[anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

Hi Nick,


El 8/5/20 23:58, "Nick Hilliard" <nick at foobar.org> escribió:

    JORDI PALET MARTINEZ via anti-abuse-wg wrote on 08/05/2020 12:07:
    > [Jordi] The job of the RIPE NCC is to implement the policies agreed
    > by the community. Different folks may consider different pieces of
    > all of our policies as "inappropriate" or "arbitrary"

    which is fine, mostly. Subject to usual discretion of the RIPE NCC to 
    ignore policy which is harmful to itself or others.  Various board 
    members have confirmed in the past that the RIPE NCC will not buy an 
    island if instructed to do so by the RIPE Community.

    > and the goal is
    > to find a point in the middle, which is what we call consensus.

    The goal is to try to find consensus.  There's nothing in the concept of 
    consensus about trying to find a point in the middle.

    If I make a policy proposal to demand that the RIPE NCC buy an island, 
    would it be reasonable to settle on a compromise which involved the RIPE 
    NCC buying only half an island?

    It's ok for consensus to be that a policy proposal be rejected entirely.

[Jordi] I guess there is a translation problem here. For us in Spain, something in the middle means a middle term or "compromise" to find an agreement, not to buy half of the island ;-) even less when I'm not trying to buy any island! Consensus is very well described in many nice sentences in RFC7282 (by the way, remember that is not just consensus, we use it for short, but actually it is "rough consensus"). For example:

"Coming to consensus is when everyone (including the person making the
   objection) comes to the conclusion that either the objections are
   valid, and therefore make a change to address the objection, or that
   the objection was not really a matter of importance, but merely a
   matter of taste.  Of course, coming to full consensus like that does
   not always happen.  That's why in the IETF, we talk about "rough
   consensus"."

*** See also "5. Consensus is the path, not the destination", it requires time and sometimes many cycles (many versions), is the only way we have, is slow, by in my opinion is the right way.


    > I believe is perfectly understandable the need to avoid using manual
    > forms which don't follow a single standard, which means extra work
    > for *everyone*.

    Couple of things on this:

    - if you want to standardise a mechanism for abuse reporting, then that 
    would be useful and by all means, go ahead with that idea first.  There 
    are many forums available for doing this.

[Jordi] The standard is already defined and this version of the proposal included it. Now we need to agree if we want to use it or not, and at the time being I wrote it as one choice. Maybe the community prefers making it as the only valid option. We do that very often in many other proposals. Why not for abuse reporting?

    - your proposal threatens to close down RIPE NCC members if they decline 
    to support abuse reports over email.  This is unhinged.

[Jordi] No, this is not my proposal, this is already *any policy violation* , and actually the actual policy already do that, but in an unclear way. I'm trying to expose it being more honest and transparent with the interpretation of the actual text:
"The RIPE NCC will validate the “abuse-mailbox:” attribute at least annually. Where the attribute is deemed incorrect, it will follow up in compliance with relevant RIPE Policies and RIPE NCC procedures."

    > [Jordi] The actual policy has a bigger level of micro-management, by
    > setting one year and not allowing the NCC to change that. I think it
    > is much better to explicitly allow it. One alternative, I will be
    > fine with that, is not define the time at all, and let the NCC to
    > adapt it to the needs. Would you thing this is more appropriate?

    The entire policy is poorly thought-through to start with.  You can't 
    fix bad policy with minor tweaks around the edges.

[Jordi] Well, we disagree here, many documents reached consensus thru contributions from people, even if it was a bad document (I don't think it is the case) from the start.


    > [Jordi] What I'm asking here is to make sure that we have stats. I'm
    > not changing what is an actual practice. You can always report to
    > *any* RIR, what you think is wrong and if you're a good internet
    > citizen, you should do that.

    If you're a good internet citizen, you have some moral obligation to 
    report abuse to an internet number resources registry?

[Jordi] This is my opinion, not just in the Internet community. If I see something wrong in "any community", I need to cooperate to make it better. Otherwise I can't complain. If you don't like the food in the restaurant, you either stop eating there or complain so they improve ... If you don't like how your city major does his job, you will complain, even provide suggestions, or not vote him anymore and convince others about that.

    You're completely putting the cart before the horse here.  The purpose 
    of the RIRs is number resource registration.

[Jordi] Which include reliable and usable database information.

    > I'm happy if you believe that my wording
    > is not good, and we agree on that goal, to find an alternative one.
    > Any suggestion?

    Firstly, if you propose to collect stats about anything, you need to 
    think about what sort of stats should be collected.

    Secondly, you need to make a credible argument about why the RIPE NCC 
    should be obliged to spend membership funds collecting these stats and 
    why the RIPE NCC is a more appropriate vehicle for collecting these 
    stats than other organisations which specialise in online security and 
    abuse issues, particularly those which already collect statistics about 
    online abuse.

[Jordi] What I understood from RIPE NCC, correct me please if I'm wrong, is that they have already those stats, but they aren't mandated to keep collecting them or even less, publish periodic reports. Regarding what stats, I was thinking that it is obvious, but seems not: Escalation cases for failed abuse mailboxes. We can then compare with the existing validation procedure and see if something is not really working or it is people that just don't handle abuse cases. By the way, this has been in place in APNIC for already around one year, and it is providing good results. 

    Nick



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.