are generally preferred and should be used, letters of authorization are still in use today. You certainly wouldn't see them in a public database (though you might see objects which claim to be tied to them). Even if you do, they may well be stale and no longer accurate.
In my world, these authorisations are largely informal (phone calls, emails, sometimes personal meetings). The people involved know and trust each other, there is no need for bureaucratic exercises.
Because they have had no valid reason to do so yet. Making it a policy violation doesn't seem like the right way to encourage them to do so. It is not the job of the NCC to tell users how to run their network. As annoying as it is at times, this includes how users choose to authenticate their announcements.
Agreed, and I refuse to accept the NCC's authority to do so. rgds, SL
In message <CAFV686d+rHrTrevDm8sL9h+Nu6TPi8x+jHBv2pL+w-M9gyBgpg@mail.gmail.com>, Jacob Slater <jacob@rezero.org> writes
First, I'm not sure I either understand or am even aware of these alleged "forms of permission for announcement {that} are not documented". So perhaps Mr. Slater could elaborate upon that, for my benefit, and perhaps also for that of others who may also be similarly in the dark about what he's talking about here.
Route objects are not always required. While route objects are generally preferred and should be used, letters of authorization are still in use today. You certainly wouldn't see them in a public database (though you might see objects which claim to be tied to them). Even if you do, they may well be stale and no longer accurate.
I doubt that all (perhaps any?) anti-DDoS arrangements (which often involve apparent hijacks of blocks of address space) are documented with route objects.... ... although perhaps more so in Europe where I believe that some providers build filtering systems from route objects?
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
In message <CAFV686d+rHrTrevDm8sL9h+Nu6TPi8x+jHBv2pL+w-M9gyBgpg@mail.gmail.com>, Jacob Slater <jacob@rezero.org> wrote:
Route objects are not always required. While route objects are generally preferred and should be used, letters of authorization are still in use today. You certainly wouldn't see them in a public database (though you might see objects which claim to be tied to them). Even if you do, they may well be stale and no longer accurate.
Well, one could view such situations as being analogous to placing an ad in the personals section of Craigslist which only says that one is "into rough encounters". If some Craigslist editor/moderator or some third party comes along and asks you to explain exactly what you meant by that, well then (a) explaining your meaning seems like a very tiny burden to bear and also (b) it doesn't seem like an unfair or undue burden, given that you could pretty easily have made your intentions clear from the outset. (And likewise, it is apparently pretty easy for anyone to register a route object in the RIPE DB.)
I agree that it may be presumptuous to guess at how much time will be wasted without any justification. That said, I have seen a significant number of recent reports on various mailing lists of accused hijackers. While some of them have been accurate, some of them definitively jump to premature conclusions.
In the process of explaining the problem, you may very well have put forward its solution also. Perhaps somebody... I won't suggest who... should set up a mailing list to allow anybody and everybody to present and pre-discuss allegations of hijacking, with an eye toward providing a gentle and helpful education to those folks who may misjudge certain specific situations. It's just an idea. Probably worth what you paid for it. My hope and belief is that reasonable persons of good will can and will discuss allegations and seek the facts and clarity, even if left to themselves to do so on a privately run mailing list. Are any of the mailing lists you have referred to already appropriate for such early discussions? Are any of them already open to the general public? Regards, rfg
On Thu, Mar 21, 2019 at 09:33:42PM -0700, Ronald F. Guilmette wrote:
In message <CAFV686e9aa8xhACUz+ePfbELU74MPcE-2PiC2-kpU-1xAptxFA@mail.gmail.com> Jacob Slater <jacob@rezero.org> wrote:
All I know is that the RIPE WHOIS data base contains, among much other stuff, route: object which generally document what is generally believed to be information about properly authorized (by the affected resources holder) routing permissions. If there exists information about properly authorized
Right now, only the prefix owner needs to authorise the route: object. In the past, the ASN needed to be authorised as well but this proved unworkable in practice.
Second, although the word "vigilante" has, in the modern era, come to have much negative connotation, there quite certainly was a time and place when and where that was not so. I am speaking specifically of the American West in the time before it became entirely civilized and in the time before it had a full complement of established legislatures, established laws, established courts, established (and paid) law enforcement agents, and all of the other bits, pieces, and accoutrements, of what we all, in the modern era, think of as a properly functioning system of justice. In that time and place early settlers did often band together in order to enforce at least some sense of community-backed justice. It wasn't always pretty, and it wasn't always fair or just, but in the absence of officially authorized systems of justice, it was often all that those early settlers had to defend themselves from the unjust tyranny of the strong against the weak.
True, and when that became out-of-control and abusive the government would send the cavalry and the marshals and restore some semblance of rule of law. (at least that is how I remember it worked in Western films) I wonder whether it is time to issue movement warnings to the cavalry... rgds, SL
On Thu, Mar 21, 2019 at 01:35:54PM -0400, Jacob Slater wrote:
While I am in general support of the proposal’s ideas, I have several concerns with regards to the specific implementation.
Sadly, we don't know about the implementation details yet and that is another problem with this proposal.
- Who are these "experts" that are supposed to make a determination of policy violation? Who picks them? Whom are they accountable to?
- What powers will they have to "subpoena" data from "suspect" parties (and their neighbours and their neighbour's neighbours according to the desires voiced in this discussion)? What happens if one refuses to engage with or provide sensitive data to them?
Additionally, while the policy does define a difference between accidental and intentional hijacking, it does not differentiate between the two with regards to policy violations.
FWIW, neither does the NCC with regards to current policy violations. Incorrect data is a policy violation, whether it resulted from a typo or an intent to defraud. The (current) aim of the NCC's "policy enforcement" is to repair such incorrect data, not to punish those responsible. rgds, SL
I support this policy proposal.
Dear WG,

I've read the proposal and the discussion that has been posted in the last couple of days. In the current form, I would like to state that I wouldn't support the proposal.

I would like to give some history about BGP hijacks and specifically 2 that have been widely published (at least in the Netherlands for 1 in particular..) and another one after people found out via Wikileaks (Hacking Team involvement).

The first one was when Bulgarian spammers hijacked IP space of the Ministry of Foreign Affairs in the Netherlands.. for more than 10 days.. without the Dutch ministry noticing .. BTW. Spamhaus did .. and listed their prefixes along with other prefixes from the hijackers. The ministry stated the IP space wasn't in use or announced .. at least not announced in BGP by them .. After the hijack came to surface, a Dutch national newspaper published a story about it.. and questions to the responsible minister were asked how / why / who was responsible / why didn't anyone notice etc etc.

https://www.volkskrant.nl/wetenschap/ip-adressen-ministerie-gekaapt-door-bul... ( Dutch article )
https://tweakers.net/nieuws/104975/ip-adressen-buza-gekaapt-via-bgp-hijackin... ( Dutch tech site article )

The official reaction to Dutch parliament was, that it was too hard to prosecute or even find the actual people behind the hijack and they decided not to go after them. While in fact there was the option to request the administrative information known at the RIPE NCC and the AMS-IX where they consumed services and had payment details and perhaps even more (both are Dutch entities and required to provide the information when asked by the Dutch authorities). But perhaps it was just not important enough to look into it and request the Bulgarian government to hand over some of their citizens.... as the Dutch government might have needed the Bulgarian assistance in 2014/2015 during the refugee influx and their support in the EU. #politics

Even IF they would have proceeded .. under Dutch law, BGP Hijacking isn't a criminal offence and as a result, not directly illegal or criminal.. Performing a (D)DOS or breaking into a computer system is.. but BGP hijacking as such isn't. Especially if the IP space wasn't in use.. so nothing broke or stopped working .. So even if they would get the Bulgarian spammer/hijackers in front of a Dutch judge .. the chance was that ... they would walk, because there was no harm done .. No law was broken, no system invaded and nothing stopped working . . . ( Full disclosure I'm not a lawyer, but this is the information that I was handed at the time.. )

The Dutch cyber prosecutor wasn't even sure under which section of the Dutch Criminal law (Strafrecht) this might fall and he suggested 'perhaps .. Art. 161 sexies Sr - https://twitter.com/Byte_Fighter/status/625012729171025920 ) That can be found here : (in Dutch ) https://maxius.nl/wetboek-van-strafrecht/artikel161sexies Where it mentions ( He who deliberately destroys, damages or disables any automated telecommunications work, causes a disturbance in the workings or operation of such work, or defeats a safety measure taken in relation to such work, shall be punished: ) - * Google Translate translation...

The other version of a quite known BGP Hijack is the one of Hacking Team, who acted on behalf of the Italian government (Police) to re-activate a RAT Command and Control server after a bulletproof hoster (Santrex) went down. And that particular C&C was important enough to regain control over, as it was part of an active operation of the ROS. ( https://en.wikipedia.org/wiki/Raggruppamento_Operativo_Speciale ) More insight on that BGP Hijack - https://arstechnica.com/information-technology/2015/07/hacking-team-orchestr... So in this case, the Italian Police (ROS) used (forced??) an Italian ISP to hijack some IP space to regain control of their lost RAT C&C server.. (endpoint for RAT infected machines.) This wasn't an accident .. but was it criminal by the ISP to assist their local police ? And what would have been the impact if they didn't . . ? These are your/our tax dollars at work ... They either don't care or are the bad actor themselves.

So the customers that hold an SSA or End-User Agreement (PI Holders for IP space and AS number) look to be the 'target' of the policy, however that leaves out the legacy resource holders.. And with the current transfer policies in place, yes it is possible to obtain a legacy AS number and a legacy IPv4 prefix ...for yourself .. and those can't be 'retrieved' with this policy .. And even with the policy, it isn't the RIPE NCC that COULD de-register them as they are not allocated by the RIPE NCC in the first place ... So Legacy holders (resources with a legacy status) are for obvious reasons, excluded for penalties and out of reach. Also according to the policy that specifies services to Legacy holders, as this policy doesn't state that it wants to include and impact legacy holders.

The biggest issue what I see in this policy, is that the RIPE NCC ( either themselves or the Exec Board. ) is desired / aimed to pull the trigger on a membership or contractual relationship. This is a huge no-no imho. These kind of actions or decisions should be kept out of the RIPE NCC office and the actual case and decision should be made by a court and court order. If the RIPE NCC would like to stay neutral, it can't be the executor or be held liable for any decisions like this, handed to them (even by an external 'expert' ) on these matters. If someone likes to make the case that someone is in violation, there should be a neutral judge that should review the case and the accuser can go to the RIPE NCC with the result .. And the RIPE NCC will just execute based on the outcome. Handing those kind of decisions to the RIPE NCC or the Exec Board is a sliding scale .. and open to scope creep. I would be very careful with what we are wishing for ..

I can understand the sentiment or intent of the policy, but I'm against any form of policy where the RIPE NCC or the Exec Board will be involved in the actual decision like this as it will impact their neutral status and the fact they are opening themselves for liability claims. Again I'm not a lawyer, but I have huge concerns about this.

Kind regards, Erik Bais - Sorry for the long read.. -
Hi Erik, Using ----> because for some reason this email is not being automatically "quoted" correctly in my email client. Regards, Jordi El 21/3/19 23:54, "anti-abuse-wg en nombre de Erik Bais" <anti-abuse-wg-bounces@ripe.net en nombre de ebais@a2b-internet.com> escribió: Dear WG, I've read the proposal and the discussion that has been posted in the last couple of days. In the current form, I would like to state that I wouldn't support the proposal. I would like to give some history about BGP hijacks and specifically 2 that have been widely published (at least in the Netherlands for 1 in particular..) and another one after people found out via Wikileaks (Hacking Team involvement). The first one was when Bulgarian spammers hijacked IP space of the Ministry of Foreign Affairs in the Netherlands.. for more than 10 days.. without the Dutch ministry noticing .. BTW. Spamhaus did .. and listed their prefixes along with other prefixes from the hijackers. The ministry stated the IP space wasn't in use or announced .. at least not announced in BGP by them .. After the hijack came to surface, a Dutch national newspaper published a story about it.. and questions to the responsible minister were asked how / why / who was responsible / why didn't anyone notice etc etc. https://www.volkskrant.nl/wetenschap/ip-adressen-ministerie-gekaapt-door-bul... ( Dutch article ) https://tweakers.net/nieuws/104975/ip-adressen-buza-gekaapt-via-bgp-hijackin... ( Dutch tech site article ) The official reaction to Dutch parliament was, that it was too hard to prosecute or even find the actual people behind the hijack and they decided not to go after them. While in fact there was the option to request the administrative information known at the RIPE NCC and the AMS-IX where they consumed services and had payment details and perhaps even more (both are Dutch entities and required to provide the information when asked by the Dutch authorities). 
> But perhaps it was just not important enough to look into it and request the Bulgarian government to hand over some of their citizens.... as the Dutch government might have needed the Bulgarian assistance in 2014/2015 during the refugee influx and their support in the EU. #politics
>
> Even IF they would have proceeded.. under Dutch law, BGP hijacking isn't a criminal offence and as a result not directly illegal or criminal.. Performing a (D)DoS or breaking into a computer system is.. but BGP hijacking as such isn't. Especially if the IP space wasn't in use.. so nothing broke or stopped working..

--------> There are plenty of "bad" things, especially on the Internet, which are not classified as such, but if you go to the courts they will get punished, or at least warned. Law is slow to change and adapt to new times. Let me give an example. Let's suppose "A" has a flat. "A" is renting it to "B". "B" is not using it. "C" knows it, so usurps that property. Not just that, but is creating trouble for neighbours "X", "Y", "Z", such as smoke from the BBQ, too loud music. Even if "A" is not being impacted at all (because "B" still pays the bills), what "B" is doing is against the law.

* Usurpation is against the law.
* Spam is also against the law, as is DDoS and many other things (and some of them are not classified as "such" by the law, but by comparison, in the real-life cases they are considered).
* Add here other acts against the law that I'm forgetting; I'm sure there are.

Law can't cover every possible "example" of "bad actions", which doesn't mean they are illegal. Law allows membership organizations, such as RIPE, to set up their own by-laws and protect them. Law allows you to enforce by-laws, at a minimum with a very simple mechanism: if you don't follow the by-laws, you're in breach, and we can cancel the membership. I really think the Dutch government did very badly not making a court case on this, but that's a different debate...
> So even if they would get the Bulgarian spammers/hijackers in front of a Dutch judge.. the chance was that... they would walk, because there was no harm done.. No law was broken, no system invaded and nothing stopped working... (Full disclosure: I'm not a lawyer, but this is the information that I was handed at the time..)
>
> The Dutch cyber prosecutor wasn't even sure under which section of the Dutch Criminal law (Strafrecht) this might fall, and he suggested 'perhaps.. Art. 161 sexies Sr' - https://twitter.com/Byte_Fighter/status/625012729171025920
>
> That can be found here (in Dutch): https://maxius.nl/wetboek-van-strafrecht/artikel161sexies
>
> Where it mentions: (He who deliberately destroys, damages or disables any automated telecommunications work, causes a disturbance in the workings or operation of such work, or defeats a safety measure taken in relation to such work, shall be punished:) - * Google Translate translation...
>
> The other version of a quite well-known BGP hijack is the one of Hacking Team, who acted on behalf of the Italian government (Police) to re-activate a RAT Command and Control server after a bulletproof hoster (Santrex) went down. And that particular C&C was important enough to regain control over, as it was part of an active operation of the ROS. (https://en.wikipedia.org/wiki/Raggruppamento_Operativo_Speciale)
>
> More insight on that BGP hijack: https://arstechnica.com/information-technology/2015/07/hacking-team-orchestr...
>
> So in this case, the Italian Police (ROS) used (forced??) an Italian ISP to hijack some IP space to regain control of their lost RAT C&C server.. (endpoint for RAT infected machines.) This wasn't an accident.. but was it criminal for the ISP to assist their local police? And what would have been the impact if they didn't...?

--------> 1) Police can't force any ISP to do anything. A court order can.
2) If there is a court order for such a thing (which I really doubt), you can appeal it.
3) If there is a court order you will have written documents, and you have the right to publish them. Sometimes not immediately, but in the case that because of the court order you're being punished because of the experts' report, the judge will *definitively* allow you to provide it to RIPE, and the experts, via NDA, or the board in the worst case, will tell the community that this is involved in a court case and can't be "punished", or even better, the case will be dismissed before it started.

> These are your/our tax dollars at work... They either don't care or are the bad actor themselves.
>
> So the customers that hold an SSA or End-User Agreement (PI holders for IP space and AS numbers) look to be the 'target' of the policy, however that leaves out the legacy resource holders.. And with the current transfer policies in place, yes, it is possible to obtain a legacy AS number and a legacy IPv4 prefix... for yourself.. and those can't be 'retrieved' with this policy.. And even with the policy, it isn't the RIPE NCC that COULD de-register them, as they are not allocated by the RIPE NCC in the first place... So legacy holders (resources with a legacy status) are, for obvious reasons, excluded from penalties and out of reach. Also according to the policy that specifies services to legacy holders, as this policy doesn't state that it wants to include and impact legacy holders.

--------> Isn't it a bad thing that legacy resources, when transferred, don't lose that status (and this only happens, unless I'm mistaken, in RIPE)? Should we consider changing that?

> The biggest issue that I see in this policy is that the RIPE NCC (either themselves or the Exec Board) is desired / aimed to pull the trigger on a membership or contractual relationship. This is a huge no-no imho. These kinds of actions or decisions should be kept out of the RIPE NCC office, and the actual case and decision should be made by a court and court order.
> If the RIPE NCC would like to stay neutral, it can't be the executor or be held liable for any decisions like this, handed to them (even by an external 'expert') on these matters. If someone likes to make the case that someone is in violation, there should be a neutral judge that should review the case, and the accuser can go to the RIPE NCC with the result.. And the RIPE NCC will just execute based on the outcome. Handing those kinds of decisions to the RIPE NCC or the Exec Board is a sliding scale.. and open to scope creep. I would be very careful with what we are wishing for..

--------> I think you're wrong on this. As said, law protects the membership organizations against bad members. Nothing new here.

> I can understand the sentiment or intent of the policy, but I'm against any form of policy where the RIPE NCC or the Exec Board will be involved in the actual decision like this, as it will impact their neutral status and the fact they are opening themselves to liability claims. Again, I'm not a lawyer, but I have huge concerns about this.

--------> I guess the impact analysis will tell us. Not sure if the NCC can check the "legal validity" of this proposal and somehow "advance" it at least informally before the impact analysis, so we can take that into consideration in a new version?

> Kind regards,
> Erik Bais
>
> - Sorry for the long read.. -
>
> On 19/03/2019, 13:41, "anti-abuse-wg on behalf of Marco Schmidt" <anti-abuse-wg-bounces@ripe.net on behalf of mschmidt@ripe.net> wrote:
In message <B9295EF6-D574-4D52-BD44-C0A9312FC3D6@a2b-internet.com>, Erik Bais <ebais@a2b-internet.com> wrote:

> So even if they would get the Bulgarian spammers/hijackers in front of a Dutch judge.. the chance was that... they would walk, because there was no harm done.. No law was broken, no system invaded and nothing stopped working...

This sounds like an argument IN FAVOR of the proposal that you have said you are opposing!

Ordinary civil and criminal courts are still operating on rules from the last century, or more often, from the century before that. Neither they nor the applicable laws even know what the hell a "route" is! This general lack of technical savvy has been a problem, and is likely to remain a problem for a long long time. Legislators and legislation in -every- country just cannot keep up with the pace of technological change in the 21st century.

Why then should it not be the case that we ourselves clean up our own messes, and our own dogpiles, especially as -we-, i.e. the Internet community, and the RIPE community, are vastly more qualified to do that job than some luddite politicians? If we wait for -them- to introduce some rules and some sanity, then we may all be waiting for that still in the 22nd century. And even if they do impose some rules on our community before then, those rules are quite likely to create more harm than good.

I'm a big believer in self-reliance, and I don't think that the technical community which created the possibility of such problems should either expect, or wait for, or defer to some -other- set of folks to solve the problems that we ourselves, the technologists, have created.

> So in this case, the Italian Police (ROS) used (forced??) an Italian ISP to hijack some IP space to regain control of their lost RAT C&C server.. (endpoint for RAT infected machines.) This wasn't an accident.. but was it criminal for the ISP to assist their local police? And what would have been the impact if they didn't...?

I am sooooooo glad that Erik Bais brought up the case of Hacking Team, because this case totally undermines Erik's argument in opposition to the proposal.

Hacking Team is itself a malevolent and well known Bad Actor, and I do encourage everyone on this list to familiarize themselves with the history and known facts regarding this sinister company:

https://en.wikipedia.org/wiki/Hacking_Team

To say that Hacking Team is a set of dirty tricksters would be an understatement. What kinds of folks do we know who routinely use 0-days?

Yet Erik Bais is arguing that RIPE policy decisions should be driven by a desire to accommodate the needs of exactly such Bad Actors. That is ridiculous on the face of it! These people are neither respectable nor are they our friends, and just because they might have some secret and sinister customers in and among the ministers or ministries of some (or many) unethical and criminal governments, that does not make them any less repugnant, or their actions any more deserving of our respect, let alone our active accommodation.

While he is suggesting that RIPE policy should be driven by the needs or desires of one of the most widely reviled companies on the Internet, Erik Bais goes on to -speculate-... without offering a single shred of supporting evidence... that that company, in combination with Italian law enforcement, somehow held a gun to the head of the Italian ISP "Aruba" and "forced" them to engage in a deliberate BGP hijack.

It is my claim that this unsubstantiated claim on the part of Erik Bais is entirely without merit, or evidence, and that it should thus carry no weight whatsoever in the deliberations on the proposal before us. But I encourage all members to consider also the alternative view on this, because a rational analysis of THAT possibility must lead us all to an even more forceful support of the present proposal.

What if Erik Bais is actually correct and the Italian Police, working in conjunction with Hacking Team, actually -forced- the Italian ISP Aruba to engineer a deliberate hijack? Is this kind of unilateral action on the part of just one agency of just one national government really the kind of thing that the RIPE community desires, by its inaction, to effectively encourage and endorse, worldwide, and by arbitrary agencies of any and all governments, at all times and for any arbitrary reason that suits that agency and that government??

I believe that the answer should be a clear "no", and that the RIPE community should use the present proposal to make a clear statement and send a clear message that the global routing table is *not* a playground in which arbitrary agencies of arbitrary governments may play games, as and when they like. As the royalty of England might put it, "We are not amused" by these private games, nor even by any such games that might be played with the endorsement of some specific part of some specific (and transient) government or another.

I will go even further and say that it is a bit remarkable that it should fall to me, an American, to make this rather obvious point. I mean, hasn't it been you folks in Europe that have been working -ahead of- us, your American cousins, in enacting legislation to try to rid yourselves of the pernicious effects of electronic spying on the part of a foreign government, namely my own? Do you now wish, by inaction on the present proposal, to actually -endorse- the notion that governments may play as they please with the global routing table?? If so, then it will be a self-evident inconsistency on the part of Europe and Europeans, and one of historic proportions.

Note that even Erik Bais himself has neither condoned nor endorsed that which he seems to say should be a factor in the present deliberations, saying, with respect to the misuse of the Italian ISP Aruba to carry out a deliberate hijack: "These are your/our tax dollars at work... They either don't care or are the bad actor themselves."

That is Erik Bais' personal opinion. And it happens to be one that I share, along with quite a lot of other people. Hijackers are Bad. The present proposal merely seeks to convert our shared private sentiments on hijacking into a community-endorsed sentiment. And this conversion is long overdue.

Erik Bais' final and "biggest" objection is as follows:

> The biggest issue that I see in this policy is that the RIPE NCC (either themselves or the Exec Board) is desired / aimed to pull the trigger on a membership or contractual relationship.

I state the obvious question: Who ELSE is empowered, under law, to "pull the trigger" on one of RIPE's contractual relationships? Obvious answer: Nobody. The member can himself/herself/itself terminate the contract, but the only other party that may do so, under law, and in accordance with the contract itself, is RIPE.

Erik Bais seems to be suggesting that there are, or should be, -no- situations in which RIPE should be the one to terminate a member contract. I doubt that this is what he means, but this is what he seems to be saying.

And he goes on to assert that RIPE should at all times remain "neutral". That's an admirable sentiment, but like it or not, RIPE does and must judge cases where its contract terms have been violated, and must (and does) then act accordingly. Impartiality and neutrality are, and rightly should be, hallmarks of RIPE's every action, but it is a bit difficult to take a position of complete neutrality when and if a given member's dues are not paid, or with respect to the question of whether or not Poland was invaded in 1939. Facts are facts, and there has never been a case of IP block hijacking that I have seen where the facts were not abundantly clear, once all of those facts were laid out on the table. These things are never even close calls.

In short, I think that Erik's reasonable concerns about the neutrality of RIPE are misplaced in this instance, and that the proposal should be endorsed, if for no other reason, then at least so that we will have, going forward, an entity which has both impartiality and neutrality in its very veins and DNA, i.e. RIPE, making the necessary impartial and well-reasoned judgements about the correspondence between routes and the allocations it has issued, or the lack thereof, in contrast to the current state of affairs which leaves these determinations entirely in the -biased- hands of often untrustworthy individuals and governments.

A vote in favor of the proposal is in fact a vote in favor of *true* neutrality and impartiality and *against* the unilateral decisions and actions of individual actors which themselves have personalized motives that are often both unseen and also often more than a little suspect.

Regards,
rfg
On Fri, Mar 22, 2019 at 02:43:14PM -0700, Ronald F. Guilmette wrote:

> Yet Erik Bais is arguing that RIPE policy decisions should be driven by a desire to accommodate the needs of exactly such Bad Actors. That is

For the second time in this discussion alone, you have resorted to misrepresentation of someone's statement. It is clear even to me, for whom English is not the first language, that Erik is in no way arguing Hacking Team's case but the case of the hoster who was, willingly or not, roped into this by HT and Italian military police. You don't have this excuse, in fact you have NO excuse.

I will not comment on the personal attack following from this misrepresentation as I believe Erik is more than capable of defending himself.

[rest of the election manifesto redacted]

SL
In message <20190322230602.GJ99066@cilantro.c4inet.net>, "Sascha Luck [ml]" <aawg@c4inet.net> wrote:

> On Fri, Mar 22, 2019 at 02:43:14PM -0700, Ronald F. Guilmette wrote:
>> Yet Erik Bais is arguing that RIPE policy decisions should be driven by a desire to accommodate the needs of exactly such Bad Actors. That is
> ...
> ... Erik is in no way arguing Hacking Team's case...

You could have fooled me! If he didn't want to use that case to try to make a point -against- the proposal, then why did he even bring up this old case in that kind of a context?

In any case, as the -full- posting that you snipped from made clear, it doesn't really make any difference, one way or the other, to the point that -I- tried to make. I will try this again...

EVEN IF we accept, even just for the sake of argument, the highly dubious and totally unsubstantiated allegation that the proprietors of the Italian ISP Aruba were forced, threatened, cajoled, browbeaten, bribed, or tortured into doing the bidding of the Italian Police, and specifically to perform a BGP hijack, then what lesson or message should we all take from that?

The question is this: Does the RIPE community want to continue to effectively endorse... as it is now doing, by default, by failing to condemn... the "rights" of the Italian Police, the British Police, the German Police, the French Police, the Polish Police, the Serbian Police, the Macedonian Ministry of Public Affairs, and maybe even the entire Estonian Royal Navy Marching Band to perform BGP hijacks whenever it suits the perceived purposes of each and every one of these organizations or any of their constituent parts or departments?

If so, then I'd just like to point out that this is a VERY slippery slope, and one that is quite likely to come back to haunt this organization in the years ahead. Is there a government anywhere in all of Europe that would NOT like to exercise more control over what its own people and/or those of other nations hear, see, read, or think about? Did the people of Spain have any say whatsoever in the election of the Italian Police? Given that they did not, does this community really want to continue endorsing the notion that various parts and pieces of individual national, regional, or local governments have some sort of a sovereign "right" to engineer BGP hijacks, as the Italian Police are alleged to have done, at their own unilateral whim? Or should this body instead take arms against this brewing sea of troubles and by opposing end them?

It cannot be both ways. Either RIPE turns a deliberately blind eye to hijacks or else it formally denounces them as being against policy.

I, for one, would be -glad- if indeed it was or could be proven that the Italian Police were responsible for the hijacking incident in question, because that fact, once proven, would hopefully make everyone here wake up and smell the coffee.

It is fine for all of us here to sit around in our comfortable armchairs and debate the finer points of the philosophical pros and cons of the separation of church and state, or the separation of RIPE from "enforcement", but while we are all sitting around having our high-minded philosophical debates, out there in the real world, things are happening, and not always good things. If an Italian Police Lieutenant can order the hijacking of a block of IP addresses today, and if there are -zero- repercussions from that, then what is there to prevent a Belarusian Minister of Information from doing the same thing tomorrow, but with significantly more sinister intent?

Is this REALLY the future that the RIPE community wants? A future where every junior-league despot sitting in some cramped and dimly-lit ministerial office in any country in Europe can order a hijack, and then no matter what the reasons or context, everyone will just shrug and say "Oh, well, that's OK then", because it was done "under color of law" in that specific country?

I am honestly flummoxed that I even need to point out how insane this is. And yet this is the exact indefensible status quo favored by the conservatives who insist that RIPE must remain NOT the master in its own house.

Regards,
rfg
In my country, and I'm sure in many others, if the police (either individual members or as an authority) or anyone, even if he is a judge, from the government, is doing illegal actions, spying, including taking control of persons' or organizations' computers/networks, etc., they will be judged and jailed. Because the Internet is not different than spying on people with hidden mics or cameras in their homes, or opening their letters, etc.

Of course, unless there is a court order. However, I really can't believe that in most of our countries a judge will allow a court order for a massive hijack affecting many people and organizations, unless there is an emergency risk for the population, and this is done in those cases by declaring a "national emergency situation".

Regards,
Jordi

On 23/3/19 6:17, "anti-abuse-wg on behalf of Ronald F. Guilmette" <anti-abuse-wg-bounces@ripe.net on behalf of rfg@tristatelogic.com> wrote:
In message <14BEE352-AC12-43A4-86D2-6F1426253C8D@consulintel.es>, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:

> Of course, unless there is a court order. However, I really can't believe that in most of our countries a judge will allow a court order for a massive hijack affecting many people and organizations, unless there is an emergency risk for the population, and this is done in those cases by declaring a "national emergency situation".

I think you have missed my point rather entirely, and also you may perhaps be unaware of history. Governments and courts in specific countries and jurisdictions may not always do things that the majority of us would think of as being "appropriate".

https://www.cnet.com/news/how-pakistan-knocked-youtube-offline-and-how-to-ma...

"Kim Davies, ICANN's manager of route zone services, says ICANN isn't able to revoke the AS number of a misbehaving network provider."

So I ask again: Does the RIPE community REALLY want to give carte blanche to every little tin-pot small-time government official in *every* country of Europe to do perfectly stupid and harmful things, such as the thing that is documented in the news story above? Because that's what you are all doing right now. By failing to say, clearly, that hijacking is against policy, you are effectively endorsing and supporting and allowing it.

Regards,
rfg
Hi Sascha, All,

Just a small point, with 3 questions:

Was the Italian ISP violating Italian law?
Was the Italian ISP violating Dutch law?
Was the Italian ISP violating RIPE policy?

The last one is really the easiest... and the answer is no, because there is/was no RIPE policy stating hijacking is a violation of policy.

Cheers,
Carlos

On Fri, 22 Mar 2019, Sascha Luck [ml] wrote:
On 22/03/2019, 22:43, "anti-abuse-wg on behalf of Ronald F. Guilmette" <anti-abuse-wg-bounces@ripe.net on behalf of rfg@tristatelogic.com> wrote:
In message <B9295EF6-D574-4D52-BD44-C0A9312FC3D6@a2b-internet.com>, Erik Bais <ebais@a2b-internet.com> wrote:
So even if they would get the Bulgarian spammer/hijackers in front of a Dutch judge .. the change was that ... they would walk, because there was no harm done .. No law was broken, no system invaded and nothing stopped working . . .
This sound like an argument IN FAVOR of the proposal that you have said you are opoposing! Ordinary civil and criminal counrts are still operating on rules from the last century, or more often, from the century before that.
I find it interesting how you try to twist the wording. In the case of the Bulgarian spammers hijacking the IP space of the Dutch Ministry of Foreign Affairs, where the IP space was hijacked but not actually used (for sending spam or other stuff), it wasn't deemed illegal. Frowned upon and undesirable.. but not illegal. Similar to how, if you 'loaned' a chair from your neighbour without consent and put it back without damage, it isn't regarded as stealing. If one country has proved that it has capable laws for IT-related issues, I think the Netherlands has a very good reputation. Kudos here to the Dutch High Tech Crime Team Unit's work in the past years.
So in this case, the Italian Police (ROS) used (forced??) an Italian ISP to hijack some IP space to regain control of their lost RAT C&C server.. (endpoint for RAT-infected machines.) This wasn't an accident .. but was it criminal for the ISP to assist their local police? And what would have been the impact if they didn't . . ?
I am sooooooo glad that Erik Bais brought up the case of Hacking Team, because this case totally undermines Erik's argument in opposition to the proposal.
Again you are wrong on the interpretation .. The reason why I brought it up is that it may not be clear why something happened.
Yet Erik Bais is arguing that RIPE policy decisions should be driven by a desire to accommodate the needs of exactly such Bad Actors.
Again you are so wrong here .. and I'm beginning to feel I'm feeding someone here .. I was the author of the RIPE policy to include RPKI for non-members (to include PI holders' and Legacy holders' resources in the RPKI system). I'm not stating with that that RPKI is perfect, but it is one of the best ways to protect yourself against BGP hijacking. If everyone would sign their own prefixes, it will reduce the impact of hijacks. There is a lot of momentum at this moment for RPKI and more and more networks are already dropping invalids. I'm not going into the allegation that you made on my person.
Erik Bais' final and "biggest" objection is as follows:
The biggest issue that I see in this policy is that the RIPE NCC (either themselves or the Exec Board) is desired / aimed to pull the trigger on a membership or contractual relationship.
I state the obvious question: Who ELSE is empowered, under law, to "pull the trigger" on one of RIPE's contractual relationships? Obvious answer: Nobody. The member can himself/herself/itself terminate the contract, but the only other party that may do so, under law, and in accordance with the contract itself, is RIPE.
Let me first educate you on the difference between RIPE and the RIPE NCC. RIPE is the community. Everyone can be a community member, it is for free, and RIPE doesn't give or take resources. RIPE defines the policies.

The RIPE NCC is the member organisation (Association) and a legal entity. The member organisation has elected certain people to act as the Executive Board, among others to act as the organising group to have oversight over the finances and the execution of the legal entity (the RIPE NCC). Changes in the Articles of Association (that, among other things, govern how a membership can be terminated) are to be proposed in the General Meeting (GM), that only members (LIRs) can vote on. The members of the Executive Board are volunteers with a private responsibility on how the association is run and is done correctly. And each year we need to discharge the Exec. Board for their responsibilities (by member vote) during the AGM. That is why every year there is the following resolution to vote on during a GM: - "The General Meeting discharges the Executive Board with regard to its actions as they appear from the Annual Report <year>"

So if we want the Executive Board to do something like this, this needs to go to the GM. Second, I would STRONGLY object to proceeding on that, because it will bring the Executive Board AND the RIPE NCC in a position, as the sole RIR in the region, to become liable for damages.

If the intent of the authors is that there should be a reference that the community doesn't like hijacking (and I'm fully sympathetic to that idea..) and want to describe how a member should proceed to get the hijacker kicked off the internet and get their resources revoked.. Great!! But leave the Executive Board AND the RIPE NCC (and staff) out of the judging seat ... If they act after a signed court order and merely act as the operational/administrative institute, it leaves them protected as they are not the ruling and judging entity.
Please keep in mind the differences between RIPE and the RIPE NCC and the procedures that are already in place and use them correctly in your postings.. Even the postings where you are trying to twist the truth or bending it in your own favour. I would also like it if you would refrain from making ANY comments about WWII and apologize to the people on the list. It has NOTHING to do with the topic at hand. And if you can't, somehow I'll ask the moderators of the list to kindly ask you again or block you from posting again. Regards, Erik Bais
In message <C262A3C0-C4ED-4BDC-A287-433EEAAD4642@a2b-internet.com>, Erik Bais <ebais@a2b-internet.com> wrote:
So if we want the Executive board to do something like this, this needs to go to the GM.
I have no reason to doubt that. It is still, I believe, within the prerogative of this WG to pass a non-binding resolution -recommending- that the GM take up the matter, and that it accept the proposal. Would you agree? I ask the Chair for clarification.
I would also like it if you would refrain from making ANY comments about WWII and apologize to the people on the list.
My apologies. I confess that I utterly neglected to consider the possibility that some in Europe might be extremely sensitive about a reference to a well-documented historical event which, I hoped, everyone might at least be familiar with, even if it only occurred in a time before even most of your parents were born. I will attempt to remedy that mistake by making my point while using a rather different European historical reference... Facts are facts, and a hijack is a hijack. That cannot be denied, any more than can the fact that there was a revolution in France in 1789. My hope is that this may be a more palatable restatement of my original point, but I am certainly willing and able to give it another try, as may be either appropriate or necessary, and to remove my historical references back even a few more centuries in order to ensure that I do not unduly oppress the sensitivities of anyone here who may be a distant descendant of a French royalist. (My only concern is that some here might not be adequately acquainted with the Battle of Thermopylae and/or other and even more distant references which I might summon to the task at hand.) Regards, rfg
-----Original Message----- From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> On Behalf Of Ronald F. Guilmette Sent: Saturday 23 March 2019 23:47
In message <C262A3C0-C4ED-4BDC-A287-433EEAAD4642@a2b-internet.com>, Erik Bais <ebais@a2b-internet.com> wrote:
So if we want the Executive board to do something like this, this needs to go to the GM.
I have no reason to doubt that.
It is still, I believe, within the prerogative of this WG to pass a non-binding resolution -recommending- that the GM take up the matter, and that it accept the proposal. Would you agree?
I ask the Chair for clarification.
The WG can do all sorts of things. 😊 Should this proposal reach consensus, and remember that part of that process includes an impact assessment report from the NCC, there will have to be extensive discussions on how it might be approached and implemented. Non-binding resolutions are tricky things at the best of times.
I would also like it if you would refrain from making ANY comments about WWII and apologize to the people on the list.
My apologies. I confess that I utterly neglected to consider the possibility that some in Europe might be extremely sensitive about a reference to a well-documented historical event which, I hoped, everyone might at least be familiar with, even if it only occurred in a time before even most of your parents were born.
It is generally best to avoid references to any such acts of reprehensible evil when making comparisons, whether they are within living memory or not. This list is not a good place to get into who did what, to whom, when. I can summon many examples of things that one group might feel is a fine thing to say, while another may, completely justifiably, be greatly upset by a reference. If comparisons or proofs are needed, to say that a fact is a fact, then maybe science might be a safer port. Thanks all, Brian Co-Chair, RIPE AAWG
Colleagues,
-----Original Message----- From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> On Behalf Of Ronald F. Guilmette Sent: Friday 22 March 2019 21:43
A vote in favor of the proposal is in fact a vote in favor of *true* neutrality and impartiality and *against* the unilateral decisions and actions of individual actors which themselves have personalized motives that are often both unseen and also often more than a little suspect.
To clarify, the discussion on this proposal is a discussion, not a vote. When judging consensus the Co-Chairs will look at the points made during the discussion, not count the +1s. Of course it is useful to get a feeling for general agreement, so simple statements of support or dissent are very useful, but they are not the core of the thing. Thanks, Brian Co-Chair, RIPE AAWG
Hello community, I strongly oppose this proposal. The proposal gives a power for misuse to the RIR and does not protect members against setup. I believe this policy has nothing to do in RIPE. It's better to issue it as a BCP document or an informational RFC. -- Sergey
On Fri, 29 Mar 2019, Sergey Myasoedov via anti-abuse-wg wrote:
Hello community,
Hi Sergey, All,
I strongly oppose this proposal. The proposal gives a power for misuse to the RIR
I fail to understand how. The main concept of 2019-03 is that it isn't the RIR's role to evaluate if an intentional hijack was performed -- that should be the role of external, independent experts. Btw, a similar policy proposal was published yesterday in LACNIC.
and does not protect members against setup.
We aim to refine the proposal, so can you please specify exactly where the members might become "unprotected"? The proposal was built with checks & balances in mind. If they are not enough, let's work towards solving that, so no one will feel "unprotected".
I believe this policy has nothing to do in RIPE.
Quoting: =========
-----Original Message----- From: Sascha Luck [ml] <aawg@c4inet.net> Sent: Monday 25 March 2019 12:24
I therefore argue that it is maybe time to have a discussion on what exactly RIPE and the NCC should be and what, if any, limits on their administrative power there should be. I hope, though, that everyone can at least agree that *this* is *not* the forum for that discussion.
To confirm, the Anti-Abuse WG is absolutely not the right forum for that discussion. Thanks, Brian Co-Chair, RIPE AA-WG ========= I understood this as "the Anti-Abuse WG is not the right forum to discuss the RIPE NCC's charter, the PDP or if any given proposal is admissible or not".
It's better to issue it as a BCP document or an informational RFC.
I agree a BCP document can also be useful, so we'll start that as soon as possible. However, having a clear statement within RIPE policies sends a much stronger message to anyone thinking about engaging in such practices. Again, I want to point out the detail that anyone performing intentional hijacks _today_ (or last month or the previous year) is *not* within the proposal's scope -- if it happens to get accepted. There are absolutely no rules *today* against (IP address space/ASN) hijacks, and this is precisely the gap 2019-03 aims to fix. Best Regards, Carlos Friaças
If you want to have an idea of "what" we have captured during the discussion in this mailing list, we have also submitted the "improved" version to ARIN (and are working on the same for APNIC and AfriNIC). You can read that (in English) here: https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/ Actually, a question for the chairs and Marco. Do you think it makes sense to continue the discussion with the current version before improving it, or already sending a new one? There is a lot of improvement already, the discussion has been extremely useful for the authors. However, we are missing some NCC inputs, for example, regarding legal questions that we raised several times, so if sending a new version means we can't get those inputs, then it is not good ... Note: As I said already before, I think. We aren't - the co-authors - coordinating our responses, so we may have different opinions in all that we say, and I think this is good because it helps with the responses of the community to build out our own positions and clear our "internal" differences (which we have, don't have any doubt about it!) and reach consensus "among ourselves". Regards, Jordi
In message <1F2FDFE3-4929-4D3F-8334-8D7755E94D19@consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> writes
If you want to have an idea of "what" we have captured during the discussion in this mailing list, we have also submitted the "improved" version to ARIN (and working on the same for APNIC and AfriNIC).
You can read that (in English) here: https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/
I am disappointed that little has been done to address the technical misconceptions / pious hopes in the RIPE proposal.

<quote> There are already enough sources of historic and almost real-time routing data which function as a worldwide observatory. From these sources it is possible to accurately evaluate who is performing BGP Hijacks and harming (or trying to harm) third party networks by doing so. </quote>

It is not necessarily the case that BGP hijacks will be visible in the globally collected datasets. What then? Also, where the resources of defunct companies are hijacked then it is not the routing table which will be key evidence but rather the paperwork on file at the RIR or elsewhere. There is no discussion of this aspect of the issue at all (despite it being a major component of hijack events over the past five years).

<quote> The external experts are mere evaluators, who can use available sets of routing data to determine whether BGP hijacking events have taken place, and whether were intentional. </quote>

It is NOT possible (for experts or almost anyone else) to accurately evaluate who is performing BGP hijacks -- for every announcement there will be at least two networks (AS numbers) who might have done it and the experts will be using their skill and judgment to guess which of them is culpable. Although in many cases it is "obvious" who did it, there is always at least one other AS on the path who is able to "frame" the suspect and so the experts are mainly deciding how plausible it is that someone is being framed.

<quote> The direct upstreams of the suspected hijacker, which facilitate the hijack through their networks, may receive a warning the first time. Nevertheless, in successive occasions they could be considered by the experts, if intentional cases are reproduced, as an involved party. </quote>

This is pretty opaque ... but if it is meant to be read as "global transit providers are responsible for the behaviour of their customers" then this is what Sir Humphrey would call a "courageous" approach.

<quote> The expert's investigation, will be able to value relationships between LIRs/end users, of the same business groups. </quote>

How?

<quote> Accidental cases or those that can't be clearly classified as intentional, will receive a warning, which may be considered if repeated. </quote>

This is incoherent -- and there does not seem to be any clarity about what a "warning" means from a consequences point of view.

<quote> As soon as the policy implementation is completed, a transition period of 6 months will be established, so that organizations that announce unassigned address space or autonomous systems numbers, due to operational errors or other non-malicious reasons, receive only a warning. </quote>

This section of the text is presumably meant to address the "bogons" issue -- the long-standing disputes between various networks and the RIRs as to whether or not they are entitled to announce various prefixes or use particular AS numbers. It seems optimistic to assume these issues will be addressed in six months. Or perhaps you are expecting ARIN (and all the other RIRs) to void contracts with the US Department of Defence, with Level 3, with CenturyLink, with Hewlett Packard, with Verizon, with Comcast, with AT&T and with Rogers??

<nonquote> crickets </nonquote>

There is no discussion of the mis-use of AS numbers. Arguably this would be merely a clarification, but it would I think be a useful one to assist the experts in their proposed work.
Actually, question for the chairs and Marco. Do you think it makes sense to continue the discussion with the current version before improving it, or already sending a new one?
Sending RIPE the ARIN version which hardly addresses key technical points which have been made to you does not seem especially valuable. Also, of recent days there has been some (ill-informed) discussion about RPKI and the use of ROAs to settle disputes about hijacking. There is no mention of this in the ARIN document so it is not possible to identify whatever technical implausibility will be put forward. (Hint: RPKI is great for reducing the incidence of "fat fingering", it merely provides a slight (if that) impediment to an intentional hijacker.)
There is a lot of improvement already, the discussion has been extremely useful for the authors. However, we are missing some NCC inputs, for example, regarding legal questions that we raised several times, so if sending a new version means we can't get those inputs, then it is not good ...
This relates to the part of the document where, having established that an intentional hijack (or some vaguely defined never-ending series of fat fingers) has occurred, there are consequences for the organisation found at fault. It's pretty clear to me that the majority of the objections made to the proposed policy address this issue (maybe because it is thought you might eventually address the detailed technical objections). I don't think (but this is not really my expertise) that a legal opinion (on what exactly?) is going to address most of the objections being made, which relate to whether it is appropriate for a technical transgression to result in resources being withdrawn. The lack of clarity over the bogons issue doubtless makes everyone think "that might be me". To assist the authors -- your view that "experts" can decide what is or is not a hijack is aspirational. It is also not how technical experts are used in the real world -- they generally assist adjudicators to make fair decisions, they do not make those decisions themselves. It would be far better to have the NCC Board decide whether hijacking has occurred but suggest that they should call upon experts as needed. To assist the chairs -- if the ARIN document was brought to RIPE I would not be in favour of it being adopted by RIPE. I say this as someone with extensive experience of tracking down and dealing with BGP hijacks by criminal groups.. my technical points come from experience. -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
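The two technical points in the post above (that RPKI origin validation is only a slight impediment to a deliberate hijacker, and that for any observed announcement at least two ASes could have produced it) can be made concrete. The Python below is an added example, not code from the thread, from RIPE or from any RIR; the collector names, ASNs, prefixes, ROA and the upstream allow-list are all constructed, and the RFC 6811 check it implements is the standard origin-only comparison.

```python
"""Assess constructed route-collector observations against constructed ROAs.

Origin validation (RFC 6811) checks only the origin AS and prefix length, and
the AS adjacent to the origin in any observed path could equally have produced
the announcement, so collector data narrows the candidates without proving who acted.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorization: prefix, maxLength, authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Observation:
    """One route as seen by a collector; as_path runs from collector peer to origin."""
    collector: str
    prefix: str
    as_path: tuple


def rov_state(prefix, origin, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'.
    Only the origin AS and prefix length are compared with covering ROAs."""
    net = ip_network(prefix)
    covering = [r for r in roas
                if ip_network(r.prefix).version == net.version
                and net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "notfound"
    if any(r.asn == origin and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def collapse_prepends(as_path):
    """Drop consecutive repeats of an ASN so adjacency in the path is meaningful."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def assess(observations, roas, known_upstreams):
    """Group observations by (prefix, neighbour-of-origin, origin) and report the
    ROV state, which collectors saw the route, the ASes that could have produced
    it (origin plus its neighbour, who could have written the origin ASN into the
    path), and whether that neighbour is one the origin is known to announce
    through. known_upstreams stands in for the out-of-band knowledge (contracts,
    paperwork) that routing data does not contain."""
    report = {}
    for obs in observations:
        path = collapse_prepends(obs.as_path)
        edge = path[-2:]                  # (neighbour, origin), or (origin,)
        origin = path[-1]
        entry = report.setdefault((obs.prefix, edge), {
            "rov": rov_state(obs.prefix, origin, roas),
            "seen_by": set(),
            "candidates": set(edge),
            "unexpected_adjacency": (
                len(edge) == 2 and origin in known_upstreams
                and edge[0] not in known_upstreams[origin]),
        })
        entry["seen_by"].add(obs.collector)
    return report


# Constructed data: documentation ASNs (64496-64511) and TEST-NET prefixes.
ROAS = [Roa("192.0.2.0/24", 24, 64500)]     # AS64500 holds 192.0.2.0/24
KNOWN_UPSTREAMS = {64500: {64497}}          # AS64500 only announces via AS64497

OBSERVATIONS = [
    # Legitimate announcement, seen at two collectors.
    Observation("rrc00", "192.0.2.0/24", (64496, 64497, 64500)),
    Observation("rrc01", "192.0.2.0/24", (64498, 64497, 64500)),
    # More-specific from another origin (prepended): ROV invalid, since the
    # origin differs and /25 exceeds maxLength 24.
    Observation("rrc00", "192.0.2.128/25", (64496, 64511, 64511)),
    # Same prefix, path ends in the rightful origin but arrives through an AS
    # that is not one of its upstreams: ROV says 'valid', one vantage point,
    # and AS64511 and AS64500 are both candidates. ROV alone cannot decide.
    Observation("rrc01", "192.0.2.0/24", (64498, 64511, 64500)),
    # Prefix with no covering ROA: ROV can say nothing at all.
    Observation("rrc00", "198.51.100.0/24", (64496, 64499)),
]

if __name__ == "__main__":
    for (prefix, edge), info in assess(OBSERVATIONS, ROAS, KNOWN_UPSTREAMS).items():
        print(f"{prefix:17} via {edge}: rov={info['rov']:8} "
              f"seen_by={sorted(info['seen_by'])} "
              f"candidates={sorted(info['candidates'])} "
              f"unexpected_adjacency={info['unexpected_adjacency']}")
```

The "unexpected_adjacency" flag is what the routing table cannot supply on its own: it only fires because the allow-list encodes knowledge of who the legitimate holder actually buys transit from.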
In message <qjgJ+XCzz1ncFA0a@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:
It is NOT possible (for experts or almost anyone else) to accurately evaluate who is performing BGP hijacks...
I did not intend to participate any further in this discussion, above and beyond what I already have done, but I feel compelled to at least point out the intellectual dishonesty of the above assertion. In the summer of last year, 2018, I took steps to point out, in a very public way, on the NANOG mailing list, two notable hijacking situations that came to my attention *and* also to identify, by name, the actors that were quite apparently behind each of those. In neither of those instances was there ever even any serious attempt, by either of the relevant parties, to refute -any- of my very public allegations. One of those was BitCanal, which was widely recognized as having participated in hijackings for literally years on end. Subsequent to my public allegations, various other parties took it upon themselves to actually reduce the connectivity of this rogue company, with the ultimate effect being that the company had trouble finding any connectivity anywhere. These are historical facts and easily verifiable by anyone taking the time to look into the full historical record. The other situation involved a company called D2 International Investment Ukraine, Ltd. and its apparent alter ego, Universal IP Solution Corp. Both companies were later revealed to have been performing hijacks in the service of a complex criminal enterprise which had as its goal a great deal of so-called "ad fraud". This entire complex scheme purportedly netted the perpetrators in excess of $29 million (USD) and resulted in numerous international criminal indictments: https://arstechnica.com/information-technology/2018/12/how-3ves-bgp-hijacker... Neither of these two situations was in any sense ambiguous, and it is the very height of intellectual dishonesty to suggest otherwise. I understand that various people do not approve of the current proposal as written. That is their right.
I would ask however that the opposition not marshal provably bogus arguments to support what I feel, equally strongly, is a totally wrong-headed view of the present proposal. Regards, rfg
Hi, on Sat, Mar 30, 2019 at 12:07:16PM -0700, Ronald F. Guilmette wrote:
In message <qjgJ+XCzz1ncFA0a@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:
It is NOT possible (for experts or almost anyone else) to accurately evaluate who is performing BGP hijacks...
I did not intend to participate any further in this discussion, above and beyond what I already have done, but I feel compelled to at least point out the intellectual dishonesty of the above assertion.
The fact that you found two examples of very clean and unambiguous nature does not falsify Richard's general statement. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On Sat, Mar 30, 2019, 8:07 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
It is NOT possible (for experts or almost anyone else) to accurately evaluate who is performing BGP hijacks...
[..] intellectual dishonesty of the above assertion.
[..]
Neither of these two situations were in any sense ambiguous, and it is the very height of intellectual dishonesty to suggest otherwise.
Survivorship bias, y'know. -- Töma
In message <74227.1553972836@segfault.tristatelogic.com>, Ronald F. Guilmette <rfg@tristatelogic.com> writes
In message <qjgJ+XCzz1ncFA0a@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:
It is NOT possible (for experts or almost anyone else) to accurately evaluate who is performing BGP hijacks...
I did not intend to participate any further in this discussion, above and beyond what I already have done, but I feel compelled to at least point out the intellectual dishonesty of the above assertion.
It is, I agree, badly phrased. I apologise. I meant that the experts cannot ever be absolutely certain that their evaluation is correct -- though of course they can be correct in their nuanced assessment.
In the summer of last year, 2018, I took steps to point out, in a very public way, on the NANOG mailing list, two notable hijacking situations that came to my attention *and* also to identify, by name, the actors that were quite apparently behind each of those. In neither of those instances was there ever even any serious attempt, by either of the relevant parties, to refute -any- of my very public allegations.
If they had refuted the allegations then it would have become rather complicated and it would have come down to one entity's word against another and perhaps the examination of documentary evidence of what arrangements had been authorised (and then perhaps forensic assessment of the authenticity of those documents). Some BGP hijacking cases have been prosecuted on the basis of the forging of documents rather than on the hijack per se. I agree that it can be pretty clear what has gone on and the accused then helpfully acts in such a way as to make it clear to everyone that they were "guilty" (or individual peers assess the situation from their own standpoint and decide that they do not have an obligation to carry the traffic). However, it is not necessarily clear at all and writing a policy which assumes that it will always be clear is in my view unwise. Assuming that experts will always be able to determine who is at fault (along with deciding whether an event they know little of is accidental or deliberate) is to live in a world that I do not recognise. If the policy stopped at the statement that unauthorised BGP hijacking was unacceptable behaviour then I would be happy with it. Adding all the procedural stuff about how BGP hijacking will be (easily of course) detected and exotic details about experts and report forms and time periods is (a) irrelevant to establishing the principle and (b) cluttered with false assumptions and unhelpful caveats and (c) way too formalised to survive dealing with some real examples. -- richard
On Sun, 31 Mar 2019, Richard Clayton wrote: (...)
I meant that the experts cannot ever be absolutely certain that their evaluation is correct -- though of course they can be correct in their nuanced assessment.
I've been thinking about Cynthia Revstrom's argument, and now I'm wondering whether unanimity between all experts in every case is a needed "feature".
In the summer of last year, 2018, I took steps to point out, in a very public way, on the NANOG mailing list, two notable hijacking situations that came to my attention *and* also to identify, by name, the actors that were quite apparently behind each of those. In neither of those instances was there ever even any serious attempt, by either of the relevant parties, to refute -any- of my very public allegations.
If they had refuted the allegations then it would have become rather complicated and it would have come down to one entities word against another and perhaps the examination of documentary evidence of what arrangements had been authorised (and then perhaps forensic assessment of the authenticity of those documents).
AFAIK, some allegations were made in response to Mr. Krebs's questions; however, as far as I've seen, the ASNs sourcing hijacks and the direct transit ASN kind of vanished some days later.
Some BGP hijacking cases have been prosecuted on the basis of the forging of documents rather than on the hijack per se.
Really? In courts? I'll be very interested to know in which jurisdictions. I don't have any doubt that if someone hijacks a prefix or sub-prefix from a mobile operator, consequences in justice should be unavoidable... But regarding Internet prefixes (or ASNs) I'm really unaware of any case.
I agree that it can be pretty clear what has gone on and the accused then helpfully acts in such a way as to make it clear to everyone that they were "guilty" (or individual peers assess the situation from their own standpoint and decide that they do not have an obligation to carry the traffic).
If peers share their routing view publicly (i.e. peering with RIS) then anyone should be able to assess :-)
However, it is not necessarily clear at all and writing a policy which assumes that it will always be clear is in my view unwise.
I don't think this is the case with 2019-03. Cases/reports where there is insufficient evidence or where there is any kind of doubt should be dismissed. 2019-03 aims to create a nonexistent rule, one that could lead to consequences, but it isn't trying to define that those consequences are mandatory to be implemented in a 1st instance, 2nd instance, 3rd instance and so on. That should be left to the already existing concept of "repeated policy violations".
Assuming that experts will always be able to determine who is at fault (along with deciding whether an event they know little of is accidental or deliberate) is to live in a world that I do not recognise.
If they are not able, then a case should be dismissed. Simple as that.
If the policy stopped at the statement that unauthorised BGP hijacking was unacceptable behaviour then I would be happy with it. Adding all the procedural stuff about how BGP hijacking will be (easily of course)
We can rephrase/review it in version 2.0.
detected and exotic details about experts and report forms and time periods is (a) irrelevant to establishing the principle and (b) cluttered with false assumptions and unhelpful caveats and (c) way too formalised to survive dealing with some real examples.
Some people seem to want the exact opposite, a process to be detailed in its every aspect. Thanks. Best Regards, Carlos
In message <alpine.LRH.2.21.1903312003441.29965@gauntlet.corp.fccn.pt>, Carlos Friaças <cfriacas@fccn.pt> wrote:
2019-03 aims to create an inexistent rule, that could lead to consequences...
Speaking of which, I wonder if anyone here might happen to know the penalty, under Dutch law, for knowingly receiving stolen property, or cash? I only ask because I did notice, just yesterday, the fact that AS205869, aka Universal IP Solution Corp. is apparently still, to this day, a member in good standing (and dues-paying member) of RIPE. And this is true even MONTHS after the company was publicly identified as having been one of two entities behind a large scale "ad fraud" scheme, publicly documented by Google and their partners, WhiteOps, and which netted the criminals behind it an alleged $29 million of ill-gotten gains: https://arstechnica.com/information-technology/2018/12/how-3ves-bgp-hijacker... This entire sophisticated ad fraud scheme resulted in multiple U.S. federal grand jury indictments: https://www.justice.gov/usao-edny/press-release/file/1114576/download Unfortunately, many of those criminally charged are still at large, and thus, they are able to continue doing business with, and paying dues to RIPE. To say that any such funds now being paid to RIPE are "tainted" would be a rather gross understatement. This is the elephant in the room that none of the opponents of 2019-03 wants to talk about, i.e. the rather inconvenient fact that RIPE, due to its intransigent lethargy, is quite apparently doing business, even as we speak, with known and well-identified cyber-criminals. So, when it comes time for RIPE to answer, in a Dutch court, for this continued and ongoing support of known criminals, what will be RIPE's response? I can see it all now... "Oh! Gee! Sorry your honor!
We are an association, under Dutch law, and our by-laws require us not to adopt any policies that do not obtain 100% consensus of ALL of our members, and thus, because our members are a rambunctious lot, and because at least some of them don't really mind that much being associated with criminals, we have been unable to adopt any new governing rules for our association that would actually prohibit us from receiving stolen money. Can we go now?" Yea. *That* defense is sure to work... NOT! Perhaps some of the people here who have speculated aloud about the (dim) possibility that RIPE might someday accrue some civil liability for having kicked out members who are hijackers could perhaps spare a moment or two in their busy schedules to give at least some thought to the vastly greater potential liability, both civil and criminal, that might accrue to RIPE if it continues, as it is now doing, to support and sell services to known cyber-criminals. Note that when and if a day of legal judgement finally arrives for *these* failures, RIPE will also not be able to avail itself of either of the two other traditional defenses that have been trotted out, in the past, to try to excuse the inexcusable. I am speaking of course of the "we didn't know" defense and the "we were just following orders" defense. RIPE clearly *does* know about the nature and purpose of Universal IP Solution Corp., and if it doesn't know, then it can only be because RIPE is -willfully- electing to remain ignorant. Separately, RIPE can certainly attempt to claim that it was "just following the orders" of its membership, but that defense is likely to fall on deaf ears also... as it has in the past. So where are all of the members who earlier, and right here on this mailing list, worried aloud about legal liability? Why are they apparently NOT worrying about the legal liability that may arise from seeing evil and doing nothing whatsoever to impede it, or to even stop doing business with it?
Apparently, the potential for legal liability is only an issue when concern about the potential for that is used as an argument to support those conservatives who wish to do nothing at all. When viewed objectively and even-handedly however, arguments in favor of doing nothing which are based on the "legal liability" bogeyman can be easily seen to be rather entirely disingenuous, because it is self-evident that the *real* and far more serious potential for legal liability lies with continuing to have RIPE support and sell services to cyber-criminals, as it is now, quite apparently, doing. Regards, rfg
Hi, On Sun, Mar 31, 2019 at 01:54:42PM -0700, Ronald F. Guilmette wrote:
To say that any such funds now being paid to RIPE are "tainted" would be a rather gross understatement.
This is the elephant in the room that none of the opponents of 2019-03 wants to talk about, i.e. the rather inconvenient fact that RIPE, due to its intransigent lethargy, is quite apparently doing business, even as we speak, with known and well-identified cyber-criminals.
So, your local supermarket is also not allowed to sell anything to a convicted criminal? Sorry, this is getting ridiculous. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Gert Doering wrote on 01/04/2019 13:54:
Sorry, this is getting ridiculous.
It's worse than that: the proposal is that the RIPE NCC weaponises its registry data and turns it into a mechanism for punishing people when they do things that other people don't like. BGP hijacking is just the start, but there is an endless list of things which are considered offensive or illegal in some or all jurisdictions in the RIPE NCC service area, e.g. spam, porn, offending political leaders, gambling, drugs, other religions, political dissent, blasphemy and so on. The RIPE NCC service area comprises around 72 countries and has over 1 billion inhabitants, and if you have a service area that large, everybody is going to be offended by something. So, rather than talking about how much we want to do something about BGP hijacking, maybe we should discuss what grounds we'd have for refusing to deregister resources for things that other people in the RIPE NCC service region feel constitutes abuse, and where the line would be drawn? Let's start with political dissent and gay rights. Nick
Hi, On Mon, Apr 01, 2019 at 04:01:53PM +0200, Nick Hilliard wrote:
Let's start with political dissent
Now, I disagree on this. Disagreeing with the voice of reason in the anti-abuse WG should certainly be reason for public flogging, and possibly instant LIR closure. Gert Doering -- have you enabled IPv6 on something today...?
Hi Nick, All, On Mon, 1 Apr 2019, Nick Hilliard wrote:
Gert Doering wrote on 01/04/2019 13:54:
Sorry, this is getting ridiculous.
It's worse than that: the proposal is that the RIPE NCC weaponises its registry data and turns it into a mechanism for punishing people when they do things that other people don't like.
"...when they do things other people don't like, making the whole registry system become ridiculous and causing actual harm to one or more third parties." But let's also focus on two words: "punishing" -- no, that's not the goal, the goal is to close a clear gap and make people understand that hijacking is not tolerated. As I understand it, if this leads to a LIR closure, the same party can still buy services from another LIR, or they can open a new one (not sure if there is any period that stops an organisation from achieving LIR status after a closure). "weaponises" -- how? The NCC is not the one deciding if there was any intentional hijacking. Does the IXP you work for have any rules against hijacking? If customer A complains to the IXP that customer B is announcing a hijack to them, will the IXP just sit and do nothing? Or do you think the IXP is being "weaponized"?
BGP hijacking is just the start, but there is an endless list of things which are considered offensive or illegal in some or all jurisdictions in the RIPE NCC service area, e.g. spam, porn, offending political leaders, gambling, drugs, other religions, political dissent, blasphemy and so on.
Here we fully agree! But BGP hijacking is a common denominator in terms of harmful practices, something which is purely technical, where a simple rule is missing. Regarding jurisdiction, is there any corner in the service region where impersonating someone or fraud (just to name a few) is not part of the legal system?
The RIPE NCC service area comprises around 72 countries and has over 1 billion inhabitants, and if you have a service area that large, everybody is going to be offended by something.
I hope everyone, in each of those 72 economies (and beyond) will feel offended when someone is deliberately announcing routes to cause harm to third parties.
So, rather than talking about how much we want to do something about BGP hijacking, maybe we should discuss what grounds we'd have for refusing to deregister resources for things that other people in the RIPE NCC service region feel constitutes abuse, and where the line would be drawn? Let's start with political dissent and gay rights.
None. But 2019-03 is exclusively about BGP hijacking. Regards, Carlos
Carlos Friaças wrote on 01/04/2019 16:51:
But let's also focus on two words:
"punishing" -- no, that's not the goal, the goal is to close a clear gap and make people understand that hijacking is not tolerated.
The explicit aim of this proposal is that if the expert panel judges that you have hijacked prefixes, you will be punished by the RIPE NCC. https://en.oxforddictionaries.com/definition/punish "Inflict a penalty or sanction on (someone) as retribution for an offence, especially a transgression of a legal or moral code."
"weaponises" -- how?
"weaponises" == turns the registry into something to beat people with, i.e. punishment by withdrawal of resources.
So, rather than talking about how much we want to do something about BGP hijacking, maybe we should discuss what grounds we'd have for refusing to deregister resources for things that other people in the RIPE NCC service region feel constitutes abuse, and where the line would be drawn? Let's start with political dissent and gay rights.
None. But 2019-03 is exclusively about BGP hijacking.
Ok, so you accept that this is the thin end of the wedge and that if the RIPE community were to accept this proposal, we would have no grounds - none - to argue against other people who propose withdrawal of resources for things that they find offensive. Thank you for clarifying this. Nick
Hi, On Mon, 1 Apr 2019, Nick Hilliard wrote:
Carlos Friaças wrote on 01/04/2019 16:51:
But let's also focus on two words:
"punishing" -- no, that's not the goal, the goal is to close a clear gap and make people understand that hijacking is not tolerated.
The explicit aim of this proposal is that if the expert panel judges that you have hijacked prefixes, you will be punished by the RIPE NCC.
...in a *persistent* way. The same way it happens with lack of payment, or delivering false/forged information to the NCC.
https://en.oxforddictionaries.com/definition/punish
"Inflict a penalty or sanction on (someone) as retribution for an offence, especially a transgression of a legal or moral code."
"weaponises" -- how?
"weaponises" == turns the registry into something to beat people with, i.e. punishment by withdrawal of resources.
It shouldn't be their decision, it should be the experts' decision. << Here you might have forgotten to comment about "weaponized IXPs" :-) >>
So, rather than talking about how much we want to do something about BGP hijacking, maybe we should discuss what grounds we'd have for refusing to deregister resources for things that other people in the RIPE NCC service region feel constitutes abuse, and where the line would be drawn? Let's start with political dissent and gay rights.
None. But 2019-03 is exclusively about BGP hijacking.
Ok, so you accept that this is the thin end of the wedge and that if the RIPE community were to accept this proposal, we would have no grounds - none - to argue against other people who propose withdrawal of resources for things that they find offensive.
No. Anyone proposing anything would have to go through the PDP. For me "jurisdiction" (and lack of agreement throughout the region) would be enough, as arguments. It's possibly my fault, but (in this long thread) I still fail to read from someone that hijacking is not offensive, and thus it should be tolerated by the community. I understand you are trying to take this into a grey area by comparison with other examples/abuse. Regards, Carlos
On Mon, Apr 01, 2019 at 05:06:37PM +0100, Carlos Friaças via anti-abuse-wg wrote:
The same way it happens with lack of payment,
explicitly part of the contract (SSA).
or delivering false/forged information to the NCC.
explicitly part of the contract. You are trying to change the contract. You can't do that here.
with, i.e. punishment by withdrawal of resources.
It shouldn't be their decision, it should be the experts' decision.
It gets better. By *what* authority does your expert get to decide that a LIR should be punished? Deo gratias? It can't be a contractual obligation, I have no damn contract with some expert...
It's possibly my fault, but (in this long thread) i still fail to read from someone that hijacking is not offensive, and thus it should be tolerated by the community. I understand you are trying to take this into a grey area by comparison with other examples/abuse.
It is quite possible to find "hijacking" offensive and yet to oppose a dangerous and totalitarian policy. rgds, SL
Hi, On Mon, 1 Apr 2019, Sascha Luck [ml] wrote:
On Mon, Apr 01, 2019 at 05:06:37PM +0100, Carlos Friaças via anti-abuse-wg wrote:
The same way it happens with lack of payment,
explicitly part of the contract (SSA).
or delivering false/forged information to the NCC.
explicitly part of the contract.
You are trying to change the contract. You can't do that here.
"The Member acknowledges applicability of, and adheres to, the RIPE Policies and RIPE NCC procedural documents" -- you know... those that could change with time...?
with, i.e. punishment by withdrawal of resources.
It shouldn't be their decision, it should be the experts' decision.
It gets better. By *what* authority does your expert get to decide that a LIR should be punished? Deo gratias? It can't be a contractual obligation, I have no damn contract with some expert...
"RIPE Policies" -- you are trying to discuss if a given policy is admissible even during the initial discussion phase...
It's possibly my fault, but (in this long thread) i still fail to read from someone that hijacking is not offensive, and thus it should be tolerated by the community. I understand you are trying to take this into a grey area by comparison with other examples/abuse.
It is quite possible to find "hijacking" offensive and yet to oppose a dangerous and totalitarian policy.
Dangerous to whom exactly? Totalitarian? It's not one person who would be ruling directly over any consequence. Perhaps with version 2.0 (if you care to read it) you will be able to calculate the minimum number of people involved before a LIR closure actually becomes possible. Regards, Carlos
Carlos Friaças wrote on 01/04/2019 18:06:
<< Here you might have forgot to comment about "weaponized IXPs" :-) >>
Hi Carlos, No, this was deliberate. I didn't comment because a lot of people are throwing analogies into this discussion which aren't directly relevant to 2019-03. If you want to discuss IXP abuse and why it's not directly relevant to this proposal, let's do that offline. Nick
In message <b5c5ab11-5ad4-3489-dd76-ec10d5a16f88@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
BGP hijacking is just the start, but there is an endless list of things which are considered offensive or illegal in some or all jurisdictions in the RIPE NCC service area, e.g. spam, porn, offending political leaders, gambling, drugs, other religions, political dissent, blasphemy and so on.
As I have already pointed out, this "slippery slope" argument is a smokescreen, and only being used to justify the inexcusable status quo. The proposal on the table doesn't deal with any matters which are in any way even remotely tied to mere offenses against any local or localized sensibilities. It doesn't even remotely have anything at all to do with either (a) any actions or offenses in "meatspace" nor (b) any actions or offenses having anything at all to do with -content- in any sense. The present proposal only has to do with the outright THEFT of IP addresses, i.e. the very commodity which RIPE is supposed to be the responsible shepherd of. Given all of the supposed experience and intelligence of the people on this list, I seriously have no idea why it should be necessary for me to explain the abundantly clear distinction between content and the wires and IP infrastructure that carries that content. Is this a really difficult concept to understand? It would seem so, at least when the "slippery slope" argument is clearly being made in order to falsely try to scare people with the bogeyman of "censorship". That is clearly not what the proposal is about, and anyone who claims otherwise needs to go back to school until he, she or it fully grasps the difference between content and the IP addresses that provide the technical means to distribute it. As those of us who have actually spent years opposing Internet abuse like to say, our concern is not about abuse "on the Internet" but rather it has to do with abuse "of the Internet". Since this distinction has obviously traveled slowly to the far side of the pond, I am forced to provide some (hopefully educational) illustrations. If someone sends you a highly offensive email, or makes a highly offensive Farcebook post, saying that your paternal grandmother is actually a closet Visigoth, then that constitutes abuse -on- the Internet.
If, on the other hand, some hacker infects your machines, and thousands like it, and then uses his entire collection of infected machines to DDoS you, presumably because you just beat him in a game of League of Legends, then that is abuse -of- the Internet, because in this case, it is the infrastructure itself that is being misused and abused... and -that- kind of abuse affects all of us. I seriously would have hoped that it would not have been necessary for me to provide people on this mailing list, in particular, with examples to illustrate the clear conceptual differences between abuse "on" the Internet and abuse "of" the Internet, but apparently I hoped in vain, and this rather critical and key distinction is still being either thoroughly misunderstood or else thoroughly ignored when it comes to these bogus "slippery slope" arguments. Let me say it more clearly. Nobody wants to take away your porn. That's not what this is about, as any fair-minded reader of the proposal can easily see. The idea is simple: Those who steal IP addresses shall not be allowed to keep those and shall not in fact be allowed to keep any IP addresses. Nobody is proposing reclaiming IP space from anyone who has the audacity to say, on the Internet, that Stalin may have been, um, suboptimal. Nobody is even proposing that the worst Internet child porn purveyor ever detected by law enforcement should have his IPs taken away. Because this is not about content and never will be. What this *is* actually all about is just this: You steal IPs and then you lose your IPs. I honestly don't understand why otherwise intelligent people should have such a hard time grasping this rather simple concept. This is really not rocket science. Regards, rfg P.S. My sincere apologies, in advance, to any and all parties who may be offended by my reference to Visigoths. I meant no offense, either to them or to any of their descendants who may be present here.
I'm quite sure that some among the Visigoth were very fine people, even though I never had the privilege of meeting any of them personally.
All, In message <92716.1554145980@segfault.tristatelogic.com>, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
So, your local supermarket is also not allowed to sell anything to
a convicted criminal?
That analogy is a poor one. It would however be accurate to say that my local GUN STORE is not allowed to sell firearms to a convicted criminal.
I would argue this analogy itself is poor. The gun store is directly supporting the convicted criminal in potentially committing further acts. The criminal in this instance has (presumably, at least in the jurisdiction you are referencing) been convicted through a given legal process. There is substantial risk of abuse and little barrier to entry to purchasing firearms. You do not need a firearm to survive in most regions today. In summary: high risk of danger (given their conviction), low potential benefit to allowing it, and low risk of causing harm to the individual or entity you have denied. In the case of IP addresses and ASNs, the "convicted individual" has been, under the current policy draft, convicted in the mind of one - perhaps two upon appeal - experts (a term which has yet to be defined in policy). Such an opinion, no matter how professional, is a very low bar to be taking as objective. Having access to content online (which inherently requires either your ISP or you to hold resources from the NCC or another RIR) is significantly more necessary. In summary: medium (perhaps low, depending on the expert selection) risk of danger, substantial potential benefit to allowing it, and high risk of causing harm to the individual or entity you have denied.
Should RIPE be selling them more? Apparently, as of right now, there is no rule in place to prevent this. And as I have already noted, the company known as Universal IP Solution Corp. is still a member in good standing of the RIPE association. ...
If you are arguing that that is in any sense justifiable, either
morally, ethically, or even legally, please say so explicitly.
Should the NCC be allocating them more addresses? It is justified (morally, ethically, and perhaps even legally) to continue treating all entities as equals by allocating resources for their use unless they have been determined to be a distinct threat by a trustworthy system, such as a board of peers (as in the case of a criminal conviction). Keeping to my earlier discussion of the gun store analogy, I do not believe that the opinion of a single expert (with the possibility of appeal) is enough to determine their state. A multi-step process is needed in which an individual has many opportunities to prove their innocence. While I understand the goal of the policy in being expedient, I do not believe this process should be compromised in the name of expediency. A single appeal is not appropriate. The IP addresses they have are not directly aiding in hijacking. While their ASN may be, they could just as simply hijack another ASN. If IP space was to be revoked, they could simply hijack more as well.
In my country, there is now at least one lawsuit, progressing through the courts, against gun manufacturers for their supportive role in some of our recent mass shootings. I hope that it does not take a similar legal action against RIPE before RIPE adopts some rational policies to prevent itself from being the handmaiden of online cyber-criminal enterprises and from then being reasonably and properly held to legal account for this exact supportive role in ongoing cyber-crime schemes.
It is pointless to speculate about the outcome of such a legal proceeding before it has been decided. In message <92972.1554148548@segfault.tristatelogic.com>, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
BGP hijacking is just the start, but there is an endless list of things which are considered offensive or illegal in some or all jurisdictions in the RIPE NCC service area, e.g. spam, porn, offending political leaders, gambling, drugs, other religions, political dissent, blasphemy and so on.
As I have already pointed out, this "slippery slope" argument is a smokescreen, and only being used to justify the inexcusible status quo.
The proposal on the table doesn't deal with any matters which are in any way even remotely tied to mere offenses against any local or localize sensibilities. It doesn't even remotely have anything at all to do with either (a) any actions or offenses in "meatspace" nor (b) any actions or offenses having anything at all to do with -content- in any sense. The present proposal only has to do with the outright THEFT of IP addresses, i.e. the very commodity which RIPE is supposed to the responsible shepard of.
Within your jurisdiction, I can think of several cases which show this to not be the case (ALS Scan, Inc. v. Cloudflare, Inc., et al. being one of them).
It would seem so, at least when the "slippery slope" argument is clearly being made in order to falsely try to scare people with the bogeyman of "censorship". That is clearly not what the proposal is about, and anyone who claims otherwise needs to go back to school until he, she or it fully grasps the difference between content and the IP addresses that provide the technical means to distribute it.
Blocking content distribution methods is effectively blocking the content itself. If your newspaper was unable to print and distribute their news because their electricity had been shut off (for anything outside of nonpayment), it would still be considered censorship.
What this *is* actually all about is just this: You steal IPs and then you lose your IPs.
I've still yet to be convinced that this would substantially cut down on hijacking; additionally, I've yet to be convinced that such a policy would not sweep up innocents due to its allowance of reports by the general public and incredibly low bar for labeling someone a hijacker. Jacob Slater On Mon, Apr 1, 2019 at 3:56 PM Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
In message <b5c5ab11-5ad4-3489-dd76-ec10d5a16f88@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
BGP hijacking is just the start, but there is an endless list of things which are considered offensive or illegal in some or all jurisdictions in the RIPE NCC service area, e.g. spam, porn, offending political leaders, gambling, drugs, other religions, political dissent, blasphemy and so on.
As I have already pointed out, this "slippery slope" argument is a smokescreen, and only being used to justify the inexcusible status quo.
The proposal on the table doesn't deal with any matters which are in any way even remotely tied to mere offenses against any local or localize sensibilities. It doesn't even remotely have anything at all to do with either (a) any actions or offenses in "meatspace" nor (b) any actions or offenses having anything at all to do with -content- in any sense. The present proposal only has to do with the outright THEFT of IP addresses, i.e. the very commodity which RIPE is supposed to the responsible shepard of.
Given all of the supposed experience and intelligence of the people on this list, I seriously have no idea why it should be necessary for me to explain the abundantly clear distinction between content and the wires and IP infrastructure that carries that content. Is this a really difficult concept to understand?
It would seem so, at least when the "slippery slope" arguments is clearly being made in order to falsely try to scare people with the bogeyman of "censorship". That is clearly not what the proposal is about, and anyone who claims otherwise needs to go back to school until he, she or it fully grasps the difference between content and the IP addresses that provide the technical means to distribute it.
As those of us who have actually spent years opposing Internet abuse like to say, our concern is not about abuse "on the Internet" but rather it has to do with abuse "of the Internet". Since this distinction has obviously traveled slowly to the far side of the pond, I am forced to provide some (hopefully educational) illustrations.
If someone sends you a highly offensive email, or makes a highly offensive Farcebook post, saying that your paternal grandmother is actually a closet Visigoth, then that constitutes abuse -on- the Internet.
If, on the other hand, some hacker infects your machines, and thousands like it, and then uses his entire collection of infected machines to DDoS you, presumably because you just beat him in a game of League of Legends, then that is abuse -of- the Internet, because in this case, it is the infrastructure itself that is being misused and abused... and -that- kind of abuse affects all of us.
I seriously would have hoped that it would not have been necessary for me to provide people on this mailing list, in particular, with examples to illustrate the clear conceptual differences between abuse "on" the Internet and abuse "of" the Internet, but apparently I hoped in vain, and this rather critical and key distinction is still being either thoroughly misunderstood or else thoroughly ignored when it comes to these bogus "slippery slope" arguments.
Let me say it more clearly. Nobody wants to take away your porn. That's not what this is about, as any fair-minded reader of the proposal can easily see. The idea is simple: Those who steal IP addresses shall not be allowed to keep those and shall not in fact be allowed to keep any IP addresses. Nobody is proposing reclaiming IP space from anyone who has the audacity to say, on the Internet, that Stalin may have been, um, suboptimal. Nobody is even proposing that the worst Internet child porn purveyor ever detected by law enforcement should have his IPs taken away. Because this is not about content and never will be.
What this *is* actually all about is just this: You steal IPs and then you lose your IPs. I honestly don't understand why otherwise intelligent people should have such a hard time grasping this rather simple concept. This is really not rocket science.
Regards, rfg
P.S. My sincere apologies, in advance, to any and all parties who may be offended by my reference to Visigoths. I meant no offense, either to them or to any of their descendants who may be present here. I'm quite sure that some among the Visigoths were very fine people, even though I never had the privilege of meeting any of them personally.
In message <CAFV686cUaBmPiQ1e6oWD2oVwNA4X6otVbFxsHd0BjosMDLeT+Q@mail.gmail.com>, Jacob Slater <jacob@rezero.org> wrote:
In the case of IP addresses and ASNs, the "convicted individual" has been, under the current policy draft, convicted in the mind of one - perhaps two upon appeal - experts (a term which has yet to be defined in policy). Such an opinion, no matter how professional, is a very low bar to be taking as objective.
I agree, but to avoid throwing the baby out with the bathwater, I would suggest to you that it would be best if you could suggest to the proposal's author and sponsor some different language with respect to the procedure for judging such matters... some different process that would address your reasonable concerns about process... rather than just saying that the whole proposal is unacceptable. In short, it appears that your objection here is about implementation details, and that you do not object to the over-arching concept, assuming of course that the process of adjudicating such matters may be made substantially more reliable and fool-proof.
Should the NCC be allocating them more addresses? It is justified (morally, ethically, and perhaps even legally) to continue treating all entities as equals by allocating resources for their use unless they have been determined to be a distinct threat by a trustworthy system, such as a board of peers (as in the case of a criminal conviction).
So you do agree that there is a -possibility- that a threat exists and that it might, in theory, and under some appropriate circumstances, be diminished or eliminated by the termination of the RIPE contract with certain well proven and accurately identified "rogue" members, yes?
Keeping to my earlier discussion of the gun store analogy, I do not believe that the opinion of a single expert (with the possibility of appeal) is enough
I agree.
The proposal on the table doesn't deal with any matters which are in any way even remotely tied to mere offenses against any local or localized sensibilities. It doesn't even remotely have anything at all to do with either (a) any actions or offenses in "meatspace" nor (b) any actions or offenses having anything at all to do with -content- in any sense. The present proposal only has to do with the outright THEFT of IP addresses, i.e. the very commodity which RIPE is supposed to be the responsible shepherd of.
Within your jurisdiction, I can think of several cases which show this to not be the case (ALS Scan, Inc. v. Cloudflare, Inc., et al. being one of them).
That case has nothing at all to do with the theft OF IP ADDRESSES, and thus, it is rather entirely irrelevant to this discussion. But I am glad that you brought it up anyway, because one of the points made by the *defendant* in that case, Cloudflare, actually underscores a point that I have tried to make here, i.e. that the act of disciplining any one RIPE member, or even several of them, as is contemplated by 2019-03, is quite clearly *not* equivalent to some kind of totalitarian banning, from the entire Internet, of any particular piece of content. But I will let Cloudflare's own legal argument make the point for me:
https://torrentfreak.com/cloudflares-cache-can-substantially-assist-copyrigh...
"One of Cloudflare's arguments was that it did not substantially assist copyright infringements because the sites would remain online even if they were terminated from the service. It can't end the infringements entirely on its own, the company argued."
So, as you see, even Cloudflare itself made the point that simply eliminating any one (bad) provider does virtually nothing at all to remove from the entire Internet any given piece of -content-. And this certainly matches up with my own experience.
Blocking content distribution methods is effectively blocking the content
I disagree, and apparently, so does Cloudflare. And they should know.
I've still yet to be convinced that this would substantially cut down on hijacking;
Maybe it wouldn't. The question isn't whether it would or not. The question is whether or not this proposal is a demonstrably bad way to -try- to begin to address the problem, at least in part. I remind you that right now there is essentially -zero- disincentive to the act of deliberate hijacking. Maybe it is time to try something different and see if it will help. If it doesn't, then it can be discarded, and then some other approach can be tried instead.
additionally, I've yet to be convinced that such a policy would not sweep up innocents due to its allowance of reports by the general public and incredibly low bar for labeling someone a hijacker.
Again, I am in agreement with you, but I do believe that this is a matter of fine-tuning the procedural aspects of the proposal, rather than simply opposing or abandoning it wholesale.
Regards, rfg
I agree, but to avoid throwing the baby out with the bathwater, I would suggest to you that it would be best if you could suggest to the proposal's author and sponsor some different language with respect to the procedure for judging such matters... some different process that would address your reasonable concerns about process... rather than just saying that the whole proposal is unacceptable.
In short, it appears that your objection here is about implementation details, and that you do not object to the over-arching concept, assuming of course that the process of adjudicating such matters may be made substantially more reliable and fool-proof.
Perhaps. I've spoken with at least one of the authors and am still not entirely convinced the wording can be done such that it reasonably addresses the issues I've presented. I'll reserve judgement until version 2.0 is released for discussion. see last line
So you do agree that there is a -possibility- that a threat exists and that it might, in theory, and under some appropriate circumstances, be diminished or eliminated by the termination of the RIPE contract with certain well proven and accurately identified "rogue" members, yes?
If a NCC member is actively and willfully, after having been notified and given ample opportunity to resolve the issue, engaged in widespread hijacking such that RIR/NIR members have complained about their ability to use their own resources, yes.
That case has nothing at all to do with the theft OF IP ADDRESSES, and thus, it is rather entirely irrelevant to this discussion.
The case does deal with the slippery slope argument in that it demonstrates at least one instance of modern law where removing content from an online service (at all) resulted in an opening for legal liability. While not an issue specific to policy discussion, I do believe it is worth consideration when determining potential breadth of the policy. Action should be well backed with evidence. see last line My apologies for not quoting the relevant section properly.
I disagree, and apparently, so does Cloudflare. And they should know.
Cloudflare's blog post on the subject has comments on the matter. One of their staff members is known for stating "Is this the day the Internet dies?", a reference to the fact that they acknowledge they (at the time) were about to take content offline for what were non-required reasons. https://blog.cloudflare.com/why-we-terminated-daily-stormer/ That isn't to say that I think this is an inherently bad option. I just think it needs to be balanced such that it is clearly justified when action is taken. see last line
The question is whether or not this proposal is a demonstrably bad way to -try- to begin to address the problem, at least in part. I remind you that right now there is essentially -zero- disincentive to the act of deliberate hijacking.
Getting depeered by transits, losing IX memberships, and having gear seized by authorities all seem like potential disincentives. Having a bunch of NCC-allocated IP space doesn't matter when you are unable to use it.
Again, I am in agreement with you, but I do believe that this is a matter of fine-tuning the procedural aspects of the proposal, rather than simply opposing or abandoning it wholesale.
Agreed so far as being open to revisions. see last line
Given the number of references I've made to rev 2.0, I'll likely hold additional comments until it is released, as they are quite possibly irrelevant.
Jacob Slater
In message <CAFV686dzExAoZs16zZb=767BdMy-MY=7HvmbNdO92qh0Q8ir6Q@mail.gmail.com>, Jacob Slater <jacob@rezero.org> wrote:
If a NCC member is actively and willfully, after having been notified and given ample opportunity to resolve the issue, engaged in widespread hijacking such that RIR/NIR members have complained about their ability to use their own resources, yes.
I don't see why that last part should even be a consideration. Who cares whether or not some RIR members have complained about "their inability to use their own resources"? Theft is theft.
{re: ALS Scan v. Cloudflare}
That case has nothing at all to do with the theft OF IP ADDRESSES, and thus, it is rather entirely irrelevant to this discussion.
The case does deal with the slippery slope argument in that it demonstrates at least one instance of modern law where removing content from an online service (at all) resulted in an opening for legal liability.
Wait. So are you suggesting that the discontinuance of Cloudflare caching for some pirate porn sites -created- a legal liability for those sites where none had existed before? If so, then you're going to have to explain that to me very very slowly.
... Action should be well backed with evidence.
We agree.
Cloudflare's blog post on the subject has comments on the matter. One of their staff members is known for stating "Is this the day the Internet dies?",
Yes, well, as far as Cloudflare is concerned, -anything- that stands in the way of them doing absolutely anything, and whatever the f**k they want, MUST necessarily be the End Of The World As We Know It. It would not be wise for anyone to take any of Cloudflare's ludicrous hyperbole seriously, especially while they are, on the one hand, -selling- DDoS protection, even as they are also -providing- DDoS protection to DDoS generation services... as they routinely do, and as they routinely claim it is their God-given right to do (e.g. www.0x-booter.pw).
... a reference to the fact that they acknowledge they (at the time) were about to take content offline for what were non-required reasons.
I, for one, would like to know just what in the hell Cloudflare considers to be "required reasons" for them ceasing their HTTP reverse proxy service to some particular FQDN. As far as I have been able to tell, over the years, Cloudflare has been very insistent that there are -no- reasons that would -ever- require them to cease providing services, even to terrorist and child porn sites... at least nothing short of an outright court order.
But this is all a digression from the issue here, which is just 2019-03, a proposal that only deals with the use and misuse of Internet number resources, PERIOD.
Getting depeered by transits, losing IX memberships, and having gear seized by authorities all seem like potential disincentives. Having a bunch of NCC-allocated IP space doesn't matter when you are unable to use it.
I refer you again to the inescapable fact that, even as we speak, the company called Universal IP Solution Corp. is still a RIPE member in good standing. It is lying low, for now, but could be back in business and undertaking new hijacks -tomorrow-, all with the air of perfect legitimacy which is conferred upon it by its ongoing formal RIPE membership.
Regards, rfg
I support 2019-03
Luís Morais
Gert Doering writes:
Hi,
On Sun, Mar 31, 2019 at 01:54:42PM -0700, Ronald F. Guilmette wrote:
To say that any such funds now being paid to RIPE are "tainted" would be a rather gross understatement.
This is the elephant in the room that none of the opponents of 2019-03 wants to talk about, i.e. the rather inconvenient fact that RIPE, due to its intransigent lethargy, is quite apparently doing business, even as we speak, with known and well-identified cyber-criminals.
So, your local supermarket is also not allowed to sell anything to a convicted criminal?
Sorry, this is getting ridiculous.
Gert Doering -- NetMaster
Actually, if someone came to your local supermarket attempting to pay with a stolen good, it would probably be illegal for the supermarket to knowingly perform such a transaction. As for the original question, the relevant entry of the Dutch Penal Code seems to be 417bis:
* a. a person who acquires, possesses or transfers a good, or establishes or transfers a personal right or right in rem in respect of a good, while at the time of the acquisition or possession of the good or the establishment of a good the law should reasonably have suspected that it concerned a property acquired through a crime;
* b. he who, for profit, holds or transfers a good or transfers a personal right to or right in respect of a good, while he must reasonably suspect that it concerns a good acquired through a crime.
(via Google Translator of https://nl.wikipedia.org/wiki/Heling)
Cheers -- INCIBE-CERT - CERT of the Spanish National Cybersecurity Institute https://www.incibe-cert.es/
Hi, On Mon, Apr 01, 2019 at 03:29:16PM +0000, Ángel González Berdasco wrote:
Actually, if someone came to your local supermarket attempting to pay with a stolen good, it would probably be illegal for the supermarket to knowingly perform such transaction.
But the RIPE NCC isn't paid in stolen IP addresses. The argument was "they are making money out of evil things, and if the RIPE NCC is taking these moneyz, they are making themselves liable for the original crime". Of course if someone tries to pay their LIR fees with a stolen /16, the RIPE NCC should better not accept this :-)
Gert Doering -- NetMaster
In message <20190401115412.GC97529@Space.Net>, Gert Doering <gert@space.net> wrote:
So, your local supermarket is also not allowed to sell anything to a convicted criminal?
That analogy is a poor one. It would however be accurate to say that my local GUN STORE is not allowed to sell firearms to a convicted criminal. And that's clearly a much better analogy, because in the case of this massive "ad fraud" scheme that was carried out by the group known as 3ve, they were using IP addresses as weapons in their scheme. Should RIPE be selling them more? Apparently, as of right now, there is no rule in place to prevent this.
And as I have already noted, the company known as Universal IP Solution Corp. is still a member in good standing of the RIPE association. If you are arguing that that is in any sense justifiable, either morally, ethically, or even legally, please say so explicitly.
Meanwhile, as I have tried to express, all of the armchair legal scholars on this mailing list who have postulated that RIPE would somehow be in legal jeopardy if it merely terminates a contract in accordance with the explicit terms of that contract should take a moment to google for the term "vicarious liability".
In my country, there is now at least one lawsuit, progressing through the courts, against gun manufacturers for their supportive role in some of our recent mass shootings. I hope that it does not take a similar legal action against RIPE before RIPE adopts some rational policies to prevent itself from being the handmaiden of online cyber-criminal enterprises and from then being reasonably and properly held to legal account for this exact supportive role in ongoing cyber-crime schemes.
Regards, rfg
In message <sIJ4kBCqwOocFAf1@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:
In message <74227.1553972836@segfault.tristatelogic.com>, Ronald F. Guilmette <rfg@tristatelogic.com> writes
In the summer of last year, 2018, I took steps to point out, in a very public way, on the NANOG mailing list, two notable hijacking situations that came to my attention *and* also to identify, by name, the actors that were quite apparently behind each of those. In neither of those instances was there ever even any serious attempt, by either of the relevant parties, to refute -any- of my very public allegations.
If they had refuted the allegations then it would have become rather complicated and it would have come down to one entity's word against another and perhaps the examination of documentary evidence of what arrangements had been authorised (and then perhaps forensic assessment of the authenticity of those documents).
I am not persuaded that such complexity would ever actually arise, in practice, although I do confess that my view may be colored by the facts of the specific cases I have personally looked at. (In one of the two cases I cited, an allegedly "Ukrainian" entity was quite obviously... and quite blatantly... hijacking a block of ARIN-issued IPv4 addresses that were officially registered to the United States Air Force, thus leaving no ambiguity whatsoever.)
Some BGP hijacking cases have been prosecuted on the basis of the forging of documents rather than on the hijack per se.
Perhaps you could share references to such incidents (?) I don't doubt your assertion here, but I, for one, am always interested to look at the details of additional cases.
I agree that it can be pretty clear what has gone on and the accused then helpfully acts in such a way as to make it clear to everyone that they were "guilty"...
Yes. It is certainly the case that, on some occasions, at least, the crooks have been most helpful in their own downfalls.
However, it is not necessarily clear at all and writing a policy which assumes that it will always be clear is in my view unwise.
Assuming that experts will always be able to determine who is at fault (along with deciding whether an event they know little of is accidental or deliberate) is to live in a world that I do not recognise.
I disagree completely. The world would be one that you most certainly *would* recognize. Your argument basically boils down to the following unsustainable assertion: We cannot assume that we will always, and in 100% of all cases, be able to accurately recognize "crime" when we see it. Therefore we should have -no- criminal laws. That is the undeniable fundamental logic of your position.
There *is* a world that you would not recognize, and it is one that would be guided by this very principle that you are espousing. What would the world be like if we all just shrugged and said "Oh, well, we cannot be absolutely sure that we will be 100% accurate when we prosecute shoplifters, or murderers, and therefore we will never even try to do so" ? *That* would be the world that you would not recognize.
But we already have a living, breathing example of that world, and the effects of such a guiding principle, when put into actual practice... and it is NOT a pretty picture. The world in question is called RIPE, where scofflaws roam free, and where, at worst, those same scofflaws are only subjected to some rather modest public embarrassment.
I would be the first to agree that something less than 100% of all shoplifting cases and also something less than 100% of all murder cases are so abundantly clear as to leave no doubts whatsoever. In my own country, several murder cases have been overturned, upon further review, sometimes even decades after an innocent man has been incarcerated. These cases are quite obviously problematic for anyone with any semblance of a conscience. But I have yet to hear even the most liberal of defense attorneys argue in favor of legalizing murder... or shoplifting for that matter... as an appropriate or well reasoned response to the vagaries and vicissitudes of our imperfect justice system... as you appear to be doing. (Because that *is* really the inescapable end-point of your position.)
If the policy stopped at the statement that unauthorised BGP hijacking was unacceptable behaviour then I would be happy with it.
I have no idea what country you live in, but would you likewise find it equally acceptable if your local national legislature also and likewise passed a resolution calling for murder to be entirely decriminalized, while adding that it is the sense of the legislature that murder shall nonetheless, and henceforth, be deemed "unacceptable behaviour" deserving of public derision and scorn, but no further penalties whatsoever? If so, I would suggest to you that anarchy and chaos would ensue. If a concrete example is needed, then I can and will simply point to what's been going on in the RIPE region, specifically with respect to the number resources that RIPE allegedly "manages".
Adding all the procedural stuff about how BGP hijacking will be (easily of course) detected and exotic details about experts and report forms and time periods is (a) irrelevant to establishing the principle and (b) cluttered with false assumptions and unhelpful caveats and (c) way too formalised to survive dealing with some real examples.
While I agree with the general thrust of your comments here, I would hasten to point out that every one of these same criticisms can be, and has been, leveled also at literally *every* criminal justice system in literally *every* civilized country on the face of the earth. And despite that, no one in any of these countries seems either ready or eager to discard centuries of codified law or procedure in favor of abject and unbridled lawlessness. To do so would be self-evident madness. Regards, rfg
In message <83185.1554061062@segfault.tristatelogic.com>, Ronald F. Guilmette <rfg@tristatelogic.com> writes
In message <sIJ4kBCqwOocFAf1@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:
However, it is not necessarily clear at all and writing a policy which assumes that it will always be clear is in my view unwise.
Assuming that experts will always be able to determine who is at fault (along with deciding whether an event they know little of is accidental or deliberate) is to live in a world that I do not recognise.
I disagree completely. The world would be one that you most certainly *would* recognize.
Your argument basically boils down to the following unsustainable assertion: We cannot assume that we will always, and in 100% of all cases, be able to accurately recognize "crime" when we see it. Therefore we should have -no- criminal laws.
I don't agree ... what I am saying is that it can be very hard for real experts to agree. These are people who consider all possible reasons for events to occur and then offer their opinion as to which reasons can be completely ruled out and which are unlikely to be the actual explanation in the particular case. As a result we seldom operate justice by using experts (whether they agree or not) as the ultimate arbiters of how cases are decided. Instead, experts are used by those who are charged with dispensing justice as a means of understanding what is likely to have gone on, and these people then weigh the various opinions of the experts (or indeed their unanimity) in coming to their decision.
If the policy stopped at the statement that unauthorised BGP hijacking was unacceptable behaviour then I would be happy with it.
I have no idea what country you live in
the United Kingdom (it's fairly easy to work that out BTW)
, but would you likewise find it equally acceptable if your local national legislature also and likewise passed a resolution calling for murder to be entirely decriminalized, while adding that it is the sense of the legislature that murder shall nonetheless, and henceforth, be deemed "unacceptable behaviour" deserving of public derision and scorn, but no further penalties whatsoever?
As it happens (it's tricky when appealing to completely irrelevant matters isn't it?) the UK does not have a statute that makes murder a crime -- so it might be quite complicated to decriminalise it ! People are instead charged under the common law -- the court then decides whether or not they are guilty (often having considered the evidence of experts whose duty is explicitly defined as being to assist the court, albeit they are paid by either the prosecution or the defence). However if the accused is found guilty then the sentence is specified by statute (which, because it gives no leeway to the court, leads to numerous unfair outcomes which I will not elaborate here). So a policy which said that unauthorised BGP hijacking was unacceptable behaviour and charged RIPE NCC with addressing the problem if it was caused by anyone who used RIPE resources would I think be helpful. Telling RIPE NCC exactly how to recognise and deal with BGP hijacking (and specifying exactly how experts and no one else will determine what has occurred) is I think unhelpful and attempts to move forward this way are likely to be counterproductive. -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
In message <XF$mHQJz$RocFAJG@highwayman.com>, Richard Clayton <richard@highwayman.com> wrote:
Instead, experts are used by those who are charged with dispensing justice as a means of understanding what is likely to have gone on, and these people then weigh the various opinions of the experts (or indeed their unanimity) in coming to their decision.
I agree completely that this is the way the process -should- indeed work (when "hijacking" charges are being adjudicated). And in fact, I have previously stated exactly that position in private email to the main sponsor/author of 2019-03.
So a policy which said that unauthorised BGP hijacking was unacceptable behaviour and charged RIPE NCC with addressing the problem if it was caused by anyone who used RIPE resources would I think be helpful.
Once again, we are in perfect agreement.
Telling RIPE NCC exactly how to recognise and deal with BGP hijacking (and specifying exactly how experts and no one else will determine what has occurred) is I think unhelpful and attempts to move forward this way are likely to be counterproductive.
I agree that subject-matter experts should not themselves be the adjudicators but rather that they should merely be resources that are available to the actual adjudicators. If, hypothetically, that change were made to 2019-03 would it then be something that you'd support? Or did you see other issues? Regards, rfg
Hi Richard, All, Thanks for your input. Please see inline. On Sat, 30 Mar 2019, Richard Clayton wrote:
<quote> There are already enough sources of historic and almost real-time routing data which function as a worldwide observatory. From these sources it is possible to accurately evaluate who is performing BGP Hijacks and harming (or trying to harm) third party networks by doing so. </quote>
It is not necessarily the case that BGP hijacks will be visible in the globally collected datasets. what then ?
Then if there is no available proof related to a specific hijack, it should be extremely hard for the case to obtain confirmation from experts (or even to reach the 2nd round of experts).
Also, where the resources of defunct companies are hijacked then it is not the routing table which will be key evidence but rather the paperwork on file at the RIR or elsewhere. There is no discussion of this aspect of the issue at all (despite it being a major component of hijack events over the past five years)
If that data is not public, then it could hardly be referenced within a report filed with the RIR...... if it is public (through a companies' register?), i think it could be referenced so the experts can check. I think looking at BGP neighbors might also provide some insight. But anyway, if there isn't enough evidence, a complaint/report should be dismissed. Do you have any suggestion to improve the process?
<quote> The external experts are mere evaluators, who can use available sets of routing data to determine whether BGP hijacking events have taken place, and whether were intentional. </quote>
It is NOT possible (for experts or almost anyone else) to accurately evaluate who is performing BGP hijacks -- for every announcement there will be at least two networks (AS numbers) who might have done it and the experts will be using their skill and judgment to guess which of them is culpable.
I think a report should only point to _one_ specific party. If it points to the legitimate holder, then it's logical to dismiss it. If this is not the case, then it should be looked into by experts.
Although in many cases it is "obvious" who did it, there is always at least one other AS on the path who is able to "frame" the suspect and so the experts are mainly deciding how plausible it is that someone is being framed
The keyword here should be *persistent*. If you see several hijacks from the same source....... If not, anyone who is accused should have the opportunity to defend itself. The process could (and will) be more detailed, but the checks & balances already described were designed in a way that only after the ratification phase is an accused party considered to have done an intentional hijack. It's not the accused party who has to prove that they didn't do it, it's the evidence that needs to be compelling enough so there are no doubts to (a significant amount of) experts that an intentional hijack had its origin on the accused party. But again, let me remind you... a process will primarily depend on a report.
<quote> The direct upstreams of the suspected hijacker, which facilitate the hijack through their networks, may receive a warning the first time. Nevertheless, in successive occasions they could be considered by the experts, if intentional cases are reproduced, as an involved party. </quote>
This is pretty opaque ... but if it is meant to be read as "global transit providers are responsible for the behaviour of their customers" then this is what Sir Humphrey would call a "courageous" approach.
No. Maybe a clarification is needed here, and possibly some rephrasing -- a transit provider should receive notices *after* an intentional hijack is determined and ratified. The spirit of the text above was to discourage people from "owning company A and B to Z, sourcing the hijacks at B and providing transit through A, then repeating, replacing B with C, D, E, and so on... and keeping the transit through A". We need to find the best wording possible, but "global transit providers" and "internet exchange providers" are not seen by the authors as possible "accused" parties. I mean, it's possible that anyone will file a report including companies that fall under those categories, but those will most likely be easily dismissed by experts.
<quote> The expert's investigation, will be able to value relationships between LIRs/end users, of the same business groups. </quote>
How ?
Looking at public companies registries, for one... "same business groups" could possibly be reworded into "same ownership".
<quote> Accidental cases or those that can't be clearly classified as intentional, will receive a warning, which may be considered if repeated. </quote>
this is incoherent -- and there does not seem to be any clarity about what a "warning" means from a consequences point of view
Noted. The text needs more clarity. It means a message should be generated to the party in question. It _doesn't_ mean, "the next time it won't be just a warning" :-) For me it's just a "this looks odd, please take a look". From my point of view, experts _shouldn't_ be able to ADD any accused parties to the cases they evaluate. I'm comfortable if the "warnings" are not publicly visible.
<quote> As soon as the policy implementation is completed, a transition period of 6 months will be established, so that organizations that announce unassigned address space or autonomous systems numbers, due to operational errors or other non-malicious reasons, receive only a warning. </quote>
This section of the text is presumably meant to address the "bogons" issue -- the long-standing disputes between various networks and the RIRs as to whether or not they are entitled to announce various prefixes or use particular AS numbers.
Yes. While "warning" here might be a slightly different concept from the "warning" above. :-)
It seems optimistic to assume these issues will be addressed in six months. Or perhaps you are expecting ARIN (and all the other RIRs) to void contracts with the US Department of Defence, with Level 3, with CenturyLink, with Hewlett Packard, with Verizon, with Comcast, with AT&T and with Rogers ??
What do you suggest? Scrap the 6-month transition period? Or extend it? Or treat all existing bogons at the implementation date as "exclusions"? If this can't be fixed, at least new bogons shouldn't emerge, right?
<nonquote> crickets </nonquote>
There is no discussion of the mis-use of AS numbers. Arguably this would be merely a clarification, but it would I think be a useful one to assist the experts in their proposed work.
Thanks for reminding us about this! I've rephrased a passage in section 2, on v2.0's draft: «The announcement of unallocated IP address space or unallocated autonomous system numbers to third parties is also considered a policy violation and is evaluated according to the same parameters.» Also added the reference to ASNs on the "Lines of Action" section.
Actually, question for the chairs and Marco. Do you think it makes sense to continue the discussion with the current version before improving it, or already sending a new one?
Sending RIPE the ARIN version which hardly addresses key technical points which have been made to you does not seem especially valuable
Each region has its specific PDP, we didn't aim to have ARIN's v1.0 fully aligned with RIPE's v2.0. We're still editing RIPE's v2.0.
Also, of recent days there has been some (ill-informed) discussion about RPKI and the use of ROAs to settle disputes about hijacking. There is no mention of this in the ARIN document so it is not possible to identify whatever technical implausibility will be put forward. (Hint: RPKI is great for reducing the incidence of "fat fingering", it merely provides a slight (if that) impediment to an intentional hijacker)
The point was probably: "OK, you say you are the legitimate holder. Then please create a ROA, so there is no doubt about it."
There is a lot of improvement already, the discussion has been extremely useful for the authors. However, we are missing some NCC inputs, for example, regarding legal questions that we raised several times, so if sending a new version means we can't get those inputs, then it's not good ...
This relates to the part of the document where, having established that an intentional hijack (or some vaguely defined never-ending series of fat fingers) has occurred, there are consequences for the organisation found at fault.
Don't you think that "fat fingers" are easily identifiable, if you hold x.y.z.0/24 and you start announcing x.y.z+1.0/24? Or if you happen to start announcing a /23 when you hold only the /24? Also, the idea is that any accused party can explain to experts how they fumbled...
it's pretty clear to me that the majority of the objections made to the proposed policy address this issue (maybe because it is thought you might eventually address the detailed technical objections).
So, do you think a reference to RIPE-697 could be useful?
I don't think (but this is not really my expertise) that a legal opinion (on what exactly?) is going to address most of the objections being made which relate to the whether it is appropriate for a technical transgression to result in resources being withdrawn.
"repeated technical transgressions"?
The lack of clarity over the bogons issue doubtless makes everyone think "that might be me"
We might be flexible about that -- i mean, relating to already existing bogons. :-) Does it sound like a good compromise?
To assist the authors -- your view that "experts" can decide what is or is not a hijack is aspirational. It is also not how technical experts are used in the real world -- they generally assist adjudicators to make fair decisions, they do not make those decisions themselves. It would be far better to have the NCC Board decide whether hijacking has occurred but suggest that they should call upon experts as needed
At this point our vision is to minimize the NCC Board's intervention, while it should have the definitive word if two rounds of experts agree on an intentional hijack.
To assist the chairs -- if the ARIN document was brought to RIPE I would not be in favour of it being adopted by RIPE. I say this as someone with extensive experience of tracking down and dealing with BGP hijacks by criminal groups.. my technical points come from experience.
We are planning for a version 2.0 in RIPE, which will not be obviously 100% coincident with ARIN's version. Again, this was very useful. Thanks! Best Regards, Carlos
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
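Two of Richard's technical objections above (that routing data alone leaves at least two ASes who could have originated an announcement, and that a ROA only protects against the wrong origin being announced, not against an intentional hijacker who forges the holder's origin AS) and Carlos's "fat finger" heuristic (announcing x.y.z+1.0/24 when you hold x.y.z.0/24, or a /23 when you hold only the /24) can be made concrete in a few lines. The following is an added example written for this page, not code from the proposal or from either author; the prefixes, ASNs and ROAs are constructed from documentation ranges, and the classification labels are my own.

```python
"""Toy checks for the BGP-hijack attribution points raised in the thread.

Example code written for this page (not part of 2019-03). All prefixes,
ASNs and ROAs used here are constructed from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Sequence, Set


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: prefix, maxLength, authorised origin AS."""
    prefix: str
    max_length: int
    origin_as: int


def rov_state(prefix: str, origin_as: int, roas: Iterable[Roa]) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'.

    Note what this does NOT do: if a hijacker announces the prefix with the
    holder's own origin AS prepended, the result is still 'valid'.
    """
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def classify_announcement(announced: str, held: Sequence[str]) -> str:
    """Relate an announcement to the prefixes the announcing party holds.

    'held'          announced prefix equals or is inside a held prefix
    'less-specific' announced prefix covers a held prefix (the /23 over a /24)
    'adjacent'      the neighbouring block of the same size (x.y.z+1.0/24)
    'unrelated'     none of the above; no obvious fat-finger explanation
    """
    net = ipaddress.ip_network(announced)
    for h in held:
        hn = ipaddress.ip_network(h)
        if hn.version != net.version:
            continue
        if net.subnet_of(hn):
            return "held"
        if hn.subnet_of(net):
            return "less-specific"
        distance = abs(int(net.network_address) - int(hn.network_address))
        if net.prefixlen == hn.prefixlen and distance == hn.num_addresses:
            return "adjacent"
    return "unrelated"


def candidate_culprits(as_path: Sequence[int]) -> Set[int]:
    """Minimum suspect set from a collected AS_PATH (collector first, origin last).

    The origin AS is the obvious suspect, but the AS adjacent to it could have
    forged the origin, so routing data alone never narrows it below two.
    """
    if not as_path:
        return set()
    return set(as_path[-2:])


if __name__ == "__main__":
    # Constructed holder: AS64496 holds 192.0.2.0/24 and published a /24 ROA.
    roas = [Roa("192.0.2.0/24", 24, 64496)]
    print(rov_state("192.0.2.0/24", 64511, roas))   # wrong origin -> invalid
    print(rov_state("192.0.2.0/24", 64496, roas))   # forged holder AS -> valid
    print(classify_announcement("192.0.3.0/24", ["192.0.2.0/24"]))   # adjacent
    print(classify_announcement("192.0.2.0/23", ["192.0.2.0/24"]))   # less-specific
    print(candidate_culprits([64500, 64501, 64496]))  # {64501, 64496}
```

The `adjacent` and `less-specific` outcomes are the shapes a report could reasonably treat as plausible operational error; `unrelated` is only a starting point, since, as `candidate_culprits` shows, the origin seen in collected data is never on its own proof of who configured the announcement.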
On Tue, Mar 19, 2019 at 01:41:22PM +0100, Marco Schmidt wrote:
A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy Violation", is now available for discussion.
I have read the proposal version 1.0 as published on 13 March. I believe that the proposers try to act with the best of intentions. I also believe that certain occurrences of "hijacking" constitute unfriendly action, likely involving violation of criminal codes. Looking at the supporting arguments however, I fail to see merit in any of them:
BGP hijacking completely negates the purpose of a (Regional Internet) Registry.
This is unclear to me. The Registry registers address space, not routes.
This community needs to explicitly express that BGP hijacking violates RIPE policies.
This is self referential - it remains unclear how and why "BGP hijacking" would violate RIPE policies. It is also unclear that other courses of action are either unavailable or unworkable.
If nothing changes in this field, the reputation of the RIPE NCC service region will continue to be affected from a cybersecurity perspective due to BGP hijacking events.
Sorry, this is pure handwaving. Looking at the proposal text itself, I fail to see what policy it actually proposes. Instead of defining policy it suggests to instantiate a court-like system that will, without having either appropriate competence or investigatory power, issue a finding of whether or not a "policy violation" has happened. The only purpose is to construct a compliance case for the NCC to terminate membership and/or withdraw resource allocations (or maybe assignments). The topic of attribution is heavily discussed in a variety of fora and the approach chosen in 2019-03 is, at best, overly optimistic. At the same time it is unclear why the RIPE NCC should even consider this "policy" in their compliance assessment. That said, I wonder why this non-proposal met the threshold for being accepted in the first place. Upholding my previous assessment, I do object to 2019-03. The discussion phase has shown enough lack of clarity both in terms of defining what should be considered "hijacking" as well as questions of proper jurisdiction. Therefore, I would be highly surprised if this work of art would be declared ready for the review phase. best regards, Peter
Is this despite RIPE operating a routing registry as a subset of the IRR and allowing ASNs to announce their routing policies? Despite RIPE allocating ASNs that are used in routing? On 17/04/19, 7:09 PM, "anti-abuse-wg on behalf of Peter Koch" <anti-abuse-wg-bounces@ripe.net on behalf of pk@DENIC.DE> wrote: On Tue, Mar 19, 2019 at 01:41:22PM +0100, Marco Schmidt wrote: >> BGP hijacking completely negates the purpose of a (Regional Internet) Registry. >> >This is unclear to me. The Registry registers address space, not routes.
On 17 Apr 2019, at 14:38, Peter Koch wrote:
I have read the proposal version 1.0 as published on 13 March.
I believe that the proposers try to act with the best of intentions.
I also believe that certain occurrences of "hijacking" constitute unfriendly action, likely involving violation of criminal codes.
Looking at the supporting arguments however, I fail to see merit in any of them:
[ceterum censeo] I share Peter's misgivings. Best regards, Niall O'Reilly
Hi Peter, All, On Wed, 17 Apr 2019, Peter Koch wrote:
On Tue, Mar 19, 2019 at 01:41:22PM +0100, Marco Schmidt wrote:
A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy Violation", is now available for discussion.
I have read the proposal version 1.0 as published on 13 March.
I believe that the proposers try to act with the best of intentions.
Mainly because what we have *today* is not really working...
I also believe that certain occurrences of "hijacking" constitute unfriendly action, likely involving violation of criminal codes.
Yes, however, jurisdictions (and the lack of laws in some of them) sometimes work against stopping criminal activities (again, dozens of different legal systems in the RIPE NCC Service Region, and beyond).
Looking at the supporting arguments however, I fail to see merit in any of them:
BGP hijacking completely negates the purpose of a (Regional Internet) Registry.
This is unclear to me. The Registry registers address space, not routes.
Yes, but one of the main purposes of a Registry is that everyone knows who is using a specific resource (or who is the legitimate holder). Those who are intentionally and continuously hijacking resources are removing value from the Registry for the whole community. What's the point in having a Registry if people just decide which numbers to use, even if those Internet numbers are attached to another org with legitimate holdership and exclusive rights of usage?
This community needs to explicitly express that BGP hijacking violates RIPE policies.
This is self referential - it remains unclear how and why "BGP hijacking" would violate RIPE policies. It is also unclear that other courses of action are either unavailable or unworkable.
I agree that the wording is a bit self referential, yes. The rule, as we speak, doesn't exist. Maybe using different wording, it could mean: "Resource hijacking is not allowed". Period. Anyone who hijacks other orgs' resources can happily keep theirs. In fact they can even use their own legitimate ASN (which is also a resource) to perform said hijacks... About "other courses of action which are unworkable": The "intentional hijacker" and the "hijacked" usually are not within the same economy/law system/jurisdiction -- they may even be in different RIR Service Regions... So, the main/only course of action, as I see it today for a hijacked party (if the hijacker is from the RIPE region), is sending a complaint to a Dutch court... and it's doubtful if the Dutch court will not rule itself to be "unable to rule" on the matter... Hence, industry "self-regulation" comes to mind.
If nothing changes in this field, the reputation of the RIPE NCC service region will continue to be affected from a cybersecurity perspective due to BGP hijacking events.
Sorry, this is pure handwaving.
The issue is not an exclusive problem within the RIPE NCC Service Region. However, yes, there are hijacks originating from the region, and there isn't an easy way for anyone to report it, so hijacks (or persistent hijackers) are stopped.
Looking at the proposal text itself, I fail to see what policy it actually proposes.
Trying to sum it up in just a line: "Persistent and intentional resource hijacking is not tolerated."
Instead of defining policy it suggests to instantiate a court-like system that will, without having either appropriate competence or investigatory power, issue a finding of whether or not a "policy violation" has happened. The only purpose is to construct a compliance case for the NCC to terminate membership and/or withdraw resource allocations (or maybe assignments).
The main concept is that the RIPE NCC will not have the role to investigate or to judge, following a report.
The topic of attribution is heavily discussed in a variety of fora and the approach chosen in 2019-03 is, at best, overly optimistic.
Version 2.0 (to be published soon) has more details, based on the feedback received during the discussion phase.
At the same time it is unclear why the RIPE NCC should even consider this "policy" in their compliance assessment.
It's not "policy", it's a "proposal". The PDP was followed, as far as I know.
That said, I wonder why this non-proposal met the threshold for being accepted in the first place.
It's a "proposal", and while there isn't a vote involved and the consensus calling is up to the AAWG Chairs, the support expressed for 2019-03 largely exceeded objections (up to now, of course).
Upholding my previous assessment, I do object to 2019-03.
That was already clear, but thanks for writing it. :-)
The discussion phase has shown enough lack of clarity both in terms of defining what should be considered "hijacking" as well as questions of proper jurisdiction. Therefore, I would be highly surprised if this work of art would be declared ready for the review phase.
Again, version 2.0 will be published soon. Best Regards, Carlos
best regards, Peter
Carlos Friaças via anti-abuse-wg wrote on 17/04/2019 22:13:
The main concept is that the RIPE NCC will not have the role to investigate or to judge, following a report.
who is liable if a mistake is made? The individuals on the judging panel or the RIPE NCC? Nick
In message <61efb045-f2dc-b274-93b9-515491a97c97@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
who is liable if a mistake is made?
This is a rubbish argument, as I already pointed out. Who is "liable" if, when you get up to the counter at the airport, Hertz or Avis tells you that they will no longer rent cars to you because the last time they did, you left feces in it? It is pretty obvious to me, as I can only hope it is also to everyone else, that all of the folks on this list who appear to be getting sweaty palms and/or brows over this ludicrous and thoroughly made up "liability" non-issue are themselves in fact neither lawyers nor people who, in all probability, have ever even set foot in a courtroom. More specifically, they are not -contract- lawyers, and they are thus predisposed to imagine all sorts of fanciful demons and dragons, as may seem useful in order to support their otherwise unsupportable positions. In short, this made-up "liability" concern is the "WMD" of this entire discussion... just scary enough so that most people won't even give it any earnest thought or consideration, but will instead be stampeded, like some blind herd, towards whatever outcome is desired on the part of the manipulators. Perhaps before entertaining this ridiculous notion any further, those who raise the question should endeavor to answer it themselves and to present their actual factual findings here. Who is "liable" if Hertz won't rent you a car anymore because you have demonstrably behaved like a perfect s***head in the past? And precisely how many such frivolous lawsuits does Hertz find itself having to defend itself against on an annual basis? I frankly do not know why some of the people who raise this kind of "issue" have elected to remain so restrained in their rhetoric. Why not just say that if a mistake is made, by RIPE, and some RIPE member is determined to be a hijacker, and is thus kicked to the curb, that this mistake will necessarily and inevitably lead to a plague of locusts descending upon the land, in addition to floods, earthquakes, and finally, inevitably, nuclear winter.
Oh yeah, and don't forget the WMD! And the smoking gun that turns into a mushroom cloud! I always say, if you're going to do something, you should do it all the way, even when it comes to trying to scare people out of whatever little wits they had to begin with, using baseless hypotheticals grounded in nothing more substantial than moonbeams and unicorn tears. Regards, rfg P.S. I apologize in advance to Eric Bais for my mention of the historical and painful canard that was "WMD", but would like to remind him that my own country, the United States, lost more lives, arguably needlessly, as a result of that particular false bogeyman than did any other. So if I can stand to hear it spoken of, or to even talk about it myself, then perhaps he can summon up the intestinal fortitude to avert his eyes just long enough to avoid having his delicate sensibilities offended, yet again.
On Wed, 17 Apr 2019, Nick Hilliard wrote:
Carlos Friaças via anti-abuse-wg wrote on 17/04/2019 22:13:
The main concept is that the RIPE NCC will not have the role to investigate or to judge, following a report.
who is liable if a mistake is made? The individuals on the judging panel or the RIPE NCC?
Hi, It shouldn't be the RIPE NCC, if the RIPE NCC is just following the defined policy. If individuals on the judging panel are liable (by Dutch courts, I imagine) for wrong decisions, then that may be a hurdle to forming a pool of experts. Maybe liability insurance is possible, but I don't have a way of calculating that kind of cost. And how will a Dutch court determine a wrong decision was made? By getting a different set of experts...? In the case the RIPE NCC closes a LIR based on RIPE-716 A.1.2.2.g, is the RIPE NCC also liable? Or is the individual staff member who decides that untruthful information was supplied to the NCC also liable? I'm not even aware if the NCC already has any liability insurance in place for those cases -- and if they haven't, why they chose not to have it. Regards, Carlos
Nick
On Thu, Apr 18, 2019 at 1:39 AM Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
And how will a Dutch court determine a wrong decision was made? By getting a different set of experts...?
E.g. by judging on evidence found later, and with that evidence making a decision that the original set of experts did their job poorly. NCC has had arbiters for quite a while. Who's responsible for their mistakes?
It shouldn't be the RIPE NCC, if the RIPE NCC is just following the defined policy.
Honestly, I think it's the opposite. If the NCC terminates a membership agreement, it should be liable for all the consequences of a wrong decision no matter how exactly the decision is made and what arbiters/experts/oracles/grandmoms were asked for a definitive advice. -- Töma
Fat fingers, On Thu, Apr 18, 2019 at 3:17 AM Töma Gavrichenkov <ximaera@gmail.com> wrote:
Honestly, I think it's the opposite. If the NCC terminates a membership agreement, it should be liable for all the consequences of a wrong decision no matter how exactly the decision is made and what arbiters/experts/oracles/grandmoms were asked for a definitive advice.
..., because if it turns out that the experts or oracles prepared bad advice, it would be the NCC's responsibility for not choosing a better set of experts or oracles. In any case, an individual won't be able to compensate the financial damage of an average ISP being shut down anyway, so it must be an org, and it is highly unlikely it could be that individual's employer. -- Töma
On Thu, 18 Apr 2019, Töma Gavrichenkov wrote:
Fat fingers,
...we all have it :-)
On Thu, Apr 18, 2019 at 3:17 AM Töma Gavrichenkov <ximaera@gmail.com> wrote:
Honestly, I think it's the opposite. If the NCC terminates a membership agreement, it should be liable for all the consequences of a wrong decision no matter how exactly the decision is made and what arbiters/experts/oracles/grandmoms were asked for a definitive advice.
..., because if it turns out that the experts or oracles prepared bad advice, it would be the NCC's responsibility for not choosing a better set of experts or oracles.
This sounds a bit far fetched to me... I think it's not the NCC's role to select people, it should be the community's...
In any case, an individual won't be able to compensate the financial damage
Liability insurance? (yes, i know... cost)
of an average ISP being shut down anyway, so it must be an org, and highly unlikely it could be that individual's employer.
Does a RIPE NCC Service Agreement termination mean that an ISP or a company is necessarily shut down...??? The NCC's membership base is not exclusively formed by ISPs to start with... If someone doesn't abide by the rules, and needs to keep supplying services to 3rd parties, it can resort to other LIRs' services. Yes, that will at least imply a renumbering, which means added cost, but it will not necessarily mean the company will face a shutdown. Regards, Carlos
-- Töma
Hi, On Thu, 18 Apr 2019, Töma Gavrichenkov wrote:
On Thu, Apr 18, 2019 at 1:39 AM Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
And how will a Dutch court determine a wrong decision was made? by getting a different set of experts...?
E.g. by judging on evidence found later, and with that evidence making a decision that the original set of experts did their job poorly.
Experts (on any given subject matter) can be wrong, if they look only at a specific dataset. If data is not available on the year a crime was committed, and it surfaces only 5 years later, I wouldn't say the experts did a poor job. They might have done a good job with the data available at the time.
NCC has had arbiters for quite a while. Who's responsible for their mistakes?
Curiously or not, that's where all of this started: my first take was to think that arbiters were the solution, but *several* people pointed out the current pool of RIPE arbiters was formed for a different purpose and some of them might not have the skills (or the will...) to look into hijacking cases.
It shouldn't be the RIPE NCC, if the RIPE NCC is just following the defined policy.
Honestly, I think it's the opposite. If the NCC terminates a membership agreement, it should be liable for all the consequences of a wrong decision no matter how exactly the decision is made and what arbiters/experts/oracles/grandmoms were asked for a definitive advice.
OK, but that is relative to *any* termination reason, be it immediate or on a specific timescale (see RIPE-716). I would like to know how many Dutch court cases were filed to date against RIPE NCC about wrongful membership agreement termination. Thanks, Carlos ps: we've missed grandmoms on version 2.0's text. sorry about that :-))
-- Töma
On 18/4/19 9:15, "anti-abuse-wg on behalf of Carlos Friaças via anti-abuse-wg" <anti-abuse-wg-bounces@ripe.net on behalf of anti-abuse-wg@ripe.net> wrote:
> Hi,
> On Thu, 18 Apr 2019, Töma Gavrichenkov wrote:
>> On Thu, Apr 18, 2019 at 1:39 AM Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
>>> And how will a Dutch court determine a wrong decision was made? by getting a different set of experts...?
>> E.g. by judging on evidence found later, and with that evidence making a decision that the original set of experts did their job poorly.
> Experts (on any given subject matter) can be wrong, if they look only at a specific dataset.

Even in court cases, experts (judicial experts, "peritos judiciales" in Spanish) can produce wrong advice. This is why we have an appeal process.

> If data is not available on the year a crime was committed, and it surfaces only 5 years later, I wouldn't say the experts did a poor job. They might have done a good job with the data available at the time.
>> NCC has had arbiters for quite a while. Who's responsible for their mistakes?
> Curiously or not, that's where all of this started: my first take was to think that arbiters were the solution, but *several* people pointed out the current pool of RIPE arbiters was formed for a different purpose and some of them might not have the skills (or the will...) to look into hijacking cases.
>>> It shouldn't be the RIPE NCC, if the RIPE NCC is just following the defined policy.
>> Honestly, I think it's the opposite. If the NCC terminates a membership agreement, it should be liable for all the consequences of a wrong decision no matter how exactly the decision is made and what arbiters/experts/oracles/grandmoms were asked for a definitive advice.
> OK, but that is relative to *any* termination reason, be it immediate or on a specific timescale (see RIPE-716).
> I would like to know how many Dutch court cases were filed to date against RIPE NCC about wrongful membership agreement termination.

Interesting question, and I will say that if we can have that information (I guess Marco can ask "officially" for it to other RIRs) for all the RIRs, even better. This is public information, but you need to search for it, while the RIRs know very well all their cases (if there are any).

> Thanks, Carlos
> ps: we've missed grandmoms on version 2.0's text. sorry about that :-))
>> -- Töma

**********************************************
IPv4 is over
Are you ready for the new Internet?
http://www.theipv6company.com
The IPv6 Company
In message <alpine.LRH.2.21.1904171644150.13524@gauntlet.corp.fccn.pt>, Carlos Friaças <cfriacas@fccn.pt> wrote:
What's the point in having a Registry if people just decide which numbers to use, even if those Internet numbers are attached to another org with legitimate holdership and exclusive rights of usage?
This is, in my opinion, THE fundamental question. And it still remains unanswered. Regards, rfg
In message <alpine.LRH.2.21.1904171644150.13524@gauntlet.corp.fccn.pt>, Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net> writes
So, the main/only course of action, as I see it today for a hijacked party (if the hijacker is from the RIPE region), is sending a complaint to a Dutch court... and it's doubtful if the Dutch court will not rule itself to be "unable to rule" on the matter...
You are entirely incorrect that using the courts is the "main" or "only" course of action. Numerous hijack events have been dealt with down the years. I am not aware of any instance in which a court got involved in stopping the hijack from happening ... ... I am aware of peer pressure (literally), action by IXPs, action by organisations providing reputation scores and even action by hosting companies.
However, yes, there are hijacks originating from the region, and there isn't an easy way for anyone to report it, so that hijacks (or persistent hijackers) are stopped.
hijacks are reported in numerous places, the NANOG mailing list springs immediately to mind -- and posting there is certainly easy
Trying to sum it up in just a line: "Persistent and intentional resource hijacking is not tolerated."
I'm still looking forward to the wording that will deal with the US DoD -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
On Thu, 18 Apr 2019, Richard Clayton wrote:
In message <alpine.LRH.2.21.1904171644150.13524@gauntlet.corp.fccn.pt>, Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net> writes
So, the main/only course of action, as I see it today for a hijacked party (if the hijacker is from the RIPE region), is sending a complaint to a Dutch court... and it's doubtful if the Dutch court will not rule itself to be "unable to rule" on the matter...
You are entirely incorrect that using the courts is the "main" or "only" course of action.
Numerous hijack events have been dealt with down the years. I am not aware of any instance in which a court got involved in stopping the hijack from happening ...
OK, so if courts are not an option.......
... I am aware of peer pressure (literally), action by IXPs, action by organisations providing reputation scores and even action by hosting companies.
Yes, I'm aware of that too. Sometimes it fixes specific hijacks, but does it stop or in any way cause a delay for hijackers to hop onto the next hijack...???
However, yes, there are hijacks originating from the region, and there isn't an easy way for anyone to report it, so that hijacks (or persistent hijackers) are stopped.
hijacks are reported in numerous places, the NANOG mailing list springs immediately to mind -- and posting there is certainly easy
Yes, I'm aware of it, but is that the (globally?) de-facto place for raising anyone's attention to a hijack or a hijacker operation?
Trying to sum it up in just a line: "Persistent and intentional resource hijacking is not tolerated."
I'm still looking forward to the wording that will deal with the US DoD
Won't that fall under "legacy"...? Are we having this discussion under RIPE or under ARIN? :-))) Regards, Carlos
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
In message <alpine.LRH.2.21.1904180803120.19649@gauntlet.corp.fccn.pt>, Carlos Friaças <cfriacas@fccn.pt> writes
On Thu, 18 Apr 2019, Richard Clayton wrote:
... I am aware of peer pressure (literally), action by IXPs, action by organisations providing reputation scores and even action by hosting companies.
Yes, I'm aware of that too. Sometimes it fixes specific hijacks, but does it stop or in any way cause a delay for hijackers to hop onto the next hijack...???
All of the examples I gave come from my experience in putting a stop to various actors hijacking address space. Now it may be that the same actors have come back and found another completely different hosting company to carry their hijacks -- but getting them to start again from scratch has always looked like a win to me. In particular there is nothing like being thrown off an IXP for putting a crimp in your operations. There's real money involved. I advised you before to give up on getting RIPE to develop a completely new approach to tackling abuse (especially since it really is not going all that well) -- and instead to put your effort into getting IXPs to develop robust policies in this space. After all IXPs and routing are a far better fit than an RIR and routing.
hijacks are reported in numerous places, the NANOG mailing list springs immediately to mind -- and posting there is certainly easy
Yes, I'm aware of it, but is that the (globally?) de-facto place for raising anyone's attention to a hijack or a hijacker operation?
it's not ideal from a global perspective, but it is certainly the de-facto place at the moment -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
Hi, On Thu, 18 Apr 2019, Richard Clayton wrote:
On Thu, 18 Apr 2019, Richard Clayton wrote:
... I am aware of peer pressure (literally), action by IXPs, action by organisations providing reputation scores and even action by hosting companies.
Yes, I'm aware of that too. Sometimes it fixes specific hijacks, but does it stop or in any way cause a delay for hijackers to hop onto the next hijack...???
All of the examples I gave come from my experience in putting a stop to various actors hijacking address space. Now it may be that the same actors have come back and found another completely different hosting company to carry their hijacks -- but getting them to start again from scratch has always looked like a win to me.
It's also a win in my dictionary. :-))) But didn't you see any cases where the hijacker was the hosting company itself?
In particular there is nothing like being thrown off an IXP for putting a crimp in your operations. There's real money involved.
With my IXP hat on, I can say that removing a member is not something the IXP will do lightly.
I advised you before to give up on getting RIPE to develop a completely new approach to tackling abuse (especially since it really is not going all that well) -- and instead to put your effort into getting IXPs to develop robust policies in this space. After all IXPs and routing are a far better fit than an RIR and routing.
I agree IXPs are important. However the RIRs can be useful at a larger scale...
hijacks are reported in numerous places, the NANOG mailing list springs immediately to mind -- and posting there is certainly easy
Yes, I'm aware of it, but is that the (globally?) de-facto place for raising anyone's attention to a hijack or a hijacker operation?
it's not ideal from a global perspective, but it is certainly the de-facto place at the moment
Hmmmm. Perhaps we should look at how many hijack reports get there per year... Thanks, Carlos
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
In message <alpine.LRH.2.21.1904181130160.21398@gauntlet.corp.fccn.pt>, Carlos Friaças <cfriacas@fccn.pt> writes
On Thu, 18 Apr 2019, Richard Clayton wrote:
... I am aware of peer pressure (literally), action by IXPs, action by organisations providing reputation scores and even action by hosting companies.
Yes, I'm aware of that too. Sometimes it fixes specific hijacks, but does it stop or in any way cause a delay for hijackers to hop onto the next hijack...???
All of the examples I gave come from my experience in putting a stop to various actors hijacking address space. Now it may be that the same actors have come back and found another completely different hosting company to carry their hijacks -- but getting them to start again from scratch has always looked like a win to me.
It's also a win in my dictionary. :-)))
But didn't you see any cases where the hijacker was the hosting company itself?
Hard to tell in some cases whether the people running the hosting company were merely in league with the hijackers or the hijackers themselves. Only a court would care about the difference -- the practical view is that it just means that action needs to be taken by peers or by an IXP (or both)
In particular there is nothing like being thrown off an IXP for putting a crimp in your operations. There's real money involved.
With my IXP hat on, I can say that removing a member is not something the IXP will do lightly.
and rightly so ... and in my experience (you really should note the people here with experience) they want to gather their own evidence and form their own judgment before doing something so significant. That's why your proposal for RIPE NCC being forced to act by a semi-detached panel of experts is so deeply flawed.
I advised you before to give up on getting RIPE to develop a completely new approach to tackling abuse (especially since it really is not going all that well) -- and instead to put your effort into getting IXPs to develop robust policies in this space. After all IXPs and routing are a far better fit than an RIR and routing.
I agree IXPs are important. However the RIRs can be useful at a larger scale...
you have no evidence for that -- you are just hoping that they will be -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
On Thu, 18 Apr 2019, Richard Clayton wrote:
Hard to tell in some cases whether the people running the hosting company were merely in league with the hijackers or the hijackers themselves. Only a court would care about the difference -- the practical view is that it just means that action needs to be taken by peers or by an IXP (or both)
Even harder is having a court decision about such a matter.
and rightly so ... and in my experience (you really should note the people here with experience) they want to gather their own evidence and form their own judgment before doing something so significant. That's why your proposal for RIPE NCC being forced to act by a semi-detached panel of experts is so deeply flawed.
Why "semi-detached"? They must be impartial to start with.
I agree IXPs are important. However the RIRs can be useful at a larger scale...
you have no evidence for that -- you are just hoping that they will be
One IXP can show a bad actor the door. The RIR, by revoking an ASN number (if it gets to that) can make the bad actor lose the main technical requirement to be part of most IXPs. That said, *if* this happens, it's not a company shutdown, but the company will need a new ASN number, at least to keep its operation in several IXPs. Again, without an ASN, company operation would still be possible (outside IXP environment), resorting even to a single upstream. Carlos
< rant > this is insane. neither ripe nor the ncc should be the net police, courts, and prison rolled into one kangaroo court. it is droll that the erstwhile anti-abuse working group becomes a self-righteous abuser. so it is with so many abused children. put your energy into routing security not converting ripe and the ncc into an authoritarian state. we have enough of those. randy
+1 - Cynthia On 2019-04-18 17:55, Randy Bush wrote:
< rant >
this is insane. neither ripe nor the ncc should be the net police, courts, and prison rolled into one kangaroo court.
it is droll that the erstwhile anti-abuse working group becomes a self-righteous abuser. so it is with so many abused children.
put your energy into routing security not converting ripe and the ncc into an authoritarian state. we have enough of those.
randy
I apologize for the incorrect date in my previous email, I didn't realize that Windows suddenly stopped knowing what time it was. - Cynthia On 2019-04-18 15:58, Cynthia Revström wrote:
+1
- Cynthia
On 2019-04-18 17:55, Randy Bush wrote:
< rant >
this is insane. neither ripe nor the ncc should be the net police, courts, and prison rolled into one kangaroo court.
it is droll that the erstwhile anti-abuse working group becomes a self-righteous abuser. so it is with so many abused children.
put your energy into routing security not converting ripe and the ncc into an authoritarian state. we have enough of those.
randy
Carlos, all, On Wed, Apr 17, 2019 at 10:13:56PM +0100, Carlos Friaças via anti-abuse-wg wrote:
I also believe that certain occurrences of "hijacking" constitute unfriendly action, likely involving violation of criminal codes.
Yes, however, jurisdictions (and lack of laws in some of them) sometimes work against stopping criminal activities (again, dozens of different legal systems in the RIPE NCC Service Region, and beyond).
the Rule of Law principle is an achievement even if it appears to make things complicated at times.
BGP hijacking completely negates the purpose of a (Regional Internet) Registry.
This is unclear to me. The Registry registers address space, not routes.
Yes, but one of the main purposes of a Registry is that everyone knows who is using a specific resource (or who is the legitimate holder).
Definitely the registry puts on record who the holder is, I'm not sure that always includes "use".
Those who are intentionally and continuously hijacking resources are removing value from the Registry for the whole community.
Quite to the contrary. Without the registry you couldn't even tell.
What's the point in having a Registry if people just decide which numbers to use, even if those Internet numbers are attached to another org with legitimate holdership and exclusive rights of usage?
That question answers itself. Even more so, what's the point of removing the resources registered by those "people" if they allegedly don't care anyway?
The rule, as we speak, doesn't exist. Maybe using different wording, it could mean: "Resource hijacking is not allowed". Period.
While "hijacking" still needs to be defined, the statement in and of itself is not a policy.
So, the main/only course of action, as I see it today for a hijacked party (if the hijacker is from the RIPE region), is sending a complaint to a Dutch court... and it's doubtful if the Dutch court will not rule itself to be "unable to rule" on the matter...
Why would you ask the Dutch court? Thanks to the Registry DB, the hijacked party is hopefully able to prove holdership of a resource to take mitigation to the operational level. -Peter
On Thu, 18 Apr 2019, Peter Koch wrote: (...)
BGP hijacking completely negates the purpose of a (Regional Internet) Registry.
This is unclear to me. The Registry registers address space, not routes.
Yes, but one of the main purposes of a Registry is that everyone knows who is using a specific resource (or who is the legitimate holder).
Definitely the registry puts on record who the holder is, I'm not sure that always includes "use".
Without any rights of use attached, the value of having a registry is close to none. If someone hijacks a resource to engage in a criminal activity, then the value for the legitimate holder of having a reference in the registry can be even *negative*, if he's forced to prove that he actually didn't have any part in said criminal activity...
Those who are intentionally and continuously hijacking resources are removing value from the Registry for the whole community.
Quite to the contrary. Without the registry you couldn't even tell.
Step 1 - Have a registry. Check. Step 2 - Make people abide by the registry. Oooops. :/
What's the point in having a Registry if people just decide which numbers to use, even if those Internet numbers are attached to another org with legitimate holdership and exclusive rights of usage?
That question answers itself. Even more so, what's the point of removing the resources registered by those "people" if they allegedly don't care anyway?
If a hijacker loses the rights to use its ASN, their peers/upstreams will likely need to review their configs/neighborships...
The rule, as we speak, doesn't exist. Maybe using different wording, it could mean: "Resource hijacking is not allowed". Period.
While "hijacking" still needs to be defined, the statement in and of itself is not a policy.
We hope to improve the definition in version 2.0. I disagree when you say "<something> is not allowed" is not a policy.
So, the main/only course of action, as I see it today for a hijacked party (if the hijacker is from the RIPE region), is sending a complaint to a Dutch court... and it's doubtful if the Dutch court will not rule itself to be "unable to rule" on the matter...
Why would you ask the Dutch court?
It's the only court who can rule that the RIPE NCC needs to do something...
Thanks to the Registry DB, the hijacked party is hopefully able to prove holdership of a resource to take mitigation to the operational level.
Hopefully, yes. But that won't stop the hijacker from hopping on to the next hijack/victim... Again, we're focusing on the hijacked party as the sole victim, when those who *receive* hijacked routes are also the victims, as their traffic is attracted from such bogus announcements. Cheers, Carlos
-Peter
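The exchange above turns on two points: a holder proving holdership "to take mitigation to the operational level" (Peter) and the networks that *receive* a bogus announcement being victims too (Carlos). The following is an added example, not code from the thread or from any RIPE NCC tool: it applies Route Origin Validation with RFC 6811 semantics (valid / invalid / not-found) to a set of constructed ROA-style holder records and constructed announcements, and groups the non-valid routes by the neighbour that sent them, which is the view a receiving operator needs before deciding to drop or depreference them. All prefixes, AS numbers and peer names are hypothetical.

```python
"""Route Origin Validation (RFC 6811 semantics) over constructed data."""
from dataclasses import dataclass
import ipaddress

# Constructed ROA-like records: (prefix, maxLength, authorised origin AS).
# Hypothetical values, not taken from any registry.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]


@dataclass(frozen=True)
class Announcement:
    prefix: str      # NLRI as seen in the BGP UPDATE
    origin_as: int   # rightmost AS in the AS_PATH
    peer: str        # neighbour we learned the route from (constructed label)


# Constructed announcements as a receiving router would see them.
SAMPLE = [
    Announcement("192.0.2.0/24", 64500, "peer-A"),        # legitimate holder
    Announcement("192.0.2.0/24", 64666, "peer-B"),        # exact-prefix origin hijack
    Announcement("198.51.100.0/24", 64501, "peer-A"),     # within maxLength
    Announcement("198.51.100.128/25", 64501, "peer-A"),   # holder, but too specific
    Announcement("198.51.100.0/23", 64666, "peer-B"),     # sub-prefix origin hijack
    Announcement("203.0.113.0/24", 64503, "peer-A"),      # no ROA covers it
    Announcement("2001:db8:1::/48", 64502, "peer-C"),     # IPv6, within maxLength
    Announcement("2001:db8::/32", 64666, "peer-B"),       # IPv6 origin hijack
]


def rov_state(prefix, origin_as, roas=ROAS):
    """Return (state, reason): state is 'valid', 'invalid' or 'not-found'.

    RFC 6811: a route is valid if at least one covering ROA authorises the
    origin AS and the announced length does not exceed that ROA's maxLength;
    invalid if covering ROAs exist but none match; not-found if none cover it.
    """
    net = ipaddress.ip_network(prefix)
    covering = False
    as_authorised_somewhere = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() raises across address families, so compare versions first.
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covering = True
        if origin_as == roa_as:
            if net.prefixlen <= max_len:
                return ("valid", None)
            as_authorised_somewhere = True
    if not covering:
        return ("not-found", None)
    if as_authorised_somewhere:
        return ("invalid", "more specific than the ROA maxLength allows")
    return ("invalid", "origin AS not authorised for this prefix")


def triage(announcements, roas=ROAS):
    """Group every non-valid announcement by the neighbour it came from."""
    report = {}
    for a in announcements:
        state, reason = rov_state(a.prefix, a.origin_as, roas)
        if state == "valid":
            continue
        report.setdefault(a.peer, []).append((a.prefix, a.origin_as, state, reason))
    return report


if __name__ == "__main__":
    for peer, routes in sorted(triage(SAMPLE).items()):
        print(peer)
        for prefix, asn, state, reason in routes:
            print(f"  {prefix:<20} AS{asn:<6} {state:<9} {reason or ''}")
```

Routes marked not-found are not evidence of a hijack on their own; they only say the holder has not published a ROA, which is why the invalid group is the one worth acting on.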
participants (34)
- ac
- Andrey Korolyov
- Brian Nisbet
- Carlos Friaças
- CSIRT.UMINHO Marco Teixeira
- Cynthia Revström
- Eduardo Duarte
- Erik Bais
- Francisco Esteves
- furio ercolessi
- Gert Doering
- Hank Nussbacher
- Jacob Slater
- JORDI PALET MARTINEZ
- Luis Morais
- Marco Schmidt
- Michele Neylon - Blacknight
- Niall O'Reilly
- Nick Hilliard
- Pavel Vraštiak
- Peter Koch
- Piotr Strzyzewski
- Randy Bush
- Ricardo Patara
- Richard Clayton
- Ronald F. Guilmette
- Sascha Luck [ml]
- Serge Droz
- Sergey Myasoedov
- Suresh Ramasubramanian
- Troy Mursch
- Töma Gavrichenkov
- Warren Kumari
- Ángel González Berdasco