[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

In message <1F2FDFE3-4929-4D3F-8334-8D7755E94D19 at consulintel.es>, JORDI
PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg at ripe.net> writes

>If you want to have an idea of "what" we have captured during the discussion in 
>this mailing list, we have also submitted the "improved" version to ARIN (and 
>working on the same for APNIC and AfriNIC).
>
>You can read that (in English) here:
>https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/

I am disappointed that little has been done to address the technical
misconceptions / pious hopes in the RIPE proposal.

    <quote>
    There are already enough sources of historic and almost real-time
    routing data which function as a worldwide observatory. From these
    sources it is possible to accurately evaluate who is performing BGP
    Hijacks and harming (or trying to harm) third party networks by
    doing so. 
    </quote>

It is not necessarily the case that BGP hijacks will be visible in the
globally collected datasets. what then ?

Also, where the resources of defunct companies are hijacked then it is
not the routing table which will be key evidence but rather the
paperwork on file at the RIR or elsewhere. There is no discussion of
this aspect of the issue at all (despite it being a major component of
hijack events over the past five years)

    <quote>
    The external experts are mere evaluators, who can use available sets
    of routing data to determine whether BGP hijacking events have taken
    place, and whether were intentional.
    </quote>

It is NOT possible (for experts or almost anyone else) to accurately
evaluate who is performing BGP hijacks -- for every announcement there
will be at least two networks (AS numbers) who might have done it and
the experts will be using their skill and judgment to guess which of
them is culpable.

Although in many cases it is "obvious" who did it, there is always at
least one other AS on the path who is able to "frame" the suspect and so
the experts are mainly deciding how plausible it is that someone is
being framed

    <quote>
    The direct upstreams of the suspected hijacker, which facilitate the
    hijack through their networks, may receive a warning the first time.
    Nevertheless, in successive occasions they could be considered by
    the experts, if intentional cases are reproduced, as an involved
    party. 
    </quote>

This is pretty opaque ... but if it is meant to be read as "global
transit providers are responsible for the behaviour of their customers"
then this is what Sir Humphrey would call a "courageous" approach.

    <quote>
    The expert’s investigation, will be able to value relationships
    between LIRs/end users, of the same business groups.
    </quote>

How ?

    <quote>
    Accidental cases or those that can’t be clearly classified as
    intentional, will receive a warning, which may be considered if
    repeated.
    </quote>

this is incoherent -- and there does not seem to be any clarity about
what a "warning" means from a consequences point of view

    <quote>
    As soon as the policy implementation is completed, a transition
    period of 6 months will be established, so that organizations that
    announce unassigned address space or autonomous systems numbers, due
    to operational errors or other non-malicious reasons, receive only a
    warning.
    </quote>

This section of the text is presumably meant to address the "bogons"
issue -- the long-standing disputes between various networks and the
RIRs as to whether or not they are entitled to announce various prefixes
or use particular AS numbers.

It seems optimistic to assume these issues will be addressed in six
months. Or perhaps you are expecting ARIN (and all the other RIRs) to
void contracts with the US Department of Defence, with Level 3, with
CenturyLink, with Hewlett Packard, with Verizon, with Comcast, with AT&T
and with Rogers ??

    <nonquote>
    crickets
    </nonquote>

There is no discussion of the mis-use of AS numbers. Arguably this would
be merely a clarification, but it would I think be a useful one to
assist the experts in their proposed work.

>Actually, question for the chairs and Marco. Do you think it makes sense to 
>continue the discussion with the current version before improving it, or already 
>sending a new one? 

Sending RIPE the ARIN version which hardly addresses key technical
points which have been made to you does not seem especially valuable

Also, of recent days there has been some (ill-informed) discussion about
RPKI and the use of ROAs to settle disputes about hijacking. There is no
mention of this in the ARIN document so it is not possible to identify
whatever technical implausibility will be put forward.  (Hint: RPKI is
great for reducing the incidence of "fat fingering", it merely provides
a slight (if that) impediment to an intentional hijacker)

>There is a lot of improvement already, the discussion has 
>been extremely useful for the authors. However, we are missing some NCC inputs, 
>for example, regarding legal questions that we raised several times, so if 
>sending a new version means we can't get those inputs, then is not good ...

This relates to the part of the document where, having established that
in intentional hijack (or some vaguely defined never-ending series of
fat fingers) has occurred then there are consequences for the
organisation found at fault.

it's pretty clear to me that the majority of the objections made to the
proposed policy address this issue (maybe because it is thought you
might eventually address the detailed technical objections).

I don't think (but this is not really my expertise) that a legal opinion
(on what exactly?) is going to address most of the objections being made
which relate to the whether it is appropriate for a technical
transgression to result in resources being withdrawn. The lack of
clarity over the bogons issue doubtless makes everyone think "that might
be me"

To assist the authors -- your view that "experts" can decide what is or
is not a hijack is aspirational. It is also not how technical experts
are used in the real world -- they generally assist adjudicators to make
fair decisions, they do not make those decisions themselves. It would be
far better to have the NCC Board decide whether hijacking has occurred
but suggest that they should call upon experts as needed

To assist the chairs -- if the ARIN document was brought to RIPE I would
not be in favour of it being adopted by RIPE. I say this as someone with
extensive experience of tracking down and dealing with BGP hijacks by
criminal groups.. my technical points come from experience.

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 185 bytes
Desc: not available
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20190330/f1dcdc37/attachment.sig>