Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd)
Hi,

Just to let everybody know that a petition was started in order to try to enable a policy discussion about "BGP Hijacking is an ARIN Policy Violation".

If you would like to read the proposal, it is available at: https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/

Discussions are already ongoing at RIPE and LACNIC.

Best Regards,
Carlos

(sorry for the duplicates, if you also receive arin-ppml@arin.net)

---------- Forwarded message ----------
Date: Fri, 26 Apr 2019 17:13:12
From: ARIN <info@arin.net>
To: arin-ppml@arin.net
Subject: [arin-ppml] Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

A petition has been initiated for the following:

ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

This proposal was rejected due to scope at the 10 April meeting of the Advisory Council.

Anyone may take part in this petition. Per the Policy Development Process (PDP), a successful petition against a rejected Proposal requires the support of ten individuals from ten organizations.

To support this petition, simply send a response to the Public Policy Mailing list stating your support, name, and organization.

This petition window will remain open for five days, closing 1 May. If successful, the petition will result in the Board of Trustees considering the Proposal's scope at their next meeting.

For more information on the PDP, visit: https://www.arin.net/participate/policy/pdp/

Regards,

Sean Hopkins
Policy Analyst
American Registry for Internet Numbers (ARIN)
On Fri, Apr 26, 2019 at 11:28 AM Carlos Friaças via NANOG <nanog@nanog.org> wrote:
Hi,
Just to let everybody know that a petition was started in order to try to enable a policy discussion about "BGP Hijacking is an ARIN Policy Violation".
If you would like to read the proposal, it is available at: https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/
Discussions are already ongoing at RIPE and LACNIC.
Best Regards, Carlos
Hey Carlos, Can you (or someone else on the list, perhaps even someone who was involved in voting this down) provide some more details as to why it was rejected? What were the arguments in favor of rejecting the proposal? This seems like an interesting idea to me, and one that I can't immediately come up with any arguments against from my own perspective. There's probably some room for discussing and tuning specifics, but ultimately the concept seems reasonable to me. What am I missing here? Thanks, Matt
On Fri, Apr 26, 2019 at 11:41:18AM -0500, Matt Harris wrote: [snip]
Can you (or someone else on the list, perhaps even someone who was involved in voting this down) provide some more details as to why it was rejected? What were the arguments in favor of rejecting the proposal? This seems like an interesting idea to me, and one that I can't immediately come up with any arguments against from my own perspective. There's probably some room for discussing and tuning specifics, but ultimately the concept seems reasonable to me. What am I missing here?
Speaking solely for myself, it would be reasonable to start any discussion based upon the on-record rationales for its rejection. As such I would direct interested parties to the Draft Advisory Council Meeting minutes from April 10 https://www.arin.net/about/welcome/ac/meetings/2019_0410/ and most specifically on that page "16. ARIN-Prop-266: BGP Hijacking is an ARIN Policy Violation" Cheers, Joe -- Posted from my personal account - see X-Disclaimer header. Joe Provo / Gweep / Earthling
There are factual errors in the ARIN meeting minutes. It really is a disservice that people on the AC don’t have facts about ARIN and the function of their routing registry (for example). It would be good if the ARIN AC had people that were more aware of the functions ARIN provides. If you control vote of resources by ARIN I encourage you to use this as part of your process. Sent from my iCar
Not only that. I really think they have not invested enough time to read the proposal, check with the authors and then take a decision. We have got some email exchange, but clearly not sufficient. I also must state that the staff has been very helpful and diligent to clarify and support the petition process. Just the point is, should have never been needed, it exposes how bad (in my opinion) is the ARIN AC model. Some details: This is absolutely fake: "AP stated that at the LACNIC meeting has discussed it and they dismissed it as out of scope." LACNIC will have the first meeting where this topic will be discussed in two weeks from now. How come an AC member can lie such way? If I'm an AC member, or any other similar team, I will make sure to inform myself before stating something like that. In this case there is no excuse, you just need to visit a web page for the LACNIC policy proposals, similar in every RIR. Then I continue reading this: "AP stated that she believed that the author was using ARIN to solve their problem." How come somebody that doesn't know me, can state that? In my country, at least, this is an illegal (criminal) act (slander, ad hominem, etc.), unless you can prove that what you're suggesting is *actually true*. I don't want to make a problem with that or even consider to go to courts with the case, but I really think that before saying that from someone, you must talk to him before. I'm a very open and transparent guy, and I *never ever* did a policy proposal for *any* personal or even business motivation. I did that because if I discover an issue, and I believe I can contribute to resolve it and it will be good for the community, I just go for it. Even in several occasions my own proposal has been ***against*** my personal point of view and when I presented those policies I *clearly* stated that (for example when I was presenting policy proposals in all the 5 RIRs for IPv6 PI and I can find the videos if somebody doubt what I'm saying). 
And by the way, I'm not new on this. A month ago, during the IETF meeting in Prague, somebody asked me how many proposals I've submitted to all the RIRs (since my first one around 2003 or so). I didn't know, no idea at all, so I decided to count them, and then I discovered that I authored over 75 (a few of them with other co-authors). And this isn't including an average of 3-4 versions of each one, or many other documents in IETF (and the "n" number of versions of each one as well). I do this at the cost of my own personal pocket for traveling to the RIR meetings, I contribute as much as I can with tutorials, workshops, presentations, all kind of documents, articles, sharing my *own* time. So, reading that is really exasperating and frustrating.

And just to be clear, let me state that I don't have anything against anyone in the AC or ARIN. In fact, I've been always convinced that the AC model for the PDP in ARIN is a bad one, and this is demonstrating that. Authors and community lose the control on a policy proposal at some point (and in this case is even rejected before starting).

Speaking in general, even if a proposal doesn't reach consensus, I'm sure any open discussion is always very productive and can bring new ideas, or new approaches to the problem.

In the Internet RIRs system, I don't think we need a kind of "representative democracy". The community is able to use, in any of the 5 RIRs, a very simple process to work on achieving (or not) consensus in policy proposals: a mailing list.

Regards,
Jordi
On Apr 26, 2019, at 5:49 PM, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:
"AP stated that at the LACNIC meeting has discussed it and they dismissed it as out of scope."
LACNIC will have the first meeting where this topic will be discussed in two weeks from now. How come an AC member can lie such way?
If I'm an AC member, or any other similar team, I will make sure to inform myself before stating something like that. In this case there is no excuse, you just need to visit a web page for the LACNIC policy proposals, similar in every RIR.
Then I continue reading this: "AP stated that she believed that the author was using ARIN to solve their problem."
How come somebody that doesn't know me, can state that?
I’m not going to go in depth on the above comments. I’ve received at least one off-list inquiry and I’ll also assume no explicit malice here, but as you point out, it doesn’t smell tide fresh :) The linked AC minutes page does say "These minutes are DRAFT. They have been reviewed by the ARIN Advisory Council prior to posting. These minutes will remain draft until they are reviewed and approved by the ARIN Advisory Council at their next regularly scheduled meeting.” I have pointed out another area that I consider suspect off-list, I will set a calendar item to watch for new minutes to see if they are approved with revisions. Hopefully there’s misunderstandings here, but I’m also not confident as much of the conversation seems to have a disjoint with operational realities. (This isn’t anything new with ARIN btw, they’ve long been concerned about interacting with systems that are operational as doing that may mean staffing for on call or other functions). I’m hoping to see some updates/corrections to the text, so taking a snapshot may be useful to watch for the corrections to the draft minutes. I’m also debating if I spend the weekend with family or pinging everyone I know on the AC (which is more than one) about these issues. Either way, I’ll pick this up “soon” on my side. I do consider that abuse of ARIN allocated resources (coke/pepsi for numbering or other integers for AS4_PATH) something that ARIN can efforts to enforce revocation in the case of violation of the RSA. - Jared
Hi,

On 27/4/19 1:35, "Jared Mauch" <jared@puck.nether.net> wrote:

> On Apr 26, 2019, at 5:49 PM, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:
>
> "AP stated that at the LACNIC meeting has discussed it and they dismissed it as out of scope."
>
> LACNIC will have the first meeting where this topic will be discussed in two weeks from now. How come an AC member can lie such way?
>
> If I'm an AC member, or any other similar team, I will make sure to inform myself before stating something like that. In this case there is no excuse, you just need to visit a web page for the LACNIC policy proposals, similar in every RIR.
>
> Then I continue reading this: "AP stated that she believed that the author was using ARIN to solve their problem."
>
> How come somebody that doesn't know me, can state that?

I’m not going to go in depth on the above comments. I’ve received at least one off-list inquiry and I’ll also assume no explicit malice here, but as you point out, it doesn’t smell tide fresh :)

-> And I'm also convinced there is not any malice, but is wrong doing this kind of accusations or providing such false information.

The linked AC minutes page does say "These minutes are DRAFT. They have been reviewed by the ARIN Advisory Council prior to posting. These minutes will remain draft until they are reviewed and approved by the ARIN Advisory Council at their next regularly scheduled meeting.”

I have pointed out another area that I consider suspect off-list, I will set a calendar item to watch for new minutes to see if they are approved with revisions.

Hopefully there’s misunderstandings here, but I’m also not confident as much of the conversation seems to have a disjoint with operational realities. (This isn’t anything new with ARIN btw, they’ve long been concerned about interacting with systems that are operational as doing that may mean staffing for on call or other functions).

I’m hoping to see some updates/corrections to the text, so taking a snapshot may be useful to watch for the corrections to the draft minutes.

-> If this is changed in the final minutes, then it will be very suspicious that the AC is empowered to change something that in reality happened. I call this manipulation and the community needs to be aware of such things if it happens. Minutes should reflect the reality of what happened in the meeting. I really think the right way is that they use a side note or whatever to ack it was mistakes, lack of knowledge, lack of chat with the authors, whatever, but never an alteration of the minutes.

I’m also debating if I spend the weekend with family or pinging everyone I know on the AC (which is more than one) about these issues. Either way, I’ll pick this up “soon” on my side.

I do consider that abuse of ARIN allocated resources (coke/pepsi for numbering or other integers for AS4_PATH) something that ARIN can efforts to enforce revocation in the case of violation of the RSA.

- Jared
On 26 Apr 2019, at 5:49 PM, JORDI PALET MARTINEZ via NANOG <nanog@nanog.org> wrote:
... Not only that. I really think they have not invested enough time to read the proposal, check with the authors and then take a decision. We have got some email exchange, but clearly not sufficient. I also must state that the staff has been very helpful and diligent to clarify and support the petition process. Just the point is, should have never been needed, it exposes how bad (in my opinion) is the ARIN AC model.
Jordi - I have no views on the particular policy proposal or the petition action, but want to be clear regarding some of your characterizations of the ARIN Policy Development Process (ARIN PDP). It is correct that the ARIN Advisory Council (a body elected by the ARIN membership) is in charge of administering the policy development process, including working with submitters to get their proposals accepted as draft policies and revising draft policies based on the community discussion. In general, policy proposals are discussed at length between the submitter and the assigned ARIN Advisory Council (ARIN AC) members, with the goal of making a clear and understandable statement of the problem in number resource policy that is to be addressed – as that is the required criteria for a Draft Policy. Once a policy proposal has a clear problem statement, the ARIN AC accepts it as a Draft Policy and it is discussed (often at length) on the ARIN Public Policy Mailing List. The ARIN AC works diligently with submitters to make sure that their proposals are clear and adopted as Draft Policies, and this occurs even when the assigned AC members don’t necessarily support the merits of the particular proposal. The strength of the ARIN PDP process is that nearly anyone can submit an idea for changes to our number resource policy (even with no knowledge of ARIN's policy development process) and the ARIN AC becomes their advocate in getting a clear draft policy put before the community for discussion. We have had policy proposals made by several segments of the Internet community that are not deeply involved in the RIR system or the network operator community, but have insight into specific problems in number resource policy that they were able to get addressed. There is an exception to this process, i.e. a case where the ARIN AC doesn’t work on a policy proposal, and it occurs with proposals which lie outside the scope of number resource policy. 
The ARIN AC does make an initial determination of whether the policy proposal is within scope – the reason for such an evaluation is to make sure that the community doesn’t spend its time working on proposals which aren’t germane to how ARIN administers number resources, and I will note the overwhelming majority of policy proposals meet this criteria with ease.

Additionally, ARIN’s Policy Development Process contains many “checks and balances” to provide for the development of fair and impartial policy, and as you are aware, in the case of a policy proposal out of scope, there is a petition with a very low threshold (10 supporters) to provide for referral to ARIN’s Board of Trustees for review and final determination. Having the Board of Trustees handle such determinations makes perfect sense, as they are ultimately responsible for determining the scope of ARIN’s mission.

I understand that your policy proposal has been deemed out of scope, but I’d like to point out that such events are a very rare occurrence, and do not reflect the circumstances that the vast majority of submitters face when working with the ARIN AC and the ARIN Policy Development Process. You might not see the merits of the ARIN Advisory Council administration of ARIN’s policy development process, but their efforts are almost universally in support of those submitting policy proposals, and the effectiveness of their advocacy demonstrated by the long line of clear, technically sound and useful policy changes in the ARIN region.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers
On Fri, 26 Apr 2019, Matt Harris wrote:
On Fri, Apr 26, 2019 at 11:28 AM Carlos Friaças via NANOG <nanog@nanog.org> wrote:
Hi,
Just to let everybody know that a petition was started in order to try to enable a policy discussion about "BGP Hijacking is an ARIN Policy Violation".
If you would like to read the proposal, it is available at: https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/
Discussions are already ongoing at RIPE and LACNIC.
Best Regards, Carlos
Hey Carlos, Can you (or someone else on the list, perhaps even someone who was involved in voting this down) provide some more details as to why it was rejected? What were the arguments in favor of rejecting the proposal? This seems like an interesting idea to me, and one that I can't immediately come up with any arguments against from my own perspective. There's probably some room for discussing and tuning specifics, but ultimately the concept seems reasonable to me. What am I missing here?
Hi, Sure... https://www.arin.net/about/welcome/ac/meetings/2019_0410 (Meeting of the ARIN Advisory Council - 10 April 2019) You can also find the RIPE and LACNIC URLs here: + https://www.ripe.net/participate/policies/proposals/2019-03 + https://politicas.lacnic.net/politicas/detail/id/LAC-2019-5?language=en Best Regards, Carlos
Thanks, Matt
On Fri, Apr 26, 2019 at 9:41 AM Matt Harris <matt@netfire.net> wrote:
Can you (or someone else on the list, perhaps even someone who was involved in voting this down) provide some more details as to why it was rejected?
Hi Matt,

As I understand it (someone with better knowledge feel free to correct me) the proposal was ruled out of scope for ARIN because ARIN registers numbers, it doesn't decide how they're allowed to be routed. ISPs do that.

I personally support the petition. I think the out of scope reasoning is flawed. By enforcing minimum assignment sizes, ARIN has long acted as a gatekeeper to the routing system, controlling who can and can not participate. For better or worse, that puts the proposal in scope.

I personally think it's for worse. I oppose the proposal itself. I'd just as soon ARIN not act as a gatekeeper to BGP and certainly don't want to see it expand that role.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
On Fri, Apr 26, 2019 at 12:49 PM William Herrin <bill@herrin.us> wrote:
I personally support the petition. I think the out of scope reasoning is flawed. By enforcing minimum assignment sizes, ARIN has long acted as a gatekeeper to the routing system, controlling who can and can not participate. For better or worse, that puts the proposal in scope.
I personally think it's for worse. I oppose the proposal itself. I'd just as soon ARIN not act as a gatekeeper to BGP and certainly don't want to see it expand that role.
A couple of things spring to mind here now that I've given this a few more minutes' thought. I agree with your reasoning as to why it makes sense for this to be considered in scope for ARIN. As far as expanding roles goes... Over the past few decades, we've all watched as the internet became less and less "wild wild west" and more and more controlled (sometimes centrally, sometimes in a more or less decentralized way) by various organizations and entities. In various and sundry ways, bad actors could get away with plenty of things in 1990 that they cannot so easily today. It may be the case that this problem will be "solved" in some way by someone, but that "someone" may end up being a less engaged community or a less democratic organization than ARIN is. Ultimately, ARIN does a better job than some other internet governance bodies of promoting stakeholder and community interaction and some degree of democracy. We have to consider the question: if some organization is going to expand into this role, is it better that ARIN be the organization to do so instead of one which may be ultimately less democratic and more problematic? One major problem with the proposal, having given it a couple of minutes thought, that I can see as of now would be enforcement being dependent on knowing whom the perpetrator is. If I decide to announce to some other networks some IP space owned by Carlos, but I prepend Bill's ASN to my announcement, how does Carlos know that I'm the bad actor and not Bill? Having good communication between network operators to determine where the issue actually lies is critical. Unfortunately, that doesn't always happen. When we talk about leveraging ARIN's authority or potentially applying penalties of any sort to bad behavior, we have to be able to be certain whom the bad actor is so that the penalties are not inappropriately applied to an uninvolved or innocent third party. 
Additionally, a question of scope does arise with regard to which resources ARIN would be able to enforce any such policy with regard to. Indeed, the proposal as written currently calls for a "pool of worldwide experts" despite being a proposal submitted to an RIR which is explicitly not worldwide in scope. For example, if a network with an ASN assigned by ARIN is "hijacking" address space that is allocated by APNIC (or any other RIR) to an entity outside of ARIN's region, would this be an issue for ARIN to consider? What if ARIN-registered address space is being "hijacked" by an entity with a RIPE ASN and which is not located within ARIN territory? I suspect that for this proposal to have any meaningful enforcement mechanisms, it would require inter-RIR cooperation on enforcement, and that's a very large can of worms. Not one that is impossible to overcome, but likely one which will require several years of scrutiny, discussion, and negotiation prior to any real world implementation. Ultimately, I don't think I can support a proposal this vague, either. For something like this I think we need a lot more objective language and a lot more specifics and details. We must make policies easy to comply with, and at all costs avoid vagueness which may allow for anything less than completely fair and objective enforcement - regardless of how simple the concept may seem to us on the outset. Take care, Matt
Hi, (please see inline) On Fri, 26 Apr 2019, Matt Harris wrote: (...)
As far as expanding roles goes... Over the past few decades, we've all watched as the internet became less and less "wild wild west" and more and more controlled (sometimes centrally, sometimes in a more or less decentralized way) by various organizations and entities. In various and sundry ways, bad actors could get away with plenty of things in 1990 that they cannot so easily today. It may be the case that this problem will be "solved" in some way by someone, but that "someone" may end up being a less engaged community or a less democratic organization than ARIN is. Ultimately, ARIN does a better job than some other internet governance bodies of promoting stakeholder and community interaction and some degree of democracy. We have to consider the question: if some organization is going to expand into this role, is it better that ARIN be the organization to do so instead of one which may be ultimately less democratic and more problematic?
Good point. The same goes for RIPE NCC, LACNIC, AFRINIC and APNIC...
One major problem with the proposal, having given it a couple of minutes thought, that I can see as of now would be enforcement being dependent on knowing whom the perpetrator is. If I decide to announce to some other networks some IP space owned by Carlos, but I prepend Bill's ASN to my announcement, how does Carlos know that I'm the bad actor and not Bill? Having good communication between network operators to determine where the issue actually lies is critical. Unfortunately, that doesn't always happen. When we talk about leveraging ARIN's authority or potentially applying penalties of any sort to bad behavior, we have to be able to be certain whom the bad actor is so that the penalties are not inappropriately applied to an uninvolved or innocent third party.
There are various sources of public routing data. But yes, sharing more routing views will increase the capacity to look at cases... An uninvolved innocent third party should be able to show it was uninvolved (either by pointing out to public routing data, or by providing their own routing views if needed...) In any case, if there is reasonable doubt, a case should always be dismissed.
Additionally, a question of scope does arise with regard to which resources ARIN would be able to enforce any such policy with regard to. Indeed, the proposal as written currently calls for a "pool of worldwide experts" despite being a proposal submitted to an RIR which is explicitly not worldwide in scope. For example, if a network with an ASN assigned by ARIN is "hijacking" address space that is allocated by APNIC (or any other RIR) to an entity outside of ARIN's region, would this be an issue for ARIN to consider? What if ARIN-registered address space is being "hijacked" by an entity with a RIPE ASN and which is not located within ARIN territory? I suspect that for this proposal to have any meaningful enforcement mechanisms, it would require inter-RIR cooperation on enforcement, and that's a very large can of worms. Not one that is impossible to overcome, but likely one which will require several years of scrutiny, discussion, and negotiation prior to any real world implementation.
Yes, this needs to be in place in every RIR to maximize effectiveness. The idea of a "pool of worldwide experts" was to allow any RIR to use people from the same (larger) pool.
Ultimately, I don't think I can support a proposal this vague, either. For something like this I think we need a lot more objective language and a lot more specifics and details. We must make policies easy to comply with, and at all costs avoid vagueness which may allow for anything less than completely fair and objective enforcement - regardless of how simple the concept may seem to us on the outset.
Your comment is pretty much in line with some comments opposing version 1.0 in RIPE. Hopefully version 2.0 will be published next week. And it's a bit more "extensive" regarding details... :-) Regards, Carlos
Take care, Matt
On 26/4/19 20:25, "NANOG on behalf of Matt Harris" <nanog-bounces@nanog.org on behalf of matt@netfire.net> wrote:
On Fri, Apr 26, 2019 at 12:49 PM William Herrin <bill@herrin.us> wrote:
I personally support the petition. I think the out of scope reasoning is flawed. By enforcing minimum assignment sizes, ARIN has long acted as a gatekeeper to the routing system, controlling who can and can not participate. For better or worse, that puts the proposal in scope.
I personally think it's for worse. I oppose the proposal itself. I'd just as soon ARIN not act as a gatekeeper to BGP and certainly don't want to see it expand that role.
A couple of things spring to mind here now that I've given this a few more minutes' thought. I agree with your reasoning as to why it makes sense for this to be considered in scope for ARIN. As far as expanding roles goes... Over the past few decades, we've all watched as the internet became less and less "wild wild west" and more and more controlled (sometimes centrally, sometimes in a more or less decentralized way) by various organizations and entities. In various and sundry ways, bad actors could get away with plenty of things in 1990 that they cannot so easily today. It may be the case that this problem will be "solved" in some way by someone, but that "someone" may end up being a less engaged community or a less democratic organization than ARIN is. Ultimately, ARIN does a better job than some other internet governance bodies of promoting stakeholder and community interaction and some degree of democracy. We have to consider the question: if some organization is going to expand into this role, is it better that ARIN be the organization to do so instead of one which may be ultimately less democratic and more problematic?
Exactly, one of our thoughts (as co-authors) is: if we do nothing, some other governmental bodies will take care of it, even courts, taking irrational judgments.
One major problem with the proposal, having given it a couple of minutes thought, that I can see as of now would be enforcement being dependent on knowing whom the perpetrator is. If I decide to announce to some other networks some IP space owned by Carlos, but I prepend Bill's ASN to my announcement, how does Carlos know that I'm the bad actor and not Bill? Having good communication between network operators to determine where the issue actually lies is critical. Unfortunately, that doesn't always happen. When we talk about leveraging ARIN's authority or potentially applying penalties of any sort to bad behavior, we have to be able to be certain whom the bad actor is so that the penalties are not inappropriately applied to an uninvolved or innocent third party.
The proposal is “guarantor”, or at least that’s our intent. Is not ARIN taking the decision, is the community by means of experts. We have improved it in the v2 that will be posted in a matter of days in RIPE, but we can’t improve it in ARIN because simply discussing it is not allowed by the AC decision.
One thing to clarify, is that the policy is basically saying something that is written in all the RIRs documents: “if you get resources from us, you have the exclusive right to use them or your authorized customers”. Now if another ARIN member is misusing your resources (not by an operational mistake, but repeatedly), ARIN is not going to do anything about it? In any membership association, members are bound to the rules (policies in the case of RIRs), and members can’t act against the rights of OTHER members. If you don’t follow the rules, you can get a warning, or even lose your membership. If you go to courts because you lost your membership, courts will confirm “you have not followed the rules, so the association has the right to get you out”.
Is not a problem of ARIN becoming the “routing police”. This has been completely misunderstood by the AC. Is about ARIN making sure that the rights of the members are respected by other members. And again, it must be clear that it is intentional, not a mistake, not fat fingers. Without clear rules, other members can do whatever they want with resources allocated to another member.
Additionally, a question of scope does arise with regard to which resources ARIN would be able to enforce any such policy with regard to. Indeed, the proposal as written currently calls for a "pool of worldwide experts" despite being a proposal submitted to an RIR which is explicitly not worldwide in scope. For example, if a network with an ASN assigned by ARIN is "hijacking" address space that is allocated by APNIC (or any other RIR) to an entity outside of ARIN's region, would this be an issue for ARIN to consider? What if ARIN-registered address space is being "hijacked" by an entity with a RIPE ASN and which is not located within ARIN territory? I suspect that for this proposal to have any meaningful enforcement mechanisms, it would require inter-RIR cooperation on enforcement, and that's a very large can of worms. Not one that is impossible to overcome, but likely one which will require several years of scrutiny, discussion, and negotiation prior to any real world implementation.
This has been clarified in v2 that I mention before, to be published in RIPE. The idea is that the claim is done in the region where the hijacker is a member (assuming that we get the policy going thru all the regions). Note that we are submitting the same policy proposal adapted to each of the 5 RIRs.
Ultimately, I don't think I can support a proposal this vague, either. For something like this I think we need a lot more objective language and a lot more specifics and details. We must make policies easy to comply with, and at all costs avoid vagueness which may allow for anything less than completely fair and objective enforcement - regardless of how simple the concept may seem to us on the outset.
Right, we have a more complete v2 with many procedural details, which we can’t even discuss in ARIN, and obviously the idea of the PDP is to allow the policy proposals to be discussed until we reach a text that we can agree. So please, if you want to get this discussion going on in the right place subscribe to ARIN PPML (https://lists.arin.net/mailman/listinfo/arin-ppml) and respond to the attached email, just to support the discussion (no need to agree at all now with the text). Thanks! Jordi
Take care, Matt
********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
The proposal is “guarantor”, or at least that’s our intent. Is not ARIN taking the decision, is the community by means of experts. We have improved it in the v2 that will be posted in a matter of days in RIPE, but we can’t improve it in ARIN because simply discussing it is not allowed by the AC decision.
This isn’t entirely correct as I understand it. Any policy or potential policy can be discussed on PPML even if it is not actually on the Advisory Council Docket. You are certainly free to discuss the proposal as well as the petition there.
Now if another ARIN member is misusing your resources (not by an operational mistake, but repeatedly), ARIN is not going to do anything about it?
Do you honestly believe that hijackings are being committed by ARIN members or even ARIN resource holders that have signed RSAs with ARIN?
Is not a problem of ARIN becoming the “routing police”. This has been completely misunderstood by the AC. Is about ARIN making sure that the rights of the members are respected by other members.
Please provide some evidence that this has happened. My understanding is that the intentional repetitive hijackings to which you refer are almost always (possibly always) committed by people using not only fraudulent address space, but also fraudulent ASNs.
Without clear rules, other members can do whatever they want with resources allocated to another member.
I’m pretty certain that’s already clear from the RSA… Section 2 of RSA version 12.0 / LRSA Version 4.0 covers this reasonably well:
2. CONDITIONS OF SERVICE
(a) Compliance. In receiving or using any of the Services, Holder must comply with the Service Terms.
(b) Provision of Services and Rights. Subject to Holder’s on-going compliance with its obligations under the Service Terms, including, without limitation, the payment of the fees (as set forth in Section 4), ARIN shall (i) provide the Services to Holder in accordance with the Service Terms and (ii) grant to Holder the following specified rights:
(1) The exclusive right to be the registrant of the Included Number Resources within the ARIN database;
(2) The right to use the Included Number Resources within the ARIN database; and
(3) The right to transfer the registration of the Included Number Resources pursuant to the Policies.
Holder acknowledges that other registrants with ARIN have rights that intersect or otherwise impact Holder’s rights and/or use of the Included Number Resources, including, but not limited to, other registrants benefiting from visibility into the public portions of registrations of the Included Number Resources as further described in the Policies.
(c) redacted — not relevant here and long
(d) Prohibited Conduct By Holder. In using any of the Services, Holder shall not: (i) disrupt or interfere with the security or use of any of the Services; (ii) violate any applicable laws, statutes, rules, or regulations; or (iii) assist any third party in engaging in any activity prohibited by any Service Terms.
What does the policy proposal offer in terms of rules that aren’t already enshrined in the above text? Your claim is that without clear rules, there is a problem. I claim we have clear rules that go as far as your policy and that the problem isn’t RIR members in general anyway, but bad actors who are generally NOT RIR members.
Additionally, a question of scope does arise with regard to which resources ARIN would be able to enforce any such policy with regard to. Indeed, the proposal as written currently calls for a "pool of worldwide experts" despite being a proposal submitted to an RIR which is explicitly not worldwide in scope. For example, if a network with an ASN assigned by ARIN is "hijacking" address space that is allocated by APNIC (or any other RIR) to an entity outside of ARIN's region, would this be an issue for ARIN to consider? What if ARIN-registered address space is being "hijacked" by an entity with a RIPE ASN and which is not located within ARIN territory? I suspect that for this proposal to have any meaningful enforcement mechanisms, it would require inter-RIR cooperation on enforcement, and that's a very large can of worms. Not one that is impossible to overcome, but likely one which will require several years of scrutiny, discussion, and negotiation prior to any real world implementation.
This has been clarified in v2 that I mention before, to be published in RIPE. The idea is that the claim is done in the region where the hijacker is a member (assuming that we get the policy going thru all the regions).
And also assuming that the hijacker is a member of any RIR at all… A dubious claim, IMHO.
Right, we have a more complete v2 with many procedural details, which we can’t even discuss in ARIN, and obviously the idea of the PDP is to allow the policy proposals to be discussed until we reach a text that we can agree.
To the best of my knowledge, you are free to discuss any policy or potential policy in the ARIN region regardless of AC action on any particular proposal. To be clear, the AC’s action does not preclude discussion (to the best of my knowledge). The decision made by the AC was not to accept it on to the AC docket as a draft policy because as written it was out of scope. (See official announcement from AC and ARIN staff for a more nuanced and detailed description). This does not preclude discussing further work on the subject on PPML and it does not preclude submission of a different proposal that addresses a problem within ARIN’s scope.
So please, if you want to get this discussion going on in the right place subscribe to ARIN PPML (https://lists.arin.net/mailman/listinfo/arin-ppml) and respond to the attached email, just to support the discussion (no need to agree at all now with the text).
That’s not actually what the current petition will do. I quote from the ARIN Policy Development Process:
2.1. Petition against Abandonment, Delay, or Rejection due to Scope
The Advisory Council’s decision to abandon a Policy Proposal, Draft Policy or Recommended Draft Policy may be petitioned.
Petitions may be initiated within the 5 days following the announcement date of an Advisory Council abandonment of a specific Policy Proposal or any Draft Policy. For sake of clarity, the “announcement date” of an action shall be the publication date of the action in the ARIN AC draft minutes. Additionally, Policy Proposals that have not been accepted as a Draft Policy after 60 days may also be petitioned to Draft Policy status at anytime.
For a Policy Proposal that has been rejected due to being out of scope of the PDP, a successful petition will refer the question of whether the Policy Proposal is in scope to the ARIN Board of Trustees for consideration.
For all other petitions against abandonment or delay, a successful petition will result in the Draft Policy being placed back on the Advisory Council docket under control of the petitioner and scheduled for public policy consultation at the next PPM. After the public consultation, control returns to the Advisory Council and subsequently may be revised or abandoned per the normal Policy Development Process.
Emphasis of the third paragraph is mine since it is the relevant section to this discussion. Thus, your petition, as I understand the above text is to get the board to make a ruling on whether or not the proposal is within scope of the ARIN Policy Development Process. Owen
On Fri, Apr 26, 2019 at 7:48 PM Owen DeLong <owen@delong.com> wrote:
Do you honestly believe that hijackings are being committed by ARIN members or even ARIN resource holders that have signed RSAs with ARIN?
Wasn't Softlayer (an ARIN resource holder) called out on this list about 14 hours ago for hijacking a couple /24s? An honest mistake no doubt but come on man, the hijackings happen. -Bill -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
The policy specifically states that it’s not intended towards honest mistakes, but repeated deliberate persistent behavior. Do you know of any such case involving resource holders that have signed RSAs with ARIN or any other RIR for that matter? Owen
On 27/04/2019 06:44, William Herrin wrote:
On Fri, Apr 26, 2019 at 7:48 PM Owen DeLong <owen@delong.com> wrote:
Do you honestly believe that hijackings are being committed by ARIN members or even ARIN resource holders that have signed RSAs with ARIN?
Wasn't Softlayer (an ARIN resource holder) called out on this list about 14 hours ago for hijacking a couple /24s? An honest mistake no doubt but come on man, the hijackings happen.
I don't think the proposal is talking about valid mistakes. The proposal is talking about active, repetitive, BGP hijacking. If you disagree with the proposal, can you state what your proposed solution is for BGP hijacks? What should we as a community do to prevent them from happening before some government/int'l agency mandates what they consider would be their solution? Or do we just continue to drumbeat MANRS, post major BGP hijacks on NANOG and carry-on as we have for the past decade? -Hank
On Fri, 26 Apr 2019, William Herrin wrote:
On Fri, Apr 26, 2019 at 9:41 AM Matt Harris <matt@netfire.net> wrote: Can you (or someone else on the list, perhaps even someone who was involved in voting this down) provide some more details as to why it was rejected?
Hi Matt,
As I understand it (someone with better knowledge feel free to correct me) the proposal was ruled out of scope for ARIN because ARIN registers numbers, it doesn't decide how they're allowed to be routed. ISPs do that.
I personally support the petition. I think the out of scope reasoning is flawed. By enforcing minimum assignment sizes, ARIN has long acted as a gatekeeper to the routing system, controlling who can and can not participate. For better or worse, that puts the proposal in scope.
I personally think it's for worse. I oppose the proposal itself. I'd just as soon ARIN not act as a gatekeeper to BGP and certainly don't want to see it expand that role.
Maybe I missed it in the proposal, but I don't see that it actually says what ARIN will do other than produce a report "Yep, our expert panel says this is hijacked.". What's the expected result (other than the report)? i.e. What action is ARIN expected to take after it's determined a route advertisement is a hijacking that will make a difference? Anecdotally, ARIN has, in the past, gotten involved in this sort of thing. Many years ago, during an acquisition that went sour at the last minute, the reneging seller went to ARIN complaining that we were hijacking his IP space. ARIN contacted our upstreams and pressured them to pressure us to stop advertising the IP space. Perhaps there's no official policy, and perhaps they wouldn't do this today without one? ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route | therefore you are _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Fri, Apr 26, 2019 at 4:37 PM Jon Lewis <jlewis@lewis.org> wrote:
Anecdotally, ARIN has, in the past, gotten involved in this sort of thing. Many years ago, during an acquisition that went sour at the last minute, the reneging seller went to ARIN complaining that we were hijacking his IP space. ARIN contacted our upstreams and pressured them to pressure us to stop advertising the IP space. Perhaps there's no official policy, and perhaps they wouldn't do this today without one?
I would argue that action without an explicit official policy that outlines the circumstances under which what action is taken is just asking for awkward situations to arise. - Matt
The intent is to clearly state that this is a violation of the policies. The membership documents/bylaws or the RSA, your account may be closed. I looked at it when adapting the policy from RIPE to ARIN, don't have this information right in my mind, but I'm sure it was there. Otherwise, if needed another policy should state something like "if you keep violating policies" this and that may happen. This should be something generic for *any* policy violation not in general. We have this in RIPE and LACNIC, and I'm also convinced that in APNIC and AFRINIC (still working on those versions). Regards, Jordi
By the way, even if ARIN (or the community) decides to do *nothing* in case of a policy violation, clearly the victim will have a better situation to defend the case in courts, and not rely on the judgement of inexperienced folks that will know nothing about what is an Internet Resource, BGP, etc., etc. Regards, Jordi
On Fri, 26 Apr 2019, JORDI PALET MARTINEZ wrote:
The intent is to clearly state that this is a violation of the policies.
The membership documents/bylaws or the RSA, your account may be closed. I looked at it when adapting the policy from RIPE to ARIN, don't have this information right in my mind, but I'm sure it was there.
Otherwise, if needed another policy should state something like "if you keep violating policies" this and that may happen. This should be something generic for *any* policy violation not in general. We have this in RIPE and LACNIC, and I'm also convinced that in APNIC and AFRINIC (still working on those versions).
Not swip'ing your IPs is also a violation of the agreement, but until you go back to ARIN for more IPs (oops, they're out), that's not an issue. I see this policy as pointless as written because it doesn't say that ARIN will take any action other than publishing an opinion. I think you're also assuming there's a pool of experts standing by willing to investigate every alleged hijacking (for free?). Maybe there are. If there aren't, or once they get tired of investigating allegations, what then? ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route | therefore you are _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
A policy proposal typically is not perfect when submitted. However, not having the discussion, doesn't allow to improve it and maybe then, reach consensus. It may happen that the end of the discussion is, instead of a group of experts, we need something different, or may be a compensation for them is needed, or instead of a complex policy we need a simple one, in the line of: "The resources are allocated for the exclusive use of the recipient. Consequently, other members can't use them (unless authorized by the legitimate resource-holder) and not following this rule is a policy violation".
Even among the network security community the number of people who track bgp hijacks and gather data is quite small yet such people do exist and have been active in speaking for this proposal when the same thing was discussed on the ripe anti abuse wg to an expected chorus of "we are not the internet police" --srs
On Fri, Apr 26, 2019 at 2:36 PM Jon Lewis <jlewis@lewis.org> wrote:
Maybe I missed it in the proposal, but I don't see that it actually says what ARIN will do other than produce a report "Yep, our expert panel says this is hijacked.". What's the expected result (other than the report)? i.e. What action is ARIN expected to take after it's determined a route advertisement is a hijacking that will make a difference?
Tough question! If the author's petition succeeds so he's not cut off at the knees by the Advisory Council's out-of-scope ruling, I'll look forward to hearing how he answers. Regards, Bill Herrin -- William Herrin ................ herrin@dirtside.com bill@herrin.us Dirtside Systems ......... Web: <http://www.dirtside.com/>
RSA (https://www.arin.net/about/corporate/agreements/rsa.pdf) clearly states that the services are subject to the terms and conditions stated in the policy manual. There is explicit text in case of lack of payment. Not so clear what to do if there is a policy violation, but it looks like at a minimum, you will not get further services nor further resources.

Bylaws (https://www.arin.net/about/corporate/bylaws/#bylaws-of-american-registry-for...) don’t explicitly talk about the obligations of members. This may be related to US law, that you don’t need to explicitly say that behavior against other members is forbidden. In some countries, it is evident that if a member of an association is not following the rules (policies) or is acting against the rights of other members, it can be expelled.

As I said before, we may need another policy proposal to state what to do. Why a different policy proposal? Because the same policy section must be related to other policy violations (maybe with warnings in case of policy violations and resource recovery only in extreme cases or repetitive misbehavior – this is the case in RIPE), if that’s not clear already in the bylaws, US laws, or RSA.

For me, it is obvious that an association MUST protect members against *any* misbehavior of other members.

Regards,
Jordi

On 27/4/19 0:58, "NANOG on behalf of William Herrin" <nanog-bounces@nanog.org on behalf of bill@herrin.us> wrote:

On Fri, Apr 26, 2019 at 2:36 PM Jon Lewis <jlewis@lewis.org> wrote:

Maybe I missed it in the proposal, but I don't see that it actually says what ARIN will do other than produce a report "Yep, our expert panel says this is hijacked.". What's the expected result (other than the report)? i.e. What action is ARIN expected to take after it's determined a route advertisement is a hijacking that will make a difference?

Tough question!
If the author's petition succeeds so he's not cut off at the knees by the Advisory Council's out-of-scope ruling, I'll look forward to hearing how he answers.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
I personally support the petition. I think the out of scope reasoning is flawed. By enforcing minimum assignment sizes, ARIN has long acted as a gatekeeper to the routing system, controlling who can and can not participate. For better or worse, that puts the proposal in scope.
Speaking only for myself and not as a representative of the ARIN AC…

I believe this is a distortion of the realities of the situation and of the history. ARIN actually led the charge to lengthen the maximum IPv6 prefix accepted by ISPs (from /32 all the way to /48). ARIN prefix size limits have almost always been equal to or longer than those accepted by a majority of providers on the internet and in almost all cases where those limits changed, ARIN changed first, with providers changing as a result of the pressure that created.

As to how those were decided within the ARIN process, please note that it was community consensus that drove those changes (and resisted them in the earlier days).

Nonetheless, the reason for having those limits had to do with how ARIN was managing the resources on behalf of the community. Any impact or lack thereof on the routing table was a secondary effect. The policy was in scope because it affected how ARIN managed the registry.

The current proposal doesn’t actually affect any action ARIN takes in managing the registry. It attempts to expand the scope of ARIN’s mission to include some vague form of policing routing. It doesn’t provide any real information about how this new mission should be accomplished, nor does it take into account the fact that since ARIN controls only a small handful of routers, it has little to no ability to make any decisive or useful action in this regard.

It seems to assume that those hijacking resources are ARIN members (or at least ARIN resource holders who signed an RSA subjecting them to ARIN policy). It is utterly untested waters as to whether ARIN has any ability to take any action against a party that hasn’t got a contract with ARIN for violating the rights of a party that does have a contract with ARIN. To be useful, this policy would, IMHO, need to somehow empower ARIN to do that.

I am not a lawyer, but I doubt such empowerment can come from anything short of regulation, thus certainly out of scope of ARIN policy. I agree with Bill that such empowerment would not be a good thing anyway, so it’s not like I want to see that regulation come about, but until it does, I don’t see an in-scope effect from this proposal.

Owen
Hi Everyone, Just a gentle reminder that May 1st is the last day to express support for this Open Petition at ARIN's Public Policy Mailing List (arin-ppml). Best Regards, Carlos On Fri, 26 Apr 2019, Carlos Friaças via NANOG wrote:
Hi,
Just to let everybody know that a petition was started in order to try to enable a policy discussion about "BGP Hijacking is an ARIN Policy Violation".
If you would like to read the proposal, it is available at: https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/
Discussions are already ongoing at RIPE and LACNIC.
Best Regards, Carlos
(sorry for the duplicates, if you also receive arin-ppml@arin.net)
---------- Forwarded message ---------- Date: Fri, 26 Apr 2019 17:13:12 From: ARIN <info@arin.net> To: arin-ppml@arin.net Subject: [arin-ppml] Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation
A petition has been initiated for the following:
ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation
This proposal was rejected due to scope at the 10 April meeting of the Advisory Council.
Anyone may take part in this petition. Per the Policy Development Process (PDP), a successful petition against a rejected Proposal requires the support of ten individuals from ten organizations.
To support this petition, simply send a response to the Public Policy Mailing list stating your support, name, and organization.
This petition window will remain open for five days, closing 1 May.
If successful, the petition will result in the Board of Trustees considering the Proposal's scope at their next meeting.
For more information on the PDP, visit: https://www.arin.net/participate/policy/pdp/
Regards,
Sean Hopkins
Policy Analyst
American Registry for Internet Numbers (ARIN)
participants (11)
- Carlos Friaças
- Hank Nussbacher
- Jared Mauch
- Joe Provo
- John Curran
- Jon Lewis
- JORDI PALET MARTINEZ
- Matt Harris
- Owen DeLong
- Suresh Ramasubramanian
- William Herrin