[anti-abuse-wg] RIPE 67 AA-WG Meeting Minutes
Brian Nisbet brian.nisbet at heanet.ie
Tue May 6 15:49:00 CEST 2014
Colleagues,

More minutes! Here are the minutes from RIPE 67 for your approval.

Anti-Abuse Working Group
Date: 17 October 2013, 14:00-15:30
Chairs: Brian Nisbet and Tobias Knecht
Scribe: Anand Buddhdev

A. Administrative Matters

Brian Nisbet, Working Group Chair, welcomed the attendees and the minutes from RIPE 66 were approved.

B. Policies

RIPE Policy 2011-06 Update, RIPE NCC
Denis Walker, RIPE NCC

This presentation is available at:
https://ripe67.ripe.net/presentations/335-RIPE67abuseCv2.pdf

Piotr Strzyzewski, Silesian University of Technology, Poland, requested advance notice of the addition of abuse-c attributes to PI address space objects. Brian suggested that would be appreciated.

Gilles Massen, Fondation RESTENA, questioned the practice of duplicating data in the RIPE Database. Denis agreed that duplication is a bad idea, but that this database was designed with duplication in mind – not just for abuse-c but in other areas as well. He said there was no good solution yet and asked the audience to let the RIPE NCC think about this and come back with some ideas.

Bill Boughton asked via chat whether the tool being developed for PI holders will work with PGP-signed objects. Denis replied that it probably will not, because it’s difficult signing web forms and PGP works best with email, but said he will think about it.

Peter Koch, DENIC eG, said he agreed with Gilles, and couldn't see why the RIPE Database was designed with duplication in mind. He said that changing to a more specific object will confuse people, and the main point is figuring out who the target audience is for the whole abuse-c project, such as end users, automated systems, tool writers, etc.

Denis responded that there are tools to find the abuse contact information. The problem with putting these contacts in different places is that it will become difficult to maintain and will make it more difficult for the existing finder tools to find the abuse contacts.
Peter thanked Denis for his explanation, but said that attaching the abuse-c attribute to the organisation object is a serious breach of the RIPE Database paradigm. He said that, if that’s confusing the maintainers, maybe it’s time to rethink the strategy and, if end users are confused, maybe tools are required to help them, which he said the RIPE NCC is already implementing.

Denis suggested that there may be a need to take a step forward with the admin-c and tech-c and others. Brian said that there was not time to discuss that idea in the session, or in the working group. He said that there’s more for the RIPE NCC to consider when it comes to the implementation of abuse-c.

Brian Nisbet asked about a message from the Database Working Group Mailing List about contradictory abuse contacts and statistics. Denis said that, before abuse-c existed, abuse contacts were allowed in five different object types, and that these references still exist, so it’s possible that the 4,000 members who have added abuse-c haven’t removed the old abuse mailboxes. He said things are now in a confusing transition period because of this. He said that there is no easy answer, and that mass emails asking people to clean up their old references might not be the best solution. He asked those in attendance to please clean up their old references.

Brian agreed that more emails might not be the answer but added that, at some time in the future, the strategy should be revisited and discussed on the mailing list. Denis explained that an automatic cleanup of the RIPE Database is not possible because of the complexity involved. Brian thanked Denis for his presentation.

Update: RIPE Policy Proposal 2013-01
Sander Steffann, SJM Steffann

Sander Steffann said that there have been no comments on the mailing list about the latest version of RIPE Policy Proposal 2013-01, “Openness about Policy Violation”.
He stated that he will ask for a final call for comments and that if he doesn’t see any within a few weeks, he will assume that there’s no support and will withdraw the proposal. Brian encouraged participants to provide feedback.

C. Updates

C1. Recent List Discussion

Brian Nisbet talked about ongoing mailing list discussions. He noted that there were hardly any messages about specific issues that needed solving. He said that there were often messages to the list from people with problems, who aired them hoping for someone to propose a policy or do some other work on it, but that's not how things work.

Wilfried Wöber, UniVie/ACOnet, said that it was actually a good thing that messages to the list did not automatically turn into actions for someone else. Brian agreed, noting that there were procedures in place to start work. He stressed that the chairs do read all the messages, and hear people's concerns.

C2. Anti-Abuse Working Group Charter

Brian Nisbet said that the new text for the Anti-Abuse Working Group Charter had not yet been written, but that no major changes were planned. It will be prepared well before RIPE 68 in Warsaw and circulated on the mailing list.

D. Interactions

D1. Working Groups

Brian Nisbet said that nothing had been written yet regarding interacting with other working groups. He said that he and Tobias Knecht have some ideas about certain policies, which may be better suited to the Database Working Group.

D2. RIPE NCC Government/LEA Interactions Update

Brian noted that the RIPE NCC was continuing to interact with law enforcement agencies (LEAs), and that there was nothing new lately. He noted that it was good to see LEAs attend meetings.

E. Presentation

E1. ACDC (Advanced Cyber Defence Center) Project
Thorsten Kraft, eco e.V.

This presentation is available at:
https://ripe67.ripe.net/presentations/347-ACDC_Presentation_RIPE_67.pdf

Alexander Lyamin (HLL) asked whether the main source of data was end user reports.
Thorsten said it wasn't just end user reports but also notifications from ISPs and server operators. Alexander was happy to see that this project was not only focused on end user PCs. He asked what ACDC would do about things like set-top boxes and DSL modems whose firmware is not easy to update, and which are often used in DDoS attacks. Thorsten said that they would talk to the CERT closest to the vendor to pass on the information. He said currently there were no vendors (except Cisco) participating in ACDC.

Alexander asked about ACDC's strategy in the face of new-generation botnets without command and control servers, and Thorsten said that, since it was funded by the EU, they will not be shooting any updates on the boxes because it's not permitted by law.

Brian Nisbet asked what the end goal of this project is and what happens after the initial funding period. Thorsten said the project is here to stay and that they want to develop more tools and let others run this kind of project independently. He also said he wants to develop a proposal for the European Commission about running this project themselves after the funding period, and find business models to keep the project running. He said the project is open and welcomes ideas from everyone.

Patrick Tarpey, Ofcom, asked whether this data can be shared with other people, and Thorsten confirmed that the data can be shared. Brian asked about the definition of legitimate parties, and Thorsten said that most data would be open unless a contributor requests that it be restricted. Brian asked how open this project was going to be, and Thorsten said it would be totally open, so others can also use it.

An audience speaker noted that there were more initiatives like this, such as Spamhaus, and asked how ACDC is better than them. Thorsten said they do not want to be better, but just want something that is open and community driven.
Brian asked about the target users of this project and whether they would be end users, companies or law enforcement. Thorsten said that it is for everyone. Thorsten said this is a very important project, and needs data. He appealed to participants for help.

E2. x-arf (Extended Abuse Reporting Format)
Tobias Knecht, abusix GmbH

The presentation is available at:
https://ripe67.ripe.net/presentations/342-abusix_RIPE.pdf

Brian Nisbet asked how stable the x-arf specification was. Tobias said that it is quite standard now, and being used by large companies. He added that he was talking to people within the IETF to make it a standard within the next two to three years. Brian asked Tobias to come back and talk more about it when changes have been made to it.

Brian asked the room if many people were using this, and Bengt Gördén, Resilans AB, said they were “sort of” using it. Bengt added that he was looking for ways to standardise abuse reporting, and was looking at x-arf, but is not quite there yet.

Brian asked one of the participants, Richard Leaning, Europol, about the automation of these kinds of tools and information, and if anything fits in with what Europol is doing. Richard responded that they were using tools at Europol, but not x-arf. He stated that he didn’t know much about it and would therefore talk to Brian about it.

X. AOB

Bengt Gördén, Resilans, talked about issues with American ISPs blacklisting PI address space, and failing to delist it or delisting it very slowly. He asked how the working group or the RIPE NCC can help.

Tobias Knecht replied that it's a known problem, especially with ISPs such as AOL. He said that addresses that were clean end up on blacklists because of botnet command and control servers, for example, and hosting and VPS providers have the same problem. He explained that their addresses change hands frequently and can easily become blacklisted.
Tobias said the issue of detecting whether address space is clean is an important one, but not easy to solve. He said it was not enough to just have a flag in the RIPE Database to indicate that IP address space had changed hands.

Bengt said that the IP addresses were not bad, but had a poorer reputation because someone had blocked them. Thomas cited examples of hosting providers who had to change customers' IP addresses because their old addresses were unusable. Thomas asked how IP address reputation could be measured.

Brian Nisbet said that, in this context, the accuracy of the registry is very important. He mentioned RIPEstat as producing good information about when address space changes hands. He said that if users wanted the RIPE NCC to help more with this, they could talk to the RIPE NCC about it.

Z. Agenda for RIPE 68

Brian Nisbet urged participants to think about agenda items for RIPE 68, to be held in May, in Warsaw. He thanked the RIPE NCC staff, stenographers and participants before closing the session.