Hi, I would like to volunteer to help with bullet two: “DDoS mitigation. BCP38, communities for RTBH, packet scrubbing, etc. What can we do collectively?”. -Rich From: NANOG <nanog-bounces+rich_compton=comcast.com@nanog.org> on behalf of Howard, Lee via NANOG <nanog@nanog.org> Date: Friday, August 2, 2024 at 12:05 PM To: NANOG list <nanog@nanog.org> Subject: Norms and Standards Last October at NANOG89 in San Diego, John Curran exhorted us to work together<https://urldefense.com/v3/__https:/youtu.be/U1Ip39Qv-Zk?feature=shared__;!!CQl3mcHX2A!CvvxNrHPzj7sjlrV8-3YxEA2AbO8sy-5tG4p2CFqz-PvU2jJTkdbz4Ag3lNojuxp5O9PagUfwH2LFVMcXQ$> to document best practices before governments developed their own. John pointed out that in many industries, technical requirements and standards inform public policy goals, and vice versa. Then, when regulation is enacted, it refers to the standards developed by those technical experts. For example, the policy goal of protecting people from house fires is promoted through building codes (laws) which reference fire and electrical codes developed by standards bodies. Governments are instituted by people to provide national defense, perform public services, protect children and vulnerable people, safeguard privacy and freedom, and prosecute those who transgress the above[1]. However, governments don’t operate the Internet, so when there are threats to or violations of the governmental role, they look to us. As John notes, they are increasingly looking at their roles with respect to the Internet. If we don’t work together to provide tools to enable governments to fulfill their legitimate role, they will do what they think is best. If we have agreed on some norms and standards, then they can point to those and say, “This looks like best practice.” In many cases, that gives us a safe harbor against additional action from governments—if I can show I’m following accepted best practices, I’m less of a target than my non-compliant competitors. What should we work on together? * We already have MANRS, KINDNS, some anti-spam (no open relays, block port 25, etc.). * DDoS mitigation. BCP38, communities for RTBH, packet scrubbing, etc. What can we do collectively? * Infrastructure protection. Best practices for protecting your devices and services. * Critical infrastructure protection. Do we have a role in protecting power plants, hospitals, etc., more than others? * Net neutrality. Is there more than just “don’t inspect above L3”? Do CDNs or caches privilege some content unfairly? * IPv6? The government angle is mostly anti-CGN, but this is a greater problem outside this region. * Other ideas? If a group of people can pick one topic and start documenting best practices, we may be able to do something good. I’m not worried about process yet: content first. Is there a topic above, or another one, on which folks would like to collaborate to describe best practices? Lee [1] Even if you disagree that there is a legitimate role for governments, they think they have these roles, and they have the power to compel.