nanog mailing list archives
Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation
From: JORDI PALET MARTINEZ via NANOG <nanog () nanog org>
Date: Fri, 26 Apr 2019 21:11:30 +0200
El 26/4/19 20:25, "NANOG en nombre de Matt Harris" <nanog-bounces () nanog org en nombre de matt () netfire net> escribió: On Fri, Apr 26, 2019 at 12:49 PM William Herrin <bill () herrin us> wrote: I personally support the petition. I think the out of scope reasoning is flawed. By enforcing minimum assignment sizes, ARIN has long acted as a gatekeeper to the routing system, controlling who can and can not participate. For better or worse, that puts the proposal in scope. I personally think it's for worse. I oppose the proposal itself. I'd just as soon ARIN not act as a gatekeeper to BGP and certain don't want to see it expand that role. A couple of things spring to mind here now that I've given this a few more minutes' thought. I agree with your reasoning as to why it makes sense for this to be considered in scope for ARIN. As far as expanding roles goes... Over the past few decades, we've all watched as the internet became less and less "wild wild west" and more and more controlled (sometimes centrally, sometimes in a more or less decentralized way) by various organizations and entities. In various and sundry ways, bad actors could get away with plenty of things in 1990 that they cannot so easily today. It may be the case that this problem will be "solved" in some way by someone, but that "someone" may end up being a less engaged community or a less democratic organization than ARIN is. Ultimately, ARIN does a better job than some other internet governance bodies of promoting stakeholder and community interaction and some degree of democracy. We have to consider the question: if some organization is going to expand into this role, is it better that ARIN be the organization to do so instead of one which may be ultimately less democratic and more problematic? Exactly, one of our thoughts (as co-authors) is: if we do nothing, some other governmental bodies will take care of it, even courts, taking irrational judgments. One major problem with the proposal, having given it a couple of minutes thought, that I can see as of now would be enforcement being dependent on knowing whom the perpetrator is. If I decide to announce to some other networks some IP space owned by Carlos, but I prepend Bill's ASN to my announcement, how does Carlos know that I'm the bad actor and not Bill? Having good communication between network operators to determine where the issue actually lies is critical. Unfortunately, that doesn't always happen. When we talk about leveraging ARIN's authority or potentially applying penalties of any sort to bad behavior, we have to be able to be certain whom the bad actor is so that the penalties are not inappropriately applied to an uninvolved or innocent third party. The proposal is “guarantor”, or at least that’s our intent. Is not ARIN taking the decision, is the community by means of experts. We have improved it in the v2 that will be posted in a matter of days in RIPE, but we can’t improve it in ARIN because simply discussing it is not allowed by the AC decision. One thing to clarify, is that the policy is basically saying something that is written in all the RIRs documents: “if you get resources from us, you have the exclusive right to use them or your authorized customers”. Now if another ARIN member is misusing your resources (not by an operational mistake, but repeatedly), ARIN is not going to do anything about it? In any membership association, members are bound to the rules (policies in the case of RIRs), and members can’t act against the rights of OTHER members. If you don’t follow the rules, you can get a warning, or even lose your membership. If you go to courts because you lost your membership, courts will confirm “you have not followed the rules, so the association has the right to get you out”. Is not a problem or ARIN becoming the “routing police”. This has been completely misunderstood by the AC. Is about ARIN making sure that the rights of the members are respected by other members. And again, it must be clear that it is intentional, not a mistake, not fat fingers. Without clear rules, other members can do whatever they want with resources allocated to another member. Additionally, a question of scope does arise with regard to which resources ARIN would be able to enforce any such policy with regard to. Indeed, the proposal as written currently calls for a "pool of worldwide experts" despite being a proposal submitted to an RIR which is explicitly not worldwide in scope. For example, if a network with an ASN assigned by ARIN is "hijacking" address space that is allocated by APNIC (or any other RIR) to an entity outside of ARIN's region, would this be an issue for ARIN to consider? What if ARIN-registered address space is being "hijacked" by an entity with a RIPE ASN and which is not located within ARIN territory? I suspect that for this proposal to have any meaningful enforcement mechanisms, it would require inter-RIR cooperation on enforcement, and that's a very large can of worms. Not one that is impossible to overcome, but likely one which will require several years of scrutiny, discussion, and negotiation prior to any real world implementation. This has been clarified in v2 that I mention before, to be publish in RIPE. The idea is that the claim is done in the region where the hijacker is a member (assuming that we get the policy going thru all the regions). Note that we are submitting the same policy proposal adapted to each of the 5 RIRs. Ultimately, I don't think I can support a proposal this vague, either. For something like this I think we need a lot more objective language and a lot more specifics and details. We must make policies easy to comply with, and at all costs avoid vagueness which may allow for anything less than completely fair and objective enforcement - regardless of how simple the concept may seem to us on the outset. Right, we have a more complete v2 with many procedural details, which we can’t even discuss in ARIN, and obviously the idea of the PDP is to allow the policy proposals to be discussed until we reach a text that we can agree. So please, if you want to get this discussion going on in the right place subscribe to ARIN PPML (https://lists.arin.net/mailman/listinfo/arin-ppml) and respond to the attached email, just to support the discussion (no need to agree at all now with the text). Thanks! Jordi Take care, Matt ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
--- Begin Message --- From: JORDI PALET MARTINEZ via ARIN-PPML <arin-ppml () arin net>
Date: Fri, 26 Apr 2019 17:22:17 +0200
Hi all, The AC should have already accepted “ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation” as a Draft Policy. The authors petition to move the proposal text forward for discussion on the list and at the next Public Policy Meeting. Please support moving this proposal forward now by posting statements in support of the petition to this list. Proposal text: https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/ Regards, Carlos (FCT | FCCN) & Jordi (The IPv6 Company) (proposal co-authors) El 25/4/19 20:19, "ARIN-PPML en nombre de ARIN" <arin-ppml-bounces () arin net en nombre de info () arin net> escribió: > In accordance with the Policy Development Process (PDP), the Advisory Council met on 10 April 2019. > > The AC has rejected the following Proposal due to scope: > > * ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation > > Per ARIN's PDP: > > "Policy Proposals that are determined by the AC to be out of scope (e.g. for not addressing a clearly defined existing or expected problem, or that propose solutions involving other than number resource policy in the region) are rejected." > > Anyone dissatisfied with this decision may initiate a petition. The deadline to begin a petition will be five business days after the AC's draft meeting minutes are published. The draft minutes of the 10 April AC minutes have been published at: https://www.arin.net/about/welcome/ac/meetings/2019_0410/ The petition deadline for the rejection of ARIN-prop-266 is 30 April 2019, five days from today. For more information on petitions, see: https://www.arin.net/participate/policy/pdp/#part-three-pdp-petition-process Regards, Sean Hopkins Policy Analyst American Registry for Internet Numbers (ARIN) _______________________________________________ ARIN-PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (ARIN-PPML () arin net). Unsubscribe or manage your mailing list subscription at: https://lists.arin.net/mailman/listinfo/arin-ppml Please contact info () arin net if you experience any issues. ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it. _______________________________________________ ARIN-PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (ARIN-PPML () arin net). Unsubscribe or manage your mailing list subscription at: https://lists.arin.net/mailman/listinfo/arin-ppml Please contact info () arin net if you experience any issues.
--- End Message ---
Current thread:
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd), (continued)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd) Joe Provo (Apr 26)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd) Jared Mauch (Apr 26)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation JORDI PALET MARTINEZ via NANOG (Apr 26)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation Jared Mauch (Apr 26)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation JORDI PALET MARTINEZ via NANOG (Apr 27)
- Regarding the ARIN Advisory Council and ARIN PDP (was: Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation) John Curran (Apr 27)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd) Joe Provo (Apr 26)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd) Matt Harris (Apr 26)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation (fwd) Carlos Friaças via NANOG (Apr 26)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation JORDI PALET MARTINEZ via NANOG (Apr 26)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation Owen DeLong (Apr 26)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation William Herrin (Apr 26)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation Owen DeLong (Apr 26)
- Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation Hank Nussbacher (Apr 27)