Cooperation Working Group Minutes RIPE 79

Wednesday, 16 October, 14:00-15:30
WG co-Chairs: Johan (Julf) Helsingius and Achilleas Kemos
Scribe: Gergana Petrova
Status: Draft

1. Introduction

Julf / Achilleas

The two chairs welcomed attendees to the session, approved the minutes from RIPE 78 and invited the first presenter to the stage.

2. The Compelling Case for National Vulnerability Management Programs

Michiel Steltman, Stichting Digitale Infrastructuur Nederland     
Presentation available at: https://ripe79.ripe.net/archives/video/224

Max Tulyev (Net Assist) asked if using proactive methods for network scanning, like crawlers or scanners, to detect vulnerable hosts, is legal in the Netherlands. 

Michiel answered that it is public information, so anybody can collect it. It is allowed under the GDPR, since it is in the common interest and in the interest of your customers. He explained that you can forward the information because it doesn’t link the IP address to user. Next, since everyone can collect the information, when you forward it, it doesn’t make you an information processor, but it makes everyone in the chain responsible. DINL are still in discussions with the DPA.

Max summarised that scanning Dutch networks for vulnerable hosts is fully legal. Michiel agreed.

Tatiana Tropina (Leiden University) explained that, under the law, vulnerability disclosures and detection of abuse are about prevention, while child abuse material and illegal content are not. The two require a different set of policies and tools. In the latter case, in addition to removing said content, the perpetrators need to be brought to justice. She asked Michiel if there are different set of policies for technical prevention and disclosure on the one hand and mitigation and taking down content on the other.

Michiel responded that his presentation did not go too deeply into the legal differentiation between the different approaches. He answered that at the moment they try to stay away from dealing with the perpetrators and focus on content and technical abuse. They are working with legal advisers to see how best to progress with their work.

Alexander Isavnin (Internet Protection Society) asked if there is anything that RIPE NCC should be doing based on this presentation or if contacting other Dutch ISPs would be enough. Next, he explained that network operators are interested to move IP packets as fast as possible without other considerations. He shared that while working for an operator and filling out abuse reports, he was not allowed to easily contact his customers. Lastly, he mentioned the recent rise of “fake vulnerabilities”: designed to look like a vulnerability or illegal content, and when the operator takes it down, they get summoned in court or blamed publicly. He wondered, considering all this, why an operator would be interested to get involved.

Michiel responded that simply because operators focus on infrastructure shouldn’t mean they shouldn’t get involved. He expects that governments and law enforcement won’t appreciate such a mindset for long. He explained that while risk mitigation might not be in the mandate of operators, as they can still forward information upwards in the chain.

Liam Glover (NCA) commented that they’ve been doing successfully similar activities for the past few years in the UK and the operators are appreciative of this effort.

Peter Koch (DENIC eG) differentiated between an LIR, which is just a registry that deals with identifiers, and a provider.

Michiel took on board Peter’s remark, acknowledging that hosting companies are LIRs, but not all LIRs have infrastructure. They don't expect an internet exchange to act in this respect but do expect from somebody who runs infrastructure to be more proactive. The different functions and properties of companies can overlap.

Carlos Friacas (FCT|FCCN) mentioned that they (the Portuguese NREN) have already been distributing the feeds from free sources to their universities and members for years.

Michiel mentioned that some of these sources may not be available for companies. Different restrictions may apply to getting the feeds.

Tiberiu Gindu (ANISP) believes ISPs can help authorities to find the perpetrators and bring them to justice. He believes attackers should be punished, as it this will deter new attempts.

Michiel cautioned that dealing with perpetrators can be very tricky and could potentially kill the entire initiative, so he advised approaching the issue carefully.

3. Update on Internet Governance Issues

Chris Buckridge, RIPE NCC
Presentation available at: https://ripe79.ripe.net/archives/video/228

There were no questions.

4. Panel Discussion on Safety and Security

Co-hosted by Europol
Presentation available at: https://ripe79.ripe.net/archives/video/230

Panel:

  • (remotely) Cathrin Bauer Bulst, Deputy Head of Unit for the fight against cybercrime in EC DG Migration and Home Affairs
  • Tatiana Tropina, Assistant Professor in Cybersecurity governance, ISGA, Leiden University
  • Spencer Payton, Senior Internet Resource Analyst, RIPE NCC
  • Peter Koch, Senior Policy Advisor, DENIC eG
  • Chris Lewis-Evans, Manager of Internet and Infrastructure Investigations, National Crime Agency – UK

The panellists introduced themselves. The chair showed a slide outlining the issues in the field of safety and security that the panel discussed in preparation for this session. 

Chris Lewis-Evans spoke how e-crime has grown to be a profitable business. This necessitates the careful management of enabling services such as the IP space, ASNs and other technical infrastructure. Most often law enforcement sees: 1) the misuse of unallocated or reserved space 2) the use of fake or stolen credentials to gain services, resell or lease IPs and 3) forgetting to update the database. LIRs based in tax havens, not revealing their details, are extremely difficult for law enforcement to deal with. They also see the use of shell companies to bypass some of the protected measures that companies can put in place around geolocation details. Law enforcement is looking for ways to better cooperate with the RIPE Community, to help it better protect itself from bad actors.

Cathrin Bauer Bulst outlined several important challenges. Firstly, the lack of accuracy of certain entries in the RIPE Database. She explained that demanding accurate data makes a difference for the incentive structure of criminals using that IP space. For law enforcement, IP data is the basic information needed to serve legal process.

Secondly, the definition of the purpose of the RIPE Database is unclear. Some aspects in the RIPE policies speak to the various purposes of the database, but do not provide an exhaustive list. It is important for the RIPE Community to define and know exactly what the purpose of the Database is. In addition, when it comes to personal data, of which there is not too much in the Database, it is important to have the purpose clear from a data protection regulation perspective.

Thirdly, RIPE policies, particularly when it comes to delegating IP space further down the chain, are not always followed. While RIPE NCC members might be good at compliance, when the obligations are delegated down the chain, they are not fulfilled as diligently.

Fourth, she explained that not all actors who benefit from RIPE resources keep a clean space and follow due diligence when applying and implementing policy.

Fifth, she mentioned that there are limited tools for actual enforcement of the RIPE policies, including enforcement of the accuracy of the Database. In her view, this creates a challenge for properly implementing the policies. She believes this needs to be looked into.

She explained that the European Commission is looking to engage in this field and has followed Europol’s efforts for the past two years. They are fully committed to the multi-stakeholder model and want to find solutions together with the RIPE Community to these problems which have been around for quite some time.

Spencer Payton explained that the question of the accuracy of the RIPE database can be approached on many different levels. As a membership organisation, RIPE NCC has a mandate to cover certain amount of ground. They have process and procedures in place to verify what information is put in the Database. Members coming from outside our service region go through additional checks.

He went on the explain that once the RIPE NCC has issued resources, members are under certain obligations, as part of their membership, to manage those resources effectively. The RIPE NCC is relying on them to follow the rules and register correctly who is using the resources and how. There are audits in place to ensure this is taking place, as well as an extensive reporting procedure. Last year, the RIPE NCC received 350 reports about possibly incorrect information in the Database.

Spencer Payton questioned whether the mechanisms can ever be perfect. At the moment the system relies on a level of cooperation and the challenge is making sure everyone is involved.

Tatiana Tropina commented that trust creates vulnerability and can be abused by criminals. According to her, the first step might be realising that trust does not solve the problem. She recalled her first RIPE Meeting in London in 2014: there was a lot of resistance in the Community to regulation. She predicts that if the RIPE Community does not fix the Database accuracy problem, regulations from either national governments or the European Commission will start coming in. To avoid this, she recommends to the RIPE Community to implement additional checks concerning the accuracy of the Database. She expects that regulatory attempts from outside might not take into account everything that the RIPE Community would want to consider, while a policy coming from the RIPE Community would be technically sound.

Peter Koch explained that the RIPE Database is part of a threefold identifier system of names, numbers and protocol identifiers. The registries were built in a way that, in case of a dispute over resources, the information should be sufficient and precise enough to decide who “owns” that resource. At the same time, people move, entities change names, addresses, legal forms and so on. When people talk about accuracy, sometimes they mean different things. For a registry, the expectation for accuracy should be that in case of a dispute, the registry should be able to correctly determine who is the actual holder of the resource. The procedures and processes of the Database were designed to tolerate slight mistakes, but not the systematic introduction of false information.

Peter Koch added that there are ways to inject and receive packets on the Internet without being the registered holder for that address space. What matters to law enforcement is who is having the operational control of the resource identified by the identifier and not who is registered as the holder in the database.

Cathrin Bauer Bulst cautioned that members with incorrect information on the operator level are likely to have incorrect information downstream as well. She reiterated that from law enforcement’s perspective, the RIPE Database should provide an address they can use to serve legal process. As such it is an important and vital first step towards identifying the actual user of the resource.

Tatiana Tropina remarked that the technical community and law enforcement appear to have divergent views of what the RIPE Database should do and what purpose it should serve. She argued that any step we take towards improving the accuracy of the Database, such as new checks or know-your-customer techniques, would discourage potential criminals to some extent. She remarked law enforcement does not expect a 100% accurate database, but they do want to meet in the middle by taking steps towards improvement.

Peter Koch added that it is important to distinguish between use cases and purposes. The use cases that law enforcement have in mind today (of using the Database as a first step towards identifying who is using the resource) is not what people had in mind when designing the Database, which was to keep a register for identification system. He suggested that other tools, such as the routing system or peering agreements, could be better suited for this, rather than the decentralised RIPE Database.

Cathrin Bauer Bulst responded that Peter’s point only reiterates the need to clarify the purpose of the RIPE Database. She believes the use cases mentioned above should be included. Since RIPE NCC is administering a public resource, it needs to be administered in the public interest, which includes a certain level of crime prosecution.

Daniel Karrenberg (RIPE NCC) mentioned he is not aware of any real, good study of the accuracy of the RIPE Database or its fitness for purpose, but only anecdotal evidence. He is afraid that by repeating that the RIPE Database is inaccurate many times in different fora, it will become an established fact, without any evidence supporting this.

Secondly, he explained that the RIPE NCC and its membership have already put a lot of effort in knowing their customers. In the RIPE NCC’s service region, there are many different national jurisdictions and thousands of local jurisdictions about how a company should be registered. Despite this, today the RIPE NCC and its members know the people with registered resources much better than 5-10 years ago.

Thirdly, he reminded that RIPE NCC is already taking steps to clarify the purpose of the RIPE Database by setting up a Task Force that will look into this. He also expressed his personal opinion that the primary purpose of the RIPE Database is for the membership of the RIPE NCC. It is a good idea to recognise society’s needs at large, but they should remain secondary.

Tatiana Tropina responded that talking about the accuracy of the RIPE Database is a completely different discussion that talking about who can have access to the RIPE Database and how law enforcement can use it.

Peter Koch clarified that what he meant in his initial comment with differentiating between purpose and use is that just because law enforcement has begun using the RIPE Database in the last few years and it doesn’t fulfil their needs 100%, it doesn’t mean the RIPE Database is not fulfilling its initial purpose. He reiterated Daniel’s point, that there is a Task Force currently looking into repurposing of the Database.

Spencer Payton added that RIPE NCC makes themselves available in cases a party notices that something is wrong, or in cases someone needs publicly available information. He suggested that, in addition to regretting the lack of accuracy in some cases, we should also celebrate the beneficial information that the RIPE Database is currently providing.

Chris Lewis-Evans agreed that the purpose of the RIPE Database should be clarified or re-defined to better reflect the public interest, as it seems to have changed considerably from when it was first created. Next, the issue of Database accuracy can be discussed. He agreed with Tatiana that 100% accuracy can never be achieved, but that we should strive to raise the bar to make it more difficult for at least the lower-level actors to get in.

Hans Petter Holen (RIPE Chair/ Visma) supported calls for successfully cooperating with police by having open and understandable information available publicly in the RIPE Database. Secondly, he mentioned that the RIPE NCC is responsible for keeping the Registry accurate so that we have unique IP addresses in a similar way that regulators register batches of phone numbers to phone companies but don’t actually have a database linking the individual phone numbers with customers. The RIPE Database is analogous to taking the customer list of all the phone companies and putting it in one database - similar to the yellow pages. He suggested that maybe the RIPE Community does not need a RIPE Database anymore and the police will have to go to the respective telco to get the customer data, which they will keep according to the national laws and regulations. The difficulty will arise in case of international investigations, which will require the use of MLATs [Mutual Legal Assistance Treaties].

Alexander Isavnin said that police should not just rely on the RIPE Database to get their information, but should approach the telcos themselves. They should not expect the RIPE Community to do policework. He cautioned that police in Russia have access to a lot of information and databases, which he doesn’t like. He suggested that unless the RIPE Community updates their policies now and on their own, regulations will be imposed nationally, which might not be thought out technically. With the OSI standards, the European Commission has already impeded creation.

Tatiana responded that it is not good to say “If you don’t like what is in the RIPE Database, don’t use it!”. She encouraged the RIPE Community to meet law enforcement in the middle otherwise there will be regulation. She advised that bad peace is better than good war.

Chris Lewis-Evans pointed out that even though sometimes law enforcement comes to the technical community for information, sometimes they come because someone in the technical community is the victim and they need to treat them as such and give them support.

Nurani Nimpuno (Asteroid International) suggested we need to update the purpose of the RIPE Database so that it fits today’s legislative environment. Even though she is not sure what the specific solution is, she encourages the RIPE Community to be practical about it.

Friso Feenstra (Rabobank) talked of the benefits of not all addresses being visible in the RIPE Database. If, for example, the addresses are used by a company to get connectivity to third parties: by the connection not being publicly visible the company can get security by obscurity. So far this has been very effective - they have not experienced any DDoS attacks on their non-published IP space.

Spencer Payton responded that at all times there should be a valid and accurate contact so that, if there is a problem, the person responsible for that space can be reached. An audience member not on the microphone suggested that is the ISP. Spencer agreed.

Malcolm Hutty (LINX) talked of the policy development process and law enforcement’s concerns that when a policy is put forward a limited number of members dominated the process and the motion of consensus. He encouraged them to look at the document RIPE 723. While it still leaves the chairs with considerable room for judgement when determining if consensus has been reached, it also includes an extensive set of principles and discussion as well as how the guidelines should be applied by the chairs.

Hans Petter Holen summarised that the recently created Task Force (which has participants from Europol, Peter Koch and others), is already looking at redefining the purpose of the Database and well as looking into the RIPE policy development process and its fitness for purpose. He is looking forward to seeing their outcome and what they will present during the RIPE Community Plenary the next day. He encouraged the audience to use the RIPE Community Plenary to discuss some of these fundamental issues.

RIPE Forum

The RIPE Forum is an additional way to participate in RIPE community mailing list discussions using a web-based interface rather than an email client.

Check out the forum