https://torrentfreak.com/bein-says-issues-at-ripe-ncc-help-piracy-as-a-servi... https://torrentfreak.com/images/USTR-2025-0018-0029-beIN_Miramax_2025-Notori... We had a nice presentation from beIN (rightsholder) at the Lisbon RIPE meeting, unfortunately it seems they are not very happy with the KYC procedure that RIPE NCC applies to their customers (I believe they mean the subsequent KYC for letting/renting (sub)resources). (from the article) “Poor governance and a non-existent know your customer” In the case of off-shore/bulletproof providers, beIN says that identifying the owner of an ASN using information held by RIPE NCC can prove impossible. “RIPE NCC requests its members or those who use RIPE NCC resources to provide accurate contact information. Some rogue providers abuse this system by posting false or incomplete information. This prevents rights owners and authorities from reaching them or successfully sending takedown notices,” beIN explains. Inaccurate information can include fake or unmonitored email addresses, false business addresses or shared locations with many tenants. This ultimately makes it impossible for beIN to identify the owners of off-shore hosting companies. If it’s unable to do that, targeting the operators of the PaaS platforms becomes impossible too. “In other words, the very concept of an offshore or bulletproof hosting provider seeks to rely on the ease by which this registration system can be misused through the provision of false or incomplete information,” the company adds. If RIPE NCC gets added to the Notorious Markets list, their Public Affairs and Regulatory team will be busy and as RIPE NCC is a Dutch and European association pressure from those directions cannot be ruled out (then change will happen whether or not the members agree (even as membership organisation the RIPE policies must be inline with the law)). The above statement of beIN does signal a important issue that not only facilitates copyright infringement but a larger enablement of criminal internet infrastructure, that can and is used for support for various nefarious activities. Renting ASN, IP blocks and not chancing to registration to the correct user makes it difficult to find the bad apples. Now the RIPE members can change the policies that deal with this themselves (I would guess this should be started in Bucarest) otherwise the likelyhood of RIPE NCC receiving a 'gatekeeper' assignment (as banks have in the financial industry) and the need for extra (expensive !) lawyers by the NCC will increase the membership contribution. (In NL Dutch banks have approx. 25% of their employees commited to this gatekeeper role) Cheers, Alex -- IDGARA | Alex de Joode | alex@idgara.nl | +31651108221
Alex This kind of issue is something that was 100% inevitable. The IP lobby is strong and well organised. And industry is mostly not. I’d be interested in hearing how RIPE NCC views the assertions in the submission While I don’t agree with the broad sweeping statements that were made in their submission to the US government I do think that RIPE could probably do a better job of explaining what they are doing to mitigate the actions of bad actors. You suggest that the RIPE community needs to review policies, so I’d ask which ones exactly? I also agree that ignoring this is not the answer. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072<tel:+353599183072> Direct Dial: +353 (0)59 9183090<tel:+353599183090> Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 I have sent this email at a time that is convenient for me. I do not expect you to respond to it outside of your usual working hours. From: Alex de Joode <alex@idgara.nl> Date: Monday, 6 October 2025 at 08:10 To: ripe-list@ripe.net <ripe-list@ripe.net> Subject: [ripe-list] beIN && RIPE NCC && Notorious Markets [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. https://torrentfreak.com/bein-says-issues-at-ripe-ncc-help-piracy-as-a-servi... https://torrentfreak.com/images/USTR-2025-0018-0029-beIN_Miramax_2025-Notori... We had a nice presentation from beIN (rightsholder) at the Lisbon RIPE meeting, unfortunately it seems they are not very happy with the KYC procedure that RIPE NCC applies to their customers (I believe they mean the subsequent KYC for letting/renting (sub)resources). (from the article) “Poor governance and a non-existent know your customer” In the case of off-shore/bulletproof providers, beIN says that identifying the owner of an ASN using information held by RIPE NCC can prove impossible. “RIPE NCC requests its members or those who use RIPE NCC resources to provide accurate contact information. Some rogue providers abuse this system by posting false or incomplete information. This prevents rights owners and authorities from reaching them or successfully sending takedown notices,” beIN explains. Inaccurate information can include fake or unmonitored email addresses, false business addresses or shared locations with many tenants. This ultimately makes it impossible for beIN to identify the owners of off-shore hosting companies. If it’s unable to do that, targeting the operators of the PaaS platforms becomes impossible too. “In other words, the very concept of an offshore or bulletproof hosting provider seeks to rely on the ease by which this registration system can be misused through the provision of false or incomplete information,” the company adds. If RIPE NCC gets added to the Notorious Markets list, their Public Affairs and Regulatory team will be busy and as RIPE NCC is a Dutch and European association pressure from those directions cannot be ruled out (then change will happen whether or not the members agree (even as membership organisation the RIPE policies must be inline with the law)). The above statement of beIN does signal a important issue that not only facilitates copyright infringement but a larger enablement of criminal internet infrastructure, that can and is used for support for various nefarious activities. Renting ASN, IP blocks and not chancing to registration to the correct user makes it difficult to find the bad apples. Now the RIPE members can change the policies that deal with this themselves (I would guess this should be started in Bucarest) otherwise the likelyhood of RIPE NCC receiving a 'gatekeeper' assignment (as banks have in the financial industry) and the need for extra (expensive !) lawyers by the NCC will increase the membership contribution. (In NL Dutch banks have approx. 25% of their employees commited to this gatekeeper role) Cheers, Alex -- IDGARA | Alex de Joode | alex@idgara.nl | +31651108221
Irrespective of any view regarding rights holders, the lack of effective KYC procedures is also a problem in combating both malicious and illegal content. For example, you may be surprised that the Internet Watch Foundation finds a large percentage of illegal CSAM images hosted within Europe (here<https://www.iwf.org.uk/annual-data-insights-report-2024/data-and-insights/geographical-hosting-domains/>) – for transparency, I’m an IWF trustee. I am not a lawyer but I understand that KYC is a requirement under the EU’s NIS2 Directive. In my view, extending effective KYC processes across the ecosystem will add friction, making the life of malicious actors more difficult. Andrew From: Alex de Joode <alex@idgara.nl> Sent: 04 October 2025 16:36 To: ripe-list@ripe.net Subject: [ripe-list] beIN && RIPE NCC && Notorious Markets https://torrentfreak.com/bein-says-issues-at-ripe-ncc-help-piracy-as-a-servi... https://torrentfreak.com/images/USTR-2025-0018-0029-beIN_Miramax_2025-Notori... We had a nice presentation from beIN (rightsholder) at the Lisbon RIPE meeting, unfortunately it seems they are not very happy with the KYC procedure that RIPE NCC applies to their customers (I believe they mean the subsequent KYC for letting/renting (sub)resources). (from the article) “Poor governance and a non-existent know your customer” In the case of off-shore/bulletproof providers, beIN says that identifying the owner of an ASN using information held by RIPE NCC can prove impossible. “RIPE NCC requests its members or those who use RIPE NCC resources to provide accurate contact information. Some rogue providers abuse this system by posting false or incomplete information. This prevents rights owners and authorities from reaching them or successfully sending takedown notices,” beIN explains. Inaccurate information can include fake or unmonitored email addresses, false business addresses or shared locations with many tenants. This ultimately makes it impossible for beIN to identify the owners of off-shore hosting companies. If it’s unable to do that, targeting the operators of the PaaS platforms becomes impossible too. “In other words, the very concept of an offshore or bulletproof hosting provider seeks to rely on the ease by which this registration system can be misused through the provision of false or incomplete information,” the company adds. If RIPE NCC gets added to the Notorious Markets list, their Public Affairs and Regulatory team will be busy and as RIPE NCC is a Dutch and European association pressure from those directions cannot be ruled out (then change will happen whether or not the members agree (even as membership organisation the RIPE policies must be inline with the law)). The above statement of beIN does signal a important issue that not only facilitates copyright infringement but a larger enablement of criminal internet infrastructure, that can and is used for support for various nefarious activities. Renting ASN, IP blocks and not chancing to registration to the correct user makes it difficult to find the bad apples. Now the RIPE members can change the policies that deal with this themselves (I would guess this should be started in Bucarest) otherwise the likelyhood of RIPE NCC receiving a 'gatekeeper' assignment (as banks have in the financial industry) and the need for extra (expensive !) lawyers by the NCC will increase the membership contribution. (In NL Dutch banks have approx. 25% of their employees commited to this gatekeeper role) Cheers, Alex -- IDGARA | Alex de Joode | alex@idgara.nl<mailto:alex@idgara.nl> | +31651108221
I think that one entity's CSAM-hosting bullet-proof provider is another entities ransomware-proof business continuity system. Also thinking about the IETF DIEM WG problem. Andrew Campling <andrew.campling@419.consulting> wrote: > In my view, extending effective KYC processes across the ecosystem will > add friction, making the life of malicious actors more difficult. KYC for ASN and IPv6 address blocks would seem to be a much different situation than FQDNs. Unmonitored email addresses are a scourge across all sorts of operators. Fake ones are a different kettle of fish to me. At one point I heard about a SIP-based project where, with the right configuration on my SIP proxy, I could pick a phone, dial an *ASN*, and get connected to operations for that ISP... That was 15+ years ago, I think. I certainly never got that working, and I've no idea if it was real. What I liked about it is that it provided a sort of secret-decoder ring bypass so that one legitimate operator could reach another one quickly. While I don't know if voice-by-ASN is a good thing, a way to verify emails from one operator (including, the RIR itself) to another operator seems like a good thing. This is where I'd prefer that RIPE go. There are many ways to envision such a thing: from rebooting PGP-web-of-trust key-signing parties at RIR meetings, to having a RIR-operated walled-garden email+IMAP server. (i.e., email as26227@asemail.arin.net, but only via ARIN, RIPE, LACNIC, AFRINIC or APNIC's SMTP submit port. Port-25 is not open) And a dozen intermediate concepts. To using something that isn't SMTP. The carrot is that one can send more reliable reports, and receive reports without dealing with untraceable spam. The stick is that you'd lose your resource if you didn't monitor it. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
On Tue, 07 Oct 2025 10:24:51 -0400 Michael Richardson <mcr+ietf@sandelman.ca> wrote:
At one point I heard about a SIP-based project where, with the right configuration on my SIP proxy, I could pick a phone, dial an *ASN*, and get connected to operations for that ISP... That was 15+ years ago, I think. I certainly never got that working, and I've no idea if it was real.
It was real, I used it a few times, but I had heard of some who used it fairly extensively at the time. <https://en.wikipedia.org/wiki/INOC-DBA> John
Michael Richardson writes: [...]
At one point I heard about a SIP-based project where, with the right configuration on my SIP proxy, I could pick a phone, dial an *ASN*, and get connected to operations for that ISP... That was 15+ years ago, I think. I certainly never got that working, and I've no idea if it was real. What I liked about it is that it provided a sort of secret-decoder ring bypass so that one legitimate operator could reach another one quickly.
It was definitely real, PCH's "INOC-DBA" (Inter-NOC dial-by-ASN) system. We had this running on one of our (Cisco) VoIP phones, but those were phased out, and we lost the feature. Not sure what the general status is these days.
While I don't know if voice-by-ASN is a good thing, a way to verify emails from one operator (including, the RIR itself) to another operator seems like a good thing. This is where I'd prefer that RIPE go. [...] -- Simon.
At one point I heard about a SIP-based project where, with the right configuration on my SIP proxy, I could pick a phone, dial an *ASN*, and get connected to operations for that ISP.
it worked. but the participants were pretty much folk you already had on speed dial anyway. i suspect that this kyc thing is not as simple as one might think at first blush. consider, for example, issues such as getting solid id verification for sponsored lirs. how much bureaucrazy and privacy do we trade for stronger verification? how do we get community consensus in this trade-off space? randy
Andrew Campling wrote on 06/10/2025 15:27:
Irrespective of any view regarding rights holders, the lack of effective KYC procedures is also a problem in combating both malicious and illegal content. For example, you may be surprised that the Internet Watch Foundation finds a large percentage of illegal CSAM images hosted within Europe (here <https://www.iwf.org.uk/annual-data-insights-report-2024/data-and-insights/geographical-hosting-domains/>) – for transparency, I’m an IWF trustee. I am not a lawyer but I understand that KYC is a requirement under the EU’s NIS2 Directive.
In my view, extending effective KYC processes across the ecosystem will add friction, making the life of malicious actors more difficult.
the ripe ncc already implements kyc for its members and direct assignment resource holders. You can't get a PI assignment without validating your identity, and there are comparable processes for businesses who wish to become LIRs. These are hard-enforced. If you don't comply, your application will be rejected. In addition to this, all LIRs are subject to a periodic Assisted Registry Check. The BEIN letter seems to confuse data about RIPE members / direct assignees with general end users of ISPs. The confusion may be happening because the RIPE database is a mixture of several different categories of data. Some of the data is authoritative (i.e. RIPE LIR and Direct Assignments) and some is non-authoritative (i.e. LIR assignments). A good deal of the non authoritative data is of very poor quality, but the authoritative data is all subject to RIPE KYC processes and regularly audited. Mixing these two data sets up does not benefit anyone. It's the job of the ISP to ensure that they have KYC processes with their end users. Nick
Maybe it is finally time to make it *really obvious* even to the most ignorant which RIPE DB objects are authoritative info and which are not? --- Sent from a handheld device.
On 8. Oct 2025, at 19:49, Nick Hilliard <nick@foobar.org> wrote:
Andrew Campling wrote on 06/10/2025 15:27:
Irrespective of any view regarding rights holders, the lack of effective KYC procedures is also a problem in combating both malicious and illegal content. For example, you may be surprised that the Internet Watch Foundation finds a large percentage of illegal CSAM images hosted within Europe (here <https://www.iwf.org.uk/annual-data-insights-report-2024/data-and-insights/geographical-hosting-domains/>) – for transparency, I’m an IWF trustee. I am not a lawyer but I understand that KYC is a requirement under the EU’s NIS2 Directive. In my view, extending effective KYC processes across the ecosystem will add friction, making the life of malicious actors more difficult.
the ripe ncc already implements kyc for its members and direct assignment resource holders. You can't get a PI assignment without validating your identity, and there are comparable processes for businesses who wish to become LIRs. These are hard-enforced. If you don't comply, your application will be rejected.
In addition to this, all LIRs are subject to a periodic Assisted Registry Check.
The BEIN letter seems to confuse data about RIPE members / direct assignees with general end users of ISPs.
The confusion may be happening because the RIPE database is a mixture of several different categories of data. Some of the data is authoritative (i.e. RIPE LIR and Direct Assignments) and some is non-authoritative (i.e. LIR assignments). A good deal of the non authoritative data is of very poor quality, but the authoritative data is all subject to RIPE KYC processes and regularly audited. Mixing these two data sets up does not benefit anyone.
It's the job of the ISP to ensure that they have KYC processes with their end users.
Nick ----- To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/ripe-list.ripe.net/ As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/
Hi, Just pitching in even though I am trying to stay out of the ASN stuff, I have two unanswered tickets about ASNs with no contact information since March 2025, I have personally spoken about them with IPRAs at RIPE90, we are now in October and there is no change, those networks are still very much anonymous. Additionally, I recently noticed a new South Korean out-of-region LIR (*RIPE NCC member*). Their website seems to be a generic template that isn't accessible over HTTPS, even though they're presenting themselves as an ISP. (for the more curious: ORG-NC150-RIPE) These I believe are considered members and/or direct assignees. Perhaps there is still room for improvement with the RIPE NCC KYC. Radu On 10/8/2025 6:51 PM, Nick Hilliard wrote:
the ripe ncc already implements kyc for its members and direct assignment resource holders. You can't get a PI assignment without validating your identity, and there are comparable processes for businesses who wish to become LIRs. These are hard-enforced. If you don't comply, your application will be rejected.
In addition to this, all LIRs are subject to a periodic Assisted Registry Check.
The BEIN letter seems to confuse data about RIPE members / direct assignees with general end users of ISPs.
The confusion may be happening because the RIPE database is a mixture of several different categories of data. Some of the data is authoritative (i.e. RIPE LIR and Direct Assignments) and some is non-authoritative (i.e. LIR assignments). A good deal of the non authoritative data is of very poor quality, but the authoritative data is all subject to RIPE KYC processes and regularly audited. Mixing these two data sets up does not benefit anyone.
It's the job of the ISP to ensure that they have KYC processes with their end users.
Nick
participants (10)
-
Alex de Joode -
Andrew Campling -
Daniel Karrenberg -
John Kristoff -
Michael Richardson -
Michele Neylon - Blacknight -
Nick Hilliard -
Radu Anghel -
Randy Bush -
Simon Leinen