Security Working Group Minutes RIPE 89

Tuesday, 29 October 16:00 - 17:30 (UTC+1)
Chairs: Brian Nisbet, Markus de Brün, Tobias Knecht (absent)
Scribe: Gerardo Viviers
Status: Draft

The recordings and presentations are available at:
https://ripe89.ripe.net/programme/meeting-plan/security-wg/

The stenography transcript is available at:
https://ripe89.ripe.net/archives/steno/25/

A. Administrative Matters

Brian opened the session, co-chairing with Markus de Brün, while Tobias was absent due to illness. Brian acknowledged the support staff's contributions and explained the hybrid meeting format. After reminding attendees about the RIPE Code of Conduct and feedback options, the RIPE 88 Anti-Abuse draft minutes were approved without objections.

B. Update

B.1. AA-WG Recharter and Mailing List Changes

Brian announced that, following discussions in Krakow at RIPE 88 and subsequent mailing list consultations, the Working Group's recharter was approved in coordination with the RIPE Chair Team. He informed attendees that a new mailing list (security-WG) would be implemented the week after the meeting, along with a new mailing list for communicating with working group chairs. He emphasised that the new charter maintained the group's ability to work on policies and covered all security areas, including network abuse and Internet infrastructure stability. He noted that while there might be overlap with other working groups on certain topics like routing security, the chairs would coordinate to find the appropriate mailing list for discussions.

B.2. Working Group Chair Selection

Brian reported on the working group chair selection process, noting that Tobias and Markus's terms had expired. As they were the only candidates who volunteered and received support with no dissent on the mailing list, they were reconfirmed as co-chairs alongside Brian. The selection was approved by the room with applause.

B.3. Recent List Discussion

Brian mentioned that while there had been some recent mailing list discussions about the charter, the chairs didn't identify any specific points that needed addressing during the session.

C. Policies

D. Interactions

D.1 Engaging with Governments - Handling Requests for Information

Hisham Ibrahim, RIPE NCC

Hisham stated that there were no slides for his presentation. He discussed emerging trends in government interest in Internet governance post-Covid-19. He noted that his team, which specialised in public policy and Internet governance, had been receiving increased inquiries from various government entities including law enforcement agencies, regulators, and ministries.

Hisham mentioned how governments were interpreting community practices, such as the use of country codes in databases, which they viewed as national sovereign resources. He highlighted upcoming changes in European regulations that could impact RIPE NCC's operations.

Hisham specifically mentioned two regulatory developments: NIS-2, which examined supply chain considerations; and e-evidence regulations, which would facilitate greater information sharing among EU countries.

He expressed concern about the implications of increased European information sharing, given that 50 out of RIPE NCC's 70+ service region countries were non-European. Hisham sought to initiate a discussion about establishing principles for information sharing while maintaining compliance with GDPR and various jurisdictional data protection laws.

Eric van Uden suggested that under Dutch law the situation seemed straightforward to him. He believed that the Dutch people were likely regulating what should, must, or could be shared, but he acknowledged the possibility of being wrong.

Hisham pointed out that the RIPE document RIPE-675 outlined the conditions for sharing information with law enforcement agencies, which required obtaining a court order from the Netherlands. He noted that e-evidence regulations would expand this access to over 20 EU countries, creating an imbalance with the 50+ non-EU countries in the RIPE NCC service region that would still need to go through MLATs and Dutch courts. As part of a team assessing potential risks and regulatory implications, he indicated they needed to discuss with the community about possibly revising the document to incorporate additional principles.

Brian Nisbet pointed out that Hisham would do a related presentation in the Cooperation Working Group and invited everybody to engage in the discussion.

E. Presentation

E.1. Unveiling Domain Blocklist Performance - An Analysis over Four Years

Antonia Affinito, University of Twente

The presentation is available at:

https://ripe89.ripe.net/wp-content/uploads/presentations/68-Affinito-Presentation.pdf

Antonia Affinito, Assistant Professor at the University of Twente, presented a comprehensive analysis of domain blocklists, examining their performance and evolution over four years in collaboration with an Italian university. Blocklists, widely used for cybersecurity, are designed to protect users by identifying and blocking malicious or suspicious domains. The study analysed 13 blocklists from March 2020 to August 2024, exploring their composition, update frequency, and overlap between lists.

Affinito highlighted key findings, such as the variability in blocklist update rates, with some lists maintaining outdated entries while others frequently updated to reflect emerging threats. The research also revealed low overlap among blocklists, even those targeting the same categories, such as phishing. This suggests that relying on a single blocklist may leave users vulnerable to undetected threats. The study underscores the importance of using multiple blocklists to enhance protection and called for further investigation into improving their effectiveness for both research and cybersecurity applications.

Roy Arends, ICANN, mentioned that ICANN had conducted similar research, though he disagreed with the statement that this work hadn't been explored before. He inquired whether Antonia was aware of their reputation blocklist paper from the previous year.

Antonia indicated she wasn't familiar with it but expressed willingness to review it. Roy noted that their findings were similar despite using different sources - ICANN's study used 11 blocklists with only three overlapping, though conducted over a shorter time frame of a few months rather than four years. Roy offered to share the presentation by their research team and introduce Antonia to the researchers.

Antonia explained their approach of checking blocklist communications to identify means across different types of cyber threats, particularly when blocklists focused on single categories. Roy pointed out that despite using slightly different terminology, both studies employed similar methodology.

Paweł Pawliński, NASK / CERT PL, shared that his team had previously conducted similar research with a larger number of lists. He offered to share information about their aggregated sources and analysis with Antonia. Paweł noted that their research found that overlap typically increased with the number of sources analysed, and emphasised that overlap wasn't necessarily disadvantageous as long as each source provided unique value. He asked about Antonia's approach to evaluating the quality and usefulness of the lists, which they had found challenging to assess quantitatively.

Antonia asked if Paweł was referring to false positives, which Paweł confirmed was one aspect. Antonia explained they were still working on this issue, using external validation tools like up to 60 detectors to verify the malicious nature of domains. Regarding the overlap, Antonia acknowledged that analysing more blocklists would likely show higher overlap, but noted that their analysis of phishing blocklists, including Phishtank documentation, still revealed significant differences.

Paweł concluded by mentioning their consideration of list usefulness and relevance, pointing out that objectively true information might not necessarily be useful for protection or filtering purposes. He suggested this might be worth considering in the evaluation.

E.2. The hosting of Live Piracy, the good bad and not so ugly?

Lee Kent, BeIN & Andrew Willatt, Premier League

The presentation is available at:

https://ripe89.ripe.net/wp-content/uploads/presentations/72-Security_WG.pdf

Lee and Andrew highlighted challenges they face with IPv4 addresses being used to deliver unauthorised live streams of Premier League matches. The Premier League, a football organisation, broadcast matches in 189 territories. They detailed how repeat infringement often originates from the same IPv4 addresses announced by RIPE members or their sponsored entities.

While some cases allow for direct communication with responsible parties, others present significant barriers due to insufficient contact information or unreachable organisations. They emphasised the importance of collaboration with RIPE NCC and the broader community to address these issues. They expressed their willingness to adapt their processes, such as take-down notices, to meet specific requirements and to work with organisations to develop policies aimed at combating repeat infringers.

The team called on RIPE NCC to explore ways to improve transparency and communication, fostering an environment where intellectual property rights can be better protected while supporting a collaborative approach to tackling these ongoing challenges.

Peter Thomassen, deSEC e.V., asked about techniques for finding responsible parties. Lee responded that they used various databases, including RIPE and BGP data.

Hans Petter Hollen, RIPE NCC, asked for some clarification about the goals regarding IP address holder information. Andrew explained they needed accurate contact information when detecting IPv4 misuse.

Hans Petter then provided detailed information about the RIPE Database accuracy.

Farzaneh Badii, Digital Medusa, questioned the proportionality of IP-level takedowns versus domain-based approaches. Andrew explained that IPv4 addresses were crucial points for addressing online piracy, while Lee noted they filed approximately ten UDRP complaints weekly but found the process expensive and limited.

Leo Vegoda, And Polus LLC / PeeringDB, asked for clarification on whether they were seeking subscriber or network operator information. Lee confirmed they were interested in contacting network operators who could address issues.

Brian referenced previous working group discussions about the Abuse-C contact implementation. Hans Petter provided statistics about the Abuse-C project.

The presentation concluded with acknowledgments of the complexity of the issue and the importance of community dialogue.

X. A.O.B.

Farzaneh Badii asked for clarification about the Working Group's scope regarding copyright infringement within the security framework.

Brian explained that the working group had evolved from anti-spam to anti-abuse, and had previously discussed various topics including copyright abuse. He confirmed that these discussions fell within the working group's scope, noting that copyright abuse often involved the misuse of Internet resources. He emphasised that the charter and activities were owned by the working group members, not the co-chairs.

Marco d'Itri expressed concern that they were deviating from security issues, arguing that while illegal streaming operations were problematic, they represented paying customers rather than traditional network abuse.

Brian acknowledged the overlapping nature of these issues and referenced previous mailing list discussions about consensus-building when participants had varying interests. He noted that the rechartering process aimed to broaden the scope beyond just resource abuse. He concluded by emphasising the working group's openness to evolution and discussion, stating that the co-chairs rarely rejected proposed topics and encouraged continued dialogue.

Z. Agenda for RIPE 90

Brian mentioned the upcoming RIPE 90 meeting and said that the Working Group chairs will share a call for agenda points for the upcoming Security Working Group session. He also mentioned that people can contact the chairs or the RIPE NCC for support and help in developing the agenda points. He elaborated on all the topics that would fit within the charter of the Working Group.