objection to RIPE policy proposal 2016-01
Dear colleagues, I object to passing the policy as proposed. There is no serious need for the policy, and at this time and under curent circumstance it would actually be harmful. I believe that the supposed good intentions would be better served by other actions, and the policy focussing on enforcement is ill advised. I understand that the current implementation of the RIPE database allows legacy holders to enter abuse-c attributes for their legacy resources if that's currently not possible the required extension of the database should be discussed (in the approprioate wg) and implementation would NOT require the PDP (as more drastic changes have been done to the database - and that extension hardly would contradict existing policy). No PDP is needed to send friendly invitations to legacy holders to populate their data objects with abuse-c information; I'm sure asking the RIPE NCC to do this would not create an undue burden or serious problem. Enhancing the invitations with some additional information potentially helpful to the recipients could be considered too: - some hints/guidance about expected use and support of that mailbox (active members of the abuse handling community probably will NOT be the typical recipient! and no injuries are expected if any community member sees that information:-) - specific suggestions what to put into the abuse-c field (whatever the RIPE NCC might use to extrapolate abuse-c from existing data) The working group should contribute helpful information to be included. I'm quite certain running a second invitation campaign would be even less of a problem and effort for RIPE NCC; I cannot predict how much the information provided in a later campaign can be improved based on feedback and experience from an earlier one. You may argue, that such more friendly approach could have been used also earlier - and I would very much agree and I certainly complained and suggested that at least the forced population of missing abuse-c should be postponed until friendly information was made available. Now we do NOT HAVE TO repeat past errors... Specifically with legacy resource holders it would be a good idea for RIPE community and NCC to address them with an inviting and helpful approach; as there is a sad history of seemingly coercive and unfriendly communications towards legacy holders. REPEATING the error now - even considering the much lower number of relevant records - is however actually MORE SERIOUS in DAMAGING the CREDIBILITY of the working group (and as a consequence the RIPE NCCs position) because of the accumulated history. Repeated requests for information on supposed use und handling of abuse-c has been answered by pointing out that it is required by a policy that was consciously created without any such information. The new policy proposal painfully fits into the sad observation that the anti-abuse working group as a community has constantly put effort into enforcing creation and population of abuse-c data but not (even tried) to provide to the rest of the world helpful explanations on requirements and expected handling at the requested mailboxes. That observations leads to the question whether the community is not able to come up with some helpful explanation or whether it does not care... :-( In both cases asking for enforcement does seem neither appropriate nor acceptable and means that the request cannot be taken serious - bad for the perception of RIPE and RIPE NCC activety by parties that are not heavily involved in the community processes. Consider the typical person confronted with a request to define abuse-c: how deeply is he involved with the anti-abuse working group (where a common understanding might exist - I consider myself only occassional observer and not a member and don't know)? Trying to close more quickly and on a more constructive perspective let me skip to elaborate here on my judgement: at close inspection the rationale and arguments look quite broken. The policy content does actually not matter that much - look for a sketch of a potential harmless implementation approach above in this message. What matters is appropriate use of the PDP (it can be abused!!!) and what are good goals of the working group and good ways of achieving them. The assumed good goals (as I understand it) are (a) improving quality of abuse-c information in order to (b) improve abuse reporting and report handling processes and (c) extending the abuse-c coverage for Internet number resources in the RIPE NCC registry The policy proposal references (a) and (b) quite explicitly; I took the liberty to interpolate (b) which actually seems to be the primary goal, and it looks like the working group decided that this will be helped by means of creating distinctly identified mailbox information to be put into abuse-c. The criterium for gauging (a) seems to be whether "improved data" actually helps "improve processing" (b) - what else? Creating abuse-c entries of better/good quality obviously depends on the recipient being appropriate and informed about expected potential messages and preparing to deal with them. Forcing creation of abuse-c in any other way is not going to create better quality but actually looses information (you loose track of which entries have the "quality of informed and [potentially] prepared recipient"). We have to assume that Internet number resource holders requested to establish abuse-c - usually are NOT focussed an abuse handling (different core business:-) - in many cases are not members of the anti-abuse working (and unlikely to have insight into undocumented potential consensus views of the working group or the larger abuse-c activist community) - in general willing to cooperate (we really should care for those and help them! ... yes, there are others - from "don't care" to "evil") For making a reasoned decision about the recipient for abuse-c and preparing for handling messages one obviously needs some understanding/explanation of what is expected. If no such helpful information is offered at the time of requesting abuse-c setup, many well intentioned parties will *something* (not really good "quality") to fill required fields and little motivation to followup will remain. If they care to ask for helpful information and the answer stays "this is required by policy, and it consciously declines to explain", they are likely to conclude that they have to submit to RIPE policies and the policy makers+process that cannot be taken serious... I note that for goal (b) of course some common understanding of expected use and handling for the abuse-c mailbox is a prerequisite on BOTH sides (senders also!) I do not expect to see formal, precise, and exhaustive definition of requirements and intended/expected use of abuse-c use - that would seem fairly impossible and certainly would not provide a practical answer to the issue. The working group needs to followup it previous abuse-c policy by starting to create practically useful explanations, before considering more "enforcement" (actually IMHO all enforcement activety should [have] be[en] postponed - potentially replaced by friendly invitations). It may take considerable effort to develope consensus on such documentation - but is it reasonable to rely on all relevant outside parties to have the first contact figure out completely on his own and explain to his management, consultants, service providers, etc... what needs to be done? (what aggregated cost and what "quality" implications do you expect?) It's ok to have working groups that just have internal fun between some birds of a feather. If a working group feels like making demands (e.g. policies) to a larger community it should also consider what support it needs to provide to serve the purposes of that larger community. Thanks for your attention and consideration. Ruediger Volk P.S.: Sorry, for a painfully long message. Trust me I had more painful time writing - and making it shorter would have been worse - with termination not secure:-) I hope that the painful length does not obscure - valid concern - constructive suggestions
On 29-Feb-2016, at 12:08 AM, Ruediger Volk <rv@NIC.DTAG.DE> wrote:
We have to assume that Internet number resource holders requested to establish abuse-c - usually are NOT focussed an abuse handling (different core business:-)
With all due respect - assume that the number resource holder is a corporation engaged in, for example, brewing beer. Admittedly their core business is not providing internet access or managing abuse. Wouldn’t they have a corporate IT team tasked with looking at compromises on their network that are causing abuse / DDoS issues (which might further lead to data leaks from their company etc)? With abuse-c an external reporter can reach out to the appropriate team, which might possibly be a third party vendor, rather than having to call or email the brewery’s corporate HQ and then have the message work through several layers of staff and possibly just get lost. This merely provides a standard format to contact the relevant team - which may well be the same corporate IT team for them that manages their IP space and routing. Reporters are simply spared the decision tree of whether to mail a tech contact for a ddos issue where he / she may be totally different from the security department that handles it. Or an ISP providing services and allocating a range to their customer may want their information in the abuse-c.
On 2/29/2016 3:09 AM, Suresh Ramasubramanian wrote:
On 29-Feb-2016, at 12:08 AM, Ruediger Volk <rv@NIC.DTAG.DE> wrote:
We have to assume that Internet number resource holders requested to establish abuse-c - usually are NOT focussed an abuse handling (different core business:-)
With all due respect - assume that the number resource holder is a corporation engaged in, for example, brewing beer. ... Wouldn’t they have a corporate IT team tasked with looking at compromises on their network that are causing abuse / DDoS issues ... With abuse-c an external reporter can reach out to the appropriate team, ...
+1 d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
+2 Jerry Upton Executive Director M3AAWG.org -----Original Message----- From: Dave Crocker <dhc@dcrocker.net> To: Suresh Ramasubramanian <ops.lists@gmail.com>; Ruediger Volk <rv@NIC.DTAG.DE> Cc: aa-wg-chairs <aa-wg-chairs@ripe.net>; db-wg-chairs <db-wg-chairs@ripe.net>; db-wg <db-wg@ripe.net>; anti-abuse-wg <anti-abuse-wg@ripe.net> Sent: Mon, Feb 29, 2016 9:10 am Subject: Re: [anti-abuse-wg] objection to RIPE policy proposal 2016-01 On 2/29/2016 3:09 AM, Suresh Ramasubramanian wrote:
On 29-Feb-2016, at 12:08 AM, Ruediger Volk <rv@NIC.DTAG.DE> wrote:
We have to assume that Internet number resource holders requested to establish abuse-c - usually are NOT focussed an abuse handling (different core business:-)
With all due respect - assume that the number resource holder is a corporation engaged in, for example, brewing beer. ... Wouldn’t they have a corporate IT team tasked with looking at compromises on their network that are causing abuse / DDoS issues ... With abuse-c an external reporter can reach out to the appropriate team, ...
+1 d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
[ i may be totally misunderstanding things here, but i never bought mandatory abuse-c in the first place ] so the idea is we mandate that there be an abuse-c: so that there is an email address where we can send mail to which there will be no response? i am hesitant to mandate behavior beyond that necessary for the ncc to maintain accurate records of resource 'ownership'. beyond that is me telling someone else how to run their network. i suspect they will listen to their management before they listen to me, and rightly so. randy
On Thu, Mar 03, 2016 at 08:10:33AM +0900, Randy Bush wrote:
i am hesitant to mandate behavior beyond that necessary for the ncc to maintain accurate records of resource 'ownership'. beyond that is me telling someone else how to run their network. i suspect they will listen to their management before they listen to me, and rightly so.
I don't like the whole concept of "if there is no response, we will use some random email that was, at one stage, involved in creating the org object. If you put an address that does not handle abuse in abuse-c: you have just inserted incorrect data into the database. IMO that should not be the job of the NCC... rgds, Sascha Luck
If you put an address that does not handle abuse in abuse-c: you have just inserted incorrect data into the database. IMO that should not be the job of the NCC...
if you force folk to put in abuse-c, there will be non-responsive email addresses. get over it.
On 03/03/2016 01:44, Randy Bush wrote:
If you put an address that does not handle abuse in abuse-c: you have just inserted incorrect data into the database. IMO that should not be the job of the NCC...
if you force folk to put in abuse-c, there will be non-responsive email addresses. get over it.
As long as you know it is the email address intended to receive abuse complaints, if there is no response that in itself is a statement from the network manager. cheers denis
On Thu, 3 Mar 2016 04:14:18 +0100 denis <ripedenis@yahoo.co.uk> wrote:
On 03/03/2016 01:44, Randy Bush wrote:
If you put an address that does not handle abuse in abuse-c: you have just inserted incorrect data into the database. IMO that should not be the job of the NCC...
if you force folk to put in abuse-c, there will be non-responsive email addresses. get over it.
As long as you know it is the email address intended to receive abuse complaints, if there is no response that in itself is a statement from the network manager. cheers denis
there has to be accurate records for abuse-c (and accurate other public records) for specially ipv4 numbers. ipv4 numbers are a public / planet resource and belong to humanity (and the Singularity) - not a country, person or region. many network managers do not respond/reply to abuse, this does not mean that the complaints are not actioned, for example *abuse@google.com is a black hole 1c Andre -- * [sometimes though the spam does stop from Google (although these days, spam on my mail servers from Micorosoft, Google (and Yahoo :) ) is on the rise.]
there has to be accurate records for abuse-c
really? and how does abuse-c affect the effective operation of the ncc resource registry. abuse-c is a convenience for ops.
many network managers do not respond/reply to abuse, this does not mean that the complaints are not actioned, for example *abuse@google.com is a black hole
great idea. i will make my abuse-c:s be blackhole@bogus.com randy
On Thu, 03 Mar 2016 18:51:03 +0900 Randy Bush <randy@psg.com> wrote:
there has to be accurate records for abuse-c really? and how does abuse-c affect the effective operation of the ncc resource registry.
it makes iet easier for the ncc to know who deals with abuse issues which includes, but is not limited to: law enforcement (kiddie porn, etc etc), the sync of warrants for courts and a few others
abuse-c is a convenience for ops.
no, not just ops, .... and, sometimes abuse is a pain (well, it is for some and sometimes end up forwarding up and down and being a project manager and/or in cc and bcc where one really do not care to be in)
many network managers do not respond/reply to abuse, this does not mean that the complaints are not actioned, for example *abuse@google.com is a black hole great idea. i will make my abuse-c:s be blackhole@bogus.com
great, as you said - this is your freedom :)
randy
really? and how does abuse-c affect the effective operation of the ncc resource registry.
it makes iet easier for the ncc to know who deals with abuse issues which includes, but is not limited to: law enforcement (kiddie porn, etc etc), the sync of warrants for courts and a few others
they use the real contact information for real contact i guess it's a different world down there in za randy
On Thu, 03 Mar 2016 19:10:06 +0900 Randy Bush <randy@psg.com> wrote:
really? and how does abuse-c affect the effective operation of the ncc resource registry. it makes iet easier for the ncc to know who deals with abuse issues which includes, but is not limited to: law enforcement (kiddie porn, etc etc), the sync of warrants for courts and a few others they use the real contact information for real contact i guess it's a different world down there in za randy
I may be in za physically, but the infrastructure of my current employers are in EU, anyway, as you said already it is a convenience for ops to have abuse-c but the point is that it is actually convenient for a whole lot of others (incl me) If your abuse = your person - then you may as well add that person role to abuse-c
I may be in za physically, but the infrastructure of my current employers are in EU, anyway, as you said already it is a convenience for ops to have abuse-c but the point is that it is actually convenient for a whole lot of others (incl me)
it would be a convenience to me for you to send me €1000/mo, and i am sure many other sould line up. let's make it mandatory. if you want to tell others how to run their networks, go to arin. randy
Randy Bush wrote:
it would be a convenience to me for you to send me €1000/mo, and i am sure many other sould line up. let's make it mandatory.
can we agree to leave the straw men out of this discussion? They're not helping. Nick
it would be a convenience to me for you to send me €1000/mo, and i am sure many other sould line up. let's make it mandatory.
can we agree to leave the straw men out of this discussion? They're not helping.
no. even you seem to confuse what is necessary for the ncc to maintain a rigorously correct resource allocation registry and what is convenient for operators. i understamd the former being mandatory. while i occasionally find a good abuse-c: useful, it is not my prerogative to mandate that another operator have one for my convenience. the ncc's job is a rigorous registry, not a convenience store for ops. randy
On 03/03/2016 11:35, Randy Bush wrote:
it would be a convenience to me for you to send me €1000/mo, and i am sure many other sould line up. let's make it mandatory.
can we agree to leave the straw men out of this discussion? They're not helping.
no. even you seem to confuse what is necessary for the ncc to maintain a rigorously correct resource allocation registry and what is convenient for operators.
i understamd the former being mandatory. while i occasionally find a good abuse-c: useful, it is not my prerogative to mandate that another operator have one for my convenience.
the ncc's job is a rigorous registry, not a convenience store for ops.
In these days of political interest in how the internet is 'managed' the RIRs need to do more than 'just maintain an accurate registry'. The internet is a crucial part of modern life. Abuse is considered to be a serious problem. What you are saying is that you don't give a dam about abuse and are not interested in being part of the management of abuse. The more people who hold and publish this view, the more likely politicians are to get involved. cheers denis
randy
In these days of political interest in how the internet is 'managed' the RIRs need to do more than 'just maintain an accurate registry'. The internet is a crucial part of modern life. Abuse is considered to be a serious problem. What you are saying is that you don't give a dam about abuse and are not interested in being part of the management of abuse. The more people who hold and publish this view, the more likely politicians are to get involved.
your characterization of my argument is egregiously false. and i would rather govt regulation than regulation by a bunch of amateur policy weenies. at least i get to vote on the former and have courts. but i have nothing new to say and a plane to catch. enjoy. randy
On 03/03/2016 11:49, Randy Bush wrote:
In these days of political interest in how the internet is 'managed' the RIRs need to do more than 'just maintain an accurate registry'. The internet is a crucial part of modern life. Abuse is considered to be a serious problem. What you are saying is that you don't give a dam about abuse and are not interested in being part of the management of abuse. The more people who hold and publish this view, the more likely politicians are to get involved.
your characterization of my argument is egregiously false.
and i would rather govt regulation than regulation by a bunch of amateur policy weenies. at least i get to vote on the former and have courts.
I was not aware that the UN was elected :) cheers denis
but i have nothing new to say and a plane to catch. enjoy.
randy
Randy Bush wrote:
and i would rather govt regulation than regulation by a bunch of amateur policy weenies. at least i get to vote on the former and have courts.
The international government regulation tool of choice for handling this would be the ITU, which - unless you are a government - lacks both courts and functional stakeholder voting. Be careful what you ask for. Nick
On Thu, Mar 03, 2016 at 11:46:45AM +0100, denis wrote:
In these days of political interest in how the internet is 'managed' the RIRs need to do more than 'just maintain an accurate registry'. The
indeed. The community should be careful to maintain and improve the credibility and legitimacy of its policy development process. ``Extra constitutional'' activity (imposing "abuse" handling procedures camouflaged as syntax changes to database objects) and retroactive changes to policy without an exceptional justification both aren't helpful. 2016-01 claims "Better data quality", which is not backed with arguments. 2016-01 claims "More accurate data for abuse contact", which is not supported by arguments or evidence/precedent.
internet is a crucial part of modern life. Abuse is considered to be a serious problem. What you are saying is that you don't give a dam about abuse and are not interested in being part of the management of abuse.
The alleged correctness of data does not imply a "right to response" (cf ripe-563), and rightfully so. Therefore the claims that refusal to add abuse-c would imply refusal to deal with abuse reports are pointless, since the sheer presence of the attribute does not imply anything, either. Also, I have not heard Rüdiger (or anyone else) claim they would not want to even add abuse-c - it's making this policy mandatory what is being contested. ripe-639 re-establishes the 'special role' of legacy resources as exempt from policy changes: Any existing or future RIPE policy referring to resources shall not apply to legacy resources unless the policy explicitly includes legacy resources in its scope. Now, if that was simply a matter of a boilerplate in any future policy (xxx shall also apply to legacy resources), this clause would not make the slightest sense. Consequently, a special consideration is needed. 2016-01 simply refers to inconsistency (obviously a simple consequence of ripe-639 and thus not exceptional) and "better data quality" - without justification. No indication is given of any harm caused by legacy resources currently not subject to ripe-563. ripe-563/ripe-639 do not preclude use of abuse-c for legacy resources, either. All in all, I understand the motivation behind 2016-01, but the reasoning is far too poor to justify proceeding with the proposal. -Peter
Hi Peter OK lets cut to the bottom line. Does anyone NOT agree with these points: -Internet abuse (in it's various forms) is considered both a nuisance and a danger by the public -Politicians will jump onto any band wagon that has popular public support and enhances their careers -Responsible internet resource management includes receiving and handling abuse complaints related to the networks you manage If we all supported these points, especially the last one, then in an ideal world all network managers would be happy to provide abuse contact details and would take action on complaints received. Unfortunately we don't live in that ideal world. The fact that so many experienced technical internet people are opposing this policy worries me. So many of you are fixating on this point about 'mandatory', 'enforcing', 'justifying'. If everyone agreed with point 3 above then you would all be willing to do this voluntarily anyway. So what difference does it make to those of you who do this anyway if it is mandatory? But we know some people simply can't be bothered to handle abuse complaints and we also know some people make money by providing services to the abusers. There is no point pretending this does not happen. If there is a lot of money to be made some people will want a slice of it. That is why this has to be mandatory. When abuse-c was first introduced it was made clear that this was the first step of a process. The intention was for all IP addresses within the RIPE region to have one common way of documenting an abuse contact that can be accessed programatically. It was also made clear that this first step had nothing to do with whether anyone responds to reports sent to that contact. Because it was and still is clear that some people don't want to publicise any abuse contact details it had to be and still has to be mandatory. If you enter data into the RIPE Database you are required to ensure it is correct. Dealing with whether anyone responds to the reports sent to this contact is a separate issue and should not cloud the discussion on the abuse-c information in the RIPE Database. Neither should the technical implementation of the abuse-c attribute. I know there are policies about policies for legacy resources. Personally I think that is crazy. All IP addresses are technically the same no matter how or when you acquired it. Abuse can come from any one of them. I don't know why we are making the policy side so complicated. The principle is simple. If you manage IP addresses in the public domain, from where abuse can be generated, responsible management requires you to provide abuse contact details!!! cheers denis On 03/03/2016 23:30, Peter Koch wrote:
On Thu, Mar 03, 2016 at 11:46:45AM +0100, denis wrote:
In these days of political interest in how the internet is 'managed' the RIRs need to do more than 'just maintain an accurate registry'. The
indeed. The community should be careful to maintain and improve the credibility and legitimacy of its policy development process. ``Extra constitutional'' activity (imposing "abuse" handling procedures camouflaged as syntax changes to database objects) and retroactive changes to policy without an exceptional justification both aren't helpful.
2016-01 claims "Better data quality", which is not backed with arguments. 2016-01 claims "More accurate data for abuse contact", which is not supported by arguments or evidence/precedent.
internet is a crucial part of modern life. Abuse is considered to be a serious problem. What you are saying is that you don't give a dam about abuse and are not interested in being part of the management of abuse.
The alleged correctness of data does not imply a "right to response" (cf ripe-563), and rightfully so. Therefore the claims that refusal to add abuse-c would imply refusal to deal with abuse reports are pointless, since the sheer presence of the attribute does not imply anything, either.
Also, I have not heard Rüdiger (or anyone else) claim they would not want to even add abuse-c - it's making this policy mandatory what is being contested. ripe-639 re-establishes the 'special role' of legacy resources as exempt from policy changes:
Any existing or future RIPE policy referring to resources shall not apply to legacy resources unless the policy explicitly includes legacy resources in its scope.
Now, if that was simply a matter of a boilerplate in any future policy (xxx shall also apply to legacy resources), this clause would not make the slightest sense. Consequently, a special consideration is needed. 2016-01 simply refers to inconsistency (obviously a simple consequence of ripe-639 and thus not exceptional) and "better data quality" - without justification. No indication is given of any harm caused by legacy resources currently not subject to ripe-563. ripe-563/ripe-639 do not preclude use of abuse-c for legacy resources, either.
All in all, I understand the motivation behind 2016-01, but the reasoning is far too poor to justify proceeding with the proposal.
-Peter
Hi there: I think the whole notion about we are managing the internet though the policy are not correct. We are not managing the internet, we are book keeping really. Denis, your argument standing on a group that if we do not manage the internet, the gov will step in and do it for us, but that is largely untrue. The Gov are managing it now as we speak, they have something called law to enforce things, they really don't need bother to go though policy here to block content they dislike, bust people they think are bad, find people are responsible, if there is a seriou crime going on, with or without abuse-c, gov will find them or not---abuse c does not change the outcome. Take China for example, 500 m user can not access Facebook, tell me they go though any sort of APNIC policy to do that, same goes for some countries in Middle East. So my last point is. If you like their gov job, you can apply one, don't try to push community here to do gov's job. On Friday 4 March 2016, denis <ripedenis@yahoo.co.uk> wrote:
Hi Peter
OK lets cut to the bottom line. Does anyone NOT agree with these points:
-Internet abuse (in it's various forms) is considered both a nuisance and a danger by the public
-Politicians will jump onto any band wagon that has popular public support
and enhances their careers -Responsible internet resource management includes receiving and handling abuse complaints related to the networks you manage
If we all supported these points, especially the last one, then in an ideal world all network managers would be happy to provide abuse contact details and would take action on complaints received.
Unfortunately we don't live in that ideal world. The fact that so many experienced technical internet people are opposing this policy worries me. So many of you are fixating on this point about 'mandatory', 'enforcing', 'justifying'. If everyone agreed with point 3 above then you would all be willing to do this voluntarily anyway. So what difference does it make to those of you who do this anyway if it is mandatory?
But we know some people simply can't be bothered to handle abuse complaints and we also know some people make money by providing services to the abusers. There is no point pretending this does not happen. If there is a lot of money to be made some people will want a slice of it. That is why this has to be mandatory.
When abuse-c was first introduced it was made clear that this was the first step of a process. The intention was for all IP addresses within the RIPE region to have one common way of documenting an abuse contact that can be accessed programatically. It was also made clear that this first step had nothing to do with whether anyone responds to reports sent to that contact. Because it was and still is clear that some people don't want to publicise any abuse contact details it had to be and still has to be mandatory. If you enter data into the RIPE Database you are required to ensure it is correct. Dealing with whether anyone responds to the reports sent to this contact is a separate issue and should not cloud the discussion on the abuse-c information in the RIPE Database. Neither should the technical implementation of the abuse-c attribute.
I know there are policies about policies for legacy resources. Personally I think that is crazy. All IP addresses are technically the same no matter how or when you acquired it. Abuse can come from any one of them.
I don't know why we are making the policy side so complicated. The principle is simple. If you manage IP addresses in the public domain, from where abuse can be generated, responsible management requires you to provide abuse contact details!!!
cheers denis
On 03/03/2016 23:30, Peter Koch wrote:
On Thu, Mar 03, 2016 at 11:46:45AM +0100, denis wrote:
In these days of political interest in how the internet is 'managed' the
RIRs need to do more than 'just maintain an accurate registry'. The
indeed. The community should be careful to maintain and improve the credibility and legitimacy of its policy development process. ``Extra constitutional'' activity (imposing "abuse" handling procedures camouflaged as syntax changes to database objects) and retroactive changes to policy without an exceptional justification both aren't helpful.
2016-01 claims "Better data quality", which is not backed with arguments. 2016-01 claims "More accurate data for abuse contact", which is not supported by arguments or evidence/precedent.
internet is a crucial part of modern life. Abuse is considered to be a
serious problem. What you are saying is that you don't give a dam about abuse and are not interested in being part of the management of abuse.
The alleged correctness of data does not imply a "right to response" (cf ripe-563), and rightfully so. Therefore the claims that refusal to add abuse-c would imply refusal to deal with abuse reports are pointless, since the sheer presence of the attribute does not imply anything, either.
Also, I have not heard Rüdiger (or anyone else) claim they would not want to even add abuse-c - it's making this policy mandatory what is being contested. ripe-639 re-establishes the 'special role' of legacy resources as exempt from policy changes:
Any existing or future RIPE policy referring to resources shall not apply to legacy resources unless the policy explicitly includes legacy resources in its scope.
Now, if that was simply a matter of a boilerplate in any future policy (xxx shall also apply to legacy resources), this clause would not make the slightest sense. Consequently, a special consideration is needed. 2016-01 simply refers to inconsistency (obviously a simple consequence of ripe-639 and thus not exceptional) and "better data quality" - without justification. No indication is given of any harm caused by legacy resources currently not subject to ripe-563. ripe-563/ripe-639 do not preclude use of abuse-c for legacy resources, either.
All in all, I understand the motivation behind 2016-01, but the reasoning is far too poor to justify proceeding with the proposal.
-Peter
-- -- Kind regards. Lu
Dear Lu, Your reasoning fails the logic test because you do not cognize the mismatch between the operation of "law to enforce things" and the spammer business model. The loss to no single victim rises above the threshold to initiate either criminal or civil proceedings. The spammers organize their business model in this way expecting most people to have your attitude. This is clearly explained in <http://www.jeffreyrace.com/nugget/spam_05.pdf> Kind regards, Dr. Jeffrey Race, President Cambridge Electronics Laboratories 20 Chester Street, Somerville MA 02144-3005 Tel +1 617 629-2805 Fax +1 617 623-1882 Avoid spinal damage from computer use! Read "Cripples by Thirty?" <http://www.camblab.com/nugget/nugget.htm> --Original Message Text--- From: Lu Heng Date: Fri, 4 Mar 2016 14:20:28 +1300 Hi there: I think the whole notion about we are managing the internet though the policy are not correct. We are not managing the internet, we are book keeping really. Denis, your argument standing on a group that if we do not manage the internet, the gov will step in and do it for us, but that is largely untrue. The Gov are managing it now as we speak, they have something called law to enforce things, they really don't need bother to go though policy here to block content they dislike, bust people they think are bad, find people are responsible, if there is a seriou crime going on, with or without abuse-c, gov will find them or not---abuse c does not change the outcome. Take China for example, A 500 m user can not access Facebook, tell me they go though any sort of APNIC policy to do that, same goes for some countries inA Middle East. So my last point is. If you like their gov job, you can apply one, don't try to push community here to do gov's job. On Friday 4 March 2016, denis <ripedenis@yahoo.co.uk> wrote: Hi Peter OK lets cut to the bottom line. Does anyone NOT agree with these points: -Internet abuse (in it's various forms) is considered both a nuisance and a danger by the publicA -Politicians will jump onto any band wagon that has popular public support and enhances their careers -Responsible internet resource management includes receiving and handling abuse complaints related to the networks you manage If we all supported these points, especially the last one, then in an ideal world all network managers would be happy to provide abuse contact details and would take action on complaints received. Unfortunately we don't live in that ideal world. The fact that so many experienced technical internet people are opposing this policy worries me. So many of you are fixating on this point about 'mandatory', 'enforcing', 'justifying'. If everyone agreed with point 3 above then you would all be willing to do this voluntarily anyway. So what difference does it make to those of you who do this anyway if it is mandatory? But we know some people simply can't be bothered to handle abuse complaints and we also know some people make money by providing services to the abusers. There is no point pretending this does not happen. If there is a lot of money to be made some people will want a slice of it. That is why this has to be mandatory. When abuse-c was first introduced it was made clear that this was the first step of a process. The intention was for all IP addresses within the RIPE region to have one common way of documenting an abuse contact that can be accessed programatically. It was also made clear that this first step had nothing to do with whether anyone responds to reports sent to that contact. Because it was and still is clear that some people don't want to publicise any abuse contact details it had to be and still has to be mandatory. If you enter data into the RIPE Database you are required to ensure it is correct. Dealing with whether anyone responds to the reports sent to this contact is a separate issue and should not cloud the discussion on the abuse-c information in the RIPE Database. Neither should the technical implementation of the abuse-c attribute. I know there are policies about policies for legacy resources. Personally I think that is crazy. All IP addresses are technically the same no matter how or when you acquired it. Abuse can come from any one of them. I don't know why we are making the policy side so complicated. The principle is simple. If you manage IP addresses in the public domain, from where abuse can be generated, responsible management requires you to provide abuse contact details!!! cheers denis On 03/03/2016 23:30, Peter Koch wrote: On Thu, Mar 03, 2016 at 11:46:45AM +0100, denis wrote: In these days of political interest in how the internet is 'managed' the RIRs need to do more than 'just maintain an accurate registry'. The indeed. The community should be careful to maintain and improve the credibility and legitimacy of its policy development process. ``Extra constitutional'' activity (imposing "abuse" handling procedures camouflaged as syntax changes to database objects) and retroactive changes to policy without an exceptional justification both aren't helpful. 2016-01 claims "Better data quality", which is not backed with arguments. 2016-01 claims "More accurate data for abuse contact", which is not A A A A A supported by arguments or evidence/precedent. internet is a crucial part of modern life. Abuse is considered to be a serious problem. What you are saying is that you don't give a dam about abuse and are not interested in being part of the management of abuse. The alleged correctness of data does not imply a "right to response" (cf ripe-563), and rightfully so.A Therefore the claims that refusal to add abuse-c would imply refusal to deal with abuse reports are pointless, since the sheer presence of the attribute does not imply anything, either. Also, I have not heard RA�diger (or anyone else) claim they would not want to even add abuse-c - it's making this policy mandatory what is being contested.A ripe-639 re-establishes the 'special role' of legacy resources as exempt from policy changes: A A A A Any existing or future RIPE policy referring to resources shall not apply A A A A to legacy resources unless the policy explicitly includes legacy resources in its scope. Now, if that was simply a matter of a boilerplate in any future policy (xxx shall also apply to legacy resources), this clause would not make the slightest sense.A Consequently, a special consideration is needed. 2016-01 simply refers to inconsistency (obviously a simple consequence of ripe-639 and thus not exceptional) and "better data quality" - without justification.A No indication is given of any harm caused by legacy resources currently not subject to ripe-563.A ripe-563/ripe-639 do not preclude use of abuse-c for legacy resources, either. All in all, I understand the motivation behind 2016-01, but the reasoning is far too poor to justify proceeding with the proposal. -Peter -- -- Kind regards. Lu
Hi there: I think the whole notion about we are managing the internet though the policy are not correct. We are not managing the internet, we are book keeping really. Denis, your argument standing on a group that if we do not manage the internet, the gov will step in and do it for us, but that is largely untrue. The Gov are managing it now as we speak, they have something called law to enforce things, they really don't need bother to go though policy here to block content they dislike, bust people they think are bad, find people are responsible, if there is a seriou crime going on, with or without abuse-c, gov will find them or not---abuse c does not change the outcome. Take China for example, 500 m user can not access Facebook, tell me they go though any sort of APNIC policy to do that, same goes for some countries in Middle East. So my last point is. If you like their gov job, you can apply one, don't try to push community here to do gov's job. Lu Sorry, but I totally disagree with you. If you run a network you are responsible for making resources available on the internet. That is a responsibility. If you don’t want to deal with abuse complaints then you’ll find a lot of other network operators will start either blocking your network or blocking traffic to / from certain ports or via particular protocols. The serious crime argument is total rubbish. What we all see on a daily basis is abuse of various types covering the full scope of “nasty” behaviour. As for governments – just look what’s being going on in multiple jurisdictions. If industry doesn’t act responsibly we will be forced to and governments do a terrible job of handling internet related issues. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains http://www.blacknight.host/ http://blog.blacknight.com/ http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
On Fri, 4 Mar 2016 17:55:16 +0000 Michele Neylon - Blacknight <michele@blacknight.com> wrote: <snip>
We are not managing the internet, we are book keeping really.
[...] If you are correct (and imho you are) the whole point of book keeping is to have accurate data and records so, pick your poison. All POV leads to exactly the same thing: the ncc needs accurate abuse-c as much as any of the other data.
Hi Michele:
On 4 Mar 2016, at 21:55, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
Hi there:
I think the whole notion about we are managing the internet though the policy are not correct.
We are not managing the internet, we are book keeping really.
Denis, your argument standing on a group that if we do not manage the internet, the gov will step in and do it for us, but that is largely untrue.
The Gov are managing it now as we speak, they have something called law to enforce things, they really don't need bother to go though policy here to block content they dislike, bust people they think are bad, find people are responsible, if there is a seriou crime going on, with or without abuse-c, gov will find them or not---abuse c does not change the outcome.
Take China for example, 500 m user can not access Facebook, tell me they go though any sort of APNIC policy to do that, same goes for some countries in Middle East.
So my last point is. If you like their gov job, you can apply one, don't try to push community here to do gov's job. Lu
Sorry, but I totally disagree with you.
If you run a network you are responsible for making resources available on the internet. That is a responsibility.
I totally agree with you, as matter of evidence, if you look our range, we have very clear abuse reporting instructions.
If you don’t want to deal with abuse complaints then you’ll find a lot of other network operators will start either blocking your network or blocking traffic to / from certain ports or via particular protocols.
That's very true.
The serious crime argument is total rubbish. What we all see on a daily basis is abuse of various types covering the full scope of “nasty” behaviour.
As for governments – just look what’s being going on in multiple jurisdictions. If industry doesn’t act responsibly we will be forced to and governments do a terrible job of handling internet related issues.
I think we have misunderstanding in this part, as I have explained in my last email, i don't think abuse c makes no difference for none crime abuse(spam for example is legal in some country). The operators cares has dealt with it already, the ops don't care, I really don't think ask them fill one extra line changes anything.
Regards
Michele
-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains http://www.blacknight.host/ http://blog.blacknight.com/ http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
the whole point of book keeping is to have accurate data and records
so, pick your poison. All POV leads to exactly the same thing: the ncc needs accurate abuse-c as much as any of the other data.
and it needs an accurate record of my blood type.
On Mon, 07 Mar 2016 05:56:54 -0800 Randy Bush <randy@psg.com> wrote:
the whole point of book keeping is to have accurate data and records
so, pick your poison. All POV leads to exactly the same thing: the ncc needs accurate abuse-c as much as any of the other data.
and it needs an accurate record of my blood type.
no, just a record of what you say it is ;) (if you have public resources that belong to the world, so we all can openly and freely see that you are really pumping blood and are not a fake person) seriously though, with all the comments it is clear that the policy is controversial, although it should not be. I have not seen one opinion clearly stating that abuse is not an issue and that they do not care about abuse. this is simply because it is an issue and it is problematic and it is controversial, a mess and causes some people a lot of stress
[ contains question to NCC ]
I have not seen one opinion clearly stating that abuse is not an issue and that they do not care about abuse.
the american idiom is "primrose path." it looks good at the start but you end up regretting walking it. there are many issues of concern to operators. i would love to see a *usable* way to report a vulnerability in your network, a routing issue, ... but i know this ain't gonna work. what data do the ncc need to do its job. tech and admin. but, let's not make assertions of others' needs. NCC, to run the registry, do you need/want more than admin and tech? randy
Randy Bush wrote:
NCC, to run the registry, do you need/want more than admin and tech?
to run a registry, all you need is a billing address. Check out the IEEE OUI database. Their web page is great: http://standards-oui.ieee.org/ The internet community accepted a very long time ago indeed that it would be useful to have extra information in the RIR registries, beyond the baseline admin-c and tech-c, neither of which is strictly necessary. On a wholly unrelated issue, abuse happens on the Internet. When it does, people feel the need to be able to communicate with the people who have an management interest in the address blocks implicated in the abuse. In the absence of an abuse contact mailbox attached to address registration data, can you make some constructive suggestions about how a recipient of internet abuse can get in contact with the people who manage the address block and who, by implication, are likely to have some form of contractual relationship with whoever is instigating the abuse? Nick
In the absence of an abuse contact mailbox attached to address registration data, can you make some constructive suggestions about how a recipient of internet abuse can get in contact with the people who manage the address block and who, by implication, are likely to have some form of contractual relationship with whoever is instigating the abuse?
i am not against having an abuse-c: field. i am against making it mandatory. all that'll get us is black holes. rady
Hi Randy On 07/03/2016 16:49, Randy Bush wrote:
In the absence of an abuse contact mailbox attached to address registration data, can you make some constructive suggestions about how a recipient of internet abuse can get in contact with the people who manage the address block and who, by implication, are likely to have some form of contractual relationship with whoever is instigating the abuse?
i am not against having an abuse-c: field. i am against making it mandatory. all that'll get us is black holes.
What you are really saying here is that you are willing to accept that many network managers don't want to handle abuse complaints. So make it optional and let them leave it blank. As a community are we willing to accept that many networks simply don't want to handle abuse complaints? Or do we want it mandatory and then as a next stage tackle these black holes with devnull. cheers denis
rady
On Mon, Mar 07, 2016 at 09:17:00PM +0100, denis wrote:
On 07/03/2016 16:49, Randy Bush wrote:
In the absence of an abuse contact mailbox attached to address registration data, can you make some constructive suggestions about how a recipient of internet abuse can get in contact with the people who manage the address block and who, by implication, are likely to have some form of contractual relationship with whoever is instigating the abuse?
i am not against having an abuse-c: field. i am against making it mandatory. all that'll get us is black holes.
What you are really saying here is that you are willing to accept that many network managers don't want to handle abuse complaints. So make it optional and let them leave it blank.
As a community are we willing to accept that many networks simply don't want to handle abuse complaints? Or do we want it mandatory and then as a next stage tackle these black holes with devnull.
there are other ways to handle abuse on both reporting & resolving side. what seems to be the populair way these days is publishing abuse in feeds and subscribing to those feeds, no email involved. example: https://abuse.io/
Hi Job Interesting but I don't think this is for Joe Public who receives spam or phishing emails and wants to complain about them. I can't see your average non techie internet user downloading software to make a complaint. cheersdenis From: Job Snijders <job@ntt.net> To: denis <ripedenis@yahoo.co.uk> Cc: Randy Bush <randy@psg.com>; Nick Hilliard <nick@inex.ie>; andre@ox.co.za; RIPE DB WG <db-wg@ripe.net> Sent: Monday, 7 March 2016, 21:19 Subject: Re: [db-wg] [anti-abuse-wg] objection to RIPE policy proposal 2016-01 On Mon, Mar 07, 2016 at 09:17:00PM +0100, denis wrote:
On 07/03/2016 16:49, Randy Bush wrote:
In the absence of an abuse contact mailbox attached to address registration data, can you make some constructive suggestions about how a recipient of internet abuse can get in contact with the people who manage the address block and who, by implication, are likely to have some form of contractual relationship with whoever is instigating the abuse?
i am not against having an abuse-c: field. i am against making it mandatory. all that'll get us is black holes.
What you are really saying here is that you are willing to accept that many network managers don't want to handle abuse complaints. So make it optional and let them leave it blank.
As a community are we willing to accept that many networks simply don't want to handle abuse complaints? Or do we want it mandatory and then as a next stage tackle these black holes with devnull.
there are other ways to handle abuse on both reporting & resolving side. what seems to be the populair way these days is publishing abuse in feeds and subscribing to those feeds, no email involved. example: https://abuse.io/
Hi Denis,
What you are really saying here is that you are willing to accept that many network managers don't want to handle abuse complaints. So make it optional and let them leave it blank.
As a community we have to accept that, whether we like it or not. The only way to force someone (unless you come from the 'shoot first, ask questions later' fraction) is via the legal system.
As a community are we willing to accept that many networks simply don't want to handle abuse complaints? Or do we want it mandatory and then as a next stage tackle these black holes with devnull.
Let's extrapolate that line of thought, from the point of view of the one wanting to ignore reports (which is, btw, not the same as ignoring abuse...): - I need abuse-c? fine: devnull@example.com - oh, it has to exist? abuse@<lir.eu>, FWD to /dev/null - and now I have to answer? auto-reply is cheap. - human answer? Wally, please take care of that. And with each step the life of the *reporter* becomes more frustrating. Again, as a reporter I prefer no data (which is also data...) over wrong data any time. So the only part that might deserve attention is the people that is not aware of the abuse-c. Lobby them, inform them, harass them until they make a choice, whatever it is. And then respect the choice. best, Gilles -- Fondation RESTENA - DNS-LU 2, avenue de l'Université LU-4365 Esch-sur-Alzette tel: +352.4244091 fax: +352.422473
HI Randy On 07/03/2016 15:47, Randy Bush wrote:
[ contains question to NCC ]
I have not seen one opinion clearly stating that abuse is not an issue and that they do not care about abuse.
the american idiom is "primrose path." it looks good at the start but you end up regretting walking it. there are many issues of concern to operators.
This is NOT about concerns for operators. It is about concerns for uses of the internet who feel abused. You are looking at it from the wrong side.
i would love to see a *usable* way to report a vulnerability in your network, a routing issue, ... but i know this ain't gonna work.
what data do the ncc need to do its job. tech and admin.
but, let's not make assertions of others' needs.
NCC, to run the registry, do you need/want more than admin and tech?
I think you are confusing RIPE with RIPE NCC. In this thread we are discussing a RIPE policy. If the community decides they want abuse-c on all resources, the RIPE NCC will implement the policy. To some extent the views of the RIPE NCC at this stage are not relevant. They don't decide on the policy. This question you are asking is a policy question to be decided by the community not the RIPE NCC. cheers denis
randy
Hi, On Fri, Mar 04, 2016 at 01:21:04AM +0100, denis wrote:
OK lets cut to the bottom line. Does anyone NOT agree with these points:
-Internet abuse (in it's various forms) is considered both a nuisance and a danger by the public -Politicians will jump onto any band wagon that has popular public support and enhances their careers -Responsible internet resource management includes receiving and handling abuse complaints related to the networks you manage
All totally true. The relevant question for the PDP is "does 2016-01 help achieve the goal of better combatting Internet abuse"? [..]
I don't know why we are making the policy side so complicated. The principle is simple. If you manage IP addresses in the public domain, from where abuse can be generated, responsible management requires you to provide abuse contact details!!!
Will making "providing a mail address in a specific field" mandatory for people the RIPE NCC doesn't currently have a contract with (and that do not particularily frequently show up on the "evil boys list") help achieve your goals? Why? You should know that I'm quite active in working to work against network abuse, but at the same time, I'm not willing to accept every potential measure of the anti-spam community as "THIS MUST BE DONE! NOW!". As in all policy decisions, every change needs to answer the questions "is we are changing *effective* in reaching the goal?", "what are the side effects?" and "are there other ways towards the common goal?" (and potentially "is the goal actually something the community agrees upon"). Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On Fri, 4 Mar 2016 09:00:27 +0100 Gert Doering <gert@space.net> wrote:
Hi, On Fri, Mar 04, 2016 at 01:21:04AM +0100, denis wrote:
OK lets cut to the bottom line. Does anyone NOT agree with these points: -Internet abuse (in it's various forms) is considered both a nuisance and a danger by the public -Politicians will jump onto any band wagon that has popular public support and enhances their careers -Responsible internet resource management includes receiving and handling abuse complaints related to the networks you manage All totally true. The relevant question for the PDP is "does 2016-01 help achieve the goal of better combatting Internet abuse"?
no. it is not up to the ncc to decide what constitutes abuse on a network and to even have a goal of 'combatting abuse' it is however of the utmost importance, as important as being able to deliver accurate physical address data, to deliver accurate abuse data. this is an absolute minimum for a modern day rigorously correct resource allocation registry it is not just a convenience for ops, it is a data/consumer/person/world/peoples driven demand.
[..]
I don't know why we are making the policy side so complicated. The principle is simple. If you manage IP addresses in the public domain, from where abuse can be generated, responsible management requires you to provide abuse contact details!!!
Will making "providing a mail address in a specific field" mandatory for people the RIPE NCC doesn't currently have a contract with (and that do not particularily frequently show up on the "evil boys list") help achieve your goals? Why?
it aids in so many ways, for starters, establishing the level of trust in a network, it provides a single point of contact for a range of issues. if you decide to add devnull@example.com to your abuse-c I already have a good idea what to do with abuse complaints - (simply do not bother sending them anywhere as you do not want them and do not care)
You should know that I'm quite active in working to work against network abuse, but at the same time, I'm not willing to accept every potential measure of the anti-spam community as "THIS MUST BE DONE! NOW!".
it is a large problem and maintaining an up to date data about abuse records - as I am doing now - is actually not my job - but that of the ncc. by up to date i mean: a record of ops that want / act on abuse and a record of ops and ranges that do not. (many of those are simply now dropped at borders)
As in all policy decisions, every change needs to answer the questions "is we are changing *effective* in reaching the goal?", "what are the side effects?" and "are there other ways towards the common goal?" (and potentially "is the goal actually something the community agrees upon").
the changes are demanded so that the ncc can meet it's obligations. and be a correct resource allocation registry ac -- not even a padawan ;)
Gert Doering -- NetMaster
On Fri, Mar 04, 2016 at 09:00:27AM +0100, Gert Doering wrote:
The relevant question for the PDP is "does 2016-01 help achieve the goal of better combatting Internet abuse"?
In its current implementation, abuse-c: is not only useless, it's potentially harmful. -Either abuse-c: is nothing but a convenience for ops, in which case it shouldn't be mandatory or -abuse-c: is an important part of registry documentation in which case the NCC should ensure that whatever information in there points to someone who *handles abuse* The latter would actually amount to NCC telling registries how to manage their network - they MUST have abuse-handlers and they MUST publish their contact data. Where does it say that in the contract and how would it be enforced towards ERX holders who don't *have* a contract? In either case, "We will put in any old email address we have in our records for your org unless you fill it in yourself" is not good enough. rgds, Sascha Luck
On Sat, 5 Mar 2016 11:50:06 +0000 "Sascha Luck [ml]" <dbwg@c4inet.net> wrote:
The relevant question for the PDP is "does 2016-01 help achieve the goal of better combatting Internet abuse"? In its current implementation, abuse-c: is not only useless, it's
On Fri, Mar 04, 2016 at 09:00:27AM +0100, Gert Doering wrote: potentially harmful.
-Either abuse-c: is nothing but a convenience for ops, in which case it shouldn't be mandatory or -abuse-c: is an important part of registry documentation in which case the NCC should ensure that whatever information in there points to someone who *handles abuse*
no. it is not up to the ncc to guarantee that the abuse-c "handles abuse" But very good point - maybe the ncc should ensure that (important accounting) data is accurate.
The latter would actually amount to NCC telling registries how to manage their network - they MUST have abuse-handlers and they
not at all. otherwise the same argument would also fit the requirement to provide a physical address, a name, or, any data actually. insisting that registries MUST have a name, an address, etc. the rest of your post flows from your prior assumption
MUST publish their contact data. Where does it say that in the contract and how would it be enforced towards ERX holders who don't *have* a contract? In either case, "We will put in any old email address we have in our records for your org unless you fill it in yourself" is not good enough.
rgds, Sascha Luck
Hi Sascha On 05/03/2016 12:50, Sascha Luck [ml] wrote:
On Fri, Mar 04, 2016 at 09:00:27AM +0100, Gert Doering wrote:
The relevant question for the PDP is "does 2016-01 help achieve the goal of better combatting Internet abuse"?
In its current implementation, abuse-c: is not only useless, it's potentially harmful.
Don't make emotive, vague comments like this....explain with facts.
-Either abuse-c: is nothing but a convenience for ops, in which case it shouldn't be mandatory or -abuse-c: is an important part of registry documentation in which case the NCC should ensure that whatever information in there points to someone who *handles abuse*
The latter would actually amount to NCC telling registries how to manage their network - they MUST have abuse-handlers and they MUST publish their contact data.
I love it when people make comments like this without thinking the argument through. For an INETNUM object "admin-c:" and "tech-c:" are both mandatory. So they are both considered "an important part of registry documentation". So by your argument the NCC should ensure someone *handles administrative and technical issues*. How do you propose the NCC does that? When you work that one out they can apply the same principle to "abuse-c:". Problem solved... cheers denis
Where does it say that in the contract and how would it be enforced towards ERX holders who don't *have* a contract?
In either case, "We will put in any old email address we have in our records for your org unless you fill it in yourself" is not good enough.
rgds, Sascha Luck
On 7 Mar 2016, at 10:29, denis wrote:
Don't make emotive, vague comments like this....explain with facts.
and a little further on:
When you work that one out they can apply the same principle to "abuse-c:". Problem solved...
Pot, kettle, etc. /Niall
On 07-Mar-2016, at 4:22 PM, Niall O'Reilly <niall.oreilly@ucd.ie> wrote:
When you work that one out they can apply the same principle to "abuse-c:". Problem solved...
Pot, kettle, etc. /Niall
It still leaves this question Denis posed unanswered
How do you propose the NCC does that?
Other than abuse-c and a record cleanup. I’m glad to see various people step up and reject abuse-c but is there a workable suggestion? Or anything other than Sascha’s blanket dismissal of the entire aawg? —srs
On 7 Mar 2016, at 11:30, Suresh Ramasubramanian wrote:
On 07-Mar-2016, at 4:22 PM, Niall O'Reilly <niall.oreilly@ucd.ie> wrote:
When you work that one out they can apply the same principle to "abuse-c:". Problem solved...
Pot, kettle, etc. /Niall
It still leaves this question Denis posed unanswered
How do you propose the NCC does that?
Other than abuse-c and a record cleanup.
I’m glad to see various people step up and reject abuse-c but is there a workable suggestion?
I think Peter Koch, Gert Doering, and Gilles Massen have answered this question adequately already. Best regards, Niall
On 07-Mar-2016, at 5:44 PM, Niall O'Reilly <niall.oreilly@ucd.ie> wrote:
I think Peter Koch, Gert Doering, and Gilles Massen have answered this question adequately already.
Gert followed a rather socratic method - answering a question with another :) The current method is absolutely not useful in that the lack of standardization means people (including me) who are stuck with large amounts of phish to report have no other alternative but do a substantial part of the process manually. —srs Quoting Gert -
The relevant question for the PDP is "does 2016-01 help achieve the goal of better combatting Internet abuse"?
[..]
I don't know why we are making the policy side so complicated. The principle is simple. If you manage IP addresses in the public domain, from where abuse can be generated, responsible management requires you to provide abuse contact details!!!
Will making "providing a mail address in a specific field" mandatory for people the RIPE NCC doesn't currently have a contract with (and that do not particularily frequently show up on the "evil boys list") help achieve your goals? Why?
Hi Suresh On 07/03/2016 13:19, Suresh Ramasubramanian wrote:
On 07-Mar-2016, at 5:44 PM, Niall O'Reilly <niall.oreilly@ucd.ie> wrote:
I think Peter Koch, Gert Doering, and Gilles Massen have answered this question adequately already.
Gert followed a rather socratic method - answering a question with another :)
The current method is absolutely not useful in that the lack of standardization means people (including me) who are stuck with large amounts of phish to report have no other alternative but do a substantial part of the process manually.
As I said in previous replies, abuse-c is standardised and is fully deployed for RIPE NCC resources. You should not need to do any manual lookups. cheers denis
—srs
Quoting Gert -
The relevant question for the PDP is "does 2016-01 help achieve the goal of better combatting Internet abuse"?
[..]
I don't know why we are making the policy side so complicated. The principle is simple. If you manage IP addresses in the public domain, from where abuse can be generated, responsible management requires you to provide abuse contact details!!!
Will making "providing a mail address in a specific field" mandatory for people the RIPE NCC doesn't currently have a contract with (and that do not particularily frequently show up on the "evil boys list") help achieve your goals? Why?
Hi, On Mon, Mar 07, 2016 at 12:14:36PM +0000, Niall O'Reilly wrote:
I???m glad to see various people step up and reject abuse-c but is there a workable suggestion?
I think Peter Koch, Gert Doering, and Gilles Massen have answered this question adequately already.
Admittedly, I just stated my dislike for abuse-c: in its current implementation and did not suggest alternatives. But seems I should so :-) I would like abuse-c: much more if it were changed in two ways: - permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role: my main issue is the forced indirection through organisation: objects which might not exist ("because there is no need to create a separate organisation: object just to earmark a specific inetnum: so abuse could go somewhere else"). The requirement for role: objects is also annoying if all there is is just a single person - so admin-c:, tech-c: point to "the person that is responsible for everything", while abuse-c: needs a new object. All in all, these requirements force me to add and maintain extra objects for every abuse-c: I want to register, which annoys me enough to just not do so - for the PI stuff, I just let the NCC go ahead and create needless role: objects that point to the e-mail of the admin-c/tech-c, and for our allocations I registered a "master" abuse-c: and do not bother to register more-specifics even if that would make sense for certain projects. As for determinism, I do not see this as much different from today - the sequence for finding the abuse contact for a specific IP address could be: - if the inet(6)num has an abuse-c:, use that - if it has an org: object, and that one has an abuse-c:, use it - find the closest less specific inet(6)num: object that either has its own abuse-c: or has an org: object with an abuse-c: - if the topmost inet(6)num: object has status: LEGACY, point to admin-c:/tech-c: (objects that the NCC has assigned/allocated would always have an org: and abuse-c:-in-org:, so this is the fallback clause for legacy objects) - stop there (DO NOT RETURN ARBITRARY CONTACTS OF MAINTAINER OBJECTS THAT HAVE BEEN USED FOR MAINTENANCE OF REFERENCED PERSON: OBJECTS ETC.) As for legacy object holders: I think "more talking to them" is more useful than mandating stuff that there is no contractual authority backing it - and with the flow suggested above, you'd get a contact back that at some point in time was accepting responsibility for the network in question. If that contact is stale, mandating a new database field ("abuse-c:") is not going to make it less stale. Maybe some extended outreach activity could be started to actually ensure that some human is alive at ERX holders that the NCC had no contact anymore since <x> years - but friendly, not pushy. They have been here first, we have no authority over them. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On 07-Mar-2016, at 6:03 PM, Gert Doering <gert@space.net> wrote:
- permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role:
[…] I’m actually +1 with these. And in fact even with the current spec there isn’t anything that says a person object can’t be abuse-c - though an outfit of any significant size might prefer to add a role account just so that multiple people can receive and handle abuse complaints. —srs
Hi, On Mon, Mar 07, 2016 at 06:06:04PM +0530, Suresh Ramasubramanian wrote:
On 07-Mar-2016, at 6:03 PM, Gert Doering <gert@space.net> wrote:
- permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role:
[???]
I???m actually +1 with these. And in fact even with the current spec there isn???t anything that says a person object can???t be abuse-c - though an outfit of any significant size might prefer to add a role account just so that multiple people can receive and handle abuse complaints.
Yeah, for our LIR abuse contact, this totally makes sense - there is a department handling this (SPCA-RIPE), so the *option* of having a role: here is good. OTOH for my personal PI /24, the only abuse-c: ever will be me personally, so not being able to reference my person: object but having to create a role: for myself is a bit silly. gert -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Hi Gert On 07/03/2016 13:42, Gert Doering wrote:
Hi,
On Mon, Mar 07, 2016 at 06:06:04PM +0530, Suresh Ramasubramanian wrote:
On 07-Mar-2016, at 6:03 PM, Gert Doering <gert@space.net> wrote:
- permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role:
[???]
I???m actually +1 with these. And in fact even with the current spec there isn???t anything that says a person object can???t be abuse-c
yes there is. It must be a ROLE object. - though an outfit of any significant size might prefer to
add a role account just so that multiple people can receive and handle abuse complaints.
Yeah, for our LIR abuse contact, this totally makes sense - there is a department handling this (SPCA-RIPE), so the *option* of having a role: here is good.
OTOH for my personal PI /24, the only abuse-c: ever will be me personally, so not being able to reference my person: object but having to create a role: for myself is a bit silly.
It is called standardisation. Although I am sure you will not believe me it does actually simplify the data model if you do things in a standard way :) cheers denis
gert
Hi Gert On 07/03/2016 13:33, Gert Doering wrote:
Hi,
On Mon, Mar 07, 2016 at 12:14:36PM +0000, Niall O'Reilly wrote:
I???m glad to see various people step up and reject abuse-c but is there a workable suggestion?
I think Peter Koch, Gert Doering, and Gilles Massen have answered this question adequately already.
Admittedly, I just stated my dislike for abuse-c: in its current implementation and did not suggest alternatives.
But seems I should so :-)
I would like abuse-c: much more if it were changed in two ways:
- permit abuse-c: in inet(6)num: objects
This could be done, although I think there are other ways to improve the implementation of abuse-c. I specified some options on RIPE Labs 2 years ago https://labs.ripe.net/Members/denis/suggestions-for-improving-abuse-handling
- permit abuse-c: to point to a normal person: object, not only role:
my main issue is the forced indirection through organisation: objects which might not exist ("because there is no need to create a separate organisation: object just to earmark a specific inetnum: so abuse could go somewhere else").
The reason I proposed this implementation is because I expected, at the time, we would go on to do a review of the data model. At that time many people were interested in doing that. But, alas, not now it seems.
The requirement for role: objects is also annoying if all there is is just a single person - so admin-c:, tech-c: point to "the person that is responsible for everything", while abuse-c: needs a new object.
Please learn from past mistakes. When this database was first deployed in 2001 it lacked a lot of important business rules that should have constrained some functions to work in the way they were designed to work. A PERSON object was/is intended to define a real person. It should ONLY be referenced in a ROLE object. PERSON objects should never be referenced from anywhere else. Most 'functions' in an organisation equate better to a 'role' than a single 'person'. Often an abuse desk or tech support has several people 'behind' the contact details. Usually someone asking for help or making a complaint does not care who the person is as long as they solve the issue. So it is better to define a single ROLE object and not define any PERSON objects. This maps the database more closely to reality.
All in all, these requirements force me to add and maintain extra objects for every abuse-c: I want to register, which annoys me enough to just not do so - for the PI stuff, I just let the NCC go ahead and create needless role: objects that point to the e-mail of the admin-c/tech-c, and for our allocations I registered a "master" abuse-c: and do not bother to register more-specifics even if that would make sense for certain projects.
As for determinism, I do not see this as much different from today - the sequence for finding the abuse contact for a specific IP address could be:
- if the inet(6)num has an abuse-c:, use that - if it has an org: object, and that one has an abuse-c:, use it - find the closest less specific inet(6)num: object that either has its own abuse-c: or has an org: object with an abuse-c:
- if the topmost inet(6)num: object has status: LEGACY, point to admin-c:/tech-c: (objects that the NCC has assigned/allocated would always have an org: and abuse-c:-in-org:, so this is the fallback clause for legacy objects)
- stop there (DO NOT RETURN ARBITRARY CONTACTS OF MAINTAINER OBJECTS THAT HAVE BEEN USED FOR MAINTENANCE OF REFERENCED PERSON: OBJECTS ETC.)
Yes this can be done. My argument against this is you may end up with lots of useless, redundant information in the database that will not be used by the tools the NCC provides (they use the proper search sequence) but may well be 'found' by people like Suresh who seems to think he has to dig into the database manually looking for contact details.
As for legacy object holders: I think "more talking to them" is more useful than mandating stuff that there is no contractual authority backing it - and with the flow suggested above, you'd get a contact back that at some point in time was accepting responsibility for the network in question.
If everything to do with legacy resources has to be done by "more talking to them" why did you bother to create policy ripe-639 RIPE NCC Services to Legacy Resource Holders? I thought one of the points of that was to be able to do things by general agreement with representatives of the collective of legacy resource holders rather than talk to each one individually.
If that contact is stale, mandating a new database field ("abuse-c:") is not going to make it less stale.
Maybe some extended outreach activity could be started to actually ensure that some human is alive at ERX holders that the NCC had no contact anymore since <x> years - but friendly, not pushy. They have been here first, we have no authority over them.
2007-01? cheers denis
Gert Doering -- NetMaster
Hi, On Mon, Mar 07, 2016 at 09:02:26PM +0100, denis wrote:
The requirement for role: objects is also annoying if all there is is just a single person - so admin-c:, tech-c: point to "the person that is responsible for everything", while abuse-c: needs a new object.
Please learn from past mistakes.
Yes, please *do so*. Do not design something that is going to win a price at a computer scientist conference - design something that is easy to work with. The current abuse-c: design is annoying, because it requires extra work to get to the point of documenting what you want to document. So people (remember: we want *people* to use that, and put useful information in there) are annoyed, and stop bothering. I'm a bit more verbose about this, but if you ever wondered *why* abuse-c: isn't the huge success people expected: this is part of the "why". It is way too annoying to use. [..]
Maybe some extended outreach activity could be started to actually ensure that some human is alive at ERX holders that the NCC had no contact anymore since <x> years - but friendly, not pushy. They have been here first, we have no authority over them.
2007-01?
One of the early version of 2007-01 indeed covered legacy resource holders, and was killed in WG chairs last call - for precisely that reason. The final proposal that was accepted only covered resources given out by the RIPE NCC. Precisely my point. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
I'm just going to go "+1" on that as I couldn't have said it any better. rgds, Sascha Luck On Mon, Mar 07, 2016 at 10:31:51PM +0100, Gert Doering wrote:
Hi,
On Mon, Mar 07, 2016 at 09:02:26PM +0100, denis wrote:
The requirement for role: objects is also annoying if all there is is just a single person - so admin-c:, tech-c: point to "the person that is responsible for everything", while abuse-c: needs a new object.
Please learn from past mistakes.
Yes, please *do so*. Do not design something that is going to win a price at a computer scientist conference - design something that is easy to work with.
The current abuse-c: design is annoying, because it requires extra work to get to the point of documenting what you want to document. So people (remember: we want *people* to use that, and put useful information in there) are annoyed, and stop bothering.
I'm a bit more verbose about this, but if you ever wondered *why* abuse-c: isn't the huge success people expected: this is part of the "why". It is way too annoying to use.
[..]
Maybe some extended outreach activity could be started to actually ensure that some human is alive at ERX holders that the NCC had no contact anymore since <x> years - but friendly, not pushy. They have been here first, we have no authority over them.
2007-01?
One of the early version of 2007-01 indeed covered legacy resource holders, and was killed in WG chairs last call - for precisely that reason. The final proposal that was accepted only covered resources given out by the RIPE NCC.
Precisely my point.
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On 07/03/2016 23:37, Sascha Luck [ml] wrote:
I'm just going to go "+1" on that as I couldn't have said it any better.
rgds, Sascha Luck
On Mon, Mar 07, 2016 at 10:31:51PM +0100, Gert Doering wrote:
Hi,
On Mon, Mar 07, 2016 at 09:02:26PM +0100, denis wrote:
The requirement for role: objects is also annoying if all there is is just a single person - so admin-c:, tech-c: point to "the person that is responsible for everything", while abuse-c: needs a new object.
Please learn from past mistakes.
Yes, please *do so*. Do not design something that is going to win a price at a computer scientist conference - design something that is easy to work with.
I think you have made that comment as many times as I have suggested a review of the data model. If we had followed through with the other changes I proposed at the time it would have been much easier to work with. But trying to get any major improvements to this massively over complicated database on these mailing lists is as hopeless as asking Bush, Blair and Putin to make the world a better place. The same small group of people who dominate these mailing lists are not interested in making the database easy to use for new (and old) members. Why should you, many of you have been using it for 10+ years and know how it works. If you saw the way new members struggle to understand just the basics of using this database on a training course you would realise how crazy it is not to modernise it. And that is just the data input. Understanding the algebra that comes out of it is another can of worms. This data model and the issues of raw data vs information seriously needs a revolution.... ...and yes I know changing the data model does not stop people from entering emails as devnull but trust and responsibility is a separate thread from easy usage. Anyway, that is my rant for the night :) cheers denis
The current abuse-c: design is annoying, because it requires extra work to get to the point of documenting what you want to document. So people (remember: we want *people* to use that, and put useful information in there) are annoyed, and stop bothering.
I'm a bit more verbose about this, but if you ever wondered *why* abuse-c: isn't the huge success people expected: this is part of the "why". It is way too annoying to use.
[..]
Maybe some extended outreach activity could be started to actually ensure that some human is alive at ERX holders that the NCC had no contact anymore since <x> years - but friendly, not pushy. They have been here first, we have no authority over them.
2007-01?
One of the early version of 2007-01 indeed covered legacy resource holders, and was killed in WG chairs last call - for precisely that reason. The final proposal that was accepted only covered resources given out by the RIPE NCC.
Precisely my point.
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On Mon, Mar 7, 2016 at 1:33 PM, Gert Doering <gert@space.net> wrote:
I would like abuse-c: much more if it were changed in two ways:
- permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role:
This boils down to what I thought would have been the better implementation all along. Strong +1. Richard
I would like abuse-c: much more if it were changed in two ways:
- permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role:
This boils down to what I thought would have been the better implementation all along.
Strong +1.
Ditto. - Håvard
On 09/03/2016 12:05, Havard Eidnes wrote:
I would like abuse-c: much more if it were changed in two ways:
- permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role:
This boils down to what I thought would have been the better implementation all along.
Better is a relative word. It would be better to improve the operational usability and solve the problems you have without breaking the design. I have worked on the design, development and support of this database for 15 years. I know it inside out. I know what problems it has. I have seen the mistakes both new and old users have made. I have seen the crazy things users have done because the database semantics, syntax, business rules allowed it. If you make the changes you are asking for I guarantee within 2 or 3 years people will be saying abuse-c is a failure, lets invent something new to fix the mess. The trouble with these technical mailing lists is it is the same very very small number of people out of the 12k members and other interested parties who keep pushing the same ideas to fix your problems regardless of the consequences. As long as it works OK for you, everything must be fine. None of you are willing to think out of the box. I proposed some options for fixing these problems 2 years ago on RIPE Labs. I am not saying they are the best solutions, but no one has even commented on them in 2 years. This is not an open, bottom up process. This is a cartel of old timers who make all the decisions so they get their own way. This needs to be fixed. cheers denis
Strong +1.
Ditto.
- Håvard
I would like abuse-c: much more if it were changed in two ways:
- permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role:
This boils down to what I thought would have been the better implementation all along.
Better is a relative word. It would be better to improve the operational usability and solve the problems you have without breaking the design.
I have worked on the design, development and support of this database for 15 years. I know it inside out. I know what problems it has. I have seen the mistakes both new and old users have made. I have seen the crazy things users have done because the database semantics, syntax, business rules allowed it.
Frankly, I fail to see how that is that relevant to the above suggestion.
If you make the changes you are asking for I guarantee within 2 or 3 years people will be saying abuse-c is a failure, lets invent something new to fix the mess.
What sort of mess? Can you please be a bit more explicit?
The trouble with these technical mailing lists is it is the same very very small number of people out of the 12k members and other interested parties who keep pushing the same ideas to fix your problems regardless of the consequences. As long as it works OK for you, everything must be fine. None of you are willing to think out of the box. I proposed some options for fixing these problems 2 years ago on RIPE Labs. I am not saying they are the best solutions, but no one has even commented on them in 2 years.
This is not an open, bottom up process. This is a cartel of old timers who make all the decisions so they get their own way. This needs to be fixed.
"Thanks" for the ad hominem. Instead of discussing the merits of the above suggestion in a reasoned manner, I get told that I'm part of an old-mans-club or worse. I may be old, but that was nevertheless uncalled for, IMHO. Best regards, - Håvard
Hi Havard On 09/03/2016 22:02, Havard Eidnes wrote:
I would like abuse-c: much more if it were changed in two ways:
- permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role:
This boils down to what I thought would have been the better implementation all along.
Better is a relative word. It would be better to improve the operational usability and solve the problems you have without breaking the design.
I have worked on the design, development and support of this database for 15 years. I know it inside out. I know what problems it has. I have seen the mistakes both new and old users have made. I have seen the crazy things users have done because the database semantics, syntax, business rules allowed it.
Frankly, I fail to see how that is that relevant to the above suggestion.
Because when you have a long term perspective on how people have used this database, the above suggestions fit into the category of those crazy things, imo.
If you make the changes you are asking for I guarantee within 2 or 3 years people will be saying abuse-c is a failure, lets invent something new to fix the mess.
What sort of mess? Can you please be a bit more explicit?
First of all references to PERSON objects. The original design, from old documents I have read over the years, was that a PERSON object is for holding personal information about a real person. These should only be referenced in ROLE objects and the ROLE objects should be referenced every where else in the database. But the constraints were never implemented and PERSON and ROLE just became a fuzzy mess. The RIPE NCC has spent a lot of time over the years helping people out when a person leaves an organisation and HIS PERSON object is referenced in 10s or 100s of thousands of objects. I know Gert is particularly upset that he has to create a ROLE object. But having some standardisation in how things work, in the long term, leads to more efficient usage and better understanding of how the database works. But this also highlights one of my issues with the people who discuss these points on these mailing lists. Most of these people have used this database for so long they 'just know' how it works. They don't seem to understand the problems new users face when trying to understand this thing. It is a case of decimalisation vs imperial measurements. Once you know the imperial measurements you never forget them, but it takes a long time to learn them. Then there is the issue of allowing abuse-c in multiple places some of which will override others. Over time this will get confused, more specific values will be missed and reports will be sent to the wrong addresses. Also some people will still dig into the database manually thinking they know how it works and will inevitably find the wrong values.
The trouble with these technical mailing lists is it is the same very very small number of people out of the 12k members and other interested parties who keep pushing the same ideas to fix your problems regardless of the consequences. As long as it works OK for you, everything must be fine. None of you are willing to think out of the box. I proposed some options for fixing these problems 2 years ago on RIPE Labs. I am not saying they are the best solutions, but no one has even commented on them in 2 years.
This is not an open, bottom up process. This is a cartel of old timers who make all the decisions so they get their own way. This needs to be fixed.
"Thanks" for the ad hominem. Instead of discussing the merits of the above suggestion in a reasoned manner, I get told that I'm part of an old-mans-club or worse. I may be old, but that was nevertheless uncalled for, IMHO.
I hit reply but this was intended as a generalised comment. However you cannot argue against the facts. Ignoring the AP WG, where half the people are trying to maximise the value of IP addresses and the other half are trying to minimise costs in the crazy IP gold mine, for the technical mailing lists it is the same small group of people who make the decisions. In many cases they already know each others viewpoints. They can choose to blank out discussions they don't want to even acknowledge, like the data model. I have been trying to start a discussion on having a review to see if anything would be improved by a change. That is so far removed from actually changing anything. But still no one will even acknowledge my points. Only Shane and one other person have ever commented on any point I have made about the data model in the last 8 months. Some 'senior'/'elders'/'long established' people on these lists, who respond to other points I make, noticeably cut out the bit where I mentioned the data model in the reply. So nothing I said about the data model gets perpetuated in any discussion. But now I don't think there is any point in having that discussion. It will be the same people who discuss it and I already know their views...leave it alone, change nothing, 'we' don't need it simplifying. It will help new members more than established ones, although it could benefit all members. And there aren't many new members on these lists. Two years ago when I used to go to all RIPE Meetings and talk to people about the data model and explain some ideas there was quite a bit of interest. But those people don't talk on mailing lists....except the previous co-chairs of the DB WG who all liked some of my ideas when I presented to them. The mailing list archives are there for anyone to analyse. I did this once and the number of individuals (excluding chairs and NCC staff who you expect to be on the lists) who commented on the technical lists over a year was very small indeed. I don't expect much to change in the near future... cheers denis
Best regards,
- Håvard
On Tue, Mar 8, 2016 at 9:14 AM, Richard Hartmann <richih.mailinglist@gmail.com> wrote:
On Mon, Mar 7, 2016 at 1:33 PM, Gert Doering <gert@space.net> wrote:
I would like abuse-c: much more if it were changed in two ways:
- permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role:
This boils down to what I thought would have been the better implementation all along.
Strong +1.
If I can chip in with a -1 here, and maybe shed some light on this... It's not enough to state "let's add abuse-c here and here and here". Also think about how one is supposed to return the abuse contact afterwards. It should be algorithmically feasible to fetch the abuse contact from the RIPE DB. Should inet(6)num take precedence? Should the role object? or the organisation? or maybe a route? Or a combination of these, with their parents involved? And one more thing. As far as data quality goes, users are not known to keep their data up to date (sorry for the few exceptions - you're not the rule). Then you will have to start to figure out which abuse-c is outdated and which isn't; which one is still relevant and which is not. That's NOT a database, that's a job for google. If there is a data you want to store and retrieve, there should be one and exactly one way to do that. You make more, there will be confusion. I agree the current way abuse-c is done is complicated. We knew that when we implemented it. But it IS a single place to store that data, and that is very important. Because changing data format is easy. Adding a new API to return abuse contact is easy. What is extremely hard is to gather data that is simply not present in the database. The real problem with the RIPE DB is that it is vastly outdated. A lot of maintenance has been neglected over the years, because it's costly for everyone. Abuse-c is a breaking point - having to choose between data quality and ease of use. Cheers, Agoston
Hi, On Wed, Mar 09, 2016 at 11:36:48PM +0100, Horváth Ágoston János wrote:
It's not enough to state "let's add abuse-c here and here and here". Also think about how one is supposed to return the abuse contact afterwards. It should be algorithmically feasible to fetch the abuse contact from the RIPE DB. Should inet(6)num take precedence? Should the role object? or the organisation? or maybe a route? Or a combination of these, with their parents involved?
This is why I've detailed a possible and very well-defined search order in my proposal.
And one more thing. As far as data quality goes, users are not known to keep their data up to date (sorry for the few exceptions - you're not the rule). Then you will have to start to figure out which abuse-c is outdated and which isn't; which one is still relevant and which is not. That's NOT a database, that's a job for google.
So, why is "require indirection via a organisation: and role: object" going to help with stale data? Except by making it so complicated that nobody is willingly going to use it to document abuse-handling exception for more specific subnets - in which case you've succeeded... Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Hi Gert, I agree with you that the implementation of abuse-c was 'poor'. On 3/10/16 1:57 AM, Gert Doering wrote:
Hi,
On Wed, Mar 09, 2016 at 11:36:48PM +0100, Horváth Ágoston János wrote:
It's not enough to state "let's add abuse-c here and here and here". Also think about how one is supposed to return the abuse contact afterwards. It should be algorithmically feasible to fetch the abuse contact from the RIPE DB. Should inet(6)num take precedence? Should the role object? or the organisation? or maybe a route? Or a combination of these, with their parents involved? This is why I've detailed a possible and very well-defined search order in my proposal.
And one more thing. As far as data quality goes, users are not known to keep their data up to date (sorry for the few exceptions - you're not the rule). Then you will have to start to figure out which abuse-c is outdated and which isn't; which one is still relevant and which is not. That's NOT a database, that's a job for google. So, why is "require indirection via a organisation: and role: object" going to help with stale data?
Except by making it so complicated that nobody is willingly going to use it to document abuse-handling exception for more specific subnets - in which case you've succeeded... abuse-c should have been implemented just like admin-c and tech-c is, as an attribute to the resource (inet(6)num and aut-num) objects.
It is easier for the LIR to have it in one place only, but you need to register an organisation and role object for each customer... if you want them to handle the abuse themselves. or if you have different departments handling abuse for different (parts of your) resources. Maybe we should talk about changing the implementation of abuse-c such that you can not register a resource (allocation or assignment) unless you use the mandatory abuse-c (person or role) object, just as you do with admin-c and tech-c today.
Gert Doering -- NetMaster regards, elvis
HI Elvis On 10/03/2016 11:39, Elvis Daniel Velea wrote:
Hi Gert,
I agree with you that the implementation of abuse-c was 'poor'.
Sorry Elvis but you are neither a software engineer nor a regular user inputting data into the RIPE Database. So your unsubstantiated statement of 'poor' does not carry much weight.
On 3/10/16 1:57 AM, Gert Doering wrote:
Hi,
On Wed, Mar 09, 2016 at 11:36:48PM +0100, Horváth Ágoston János wrote:
It's not enough to state "let's add abuse-c here and here and here". Also think about how one is supposed to return the abuse contact afterwards. It should be algorithmically feasible to fetch the abuse contact from the RIPE DB. Should inet(6)num take precedence? Should the role object? or the organisation? or maybe a route? Or a combination of these, with their parents involved? This is why I've detailed a possible and very well-defined search order in my proposal.
And one more thing. As far as data quality goes, users are not known to keep their data up to date (sorry for the few exceptions - you're not the rule). Then you will have to start to figure out which abuse-c is outdated and which isn't; which one is still relevant and which is not. That's NOT a database, that's a job for google. So, why is "require indirection via a organisation: and role: object" going to help with stale data?
Except by making it so complicated that nobody is willingly going to use it to document abuse-handling exception for more specific subnets - in which case you've succeeded... abuse-c should have been implemented just like admin-c and tech-c is, as an attribute to the resource (inet(6)num and aut-num) objects.
As a massive over duplicated pile of repetitive data in 3+ million objects. Really good idea Elvis. That is good database design...No one ever checks if the admin-c and tech-c point to the right objects in their 10s of thousands of resource objects.
It is easier for the LIR to have it in one place only, but you need to register an organisation and role object for each customer... if you want them to handle the abuse themselves. or if you have different departments handling abuse for different (parts of your) resources.
I will say it again, again, again....I wrote a labs article with some ideas on this 2 years ago which may not be the best ideas, but as no one has even commented on them in 2 years who knows....
Maybe we should talk about changing the implementation of abuse-c such that you can not register a resource (allocation or assignment) unless you use the mandatory abuse-c (person or role) object, just as you do with admin-c and tech-c today.
Maybe we should talk about making admin-c and tech-c work like abuse-c. That would be a step in the right direction. cheers denis
Gert Doering -- NetMaster regards, elvis
Hi, On Thu, Mar 10, 2016 at 06:50:52PM +0100, denis wrote:
Maybe we should talk about making admin-c and tech-c work like abuse-c. That would be a step in the right direction.
So you want to add millions of unmaintained organization: objects to the millions of unmaintained admin-c:/tech-c: references? Sounds like a very good plan to improve data quality! What?! (I wouldn't mind the hierarchical lookup capability that abuse-c: has, so "if an inetnum has no tech-c:, find the next less specific and use that", but the indirection via org and mandatory role is way too silly to be extended further. Maybe you should start *using* the database for a while, like, "work at an ISP", so you can see which ideas are just not practical from a user point of view?) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Hi Gert I know we have a fundamental difference of opinion here but I will try to be constructive. On 10/03/2016 19:00, Gert Doering wrote:
Hi,
On Thu, Mar 10, 2016 at 06:50:52PM +0100, denis wrote:
Maybe we should talk about making admin-c and tech-c work like abuse-c. That would be a step in the right direction.
So you want to add millions of unmaintained organization: objects to the millions of unmaintained admin-c:/tech-c: references?
For a start there would not be millions of unmaintained admin-c and tech-c references if they were used hierarchically. The problem here is that they are both mandatory in the inet(6)num objects. But for many organisations they don't need a different reference for every resource. This just generates massive amounts of unmaintained references. It gets even worse when the reference PERSON objects instead of ROLE objects. So for many organisations to define just one admin-c and one tech-c in their ORGANISATION object would be all they need. I know there are power uses who don't follow the simple model. But so many members (who don't seem to be represented on these mailing lists) would benefit from such simplifications. Secondly you would only need more ORGANISATION objects for these power uses who have more complex business models.
Sounds like a very good plan to improve data quality!
What?!
(I wouldn't mind the hierarchical lookup capability that abuse-c: has, so "if an inetnum has no tech-c:, find the next less specific and use that", but the indirection via org and mandatory role is way too silly to be extended further. Maybe you should start *using* the database for a while, like, "work at an ISP", so you can see which ideas are just not practical from a user point of view?)
There must be a middle ground here between my desire to simplify the data model and use a lot more inheritance and your desire not to have to duplicate ORGANISATION objects. But no one is willing to talk about the bigger picture. This database design is almost 20 years old. The abuse-c and irt object are the only things that use inheritance in this hierarchical structure. The majority of the 12k+ members are not like many of the people on these mailing lists. They have not been using this database for the last 20 years. They really do struggle to understand it and use it. Technology that gets stuck in a time warp is bad technology. But there is no vision about what to do with this registry database. The RIPE NCC has had, has and will have some very good engineers, analysts and designers. You are paying for them. But they are too scared to propose a big change in case the 'community' just says NO. So instead they try to slip in little changes to nudge it along in a better direction. Changes they hope won't rock any boats and will get approved. That is why abuse-c works the way it does. I had a much bigger vision at the time but was not able to say it. So it is a little bit of a bigger plan which on its own may not be the best solution. This is why I keep banging my head against the wall about the data model. I have nothing personally to gain or lose either way. But professionally I want to see this product move forward for the good of the internet community. The data model is way past the stage of little changes and tweaks now. What it needs now is a revolution...even if that is done in small backwards compatible steps....at least have a vision about where it is going. The last revolution was 17 years ago and deployed in a big bang 15 years ago....it is time for another one. cheers denis
Gert Doering -- NetMaster
denis wrote: 1.
Sorry Elvis but you are neither a software engineer nor a regular user inputting data into the RIPE Database. So your unsubstantiated statement of 'poor' does not carry much weight.
2.
This is not an open, bottom up process. This is a cartel of old timers who make all the decisions so they get their own way. This needs to be fixed.
Denis, you can't have it both ways. Nick
Hello Denis,
Sorry Elvis but you are neither a software engineer nor a regular user inputting data into the RIPE Database. So your unsubstantiated statement of 'poor' does not carry much weight.
Excuse me, but you do not get to decide that a fellow working group member's contribution does not carry much weight. That is the working group chairs' job when deciding on consensus, and from experience I know that even the chairs only do that in very rare circumstances. Consensus is based on content and supporting arguments, not on whether you judge somebody worthy... Cheers, Sander
On 07/03/16 13:33, Gert Doering wrote:
I would like abuse-c: much more if it were changed in two ways:
- permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role:
+many.
my main issue is the forced indirection through organisation: objects which might not exist ("because there is no need to create a separate organisation: object just to earmark a specific inetnum: so abuse could go somewhere else").
+many, again. This is what is expected by anyone working with the RIPE DB. [...]
Maybe some extended outreach activity could be started to actually ensure that some human is alive at ERX holders that the NCC had no contact anymore since <x> years - but friendly, not pushy. They have been here first, we have no authority over them.
Entirely reasonable. Gilles -- Fondation RESTENA - DNS-LU 2, avenue de l'Université LU-4365 Esch-sur-Alzette tel: +352.4244091 fax: +352.422473
On 08-Mar-2016, at 2:10 PM, Gilles Massen <gilles.massen@restena.lu> wrote:
Maybe some extended outreach activity could be started to actually ensure that some human is alive at ERX holders that the NCC had no contact anymore since <x> years - but friendly, not pushy. They have been here first, we have no authority over them.
Entirely reasonable.
Even more reasonable because some kind souls are hijacking and announcing quite a lot of such IP space, and using it for malicious purposes.
I would like abuse-c: much more if it were changed in two ways: - permit abuse-c: in inet(6)num: objects - permit abuse-c: to point to a normal person: object, not only role:
wfm
Hi Niall On 07/03/2016 11:52, Niall O'Reilly wrote:
On 7 Mar 2016, at 10:29, denis wrote:
Don't make emotive, vague comments like this....explain with facts.
and a little further on:
When you work that one out they can apply the same principle to "abuse-c:". Problem solved...
Not at all. the rest of the paragraph you edited out were the facts in this case. cheers denis
Pot, kettle, etc. /Niall
On Mon, Mar 07, 2016 at 11:29:11AM +0100, denis wrote:
In its current implementation, abuse-c: is not only useless, it's potentially harmful.
Don't make emotive, vague comments like this....explain with facts.
As it is implemented now, for existing resources, if a LIR does not set the abuse-c:, the NCC will create an object for it, using whatever contact data they happen to have around for the LIR. This is not improving the data quality of the ripedb and it is potentially directing the attention of every "concerned citizen" with an email account and potentially even that of law enforcement towards people whose business it simply isn't to handle abuse.
I love it when people make comments like this without thinking the argument through. For an INETNUM object "admin-c:" and "tech-c:" are both mandatory. So they are both considered "an important part of registry documentation". So by your argument the NCC should ensure someone *handles administrative and technical issues*. How do you propose the NCC does that? When you work that one out they can apply the same principle to "abuse-c:". Problem solved...
So maybe admin-c: and tech-c: are just conveniences and shouldn't be mandatory either. It would be preferrable to a proliferation of contact objects, all mandatory, and it would be preferrable to having this data but it being mostly bullshit. rgds, Sascha Luck
On Thu, 03 Mar 2016 19:35:49 +0900 Randy Bush <randy@psg.com> wrote:
it would be a convenience to me for you to send me €1000/mo, and i am sure many other sould line up. let's make it mandatory. can we agree to leave the straw men out of this discussion? They're not helping. no. even you seem to confuse what is necessary for the ncc to maintain a rigorously correct resource allocation registry and what is convenient for operators. i understamd the former being mandatory. while i occasionally find a good abuse-c: useful, it is not my prerogative to mandate that another operator have one for my convenience. the ncc's job is a rigorous registry, not a convenience store for ops. randy
it is actually very simple: any rigorously correct resource allocation registry data must include accurate abuse records. otherwise it is hardly: a rigorously correct resource allocation registry but more: just a sort of a correct resource allocation registry
On Thu, 03 Mar 2016 19:26:18 +0900 Randy Bush <randy@psg.com> wrote:
I may be in za physically, but the infrastructure of my current employers are in EU, anyway, as you said already it is a convenience for ops to have abuse-c but the point is that it is actually convenient for a whole lot of others (incl me) it would be a convenience to me for you to send me €1000/mo, and i am sure many other sould line up. let's make it mandatory. if you want to tell others how to run their networks, go to arin.
I think the point you are missing is that nobody is telling anyone how to manage their allocated resources. You seem to be stuck on this that someone is trying to tell you how to do something. This is not the case. What I am saying is that that the responsible people/person/group/company/organization should be easy to identify in terms of abuse And, that ALL your data is accurate on the ncc db, otherwise, what is the point of any data anyway?
* Randy Bush:
there has to be accurate records for abuse-c
really? and how does abuse-c affect the effective operation of the ncc resource registry.
They can point law enforcement to a more reliable self-service tool, I assume.
Hi Randy On 03/03/2016 00:10, Randy Bush wrote:
[ i may be totally misunderstanding things here, but i never bought mandatory abuse-c in the first place ]
so the idea is we mandate that there be an abuse-c: so that there is an email address where we can send mail to which there will be no response?
The RIPE Database is full of email addresses. If I don't know which one is intended to receive abuse complaints by responsible network managers would you prefer I spam every email address I can find? That was the previous behaviour before we introduced abuse-c.
i am hesitant to mandate behavior beyond that necessary for the ncc to maintain accurate records of resource 'ownership'. beyond that is me telling someone else how to run their network.
No it is telling someone to manage their networks in a responsible manner. cheers denis i suspect they will
listen to their management before they listen to me, and rightly so.
randy
so the idea is we mandate that there be an abuse-c: so that there is an email address where we can send mail to which there will be no response?
The RIPE Database is full of email addresses. If I don't know which one is intended to receive abuse complaints by responsible network managers would you prefer I spam every email address I can find? That was the previous behaviour before we introduced abuse-c.
if the LIR does not want your shotgun blast, they can publish and abuse-c: and maybe you will use it instead. or maybe you won't.
i am hesitant to mandate behavior beyond that necessary for the ncc to maintain accurate records of resource 'ownership'. beyond that is me telling someone else how to run their network.
No it is telling someone to manage their networks in a responsible manner.
where you define responsibility. the ncc is not a regulator, it is a coordinator. if you want to be told how to run your network by weenie vigilantes, go to arin. randy
On Thu, 03 Mar 2016 15:25:50 +0900 Randy Bush <randy@psg.com> wrote: <snip>
where you define responsibility. the ncc is not a regulator, it is a coordinator. if you want to be told how to run your network by weenie vigilantes, go to arin. randy
whahahaha I think the take away here is that abuse-c should contain accurate data. What is the point if that any/all of the data could be fake or is empty? Who decides what/which data fields is/are relevant/important and could be fake/non existent etc? How/if/or/whatever the specific receiver of the data responds (/dev/null - etc) is perfectly up to that network...
On 3 Mar 2016, at 19:25, Randy Bush <randy@psg.com> wrote:
so the idea is we mandate that there be an abuse-c: so that there is an email address where we can send mail to which there will be no response?
The RIPE Database is full of email addresses. If I don't know which one is intended to receive abuse complaints by responsible network managers would you prefer I spam every email address I can find? That was the previous behaviour before we introduced abuse-c.
if the LIR does not want your shotgun blast, they can publish and abuse-c: and maybe you will use it instead. or maybe you won't.
i am hesitant to mandate behavior beyond that necessary for the ncc to maintain accurate records of resource 'ownership'. beyond that is me telling someone else how to run their network.
No it is telling someone to manage their networks in a responsible manner.
where you define responsibility. the ncc is not a regulator, it is a coordinator. if you want to be told how to run your network by weenie vigilantes, go to arin.
Made my day:) I think abuse c is about to clear the confusion which email sent abuse to, but of course whether the network responds to the abuse report it not, or even care to put an useful email there, are totally up to them, end of the day, it's their network and they the one responsible and running it.
randy
Randy Bush wrote:
so the idea is we mandate that there be an abuse-c: so that there is an email address where we can send mail to which there will be no response?
you could just as easily make the same arguments about admin-c or tech-c. Nick
so the idea is we mandate that there be an abuse-c: so that there is an email address where we can send mail to which there will be no response?
you could just as easily make the same arguments about admin-c or tech-c.
no. being able to contact them is necessary for the ncc to maintain the registry. randy
On 03/03/2016 11:32, Randy Bush wrote:
so the idea is we mandate that there be an abuse-c: so that there is an email address where we can send mail to which there will be no response?
you could just as easily make the same arguments about admin-c or tech-c.
no. being able to contact them is necessary for the ncc to maintain the registry.
It is not necessary to have either an admin-c or tech-c for the NCC to maintain the registry. The NCC has it's own internal details of how to contact resource holders. The admin-c and tech-c are a convenience for other network managers to contact each other. So even you are now confused over what is operationally useful and what is for registry accuracy. cheers denis
randy
Hi, On Thu, Mar 03, 2016 at 10:30:27AM +0000, Nick Hilliard wrote:
Randy Bush wrote:
so the idea is we mandate that there be an abuse-c: so that there is an email address where we can send mail to which there will be no response?
you could just as easily make the same arguments about admin-c or tech-c.
But that's not half as botched as abuse-c: (I do think that having well-defined abuse contacts are useful, but the idea that the indirection has to go through an organization: object is a computer scientists' idea on how the world has to work, and that annoys me enough to hate the whole abuse-c: stuff) Hierarchical inheritance is great. Put abuse-c: in your top-level inetnum, and all is good. Put it into your org if you *want*. But if you have one particular inetnum that wants a different abuse-c:, having to add a new object to be able to do so is just... *argh* Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Hi Gert I published some ideas almost 2 years ago on how we could improve abuse-c https://labs.ripe.net/Members/denis/suggestions-for-improving-abuse-handling I am not saying these are a perfect solution either, but no one was interested in discussing ways forward... ...dare I also say this clumsiness is partly due to the data model 'design'....which no one wants to discuss either. cheers denis On 03/03/2016 11:38, Gert Doering wrote:
Hi,
On Thu, Mar 03, 2016 at 10:30:27AM +0000, Nick Hilliard wrote:
Randy Bush wrote:
so the idea is we mandate that there be an abuse-c: so that there is an email address where we can send mail to which there will be no response?
you could just as easily make the same arguments about admin-c or tech-c.
But that's not half as botched as abuse-c:
(I do think that having well-defined abuse contacts are useful, but the idea that the indirection has to go through an organization: object is a computer scientists' idea on how the world has to work, and that annoys me enough to hate the whole abuse-c: stuff)
Hierarchical inheritance is great. Put abuse-c: in your top-level inetnum, and all is good. Put it into your org if you *want*. But if you have one particular inetnum that wants a different abuse-c:, having to add a new object to be able to do so is just... *argh*
Gert Doering -- NetMaster
Reedier I disagree A standardised abuse-c contact was introduced by RIPE some time ago based on the anti-abuse WG’s work. This was communicated via various media and via RIPE staff and at RIPE meetings etc., The “new” policy that is being proposed improves the overall ecosystem for all users and any delay in implementing it is ill advised. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains http://www.blacknight.host/ http://blog.blacknight.com/ http://ceo.hosting/ Intl. +353 (0) 59 9183072 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
* Ruediger Volk:
No PDP is needed to send friendly invitations to legacy holders to populate their data objects with abuse-c information; I'm sure asking the RIPE NCC to do this would not create an undue burden or serious problem.
How is 2016-01 different from sending such notices? The net effect seems to be about the same. The interesting question (with either approach) is what RIPE NCC should do if it has proof that the contact information in the RIPE database is incorrect.
Hi Ruediger I have to say this was a very long winded way to say, as a legacy resource holder, you don't want to handle abuse complaints. Which planet have you been living on for the last 20 years (since you got your legacy resources)? RIPE/RIPE NCC have tried so many times over these years to encourage people to do things voluntarily. The caring professionals with a social responsibility will always do the right thing whether it is voluntary or enforced. As for the rest, some will go to any length to avoid doing the right thing (for their own reasons) and the others will not find time to do anything until you threaten them with enforcement. The latter are spending their time running genuine businesses and trying to make profits (which is why you run a business) and just need the enforcement kick to make them prioritise some action. I am sure some people will be offended by what I am about to say, although it is not my intention to be offensive, but I am going to do a Donald Trump and say what many others are too scared to say. There is nothing special about legacy resources or legacy resource holders. They are IP addresses just like all the others. You just got in early and got massive amounts of address space that is now (stupidly) worth a fortune. From a moral, ethical and community point of view there should be no difference in the way either is treated. Abuse can come from any IP address. In general 'abuse' does not care about the nature of the address space. But it is useful if the address space is private and the public has no way to contact the holder or user. I am very suspicious of anyone who wants to keep legacy space outside the scope of sensible and responsible IP address management. What do you have to hide? The whole purpose of abuse-c was to provide one standardised method of documenting abuse contacts for ALL address space. If you insist on keeping some address space 'special' and separate from the rest and not engage in responsible management then the whole system breaks down. Your argument about legacy resource holders not understanding anything about abuse-c is just crazy talk. Are these people so out of touch they have never heard of google? If they know what an IP address is and what to do with it (besides sell it) then they know how to find out about abuse-c. If you google for 'abuse-c' the first 4 hits are RIPE NCC documentation on 'abuse-c'. The fact that you are going to such lengths to oppose this policy implies to me that you don't want to set up an abuse contact for your legacy address space. That is the reason this policy is needed and enforcement is the only way forward. cheers denis On 28/02/2016 19:38, Ruediger Volk wrote:
Dear colleagues,
I object to passing the policy as proposed. There is no serious need for the policy, and at this time and under curent circumstance it would actually be harmful. I believe that the supposed good intentions would be better served by other actions, and the policy focussing on enforcement is ill advised.
I understand that the current implementation of the RIPE database allows legacy holders to enter abuse-c attributes for their legacy resources if that's currently not possible the required extension of the database should be discussed (in the approprioate wg) and implementation would NOT require the PDP (as more drastic changes have been done to the database - and that extension hardly would contradict existing policy). No PDP is needed to send friendly invitations to legacy holders to populate their data objects with abuse-c information; I'm sure asking the RIPE NCC to do this would not create an undue burden or serious problem.
Enhancing the invitations with some additional information potentially helpful to the recipients could be considered too: - some hints/guidance about expected use and support of that mailbox (active members of the abuse handling community probably will NOT be the typical recipient! and no injuries are expected if any community member sees that information:-) - specific suggestions what to put into the abuse-c field (whatever the RIPE NCC might use to extrapolate abuse-c from existing data) The working group should contribute helpful information to be included.
I'm quite certain running a second invitation campaign would be even less of a problem and effort for RIPE NCC; I cannot predict how much the information provided in a later campaign can be improved based on feedback and experience from an earlier one.
You may argue, that such more friendly approach could have been used also earlier - and I would very much agree and I certainly complained and suggested that at least the forced population of missing abuse-c should be postponed until friendly information was made available.
Now we do NOT HAVE TO repeat past errors... Specifically with legacy resource holders it would be a good idea for RIPE community and NCC to address them with an inviting and helpful approach; as there is a sad history of seemingly coercive and unfriendly communications towards legacy holders.
REPEATING the error now - even considering the much lower number of relevant records - is however actually MORE SERIOUS in DAMAGING the CREDIBILITY of the working group (and as a consequence the RIPE NCCs position) because of the accumulated history. Repeated requests for information on supposed use und handling of abuse-c has been answered by pointing out that it is required by a policy that was consciously created without any such information. The new policy proposal painfully fits into the sad observation that the anti-abuse working group as a community has constantly put effort into enforcing creation and population of abuse-c data but not (even tried) to provide to the rest of the world helpful explanations on requirements and expected handling at the requested mailboxes. That observations leads to the question whether the community is not able to come up with some helpful explanation or whether it does not care... :-( In both cases asking for enforcement does seem neither appropriate nor acceptable and means that the request cannot be taken serious - bad for the perception of RIPE and RIPE NCC activety by parties that are not heavily involved in the community processes. Consider the typical person confronted with a request to define abuse-c: how deeply is he involved with the anti-abuse working group (where a common understanding might exist - I consider myself only occassional observer and not a member and don't know)?
Trying to close more quickly and on a more constructive perspective let me skip to elaborate here on my judgement: at close inspection the rationale and arguments look quite broken.
The policy content does actually not matter that much - look for a sketch of a potential harmless implementation approach above in this message. What matters is appropriate use of the PDP (it can be abused!!!) and what are good goals of the working group and good ways of achieving them.
The assumed good goals (as I understand it) are (a) improving quality of abuse-c information in order to (b) improve abuse reporting and report handling processes and (c) extending the abuse-c coverage for Internet number resources in the RIPE NCC registry
The policy proposal references (a) and (b) quite explicitly; I took the liberty to interpolate (b) which actually seems to be the primary goal, and it looks like the working group decided that this will be helped by means of creating distinctly identified mailbox information to be put into abuse-c. The criterium for gauging (a) seems to be whether "improved data" actually helps "improve processing" (b) - what else? Creating abuse-c entries of better/good quality obviously depends on the recipient being appropriate and informed about expected potential messages and preparing to deal with them. Forcing creation of abuse-c in any other way is not going to create better quality but actually looses information (you loose track of which entries have the "quality of informed and [potentially] prepared recipient").
We have to assume that Internet number resource holders requested to establish abuse-c - usually are NOT focussed an abuse handling (different core business:-) - in many cases are not members of the anti-abuse working (and unlikely to have insight into undocumented potential consensus views of the working group or the larger abuse-c activist community) - in general willing to cooperate (we really should care for those and help them! ... yes, there are others - from "don't care" to "evil")
For making a reasoned decision about the recipient for abuse-c and preparing for handling messages one obviously needs some understanding/explanation of what is expected. If no such helpful information is offered at the time of requesting abuse-c setup, many well intentioned parties will *something* (not really good "quality") to fill required fields and little motivation to followup will remain. If they care to ask for helpful information and the answer stays "this is required by policy, and it consciously declines to explain", they are likely to conclude that they have to submit to RIPE policies and the policy makers+process that cannot be taken serious...
I note that for goal (b) of course some common understanding of expected use and handling for the abuse-c mailbox is a prerequisite on BOTH sides (senders also!)
I do not expect to see formal, precise, and exhaustive definition of requirements and intended/expected use of abuse-c use - that would seem fairly impossible and certainly would not provide a practical answer to the issue. The working group needs to followup it previous abuse-c policy by starting to create practically useful explanations, before considering more "enforcement" (actually IMHO all enforcement activety should [have] be[en] postponed - potentially replaced by friendly invitations). It may take considerable effort to develope consensus on such documentation - but is it reasonable to rely on all relevant outside parties to have the first contact figure out completely on his own and explain to his management, consultants, service providers, etc... what needs to be done? (what aggregated cost and what "quality" implications do you expect?)
It's ok to have working groups that just have internal fun between some birds of a feather. If a working group feels like making demands (e.g. policies) to a larger community it should also consider what support it needs to provide to serve the purposes of that larger community.
Thanks for your attention and consideration. Ruediger Volk
P.S.: Sorry, for a painfully long message. Trust me I had more painful time writing - and making it shorter would have been worse - with termination not secure:-)
I hope that the painful length does not obscure - valid concern - constructive suggestions
denis wrote:
There is nothing special about legacy resources or legacy resource holders. They are IP addresses just like all the others. [...] From a moral, ethical and community point of view there should be no difference in the way either is treated.
These are good principals. I support 2016-01 for these reasons and because the abuse-c mechanism, while not perfect, is a good deal better than not having it. Nick
On Sun, 28 Feb 2016, Ruediger Volk wrote: As someone with legacy space (and who takes issue with RIPE NCC about certain policies) I have no problem with abuse-c. I defined it ages ago on all inetnums because that is the right thing to do. -Hank
Dear colleagues,
I object to passing the policy as proposed. There is no serious need for the policy, and at this time and under curent circumstance it would actually be harmful. I believe that the supposed good intentions would be better served by other actions, and the policy focussing on enforcement is ill advised.
I understand that the current implementation of the RIPE database allows legacy holders to enter abuse-c attributes for their legacy resources if that's currently not possible the required extension of the database should be discussed (in the approprioate wg) and implementation would NOT require the PDP (as more drastic changes have been done to the database - and that extension hardly would contradict existing policy). No PDP is needed to send friendly invitations to legacy holders to populate their data objects with abuse-c information; I'm sure asking the RIPE NCC to do this would not create an undue burden or serious problem.
Enhancing the invitations with some additional information potentially helpful to the recipients could be considered too: - some hints/guidance about expected use and support of that mailbox (active members of the abuse handling community probably will NOT be the typical recipient! and no injuries are expected if any community member sees that information:-) - specific suggestions what to put into the abuse-c field (whatever the RIPE NCC might use to extrapolate abuse-c from existing data) The working group should contribute helpful information to be included.
I'm quite certain running a second invitation campaign would be even less of a problem and effort for RIPE NCC; I cannot predict how much the information provided in a later campaign can be improved based on feedback and experience from an earlier one.
You may argue, that such more friendly approach could have been used also earlier - and I would very much agree and I certainly complained and suggested that at least the forced population of missing abuse-c should be postponed until friendly information was made available.
Now we do NOT HAVE TO repeat past errors... Specifically with legacy resource holders it would be a good idea for RIPE community and NCC to address them with an inviting and helpful approach; as there is a sad history of seemingly coercive and unfriendly communications towards legacy holders.
REPEATING the error now - even considering the much lower number of relevant records - is however actually MORE SERIOUS in DAMAGING the CREDIBILITY of the working group (and as a consequence the RIPE NCCs position) because of the accumulated history. Repeated requests for information on supposed use und handling of abuse-c has been answered by pointing out that it is required by a policy that was consciously created without any such information. The new policy proposal painfully fits into the sad observation that the anti-abuse working group as a community has constantly put effort into enforcing creation and population of abuse-c data but not (even tried) to provide to the rest of the world helpful explanations on requirements and expected handling at the requested mailboxes. That observations leads to the question whether the community is not able to come up with some helpful explanation or whether it does not care... :-( In both cases asking for enforcement does seem neither appropriate nor acceptable and means that the request cannot be taken serious - bad for the perception of RIPE and RIPE NCC activety by parties that are not heavily involved in the community processes. Consider the typical person confronted with a request to define abuse-c: how deeply is he involved with the anti-abuse working group (where a common understanding might exist - I consider myself only occassional observer and not a member and don't know)?
Trying to close more quickly and on a more constructive perspective let me skip to elaborate here on my judgement: at close inspection the rationale and arguments look quite broken.
The policy content does actually not matter that much - look for a sketch of a potential harmless implementation approach above in this message. What matters is appropriate use of the PDP (it can be abused!!!) and what are good goals of the working group and good ways of achieving them.
The assumed good goals (as I understand it) are (a) improving quality of abuse-c information in order to (b) improve abuse reporting and report handling processes and (c) extending the abuse-c coverage for Internet number resources in the RIPE NCC registry
The policy proposal references (a) and (b) quite explicitly; I took the liberty to interpolate (b) which actually seems to be the primary goal, and it looks like the working group decided that this will be helped by means of creating distinctly identified mailbox information to be put into abuse-c. The criterium for gauging (a) seems to be whether "improved data" actually helps "improve processing" (b) - what else? Creating abuse-c entries of better/good quality obviously depends on the recipient being appropriate and informed about expected potential messages and preparing to deal with them. Forcing creation of abuse-c in any other way is not going to create better quality but actually looses information (you loose track of which entries have the "quality of informed and [potentially] prepared recipient").
We have to assume that Internet number resource holders requested to establish abuse-c - usually are NOT focussed an abuse handling (different core business:-) - in many cases are not members of the anti-abuse working (and unlikely to have insight into undocumented potential consensus views of the working group or the larger abuse-c activist community) - in general willing to cooperate (we really should care for those and help them! ... yes, there are others - from "don't care" to "evil")
For making a reasoned decision about the recipient for abuse-c and preparing for handling messages one obviously needs some understanding/explanation of what is expected. If no such helpful information is offered at the time of requesting abuse-c setup, many well intentioned parties will *something* (not really good "quality") to fill required fields and little motivation to followup will remain. If they care to ask for helpful information and the answer stays "this is required by policy, and it consciously declines to explain", they are likely to conclude that they have to submit to RIPE policies and the policy makers+process that cannot be taken serious...
I note that for goal (b) of course some common understanding of expected use and handling for the abuse-c mailbox is a prerequisite on BOTH sides (senders also!)
I do not expect to see formal, precise, and exhaustive definition of requirements and intended/expected use of abuse-c use - that would seem fairly impossible and certainly would not provide a practical answer to the issue. The working group needs to followup it previous abuse-c policy by starting to create practically useful explanations, before considering more "enforcement" (actually IMHO all enforcement activety should [have] be[en] postponed - potentially replaced by friendly invitations). It may take considerable effort to develope consensus on such documentation - but is it reasonable to rely on all relevant outside parties to have the first contact figure out completely on his own and explain to his management, consultants, service providers, etc... what needs to be done? (what aggregated cost and what "quality" implications do you expect?)
It's ok to have working groups that just have internal fun between some birds of a feather. If a working group feels like making demands (e.g. policies) to a larger community it should also consider what support it needs to provide to serve the purposes of that larger community.
Thanks for your attention and consideration. Ruediger Volk
P.S.: Sorry, for a painfully long message. Trust me I had more painful time writing - and making it shorter would have been worse - with termination not secure:-)
I hope that the painful length does not obscure - valid concern - constructive suggestions
Ruediger, (And everyone else!) First off, thank you for stimulating lots of useful discussion on 2016-01! I apologise for my delay in responding to this. On 28/02/2016 18:38, Ruediger Volk wrote:
Dear colleagues,
I object to passing the policy as proposed. There is no serious need for the policy, and at this time and under curent circumstance it would actually be harmful. I believe that the supposed good intentions would be better served by other actions, and the policy focussing on enforcement is ill advised.
Thank you for your comments. I will admit that I'm unsure on why it would be harmful, per se, rather than something you don't quite see the point of.
I understand that the current implementation of the RIPE database allows legacy holders to enter abuse-c attributes for their legacy resources if that's currently not possible the required extension of the database should be discussed (in the approprioate wg) and implementation would NOT require the PDP (as more drastic changes have been done to the database - and that extension hardly would contradict existing policy). No PDP is needed to send friendly invitations to legacy holders to populate their data objects with abuse-c information; I'm sure asking the RIPE NCC to do this would not create an undue burden or serious problem.
Yes, friendly reminders can be sent and obviously many Legacy Resource Holders have already added an abuse-c: but a policy not only mandates it (which I do believe is useful in pushing things up everyone's very crowded priority stack), but it also signals intent more widely. I admit I'm one of the people who believes that legacy resources are just numbers and while I have some sympathy for Randy's point of view on the operation of the registry, I do think we're past the point of only doing that now.
Enhancing the invitations with some additional information potentially helpful to the recipients could be considered too: - some hints/guidance about expected use and support of that mailbox (active members of the abuse handling community probably will NOT be the typical recipient! and no injuries are expected if any community member sees that information:-) - specific suggestions what to put into the abuse-c field (whatever the RIPE NCC might use to extrapolate abuse-c from existing data) The working group should contribute helpful information to be included.
There is an outstanding DB-WG action on the AA-WG that we have not completed. This is my fault. My previous commitment was to have a draft of this out before Copenhagen. I will further commit to having this issued before the end of March 2016. It will be light, but at least if we have that we can see what else is needed. We've agreed to this, but I honestly have difficulty seeing how this is really a blocker. Yes, more discussion is good, more detail is good, but is there really that much confusion over what is generally expected when an abuse complaint is sent to your company?
Now we do NOT HAVE TO repeat past errors... Specifically with legacy resource holders it would be a good idea for RIPE community and NCC to address them with an inviting and helpful approach; as there is a sad history of seemingly coercive and unfriendly communications towards legacy holders.
We're proposing policy here, that needs to be proposed specifically for this group. I think we should be nice and polite to everyone in the community, I'm not convinced we need to be more polite to one group than another at this point. Should all policies now be proceeded by polite invitations?
REPEATING the error now - even considering the much lower number of relevant records - is however actually MORE SERIOUS in DAMAGING the CREDIBILITY of the working group (and as a consequence the RIPE NCCs position) because of the accumulated history.
More serious?
Repeated requests for information on supposed use und handling of abuse-c has been answered by pointing out that it is required by a policy that was consciously created without any such information. The new policy proposal painfully fits into the sad observation that the anti-abuse working group as a community has constantly put effort into enforcing creation and population of abuse-c data but not (even tried) to provide to the rest of the world helpful explanations on requirements and expected handling at the requested mailboxes. That observations leads to the question whether the community is not able to come up with some helpful explanation or whether it does not care... :-( In both cases asking for enforcement does seem neither appropriate nor acceptable and means that the request cannot be taken serious - bad for the perception of RIPE and RIPE NCC activety by parties that are not heavily involved in the community processes. Consider the typical person confronted with a request to define abuse-c: how deeply is he involved with the anti-abuse working group (where a common understanding might exist - I consider myself only occassional observer and not a member and don't know)?
abuse-c: leads to abuse complaints. There is quite a lot of documentation out there on how to deal with them. abuse-c: generated complaints are no different. However, yes, this will be worked on, see above.
The policy content does actually not matter that much - look for a sketch of a potential harmless implementation approach above in this message. What matters is appropriate use of the PDP (it can be abused!!!) and what are good goals of the working group and good ways of achieving them.
The assumed good goals (as I understand it) are (a) improving quality of abuse-c information in order to (b) improve abuse reporting and report handling processes and (c) extending the abuse-c coverage for Internet number resources in the RIPE NCC registry
The policy proposal references (a) and (b) quite explicitly; I took the liberty to interpolate (b) which actually seems to be the primary goal, and it looks like the working group decided that this will be helped by means of creating distinctly identified mailbox information to be put into abuse-c.
Well, yes, we already did. This policy was discussed and it reached consensus. This is not a new policy, it's an attempt to extent the policy to as many of the resources in the DB as possible. The implementation details need to be discussed, but is there an issue with the core idea here?
We have to assume that Internet number resource holders requested to establish abuse-c - usually are NOT focussed an abuse handling (different core business:-) - in many cases are not members of the anti-abuse working (and unlikely to have insight into undocumented potential consensus views of the working group or the larger abuse-c activist community) - in general willing to cooperate (we really should care for those and help them! ... yes, there are others - from "don't care" to "evil")
I think the percentage of resource holders who are aware of the existence of the AA-WG is vanishingly small. I wonder, however, if the number who are aware of the AP-WG or RIPE in general is much bigger? We're in a bubble here, but I'm not sure what the alternative is?
If they care to ask for helpful information and the answer stays "this is required by policy, and it consciously declines to explain", they are likely to conclude that they have to submit to RIPE policies and the policy makers+process that cannot be taken serious...
Has this been said? If so it's certainly not the stance of the Co-Chairs, nor should it, imo, be the stance of the working group.
I do not expect to see formal, precise, and exhaustive definition of requirements and intended/expected use of abuse-c use - that would seem fairly impossible and certainly would not provide a practical answer to the issue. The working group needs to followup it previous abuse-c policy by starting to create practically useful explanations, before considering more "enforcement" (actually IMHO all enforcement activety should [have] be[en] postponed - potentially replaced by friendly invitations). It may take considerable effort to develope consensus on such documentation - but is it reasonable to rely on all relevant outside parties to have the first contact figure out completely on his own and explain to his management, consultants, service providers, etc... what needs to be done? (what aggregated cost and what "quality" implications do you expect?)
I will slightly repeat my question from above, is abuse-c: really seen as something different to other ways in which people have been sending/receiving abuse complaints for years and years?
It's ok to have working groups that just have internal fun between some birds of a feather. If a working group feels like making demands (e.g. policies) to a larger community it should also consider what support it needs to provide to serve the purposes of that larger community.
I think that's veering into being more than a little unfair, albeit I am, of course biased!
Thanks for your attention and consideration.
Thank you for your feedback! Brian Co-Chair, RIPE AA-WG Brian Nisbet, Network Operations Manager HEAnet Limited, Ireland's Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin 1 Registered in Ireland, no 275301 tel: +35316609040 fax: +35316603666 web: http://www.heanet.ie/
participants (27)
-
andre@ox.co.za
-
Brian Nisbet
-
Dave Crocker
-
denis
-
Elvis Daniel Velea
-
Florian Weimer
-
Gert Doering
-
Gilles Massen
-
h.lu@anytimechinese.com
-
Hank Nussbacher
-
Havard Eidnes
-
Horváth Ágoston János
-
Jeffrey Race
-
Jerry Upton
-
Job Snijders
-
Lu Heng
-
Michele Neylon - Blacknight
-
Niall O'Reilly
-
Nick Hilliard
-
Peter Koch
-
Randy Bush
-
Richard Hartmann
-
ripedenis@yahoo.co.uk
-
Ruediger Volk
-
Sander Steffann
-
Sascha Luck [ml]
-
Suresh Ramasubramanian