Re: [ncc-services-wg] 2012-08 New Policy Proposal (Publication of Sponsoring LIR for Independent Number Resources)

< peanut gallery > this one seems a no brainer to me. it's just part of proper and open documentation of registration and allocation, the ncc's primary job. as far as the lir not wanting to be known to have sponsored a pi site, if the lir is ashamed of doing something, maybe they should not have done it. i just don't get this stuff. correct and open documentation is the ncc's primary job. randy

On 17.10.2012 21:11, Randy Bush wrote:
< peanut gallery >
this one seems a no brainer to me. it's just part of proper and open documentation of registration and allocation, the ncc's primary job.
as far as the lir not wanting to be known to have sponsored a pi site, if the lir is ashamed of doing something, maybe they should not have done it.
That sounds reasonable, +1 from me.. best regards Michael

On Wed, Oct 17, 2012 at 09:11:13AM -1000, Randy Bush wrote:
as far as the lir not wanting to be known to have sponsored a pi site, if the lir is ashamed of doing something, maybe they should not have done it. i just don't get this stuff.
Which neatly, if unintentionally, proves my point about chilling effects on PI sponsoring. rgds, Sascha Luck

as far as the lir not wanting to be known to have sponsored a pi site, if the lir is ashamed of doing something, maybe they should not have done it. i just don't get this stuff.
Which neatly, if unintentionally, proves my point about chilling effects on PI sponsoring.
and you think you can reconcile secret sponsoring with the principal goal of accuracy and open visibility of registry data? randy

On Wed, Oct 17, 2012 at 10:19:42AM -1000, Randy Bush wrote:
and you think you can reconcile secret sponsoring with the principal goal of accuracy and open visibility of registry data?
I don't consider absolute "openness" the principal goal. It may have been in 1992, when all participants were friendly academics and techies, unfortunately this is 2012 where every asshole with a grudge can use various websites to find out each and every business relationship a LIR has on a public, uncontrolled database. LIRs are pretty unique in having to, perforce, make publically available nearly all info about their business. There are other privacy issues with the database, however, these are off-topic in this context. rgds, Sascha Luck

and you think you can reconcile secret sponsoring with the principal goal of accuracy and open visibility of registry data?
I don't consider absolute "openness" the principal goal.
this will simplify things greatly. if we can not see the data, then there is also no need for it to be accurate. membership costs can be greatly reduced. marvelous! </sarcasm> randy

On 17.10.2012 22:44, Sascha Luck wrote:
On Wed, Oct 17, 2012 at 10:19:42AM -1000, Randy Bush wrote:
and you think you can reconcile secret sponsoring with the principal goal of accuracy and open visibility of registry data?
I don't consider absolute "openness" the principal goal.
Sorry to disagree, as a LIR I do. When you do legal business here, I shouldn't be afraid of someone to be able to find out which customers I have.. there are other ways anyway.. If some LIR has sponsored X PI, he should be noted and be able to get contacted IMHO.
It may have been in 1992, when all participants were friendly academics and techies, unfortunately this is 2012 where every asshole with a grudge can use various websites to find out each and every business relationship a LIR has on a public, uncontrolled database. LIRs are pretty unique in having to, perforce, make publically available nearly all info about their business. There are other privacy issues with the database, however, these are off-topic in this context.
For a working Internet I'd appreciate a definite, clear, confirmed, current contact for resources in case of abuse etc.. I know some PI-owners (and that's why I fully agree with Randy's position and refused to sponsor some of them over all of the years!) that have 10yrs outdated contacts in the database, no response on abuse for weeks - and no chance for the remaining 99,9% of the honest and simply acting trustworthy people (LIRs) out there to contact them. That's the point where I want to know, whom to contact "upstream" to clarify this.. Someone should be able to get contacted (not responsible!).. Just a suggestion: If it's only about privacy, a tradeoff could be: only visible for LIRs in lirportal (?) best regards Michael

On Wed, Oct 17, 2012 at 10:53:02PM +0200, Michael Markstaller wrote:
For a working Internet I'd appreciate a definite, clear, confirmed, current contact for resources in case of abuse etc..
For the n-th time now in this thread: The LIR IS NOT RESPONSIBLE for abuse from a sponsored PI range. Same as the NCC IS NOT RESPONSIBLE for abuse from a PA range. As long as people will attempt to MAKE the LIRs responsible for their sponsored PI, I will oppose any such policy. Harassing a LIR for perceived abuse from a PI range wastes your time and pisses off the LIR.
I know some PI-owners (and that's why I fully agree with Randy's position and refused to sponsor some of them over all of the years!) that have 10yrs outdated contacts in the database, no response on abuse for weeks - and no chance for the remaining 99,9% of the honest and simply acting trustworthy people (LIRs) out there to contact them.
That, the sponsoring LIR *IS* responsible for since 2007-01, so any non-contactable PI holders should be shut down when the next payday comes around at the latest. Also the NCC can shut down LIRs for incorrect information, I assume that to include PI information.
That's the point where I want to know, whom to contact "upstream" to clarify this.. Someone should be able to get contacted (not responsible!)..
A sponsoring LIR *may* be the upstream, in which case the ASPATH should show it. Many LIRs do not route their sponsored PI resources.
Just a suggestion: If it's only about privacy, a tradeoff could be: only visible for LIRs in lirportal (?)
That may be acceptable, at least more so than making it uncontrolledly public. rgds, Sascha Luck

For a working Internet I'd appreciate a definite, clear, confirmed, current contact for resources in case of abuse etc..
For the n-th time now in this thread: The LIR IS NOT RESPONSIBLE for abuse from a sponsored PI range. Same as the NCC IS NOT RESPONSIBLE for abuse from a PA range.
why do you not try reading michael's message again? the LIR and the NCC may not be responsible for the abuse. but they are responsible for accurate and open publication of the information about who is responsible for the PI range. randy

On Wed, Oct 17, 2012 at 11:12:43AM -1000, Randy Bush wrote:
the LIR and the NCC may not be responsible for the abuse. but they are responsible for accurate and open publication of the information about who is responsible for the PI range.
Yes. If some LIR does not do that, contact the NCC. That is its function, it knows who sponsors the PI, and it has the powers to "convince" a LIR to keep its information current. Spam from self-appointed internet cops I can, as a LIR-contact, do without. rgds, Sascha Luck

On 17.10.2012 23:31, Sascha Luck wrote:
On Wed, Oct 17, 2012 at 11:12:43AM -1000, Randy Bush wrote:
the LIR and the NCC may not be responsible for the abuse. but they are responsible for accurate and open publication of the information about who is responsible for the PI range.
Yes. If some LIR does not do that, contact the NCC. That is its function, it knows who sponsors the PI, and it has the powers to "convince" a LIR to keep its information current. Spam from self-appointed internet cops I can, as a LIR-contact, do without.
rgds, Sascha Luck
What I don't understand now: where is the need for the PI-owner to stay more or less anonymous and the NCC over three edges to follow up on that.. Just to keep a LIR's customers secret can't be the main argument - or again - is unfair - as if I remember policies right, as LIR with PA I have to tell in DB my customer.. Michael

On Wed, Oct 17, 2012 at 11:34:52PM +0200, Michael Markstaller wrote:
What I don't understand now: where is the need for the PI-owner to stay more or less anonymous and the NCC over three edges to follow up on that..
Nonono, the PI "owner" is never anonymous, they must be registered in the db, there has to be a contract and the NCC makes sure the user exists (the LIR can't even do that themselves!)
Just to keep a LIR's customers secret can't be the main argument - or again - is unfair - as if I remember policies right, as LIR with PA I have to tell in DB my customer..
Well, IMO that deserves some review as well from a privacy POV but is not part of this proposal. However, PA space is different as that is "owned" by the LIR and merely assigned to the end-user. That makes the LIR responsible for the actions of the assignee (via AUP etc). rgds, Sascha

Nonono, the PI "owner" is never anonymous, they must be registered in the db, there has to be a contract and the NCC makes sure the user exists (the LIR can't even do that themselves!)
they have no contract or direct contact with the ncc. and the lir is out of the loop as the pi owner has pied long ago. we have allowed a very ambiguous mess. instead of making things even more complex, how can we simplify it? randy

On 17.10.2012 23:16, Sascha Luck wrote:
On Wed, Oct 17, 2012 at 10:53:02PM +0200, Michael Markstaller wrote:
For a working Internet I'd appreciate a definite, clear, confirmed, current contact for resources in case of abuse etc..
For the n-th time now in this thread: The LIR IS NOT RESPONSIBLE for abuse from a sponsored PI range. Same as the NCC IS NOT RESPONSIBLE for abuse from a PA range.
As long as people will attempt to MAKE the LIRs responsible for their sponsored PI, I will oppose any such policy. Harassing a LIR for perceived abuse from a PI range wastes your time and pisses off the LIR.
Who is it then? Sorry, that's a little unfair.. We as LIR and me as CTO have to be responsible for our resources. Let's say it a little drastic: If someone asks me for a /24 to spam the world, I'd tell him I won't do this as I'm responsible what happens there. Point. But would it be ok to tell: "Well, hmm, get a PI don't tell anybody it's from me and push out your shit over another provider so they just don't call up me?" Don't think so..
That, the sponsoring LIR *IS* responsible for since 2007-01, so any non-contactable PI holders should be shut down when the next payday comes around at the latest. Also the NCC can shut down LIRs for incorrect information, I assume that to include PI information.
I don't see this to happen but I may be wrong..
That's the point where I want to know, whom to contact "upstream" to clarify this.. Someone should be able to get contacted (not responsible!)..
A sponsoring LIR *may* be the upstream, in which case the ASPATH should show it. Many LIRs do not route their sponsored PI resources.
That's clear but there IMHO must be some path to get hold of the user - either via sponsoring LIR or via upstream (which might be more complicated but also a way..)
Just a suggestion: If it's only about privacy, a tradeoff could be: only visible for LIRs in lirportal (?)
That may be acceptable, at least more so than making it uncontrolledly public.
I could live with that, as long as abuse-mails don't end up in a fictitious, never existing mailbox ;) Michael

On Wed, Oct 17, 2012 at 11:20:53PM +0200, Michael Markstaller wrote:
Who is it then?
Sorry, that's a little unfair.. We as LIR and me as CTO have to be responsible for our resources. Let's say it a little drastic: If someone asks me for a /24 to spam the world, I'd tell him I won't do this as I'm responsible what happens there. Point.
They are not *your* resources, they are Provider-Independent. You can, of course, write in your PI contract what you want, but not all of us want to play internet police for some PI space we may not even route.
But would it be ok to tell: "Well, hmm, get a PI don't tell anybody it's from me and push out your shit over another provider so they just don't call up me?" Don't think so..
Yes, in the case of a politically controversial website or something like that (think mohammed videos or such) this may be the *only* way for someone to get PI and I'd like to keep it like that.
That, the sponsoring LIR *IS* responsible for since 2007-01, so any non-contactable PI holders should be shut down when the next payday comes around at the latest. Also the NCC can shut down LIRs for incorrect information, I assume that to include PI information.
I don't see this to happen but I may be wrong..
The shutdown clause is in the Service Agreement (albeit as a last resort if a LIR is uncooperative in the case of incorrect data) rgds, Sascha Luck

On 17.10.2012 23:53, Sascha Luck wrote:
On Wed, Oct 17, 2012 at 11:20:53PM +0200, Michael Markstaller wrote:
Who is it then?
Sorry, that's a little unfair.. We as LIR and me as CTO have to be responsible for our resources. Let's say it a little drastic: If someone asks me for a /24 to spam the world, I'd tell him I won't do this as I'm responsible what happens there. Point.
They are not *your* resources, they are Provider-Independent. You can, of course, write in your PI contract what you want, but not all of us want to play internet police for some PI space we may not even route.
Hey, I didn't say that. The resources are lent and I don't want to play police (which is wrong, if then I'd want to be a dictator ;)) I think we mean the same, I'm pro an open, legal system. But honestly, look at the PI-assignments: percentage with reachable eMails? Is it more than 10%?
But would it be ok to tell: "Well, hmm, get a PI don't tell anybody it's from me and push out your shit over another provider so they just don't call up me?" Don't think so..
Yes, in the case of a politically controversial website or something like that (think mohammed videos or such) this may be the *only* way for someone to get PI and I'd like to keep it like that.
I understand your point (see the discussion on the weird uani request), my answer as LIR is: I'm not responsible or accountable for resources but - IMHO when I lend them from RIPE to someone, still somewhat in charge - and therefore I have to take care of, otherwise I could stay consumer and take PA, isn't it ? So again the question: why should PI be more or less more anonymous while we as LIR have to be transparent and tell ? So very tightened said: Why should have the PI-owners have better rights than me as a LIR? Said another way: I want their data, I want to know where, who etc.. This is not about collecting data (which I refuse), it's about knowing what I need in case.. regards Michael

On Wed, Oct 17, 2012 at 11:20:53PM +0200, Michael Markstaller wrote:
That's clear but there IMHO must be some path to get hold of the user - either via sponsoring LIR or via upstream (which might be more complicated but also a way..)
I'm not actually concerned about your use-case of an uncontactable PI end-user, that is entirely legit. What worries me more is every internet muppet and their brother now being able to harass and threaten a LIR for any perceived wrong by a sponsored end-user (when the LIR could actually not even do anything about it).
Just a suggestion: If it's only about privacy, a tradeoff could be: only visible for LIRs in lirportal (?)
This would at least mitigate against kooks and randomers. Most LIRs should know about the PI-sponsoring relationship. rgds, Sascha

On 18.10.2012 00:10, Sascha Luck wrote:
I'm not actually concerned about your use-case of an uncontactable PI end-user, that is entirely legit. What worries me more is every internet muppet and their brother now being able to harass and threaten a LIR for any perceived wrong by a sponsored end-user (when the LIR could actually not even do anything about it).
So it makes more sense to speak about "the end of PI" - either LIR+AS or there is just no PI ? I'm with you on this hard fight ;) regards Michael

What worries me more is every internet muppet and their brother now being able to harass and threaten a LIR for any perceived wrong by a sponsored end-user (when the LIR could actually not even do anything about it).
like this is gonna be any noticeable increase in hell desk load?

On 17 Oct 2012, at 20:11, Randy Bush wrote:
this one seems a no brainer to me. it's just part of proper and open documentation of registration and allocation, the ncc's primary job.
as far as the lir not wanting to be known to have sponsored a pi site, if the lir is ashamed of doing something, maybe they should not have done it. i just don't get this stuff.
correct and open documentation is the ncc's primary job.
Although I've let the closing date of the Discussion Phase slip by, I hope it's not too late to say that this seems a no-brainer to me too, that I agree with Randy's remark about the NCC's "primary job", and that I hope the proposer will decide to advance this proposal to the Review Phase. /Niall

* Niall O'Reilly
On 17 Oct 2012, at 20:11, Randy Bush wrote:
this one seems a no brainer to me. it's just part of proper and open documentation of registration and allocation, the ncc's primary job.
as far as the lir not wanting to be known to have sponsored a pi site, if the lir is ashamed of doing something, maybe they should not have done it. i just don't get this stuff.
correct and open documentation is the ncc's primary job.
Although I've let the closing date of the Discussion Phase slip by, I hope it's not too late to say that this seems a no-brainer to me too, that I agree with Randy's remark about the NCC's "primary job", and that I hope the proposer will decide to advance this proposal to the Review Phase.
What Randy and Niall said. Support. -- Tore Anderson

On 17 Oct 2012, at 20:11, Randy Bush wrote:
this one seems a no brainer to me. it's just part of proper and open documentation of registration and allocation, the ncc's primary job.
as far as the lir not wanting to be known to have sponsored a pi site, if the lir is ashamed of doing something, maybe they should not have done it. i just don't get this stuff.
correct and open documentation is the ncc's primary job.
I'm surprised this hasn't been fixed before, supported. -- Roger Jorgensen | ROJO9-RIPE rogerj@gmail.com | - IPv6 is The Key! http://www.jorgensen.no | roger@jorgensen.no
participants (6): Michael Markstaller, Niall O'Reilly, Randy Bush, Roger Jørgensen, Sascha Luck, Tore Anderson