[db-wg] [anti-abuse-wg] objection to RIPE policy proposal 2016-01

Dear Lu,

Your reasoning fails the logic test because you do not cognize  the mismatch
between the operation of "law to enforce things" and the spammer business
model.     The loss to no single victim rises above the threshold to initiate
either criminal or civil proceedings.   The spammers organize their business
model in this way expecting most people to have your attitude.

This is clearly explained in

 <http://www.jeffreyrace.com/nugget/spam_05.pdf>

Kind regards,

Dr. Jeffrey Race, President
Cambridge Electronics Laboratories
20 Chester Street, Somerville MA 02144-3005
Tel +1 617 629-2805 Fax +1 617 623-1882

 Avoid spinal damage from computer use! 
        Read "Cripples by Thirty?"

<http://www.camblab.com/nugget/nugget.htm>

--Original Message Text---
From: Lu Heng
Date: Fri, 4 Mar 2016 14:20:28 +1300

Hi there:

I think the whole notion about we are managing the internet though the policy are not correct.


We are not managing the internet, we are book keeping really.


Denis, your argument standing on a group that if we do not manage the internet, the gov will step
in and do it for us, but that is largely untrue.


The Gov are managing it now as we speak, they have something called law to enforce things, they
really don't need bother to go though policy here to block content they dislike, bust people they
think are bad, find people are responsible, if there is a seriou crime going on, with or without
abuse-c, gov will find them or not---abuse c does not change the outcome.


Take China for example, A 500 m user can not access Facebook, tell me they go though any sort of
APNIC policy to do that, same goes for some countries inA Middle East.


So my last point is. If you like their gov job, you can apply one, don't try to push community here
to do gov's job.


On Friday 4 March 2016, denis <ripedenis at yahoo.co.uk> wrote:
Hi Peter

OK lets cut to the bottom line. Does anyone NOT agree with these points:

-Internet abuse (in it's various forms) is considered both a nuisance and a danger by the publicA 
-Politicians will jump onto any band wagon that has popular public support and enhances their
careers
-Responsible internet resource management includes receiving and handling abuse complaints related
to the networks you manage

If we all supported these points, especially the last one, then in an ideal world all network
managers would be happy to provide abuse contact details and would take action on complaints
received.

Unfortunately we don't live in that ideal world. The fact that so many experienced technical
internet people are opposing this policy worries me. So many of you are fixating on this point
about 'mandatory', 'enforcing', 'justifying'. If everyone agreed with point 3 above then you would
all be willing to do this voluntarily anyway. So what difference does it make to those of you who
do this anyway if it is mandatory?

But we know some people simply can't be bothered to handle abuse complaints and we also know some
people make money by providing services to the abusers. There is no point pretending this does not
happen. If there is a lot of money to be made some people will want a slice of it. That is why this
has to be mandatory.

When abuse-c was first introduced it was made clear that this was the first step of a process. The
intention was for all IP addresses within the RIPE region to have one common way of documenting an
abuse contact that can be accessed programatically. It was also made clear that this first step had
nothing to do with whether anyone responds to reports sent to that contact. Because it was and
still is clear that some people don't want to publicise any abuse contact details it had to be and
still has to be mandatory. If you enter data into the RIPE Database you are required to ensure it
is correct. Dealing with whether anyone responds to the reports sent to this contact is a separate
issue and should not cloud the discussion on the abuse-c information in the RIPE Database. Neither
should the technical implementation of the abuse-c attribute.

I know there are policies about policies for legacy resources. Personally I think that is crazy.
All IP addresses are technically the same no matter how or when you acquired it. Abuse can come
from any one of them.

I don't know why we are making the policy side so complicated. The principle is simple. If you
manage IP addresses in the public domain, from where abuse can be generated, responsible management
requires you to provide abuse contact details!!!

cheers
denis

On 03/03/2016 23:30, Peter Koch wrote:
On Thu, Mar 03, 2016 at 11:46:45AM +0100, denis wrote:

In these days of political interest in how the internet is 'managed' the
RIRs need to do more than 'just maintain an accurate registry'. The


indeed. The community should be careful to maintain and improve the
credibility and legitimacy of its policy development process.
``Extra constitutional'' activity (imposing "abuse" handling procedures
camouflaged as syntax changes to database objects) and retroactive
changes to policy without an exceptional justification both aren't
helpful.

2016-01 claims "Better data quality", which is not backed with arguments.
2016-01 claims "More accurate data for abuse contact", which is not
A  A  A  A  A supported by arguments or evidence/precedent.

internet is a crucial part of modern life. Abuse is considered to be a
serious problem. What you are saying is that you don't give a dam about
abuse and are not interested in being part of the management of abuse.


The alleged correctness of data does not imply a "right to response" (cf ripe-563),
and rightfully so.A  Therefore the claims that refusal to add abuse-c
would imply refusal to deal with abuse reports are pointless, since
the sheer presence of the attribute does not imply anything, either.

Also, I have not heard RA¬diger (or anyone else) claim they would not
want to even add abuse-c - it's making this policy mandatory what is
being contested.A  ripe-639 re-establishes the 'special role' of
legacy resources as exempt from policy changes:

A  A  A  A  Any existing or future RIPE policy referring to resources shall not apply
A  A  A  A  to legacy resources unless the policy explicitly includes legacy resources in its
scope.

Now, if that was simply a matter of a boilerplate in any future policy
(xxx shall also apply to legacy resources), this clause would not make
the slightest sense.A  Consequently, a special consideration is needed.
2016-01 simply refers to inconsistency (obviously a simple consequence
of ripe-639 and thus not exceptional) and "better data quality" - without
justification.A  No indication is given of any harm caused by legacy
resources currently not subject to ripe-563.A  ripe-563/ripe-639
do not preclude use of abuse-c for legacy resources, either.

All in all, I understand the motivation behind 2016-01, but the reasoning
is far too poor to justify proceeding with the proposal.

-Peter







-- 
--
Kind regards.
Lu