[ppml] 2003-1a: Required Performance of Abuse Contact: Good - ARIN Should Not Define Abuse or Mediate Disputes
Owen DeLong
owen at delong.com
Wed Mar 12 13:16:01 EST 2003
> I've been thinking about this since the revised policy proposal came out.
> I wasn't sure how I felt about it at first, but I've come to this
> conclusion.
>
> 1) The part that deals with required and *usable* abuse contacts is a good
> one.
>
Thanks!
> 2) The part that attempts to deal with revocation of IP space due to abuse
> is bad.
>
Hmmm... If the first part of your statement were true, I'd be forced to
agree with the second part, too. However, it was not my intent for the policy
to deal with revocation due to abuse. It was my intent to provide for
revocation due to lack of response to an abuse complaint. There is little
point to requiring a usable abuse contact without this. After all, what
happens if the abuse contact is unusable?

The stuff about defining abuse was intended to prevent ARIN getting swamped
with complaints about unreachable or unresponsive abuse contacts in the
absence of any abuse, and, to prevent providers from getting swamped with
"abuse contact tests" in the absence of abuse.

I think the policy will be significantly less effective without an ability
for ARIN to revoke resources due to failure to comply with the policy.
The defined steps for ARIN to take were intended to specify that ARIN would
not simply revoke space due to a third-party complaint without first
verifying that the ABUSE contact was, indeed, "unusable".

As such, I think my intent was to specify a system for doing exactly what
you say makes sense below. If the wording in my proposal doesn't meet
that need, I'd certainly appreciate your assistance in improving it.
> I don't think it is practical nor desirable for ARIN to try to attempt to
> settle abuse situations. That really should be left up to a court. Even
> if ARIN did attempt to deal with severe abuse situations it would probably
> end up in court any way.
>
Agreed. I don't want ARIN settling abuse complaints. I do think ARIN has
a role facilitating communications between the two ORGs in question (victim
and alleged abuser) and in making sure that both ORGs have up-to-date usable
contact information. If the parties in question cannot agree, then the
matter must be referred to the court. ARIN's involvement should end when
one party responds to the other.

Perhaps the confusion comes from my use of the term adequate response. An
adequate response to abuse does not mean that the alleged abusive action
must terminate for purposes of this policy (I'll clarify this with another
amendment). What it means is that an actual person at the alleged abuser
ORG has reviewed the complaint and informed the complainant of what actions
they intend to take with respect to this abuse. An autoresponder,
auto-attendant, or other automaton which simply spouts "It is our policy not
to address your concerns" or some functional equivalent is _NOT_ an
adequate response. It will take me some time to develop the wording to
define that in policy terms, and I'd certainly welcome any suggestions.
> However, it makes complete sense for ARIN to "revoke" IP space for not
> having accurate and usable points of contact listed.
>
That _WAS_ the intent of the policy.
> If an abused party is able to contact the IP space holder by the abuse
> contacts listed, ARIN has fulfilled its role. At that point the abused
> party can discuss the situation with the offending party and take it to
> court if they need to.
>
Yes. However, I wanted to go a little further and require that the alleged
abuser actually RESPOND to the abused party. After all, absent that, you
could maintain a voice mailbox pointed at /dev/null. Technically, since
I phoned that box and left a message on /dev/null, I contacted the
alleged abuser. Personally, I don't think that constitutes a valid, usable
abuse contact. However, requiring a response was, in my opinion, the end
of ARIN's role. Anything further belongs between the parties and/or the
court(s).
> If the abused party is unable to contact the offending party using the
> abuse contact information listed they can ask ARIN to intercede. If ARIN
> is also unable to contact the IP space holder, ARIN will revoke the IP
> space.
>
Right. I think we're in relatively complete agreement. However, the crux
of the perceived disagreement seems to come from lack of clarity on what
constitutes contact. I attempted to define the requirements in terms of
bidirectional communication. If you simply use the term contact, then it
leaves a lot of legal wiggle-room for the /dev/null approach I described
above.
> I think the main crux of the original policy was to require a real
> response from abuse contacts. This is good. To define the grey lines of
> abuse and mediate disputes should not be ARIN's responsibility.
>
I absolutely agree. However, I didn't want ARIN to have to chase a bunch
of "This guy is unresponsive even though he hasn't done anything wrong."
complaints. That's why I specifically tried to avoid defining abuse, but
still support the following possible constraints on the policy:

1. Any definition of abuse which may come from IETF in the
   future (there are efforts underway on this).

and/or

2. A published AUP from the complainant's network which is defined
   in terms that should allow the alleged abusing network to
   prevent violations relatively easily.

The intent of this was to keep ARIN _OUT_ of the defining abuse business and
to give ARIN a way to avoid resources chasing complaints about non-abusing
networks.

I will reiterate that I welcome any suggested wording changes to bring this
more in line with our mutual intent.

Thanks for your feedback!

Owen

> On Wed, 12 Mar 2003, Dr. Jeffrey Race wrote:
>
>> On Tue, 11 Mar 2003 12:38:51 -0700, John M. Brown wrote:
>>
>> > Do you REALLY think a RIR can do the job better ?? I certainly
>> > don't, and don't even want them to think they can, or to try.
>> >
>> > It's *NOT* their job.
>>
>> I believe the thrust of the proposal is that the system is now
>> broken because it is no one's job to enforce discipline, and
>> therefore someone must be assigned the job. The lesson from
>> the way the rest of society works is that the body which allocates
>> the resources withdraws them if they are not used according to
>> the allocation agreement. Some (small) amount of resources
>> must be devoted to the discipline mechanism. If it is known
>> that discipline will be fast and ruthless, practically no
>> resources need be devoted because no one will dare to violate
>> the allocation agreements. At the beginning you have to execute
>> a very few offenders 'pour encourager les autres'.
>>
>> Viewing the big picture, I believe we can reasonably conclude
>> that whatever resources the RIRs devote to discipline will be
>> repaid hundreds, thousands or millions of times in reduced
>> costs to the Internet as a whole. We can also conclude that
>> unless a discipline mechanism is adopted, problems of viruses,
>> trojans, spam and ddos will continue to multiply, as they are
>> now. The rising numbers for all of these metrics show the system as
>> now operated is broken.
>>
>> Jeffrey Race
>>
>>
>>
>
>
>