[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Erik Bais
ebais at a2b-internet.com
Thu Mar 21 23:53:15 CET 2019
Dear WG,

I've read the proposal and the discussion that has been posted in the last couple of days.

In the current form, I would like to state that I wouldn't support the proposal.

I would like to give some history about BGP hijacks and specifically 2 that have been widely published (at least in the Netherlands for 1 in particular..) and another one after people found out via Wikileaks (Hacking Team involvement).

The first one was when Bulgarian spammers hijacked IP space of the Ministry of Foreign Affairs in the Netherlands.. for more than 10 days.. without the Dutch ministry noticing .. BTW. Spamhaus did .. and listed their prefixes along with other prefixes from the hijackers.

The ministry stated the IP space wasn't in use or announced .. at least not announced in BGP by them ..

After the hijack came to surface, a Dutch national newspaper published a story about it.. and questions to the responsible minister were asked how / why / who was responsible / why didn't anyone notice etc etc.

https://www.volkskrant.nl/wetenschap/ip-adressen-ministerie-gekaapt-door-bulgaren~b75ad982/ ( Dutch article )
https://tweakers.net/nieuws/104975/ip-adressen-buza-gekaapt-via-bgp-hijacking.html ( Dutch tech site article )

The official reaction to Dutch parliament was that it was too hard to prosecute or even find the actual people behind the hijack and they decided not to go after them.

While in fact there was the option to request the administrative information known at the RIPE NCC and the AMS-IX where they consumed services and had payment details and perhaps even more (both are Dutch entities and required to provide the information when asked by the Dutch authorities).

But perhaps it was just not important enough to look into it and request the Bulgarian government to hand over some of their citizens.... as the Dutch government might have needed the Bulgarian assistance in 2014/2015 during the refugee influx and their support in the EU. #politics

Even IF they would have proceeded .. under Dutch law, BGP Hijacking isn't a criminal offence and as a result, not directly illegal or criminal.. Performing a (D)DOS or breaking into a computer system is.. but BGP hijacking as such isn't. Especially if the IP space wasn't in use.. so nothing broke or stopped working ..

So even if they would get the Bulgarian spammer/hijackers in front of a Dutch judge .. the chance was that ... they would walk, because there was no harm done .. No law was broken, no system invaded and nothing stopped working ...
( Full disclosure I'm not a lawyer, but this is the information that I was handed at the time.. )

The Dutch cyber prosecutor wasn't even sure under which section of the Dutch Criminal law (Strafrecht) this might fall and he suggested 'perhaps .. Art. 161 sexies Sr' ( https://twitter.com/Byte_Fighter/status/625012729171025920 )

That can be found here (in Dutch): https://maxius.nl/wetboek-van-strafrecht/artikel161sexies

Where it mentions ( He who deliberately destroys, damages or disables any automated telecommunications work, causes a disturbance in the workings or operation of such work, or defeats a safety measure taken in relation to such work, shall be punished: ) - * Google Translate translation...

The other version of a quite known BGP Hijack is the one of Hacking Team, who acted on behalf of the Italian government (Police) to re-activate a RAT Command and Control server after a bulletproof hoster (Santrex) went down. And that particular C&C was important enough to regain control over, as it was part of an active operation of the ROS. ( https://en.wikipedia.org/wiki/Raggruppamento_Operativo_Speciale )

More insight on that BGP Hijack - https://arstechnica.com/information-technology/2015/07/hacking-team-orchestrated-brazen-bgp-hack-to-hijack-ips-it-didnt-own/

So in this case, the Italian Police (ROS) used (forced??) an Italian ISP to hijack some IP space to regain control of their lost RAT C&C server.. (endpoint for RAT infected machines.)

This wasn't an accident .. but was it criminal by the ISP to assist their local police ? And what would have been the impact if they didn't ... ?

These are your/our tax dollars at work ... They either don't care or are the bad actor themselves.

So the customers that hold an SSA or End-User Agreement (PI Holders for IP space and AS number) look to be the 'target' of the policy, however that leaves out the legacy resource holders..

And with the current transfer policies in place, yes it is possible to obtain a legacy AS number and a legacy IPv4 prefix ... for yourself .. and those can't be 'retrieved' with this policy .. And even with the policy, it isn't the RIPE NCC that COULD de-register them as they are not allocated by the RIPE NCC in the first place ...

So Legacy holders (resources with a legacy status) are for obvious reasons excluded from penalties and out of reach. Also according to the policy that specifies services to Legacy holders, as this policy doesn't state that it wants to include and impact legacy holders.

The biggest issue that I see in this policy is that the RIPE NCC ( either themselves or the Exec Board. ) is desired / aimed to pull the trigger on a membership or contractual relationship.

This is a huge no-no imho. These kinds of actions or decisions should be kept out of the RIPE NCC office and the actual case and decision should be made by a court and court order.

If the RIPE NCC would like to stay neutral, it can't be the executor or be held liable for any decisions like this, handed to them (even by an external 'expert' ) on these matters.

If someone likes to make the case that someone is in violation, there should be a neutral judge that should review the case and the accuser can go to the RIPE NCC with the result .. And the RIPE NCC will just execute based on the outcome.

Handing those kinds of decisions to the RIPE NCC or the Exec Board is a sliding scale .. and open to scope creep.

I would be very careful with what we are wishing for ..

I can understand the sentiment or intent of the policy, but I'm against any form of policy where the RIPE NCC or the Exec Board will be involved in the actual decision like this as it will impact their neutral status and the fact they are opening themselves for liability claims.

Again I'm not a lawyer, but I have huge concerns about this.

Kind regards,
Erik Bais

- Sorry for the long read.. -

On 19/03/2019, 13:41, "anti-abuse-wg on behalf of Marco Schmidt" <anti-abuse-wg-bounces at ripe.net on behalf of mschmidt at ripe.net> wrote:

> Dear colleagues,
>
> A new RIPE Policy proposal, 2019-03, "BGP Hijacking is a RIPE Policy Violation", is now available for discussion.
>
> The goal of this proposal is to define that BGP hijacking is not accepted as normal practice within the RIPE NCC service region.
>
> You can find the full proposal at:
> https://www.ripe.net/participate/policies/proposals/2019-03
>
> As per the RIPE Policy Development Process (PDP), the purpose of this four-week Discussion Phase is to discuss the proposal and provide feedback to the proposer.
>
> At the end of the Discussion Phase, the proposers, with the agreement of the Anti-Abuse WG co-chairs, decide how to proceed with the proposal.
>
> We encourage you to review this proposal and send your comments to <anti-abuse-wg at ripe.net> before 17 April 2019.
>
> Kind regards,
>
> Marco Schmidt
> Policy Officer
> RIPE NCC
>
> Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum