Please excuse me for this rather naive question, but I really don't know the answer. (And in the present context, I would very much like to know.) Do the contracts that various entities, including but not limited to LiRs, sign with RIPE, in exchange for being issued RIPE number reources, include any sort of a stipulation or condition that the parties agree not to deliberately and with malice aforethought announce routes either (a) using AS numbers which have not been issued to them by one of the five Regional Internet Registries and/or (b) covering IP address space that has not been formally issued to them, or to any of their legitimate customers by one of the five Regional Internet Registries? I guess that another way of expressing this question would be: Do RIPE contracts allow anyone to announce whatever the hell they want, willy nilly, and with no concern whatsoever for the formal allocation process? I wouldn't ask, but it appears that certain RIPE members do not feel particularly constrained to avoid announcing routes to IP address space that they are clearly and deliberately stealing from other parties. Is this the accepted norm in the RIPE region? Is such behavior it contractually permissible, within the RIPE region?
On Tue, Jun 26, 2018 at 12:18:59AM -0700, Ronald F. Guilmette <rfg@tristatelogic.com> wrote a message of 28 lines which said:
Is this the accepted norm in the RIPE region?
This is certainly frowned upon. Now, is it forbidden explicitely by a legal text? I don't know (and didn't check) but the hijackers of resources in RIPEland are not always RIPE members and do not always have RIPE resources. Bonus: take into account not only "public" hijackings, such as BGP announces, but also "internal" ones such as the turkish governement hijacking 8.8.8.0/24 to substitute a lying DNS resolver to Google Public DNS. Interesting case for a lawyer :-}
Is such behavior it contractually permissible, within the RIPE region?
The NCC's contracts do not forbid individuals/organizations from hijacking prefixes that do not belong to them*. That isn't their job. The NCC is tasked with guaranteeing uniqueness. They are not tasked with enforcing implementation constraints on others, especially not on a legal basis. Doing so would be far too costly and would likely increase the amount of hijacking we see (can't enforce a contract with someone who hasn't signed it). This isn't unique. The ARIN RSA holds no such stipulations. While I've never seen their agreements, I'd be willing to bet the other regions are similar. Is this the accepted norm in the RIPE region?
It isn't the norm, nor is it considered acceptable. From the few times I've had to deal with hijacking, large ISPs are generally very willing to cooperate when prefix holders contact them. Ultimately, the solution is likely proper enforcement of RPKI and/or "trusted" route objects (those signed by a RIR with an authoritative database over the prefix who will not accept prefixes without authorization), not contractual enforcement by the RIRs. *A given LIR might include such a clause, though I've never seen it done. On Tue, Jun 26, 2018 at 12:18 AM, Ronald F. Guilmette <rfg@tristatelogic.com
wrote:
Please excuse me for this rather naive question, but I really don't know the answer. (And in the present context, I would very much like to know.)
Do the contracts that various entities, including but not limited to LiRs, sign with RIPE, in exchange for being issued RIPE number reources, include any sort of a stipulation or condition that the parties agree not to deliberately and with malice aforethought announce routes either (a) using AS numbers which have not been issued to them by one of the five Regional Internet Registries and/or (b) covering IP address space that has not been formally issued to them, or to any of their legitimate customers by one of the five Regional Internet Registries?
I guess that another way of expressing this question would be: Do RIPE contracts allow anyone to announce whatever the hell they want, willy nilly, and with no concern whatsoever for the formal allocation process?
I wouldn't ask, but it appears that certain RIPE members do not feel particularly constrained to avoid announcing routes to IP address space that they are clearly and deliberately stealing from other parties.
Is this the accepted norm in the RIPE region? Is such behavior it contractually permissible, within the RIPE region?
In message <CAFV686c9UFoCipkZGnm49zyf0wR07QyFFVpnHUDhwX37WCLfSw@mail.gmail.com> Jacob Slater <jacob@rezero.org> wrote:
The NCC's contracts do not forbid individuals/organizations from hijacking prefixes that do not belong to them*. That isn't their job. The NCC is tasked with guaranteeing uniqueness. They are not tasked with enforcing implementation constraints on others, especially not on a legal basis.
We are, I think, talking at cross purposes. My question did not entail or involve any kind of "enforcement". When it comes to issues of routing, e.g. the gibberish currently coming out of AS3266, I think that it is already well and widely understood that the the one and only "enforcement" mechanism that exists is what might simply be called "peer pressure". Contractual terms are not always enforced. If a contractual term existed today in any of the contracts that RIPE does (or has) entered into with any of its members, stipulating that the member shall not do X, and if any of those counterparties went ahead and did X anyway, it would quite obviously be up to RIPE's discression as to whether or not to enforce the relevant contractual term. And if the specific counterparty require- ment in question were along the lines of "Thou shalt not hijack other people's IP space" then I, for one, would certainly have -zero- expectation that RIPE would ever actually enforce such a provision... and it would certainly be RIPE's contractual right to never actually do so, if that was its preference... which it clearly is and would be. In short, I don't think that it takes all that much in the way of mental gymnastics to tease apart the intent and spirit of a contractual term and its enforcement. These are clearly two separate things. I suggest here what I hope will be a not very controversial notion, i.e. that an entity whose job it is to assign bits of IP space to various entities, in an orderly and disiplined fashion, might have an interest in fostering a clear and common understanding that various parties should make use of the space assigned to them, and not that which has been assigned to others. There are certainly innumerable ways in which this sort of common community understanding could be fostered, either more or less effectively. For example, purchasing a TV advertising slot in the middle of the SuperBowl would probably be a less than cost effective way of getting this message across, perticularly given that something well short of 100% of all RIPE members would be likely to see that. In contrast, I think that it is a reasonable assumption to say that very nearly 100% of all RIPE members do at least glance over the contracts they sign with RIPE before they sign them.
When it comes to issues of routing, e.g. the gibberish currently coming out of AS3266, I think that it is already well and widely understood that the the one and only "enforcement" mechanism that exists is what might simply be called "peer pressure".
Apologies for misinterpreting your original point. In short, I don't think that it takes all that much in the way of mental
gymnastics to tease apart the intent and spirit of a contractual term and its enforcement. These are clearly two separate things.
In contrast, I think that it is a reasonable assumption to say that
very nearly 100% of all RIPE members do at least glance over the contracts they sign with RIPE before they sign them.
Are you suggesting that the NCC should include a statement in the LIR account agreement (discouraging hijacking) that they will subsequently not intend to enforce (in most if not all cases)? While the threat of legal action might scare some off, I don't feel like it will convince the majority of hijackers to cease, less so if it is known that the NCC is unlikely to enforce it.
In message <CAFV686fiERyCQru9=bXp4+eATOsf9AF9jgEwnX+fhRbU1nfT3A@mail.gmail.com>, Jacob Slater <jacob@rezero.org> wrote:
Are you suggesting that the NCC should include a statement in the LIR account agreement (discouraging hijacking) that they will subsequently not intend to enforce (in most if not all cases)?
I am.
While the threat of legal action might scare some off, I don't feel like it will convince the majority of hijackers to cease, less so if it is known that the NCC is unlikely to enforce it.
As I noted, "enforcement" of rules, unspoken or otherwise, with respect to routing, is rather entirely a matter of peer pressure, and this is affected, I think, by personal reputation. I suspect that some entities would be marginally more reluctant to peer with certain bad actors if a clear cut case could be made that those specific bad actors have a habit and history of flaunting and/or ignoring explicit contractual commitments, even if those commitments are never enforced by the other party/parties to the relevant contract(s). (One might call this "The Trump Effect". Is has been reported in multiple places that Mr. Trump was in the habit of both breaking contracts and then also suing his contractual counterparts. After this pattern of behavior became widely know, Mr. trump allegedly found it rather more difficult to obtain new bank loans.)
I suspect that some entities would be marginally more reluctant to peer with certain bad actors if a clear cut case could be made that those specific bad actors have a habit and history of flaunting and/or ignoring explicit contractual commitments, even if those commitments are never enforced by the other party/parties to the relevant contract(s).
Most companies will not care about an alleged contract violation that was ultimately non detrimental to either party, especially when there were no consequences that were enacted by or befell upon either party.
I believe that there is one more way that concerns the confidences of numbers. Personally, I use https://ukareacodes.org/ If you consider it as an alternative method, then it is a completely acceptable solution. Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum
participants (4)
-
Jacob Slater -
Ronald F. Guilmette -
Stephane Bortzmeyer -
Walter Marshall