[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

In message <sIJ4kBCqwOocFAf1 at highwayman.com>, 
Richard Clayton <richard at highwayman.com> wrote:

>In message <74227.1553972836 at segfault.tristatelogic.com>, Ronald F.
>Guilmette <rfg at tristatelogic.com> writes
>>In the summer of last year, 2018, I took steps to point out, in a very public
>>way, on the NANOG mailing list, two notable hijacking situations that came
>>to my attention *and* also to identify, by name, the actors that were quite
>>apparently behind each of those.  In neither of those instances was there
>>ever even any serious attempt, by either of the relevant parties, to refute
>>-any- of my very public allegations.
>
>If they had refuted the allegations then it would have become rather
>complicated and it would have come down to one entities word against
>another and perhaps the examination of documentary evidence of what
>arrangements had been authorised (and then perhaps forensic assessment
>of the authenticity of those documents).

I am not persuaded that such complexity would ever actuall arise, in
practice, although I do confess that my view may be colored by the
facts of the specific cases I have personally looked at.  (In one of
the two cases I cited, an allegedly "Ukranian" entity was quite
obviously... and quite blatantly... hijacking a block of ARIN-issued
IPv4 addresses that were officially registered to the United States
Air Force, thus leaving no ambiguity whatsoever.)

>Some BGP hijacking cases have been prosecuted on the basis of the
>forging of documents rather than on the hijack per se.

Perhaps you could share references to such incidents (?)  I don't doubt
your assertion here, but I, for one, am always interested to look at the
details of additional cases.

>I agree that it can be pretty clear what has gone on and the accused
>then helpfully acts in such a way as to make it clear to everyone that
>they were "guilty"...

Yes.  It is certainly the case that, on some occasions, at least, the
crooks have been most helpful in their own downfalls.

>However, it is not necessarily clear at all and writing a policy which
>assumes that it will always be clear is in my view unwise.
>
>Assuming that experts will always be able to determine who is at fault
>(along with deciding whether an event they know little of is accidental
>or deliberate) is to live in a world that I do not recognise.

I disagree completely.  The world would be one that you most certainly
*would* recognize.

Your argument basically boils down to the following unsustainable
assertion:  We cannot assume that we will always, and in 100% of all
cases, be able to accurately recognize "crime" when we see it.  Therefore
we should have -no- criminal laws.

That is the undeniable fundamental logic of your position.

There *is* a world that you would not recognize, and it is one that would
be guided by this very principal that you are espousing.  What would the
world be like if we all just shrugged and said "Oh, well, we cannot be
absolutely sure that we will be 100% accurate when we prosecute shoplifters,
or murderers, and therfore we will never even try to do so" ?  *That* would
be the world that you would not recognize.  But we already have a living,
breathing example of that world, and the effects of such a guiding principal,
when put into actual practice... and it is NOT a pretty picture.  The world
in question is called RIPE, where scofflaws roam free, and where, at worst,
those same scofflaws are only subjected to some rather modest public
embarassement.

I would be the first to agree that something less than 100% of all shoplifting
cases and also something less than 100% of all murder cases are so abundantly
clear as to leave no doubts whatsoever.  In my own country, several murder
cases have been overturned, upon further review, sometimes even decades
after an innocent man has been incarcerated.  These cases are quite
obviously problematic for anyone with any semblance of a conscience.  But
I have yet to hear even the most liberal of defense attorneys argue in
favor of legalizing murder... or shoplifting for that matter.. as an
appropriate or well reasoned response to the vagaries and vissitudes of
our imperfect justice system... as you appear to be doing.  (Because that
*is* really the inescapable end-point of your position.)

>If the policy stopped at the statement that unauthorised BGP hijacking
>was unacceptable behaviour then I would be happy with it.

I have no idea what country you live in, but would you likewise find it
equally acceptable if your local national legislature also and likewise
passed a resolution calling for murder to be entirely decriminalized,
while adding that it is the sense of the legislature that murder shall
nontheless, and henceforth, be deemed "unacceptable behaviour" deserving
of public derision and scorn, but no further penalties whatsoever?

If so, I would suggest to you that anarchy and chaos would ensue.   If a
concrete example is needed, then I can and will simply point to what's
been going on in the RIPE region, specifically with respect to the number
resources that RIPE allegedly "manages".

>Adding all the
>procedural stuff about how BGP hijacking will be (easily of course)
>detected and exotic details about experts and report forms and time
>periods is (a) irrelevant to establishing the principle and (b)
>cluttered with false assumptions and unhelpful caveats and (c) way too
>formalised to survive dealing with some real examples.

While I agree with the general thrust of your comments here, I would hasten
to point out that every one of these same criticism can be, and has been,
leveled also at literally *every* criminal justice system in literally
*every* civilized country on the face of the earth.  And despite that,
no one in any of these countries seems either ready or eager to discard
centuries of codified law or procedure in favor of abject and unbridled
lawlessness.  To do so would be self-evident madness.


Regards,
rfg