Anti-Abuse Working Group Minutes RIPE 77

17 October 2018, 11:00-12:30
WG co-Chairs: Brian Nisbet, Tobias Knecht
Scribe: Ulka Athale
Status: Final

A. Administrative Matters

Brian Nisbet welcomed the group and addressed administrative matters. The minutes from the previous working group session at RIPE 76 were approved.

B. Update

B1. Working Group Chair Selection

Tobias Knecht was re-elected as WG co-Chair. Alireza Waziri was also elected as the third co-Chair of the WG.The video archive is available at:

https://ripe77.ripe.net/archives/video/2277/ 

B2. Recent List Discussion

The video archive is online at:
https://ripe77.ripe.net/archives/video/2280/

C. Policies

Brian summarised the discussions on the mailing list.

C1. RIPE NCC Update on 2017-02 - Angela dall'Ara

The video archive is available at:
https://ripe77.ripe.net/archives/video/2281/

Maksym Tulyev, NetAssist, asked about a problem he has with resources that he used to hold, that have now been transferred. The new holders have not updated the abuse-c, and he wanted to know what to do since the abuse-c validation email would go to him, although he is no longer responsible for those resources.

Andrea Cima, RIPE NCC, replied saying that in this particular case, a ticket should be opened with the RIPE NCC so that they can follow up with the new resource holder.

Liam Glover, National Cybercrime Unit, NCA, UK, said that he thought this was a very good initiative because they struggle to contact victims when they become aware of stolen private data and infection data.

Piotr Strzyżewski, RIPE NCC Executive Board, asked whether the automated system will close the ticket as soon as the link is clicked.

Angela confirmed that it would.

Piotr then asked if they had accounted for user agents that could click the link without a person checking it. He suggested adding a challenge like writing a word or clicking a button on a web page.

Brian recommended that the technical discussion be moved to a direct discussion with the RIPE NCC.

E. Presentations

E1. LIRs from Outside the RIPE NCC Service Region - Carlos Friacas

The video archive is available at:
https://ripe77.ripe.net/archives/video/2282/

Alexander Isavnin, Internet Protection Society, commented that he didn’t think it was the group’s job to make law-enforcement easier, nor did he think it was the RIPE NCC’s responsibility to check the validity of registrations.

Carlos clarified that he is not from a law enforcement agency.

Alexander reiterated that he is opposed to RIPE NCC checking legality of documents, and that the RIPE community’s main job is IP networking and not law enforcement.

Carlos replied that as a community member he felt that law enforcement can also be a part of the RIPE community.

Brian added that while opposing policy is one thing, opposing discussion is quite another.

Erik Bais, A2B Facilities, said that as a broker he finds it concerning that certain companies in the Seychelles are not going to AFRINIC, in whose region the Seychelles falls. Company registration in the Seychelles is often specifically used to avoid showing who the director is, and for him as a broker, that is an issue as he needs to check who actually holds the resources.

Andrea Cima added that he felt the discussion was fair and there could be multiple perspectives on this issue. One issue the RIPE NCC faces is the absence of proper due diligence for certain countries as documents cannot be verified. The week before the meeting, about 150 LIRs from out of the service region were closed because their documentation could not be verified, which creates a lot of internal difficulties. On the other hand, there are valid reasons to allow companies from outside the region to get resources from RIPE NCC such as an American company that might be contracted to do work in Iraq for example. RIPE NCC usually asks for proof that the resources are being used in the service region and that there is a network element, however this requires a lot of due diligence as well.

Carlos asked the RIPE NCC if the country code on the RegID was even relevant.

Alexander pointed out that sometimes on RIPEstat or RIPE Atlas the interface showed resources he used in Uzbekistan as Ukrainian and he has more examples. He also stated that some LIRs are registered in the database with a different name from the company or legal entity.

Oleg Muravskiy, RIPE NCC, replied that the country code in the RegID is just meant as an identifier, and it resembles a country code but is not a legal country code, and was never intended to be used as geolocation or to prove the location of any member.

Carlos pointed out that it is not possible to change a RegID and wondered if that was still the case.

Oleg replied that the RegID is really just an internal identifier and should not be considered beyond that.

Ingrid Wijte, RIPE NCC, added that she would be presenting on country codes in the RIPE Database WG and extended delegate stats in the Address Policy WG and invited those interested to join that discussion.

C2. abuse-c Validation Proposal: Status in Other RIRs and the Way Forward - Jordi-Palet Martinez

The video archive is available at:
https://ripe77.ripe.net/archives/video/2284/

Erik Bais asked if Jordi knew how many ISPs actually process their abuse automatically.

Jordi replied that he didn’t know.

Erik then asked why the process shouldn’t be fully automated. Manual validation could be done during ARCs. Sending an email randomly to an abuse mailbox could be counter-productive as they do fully automated abuse handling.

Jordi replied saying that the point is that sometimes he needs to fill a different form for every different abuse report instead of a standard one.

Brian said that that conversation could also take place at the IETF.Peter Koch, DENIC, suggested waiting to see how the abuse-c validation pilot works first. He also asked what place standardised submissions, collecting and triaging information have in a RIPE policy proposal.

Brian clarified that this was not a part of the RIPE discussion.

Peter then added that if the penalty included limiting access to the LIR Portal, then that affects NCC services and the proposal should move there.

Brian then suggested that once they look at the draft proposal, they would decide whether this was the appropriate working group for it to be discussed in. He then pointed out that the voices heard until then were not in favour of the proposed idea and asked if anyone did want to speak out in favour of it.

Jordi concluded by asking people to read the link, as he only had a short time to present to the group.

E2. Criminal Abuse in RIPE IP Space - Dhia Mahjoub

The video archive is available at:
https://ripe77.ripe.net/archives/video/2286/

Maksym Tulyev pointed out that in one slide, abusers and good players were placed side-by-side, and Dhia acknowledged the feedback.

Bengt Gorden, Resilans, asked from what perspective or jurisdiction was an activity considered unlawful – Russian, EU, or US.Dhia replied saying that these were mostly companies registered in offshore jurisdictions using space from the RIPE NCC or ARIN with operators in certain countries. There were arrests in some cases.Dhia was asked to confirm if these actors were taken down.

He confirmed that they were, adding that the recent cases involved eastern European actors using RIPE NCC or ARIN address space with businesses registered in offshore companies.Juri Bogdanov, IP4MARKET asked what the situation was in the United States, since it was easy to identify the company and IP space holder in the RIPE NCC service region thanks to its clean Whois. He clarified that he meant to ask what was going on with regions other than RIPE NCC. Brian said that in the interest of time that question should be answered outside the session.

Carlos asked what they should do about a Portuguese company, with which he has a peering relationship, that was mentioned in the presentation.Dhia replied that he couldn’t advise Carlos, but if the company is legitimate they should enquire into why a lot of toxic content is visible from them and that he would be happy to talk to Carlos further.

Alexander Isavnin asked if possible hijacks, rogue announcements and fake paths had been validated.

Dhia replied that he hadn’t imagined BGP hijacking problems.

X. A.O.B

There was no other business.

Z. Agenda for RIPE 78

Brian reminded the group that RIPE 78 would take place in Reykjavik in 2019 and that submissions could be sent to the working group. There was no other business.

The video archive is available at:
https://ripe77.ripe.net/archives/video/2288/

 

RIPE Forum

The RIPE Forum is an additional way to participate in RIPE community mailing list discussions using a web-based interface rather than an email client.

Check out the forum