[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

In message <CAFV686e9aa8xhACUz+ePfbELU74MPcE-2PiC2-kpU-1xAptxFA at mail.gmail.com>
Jacob Slater <jacob at rezero.org> wrote:

>... If everyone is allowed to {file reports}, we run several risks,
>namely that individuals with no knowledge of the situation (beyond that
>viewed in the public routing table) will file erroneous reports based on
>what they believe to be the situation (which may not be accurate, as some
>forms of permission for announcement are not documented in a way they could
>feasibly see). Allowing for competent complaints (with teeth) to be filed
>is a good idea; needlessly permitting internet vigilantes to eat management
>time based on a flawed view of the situation is not.

I have two issues with the quote above.

First, I'm not sure I either understand or am even aware of these alleged
"forms of permission for announcement {that} are not documented".  So perhaps
Mr. Slater could elaborate upon that, for my benefit, and perhaps also for
that of others who may also be similarly in the dark about what he's talking
about here.

All I know is that the RIPE WHOIS data base contains, among much other stuff,
route: object which generally document what is generally believed to be
information about properly authorized (by the affected resources holder)
routing permissions.  If there exists information about properly authorized
routing permissions that is -not- present in and among those data base route
objects, then I do have to wonder if some such routing permissions either
cannot be or should not be represented as route object in the official data
base, and if so, the reasons for that.

Second, although the word "vigilante" has, in the modern era, come to have
much negative connotation, there was quite certainly was a time and place
when and where that was not so.  I am speaking specifically of the
American West in the time before it became entirely civilized and in
the time before it had a full compliment of established legislatures,
established laws, established courts, established (and paid) law enforcement
agents, and all of the other bits, pieces, and accoutrements, of what
we all, in the modern era, think of as a properly functioning system of
justice.  In that time and place early settlers did often band together
in order to enforce at least some sense of community-backed justice.
It wasn't always pretty, and it wasn't always fair or just, but in the
absence of officially authorized systems of justice, it was often all
that those early settlers had to defend themselves from the unjust
tyrany of the strong against the weak.

To say that there are more than a few similarties between the current
Internet and the "Wild West" of ledgend and lore would neither be an
entirely inaccurate observation nor would it even be a particularly novel
one.  Many commentators have drawn this exact analogy at various times
over the past couple of decades.  A more interesting question is whether
or not the proposal on the table at the moment moves the Internet closer
to or further away from a morden "civilized" state of affairs.

I think the proposal moves us closer to a state of civility and civilization.
You might well claim, as you have, that it permits and carves out some
space still for "vigilantism" in the process, but it does so only with
respect to the submission of reports that would then, by design, be
reviewed and judged by others.  I have trouble seeing how this could
be harmful.  I do agree that it opens up the possibility of perhaps
having everyone's time wasted, perhaps even frequently, with meritless
and bogus reports, but I think that it is premature to assume that such
an outcome will, in practice, be common enough to merit serious concern.
Time will tell.

In sort, if the policy goes into effect and if it -then- becomes evident
that quite a lot of bogus reports are coming in as a result, I think that
some means of dealing with that problem can be devised and implemented
at that time.  I, however, do not anticipate any such troublesome flood
of bogosity.

>Additionally, while the policy does define a difference between accidental
>and intentional hijacking, it does not differentiate between the two...

If that's true, then it should certainly be fixed.


Regards,
rfg