These are unedited transcripts and may contain errors.
Anti-Abuse Working Group
Thursday, 15 May, 2014, at 4 p.m.:
BRIAN NISBET: Hello. Good afternoon. I'd like to welcome you to the RIPE 68 edition of the Anti-Abuse Working Group. Apparently we are all adopting, super Ks, co-op is the coolest -- so I assume that makes us, I don't know, the edgy ones or something, crime and darkness, and all that sort of thing.
I am Brian Nisbet, the co-chair is Tobias and we'd like to welcome you all here.
First of all, thank you to the NCC staff who will be scribing and jabbering and other such things and of course as always with my national bias to our lovely stenographers. If you do wish to say anything at the microphone, please say who you are and where you are from or, you know, in certain people's cases whatever random collection of words you would like to put after your name at that point in time.
But yes, who you are and where you are from, this is all being webcast and recorded so that information is important.
So we have a lot of things on the agenda for today, and I have threatened all the speakers with shepherd's hooks to pull them off stage if they are running over, especially those from the NCC. So things we need to do:
Approve minutes of both RIPE 66 and 67. Apologies for the late delivery of the 66 and 67 minutes to the mail list. Are there any comments on these at this point in time? They have been circulated. No. Cool.
And are there any additions to the agenda that anyone wishes to make at this point in time? Apparently I am taller than any of the previous co-chairs and I am not now appropriately blinded. Thank you.
We will go on with the agenda as it stands, so.
So, recent list discussion has been primarily about the abuse-c matters which are covered in not one but two presentations later on in the meeting. So unless anybody has anything they particularly wish to raise now, that can be covered under the presentations later on? And I see no one rushing to the mic. So I will assume that that is all good there.
There was the charter which again we will discuss in a minute. Is there anything else that anyone feels was discussed on the list that they wish to bring up here, talk about? Again, no. I know it's been a long week so far. But you have just had coffee and plus we have the excellent news of, for the first time ever, two women being elected to the NCC board so this should be enlivening -- I thought I said two, yes. So it's now one-third women, which is fantastic and motion towards.
So, the charter. I circulated some text. There has been some discussion so far. I'm happy to leave that discussion, well-run if anybody continues to make any comments or to peter out and just to come up with an appropriate form of wording that will keep everybody happy. I don't think -- you know, there was a form of words e-mailed quite recently which looks like it could well be an appropriate compromise for what we are trying to do which is just to acknowledge the fact that some of the piece that is we wrote in the initial charter as being outside the remit of the Working Group are things we have actually dealt with in the Working Group since then. So, we want to acknowledge that and it's now a case /WHR-F there are any other comments and we would like to keep that discussion on the list but if anyone wants to say anything in the room right now, they should feel free to do so. OK.
There you go then.
Please, please go -- please do go the list, take a look at it. The charter is important. We haven't talked about it in a while so it was about the right time to do it and this was an action item from RIPE 66 -- 67, possibly 66 as well, actually, to be honest with you so it's important we do look at it and everybody is happy with it, it's not a huge set of changes from what was there previously.
We have no policies at the moment, so there you go.
Interactions: Those of you who were in the database Working Group yesterday, may recall me saying that, yes, we plan to do some work on the data verification policy but it is pending. And we were very nice to Nigel and Wilfried yesterday and told them they could take it off their action item list. Myself and Tobias still plan to do this but we don't have a time-line right now. If anyone else wants to beat us to the punch, cool, go ahead, but the plan is to put that policy into database when it finally exists.
Proof of identity discussions. So, this came up on the address policy mailing list. It was discussed in address policy on, whatever day it was, yesterday, yesterday morning, it seems like so far away, in address policy it was brought up in NCC services yesterday afternoon. I don't know, I mean we want contributions from this community, from the Anti-Abuse Working Group on what level of proof of identity you think the NCC should be looking for from especially in this particular case, it's PI holders who are acting through sponsoring LIRs. There was some discussion, I mean Athena, you were the person presenting this, there was some discussion in AP. There was no discussion at all in NCC services, so I don't know, I mean, it's what -- if you want to talk about what you are kind of looking for here very briefly or whether you want to address that point, if you have specific questions that you wish to address to this Working Group?
Athena: Yes, indeed there was a discussion yesterday morning in the Address Policy Working Group. I cannot talk on behalf of the Working Group, of course, but my impression was that there weren't like objections -- at the end there weren't like many concerns on the way we handled things, of course this is an open discussion, right, and if you feel that we overdo it or we do it a little we are always open to change our procedures.
BRIAN NISBET: So, are there any comments from the room, is there anyone here who feels the NCC should be doing less? Should be doing more? Should be looking for entire family histories back to the tenth generation or they should be trusting the sponsoring LIRs to say yes, these are real people? Please, Jim.
JIM REID: Just speaking for myself. I am kind of thinking the best thing to do is pretty much leave things kind of where they are at the moment. My personal feeling is, it's a very, very, very, very bad idea to be collecting personal data, unless you have got a really strong need to have that data. However, I appreciate the dynamic that the NCC is working in and certain cases for law enforcement and other aspects of anti-abuse, you do want to know who the individual is at the end of some IP address and that would be useful for other reasons, if you have got a reasonable degree of confidence that you know who it is, it's got some chunk of PI space or any other space, that has to be done in a way which has a degree of authenticity or verification about it.
BRIAN NISBET: Personally, as someone who was in AP and has looked at the discussion, I would tend to agree with you, but it's a question of whether this particular company has any comments to make that weren't made elsewhere. If not, cool. So I think -- as you say, Athena, I think we would agree that the general feeling is yeah, it's OK to keep going the way you are going at the moment. OK. Getting through all of this very quickly. Each speaker may have an additional 30 seconds.
Speaking of speakers, as previously mentioned at this community, the interactions between the RIPE community and law enforcement are channelled, for want of a better word, through this Working Group in the same way the interactions of governments go through the Cooperation Working Group, and in the same way, way, well in much shorter way than Paul's updates on external relations interaction update with government, Marco is going to give us a brief update on interactions with law enforcement.
MARCO HOGEWONING: I work in the RIPE NCC external relations team. My full job title didn't fit on the slide, somewhere it says technical advisor. To give you a brief overview of what we do and why. We often take questions like why do you take such an active approach towards law enforcement? Well, we saw previous years, and that is about three, four years back, a bit of an increase in the amount of inquiries and the amount of calls we got from law enforcement and it's no surprise, the Internet is getting bigger and crime is getting bigger and priorities change. Quite often we get questions for information we don't have. Often, very specific, I want to know who this user is, that is information we don't have. Often from foreign parties and not via official ways signed by the Dutch authorities, which we can't handle. We operate within Dutch law, we have to draw a line somewhere. And quite often, if we do receive information that we have, our databases are public so they can go and look up that information themselves. Basic idea, save both time and cost on both sides. It also helps with the annoyance levels and when people get annoyed that is never a good start in discussions. And also to increase the quality of the information, the quality of the requests we get so we can get more specific requests that actually make sense.
So what do you start doing? Well you start doing capacity building. Main goal: Create awareness about our tools, of who we are and what we can and cannot provide either via public or subpoenas. So we started participating in all kind of events that we know are attended by law enforcement, both public and closed events from law enforcement community themselves, working with international organisations such as Interpol, Europol, we /SR-L a wonderful relationship with these guys, they help us on getting outreach to the right people at the right time and help us to distribute that information.
So, we attach ourselves to their outreach programmes and their education. For a few years now we do an annual meeting that is a closed meeting that specifically targets law enforcement, we will do that in London, and I will come back to that. And we decide to offer dedicated trainings for law enforcement professionals, field agents. We do that upon request if there is enough interest, we did a few with Interpol and some in the Arab States and together with Dubai and Emirates police force. They are not that many, but we have material available if they want us, we can come over and do that.
So, our annual meeting that is in cooperation with called the national crime agency, changed their name from SOCA, we do that in conjunction with the London e-crime congress, we know that is a well attended event so last one we did was on March 14. We had about 80 representatives from law enforcement from all over the globe. So it wasn't only Europe, we saw Russians, we had people from Middle East and we had people from South America and from Asia there.
That being said, it's still a RIPE NCC organised event but we do cooperate closely there with our colleagues from the other RIRs. This year AfriNIC joined the party, thanks again Adele for coming over, and we give them a rundown of what see happening in our space that we think is interesting. And nowadays, we also get a bit of a rundown from law enforcement on what they happen so one of the presentations included there was they took us step by step through all the hoops they have to jump through when requesting information like who owns this Twitter account.
A really lively discussion and I think it's a very interesting way of communicating with these people, like I said it's all about trust. Some things are operationally relevant so they do like us to keep those meetings closed, we do get Brian in and occasionally get people from the community to interact with them. It's not an open meeting and we can't up to detail report about it.
What are the topics discussed. I can give you a high level overview. There are shared concerns about increase in resource hijacking and erosion of data. It's all about making sure that transfers get properly registered, it's about making sure that address space is not get stolen.
Carrier grade net and other IPv4 sharing techniques that has huge impact for law enforcement, Geoff Huston gave a rundown of what it is about, how it works and how it worked in the past and what things get lost when you apply multiple levels of NAT. They found it really interesting.
We do a lot of questions and follow-ups and there was a bit of thing going on about the recent denial of services using amplification, so DNS NTP, the traditional UDP style amplification attacks and basic question: What is the technical community doing about it, is there something they can do about it, so we informed them about BCP 38 and source address filtering. You invest all that money. Does it work?
Well, also we introduced last year there is a transparency report for the second year. The information is all in there, RIPE 6934/2012 from 2013, this is just bottom line snippet of the information we got. We see the requests go down, and the requests that we do get are better informed. We get less requests for RFC -- information we don't have. To that extent, yes, I think it's working. I have got a good feeling, again we have very good cooperation with these people and they know how to find us in a good sense, quite often we just get pinged about information like, hey, is this information, can I get that from the RIPE database, how do I do that or can you explain what is going on here?
So, I am very happy to continue. And of course, we are open for feedback. So, any questions? My question slide lost a picture, apparently, but it's got a question-mark.
BRIAN NISBET: It's the minimalist NCC question site, is it?
AUDIENCE SPEAKER: I like to ask questions. You mentioned it was a closed meeting and you cannot disclose the details of this. Is it possible for Dutch membership organisation to join closed meetings and not reveal information which was in such meeting?
MARCO HOGEWONING: I think we can. My legal -- I am pretty sure we can and actually we organised this meeting and in --
AUDIENCE SPEAKER: Why is it closed? Maybe you drank vodka the whole day.
MARCO HOGEWONING: It's not a State secret, it's not like fully confidential, people don't design -- we appropriately rules, no, no Tweets --
AUDIENCE SPEAKER: We want to know what happened. As I mentioned before, what I would like to ask RIPE NCC, maybe it's my Russian -- with KGB and so on in history, if you are interaction law enforce, please name rank and position. In Russia, there couldn't be any interaction with law enforcement, if you want to stay free. Please no secrets. It's no such secret things. If they --
BRIAN NISBET: The point is made.
MARCO HOGEWONING: Let me clarify that this is law enforcement, this is not intelligence community, that is a different group. I have to make that clear because that is definitely, that is something different.
AUDIENCE SPEAKER: Name, rank and position will show us it's not intelligence.
MARCO HOGEWONING: We are looking at way to improve the reporting but we have to work with law enforcement to what detail we can provide information about this meeting. And I have to get back, I will take it into account for next meetings, to suggest that maybe we can publish attendees list or at least give more information of which agencies were represented there. I will take it as an action point. I can't make any promises right now. We have to work with law enforcement here to remain -- retain the trust level.
AUDIENCE SPEAKER: I work with law enforcers in Russia because they request, they much more stupid -- you answer, you want -- I want the European interaction to be more clear.
AUDIENCE SPEAKER: I think I just shortly want to comment, I think Marco's suggestion is quite good. Joacim from the RIPE NCC and I think we are invited by them to their meetings and we invite Brian so he can see what is going on and can provide community input.
To be honest, I don't think the content is that secret at all. A lot of times we have the same presentation we have here, but however, there is people in the room who feel their identity is their own and they want to keep that to themselves.
BRIAN NISBET: Yes, I mean I have actually been asked in a separate meeting by someone from the NCA to remove their name from a public agenda that we had because a lot of their friends and family don't actually know who they work for. They know they work for someone in New Scotland Yard but they don't know who they work for -- I do not organise this meeting, I do not organise -- I am an invited guest, we would not get a lot of cooperation if we looked to publish a full membership list. I have legal that to the NCC but I think that would be the situation.
MALCOLM HUTTY: I have some experience on being of both sides that have secrecy divide and often it is the secrecy that engenders a lot more distrust than is really warranted. With a bit of planning, however, you can often get around it to satisfy all parties reasonably.
I am quite sure that if you think in advance of the sort of things that you might want to be able to say to the community, and prepare that in advance, and then ask the parties what, could we, for example, provide the agenda and this basic description of the nature of the things that were discussed? Keep it away from anything that were operational, if there were anything operational discussed or even reporting that there was nothing operational discussed would be something that would add transparency. When it comes to individuals I can quite imagine that individual officers' names they would want to keep off but lists of organisations, ask them if it's OK to list the organisations. With a bit of work in advance thinking that this community would like to know what kind of -- what is the nature of the interaction here, and working co-operatively with the agencies concerned, you might make everybody happy.
BRIAN NISBET: Personally I am all for as much as transparency as possible. It's just what the balance is, as you say.
JIM REID: Malcolm has pretty much hit the nail on the head here. Perhaps with a little bit of more forward planning we could find some kind of halfway house that will address some of the concerns that are being expressed in this room around issues around transparency, what is being discussed and what kind of participation is going on, but tame, we /SHR-S to respect the fact from those attending the meetings they have got a reasonable expectations of secrecy of privacy because of all sorts of things and as Malcolm pointed out we cannot discuss anything of an operational nature or the fact that nothing of an operational was discussed at that particular meeting and I think it would be very, very wrong to saying I must have the name, rank and identity of an organisation of everybody that is attending in that room because that of itself could also disclose operational details.
BRIAN NISBET: Yes, so I think the action you have already taken is the action we would like to see, to see what /KEBG do about more transparency.
MARCO HOGEWONING: We will take this back to law enforcement and work with them on future events to get better reporting.
BRIAN NISBET: Thank you very much, Marco.
(Applause)
So we now have a number of presentations, discussion starters, whatever one of those, there is abuse-c and a few other ones. We are going to start with the -- a view from the messaging world in MAAWG and Jerome has to come to us from MAAWG, the mail and messaging and -- what is the third one? -- messaging, malware and mobile. Anti-Abuse Working Group who -- this is the professional operators who are working on all this and it's extremely important that we, as the network operators, have good communication and good ties with the messaging, the people who do the mail, and the mobile and malware as much as possible. Thank you very much for joining us.
JEROME CUDELOU: Thank you. Good afternoon. I am vice chairman of MAAWG and it's a pleasure to be with you today. And I would like to thank Brian and Tobias and for giving me the opportunity to present to you.
What is MAAWG? It means messaging, malware and mobile Anti-Abuse Working Group.
So MAAWG is a global industry and public policy organisation created in 2004, so we are ten years old this year. Its goal is to work against on-line exploitation and mobile abuse. In order to contribute to make the Internet safer for consumers. MAAWG is both a technological neutral and non-political working body. This is important things. We address all aspects of messaging abuse through three ways mainly: Through technology approach, industry collaboration, and public policy.
Today, MAAWG covers over one billion in-boxes with more than 200 member companies.
So, when MAAWG was created, its main subjective focus was spam, trying to help the customer to inboxes to keep clean. Messaging is, therefore, one of our main subjective concerns. And it's still the core subject of MAAWG. However, spam has evolved, so MAAWG evolved too. Back in 2004 most of the spam was mainly sent by individuals through their own computers, but right now, things evolved and all the spam is sent through BotNets. So MAAWG decided to extend its expertise to malware, so this is the second M of MAAWG. And finally, now that we have more and more smart phones and that mobiles communications are getting cheaper and cheaper, we observe more and more abuse targeting mobile users or originating through mobile platforms. Mobiles has become another subjective focus for MAAWG, so this is the third M.
About our membership. MAAWG is driven by -- mainly by ISPs, but memberships is very diversified. MAAWG memberships includes a lot of major companies involved in on-line communications and security. Here on the slide I listed a number of companies that are member of MAAWG. I won't go through all of them but you will notice that there are lots of ISPs, all the major US ISPs, but also some European ones, all the major e-mail providers like Google and Microsoft, some mobile operators, too; the social networking companies, like Facebook, LinkedIn, Twitter and the leading hardware and software vendors.
Our membership included also many nonprofit members, including, for example, Spamhaus, the ISOC, the ISC, just to give you some names. But also some government entities, some law enforce. I will mention London action plan because we have quite close relationship with London Action Plan. We sometimes developed core document with them and we co-host some meetings with them. And our members comes from North America, but also from Europe, Asia, Russia. We try to reach China and India but I will come back to this later on.
So what MAAWG does and what MAAWG doesn't:
MAAWG believe that the two keys for an efficient fight against on-line abuses is, first, to adopt BCPs. This is an important point. And second one is to encourage collaboration -- industry collaboration. So, for the first point, we developed and published best common practices and position statements. It's important to notice that we don't develop standards. It's a recommendation, not rules. So, as an example of a BCP that had a very great impact on the reduction of spam, I can mention our port 25 management best common practice. Having said that, we don't develop standards, that doesn't mean we don't work with the standardisation bodies, and especially, for example, the IETF and some of our documents are referenced in standards. I gave the example here of our bot mitigation BCP and feedback loop BCP.
We also provide technical and operational guidance to those who develop new Internet policies and legislation, and we also have some papers referencing government reports.
So, here is a list of a few examples of MAAWG papers. We have much more than that but it gives you an idea. You can find all the documents on our website. They are all available. You can notice that some of them are available in different languages, some of them have been translated in Chinese, French, Spanish or Arabic, not all of them unfortunately but at least some of them.
So, the second point beside document is mobile, so provide trusted forum for open discussions. We have three meetings a year; one taking place in Europe every year, this year it will be in Brussels in June. These meetings provides the opportunity to network and share information and -- for example, through our open round table sessions. And during these meetings, MAAWG also proposes some trainings. These trainings are provided by widely recognised experts and are very popular among our members. I give you here some of the topics that over recent trainings. And some of the trainings are available on videos on MAAWG website or on YouTube. So if you are interested, you can go to see them.
Another goal of MAAWG is to propose its help and expertise to fast developing Internet countries, and in -- for example, in 2011, MAAWG was involved in two initiatives with the east/west institute; one in China, our chairman spoke at China national computer network emergency response team annual conference, and one in India. These two countries seem to be very fast developing countries. And therefore, it work in both India and China, MAAWG was awarded by east west institute with cyber security award in 2013.
MAAWG also decided to create a foundation called messaging, malware and mobile anti-abuse foundation and this foundation is dedicated to anti-abuse training in developing countries like Africa. You can find out more information, if you are interested, on the website.
So, beside work done in messaging, malware, mobile areas, MAAWG has also a number of new initiatives, mainly due to the wide development of cheap VoIP services, telephony is becoming another Internet medium for cyber criminals to exploit. So, therefore, MAAWG decided to create a new special-interest group called VTA for Voice and Telephone Abuse, to deal with these new types of abuse. And this SIG first met in San Francisco this year, in February, and we will have a second meeting in Montreal in June.
Hosting services becoming more and more popular. So MAAWG created a special-interest group for that. And to the goal of this special-interest group is to deal with issues with Cloud storage security. MAAWG -- pervasive monitoring, SIG has been created to evaluate the technical aspect of higher security levels that may also reduce the ability to mitigate abuse.
I also mentioned our abuse desk special-interest group which is not new but who has been revived recently, due to a strong interest of our members that includes a lot of abuse desk managers. And we also in the process to update the OECD best practice that we could have -- London Action Plan and deal with on-line and mobile threats. So that is our new areas of work.
So, as a conclusion, I'd like to invite those of you who would be interested in MAAWG's work to find more information on our website or to ask me if you have any questions, and just a point to tell you that we will have a meeting in Brussels in June, so you can find the date on the slide, and I'd like to invite you, if you are interested, you are more than welcome to attend this meeting, and if you are interested, please contact Gerry Upton, our executive director, will arrange everything for your attendance.
Having said that, I think I would like to thank you for your interest and I will take questions if you have.
BRIAN NISBET: Great. Thank you. And faster than expected so we now have lots of time. Are there any questions? I suppose from my own point of view, I have a couple.
Do you have any ideas on -- I mean, I suppose other than just going to each other's meetings, on ways that the operator community, especially the smaller operators who wouldn't be the very big players, could interact with yourselves or, you know, areas of mutual engagement or things that we could work together on?
JEROME CUDELOU: You mean without being members?
BRIAN NISBET: Well, I mean, yes I suppose without being members, initially anyway.
JEROME CUDELOU: Yeah. First, I think that is the best way is to become members, of course. But anyway, you can attend meetings, especially small - always welcome, we invite small operators to attend our meetings sometimes. So for that, please contact Gerry Upton, who will be happy to see that. And otherwise, yeah, everybody has access to our documentations and everything so it's easy to find the work we have done and to interact with us.
BRIAN NISBET: And is there any possibility for non-members to contribute to those documents or is that -- I mean it's cool if it, I am just wondering, I am not...
JEROME CUDELOU: I don't think it's easy to do.
BRIAN NISBET: OK.
JEROME CUDELOU: It's better to be a member.
RUEDIGER VOLK: Deutsche Telekom. I wonder can you point us to some document or parts of document that you have done that would explain what is expected from abuse contact?
JEROME CUDELOU: I am not sure we have -- this document right now. But I think this is a document that is under discussion, right now.
AUDIENCE SPEAKER: My name is Vincent Schonau, I am with -- I co-chair of the training committee at MAAWG. There is the abuse desk best practices document that is now a few years old, the abuse desk special-interest group has revived and going to refresh that in the coming meetings.
BRIAN NISBET: That will, again the aim would be they would produce a document then which would be available.
AUDIENCE SPEAKER: Alex de Joode from LeaseWeb, we are not a member of MAAWG but we are participating in the hosting SIG and abuse SIG so yes you can participate without becoming a member.
BRIAN NISBET: And how did you go about that?
AUDIENCE SPEAKER: You send a message to Gerry Upton and get a free invitation.
BRIAN NISBET: All things to all people.
JEROME CUDELOU: It's a bit special statement. It's possible.
AUDIENCE SPEAKER: Sam in a from -- Netherlands. I wonder do you work also with research institute or university, we are working on banking malware, also mobile malware so if you share data with us?
JEROME CUDELOU: Yeah, we work a lot with academia and researches and we have a special membership status for them which I think it's a free for academia. So yeah, we have lots of researchers among our members. I don't know from -- stands for lots of universities involved in malware research.
BRIAN NISBET: Cool.
AUDIENCE SPEAKER: Maybe I could add. Vincent Schonau again. In general, if there hesitation about the membership requirements, in general definitely for the European meetings but also for emerging groups like the hosting SIG for companies that haven't attended MAAWG before, there is a very open policy about inviting people to come to the meetings so if you are considering participating or if you want to participate for a shorter period of time you should definitely consider contacting Gerry or you can talk to Jerome or myself to get an invitation for the upcoming meetings.
BRIAN NISBET: But we would have to cc Gerry.
AUDIENCE SPEAKER: We will forward it.
BRIAN NISBET: I mean, I know from my own point of view, and I am going to randomly ask some NCC members in the audience a question in a moment. The NCC, along with myself, went to a meeting in Barcelona a number of years ago -- it was Barcelona -- I went to Barcelona, I don't know where you were. I am not sure if there has been any interaction since then?
AUDIENCE SPEAKER: I don't remember when -- where we went first. We have been to Barcelona and then to Paris. And then to Paris.
BRIAN NISBET: I am trying to figure out if there was -- if it is germane for there to be another visit, almost reciprocal visit again or otherwise.
AUDIENCE SPEAKER: It's funny you mention that because I think we will try to come to Brussels especially since it's quite nice and close. It sort of makes sense. Yeah, so I think we did find it quite useful as a meeting and to engage, see the community there and get input. I mean, it was quite an open thing for us.
BRIAN NISBET: Cool. It's a good thing. OK. Anything else? No. In which case, thank you very much for coming along Jerome and hopefully we will continue the dialogue and the interaction.
(Applause)
So, obviously abuse-c has been a big thing that we have been talking about in this community, and in other locations for some time, and there is the good and the bad involved in it, I think it's fair to say. I mean, I am a big fan but then again, I am one LIR, we send very little spam, it's great, but what we have today is a user experience of some of the, I think the good things, the bad things and indeed possibly some of the ugly things involved in deploying abuse-c and using it and we decided to put this before the discussion, the NCC-led discussion on abuse-c so everyone had some ammunition.
So, I'd like to ask Bengt Gorden to talk to us about his experiences of abuse-c.
BENGT GORDEN: Hi. I am as you can probably read my name there, or pronounce it from today. It's hard to pronounce because it's Swedish and you don't have the acute accent in English. I work at the company called Resilance, sort of resilience we call it. And we have had some experiences of the abuse-c for a few -- for about a year ago now, so -- and it's been, as Brian said here, it's been good and bad, not that ugly but a little bit.
Yes. The abuse-c is a service as I see it, to the end user so they actually can get in contact with the resource holder, because that is the only way you can get things done, and I like the abuse-c, I want it to be employed -- deployed much more, so I want it to be all over the RIRs, all over the world actually. I think this is a good thing, we need it.
And our customers should have this -- they should have their own abuse contact information inside in this, but we have a lot of customers so it takes some time. In the meantime, we have deployed it for all our customers, so we have had -- we have some intermediate e-mail access so we can actually distinguish which it is so it's an e-mail address that goes to the customer but it lands in our ticket system, just so we can take care of it and we can just push the user to do something with the problem that has arisen.
And of course, we have an acceptable use policy, the AUP is when we contact the customer, they should answer in 24 hours and there is no hard limits but we want them to do this, otherwise they actually risk withdrawal of their resources that we have delegated to them. Because we feel that abuse is something that should be taken really, really, really serious. We have a lot of bad things happen on the Internet.
So, our abuse policy is just, we don't tolerate unsolicited commercial spam, you know the drill and we do not tolerate all these worms, viruses, that is just abuse. So we started to deploy this in early spring 2013 so we could -- we thought that this is a good thing, we need to do this as fast as possible and we need to get in the abuse contact information from our customers and such, so we started to do it as fast as possible so it would be implemented. And I was sort of 1,000 role objects, give or take something, anyway. And we created automatically role objects for the customers who didn't reply with their own.
In the late summer, we started to get more and more abuse complaints from all over the world, sort of. Not much, but anyway, it was some, and actually, to this date we have had sort of 370 abuse complaints, and we have taken care of them, we have quite small backlog. That was about spam, viruses, DDoS, harvesting e-mails and dictionary attacks and such things. And I was wondering: Where did this actually come from? Why didn't we see this before? Why haven't we got this? We have an abuse address to resilience networks so why didn't we see this before, so obviously this had something to do with the abuse-c so I started to gather some statistics and I saw that this -- this I did in the late summer and beginning of autumn and I got it running sort of, yeah -- got it running in October late -- early November, and you see we had a lot of spam and abuse but this is mostly spam, actually. So we had sort of 75 on an average, 20, maybe, 15, 20, 25 a day that we saw. And before we hadn't had these e-mails to us, there was some complaints but not very much but now it just sort of rained. And I analysed this and saw of course this is -- here is the detailed statistics and you see the -- this is the pointer -- you see here, it's the harvesting e-mails, e-mail spam, dictionary attacks and comment spam and you see how it is mostly spam -- mostly spam and it's -- after we have analysed everything and we got to sort it out, we more or less got rid of it and then we have a steady stream of let's say one, maybe two, a day, from about a million addresses. So I think it's quite fair. It's good enough, it is. We sorted this out in December.
We had a lot of work to, with different organisations out on the Internet. There was actually, they didn't -- the most of them, they cached the information so they didn't care that we had changed things from information in the abuse, in the role object. We started out with a lot of automated that went to us, but then they just cached it and then they still send it to us from the cached data instead. And the most -- a lot of them did actually just, they just send out this automated request for something. You have a spammer on your network, please deal with it, and they don't want a reply, they just send it from -- they don't want a reply, so nothing in the e-mail says that we can reply to them. Sometimes they have a telephone number but that doesn't work.
And a lot of them, they don't do the on-line interface with dash B. They have systems so they have UNIX systems a lot of them, but they can't do the dash B to get the abuse information, actually. But that was really the revelation, sort of. And of course, then it says that they should go to the web app instead. Anyway. Many of them had cached the old abuse addresses.
The worst offenders was all these copyright holders -- I abused it -- anyway, the worst offenders was the copyright holders with the music video stuff and things like that, they didn't do anything; you can't talk to them, just send out loads of e-mails, they do. So I got them to respond when I actually e-mailed all the board members in the companies and they started to respond. There was -- that was a good thing. I should have a database of that, of these e-mails.
And I don't change the cached contact when we try to talk to them that to say they changed -- they can't. They just do it -- they have gotten a database from another so they just use it. And they sure don't -- they don't know what LIR is, so we can't explain to them that they should talk to the other because we don't have the resources to do anything with the customers.
So, this brings me to what actually happens after this. When they -- when they send a lot of e-mails, eventually it's going to end up in a blacklist, somewhere. And the resource holders don't respond to complaints; they run the risk of ending up in blacklist, as I said, and I can say that there are loads of blacklists out there. I know about 203 of them and they are in 117 domains and that is what I know of. I am sure there are a lot more. And you see it's all Monty Python there, it's spam spam spam. And the most well-known is Spamhaus and SpamCop and Spamhaus is what I believe is the largest in this respect.
The blacklist from Spamhaus, they are five and they are e-mail and exploits and things like that.
SBL is what -- it's mostly e-mail spam the abuse actually, so SBL is their biggest -- is their largest blacklist. I think it's a good service, actually. I really do. This is nice and it should be -- but it has to be correctly run, and to get delisted from that you have to -- you have to request the removal and they do this manually.
We ran into very complicated situation where we had -- I couldn't see this in the other trap systems, this is funny for me, but anyway Spamhaus says this. On February 27th, 2004, they blocked three /16, three /19, without warning, without warning our customers, nothing. They just blocked them. And of course, they -- yeah, it has a big impact on our small firm. We are just seven people so it's -- all over the Swedish country and from abroad, they called us, and a lot of customers ended up as collateral damage in this. This was really bad because the spammers was just a few and that happens. I mean, so what did we try to do? We asked to talk with them over the phone and invited them to come to us, we were prepared to go to them, we did ask for feeds, we can be proactive next time, to come to RIPE meetings, all turned down, probably ignored. So we had to wait for them to read our e-mail but they had blocked that. So that was a bad situation there.
I have an example here how it actually went down: They said these five -- this is not an unusual example; this is an example from the big problem here -- it was five addresses that someone used to spam from. And logically, they locked 194.71.8.0/24 when it was 192 instead. And this just goes on with this. I have another one, this is the funny one. The problem is this is a dirty block, huge range given to spammers as they say, it's a /24 and it was given to the city government of Gothenburg in 1993. So and it's actually not even routed, that is why I brought this up, because it's quite funny. So, was it hijacked? No I looked in all the BGP archives I could find, nothing. I looked in the RIPE BGP play, no not there.
So, that brings me: Is this SBL actually correct in any sense? Well, you can check for yourself. Just go there and put in -- take one of these and put in the RIPE, ARIN, APNIC, LACNIC, do a domain in whatever you like to do, you can download this from my presentation and try that and you will see that there are a lot of networks that Spamhaus thinks is RIPE's problem, not the end user; this is RIPE and RIPE NCC, and a lot of them are not routed, as you see. This is not routed, this is not routed, this is not routed, that is, that is routed, and almost 500 and these are not small blocks; some of them are quite huge. They are /10, /14, /15, /16, /17, it goes on. So -- and here you see, and they are old; I mean, this is not just yesterday. It's back to 2002, nothing happens.
So, what are they actually doing? They are fighting spam with a deliberate denial of service attack for the collateral damage. And this is, for me, it's a denial of service attack, actually, and this is an abuse from the guys who says they want to fight abuse.
So we made an incident report, you can read it. It's on-line and a few days later Spamhaus did the same, of course our views aren't the same but feel free to read it.
So, what should we do? I think we actually need something, we need some legal certainty for this because this hurt us if we couldn't get in contact with them, our customers are going away. I mean, and most of them, I sort of 99% was collateral damage. And they till for all you want, we don't care. If you think you are spam haven, there you are, you can't get out of their database.
So I have a few suggestions, I am not really sure that this is the way to go, but anyway; I think we need some arbitrational blocked IP resources, and hopefully, RIPE NCC would be a party in that. In Sweden, we have this national board for consumer disputes and they don't -- they are into the court but they have sort of recommendation, non-binding recommendations, and this thought of to be a very good place and just a few organisations don't follow that, and they are actually -- they are name and shame if they don't follow it, so mostly they follow, so I think that could be a way.
Another way is that we do this ourselves, instead, we present a real good blacklist instead. And the last thing that I started out with, I actually think that abuse-c is a very good thing and we should enforce it all over RIRs. But is it possible?
AUDIENCE SPEAKER: Was your message to abuse-c of Spamhaus successful?
BENGT GORDEN: No. Questions about that?
AUDIENCE SPEAKER: Some remarks, I think this happens to nic.at, the domain registry, it happened to, I think, Estonia or Latvia, one of those countries which I always confuse and this happened again, very often, turned out that since we have multiple cases now Spamhaus has been bullying people on the Internet and one funny joke that I just happened to hear from somebody is, like, you might have -- I don't know, a claim, a copyright infringement or trademark infringement with the name Spamhaus and send it to .org.
BENGT GORDEN: That would work.
AUDIENCE SPEAKER: That would be pretty nasty as well.
BENGT GORDEN: It's the way they work.
AUDIENCE SPEAKER: It's the same way. So it was a joke now of course, it was very good that you came up and spoke about that because we as Internet community need to make sure that things are balanced out, somehow, and so I want to thank you for your presentation.
BENGT GORDEN: Thank you.
AUDIENCE SPEAKER: Eric, ATB Internet. So, we have been in the same situation. It's been well?documented.
BENGT GORDEN: I read it.
AUDIENCE SPEAKER: We actually did the complete name and shame, full disclosure with Spamhaus, we filed a police complaint which they actually thought was funny and was false. And they actually blogged about that on their websites. We responded on ours and basically we just disclosed all e-mail conversations with Spamhaus. This is not the first, this is not the last. These guys have no idea about collateral damage and they don't care.
BENGT GORDEN: No
AUDIENCE SPEAKER: They really don't care. And they will even go as far to your upstream providers, they will put the e?mail servers from your transit providers on the blacklist just to force you to do their bidding, and we have had, so far, no way to actually take them to court or nowhere to actually take legal actions to them, and they, as you said, we also invited them to come to this Working Group, have a panel here, discuss about proper policies, and they just refused. They do not want to communicate on those kind of things.
BRIAN NISBET: Unfortunately, the relations between this Working Group and Spamhaus are perhaps not as good as we would like them to be. However, I also remember when this talk was about abuse-c, rather than being about Spamhaus to that degree.
AUDIENCE SPEAKER: Yes. So on the topic basically on the abuse-c, we did a couple of transfers for some of our blocks and it was interesting to actually, days after the transfer we got replies from copyright infringements and peer to peer and spam and something like that and it took a while before those copyright companies update their issue, and their local cache databases and some, still, you know, even after half a year, they still e-mail our abuse mailbox for blocks that we don't own any more, and we kind of see this more specifically with more transfers, blocks moving around. You know, if somebody would actually just use the database that is there on the Internet, the RIPE database because that is where the actual most accurate info should be, and that is -- you know, there is -- how do we get them to actually make -- update their shit because this will happen more and more?
BENGT GORDEN: I think we as a community, actually, needs to work together to get this, and that is why I suggest that we actually have something. It doesn't need to be any legal thing but the larger we are, the more we ?? it's going to be listened to.
AUDIENCE SPEAKER: I think it's a good time to remember that Spamhaus does not block mail in any way. There are neters that use Spamhaus to eventually block mail and if you believe you can manage a better list you should try it because there is always a need for more. Thank you.
BENGT GORDEN: They have their block list as default in spam is default in lot of smaller software and it's turned on with blocklist. So you can't do anything.
AUDIENCE SPEAKER: No way invalidates my point.
BRIAN NISBET: OK.
PETER KOCH: DENIC. Could you go back to that slide with the suggestions. Thank you. So on the first two points I guess, without honing again on this particular provider, what you are requesting is a governance debate for a vigilante group that seem to be a contradiction in terms and I would follow up on what the previous speaker said, that the education probably needs to go into the other direction as opposed to trying to convince whatever fanatics.
The second one, I am somehow, even though I heard your presentation, I missed the link to the third. I ask for the clarification and I interrupted you sorry about that.
BENGT GORDEN: You mean get the rest of the RIR to adopt similar as abuse-c. I think it's a way to get this working so that everyone sees that they should use real information and not just cache everything, because if we do this, it works better.
AUDIENCE SPEAKER: I saw a slight contradiction because you were giving not really a success story but a suffering story and said based on this it should be expanded as opposed to quote, I told you so.
BENGT GORDEN: On the contrary.
AUDIENCE SPEAKER: It's my I told you so because we are in a situation right now where the abuse-c was designed and developed for long time and there was lots of guessing about what people would make in a wrong way and we need to help the people that have no clue and so on and so forth and they are inventive. And maybe it's time to actually get over this and not try to optimise a thing for an audience that is not, I don't know what, not educatable or something, thank you.
BRIAN NISBET: Tobias you know more about this, there are a number of similar policies in other regions. You did quite a bit of work on that.
Tobias: Yes. There is, the policy about abuse-c was also brought in at RIPE -- not at RIPE, sorry, at APNIC two years ago in a little different way, and the same was done by AfriNIC as well. So it was slightly different, they choose different ways to implement it, but at the end it was all about having an abuse contact in Whois database, whoever it looks, but single space, single place where you can get the abuse contact.
BENGT GORDEN: I tried to get abuse contact for Spamhaus, it didn't work.
AUDIENCE SPEAKER: I am Alex deodour, we have similar experiences with a lot of those blacklists. Spamhaus is a regular attendee of MAAWG so if you want to meet you should go to Brussels. I would like to ask everybody here who has the same experience to come to MAAWG and see if we can set up some sort of best practice for blacklists.
BRIAN NISBET: OK. It has to be very brief because we are running over.
AUDIENCE SPEAKER: I think ask there is a best practices document that has come out of MAAWG.
BRIAN NISBET: It exists. Thank you very much.
(Applause)
So, next we have Denis and Christian from the NCC to, just Christian first to talk about some of the discussion about abuse-c and the next steps.
CHRISTIAN TEUSCHEL: RIPE NCC. And well, I am doing that presentation together with a colleague, Denis Walker, and yeah, we would like to present some ideas about how abuse-c could be improved.
So the first one is address validation. So I mean, as you all know, RIPE 563, the policy, describes that all of the resources should have dedicated abuse-c contact. But it doesn't really tell you something about the quality of that contact. I mean, the e-mail address is syntactically checked but it could be e-mail address that doesn't exist, and that defies basically the purpose of the abuse contact. So, what could we do about that that would be a validation of that e-mail address? I mean there are different forms of technical solution, and I wouldn't like to discuss it right now; I mean it could be call back verification or we could do it even on a higher level. I mean, sending an e-mail to that person and well -- with something that needs to be clicked so we know the mailbox is being read or something like that. This is more about what we should do with that data and that is, in a way, a question for you. I mean, what should we do with the results of such a test?
So, I mean, we could, in case that -- in case that the test is negative, so people are not replying to e-mail address, we could privately send an e-mail to the resource holder telling them that, OK, the e-mail address doesn't really work, or what we could also do, present this data on our API, so abuse contact finder, if you look up IP address and you get abuse contact, we could also tell you the results of hey, that e-mail address doesn't really work. Yeah, that is one point.
Another is related to the collaboration with national CSIRTs. And that is also some kind of limitation from -- for the abuse-c, from the RIPE-563 policy, because it doesn't really tell you or it doesn't enforce anything where you could expect if you report any abuse.
So, from some of the user feedback we realise that more and more reported abuse cases are not properly handled, so it could be that the e-mail basically bounces so we could cover in the address validation. It could also be the e-mails are just ignored, and we thought about that, and solution for that could be that we provide the user with additional way, because if you can't reach someone by phone, what are you going to do? You try to phone someone around it. So that you get a grip on someone.
And yeah, we came up with, or what we found is that the national CSIRT, I think the two terms can be used interchangeably, so national CSIRTs, they are doing that, they are taking care of any abuse that could happen in information systems. So our idea right now is -- I mean we will still provide abuse contact, but as alternative we could also provide the national cert that is responsible for that resource and how would we find the national, we could do that based on RIR stats, we know which countries got which resources so by looking up that in the RIR stats we could find what is the appropriate national cert for that and provide contact details to the person or to the entity or the person that will report the abuse.
What do we expect from that? First of all, some kind of analysis and assessment of the incident. Then, the CSIRT can efficiently contact the responsible team that manages that network where the abuse is coming from, and another responsibility of national CERTs is to share information so they could advise them what to do in a specific case.
So, what are the big benefits of that? I mean, we know and we heard a lot about abuse-c creates a lot of extra effort for the resource holders and that is totally understandable because we, as the RIPE NCC, we are going to show up in many cases when people get a message from the firewall, and they look it up in search engine, then they get, somehow, a link to the RIPE NCC and they think we are going to -- are causing that abuse and I mean, of course, that is not the case. But I think it's very important that we have some kind of filter for these kind of abuse reports, because in this case, the resource holders can efficiently act on something that is important and they don't really have to waste so much time on dealing with abuse cases that basically are not really relevant. And I think that is a mutual benefit, because for the CERTs it's also very good to get information there is something going on so that could be another benefit.
OK. Another improvement, I would say, for the abuse-c, is extending the role object, because we got a request from the computer security community that the single abuse contact might not be efficient enough to report abuse, because there are different forms of abuse. I mean, it could be related to copyright infringements, it could be spamming, hacking and I think for some people, it would be interesting to have a dedicated abuse contact that could be used in cases when you are dealing with copyright infringement or with hacking and one idea is to go along the way with the abuse-c and that would mean that we just extend the role object with something that -- I mean right now we use the abuse mailbox for abuse-c but it could also be something like copyright abuse mailbox so the people could provide this information to report copyright related abuse.
So, and the next part is handling more specifics and that is going to be done by Denis.
DENIS WALKER: The business analyst for the database team. The deployment of the abuse-c currently in progress for PI holders, we currently have 33% of the IPv4 and 44% of IPv6 PI objects covered by abuse-c. The deadline for doing this is end of September this year. After the deadline, the LIRs abuse contact will be added to any remaining PI assignments that don't have one. After the deadline we will start a clean-up. The old abuse mailbox was allowed in five different object types. The ones currently in the person, organisation, we can go ahead and remove them. In the role objects, if it's not referenced by abuse-c we will assume it's the old ones left lying around and we will clean those up.
More specifics: two issues were raised over the last few months or year, one is when the same organisation has different subnets with different abuse-c needs and other end user organisations handle their own abuse contacts.
For the subnets we don't see this being a very high number value. So we already have a construct with the MNT routes where you can provide a prefix after the maintainer name and the software already exists for parsing this and handling this construct. We were thinking we could do the same construction here in the organisational object if you have multiple subnets and you want different abuse handlers, you can add extra abuse-c contacts within your organisational objects and specify which prefix they will work with, as well as having the default, which covers everything.
For the end users, the requirement is to create an organisation object and create the role object and reference the abuse -- organisation object in the end user assignment.
If that is lot of trouble for you to set it up, we can provide you with wizards which will accept some basic information and create these objects for you. If they stop handling the abuse, the same wizard can remove these again when they are not referenced. This is the way it's being handled so we would like to help you to develop it.
Just one quick point about this. I know a lot of people are saying it's a lot of hassle to do this but what people are forgetting is this is actually the model of the database that was agreed ten years ago, it was 2004 we introduced the organisation object and the whole point of this organisation object was to define the who; we already had the what, we had resources defined in the database but who manages those resources and the reason for the organisation object was to define that very point. Where the management of the resource is split between multiple organisations the idea was to have multiple organisations and this just doesn't apply to abuse-c. If you put MNT into routes, how are people expected to contact the people who managing the routing if you are on MNT routes there. If there is no organisation object defining who these people are you have no way of contacting them, you have a routing issue. And the same goes for abuse-c. This was the way the database model was defined. So basically, if the model isn't working, then maybe we should change the model. If it's too much hassle to build the objects you need to work with this model, we can provide you with the tools. But I think one thing that we shouldn't do is work around the model and break the model just because it's too much trouble to actually do it. So, you know, if the model is wrong we fix it, but let's not break it. So that is basically -- questions.
BRIAN NISBET: So, just before we take questions, I am going to say that obviously we can't spend the next -- Ruediger is first -- the next hour-and-a-half talking about this but we can have absolutely some discussion now and discuss other things on the mailing list as well. I think it would be probably useful if this presentation, if you could send this to the mailing list or a link to it after the meeting.
RUEDIGER VOLK: Curmudgeon general for DT. And I can divide my half hour into a couple of segments. First segment addresses immediately Denis' last remarks. I am not aware of anything that explains clearly what you are assuming as, well, OK, how org objects should be used. Is that explained anywhere?
DENIS WALKER: This is one of the big problems we have with this database.
RUEDIGER VOLK: OK. If there is no documentation and explanation of a data model that you say we should be following.
DENIS WALKER: There were no business rules built into the software to actually enforce any of this. And there was no guidelines written down to explain to people how it should be used.
RUEDIGER VOLK: If you claim there is a data architecture that we should follow, it is not acceptable to us to follow something that is not written down and agreed upon.
DENIS WALKER: It probably only exists in the e?mail on the Working Groups from ten years ago.
RUEDIGER VOLK: It needs to be kind of an architectural document. We do not want to ask the 10,000 members that have now joined to go through all the archives, maybe if documentation can be produced by you by pulling out the short, relevant things that are conclusive description of the architecture, but, well OK, I am not quite sure whether you like to work.
DENIS WALKER: Do you want to us produce an architecture document?
RUEDIGER VOLK: If you want us to work with the database, following your idea of the architecture --
DENIS WALKER: Not my idea --
RUEDIGER VOLK: I would like to see the architecture explained. I am not willing to say, well, OK, I am following your advice, today you are pointing to me that, well, OK, your sophisticated extensions are well within the architecture; I don't know what the architecture is.
BRIAN NISBET: OK. I think -- and thank you. So, the question there is, he says looking at Nigel, is, is this part of the conversation that we should be throwing over the wall to database? We only interact briefly with the database here.
DENIS WALKER: Nigel, do you want to borrow the hood?
PETER KOCH: Peter Koch, DENIC. I represent the salvation army and a salon full of John Wayne types occasionally. First of all, I would like to say I appreciate that hard work that you guys have been putting into this following demands of the community, and the following is no criticism and nothing personal at all.
Second pre-remark: The, say, crazy policy development process that we have requires one to object early and object often, so be prepared for some repetition, and I apologise for that but that is how that crazy PDP is interpreted.
So to the points:
I think we are really at the risk of going completely overboard here in a variety of aspects. Validation, great idea, fun discussions in ICANN circles, and I would like to suggest that there be a stronger connect between those people who do the governance debates and follow the data protection discussions and so on, and those that try to enforce -- sorry, try to develop the tools that might be used to enforce data policy. I am violently opposed to kind of salami tactics here. And I, since the lines are growing there, I will come to my last point another aspect, which is along the lines of what Ruediger said: On the model, I think you got 180 degrees in the wrong direction, I am sorry, Denis. What I saw on this slide, we have an org object and hang off there the addresses, I cannot even find a document that describes it that way. I can't even imagine one. The database model that I know was built around the objects you asked for, and the information that was attached to these objects in other objects. The break in the model was to hang off the abuse-c mailbox again the wrong attribute actually, off a separate object which is the org object. So I think I agree with your recommendation or suggestion to reconsider the model, but I would like to see the -- maybe less sub-optimal additions or changes to the model reconsidered.
And to Brian's point of throwing this over the wall into the database group, I think that only partly helps; there needs to be more close. It doesn't help, really, to do this over there because there is ?? there ?? it's not closed but it's a core group, say, that has this model in mind and then there are additions or changes proposed from here and if they are not compatible in the long?term, we are screwed forever.
BRIAN NISBET: I absolutely agree there. What I meant with that was, if there are issues with the architecture and the business rules and the statement of how things should be done in the database, then this is not the working Working Group to interact with the NCC to get that documentation done and written. I am more than happy for the ?? I am more than happy, I can't speak for the Chairs of the database Working Group, for us to work together, but it's once that has been ?? if there is questions under that fundamental point then they need to be addressed first before we can proceed on the other points, is what I was ?? the fundamental point that I was going should be done over there, absolutely this Working Group needs to work more closely with the database Working Group on that.
PETER KOCH: One sentence going a step back. Looking at these proposals and looking at the weight that the topic of abuse and abuse contact is about to gather, I wonder whether it's time to reconsider or actually reconfirm in whatever direction the actual mission of the database. It should not become a compliance stick for LIRs or resource holders.
BRIAN NISBET: OK.
CHRISTIAN TEUSCHEL: Peter, just about the validation, what do you mean with the salami tactic? I don't know. It wasn't so clear to me.
PETER KOCH: You suggested that -- and we had this discussion before because we had this exact discussion, having a mailbox there doesn't mean mail is deliverable or mail is read and doesn't mean mail is replied to. So, the next slice of the salami is validate so that mail can be expected to be deliverable, and I would imagine three months after that we will see a proposal to say, well, maybe it shouldn't only be deliverable, there should be a reply in such time.
CHRISTIAN TEUSCHEL: Exactly. That is what we proposed for. It's improving the data quality, right -- otherwise you don't need e-mail address at all.
AUDIENCE SPEAKER: There is a.
PETER KOCH: There is a fine line to cross between the data quality and that is a topic for the admin-c and especially for the resource holder, between the data quality and the behaviour of the holders or anyone contracted to the holder of a resource, and that is what I meant with compliance stick here. There is no doubt from my perspective that the data should be correct because that is the core mission.
RUMY KANIS: Rumy Kanis from RIPE NCC. I have a question on Jabber here. Actually one question and two comments: Sorry. He did apologise for being lengthy. You mentioned collaboration with CSIRTs, however the existing are becoming more and more invisible which is a contradiction. If that trend continues would it be possible to reference an IRT from the abuse-c or at least add the useful IRT features like BGP keys to the abuse-c.
About extended attributes, I'd love to see relaxed constraints like copyright abuse mailbox, no, for signalling one should not expect an answer to that specific kind of messages.
And finally, please do not touch the IRT objects without discussing it in the Working Group. Volume which Working Group?
DENIS WALKER: We have been talking a lot with -- Wilfried has been with the CSIRTs and security people, we realise that the IRT object really isn't very popular, no one understands it, and we have been asked to put a proposal to the community people initially on how we could make the IRT more useful and then that will come back to the database and this Working Group for further review. So, yes we want to look at it again and see how we can make that easier to use.
AUDIENCE SPEAKER: Just two comments/questions. First of all, about this copyright abuse mailbox. I love this, especially when we have that report from the nice guy that does -- those guys taking care of the corporates doesn't care -- sorry, that is wrong direction. I have the same experience, they don't care about abuse mailbox, about the abuse-c. If we put another point of contact for them, they will -- they really don't care because they were told that those are the data, those are the e-mails they should maintain as we had. So, don't follow that path. Or at least that is my advice.
If you go to the CSIRT, I love the idea about national responsibility. Have you checked among the RIPE NCC service region that all member countries do have such a national responsibility. No. At least in Poland we do not have such. There is cert.peer, very good recognition among the certs throughout the world, and we have cert.gov which is responsible for governments and -- responsible for our NREN and so on and so on and so on. So, did you really consider that -- know such thing like national responsibility, and do you ask those guys if they will be happy with such amount of reports and with probably still limited resources, especially staff ones. And should she stop now or move to another question?
BRIAN NISBET: I am not quite sure how you manage both.
AUDIENCE SPEAKER: The presentation is four parts.
BRIAN NISBET: Please.
AUDIENCE SPEAKER: So the validation. I don't like that, sorry. There should be policing about that. As far as I understand, during the walk of the abuse contact task management force or before that was set up, there was three policies one about the abuse-c, the other about the validation, the third one was I think the about the sponsoring LIR, so right now, we have the sponsoring LIR being adopted, abuse-c is right now in the database. So guys, wait for the policy. Don't invent your own ideas in terms of validation or something like that. We have been discussing that a few years ago and I am pretty much sure that Tobias will pop up with that kind of idea. If the community will be happy about that, about that validation, I suppose described by Peter salami strategy, then we will ask you to follow that, and sorry, not the other way. I think that is all. Or at least I forgot the rest. Thank you.
CHRISTIAN TEUSCHEL: I mean basically, validation and extending the role object, I think that should go through the policy process. I think that's --
BRIAN NISBET: I think it must go through the policy process.
CHRISTIAN TEUSCHEL: Sorry, yes. I think that was right just now on presentation introduction to these ideas. The extending of the role object was a request from the community, so we can -- we can decide on that if we want to do it or not. That is totally fine.
The validation as well. Just about the national -- as far as I know, there could be -- I mean there are some countries with more than one national cert, that is true. But I think that sort of implementation details how we are going to do that, I mean I think we do do it like that if someone is requesting the abuse contact for specific resource and it happens that this country has more than one national cert, then we are going to provide the list of contact details for all of them. Again, we are trying to work together with them in case that the abuse-c fails and we are hoping that that is not the case in many times. Then, about the other question, if we talked about -- if we talked with the national CERTs about that, we did that, not with all yet, but with all the national certs we talked and had enact with these totally happy to receive these incident reports.
BRIAN NISBET: You had a request from the community? I have just -- I am surprised, I think this is the first, where did that request for the community come from. I am not looking for specks, I just you, was it on the mailing list or it was --
CHRISTIAN TEUSCHEL: It was not on the mailing list, no. I mean, we went to a meeting of the computer security community, national cert meeting and they were asking for a contact address that could be a bit more fine grained than just the abuse-c contact.
Kaveh: RIPE NCC. Mainly this thing came up first in the survey so actually providing more proper abuse contact was really high on the survey result that we did last year so that started the whole thing and we went to the security conferences.
BRIAN NISBET: Ruediger, the last point on this, I think.
RUEDIGER VOLK: One short hearing question, Christian, do you say the CSIRTs were happy about getting this or unhappy?
CHRISTIAN TEUSCHEL: Happy.
RUEDIGER VOLK: Happy to getting flooded by copyright abuse reports? And where are those going? Well OK, I am surprised. Well, I am not entirely surprised but I should be surprised, but well, OK, that kind of the first thing that should come to your mind as an answer to a question, how can we improve this? It seems not to be we should provide some guidelines to the people that we will point into at the mailbox what to expect. Maybe some guidelines on what is expected of them as a reaction, that is not there, and actually the RIPE NCC's tools coercing people to put some specific, at least some syntactically correct e-mail address into certain places with no document and guidelines, what this means, I think should be expected to create a situation where, once in a while, the expectations of people sending something to those mailboxes, and what comes out as a response, do not really match. For the ongoing, for the ongoing population of a database and potential automatic creation of attribute fields, actually, my comment is you are doing over all a disservice by coercing something to be put there without guidelines. When the issue of what should be there for any organisation comes up first, that is the point where you really should provide the information. If you get back to them, half a year later or three years later, and tell them, no -- now, we have guidelines, maybe, actually, we have enforced -- we actually intend to put their enforceable policy. Those people, well, OK, in some cases will be confused and, well, OK, at least this is not a correct way to work in a community, and certainly it is not an efficient way of getting of the right contacts and the right forwarding paths established in organisations early on and overall.
DENIS WALKER: If I can make a comment about these guidelines if you want the RIPE NCC to provide guidelines to people as to what kind of reports to send to abuse contact and how people should respond to those reports and then I think the community should provide the text of those guidelines.
RUEDIGER VOLK: Denis, I am completely with you. When you are investigating the question and working on the question what can be done to -- as an improvement, I think, for everybody, my hint should come up pretty early. I completely agree with you the task for developing and setting those guidelines is rather with the Working Group than with the NCC.
BRIAN NISBET: OK. So, a whole bunch of stuff there. And he says, glibly. I think that it's right to say that the, some of the steps there are not massively welcomed by the room but I think the discussion should be taken to the mailing list for that. It's interesting to see that the CSIRTs said they were happy to do that. It's surprising, I will be very honest with you, but it's -- it's potentially useful but as I said, there is an awful lot of countries that don't have a cert or it wouldn't be possible to do that in.
I think that certainly you are right, if -- to issue those guidelines and we should have those guidelines and it's up to the Working Group to write those. It's possible we can steal some information from some of those lovely MAAWG folk or -- and/or, what I will do is I will put out a call for some volunteers unless some people want to stand up right now, to potentially work on some guidelines for that and see how that goes. Ruediger, we don't have any more time. I am sorry. Unless you are about to volunteer.
RUEDIGER VOLK: I just ask someone who might have had guidelines.
BRIAN NISBET: So those guidelines -- it's out there. So, you know, we will look and try and work on that for you, but as I said, if we can do this discussion on the mailing list, I think that will be very useful. It's --
RUEDIGER VOLK: Half a sentence. Without guidelines doing validation beyond just mechanics is meaningless.
BRIAN NISBET: That is full sentence but OK. Point taken, absolutely. So, as I said, I will send that mail and see if we can get some volunteers to work on that and we will work with you on that and see what we can find. So, thank you very much.
(Applause)
Right. The last piece is going to be very short, because it's one page I have been told, so just if you bring that up.
AARON KAPLAN: I work at cert.at which is national cert, as Christian explained before and we are part of nic.at, .at registry. So basically I was asked by Christian, who attended one of our cert meetings to explain a little bit how we do contact look-ups and you can see there are a couple of databases here involved, basically read it from top to bottom, and yes, to answer to Ruediger explicitly, I would be happy to get more reports because -- you don't have to jump up now -- because actually, we get probably a handful of reports of copyright infringements and basically, those got delivered to the network owners and that is and they can decide what to do with it. A national cert is usually just a router for abuse contact information and such as a router for that we developed different approaches in different countries, different approaches on how to deliver these abuse reports to the correct person. And very often you will find that this correct person is somebody, especially in smaller countries, whom we know personally, who has a track record of actually being the right person for that specific incident case, for example, there is a route hijacking somewhere. We will know whom to contact, and this person won't be and his private phone number won't be in the RIPE database because he wouldn't want to get contacted for trivial things like copyright infringements. That is what the national CERT is good at. Depending on the case, if you go to the top right thing, we have a name based resource, a domain lookup, for example, there the -- a URL is there and the website got defaced and hacked and it's spreading malware and so on so we got a report like that.
So basically we have a choice, we could either go and look up maybe there is a TI database, FIRST.org or CERT.org, a national CERT database, that is in the middle or we could go further and get gethostbyname lookup and go to the IP address because we see that is just one of many, many defaced websites, and we see many of these defaced websites are on the same IP address, so it would make sense to actually, do the gethostbyname call and go to the number based lookup and to the ASN and inform the network owner, let's say it's a hoster and a hoster on a set of IP addresses has 500 defaced websites. So that would be one path. It needs some intelligence and some scripts who check things. And that is what we are good at, we do -- when there are a couple of reports which exceed our threshold of being acceptable to handle them manually, we script them away. And we follow sort of this lookup, contact lookup data flow as described here.
Other cases would be, for example, we want to extract the ccTLD if it's a ccTLD domain lookup and when we could again go to the country code and look up the national CERT if it's not us, if it's not our country, look up the national CERT in the CERT.org national CERT database and send them in bulk to there because they know more specifically whom to contact.
And basically, the flow here ends up with some e-mail address. Sometimes also phone number. And if it's really important, it will be a phone call. Maybe even at, I don't know, 10:00 in the evening, because it's important right now. So there is some -- my point is, there is some -- quite a lot of intelligence on how to do that properly at the national CERTs. And I think it's actually a good thing that they know, usually in smaller countries, they know very specifically whom to contact and they have their own databases in addition which they usually basically that is just -- just a database, a text file, could be a text file like ASN e-mail address, phone number, something like that, very simple but it works and this is maintained on a regular basis by meeting the network operators, by meeting the security guys at the network operators, having common trainings, exchanging cards, exchanging private phone numbers, and no this data won't be probably in the RIPE database but it's important to know if you want to, depending on the case, send something to a national CERT, usually at least for most countries in Europe which have a national CERT it will end up at very specific person at a network operator and I think that is a good thing. Me personally, now, just to give you feedback to the RIPE database people, I would like to have, you know, IRT objects, abuse-c, whatever is there, as specific and updated as possible because it will help me but I will just take it as another input in this complex lookup set-up and it might that be just, you know, if it's not in my country, I will just send it to the national CERT because they have their own lookup process.
That is basically my input for this community here and I think, really, if you want to know more about that and you want to include stuff from the national CERTS, I think Christian and Mirjam made a great step to go there to these meetings and just get the input and I think it's just more complex than just having any set of attributes in the RIPE database, those will help and I really support them and it gives people a choice, but it really also depends on the case. That is my whole point. OK. Thanks.
BRIAN NISBET: Thank you. One remark that was made, just this page or whatever, where this comes from?
AARON KAPLAN: That is a document on GitHub.
BRIAN NISBET: Would it be possible for you to e-mail the list with the URL for that?
AARON KAPLAN: That is part of a document that Christian and Mirjam and Wilfried started. The first step was to document how we do that and just maybe as an input for the community here and it's also connected to a GitHub project called GitHub.com/CERT tools and that is contact cache/contact database for national CERTS so that they can build on that process.
BRIAN NISBET: OK. And perhaps at a future RIPE meeting we could have a longer conversation about this. That would be appreciated.
AARON KAPLAN: I don't care if we get copyrights, we are just a router and will pass them through, it ends up with network owners and their policies, if they care about copyright infringement or not, that is not us to judge. But we can optimise that routing process actually.
BRIAN NISBET: Thank you very much. So, the very exciting last slide. This one. I doubt it, but is there any other business? In which case I will take this opportunity -- Rumy, do you want to say what you want to say?
AUDIENCE SPEAKER: No.
MARCO HOGEWONING: Sorry, you might have already that announcement, I want to point out we have a few students here on a fellowship and those students are presenting at RACI BoF which I think starts about 40 seconds downstairs in the main room. When that is ended, I found a note that -- to point you to the dinner tonight if you are attending the dinner, please take your tickets. You can either walk there, it's about 12 minutes' walk, buses will leave this hotel between seven and quarter past seven that will take you to the venue and return buses will be provided after 10:30.
BRIAN NISBET: Cool. And -- and my always reminder about agenda items for RIPE 69 in London. So please think about those and we will try and have a slightly shorter Working Group session that time but it's not bad now and again and there was so much to discuss, thank you for your time, to the scribes and stenographers and everybody else and to the speakers and to all the discussion and we will see you in London. Thank you very much.
(Applause)