[arin-ppml] [EXT] Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

Marilson Mapa marilson.mapa at gmail.com
Fri May 3 00:32:50 EDT 2019


Jordi, your interlocutor has just described paradise on Earth. It's all
perfect, ARIN customers represent what's most ethical in mankind, ARIN is
the ultimate perfection of efficiency and bad clients can be counted on the
fingers of one hand. Throw away your prop-266 because it's totally
unnecessary.

Your interlocutor always begins his speech of defending the status quo with
the phrase: "Speaking only for myself"
This prologue is enough to understand his real function in this list. He
sounds like the official ARIN spokesperson. If this is the position of the
administrators of this RIR I would not hesitate to call the ARIN of ex-RIPE
- which was ripe but rotted.

Surely your interlocutor will say that I am also putting words in his
mouth. But just read what he wrote to see that my exaggeration "is very
nearly 0".
It is missing to define in which planet is the paradise that he painted,
because in planet Earth the Internet of his peers is rotten.

I could not estimate the number of hijacking incidents being committed by
members, but I can say that over the course of five years denouncing
countless illicit acts "is very nearly 0" the number of providers that did
not protect real and invented scammers.

Marilson

Em qui, 2 de mai de 2019 às 17:03, Owen DeLong <owen at delong.com> escreveu:

>
>
> On May 2, 2019, at 3:30 AM, JORDI PALET MARTINEZ via ARIN-PPML <
> arin-ppml at arin.net> wrote:
>
> Hi Owen,
>
> El 2/5/19 11:23, "Owen DeLong" <owen at delong.com> escribió:
>
> Speaking only for myself...
>
>
> On May 2, 2019, at 00:55 , JORDI PALET MARTINEZ via ARIN-PPML <
> arin-ppml at arin.net> wrote:
>
> Hi Owen,
>
> I think that the comparison with a property is not good, so I'm top
> posting to make it simple.
>
> ARIN is providing a registration service for unique and exclusive rights
> for resources, following a membership organization model.
>
>
> What are these exclusive rights? What are these resources?
>
> I know we refer to them as number resources, but in reality, a number is
> just a number until you put meaning to it.
>
> I think we all know that we are discussing about ASN and IPv4 and IPv6
> allocated to a given RIR member.
>
>
> Yes, but my point is that they are simply integers. The value is not in
> the integers themselves, but in the registration of those integers for
> uniqueness for a particular purpose.
>
>
> Take, for example 5. Nobody has any particular exclusive rights to 5 in
> and of itself. Almost anyone can use it to count their digits on an
> appendage.
>
> On a private network or even an internet not connected to “the internet”
> (for however you define that), anyone is free to use 5 unless that network
> is governed by some organization or owner who exercises some control over
> such things.
>
> On “the internet”, ARIN has no such control. ARIN nor any other RIR cannot
> control who uses a set of numbers for addressing their hosts. What ARIN can
> do is say that among cooperating entities, these numbers are registered to
> this entity. That’s what they do.
>
> So, you’re saying that if an ARIN member is **acting** against the
> exclusive rights of use resources allocated to other members, not by
> accident, and repeatedly, is just **fine** and ARIN should not even
> remind the member that he is acting against the rules?
>
>
> Please don’t put words in my mouth. That is not at all what I am saying.
>
> I am saying that ARIN has no ability to convey the “exclusive right of
> use” that you are claiming, let alone enforce it.
>
> All ARIN can do is register numbers for uniqueness among cooperating
> parties for an agreed purpose.
>
> You keep assuming that the bad actors are RIR members. The majority of bad
> actors are not.
>
>
> They don’t grant exclusive rights in those numbers other than the right to
> maintain the registry data and the right to transfer said registration to a
> third party in so far as the transfer complies with registry policy.
>
> So, the right to use the allocated resources is not exclusive for the time
> they are allocated?
>
>
> If there is such a right, then perhaps it is or perhaps it is not. ARIN
> cannot convey such a right. The conveyance of such a right can only be done
> by those who accept or do not accept routing announcements as they control
> whether or to such numbers can or cannot be utilized in the specified
> manner on their networks.
>
>
> ARIN does not control (many) routers and any network that wishes to accept
> the advertisement of a particular prefix from someone other than the ARIN
> registered resource holder is under no legal obligation to respect the ARIN
> registration unless they’ve signed some form of contract to that effect.
>
> And nobody asked for that control (in our proposal). We just say “it is
> against the rules to misuse the resources from other members”.
>
>
> It’s already against the rules, but you’re asking ARIN to create an
> elaborate procedure and take other actions against non-contracted parties
> and trying to call it “number resource
> Policy”.
>
>
> Let's take another similar "association membership model". Please, note
> that I'm not a lawyer and my reading from US laws may be different as what
> we have in Spain.
>
>
> Neither of us is a lawyer, and I haven’t a clue about Spanish law.
>
>
> Let's suppose it is a sports club and you can request that at some time in
> the week, the tennis court is allocated to member A, at another time to B,
> and another time to X. Member X decides to ignore that allocation and uses
> the court. Even more, X is doing from time to time the same with the
> allocation to member B, and many others. This is clearly against the rules
> *and* repeatedly against the rights of other association members.
>
>
> This is flawed… The sports club owns the tennis court. ARIN does not own
> the Internet.
>
> No, it may be a public tennis court, but the club has the right to manage
> that for a certain number of years. It is a very similar case to the RIRs
> one. It doesn’t matter who owns the resource, what it matters is the use is
> for a given member, and all the other members must follow the rules and
> respect the rights of the rest of the members. None of the members has the
> right to act in bad faith.
>
>
> Nope… In the case of the public tennis court in your above version, then
> the owner of the public tennis court has conveyed that right of management
> to the tennis club. Since it is impossible to own integers, the analogy
> breaks down quickly.
>
>
> If ARIN owned the Internet, then you’d have a valid example. Since ARIN
> doesn’t, you don’t.
>
> It’s more like a bunch of people got together and agreed that they wanted
> to cooperate with a third party about scheduling the public tennis court
> down the street. So those people that are cooperating register their
> schedules with the SchedOrg they created and SchedOrg takes care of making
> sure everyone who is involved has a unique slot on the schedule. Along
> comes a third party who isn’t in a contract with SchedOrg who chooses to
> ignore the schedule and use the tennis courts on a first come first served
> basis.
>
> A third party is a different case. We are talking here to have the parties
> that agreed to participate in SchedOrg. They must respect the rules.
>
>
> But your proposal is to kick them out of SchedOrg, leaving them free to
> break as many of the rules as they choose.
>
>
> When we talk (in the RIRs case) about legacy resources is another
> situation. But I expect that those legacy “owners” (which is a different
> discussion because as you said the Internet doesn’t belong to anyone), they
> may need ASNs, or IPv6, which means that they must be bound also to the RIR
> rules. Moreover, they still may need to use some services from the RIR
> (registration, reverse DNS, RPKI, whatever). So, if they do not follow the
> rules and respect the other members (for all the resources, even if are
> legacy), they are acting in bad faith.
>
>
> Since they are public tennis courts not owned by SchedOrg, SchedOrg can’t
> really do much about it unless the city that actually owns the tennis
> courts chooses to identify SchedOrg as the authoritative scheduling
> platform.
>
> In the case of ARIN, some cities (ISPs) have done so and will take down
> routes that don’t map to the originating entity in the ARIN database.
> Others won’t.
>
>
> The association clearly can tell X, we don't want you to be anymore a
> member. You've done this not just by mistake, it was a repetitive action in
> violation of our rules and not respecting other members rights.
>
>
> Right, _IF_ X is a member and _IF_ the association in question owns the
> tennis courts in question.
>
> In the case of much of the hijacking we see on a daily basis, X is not a
> member and ARIN most certainly doesn’t own the tennis courts (routers) X is
> using.
>
> Our goal is to have this in the 5 RIRs. If some of the regions decide not
> to go for it, they will have less credibility than those that go for it.
> I’ve already mention before about the legacy resources.
>
>
> I don’t agree. I don’t see how this proposal in any way grants additional
> credibility to any RIR that adopts it. In fact, I’d make the counter
> argument that the absurdity of the over-reach included in the proposal
> would discredit any RIR that adopted it.
>
>
> You can find other examples, such a shared property. You have a right to
> use a property for a week, and if another member is usurping that right for
> other members "time", they don't follow the rules.
>
>
> All of your other examples also involve either shared ownership of the
> property by the individual in question _OR_ ownership by the registering
> entity.
>
> That doesn’t map into the situation as it exists here.
>
>
> One more example, in Spain there have been many cases of pick-pockets that
> the public transport authority (and confirmed by courts if they complain),
> has denied using the public transport, just because they have been caught
> once and again.
>
>
> Once again, in this case, you have two things ARIN doesn’t have… 1. The
> public transit authority owns the public transit. (ARIN doesn’t own the
> routers). 2. The public transit authority is coupled with law enforcement
> as they are both agencies of the same government.
>
> Governments have law enforcement powers. ARIN has no ability to enforce a
> contract against someone who never signed one.
>
> All the RIR have administrative power on the resources. We aren’t asking
> for ARIN to interfere with routers. We are saying it must be clearly
> written that a member can’t hijack other members resources, and if that
> happens, ARIN should be able to take administrative decision on the
> membership.
>
>
> No, all the RIR have the authority to create registrations mapping
> entities to numbers in a database. The choice to treat those registrations
> as valid or meaningful is entirely up to the operators of networks and none
> of the RIRs have any direct power to perform any form of enforcement on
> those operators. There’s a tenuous (at best) balance of power here in that
> a functional internet depends on cooperating around uniqueness and so far,
> the RIRs are the most credible and effective mechanism for maintaining that
> uniqueness. If enough people running routers chose to deploy an alternative
> to the RIRs and follow it, then at best, you’d see the RIRs replaced as
> that mechanism, and at worst, you’d see some level of chaotic interplay
> between the two systems balkanizing and factionalizing various parts of the
> internet.
>
>
> A more extreme example. You can have a property, let's say your home, and
> there are some common areas (for example a garden, a small summer swimming
> pool, etc.). You are a member of the neigbourhood, that of course has rules
> about how the garden and swiming pool can be used. If you act against those
> rules, or act against the rights of other neighbours, you can get cancelled
> your rights to use those common areas. Even more, in an extreme case, a
> judge will even tell you (this is not a theory, there have been many
> cases), you can't anymore use your home: find another one, and you can rent
> this to someone else, because you demonstrated that you don't know how to
> follow the rules.
>
>
> Sure, but once again, the judge has law enforcement powers as a judiciary.
> The HOA has ownership of the common areas.
>
> ARIN doesn’t own the routers and isn’t a judiciary body.
>
> And again, we aren’t asking for that, but ARIN has administrative power
> that can enforce if a member doesn’t follow the rules and is acting in bad
> faith against others.
>
>
> But ALL of your examples justifying ARIN being able to take the actions
> you are requesting DEPEND on:
> 1. Ownership
> 2. Judiciary powers
>
> I’m not sure what this administrative power you refer to is supposed to
> be. The most ARIN can do if a member doesn’t follow the rules is take their
> registration out of the database and terminate their membership.
>
> If they do that and the entity in question continues to advertise the
> route, what effect has ARIN actually had on the matter?
>
> The entity in question is still hijacking the same space, likely with the
> same level of success.
>
>
> In all those cases, the membership organization has the right to state
> (according to the bylaws), what are the rules. If the rules are accepted
> by the members, they must be followed and respected.
>
>
> In all those cases the bad actor _IS_ a member of the organization and
> wouldn’t have any access if he were not.
>
> In this case, many of the hijackers are _NOT_ members of the organization.
>
> Even if there are some non-members (they don’t have any registration
> service from ARIN), and we only succeed to protect 70 or 80% of the cases
> (just making an example here, I’m not looking into real proportion of
> legacy vs non-legacy), is better than nothing, and because the transfers
> are happening, LESS and LESS legacy resources stay as legacy, so this
> problem is being reduced as time passes.
>
>
> I think in the ARIN region, the number of hijacking incidents being
> committed by members with anything to lose (that is members who have
> resources other than the ones they are stealing through registry fraud) is
> very nearly 0. It’s certainly nowhere near 70-80% and I’d be stunned if
> it’s more than 10% of cases.
>
> Most of the hijacking I’ve seen in the ARIN region is an arbitrary party
> simply deciding to route someone else’s block without any action in the
> ARIN database. Sadly, there are still ISPs where one can get away with
> this, at least for some period of time.
>
>
> In all those cases, there’s an entirely different ownership model in that
> the organization actually owns the resources being used. ARIN does not own
> the IP addresses, because IP addresses aren’t property, they’re just
> numbers.
>
>
> I think it is obvious that the RIRs provide the unique and exclusive
> rights to members. I thinkk it is obvious *even* if we don't have such
> explicit rule, that a member can't act against those unique and exclusive
> rights granted to other members.
>
>
> Yes, but use of a particular number in a router isn’t one of those rights…
>
> Section 1.3 of the NRPM is quite clear on this matter…
>
>
> 1.3. Routability
>
> The principle of routability guarantees that Internet number resources are
> managed in such a manner that they may be routed on the Internet in a
> scalable manner.
>
> While routing scalability is necessary to ensure proper operation of
> Internet routing, allocation or assignment of Internet number resources by
> ARIN in no way guarantees that those addresses will be routed by any
> particular network operator.
>
>
> Unique registration and the limited ability to transfer that registration
> in certain circumstances are the exclusive rights provided by an RIR. There
> may be others, but those are the primary ones.
>
>
> Our policies are there, some times, to state in an explicit way, what it
> may be considered obvious. This is what our policy proposal is tryint to do.
>
>
> IMHO, it utterly fails to do that because it is built on a flawed theory
> that RIRs are capable of granting rights of exclusive use of numbers on the
> internet.
>
> Are not? Then I think many of us get a wrong impression of the RIRs
> function and many of the policies are already breaking what are you saying …
>
>
> The difference is subtle, but important when we come to a discussion like
> this…
>
> The RIRs grad a registration for uniqueness in a database. That’s all they
> are able to grant.
>
> Any right of exclusive use comes from other people (those who actually run
> routers) choosing to treat the data in the ARIN database as a specification
> they follow in granting such rights on their networks and their equipment.
>
> The RIRs don’t grant the rights, technically… They maintain the database.
> RIR policies are about how the database is maintained and not about what
> one can or cannot do with the numbers that are registered to your entity
> pro what you can or cannot do with the numbers registered to some other
> entity.
>
> Yes, there is certain conduct specified in RIR policy which allows the RIR
> to delete your registration. These are community standards of behavior. But
> ARIN doesn’t take your routes out of the internet… They can’t. All they can
> do is remove the registration linking your entity in the database to a
> given set of numbers in the database.
>
> ISPs who choose to follow the ARIN database may remove your routes as a
> result of that change, or, it may take additional externalities to cause
> that to happen.
>
>
> A resource hijack, is violating other member rights, and is also violating
> the rules about how the resources should be *correctly* registered, even if
> this hijack is violating the rules only during a few minutes or hours, it
> is still violating the rules.
>
>
> Agreed… HOWEVER, those rights are a civil contract matter in this case and
> you can’t expect to enforce contractual obligations against a party that
> never signed a contract.
>
> Again, you’re mixing here legacy. We are talking about members.
>
>
> No, I’m not mixing legacy… NOT AT ALL. I’m saying that hijackers, for the
> most part in the ARIN region, aren’t contracted for any resources and are
> simply announcing whatever address range they found handy to announce on a
> given day without involving ARIN in any way in the process.
>
> Yes, there are plenty of attempts to take fraudulent ownership of number
> resources and there is already policy prohibiting that (not to mention that
> under US law, it’s fraud and is a felony).
>
>
> There is some wording in the RSA that talks about some relevant aspects to
> this discussion (coping only some of the text):
> 2. CONDITIONS OF SERVICE
> (1) The exclusive right to be the registrant of the Included Number
> Resources within the ARIN database;
> (2) The right to use the Included Number Resources within the ARIN
> database;
>
>
> Yes… note that both of those rights are constrained to what happens within
> the ARIN database. They don’t talk about use of the numbers on the global
> internet.
>
>
> However, I'm mising a more clear "unique and exlusive right to use" in 2.
>
>
> You’re not missing it, it doesn’t and cannot exist because ARIN has no
> power to grant or enforce such a rite.
>
>
> Also:
> (d) Prohibited Conduct By Holder. In using any of the Services, Holder
> shall not: (i) disrupt or interfere with the security or use of any of the
> Services; (ii) violate any applicable laws, statutes, rules, or
> regulations; or (iii) assist any third party in engaging in any activity
> prohibited by any Service Terms.
>
>
> Sure, but that provision is only binding on those that have signed the
> RSA. Most hijackers haven’t. Also, all of this is in the RSA which is not
> the purview of the PDP, so you’re kind of making the case for out of scope
> even if you could get the changes you want in the RSA.
>
> Already responded to this. If we are resolving the issue for members,
> that’s already an good path to improve.
>
>
> But you’re not resolving the issue for members. You’re resolving the issue
> only in cases where the perpetrator of the hijacking is a member which is
> nearly zero cases.
> Members are the victims here, not the perpetratiors in the vast majority
> of cases.
>
>
> Policies can increase that wording and make it more obvious and facilitate
> both the organization and the members to take actions if those are not
> accidental and if they become repetitive.
>
>
> Policies cannot change the wording of the RSA, actually. The Board has to
> do that and your best path to getting the board to do so would be through
> the ACSP.
>
> I guess I written it with the wrong wording. I don’t mean the policy can
> amend the RSA. I meant that policies can add details that aren’t in the
> RSA, because the RSA explicitly say that members must follow the rules
> (policies).
>
>
> But policies are limited to a set of guidelines that cover how the
> database is administered. Going beyond that is out of scope of the policy
> manual.
>
> I believe bylaws are not clear on this, but it may be because it is
> clearly illegal to act against the membership rights of other members, so
> you don't need to re-state it in bylaws, but making it clear in policies it
> is definitively a good thing.
>
>
> You are conflating illegal (actually against the law) with against policy
> (which does not have the force of law).
>
> It is RIR administrative power. In any association, there are member
> rights, and the association must protect those.
>
>
> Except that the administrative power you want to claim the RIRs have in
> this case doesn’t actually exist.
>
> I can’t speak for the entire AC, but from my perspective, that’s one of
> the reasons why I voted to abandon it as out of scope.
>
> It’s perfectly valid for you to explore several aspects of this proposal
> in an ACSP asking that the board update the RSA accordingly.
>
> Owen
>
> _______________________________________________
> ARIN-PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20190503/53a57e38/attachment-0002.html>


More information about the ARIN-PPML mailing list