Re: [db-wg] RIPE Policy Proposal 2017-02 Validates Database Attributes
All,

I will discuss this here as I do not accept the Anti-Abuse WG as a forum for this proposal. For one thing, this proposal affects every ripedb user - in fact, as this entails changes to how the NCC provides services, the services-wg would be an even better venue. For another, given the "population" and culture of "debate" on the AAWG, any "consensus" reached there would be so worthless as to be farcical. (If anyone wants amplification on this, https://www.ripe.net/ripe/mail/archives/anti-abuse-wg/ provides ample evidence.)

To the meat of the proposal:

Firstly, this proposal conflicts somewhat with NWI-7 in this very WG. (Another reason why it should have gone here in the first place) With the upcoming possibility of delegating abuse-c: to (customers') resource objects, who bears any consequences of these customers not replying to this proposed email?

> Rationale
> a. Arguments supporting the proposal
> Accurate and validated information in the RIPE Database is essential to establish a trusted and transparent environment in which all network operators can operate safely.

abuse-c: is a contact object, just as admin-c: or tech-c: and (correct me if I'm wrong) audited at the same time as the rest of the contact information. What makes it so unique that this verification is not enough?

> Accurate and validated information helps Internet troubleshooting at all levels, but it also helps to attribute malicious online activities that undermine this trusted environment.

See above.

> The lack of reliable accurate and validated information in the database negatively impacts legitimate uses of the RIPE Database, including:

An *email address* that doesn't reply once a year does NOT equate to a "lack of reliable accurate and validated information". I find this statement somewhat insulting to the NCC team who do make the effort to keep the ripedb data accurate and do audit resource holders. There is an issue with the reliability of out-of-region and legacy resource data but as the NCC has no "enforcement" powers over these resource holders, in these cases this proposal snatches at thin air.

> Assuring the security and reliability of the network by identifying points of contact for IP addresses for network operators, ISPs, and certified computer incident response teams;

"org:", "admin-c:", "tech-c:", "mnt-by:" and, yes, "abuse-c:" exist.

> Ensuring that IP address holders are accountable, so individuals, consumers and the public are empowered to resolve abusive practices that impact safety and security;
> Assisting businesses, consumer groups, healthcare organisations and other organisations that are combating fraud (some of which have mandates to electronically save records) to comply with relevant legal and public safety safeguards;

The contact object that does (or *should*) stand for the person(s) who can speak for a LIR, legally, is "admin-c:". "abuse-c:" is some role account in a NOC or even a ticket system unlikely to have any decision-making power. An attempt to make these roles (perhaps even personally) responsible for the behaviour of a LIR and its customers is counter-productive. I for one would flatly refuse to do any abuse report handling under these circumstances.

> Complying with national, civil and criminal due process laws in support of investigations and providing justice for victims.

Would the proposers please amplify exactly which law or due process is violated by the NCC not sending an email once a year to an abuse-c:? Myself, and I'm sure the NCC legal team, would be interested to know.

On a technical note, email is neither a secure nor a reliable transport for such verification. In the day of blocklists and large email providers imposing arbitrary restrictions on email senders it is not guaranteed that a verification email reaches the intended address or that a reply reaches the sender. The NCC ARC procedure, however, employs both email and personal contact via telephone to verify the accuracy of the ripedb information.

In toto, this proposal would impose unnecessary work on LIRs and the NCC, using unsuitable means to rectify a non-existing issue, and I therefore oppose it.
Hi,

On Thu, Sep 07, 2017 at 05:54:04PM +0100, Sascha Luck [ml] wrote:

> I will discuss this here as I do not accept the Anti-Abuse WG as a forum for this proposal. For one thing, this proposal affects every ripedb user - in fact, as this entails changes to how the NCC provides services, the services-wg would be an even better venue. For another, given the "population" and culture of "debate" on the AAWG, any "consensus" reached there would be so worthless as to be farcical. (If anyone wants amplification on this, https://www.ripe.net/ripe/mail/archives/anti-abuse-wg/ provides ample evidence.)

Sascha, I sympathize with you on this, but this is not how the PDP works - a policy proposal has to be "anchored" on one working group (theoretically a "plenary" proposal would be possible, but I'm not sure how the mechanics of that would work out). The WG chairs usually speak to each other beforehand and see where it would fit "best" if multiple WGs are concerned - and then one WG takes it, and the other is sent a HEADS UP notice so folks not usually on the proposal's WG mailing list can make themselves heard.

As we say over in APWG "if it's not on the list, it has not happened" - and this is valid here as well: if you oppose the proposal, please make yourself heard on the anti-abuse WG list. Everything else is just "noise in the hallway". Even if you and I know it could lead to insults of the sort "who opposes this proposal is really joining forces with spammers!"...

(I haven't decided myself whether I think this is useful or not, but will make myself heard over there)

Gert Doering
-- Network citizen with some experience in policy making mechanics...
--
have you enabled IPv6 on something today...?

SpaceNet AG                  Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen             HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444     USt-IdNr.: DE813185279
There are many points to address here, but from the point of view of the PDP I will address two.

First off, this policy has been raised in the Anti-Abuse Working Group. This has been agreed between the relevant WG Chairs. While obviously people are free to discuss it wherever they want, only comments made on the AA-WG Mailing List (whether via email or via the RIPE Forum) will be taken into account during the various phases.

Secondly, the NCC will report on amount of work involved etc. etc. during their Impact Analysis. The Discussion Phase is to discuss the merits or demerits of the proposal, not to assume things on behalf of the NCC.

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Network Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

On 07/09/2017 17:54, Sascha Luck [ml] wrote:

> All,
>
> I will discuss this here as I do not accept the Anti-Abuse WG as a forum for this proposal. For one thing, this proposal affects every ripedb user - in fact, as this entails changes to how the NCC provides services, the services-wg would be an even better venue. For another, given the "population" and culture of "debate" on the AAWG, any "consensus" reached there would be so worthless as to be farcical. (If anyone wants amplification on this, https://www.ripe.net/ripe/mail/archives/anti-abuse-wg/ provides ample evidence.)
>
> To the meat of the proposal:
>
> Firstly, this proposal conflicts somewhat with NWI-7 in this very WG. (Another reason why it should have gone here in the first place) With the upcoming possibility of delegating abuse-c: to (customers') resource objects, who bears any consequences of these customers not replying to this proposed email?
>
> > Rationale
> > a. Arguments supporting the proposal
> > Accurate and validated information in the RIPE Database is essential to establish a trusted and transparent environment in which all network operators can operate safely.
>
> abuse-c: is a contact object, just as admin-c: or tech-c: and (correct me if I'm wrong) audited at the same time as the rest of the contact information. What makes it so unique that this verification is not enough?
>
> > Accurate and validated information helps Internet troubleshooting at all levels, but it also helps to attribute malicious online activities that undermine this trusted environment.
>
> See above.
>
> > The lack of reliable accurate and validated information in the database negatively impacts legitimate uses of the RIPE Database, including:
>
> An *email address* that doesn't reply once a year does NOT equate to a "lack of reliable accurate and validated information". I find this statement somewhat insulting to the NCC team who do make the effort to keep the ripedb data accurate and do audit resource holders. There is an issue with the reliability of out-of-region and legacy resource data but as the NCC has no "enforcement" powers over these resource holders, in these cases this proposal snatches at thin air.
>
> > Assuring the security and reliability of the network by identifying points of contact for IP addresses for network operators, ISPs, and certified computer incident response teams;
>
> "org:", "admin-c:", "tech-c:", "mnt-by:" and, yes, "abuse-c:" exist.
>
> > Ensuring that IP address holders are accountable, so individuals, consumers and the public are empowered to resolve abusive practices that impact safety and security;
> > Assisting businesses, consumer groups, healthcare organisations and other organisations that are combating fraud (some of which have mandates to electronically save records) to comply with relevant legal and public safety safeguards;
>
> The contact object that does (or *should*) stand for the person(s) who can speak for a LIR, legally, is "admin-c:". "abuse-c:" is some role account in a NOC or even a ticket system unlikely to have any decision-making power. An attempt to make these roles (perhaps even personally) responsible for the behaviour of a LIR and its customers is counter-productive. I for one would flatly refuse to do any abuse report handling under these circumstances.
>
> > Complying with national, civil and criminal due process laws in support of investigations and providing justice for victims.
>
> Would the proposers please amplify exactly which law or due process is violated by the NCC not sending an email once a year to an abuse-c:? Myself, and I'm sure the NCC legal team, would be interested to know.
>
> On a technical note, email is neither a secure nor a reliable transport for such verification. In the day of blocklists and large email providers imposing arbitrary restrictions on email senders it is not guaranteed that a verification email reaches the intended address or that a reply reaches the sender. The NCC ARC procedure, however, employs both email and personal contact via telephone to verify the accuracy of the ripedb information.
>
> In toto, this proposal would impose unnecessary work on LIRs and the NCC, using unsuitable means to rectify a non-existing issue, and I therefore oppose it.
On Thu, 7 Sep 2017 17:54:04 +0100 "Sascha Luck [ml]" <dbwg@c4inet.net> wrote:

<snip>

> > The lack of reliable accurate and validated information in the database negatively impacts legitimate uses of the RIPE Database, including:
>
> An *email address* that doesn't reply once a year does NOT equate to a "lack of reliable accurate and validated information". I

too many of the privileged "owners" of public resources sends email sent to abuse-c, to dev/null not only could that be seen as non ethical behavior, but it is a form of abuse in itself. there is also no point to have a phone number or an email address if the phone is never answered or the email address is heavily filtered and deleted.

> find this statement somewhat insulting to the NCC team who do make the effort to keep the ripedb data accurate and do audit resource holders.

no. the NCC team is not responsible for the abusive behavior of resource holders. they want to have resources but they do not want to be responsible. it is my opinion that there has to be a balance found between rights and responsibility. and imnsho regular verification of responsive abuse-c is a step in the correct direction.

> There is an issue with the reliability of out-of-region and legacy resource data but as the NCC has no "enforcement" powers over these resource holders, in these cases this proposal snatches at thin air.

sure, some legacy resources are not even in use and are "parked" so what?

> > Assuring the security and reliability of the network by identifying points of contact for IP addresses for network operators, ISPs, and certified computer incident response teams;
>
> "org:", "admin-c:", "tech-c:", "mnt-by:" and, yes, "abuse-c:" exist.
>
> > Ensuring that IP address holders are accountable, so individuals, consumers and the public are empowered to resolve abusive practices that impact safety and security;
> > Assisting businesses, consumer groups, healthcare organisations and other organisations that are combating fraud (some of which have mandates to electronically save records) to comply with relevant legal and public safety safeguards;
>
> The contact object that does (or *should*) stand for the person(s) who can speak for a LIR, legally, is "admin-c:". "abuse-c:" is some role account in a NOC or even a ticket system unlikely to have any decision-making power. An attempt to make these roles (perhaps even personally) responsible for the behaviour of a LIR and its customers is counter-productive. I for one would flatly refuse to do any abuse report handling under these circumstances.
>
> > Complying with national, civil and criminal due process laws in support of investigations and providing justice for victims.
>
> Would the proposers please amplify exactly which law or due process is violated by the NCC not sending an email once a year to an abuse-c:? Myself, and I'm sure the NCC legal team, would be interested to know.

fake abuse-c
non responsive or non functional abuse-c
automatic deletion of anything to abuse-c
what is the point of having an object at all if it is faux?

> On a technical note, email is neither a secure nor a reliable transport for such verification. In the day of blocklists and large email providers imposing arbitrary restrictions on email senders it is not guaranteed that a verification email reaches the intended address or that a reply reaches the sender. The NCC ARC procedure, however, employs both email and personal contact via telephone to verify the accuracy of the ripedb information.

technical note for whom? technical note for technical illiterates? phones also do not work reliably, there are sunspots, tower outages, bad signal areas, signal blocks.

Re: email, you are trying to argue that email deliverability to and from the NCC could be an issue? Do you have any proof of this?

Example: If you are a spammer and you are blocked by the NCC email server, surely you would correct your abusive behavior and contact the NCC to lift your block? If the NCC refuses your communications you could always change your abuse-c to low_life_scumbag@ethical-example.com

> In toto, this proposal would impose unnecessary work on LIRs and the NCC, using unsuitable means to rectify a non-existing issue, and I therefore oppose it.

It is work that should already be done and a 5 second confirm, is hardly "work"

Andre
participants (4)
- Brian Nisbet
- Gert Doering
- ox
- Sascha Luck [ml]