Colleagues, The RIPE NCC staff have put together the draft minutes from RIPE75. I would appreciate if you could take a look and let me know of any errors, issues or required corrections. RIPE 75 Anti-Abuse Working Group Minutes Wednesday, 25 October 2017, 11:00 - 12:30 WG Co-Chair: Brian Nisbet Scribe: Nathalie Trenaman, RIPE NCC Status: Draft A. Administrative Matters Brian Nisbet opened the meeting and welcomed the working group. There was one addition to the agenda: Jan Žorž will do a brief presentation about the BCOP work. The minutes for the RIPE 74 meeting were approved. B. Update B1. Recent list Discussion Brian mentioned that there was nothing much to reference content-wise on the mailing list apart from the usual discussions. The RIPE community Code of Conduct is extended and includes the mailing list. There was positive feedback about this development. C. Policies C1. Policies: 2017-02 (Regular Abuse-C Validation) - Gregory Mounier and Hervé Clemens The presentation is available at: https://ripe75.ripe.net/presentations/119-Policy-change-proposal-RIPE-75-Dub... Jan Žorž, ISOC, said he liked the idea of an auto-responder and wanted to give RIPE NCC the mandate to validate contacts, but he was not sure about the frequency of once-a-year for validation. Jan thinks that over 90% of the contacts are probably correct. Ruediger Volk, Deutsche Telekom, stressed his point that he would like to see a guideline document for abuse-c contact information. Brian Nisbet pointed out that this has been a discussion before and that more input was then requested and not received. Ruediger Volk added that the RIPE NCC already has the mandate to keep the registry accurate and that there is no need for a separate policy to enforce that. A repercussion of closing an LIR from this policy violates the Standard Service Agreement (SSA). Nigel Titley, RIPE NCC Executive Board, stated that if this becomes a policy, it becomes automatically part of the SSA. Piotr Strzyžewski, Silesian University of Technology, Computer Centre, said he missed the financial impact slide in this presentation. Gregory Mounier, Europe, explained that it would be in the impact analysis, produced by the RIPE NCC. Piotr Strzyžewski said that in the General Meeting yesterday, it was discussed that there should not be an increase of more RIPE NCC staff members. He added that he feared robots and automation will be set up by members to deal with the process. Andrew de la Haye, RIPE NCC, explained that there would be an impact analysis published in the next phase of the policy process. If the policy would reach consensus, they would not include the cost factor. The cost factor will be discussed in the General Meeting. Erik Bais, A2B Internet, said that he thought the ARC (Assisted Registry Check) process was the right process for this and that the RIPE NCC had enough issues chasing members for ARCs. He added that he was strongly against the part of this policy proposal that mentions closing members. Andrea Cima, RIPE NCC, commented that the RIPE NCC wouldn’t be able to contact all the members through ARCs on a yearly basis, but they can partially use ARCs to prioritise those members where they think the abuse-c information is incorrect. He added that they do not know the numbers yet, so ARCs may not be enough to fulfil. ARCs can help but it's not the full solution. Peter Hessler, Hostserver GmbH, stated that he is very much against this policy. He said it was a waste of resources in all areas and he is extremely against the closure clause of this policy proposal. Alexander Isavin, Internet Protection Society, said that what is sad about this policy proposal, was that is comes from law enforcement. He added that RIPE is not about helping law enforcement, but to support networks. Brian Nisbet says that they should not forget that law enforcement is part of their community. Gregory Mounier said that by monitoring an email address, law enforcement would not be able to investigate criminals and that this policy proposal is for the good of the community. William Sylvester, Addrex, asked if this policy proposal excluded legacy space holders. Brian replied that it did because they have no ability to impose policy on legacy address space. William said he opposes policies that reclaim any space. Brian added that this raised an interesting point because it's been said a couple of times and this is something for the community to consider, not specifically to this. If people don't support a policy which may lead potentially to the revocation of resources (speaking purely as himself here), it puts the community in a very interesting position in regards to what they may or may not be able to do in the future and the policies which currently exist which can lead to closure of members and revocation of resources. It is a very general comment, that is an interesting thing because it was referenced during the General Meeting last time as well. Gregory commented that he would also like to include the legacy space, but he was told not to. Jordi Palet Martinez, The IPv6 Company, said that he was in favour of this proposal because it improved contact information. He said that a form is not a good idea, because it is a waste of resources. An email should be answered in a certain amount of days. Brian added that version two of this policy proposal would be sent to the mailing list soon. D. Interactions D1. Working Groups - RIPE Database and Implementation of “abuse-c" Brian encouraged everyone to look at the conversations on the Database mailing list and to attend the Database Working Group session if they wanted to discuss this topic. He said he was not going to go into it here because it was a piece of work on the database but it was worth referencing because it's about the abuse‑c. E. Presentation E1. Netflow Based Botnet Detection - Alireza Vaziri The presentation is available at: https://ripe75.ripe.net/presentations/89-Botnet-V3.pdf There were no questions or comments. E2. Pre-Transfer Clean-Up of Abused Prefixes - Erik Bais The presentation is available at: https://ripe75.ripe.net/wp-content/uploads/presentations/45-Prefix-Broker-pr... Brian asked how to make contact with the larger RBLs (Real-Time Blackhole Lists) and how to persuade them to update their information. Erik said they had some experience with them because of GRUMbot, but the people from Shadowserver have very good contacts. Typically is wasn’t that hard to get them to update their information. Gregory Mounier asked if he knew how the bad guys got the IPs, was it hijacking. Erik replied that the IP space was from a Dutch hosting provider that was a member of the RIPE NCC. So it was customers that were in this space that were using it for this type of activity and hiding their command and control servers. X. AOB Jan Žorž presented about a new idea from the BCOP (Best Current Operational Practice) Task Force. It is about IPv6 and mail servers; how to protect them, including DKIM, DMARC etc. Jan asked if there were any volunteers in the WG to help write this document. Jan will send a mail to the mailing list as well. Peter Koch, DENIC, asked about the scope of this best practice document and if there was a guideline for these operational best practices. Jan Žorž replied that Franck Martin from LinkedIn wrote something already, but he wants a BCOP document for a broader audience. Z. Agenda for RIPE 76 Brian closed the meeting and reminded people to submit topics for the RIPE 76 agenda. -- Brian Nisbet Network Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nisbet@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270
Hi, Looking forward to version 2 of policy proposal :) Wanted to thank those that serve on @anti-abuse for their service, dedication and valuable time. I also want to generally thank everyone for everything I learned here in 2017. I wish everyone an amazing 2018 Thank you Andre On Thu, 7 Dec 2017 12:17:25 +0000 Brian Nisbet <brian.nisbet@heanet.ie> wrote:
Colleagues,
The RIPE NCC staff have put together the draft minutes from RIPE75. I would appreciate if you could take a look and let me know of any errors, issues or required corrections.
RIPE 75 Anti-Abuse Working Group Minutes
Wednesday, 25 October 2017, 11:00 - 12:30 WG Co-Chair: Brian Nisbet Scribe: Nathalie Trenaman, RIPE NCC Status: Draft
A. Administrative Matters
Brian Nisbet opened the meeting and welcomed the working group.
There was one addition to the agenda: Jan Žorž will do a brief presentation about the BCOP work. The minutes for the RIPE 74 meeting were approved.
B. Update B1. Recent list Discussion
Brian mentioned that there was nothing much to reference content-wise on the mailing list apart from the usual discussions.
The RIPE community Code of Conduct is extended and includes the mailing list.
There was positive feedback about this development.
C. Policies
C1. Policies: 2017-02 (Regular Abuse-C Validation) - Gregory Mounier and Hervé Clemens
The presentation is available at: https://ripe75.ripe.net/presentations/119-Policy-change-proposal-RIPE-75-Dub...
Jan Žorž, ISOC, said he liked the idea of an auto-responder and wanted to give RIPE NCC the mandate to validate contacts, but he was not sure about the frequency of once-a-year for validation. Jan thinks that over 90% of the contacts are probably correct.
Ruediger Volk, Deutsche Telekom, stressed his point that he would like to see a guideline document for abuse-c contact information.
Brian Nisbet pointed out that this has been a discussion before and that more input was then requested and not received.
Ruediger Volk added that the RIPE NCC already has the mandate to keep the registry accurate and that there is no need for a separate policy to enforce that. A repercussion of closing an LIR from this policy violates the Standard Service Agreement (SSA).
Nigel Titley, RIPE NCC Executive Board, stated that if this becomes a policy, it becomes automatically part of the SSA.
Piotr Strzyžewski, Silesian University of Technology, Computer Centre, said he missed the financial impact slide in this presentation.
Gregory Mounier, Europe, explained that it would be in the impact analysis, produced by the RIPE NCC.
Piotr Strzyžewski said that in the General Meeting yesterday, it was discussed that there should not be an increase of more RIPE NCC staff members. He added that he feared robots and automation will be set up by members to deal with the process.
Andrew de la Haye, RIPE NCC, explained that there would be an impact analysis published in the next phase of the policy process. If the policy would reach consensus, they would not include the cost factor. The cost factor will be discussed in the General Meeting.
Erik Bais, A2B Internet, said that he thought the ARC (Assisted Registry Check) process was the right process for this and that the RIPE NCC had enough issues chasing members for ARCs. He added that he was strongly against the part of this policy proposal that mentions closing members.
Andrea Cima, RIPE NCC, commented that the RIPE NCC wouldn’t be able to contact all the members through ARCs on a yearly basis, but they can partially use ARCs to prioritise those members where they think the abuse-c information is incorrect. He added that they do not know the numbers yet, so ARCs may not be enough to fulfil. ARCs can help but it's not the full solution.
Peter Hessler, Hostserver GmbH, stated that he is very much against this policy. He said it was a waste of resources in all areas and he is extremely against the closure clause of this policy proposal.
Alexander Isavin, Internet Protection Society, said that what is sad about this policy proposal, was that is comes from law enforcement. He added that RIPE is not about helping law enforcement, but to support networks.
Brian Nisbet says that they should not forget that law enforcement is part of their community.
Gregory Mounier said that by monitoring an email address, law enforcement would not be able to investigate criminals and that this policy proposal is for the good of the community.
William Sylvester, Addrex, asked if this policy proposal excluded legacy space holders.
Brian replied that it did because they have no ability to impose policy on legacy address space.
William said he opposes policies that reclaim any space.
Brian added that this raised an interesting point because it's been said a couple of times and this is something for the community to consider, not specifically to this. If people don't support a policy which may lead potentially to the revocation of resources (speaking purely as himself here), it puts the community in a very interesting position in regards to what they may or may not be able to do in the future and the policies which currently exist which can lead to closure of members and revocation of resources. It is a very general comment, that is an interesting thing because it was referenced during the General Meeting last time as well.
Gregory commented that he would also like to include the legacy space, but he was told not to.
Jordi Palet Martinez, The IPv6 Company, said that he was in favour of this proposal because it improved contact information. He said that a form is not a good idea, because it is a waste of resources. An email should be answered in a certain amount of days.
Brian added that version two of this policy proposal would be sent to the mailing list soon.
D. Interactions D1. Working Groups - RIPE Database and Implementation of “abuse-c"
Brian encouraged everyone to look at the conversations on the Database mailing list and to attend the Database Working Group session if they wanted to discuss this topic. He said he was not going to go into it here because it was a piece of work on the database but it was worth referencing because it's about the abuse‑c.
E. Presentation E1. Netflow Based Botnet Detection - Alireza Vaziri The presentation is available at: https://ripe75.ripe.net/presentations/89-Botnet-V3.pdf
There were no questions or comments.
E2. Pre-Transfer Clean-Up of Abused Prefixes - Erik Bais The presentation is available at: https://ripe75.ripe.net/wp-content/uploads/presentations/45-Prefix-Broker-pr...
Brian asked how to make contact with the larger RBLs (Real-Time Blackhole Lists) and how to persuade them to update their information.
Erik said they had some experience with them because of GRUMbot, but the people from Shadowserver have very good contacts. Typically is wasn’t that hard to get them to update their information. Gregory Mounier asked if he knew how the bad guys got the IPs, was it hijacking.
Erik replied that the IP space was from a Dutch hosting provider that was a member of the RIPE NCC. So it was customers that were in this space that were using it for this type of activity and hiding their command and control servers.
X. AOB
Jan Žorž presented about a new idea from the BCOP (Best Current Operational Practice) Task Force. It is about IPv6 and mail servers; how to protect them, including DKIM, DMARC etc.
Jan asked if there were any volunteers in the WG to help write this document. Jan will send a mail to the mailing list as well.
Peter Koch, DENIC, asked about the scope of this best practice document and if there was a guideline for these operational best practices.
Jan Žorž replied that Franck Martin from LinkedIn wrote something already, but he wants a BCOP document for a broader audience.
Z. Agenda for RIPE 76
Brian closed the meeting and reminded people to submit topics for the RIPE 76 agenda.
participants (2)
-
Brian Nisbet
-
ox