[anti-abuse-wg] [db-wg] objection to RIPE policy proposal 2016-01

Hi Peter

OK lets cut to the bottom line. Does anyone NOT agree with these points:

-Internet abuse (in it's various forms) is considered both a nuisance 
and a danger by the public
-Politicians will jump onto any band wagon that has popular public 
support and enhances their careers
-Responsible internet resource management includes receiving and 
handling abuse complaints related to the networks you manage

If we all supported these points, especially the last one, then in an 
ideal world all network managers would be happy to provide abuse contact 
details and would take action on complaints received.

Unfortunately we don't live in that ideal world. The fact that so many 
experienced technical internet people are opposing this policy worries 
me. So many of you are fixating on this point about 'mandatory', 
'enforcing', 'justifying'. If everyone agreed with point 3 above then 
you would all be willing to do this voluntarily anyway. So what 
difference does it make to those of you who do this anyway if it is 
mandatory?

But we know some people simply can't be bothered to handle abuse 
complaints and we also know some people make money by providing services 
to the abusers. There is no point pretending this does not happen. If 
there is a lot of money to be made some people will want a slice of it. 
That is why this has to be mandatory.

When abuse-c was first introduced it was made clear that this was the 
first step of a process. The intention was for all IP addresses within 
the RIPE region to have one common way of documenting an abuse contact 
that can be accessed programatically. It was also made clear that this 
first step had nothing to do with whether anyone responds to reports 
sent to that contact. Because it was and still is clear that some people 
don't want to publicise any abuse contact details it had to be and still 
has to be mandatory. If you enter data into the RIPE Database you are 
required to ensure it is correct. Dealing with whether anyone responds 
to the reports sent to this contact is a separate issue and should not 
cloud the discussion on the abuse-c information in the RIPE Database. 
Neither should the technical implementation of the abuse-c attribute.

I know there are policies about policies for legacy resources. 
Personally I think that is crazy. All IP addresses are technically the 
same no matter how or when you acquired it. Abuse can come from any one 
of them.

I don't know why we are making the policy side so complicated. The 
principle is simple. If you manage IP addresses in the public domain, 
from where abuse can be generated, responsible management requires you 
to provide abuse contact details!!!

cheers
denis

On 03/03/2016 23:30, Peter Koch wrote:
> On Thu, Mar 03, 2016 at 11:46:45AM +0100, denis wrote:
>
>> In these days of political interest in how the internet is 'managed' the
>> RIRs need to do more than 'just maintain an accurate registry'. The
>
> indeed. The community should be careful to maintain and improve the
> credibility and legitimacy of its policy development process.
> ``Extra constitutional'' activity (imposing "abuse" handling procedures
> camouflaged as syntax changes to database objects) and retroactive
> changes to policy without an exceptional justification both aren't
> helpful.
>
> 2016-01 claims "Better data quality", which is not backed with arguments.
> 2016-01 claims "More accurate data for abuse contact", which is not
>          supported by arguments or evidence/precedent.
>
>> internet is a crucial part of modern life. Abuse is considered to be a
>> serious problem. What you are saying is that you don't give a dam about
>> abuse and are not interested in being part of the management of abuse.
>
> The alleged correctness of data does not imply a "right to response" (cf ripe-563),
> and rightfully so.  Therefore the claims that refusal to add abuse-c
> would imply refusal to deal with abuse reports are pointless, since
> the sheer presence of the attribute does not imply anything, either.
>
> Also, I have not heard Rüdiger (or anyone else) claim they would not
> want to even add abuse-c - it's making this policy mandatory what is
> being contested.  ripe-639 re-establishes the 'special role' of
> legacy resources as exempt from policy changes:
>
> 	Any existing or future RIPE policy referring to resources shall not apply
> 	to legacy resources unless the policy explicitly includes legacy resources in its scope.
>
> Now, if that was simply a matter of a boilerplate in any future policy
> (xxx shall also apply to legacy resources), this clause would not make
> the slightest sense.  Consequently, a special consideration is needed.
> 2016-01 simply refers to inconsistency (obviously a simple consequence
> of ripe-639 and thus not exceptional) and "better data quality" - without
> justification.  No indication is given of any harm caused by legacy
> resources currently not subject to ripe-563.  ripe-563/ripe-639
> do not preclude use of abuse-c for legacy resources, either.
>
> All in all, I understand the motivation behind 2016-01, but the reasoning
> is far too poor to justify proceeding with the proposal.
>
> -Peter
>