[ncc-services-wg] [policy-announce] 2012-08 New Policy Proposal (Publication of Sponsoring LIR for Independent Number Resources)

On Mon, Oct 15, 2012 at 07:35:33PM +0100, Nick Hilliard wrote:
>Regarding PI resources, a contractual link between the RIPE NCC and the end
>user exists, and the NCC has implemented RPKI using this chain of
>contracts.  Changing this would require a direct contractual link between
>the end user and the RIPE NCC.  If you want to change it, then why not fly

It ain't necessarily so. A requirement for a contract *may* arise if the
end-user has to pay the NCC for the service. This could probably be
solved via a pay portal or even be made free to end-users. 
All information necessary is already held by the NCC, indeed even the
decision whether to allow this contract is made there.

>a policy proposal in that direction?  Or if you feel strongly enough, float
>a policy proposal to drop rpki?

I would, but since rpki does not exist qua policy, a policy to abolish
it would not be effective. 

>But as it is, my point stands: there is no easy visibility into the rpki
>contractual side of things according to current RIPE policy, and this is a
>weakness which harms abuse handling.

To re-iterate, a LIR is *not* responsible for "abuse" perpetrated by the
end-user, your proposal is merely trying to create this responsibility
out of thin air and ex post facto. (I assume this requirement is
intended to apply to existing contracts)

>This, btw, is separate to the general abuse issue noted in the "Arguments
>For" section of the proposal for providing a mechanism for being able to
>contact a LIR to apply their AUP to an abusing End User.  Not sure why
>you're arguing that there is a problem with it.  Abusing end users exist
>and hide where they can.

Firstly, "abuse" is in the eye of the beholder. Secondly, a LIR has no
more call to cancel a contract for resources than the NCC has in case of
PA space. ISTR it being mentioned at a meeting that "spamming is a
perfectly valid use of resources as far as the NCC is concerned".

I checked the NCC end-user template and some actual contracts I handled
and *nowhere* do these make reference to AUPs. The only requirements on
the end-user are to pay and to use the resources according to policy.
In fact Article 6.3 states clearly that the end-user accepts all
liability for the use of the resource(s).

Your contention that the sponsoring LIR should be held in some way
accountable for the behaviour of the end-user, is thus not supported by
the existing contract.

This proposal is, by this argument, working into the hands of certain 
parties (you know who you are) whose mission in business is to impose 
their political and moral beliefs on the internet in general and will
most certainly use this information to put pressure on LIRs to cancel
their contracts with, or refuse to sponsor, "unwelcome" end-users.

>> With PI it's not the same situation *at all*. PI space is
>> provider-*independent* and thus may be one last way to prevent a LIR
>> becoming collateral damage in an attack on the end-user (eg a
>> politically controversial organisation)

>This makes very little sense.  If there's a perceived issue with a PI
>resource End User, then their legal name and contact details are already in
>the RIPE database so for the most part, it will be the end user who gets
>the flack.

And that is as should be, since the end-user is solely responsible for
what they do with their resources. Unfortunately, I am not quite as 
naive as to believe that an attack would stop there, on the contrary;
the attacker might very well pursue the LIR which probably has deeper
pockets and is therefore more at risk. 

>And if for some reason their LIR ends up with collateral damage 
>and feels they need to drop them as clients (I'm sure this happens from
>time to time), then there are 8000 other LIRs in the RIPE service region
>who can take the transfer.

Again, I disagree. This policy would have a chilling effect on LIRs
signing up end-users as it creates the appearance (if not the fact) of a
legal responsibility on the part of the LIR for the behaviour of an
end-user, much as is already the case with the deplorable and amoral
practice, by certain entities, of harassing transit providers for the
behaviour of their downstreams.

I also refer the recent "Dutch Police Order" and the pamphlet by that
UANI crowd as evidence of attacks in a similar vein as described above.

rgds,
Sascha