[anti-abuse-wg] New Abuse Information on RIPE NCC Website

On Tue, Jun 18, 2013 at 07:10:03AM +0200, Wilfried Woeber wrote:
> [...]
> May I suggest this description:
> 
> 	http://www.ripe.net/ripe/groups/wg/anti-abuse
> 
> On a more general aspect, please try to relate to the general raos traffic:
> In most countries, I presume, the unique license plates are managed and issued
> by one or even more entities. Those entities do not accept any responsibility
> for the behaviour of the person using a uniquely identified vehicle.
> 
> It is a task for the police or traffic wardens or whatever applies to your
> jurisdiction, to oversee the use of the vehicle according to *local* law.
> 
> If a violation is observed or reported, it is the job of the regular legal
> system to follow up. If "someone" shouts to the maintainer of the unique
> license plate numbers "stop what I don't like", instead of getting in touch
> with the police, you will have see limited success.
> 
> Is this something you can relate to?

I think it is quite safe to assume that most readers here are well aware 
of what a RIR is, certainly including Ron who has been fighting
network abuse for about two decades now - and I take this opportunity to 
thank him for working tirelessly during all this time.

During this time, we all have learnt that criminals are getting more
and more organized, that their creativity and ability should not be
underestimated, that we can contribute to defend the Internet from
their destructive behavior in many different ways and that, last but
not least, that 'reporting to the police' does not scale well, due to
a chronic lack of resources (time, skills, adequate international
cooperation) on the law enforcement side.

I do not believe that anybody is asking RIPE NCC to take actions
that are pertinence of law enforcement.  I do believe, however,
that the RIPE area has a problem with respect to other RIRs, and
that some changes (in policies, enforcement of rules, etc) could be
made to mitigate the problem somehow, still remaining within the limits
of the RIR mandate.

One could have a fairly good idea of 'The Problem' by looking
at the Spamhaus SBL listings attributed to the RIRs (as far as I
understood, Spamhaus does that when the resources are directly
allocated by the RIR to criminal groups and therefore no ISP
can be accounted for them - the resources are freely moved from
one ISP to another). Today:

http://www.spamhaus.org/sbl/listings/AFRINIC ......   4 listings  [13]
http://www.spamhaus.org/sbl/listings/APNIC ........  19 listings  [55]
http://www.spamhaus.org/sbl/listings/ARIN ......... 289 listings  [84]
http://www.spamhaus.org/sbl/listings/LACNIC .......  10 listings  [20]
http://www.spamhaus.org/sbl/listings/RIPE ......... 307 listings  [49]

The number in brackets is the approximate total allocation size of the RIR 
in units of /8, extracted from http://labs.apnic.net/ipv4/report.html .

ARIN clearly has a serious problem too, but when the number of 
problem is normalized with the allocation size we obtain (number
of problems per /8):

AFRINIC ..... 0.31
APNIC ....... 0.35
ARIN ........ 3.44
LACNIC ...... 0.50
RIPENCC ..... 6.27

Certainly one could argue that this is not the best possible metrics
as it reflects the point of view of a single actor, and I am sure one
could find better metrics.  Yet, the normalized result is a factor 2 worse 
than ARIN, and more than an order of magnitude worse than APNIC.
I would doubt that other data could change the RIR order.

It may be that this result is simply due to a higher concentration
of criminals in the RIPE area than in other areas.  In all cases,
as an european and a RIPE community member I feel ashamed of this outcome,
knowing that I am also in part responsible for it for not having
dedicated enough time and thought to this problem.

If you look at those Spamhaus listings, you will notice that a good fraction 
of them is due to 'snowshoe' spamming, where thousands of IP addresses
are used as cannons to send unsolicited mail.  There are networks as
large as /14's used for this purpose.  Is anyone here really thinking
that this is a valid usage of scarce resources, considering that
a well-behaved, opt-in based ESP can usually carry on its activity
out of a /24 ? If snowshoe spamming is not an acceptable motivation to 
get an assignment when asking for it - and I really hope this to be the
case - then people could use a network to do that only if they make a 
false statement when asking for the assignment.

Now, RIPE-582 (February 2013) contains the following text:

"6.6 Validity of an Assignment
 All assignments are valid as long as the original criteria on which the 
 assignment was based are still valid and the assignment is properly 
 registered in the RIPE Database. If an assignment is made for a specific 
 purpose and that purpose no longer exists, the assignment is no longer 
 valid."

Therefore, if the above premises are correct, spamming ranges are
classified "not valid" - simply because snowshoe spam was not the 
motivation given to get the assignment.

Then the RIPENCC problem, it seems to me, is that "no longer valid"
ranges remain in use for a long period of time.  This seems to
indicate that there is no effective mechanism to enforce the rules.  
Indeed, what is the semantic meaning of "no longer valid" if people 
continue to use those ranges for extended periods of time ?
"Invalid" with respect to what ?  RIPE-582 does not seem to address this
point.  If it does, please point me to the relevant section, or to
another document that discuss this point.

At the end, the problem seems to boil down to these questions:

"Does the RIPE Community really want to have resources defined as
 "invalid", yet live without a real working mechanism to have these 
 invalid resources claimed back and reassigned ?  If not, would the 
 introduction of such an enforcement mechanism go against the acceptable 
 operational limits for a RIR ? And if yes, what is the purpose of defining 
 rules that can not be enforced, and hence resulting in bad guys getting 
 as much resources as they like by making false statements ?"

Investigation on what other RIRs are doing in terms of reclaiming
invalid resources could perhaps also be of help.

Thanks for the attention

furio ercolessi