Re: [ncc-services-wg] [policy-announce] 2012-08 New Policy Proposal (Publication of Sponsoring LIR for Independent Number Resources)
Strong support. This could help curb, or at least detect and react to, abuse once IPv4 PI is hopefully allowed once again. -- Richard
On Mon, Oct 15, 2012 at 04:23:56PM +0200, Richard Hartmann wrote:
This could help curb, or at least detect and react to, abuse once IPv4 PI is hopefully allowed once again.
That is exactly why I strongly oppose this proposal. Publishing the sponsoring LIR for a PI assignment creates an appearance of responsibility on the part of the sposoring LIR, for the actions of the PI assignee, *that does not exist*. Prima facie, all that a LIR does is handle paperwork for the NCC - many LIRs do not even route the PI space they sponsor. No relationship beyond the administration of documents necessarily exists. Registering this administrative relationship creates an attack surface for harassment and extortion of sponsoring LIRs by copyright trolls, anti-spam extortionists and others of that ilk and infringes on the right of a business (such as a LIR is) not to reveal any and all commercial relationships they may have with other parties. The arguments in detail: "The RIPE resource allocation and assignment policy documents require that Internet number resources be registered 'via a public registry documenting address space allocation and assignment' and notes that 'this is necessary to ensure uniqueness and to provide information for Internet troubleshooting at all levels'." Invalid, the resources are registered with the RIR, not the sponsoring LIR. "This mechanism provides a simple means for End Users to identify with which sponsoring organisation they have a contractual link, in the case this information is unknown to the End User." Accepted, but the end-user can easily find this information by contacting the RIPE NCC. "This policy simplifies the mechanism for verification and co-ordination between sponsoring organisations when an End User wishes to transfer resources from one sponsoring organisation to another." Unneccessary, as the actual decision and verification is done by the NCC anyway. "Publishing this information provides an additional means for tackling abuse issues on the Internet." Invalid, see above. Regards, Sascha Luck
Hi Sascha, On 15/10/2012 16:27, Sascha Luck wrote:
That is exactly why I strongly oppose this proposal. Publishing the sponsoring LIR for a PI assignment creates an appearance of responsibility on the part of the sposoring LIR, for the actions of the PI assignee, *that does not exist*.
thanks for your comments. Can you explain how this link doesn't exist if the sponsoring LIR has requested RPKI certification on behalf of the PI end user, and why this contractual link is invalid in this situation?
Registering this administrative relationship creates an attack surface for harassment and extortion of sponsoring LIRs by copyright trolls, anti-spam extortionists and others of that ilk and infringes on the right of a business (such as a LIR is) not to reveal any and all commercial relationships they may have with other parties.
Much the same argument could be made about the requirement to register PA address space assignees in the RIPE DB. Yet we accept that this is a good thing. Nick
Nick, On Mon, Oct 15, 2012 at 05:11:33PM +0100, Nick Hilliard wrote:
thanks for your comments. Can you explain how this link doesn't exist if the sponsoring LIR has requested RPKI certification on behalf of the PI end user, and why this contractual link is invalid in this situation?
That is an argument against RPKI rather than one in favour of sponsoring-LIR registration, IMO. To whit, the imposition of a hierarchical structure on a non-hierarchical internet and the creation of "chains-of-responsibility" from thin air where none exist (and shouldn't exist). It would be better to have the end-user rpki-register their own resources with the RIR (who can easily verify their validity) [disclosure of commercial relationships]
Much the same argument could be made about the requirement to register PA address space assignees in the RIPE DB. Yet we accept that this is a good thing.
Not all of these relationships are actually registered, viz DSL or wireless broadband dynamic ranges. The relationship of end-user and PA holder is far more obvious by its nature, so I'm not sure much is gained by trying to keep it secret. Even so, privacy issues *have* arisen out of this situation... With PI it's not the same situation *at all*. PI space is provider-*independent* and thus may be one last way to prevent a LIR becoming collateral damage in an attack on the end-user (eg a politically controversial organisation) rgds, Sascha Luck
On 15/10/2012 17:48, Sascha Luck wrote:
That is an argument against RPKI rather than one in favour of sponsoring-LIR registration, IMO. To whit, the imposition of a hierarchical structure on a non-hierarchical internet and the creation of "chains-of-responsibility" from thin air where none exist (and shouldn't exist). It would be better to have the end-user rpki-register their own resources with the RIR (who can easily verify their validity)
Nevertheless, we are where we are and although you may not like RPKI, it exists and we have to deal with. Part of this is to put sensible policies in place to handle it. Regarding PI resources, a contractual link between the RIPE NCC and the end user exists, and the NCC has implemented RPKI using this chain of contracts. Changing this would require a direct contractual link between the end user and the RIPE NCC. If you want to change it, then why not fly a policy proposal in that direction? Or if you feel strongly enough, float a policy proposal to drop rpki? But as it is, my point stands: there is no easy visibility into the rpki contractual side of things according to current RIPE policy, and this is a weakness which harms abuse handling. This, btw, is separate to the general abuse issue noted in the "Arguments For" section of the proposal for providing a mechanism for being able to contact a LIR to apply their AUP to an abusing End User. Not sure why you're arguing that there is a problem with it. Abusing end users exist and hide where they can.
Not all of these relationships are actually registered, viz DSL or wireless broadband dynamic ranges.
No, not all, but every one where the address range is >= /29. This is a very large number of assignments indeed.
With PI it's not the same situation *at all*. PI space is provider-*independent* and thus may be one last way to prevent a LIR becoming collateral damage in an attack on the end-user (eg a politically controversial organisation)
This makes very little sense. If there's a perceived issue with a PI resource End User, then their legal name and contact details are already in the RIPE database so for the most part, it will be the end user who gets the flack. And if for some reason their LIR ends up with collateral damage and feels they need to drop them as clients (I'm sure this happens from time to time), then there are 8000 other LIRs in the RIPE service region who can take the transfer. Nick
On Mon, Oct 15, 2012 at 07:35:33PM +0100, Nick Hilliard wrote:
Regarding PI resources, a contractual link between the RIPE NCC and the end user exists, and the NCC has implemented RPKI using this chain of contracts. Changing this would require a direct contractual link between the end user and the RIPE NCC. If you want to change it, then why not fly
It ain't necessarily so. A requirement for a contract *may* arise if the end-user has to pay the NCC for the service. This could probably be solved via a pay portal or even be made free to end-users. All information necessary is already held by the NCC, indeed even the decision whether to allow this contract is made there.
a policy proposal in that direction? Or if you feel strongly enough, float a policy proposal to drop rpki?
I would, but since rpki does not exist qua policy, a policy to abolish it would not be effective.
But as it is, my point stands: there is no easy visibility into the rpki contractual side of things according to current RIPE policy, and this is a weakness which harms abuse handling.
To re-iterate, a LIR is *not* responsible for "abuse" perpetrated by the end-user, your proposal is merely trying to create this responsibility out of thin air and ex post facto. (I assume this requirement is intended to apply to existing contracts)
This, btw, is separate to the general abuse issue noted in the "Arguments For" section of the proposal for providing a mechanism for being able to contact a LIR to apply their AUP to an abusing End User. Not sure why you're arguing that there is a problem with it. Abusing end users exist and hide where they can.
Firstly, "abuse" is in the eye of the beholder. Secondly, a LIR has no more call to cancel a contract for resources than the NCC has in case of PA space. ISTR it being mentioned at a meeting that "spamming is a perfectly valid use of resources as far as the NCC is concerned". I checked the NCC end-user template and some actual contracts I handled and *nowhere* do these make reference to AUPs. The only requirements on the end-user are to pay and to use the resources according to policy. In fact Article 6.3 states clearly that the end-user accepts all liability for the use of the resource(s). Your contention that the sponsoring LIR should be held in some way accountable for the behaviour of the end-user, is thus not supported by the existing contract. This proposal is, by this argument, working into the hands of certain parties (you know who you are) whose mission in business is to impose their political and moral beliefs on the internet in general and will most certainly use this information to put pressure on LIRs to cancel their contracts with, or refuse to sponsor, "unwelcome" end-users.
With PI it's not the same situation *at all*. PI space is provider-*independent* and thus may be one last way to prevent a LIR becoming collateral damage in an attack on the end-user (eg a politically controversial organisation)
This makes very little sense. If there's a perceived issue with a PI resource End User, then their legal name and contact details are already in the RIPE database so for the most part, it will be the end user who gets the flack.
And that is as should be, since the end-user is solely responsible for what they do with their resources. Unfortunately, I am not quite as naive as to believe that an attack would stop there, on the contrary; the attacker might very well pursue the LIR which probably has deeper pockets and is therefore more at risk.
And if for some reason their LIR ends up with collateral damage and feels they need to drop them as clients (I'm sure this happens from time to time), then there are 8000 other LIRs in the RIPE service region who can take the transfer.
Again, I disagree. This policy would have a chilling effect on LIRs signing up end-users as it creates the appearance (if not the fact) of a legal responsibility on the part of the LIR for the behaviour of an end-user, much as is already the case with the deplorable and amoral practice, by certain entities, of harassing transit providers for the behaviour of their downstreams. I also refer the recent "Dutch Police Order" and the pamphlet by that UANI crowd as evidence of attacks in a similar vein as described above. rgds, Sascha
On 15/10/2012 20:38, Sascha Luck wrote:
To re-iterate, a LIR is *not* responsible for "abuse" perpetrated by the end-user, your proposal is merely trying to create this responsibility out of thin air and ex post facto. (I assume this requirement is intended to apply to existing contracts)
My goodness, I have no idea where you pulled that one from. :-)
This proposal is, by this argument, working into the hands of certain parties (you know who you are) whose mission in business is to impose their political and moral beliefs on the internet in general and will most certainly use this information to put pressure on LIRs to cancel their contracts with, or refuse to sponsor, "unwelcome" end-users.
Ok, I'm going to call a halt at this stage. I'm really not interested in arguing against scary conspiratorial hand-waving and defending this policy proposal against allegations that the sky is going to fall. I don't think that the sky is going to fall, or that the policy is going to cause sinister attacks to occur with chilling effects. In fact, I can't see even a single black helicopter. For the record let me state that I do think that this proposal is a generally sensible clarification of the current policy which is fully consistent with other similar current policies concerning information availability and IETF recommended practices and all that sort of thing. Nick
On Mon, Oct 15, 2012 at 11:12:21PM +0100, Nick Hilliard wrote:
On 15/10/2012 20:38, Sascha Luck wrote:
I don't think that the sky is going to fall, or that the policy is going to cause sinister attacks to occur with chilling effects. In fact, I can't see even a single black helicopter.
Well, you're thinking wrong - such (attempted) attacks have already happened against the NCC, including one that is currently pending judicial review. While the NCC may well be able to fend these off, I'm not convinced that all LIRs have the resources or the willingness. rgds, Sascha Luck
2012-10-16 00:42, Sascha Luck skrev:
On Mon, Oct 15, 2012 at 11:12:21PM +0100, Nick Hilliard wrote:
On 15/10/2012 20:38, Sascha Luck wrote:
I don't think that the sky is going to fall, or that the policy is going to cause sinister attacks to occur with chilling effects. In fact, I can't see even a single black helicopter.
Well, you're thinking wrong - such (attempted) attacks have already happened against the NCC, including one that is currently pending judicial review. While the NCC may well be able to fend these off, I'm not convinced that all LIRs have the resources or the willingness.
First. I'm in favor of this proposal if the sponsoring LIR is clearly stated in the resource. Would it be to much to ask if the record in the db would reflect the relationship between sponsering LIR and the object maintainer? It could be as lightweight as "databasehelper-mnt" or something more suitable. Secondly. We have done this for a number of years now, but in a slightly different way. We are transparent with our resources in RIPE. I would say that the sky will not fall down. At least not in Sweden. We get about 0.8% "DMCA take down requests" or similar in proportion to the number of assignment resources in the RIPE database that we have. We just have to politely respond to them and explain the situation. I think the average "take down" requester does not know how things work for the RIR/LIR. I can see a problem in a country where the law is in favor of "take down" requester. At least in Sweden, we see this much like National Land Survey. They have the responsibility for registering property, but not the operational responsibility for what happens there. If this is a problem for the RIPE region at large, I think we have to consider the proposal again. If not, see the first paragraph. /Bengt Gorden
Hi Bengt On 16/10/2012 09:44, Bengt Gördén wrote:
First. I'm in favor of this proposal if the sponsoring LIR is clearly stated in the resource. Would it be to much to ask if the record in the db would reflect the relationship between sponsering LIR and the object maintainer? It could be as lightweight as "databasehelper-mnt" or something more suitable.
Kaveh Ranjbar presented some ideas at the last RIPE meeting which may be relevant to this: https://ripe65.ripe.net/programme/meeting-plan/db-wg/
that the sky will not fall down. At least not in Sweden. We get about 0.8% "DMCA take down requests" or similar in proportion to the number of assignment resources in the RIPE database that we have. We just have to politely respond to them and explain the situation. I think the average "take down" requester does not know how things work for the RIR/LIR. I can see a problem in a country where the law is in favor of "take down" requester. At least in Sweden, we see this much like National Land Survey. They have the responsibility for registering property, but not the operational responsibility for what happens there. If this is a problem for the RIPE region at large, I think we have to consider the proposal again.
To be honest I really don't see how this is substantially different to open registration for any other details. The principals of open registration are very well established and we all agree that it is a good thing. Nick
2012-10-16 12:14, Nick Hilliard skrev:
Hi Bengt
On 16/10/2012 09:44, Bengt Gördén wrote:
First. I'm in favor of this proposal if the sponsoring LIR is clearly stated in the resource. Would it be to much to ask if the record in the db would reflect the relationship between sponsering LIR and the object maintainer? It could be as lightweight as "databasehelper-mnt" or something more suitable. Kaveh Ranjbar presented some ideas at the last RIPE meeting which may be relevant to this:
Thank you. That saved me some time digging through the "have not seen" sessions. I was at the EIX session at that time.
that the sky will not fall down. At least not in Sweden. We get about 0.8% "DMCA take down requests" or similar in proportion to the number of assignment resources in the RIPE database that we have. We just have to politely respond to them and explain the situation. I think the average "take down" requester does not know how things work for the RIR/LIR. I can see a problem in a country where the law is in favor of "take down" requester. At least in Sweden, we see this much like National Land Survey. They have the responsibility for registering property, but not the operational responsibility for what happens there. If this is a problem for the RIPE region at large, I think we have to consider the proposal again. To be honest I really don't see how this is substantially different to open registration for any other details. The principals of open registration are very well established and we all agree that it is a good thing.
Agreed. I'm a firm believer in openness and transparency. This was just a reservation that if the proposal don't get approved I think we need to have another discussion about it. Sorry if that wasn't clear. I need to know the sponsoring LIR for my daily work. /bengt
Hi Bengt, On Tue, Oct 16, 2012 at 12:51:24PM +0200, Bengt G?rd?n wrote:
I need to know the sponsoring LIR for my daily work.
Can you go into more detail on this? I'd be really interested in seeing an actual use-case for this information. As is, I can't think of one as it really only signifies that a LIR, at some stage, handled paperwork for an end-user... Regards, Sascha Luck
2012-10-16 13:25, Sascha Luck skrev:
Hi Bengt,
On Tue, Oct 16, 2012 at 12:51:24PM +0200, Bengt G?rd?n wrote:
I need to know the sponsoring LIR for my daily work.
Can you go into more detail on this? I'd be really interested in seeing an actual use-case for this information. As is, I can't think of one as it really only signifies that a LIR, at some stage, handled paperwork for an end-user...
Mostly others benefits from this because of our policy to be open. We have a few thousand assigned objects so I think our openness today gives us a lot more in return than the reverse. I think it would work for others too. And now the other way around, which happens. A customer (not our) to a sponsoring LIR (unknown) contacts us to say that they need to change something (route, ipv6 domain, what have you). The first question is "what sponsoring LIR do you have". Typical answer is "what?". Next question is "what upstream provider do you have". ISP XYZ. Still not the sponsoring LIR. I have to start explaining to them what it is. Often they still don't know. They have to ask "someone". When they have asked "someone" the best case scenario is that it's actually a LIR and the case is sorted out. Often in a day or two. Worst case scenario is that we bounce mail back and forth a few days up to several weeks with no outcome. If I could have seen the sponsoring LIR from the start it would have been sorted out in hours/day. The sponsoring LIR is also responsible for updating the RIPE db and knows how to do that. So talking to a person that actually knows what their doing is much more efficient than to be a teacher in the "University of Internet" to person X. /bengt
Sascha On 15/10/2012 20:38, Sascha Luck wrote:
a policy proposal in that direction? Or if you feel strongly enough, float a policy proposal to drop rpki?
I would, but since rpki does not exist qua policy, a policy to abolish it would not be effective.
Whilst RPKI does not exist qua policy, neither do a lot of other things (remember the PDP is fairly recent). Furthermore it was explicitly said during the discussions on RPKI that if the community passed a policy abolishing RPKI then the RIPE NCC would abide by this. Nigel
On 15/10/2012 16:27, Sascha Luck wrote:
"The RIPE resource allocation and assignment policy documents require that Internet number resources be registered 'via a public registry documenting address space allocation and assignment' and notes that 'this is necessary to ensure uniqueness and to provide information for Internet troubleshooting at all levels'."
Invalid, the resources are registered with the RIR, not the sponsoring LIR.
'this is necessary to ensure uniqueness and to provide information for Internet troubleshooting at all levels' means that if some information is hiding, then information is not being provided for Internet troubleshooting at all levels. Look, the point of BCP12 is good housekeeping and one of the ways we have on the Internet of implementing good housekeeping is to keep stuff out in the open, not hiding away information in a back room. BCP12 is not a BCP because it contains a whole pile of bad practice, or because that advice is in any way out of date. This is current recommended policy for all Internet object registration.
"This mechanism provides a simple means for End Users to identify with which sponsoring organisation they have a contractual link, in the case this information is unknown to the End User."
Accepted, but the end-user can easily find this information by contacting the RIPE NCC.
Last time I looked, the RIPE NCC service region contained about a billion people, and there were 28000 PI blocks. This doesn't scale. Let's automate it and get a cheaper RIPE NCC which isn't spending money answering stupid questions which can just as easily be answered by a computer.
"This policy simplifies the mechanism for verification and co-ordination between sponsoring organisations when an End User wishes to transfer resources from one sponsoring organisation to another."
Unneccessary, as the actual decision and verification is done by the NCC anyway.
Knowing which organisation you're going to be dealing with in advance will cut down significantly on time and general overhead when dealing with transfers. I.e. you can make prior contact with the remote LIR and have stuff arranged in advance and things will go smoothly. Again: this proposal is about making life easy and better and more consistent with the existing policies which we use. Manual intervention is a pain and inconsistent with this improvement. Nick
Nick,
Last time I looked, the RIPE NCC service region contained about a billion people, and there were 28000 PI blocks. This doesn't scale. Let's automate it and get a cheaper RIPE NCC which isn't spending money answering stupid questions which can just as easily be answered by a computer.
I certainly hope that not all 28k end-users forget who sponsored their PI... Anyway, I accept your argument but the price of setting up the LIR as an easy, automatic target for attacks against the end-user is too high for me and so I still oppose the proposal.
Knowing which organisation you're going to be dealing with in advance will cut down significantly on time and general overhead when dealing with transfers. I.e. you can make prior contact with the remote LIR and have stuff arranged in advance and things will go smoothly.
That's almost another argument against the proposal, as another unintended consequence could be the poisoning of relations between LIRs in such cases... (FWIW, I myself don't care if a PI user moves away, the 50 Euro are really not worth the hassle, in fact if this proposal passes I'm going to recommend the cancellation of all PI contracts. YMMV, though)
Again: this proposal is about making life easy and better and more consistent with the existing policies which we use. Manual intervention is a pain and inconsistent with this improvement.
It will make life easier for a variety of good and evil entities, I can't see what advantage a LIR could have out of it, though. rgds, Sascha
Hi Sasha,
That is exactly why I strongly oppose this proposal. Publishing the sponsoring LIR for a PI assignment creates an appearance of responsibility on the part of the sposoring LIR, for the actions of the PI assignee, *that does not exist*.
That is not completely correct... RIPE-452 contains the requirement that the contract between the end-user and the LIR must contain: - Notice that the LIR is responsible for liaising with the resource holder to keep registration records up-to-date So if there is something wrong with the registration records / RIPE database then there is a responsibility for the LIR. - Sander
Hi Sander, On Mon, Oct 15, 2012 at 11:56:55PM +0200, Sander Steffann wrote:
So if there is something wrong with the registration records / RIPE database then there is a responsibility for the LIR.
OK, but no responsibility for the use of the resources, just the administrative details. rgds, Sascha
participants (6)
-
Bengt Gördén -
Nick Hilliard -
Nigel Titley -
Richard Hartmann -
Sander Steffann -
Sascha Luck