This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Richard Clayton
richard at highwayman.com
Sat Mar 30 13:11:31 CET 2019
In message <1F2FDFE3-4929-4D3F-8334-8D7755E94D19 at consulintel.es>, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg at ripe.net> writes

>If you want to have an idea of "what" we have captured during the discussion in
>this mailing list, we have also submitted the "improved" version to ARIN (and
>working on the same for APNIC and AfriNIC).
>
>You can read that (in English) here:
>https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/

I am disappointed that little has been done to address the technical misconceptions / pious hopes in the RIPE proposal.

<quote>
There are already enough sources of historic and almost real-time routing data which function as a worldwide observatory. From these sources it is possible to accurately evaluate who is performing BGP Hijacks and harming (or trying to harm) third party networks by doing so.
</quote>

It is not necessarily the case that BGP hijacks will be visible in the globally collected datasets. What then?

Also, where the resources of defunct companies are hijacked then it is not the routing table which will be key evidence but rather the paperwork on file at the RIR or elsewhere. There is no discussion of this aspect of the issue at all (despite it being a major component of hijack events over the past five years).

<quote>
The external experts are mere evaluators, who can use available sets of routing data to determine whether BGP hijacking events have taken place, and whether were intentional.
</quote>

It is NOT possible (for experts or almost anyone else) to accurately evaluate who is performing BGP hijacks -- for every announcement there will be at least two networks (AS numbers) who might have done it and the experts will be using their skill and judgment to guess which of them is culpable.

Although in many cases it is "obvious" who did it, there is always at least one other AS on the path who is able to "frame" the suspect and so the experts are mainly deciding how plausible it is that someone is being framed.

<quote>
The direct upstreams of the suspected hijacker, which facilitate the hijack through their networks, may receive a warning the first time. Nevertheless, in successive occasions they could be considered by the experts, if intentional cases are reproduced, as an involved party.
</quote>

This is pretty opaque ... but if it is meant to be read as "global transit providers are responsible for the behaviour of their customers" then this is what Sir Humphrey would call a "courageous" approach.

<quote>
The expert’s investigation, will be able to value relationships between LIRs/end users, of the same business groups.
</quote>

How?

<quote>
Accidental cases or those that can’t be clearly classified as intentional, will receive a warning, which may be considered if repeated.
</quote>

This is incoherent -- and there does not seem to be any clarity about what a "warning" means from a consequences point of view.

<quote>
As soon as the policy implementation is completed, a transition period of 6 months will be established, so that organizations that announce unassigned address space or autonomous systems numbers, due to operational errors or other non-malicious reasons, receive only a warning.
</quote>

This section of the text is presumably meant to address the "bogons" issue -- the long-standing disputes between various networks and the RIRs as to whether or not they are entitled to announce various prefixes or use particular AS numbers.

It seems optimistic to assume these issues will be addressed in six months. Or perhaps you are expecting ARIN (and all the other RIRs) to void contracts with the US Department of Defence, with Level 3, with CenturyLink, with Hewlett Packard, with Verizon, with Comcast, with AT&T and with Rogers??

<nonquote>
crickets
</nonquote>

There is no discussion of the mis-use of AS numbers. Arguably this would be merely a clarification, but it would I think be a useful one to assist the experts in their proposed work.

>Actually, question for the chairs and Marco. Do you think it makes sense to
>continue the discussion with the current version before improving it, or already
>sending a new one?

Sending RIPE the ARIN version which hardly addresses key technical points which have been made to you does not seem especially valuable.

Also, of recent days there has been some (ill-informed) discussion about RPKI and the use of ROAs to settle disputes about hijacking. There is no mention of this in the ARIN document so it is not possible to identify whatever technical implausibility will be put forward. (Hint: RPKI is great for reducing the incidence of "fat fingering", it merely provides a slight (if that) impediment to an intentional hijacker)

>There is a lot of improvement already, the discussion has
>been extremely useful for the authors. However, we are missing some NCC inputs,
>for example, regarding legal questions that we raised several times, so if
>sending a new version means we can't get those inputs, then is not good ...

This relates to the part of the document where, having established that an intentional hijack (or some vaguely defined never-ending series of fat fingers) has occurred then there are consequences for the organisation found at fault.

It's pretty clear to me that the majority of the objections made to the proposed policy address this issue (maybe because it is thought you might eventually address the detailed technical objections). I don't think (but this is not really my expertise) that a legal opinion (on what exactly?) is going to address most of the objections being made which relate to whether it is appropriate for a technical transgression to result in resources being withdrawn.
The lack of clarity over the bogons issue doubtless makes everyone think "that might be me"

To assist the authors -- your view that "experts" can decide what is or is not a hijack is aspirational. It is also not how technical experts are used in the real world -- they generally assist adjudicators to make fair decisions, they do not make those decisions themselves. It would be far better to have the NCC Board decide whether hijacking has occurred but suggest that they should call upon experts as needed

To assist the chairs -- if the ARIN document was brought to RIPE I would not be in favour of it being adopted by RIPE. I say this as someone with extensive experience of tracking down and dealing with BGP hijacks by criminal groups.. my technical points come from experience.

--
richard
Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755