[acm-tf] Determining a sanction is the primary issue
Wilfried Woeber, UniVie/ACOnet Woeber at CC.UniVie.ac.at
Wed May 4 00:39:27 CEST 2011
Alessandro Vesely wrote:
[...]
> If found guilty (for some sense of "guilty" that we will also
> determine) then sanction will be applied.
I am pretty worried by both the choice of words and terms, as well as
by the general mindset behind.
The RIPE NCC has no mandate to determine "guilt" in a general sense.
We do have more than enough self-appointed policemen and vigilantes on the
'net. As laudable as their individual or organisational goals may be, just
as dangerous for the well-being and the stability of the network they
sometimes are.
Determining "guilt" in a formal sense, or serious infraction of laws and
regulations is the job of a court. It cannot be a fuzzy notion of "having
outstanding abuse reports".
With regard to the NCC, it can enforce compliance with policy, based on
actions or facts that are well-defined and agreed in a commercial contract,
and that equally apply throughout its service region. E.g. supplying a bogus
identity or claiming to reside in a non-existent location or making up a
bogus network and addressing plan, and the like.
Expecting the legitimate user(s) of IP resources to block packets within their
network, or to interfere with operational aspects, like requiring a particular
handling of ports or protocols, is definitely out of scope.
I may add here, that some of those self-appointed vigilantes have themselves
tried already to use mechanisms to "force" other entities by applying pressure
mechanisms that would render them "guilty" in general terms. There is a good
reason why at least one of those organisations has already been taken to court
for that, and has been publicly shamed for their activities and "reasoning".
The last thing I would like to see is the RIPE NCC becoming one of "those"
organisations, too. As bad as some stuff on the Internet is (I am well aware
of that fact[1]) the stability and impartiality of the RIPE NCC is by far more
important, imho.
Regarding the aspect of trying to motivate operators to "do the right thing",
as well as users, there are mechanisms and organisations around, already,
which can be (and already are!) involved and deployed. Amongst others, in the
framework of RIPE, there's the mechanism of BCPs. However, the "enforcement"
of such BCPs usually relies on peer pressure, halls of shame, or the like.
But not on arbitrarily shouting "guilty" and imposing "sanctions".
Sorry for the rant and the use of strong words, but I think this TF has to
stay on the ground and SHOULD, or rather MUST, respect its mandate and the
basis of existence of the RIPE NCC.
Regards,
Wilfried.
[1] I was instrumental in setting up the 1st CERT Team in Austria (ACOnet-CERT),
which became the 1st Austrian team to acquire FIRST Membership status and
TI Accreditation, I am for the 2nd time on the Review Board of the Trusted
Introducer Service in Europe, and I "happen" to be on the Advisory Board for
the Austrian National CERT/Government CERT.
Incidentally, I also served on the initial executive board of the RIPE NCC
and on ICANN's Address Council since its inception.