Anti-Abuse Working Group Minutes RIPE 81

Thursday, 29 October 2020 10:00 - 10:45
Chairs: Alireza Vaziri, Brian Nisbet, Tobias Knecht
Scribe: Anje Roosjen
Status: Final

The recording of the session can be viewed at:
https://ripe81.ripe.net/archives/video/463/

A. Administrative Matters

Working Group co-Chair Brian Nisbet welcomed attendees to the session. The minutes from RIPE 80 were approved.

B. Update

Brian addressed the issue of content on the mailing list and said that it was unfortunate to have to put somebody into long-term moderation. He reminded the working group that the Chairs like to take the best intent in conversations and that it’s worth taking a moment to consider things before hitting send. He also said that it was unfortunate that there is still not much agreement on the definition of ‘abuse’.

He also thanked Petrit Hasani for his work as the Policy Development Officer (PDO) of the RIPE NCC and welcomed Angela dall’Ara as the new PDO.

C. Policies

C.1. Status of Policy Proposal 2019-04 - Validation of "abuse-mailbox"

Brian said the WG did not see any further need to work on policy proposal 2019-04. There was no consensus reached. The policy proposal 2019-04 is withdrawn.

Michele Neylon (Blacknight) commented that this was the correct decision; there was no consensus. He reflected on the process: instead of the proposal being withdrawn at an earlier stage and something new being proposed, there was an endless circle of discussions about the process itself. He thought the WG should have moved on earlier.

Brian commented that PDP allows appeals and it was the first time an appeal was used. For the next time the WG will try to be clearer on what is expected from each phase of the process. Brian also mentioned that this is not about voting, the WG discusses things and attempts to reach rough consensus.

C.2. Open discussion on abuse validation and next steps

Brian stated that some people are still unhappy with abuse-c validation. He invited comments.

Michele commented that the introduction of abuse contacts is great. The thing is that people did not want to validate the abuse-c contact. In fact, responding to abuse reports is the issue. Maybe the WG needs to be looking at that. He suggested looking at what ISPs require in a good abuse report and drafting basic principles based on that. He pointed out that a lot of abuse reports he sees are useless and inactionable because there isn’t enough information or they are not specific enough.

Brian asked if the WG were to publish such a document aimed at people making abuse reports, would people read that document and take it into account before contacting ISPs to make an abuse report?

Michele responded that, based on his experience dealing with law enforcement and others, law enforcement agencies do collate such guidelines. The people who use the correct portals and correct information do read documents and act on them. He added that if operators are not careful they will end up being regulated heavily, unless they can be seen to actually help people within the greater eco-system.

Erik Bais (A2B Internet) added to Michele’s comments, saying that it is more likely a problem of lack of automation of abuse handling. He suggested conducting more training and presentations on how to automate your IPAM system and link it to your abuse system. This way handling of abuse can be automated, and emails are forwarded to the correct person. He said that there are open source tools available as well and that he would love to see more effort put into training and providing good tutorials.

Brian asked if that would mean technical documentation that someone has to write, or just some general principles and a list of people or businesses that can provide services.

Erik commented that trainings could be offered through workshops, webinars and/or online tutorials, in a manner similar to what was done for RPKI validation, which really helped. People really have no idea how to get started now. The RIPE NCC training department would probably be able to help with it. He also pointed to the Dutch anti-abuse coalition consisting of industry, public and private sectors, ISPs, government and those working on responsible disclosures working together to further information sharing (abuse.nl).

Brian made note of an action on the co-Chairs to talk to the RIPE NCC training department about this. He added that it was likely that the RIPE NCC would require experts to help with this, to gather data.

Jordi Palet Martinez reacted to Brian’s comment that there was no accepted definition of abuse. He elaborated that he didn’t find the need to have a common definition because it varied as per jurisdiction and personal perceptions. He said that a definition of abuse could be as simple as anything he did not wish to see in his network because it creates problems for his customers or for himself. The real problem is not being able to contact a network; it should be possible to first talk before filtering them out. There is a standard way to report abuse defined in the IETF standard X-ARF, RFC 5965 and 6650. What is missing is the obligation forcing abuse reports to use that standard. First, we need a real, validated abuse contact, second, we need a standard format of reporting abuse and third, we need training.

Tobias Knecht pointed out that although X-ARF, the extended abuse reporting format, is not IETF-approved and is not at this point an IETF standard, it is widely used and accepted. Work is ongoing towards making it a standard. It’s an open project that anyone can participate in. He added that he agreed that there is a lack of training and not much information that is helpful on how to start. The abuse desks and security teams in ISPs usually are unaware of abuse-c. He offered to help in this regard.

Hans Petter Holen (RIPE NCC) commented that the RIPE NCC training department can, of course, help out but encouraged the WG to work on the content, the best common practices, then the RIPE NCC can help facilitate. From his own work experience, he confirmed that abuse handling is considered a security incident; there is a need for documentation to be able to convince managers.

Brian responded that the WG will first find out what is needed before asking the RIPE NCC training department, and that the WG will be involved in the course content.

Interactions

X. A.O.B.

There were no AOBs.

Z. Agenda for RIPE 82

There were no comments.

End of the session.
