[arin-ppml] [EXT] Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

Owen DeLong owen at delong.com
Fri May 3 03:24:49 EDT 2019



> On May 2, 2019, at 06:57 , JORDI PALET MARTINEZ via ARIN-PPML <arin-ppml at arin.net> wrote:
> 
> Hi Joe,
> 
> El 2/5/19 15:11, "Joe Provo" <ppml at rsuc.gweep.net <mailto:ppml at rsuc.gweep.net>> escribió:
> 
> 
>    [see Disclaimer]
> 
>    On Thu, May 02, 2019 at 12:30:38PM +0200, JORDI PALET MARTINEZ via ARIN-PPML wrote:
>    [snip]
>> So, you???re saying that if an ARIN member is *acting* against
>> the exclusive rights of use resources allocated to other members,
>> not by accident, and repeatedly, is just *fine* and ARIN should not
>> even remind the member that he is acting against the rules?
> 
>    No one says that, and your assertion that people are "with us 
>    on this specific formulation of this proposal or obviously support 
>    all forms of abuse" is both offensively polarizing and wildly 
> 
> I'm not native English speaker, so my wording may be not appropriate, but I don't think is difficult to interpret what I'm trying to say. It is a way of formulating a sentence with a generic assertion, and asking if "in general" you will agree or not that ARIN should act when members damage other members rights.
> 

IMHO, ARIN can only act to protect those rights granted by ARIN. Those rights relate to the entries in ARIN databases.

They do not relate to routing.

Any rights to routing granted to a block are granted by the owner of a given router or set of routers. ARIN cannot grant, revoke, modify, alter, enforce, bend, fold, spindle, or mutilate those rights.

This is the part you do not seem to be grasping.

ARIN grants the rights to registration in a database. That’s it.

ARIN doesn’t grant rights to routing. You keep trying to expand the scope of rights granted by ARIN beyond what they actually are.

Even when John Curran attempted to explain this to you, telling you that these were “additional rights” beyond the current scope, you told him that he was wrong and the rights already exist.

They may already exist, but they are NOT granted by ARIN.

>    incorrect. Existing process doesn't say that. Again, it is IMO 
>    outside the scope of policy, and handling such is covered under 
>    item 4 of the first paragraph of 
>    https://www.arin.net/reference/tools/fraud_report/ <https://www.arin.net/reference/tools/fraud_report/>
> 
>    "This reporting process is to be used to notify the American 
>     Registry for Internet Numbers, Ltd. (ARIN) of suspected Internet 
>     number resource abuse [...] or (4) hijacking of number resources 
>     in ARIN's database."
> 
> My reading on that is that it is only related to the "hijacking" of the database account or a similar way to alter the information, so it can be used by others. We have a similar text in RIPE as well.

Which is the only case your policy could possibly be effective against, even if it were enacted.

>    It seems that underlying the proposal is some form of unstated
>    dissatisfaction with that process, or the public reporting of 
>    results available on
>    https://www.arin.net/reference/tools/fraud_report/results/ <https://www.arin.net/reference/tools/fraud_report/results/>
> 
>    Perhaps there's something specific you can cite? Or that you'd 
>    be wanting to see more detail for some of the issues? Or that 
>    the actions don't go far enough?
> 
> I see the reports in that public reporting is not showing the details, so it is impossible to understand those cases. Most of them are marked as "out-of-scope". Having more information may help, clearly.

There was a presentation at a previous ARIN meeting where Registration Services explained that out-of-scope includes reports of SPAM and other “malicious activity” within an address block. While we may all agree that those activities are undesirable, they are an AUP/TOS matter between the address user(s) and their ISP, not something related to ARIN policy.

> 
>    [snip]
>> Our goal is to have this in the 5 RIRs. If some of the regions 
>> decide not to go for it, they will have less credibility than 
>> those that go for it.
> 
>    Since you aren't taking this through the Global Policy process,
>    you have chosen to work within the vagaries of different regional 
>    processes, which exist as a natural consequence of Global Policy 
>    ICP-2. I know you're specifically frustrated with these regional 
>    variances, but I'd caution you to reflect upon the the floor 
>    discussion from APNIC47 and overall reception for APNIC-prop-126 
>    before indicating that regions who operate differently are 
>    somehow "less credible".
> 
> I'm not sure to understand what is the relation here with APNIC-prop-126. I've explained in a previous email why I don't think a global policy makes sense here.

You should watch the videos or read the transcript of the floor debate of this proposal from APNIC 47. There are lessons to be learned here regarding your statement that an RIR that doesn’t implement your proposal will somehow be less credible.

Owen


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20190503/bac182eb/attachment-0002.html>


More information about the ARIN-PPML mailing list