On Mon, Oct 15, 2012 at 07:35:33PM +0100, Nick Hilliard wrote:
> Regarding PI resources, a contractual link between the RIPE NCC and the end user exists, and the NCC has implemented RPKI using this chain of contracts. Changing this would require a direct contractual link between the end user and the RIPE NCC.

It ain't necessarily so. A requirement for a contract *may* arise if the end-user has to pay the NCC for the service. This could probably be solved via a pay portal or even be made free to end-users. All information necessary is already held by the NCC, indeed even the decision whether to allow this contract is made there.

> If you want to change it, then why not fly a policy proposal in that direction? Or if you feel strongly enough, float a policy proposal to drop rpki?

I would, but since rpki does not exist qua policy, a policy to abolish it would not be effective.

> But as it is, my point stands: there is no easy visibility into the rpki contractual side of things according to current RIPE policy, and this is a weakness which harms abuse handling.

To re-iterate, a LIR is *not* responsible for "abuse" perpetrated by the end-user; your proposal is merely trying to create this responsibility out of thin air and ex post facto. (I assume this requirement is intended to apply to existing contracts.)

> This, btw, is separate to the general abuse issue noted in the "Arguments For" section of the proposal for providing a mechanism for being able to contact a LIR to apply their AUP to an abusing End User. Not sure why you're arguing that there is a problem with it. Abusing end users exist and hide where they can.

Firstly, "abuse" is in the eye of the beholder. Secondly, a LIR has no more call to cancel a contract for resources than the NCC has in case of PA space. ISTR it being mentioned at a meeting that "spamming is a perfectly valid use of resources as far as the NCC is concerned". I checked the NCC end-user template and some actual contracts I handled and *nowhere* do these make reference to AUPs. The only requirements on the end-user are to pay and to use the resources according to policy. In fact Article 6.3 states clearly that the end-user accepts all liability for the use of the resource(s). Your contention that the sponsoring LIR should be held in some way accountable for the behaviour of the end-user is thus not supported by the existing contract.

This proposal is, by this argument, working into the hands of certain parties (you know who you are) whose mission in business is to impose their political and moral beliefs on the internet in general and will most certainly use this information to put pressure on LIRs to cancel their contracts with, or refuse to sponsor, "unwelcome" end-users.

>> With PI it's not the same situation *at all*. PI space is provider-*independent* and thus may be one last way to prevent a LIR becoming collateral damage in an attack on the end-user (e.g. a politically controversial organisation)

> This makes very little sense. If there's a perceived issue with a PI resource End User, then their legal name and contact details are already in the RIPE database so for the most part, it will be the end user who gets the flak.

And that is as it should be, since the end-user is solely responsible for what they do with their resources. Unfortunately, I am not quite so naive as to believe that an attack would stop there, on the contrary; the attacker might very well pursue the LIR which probably has deeper pockets and is therefore more at risk.

> And if for some reason their LIR ends up with collateral damage and feels they need to drop them as clients (I'm sure this happens from time to time), then there are 8000 other LIRs in the RIPE service region who can take the transfer.

Again, I disagree. This policy would have a chilling effect on LIRs signing up end-users as it creates the appearance (if not the fact) of a legal responsibility on the part of the LIR for the behaviour of an end-user, much as is already the case with the deplorable and amoral practice, by certain entities, of harassing transit providers for the behaviour of their downstreams. I also refer to the recent "Dutch Police Order" and the pamphlet by that UANI crowd as evidence of attacks in a similar vein as described above.

rgds,
Sascha