These are unedited transcripts and may contain errors.
Notice: Use of undefined constant steno - assumed 'steno' in /var/www/html/ripe-60/steno-transcripts.php on line 24
The anti?abuse Working Group commenced at 4pm, on the 6th of May, 2010, as follows:
BRIAN NISBET: Good afternoon, ladies and gentlemen. And welcome to the Anti?Abuse Working Group session for RIPE 60. Briefly for those who haven't joined us before, my name is Brian Nisbet and along with Richard Cox we are co?chairs of the Working Group. We have a fair bit of stuff to get through this afternoon, so we will try and do so and not delay you overly from your dinner this evening, those of you who are going to the RIPE dinner and that will be a truly terrible thing. So, the NCC staff have selected a describe as Fergal is missing in action somewhere. We will try not say anything too important. And we have someone monitoring the Jabber channel for those of you attending remotely. If you are saying something at the microphone, please do state your name and your affiliation so that those who are attending remotely can hear who you are because while my ears are very good they could be thousands of kilometres away. So, approving the minutes from RIPE 59, these were circulated ?? I shall give you a moment ?? we shall mock him later. Right, so minutes from RIPE 59, which were circulated some time ago. And there were no, possibly there was one minor correction but certainly there have been more no objection toss any corrected minutes so unless there are any comments now, we will consider them approve and entered into the official record. Nice and simple. And the agenda, there was some changes and some expansions to the agenda that we made this afternoon, no substantive changes, just changes in order and things, there have been a couple of items of AOB which we are aware of but there hasn't been anything else so unless anyone any things they want to mention or bring up or otherwise we shall consider that a suitable agenda to go forward on. So, we shall start then with Richard giving an a ?? an update on, giving abuse ?? no, the wrong thing ?? here is Fergal. Everyone say hello. Giving an update on current abuse trends and kind of some recent technical changes and things that have ilk.
Richard Cox: Right. Good afternoon, everybody. I am the other co?chair and I have a sort of Chinese wall between my roles as co?chair and my roles in the community which are with the Spamhaus project and also because that the action plan. I am going to be fairly brief in this part of my presentation, because we got a lot of the agenda and because I am coming back later with a couple of points under any other business where I want to look for the community's reaction to certain ideas we might want to go forward with.
Now, what is been going on? Well one of the things that is becoming increasingly clear over the last few months is the need to separate in people's minds cybercrime from abuse. They are both within the scope of this meeting, and Working Group. But they are different. And need to handle them differently. The trouble is they overlap which makes it difficult for everybody. So I mention that to start with because you will see that the parts of the problem as they are today do split out into the separate camps quite significantly. Let's start with abuse, spam primarily, obviously. We are seeing a fairly major problem caused by a small number of US based organisations, one of which seems to be quite extensively active in Europe and that brings it of course immediately under our area. Their role is to run what is called snow show spam, I don't know how familiar you are all are with the concept, but putting it simply, having a computer server that can send mail restating its IP address through anything up to typically a /20 or /19, which has been allocated and routed to a single computer or possibly two or three computers, are changing its hello based on the IP its on but no reverse DNS at least that is pervasive to allow you to spot the block of IPs and being probably abusive. This is causing a big problem because, so far, it's managed to get around just about every detecter out there. It doesn't trip the C BL or XBL or anything like that because there is no trojan an involved and what is interesting is where they started getting an IP block from an ISP and using that and when they get kicked off and move somewhere else, they realise it's part of the job so what they now do is have several blocks from several ISPs, terminate them on a server and that ?? what that server did you see simply tunnel the connectivity back to home base which is never visible and very difficult to get that shut down. Most of it is with a couple of fairly butt he will proof ISPs anyway.
So that is snow shoe and we are all seeing it and yes we have a new defector for it at Spamhaus and I am sure they will find a way around it fairly soon. It's an ongoing war and we all need your support in that.
Cybercrime side, it's becoming more important, because spam may be a dam nuisance and use of bandwidth, if somebody can empty your bank account that is going to do you more harm, in fact quite a lot of harm. The state?of?the?art at the moment involves primarily domain abuse, registering domains in the house, used basis of fake credit cards, that is credit cards that don't belong to the person using them. Usually they will belong to somebody whose name and address are used on the Whois so it all looks absolutely cosure, the e?mail address doesn't, but that is not easy to predict or specify, until ?? we will never get to a stage where you have got to meet a certain target to register a domain, the registrars will never impose that, so we are going to constantly see bogus and fraudulent payment systems used to register domains in their thousands and they will transmit mall wear transmission through those domains. Malware transmission is you receive a socially engineered email, that persuades you to go to a site and is not in any filter list because it hasn't been used until perhaps 12 hours previously, so you go to the list because you panic that something is wrong, that is usually the vector they use ?? when you go to that site, it downloads a trojan onto your machine, because you have clicked on something you have just authorised. That is bad, for starters. Your machine is now owned.
Next up in the process, however, is worse; they put a key logger on your machine, they log every key stroke and that means when you go to a financial site to make a transaction, it will log your password, it will log where you have been. OK, what happens next? Perhaps an hour or so later your computer is still on but you are not at it. They will, through this trojan, connect to the same financial website that you went to using the same password that you used and transfer some money to their account via a third party money mule. So the bank, whatever, can't identify this as a fraudulent transaction. It's a money mule, they never heard of them before. It's your IP, it's the IP address that transactions normally come from and it's your password. It's pretty sickening what can be done and the trouble is it's only recently becoming visible and governments generally are failing to collate data on this so we can't identify the harm. , you know, we can't go to the government and say what are you doing about X because they will say we don't know anything about X, what statistics have you got? Only police forces can amass these and if they are told not to, there are no statistics. In England, one of the problems we have got, is that the police have been told specifically not to deal with this type of crime but to refer it to the banks. Great, we really got a long way with that. The fox and hen house comes to mind. That is very simplified summary of where we are at at the moment. There are obviously worries about the deployment of IPv6 and traceability. That is something that is going to affect us as well as address and database Working Groups, probably hasn't got to the level of awareness to raise it yet but it's coming and ARIN and policy making body is well aware of this problem and is doing something about it so perhaps we may need to fairly soon. One other thing we are seeing in the UK, this is UK specific, there have been a number of take?overs of large organisations, you know, customer bases being sold from one company to another, and the new company, and there is one specific company in mind, has no intention of providing any precautions or filtering. Well, it makes me think that the best common practice that RIPE has may need review to ensure that this sort of thing is taken care of. I can't remember when we last edited it, Brian, it doesn't take into account any of the latest exploits. A very summary and thank you for your time.
(Applause)
BRIAN NISBET: I have a very light laptop instead. So, thank you for that, Richard. Unless there is any specific questions, if anyone has any specific questions now they wish to ask on any of that. No, we shall move on to the recent discussion I am being very lazy in not climbing up in the podium, it's not that big a room but there is a couple of things which have been raised recently on the list which we were asked to discuss at the meeting or which should be discussed at the meeting. And so we are bringing them up now. The first piece is a mail which was, well, a very long thread which started in early April, which was a mail sent by Frank Gadagast, about implementation of abuse monitor system. The short version of this for those of you who don't follow the mailing list and really, why don't you, is a system whereby one would be able to mail an e?mail addressed based on IP, an abusive IP, presumably, which would then be passed on through a clearing?house to the relevant LIR or PI space holder. So, if one dot one dot one dot was abusing your servers or network, you would e?mail one dot one dot one dot at blah and this would then go on to the suitable person. There has been extensive discussion on the list and there was no formal policy actually proposed, there was a pseudopolicy and Frank did promise a second draft, but no second draft has yet been forthcoming. I think it would be fair of me to say that the list was, in general, not in favour of the proposal. I think there were one or two comments in favour and many, many comments against. And this was before looking into the actual requirements that this would involve, especially as the implication was that any such system would be, the NCC would be asked to implement it, but there as yet has been no policy and no further commentary. So, I am leaving it open now for, if anyone has any comments based on this or comments they didn't make in the mailing list or anything they thought of since they came to the meeting about this policy, but unless there are any comments here, my consideration on this is that the list didn't think it was a wonderful idea and we will await any further proposals which are made on that basis.
The second piece which the ?? to discuss is from to be ice I can't, from abuse IX on abuse contact information policy proposal. This is a proposal which Tobias was going to leave until later in the year, but he said on list again that he had been asked to ?? he asked us to discuss this at the meeting. The proposal is a copy of proposals that he has already submitted to AfriNIC and APNIC and he has plans to submit similar proposals to the other RIRs. Again this has been posted to the list and the bones of his proposal were put out. There hasn't been a huge amount of discussion on that so far, but our plan is to discuss this with Dobias, the mail was sent on Monday when we had already got to the meeting and of course were working very hard. So our plan is to discuss this with Dobias and work with him to put together a formal RIPE proposal, to put it through the policy development process. There is some history on what he is talking about and this kind of thing has been floated in the database Working Group and in the Anti?Abuse Working Group previously, and no consensus has been reached on those proposals, but it's perhaps time to look at it again and certainly that is the plan. The very brief kind of header of the proposal is that "this is a proposal to introduce a mandatory reference to irrelevant objects in the INET numb 6 and ought numb objects, in the RIPE WhoIs database. It provides more accurate and efficient way, for abuse reports to reach the correct network contact and helps reporting institutions to find the correct abuse contact information more easily."
Now, the main body of discussion on this will take place ?? that is not supposed to happen ?? will take place on the mailing list, but what I'd said to Dobias myself was we would gather any responses from the room from those who wished to say if here and pass that back to himself and also use that in the formulation of the policy, the formal policy document. So I am wondering if anyone here has anything they'd like to say on that at the moment? There is a procedural question over exactly who ?? which ?? which Working Group this will eventually end up with, but the decision that has been made between the chairs of the Anti?Abuse Working Group and database is that we will start here and see where we go and if there is a decision it needs to move somewhere else, we will do that and if not we will continue to do it this way. Niall.
Niall: I am not suggesting that this question doesn't need to be opened, it may do, may not. I have nothing to say about that but some of the discussion about the irrelevant references in such objects and the abuse contact objects took place many years ago and I think it would be good to have a look in the mail archives and see what was said at the time and what was intended for how those attributes would be used and not go reinventing the wheel, unless it's necessary.
BRIAN NISBET: Well certainly what I can undertake to do, and I think this might be the best way of doing it, I will attempt to compile a best of, of the irrelevant discussion, either some links to it the archives or otherwise, and post them to the list for further reading.
Peter Koch: What he said, speaker is pointing at Niall O'Reilly. If I remember correctly, but I might cleatly be wrong so please correct me, there was some restrictions on getting an irrelevant in the database in the fares place, wasn't there vetting involved?
BRIAN NISBET: I suspect Wilifred. Wilifred said yes, there were restrictions but they are gone long aago. Are there any other comments. As Niall pointed out we did discuss this previously but I think our consensus as chairs it was long enough ago to look at this again and the situation indeed as Richard has pointed out, has changed and the result may or may not be the same but we shall see, and we shall investigate and also the remit of this Working Group has changed since that was first put forward.
So, the there was also some discussion on the mailing list about sanctions, things what could be done to people who abused networks. This, I am mentioning here, but there is a presentation from Jack deRudd and other other conversations which will take place later in the Working Group session which will address some of the area around this. One of the points which was repeatedly brought up is that there is no big red button which anyone can press, certainly legally, which can remove anyone from the Internet and this point had to be very clearly made as there is still occasionally a supposition that someone, somewhere, can log into a system and just, you know, you no you may no longer route. It is worth reiterating this does not exist. And finally, the one other point I wish to make because it's something which I think is worth making every now and again, we are no longer the anti?spam Working Group; if you came here looking for that, sorry, it's gone away. The ?? a number of the mails to the list ?? it's gone away ?? we put it in a box somewhere ?? no, we changed ?? we widened the foe cuffs the anti?spam Working Group to become the Anti?Abuse Working Group and we went through this over the course of a RIPE of RIPE meetings and many e?mails so I am not going to rehash it all but I just wanted to restate that the charter is now much wider than just spam and this is ?? and I think everyone was hopefully very happy with that. And it's ?? because a number of the mails that were being sent to the list were still very much focused on spam and I think it's something that is worth mentioning now and again.
So, that is all of that. So, we are going to move on to someone who isn't me or Richard speaking and Paul, if you want to so, we have a talk now from, again with my mispronounceiation, Paul Palse, from the RIPE NCC, to discuss in slightly more depth abuse finder tool which was mentioned earlier in the week and is part of the wonderful and growing number of tools that the NCC are putting together via RIPE Labs to hopefully make everyone's lives easier and better.
PAUL PALSE: I am the database group manager. So, at the database Working Group session this morning, I quickly explained one of the things we published to the RIPE Labs site was query API in the form of restful web services and while building this tool, we found that this tool needed to do some background logic like, for instance, filtering out duplicate objects, etc., etc.. and when we were thinking about the process that we had to go through, we thought we could actually do some additional queries in the background and actually construct an answer that would be more specific than just returning a long list of objects for any search. This is the slide about why we chose restful web services I won't really go into that unless you are very interested. So we came up with the concept of use case searches. So that gives a very precise answer to a specific question, and one of the better examples that we could come up with is the question: Who is ?? or what kind of data does the RIPE database hold for abuse handlers, for a specific AS or prefix. And instead of just returning a long set of objects and, as a result, having to do a lot of inspection, we will actually do that for you in the background and one additional benefit of this is that because the results that we returned don't contain any personal data, you wouldn't actually get blocked if you had a lot of queries, which normally our accounting system in the background doesn't allow to do unlimited queries for this data.
So, this is roughly how the tool works. You give it a prefix and it starts doing several queries, it drills down into a rather big set of results, and after, having constructed that set of results, it actually looks at things like the abuse mailbox, IRT object and also on a set of key words in remarks because we found that a lot of abuse handler details are stored in remarks within objects. And we will just return that particular data only.
So let me just show you how that works. So, and we have published this already so if you go to RIPE Labs, labs dot ripe.net, you will find a reference to this tool and many other fun projects, but, so this is the abuse finder tool. So actually it's very simple, search box looks like Google, so I will the tool to find me, and this of course is the danger of a live demo, is that it won't work. Well, actually it does. So, what we actually see here, basically it's a web service, so it's an API, you can develop scripts against it. This is actually a client using NAT API, and this parses out some H T mail. You find abuse mailbox reference and on top of that there is ?? below that there is some references to objects that actually hold free text, referring to abuse contact details. So if I would click on one of these links, you will see XML because at the end it's a web service, we can look at the remark lines and we can see that the ?? one of the key words we are looking for is "spam" and it's there and this way you could actually find or try to contact these people.
So, basically, because we do proxying the same actually should work for the APNIC and AfriNIC Whois as well. I can quickly show you the XML in the background. If you use this client you can exactly see from the original query what the statement was to get these results and you can just reconstruct those, basically.
So, today, or yesterday, we wrote a quick and dirty script that actually ran through approximately 14,000 prefixes and did some analysis on those, just to find out what is roughly the coverage of these kind of abuse details and we found that about 50% of all the allocations do not have any kind of abuse contact information in there, so basically, what we would like to you do is use this tool and give us some feedback and one hint is we actually combined the use of split files that you can download from the RIPE FTP side with this abuse finder tool, some scripting and you can do some cool stuff there. That is it. Questions?
BRIAN NISBET: Are there any questions for Paul? OK, I have a question for Paul. That is accessible via RIPE Labs?
PAUL PALSE: Yes it's a prototype but it should just perform fine.
BRIAN NISBET: Sorry, just what is the actual URL, I would like to have it just recorded I think.
PAUL PALSE: It's lab dot DB dot ripe.net and /portal, that gets you to all our prototype services that we have and it has a link under there that points to this service and we also are working on some API documentation to include this service but it's relatively straightforward, it just takes one primary key and then returns results on XML ??
BRIAN NISBET: The database group are lovely lovely people who will be more than happy to help you with any queries. There is only the one microphone in the room.
AUDIENCE SPEAKER: I just wanted to give you another URL, it might be easier to remember, labs dot ripe.net and you click on tools on the top, you see all these that Paul has developed and some other cool tools as well.
BRIAN NISBET: And especially the resource explainer is in there as well which I will keep on going on about to this Working Group as it is wonderful in all its ways.
PAUL PALSE: It's lucky I didn't go into sales.
Richard Cox: First of all, as I said in London, thank you. The question I have got to ask is, a bit like the one I asked this morning in database: What is the question that the user is trying to get the answer to? Now you have produced something which, if you like, goes and looks for theoretical teen a theoretical question, fine. Good starting point. What we need to work out what an investigator is actually trying to find and can we tune the system so he gets there quickly. I have got ideas but I don't claim for one minute to be the only person who has; I think that there needs to be an opportunity to interact with you to see how these ideas can be developed, what is achievable and hopefully give you an opportunity to produce a fully tuned product and which, if you are proxying for example, APNIC, we might follow and we might get a universal system where we actually get the answers. I mean, the question I would be looking at a system like this, OK I have identified this string, whatever it is, let's say Emule RIPE, I know it's the last possible type of situation where it will be needed, what other resources would give me that value in that location? If I have a problem with a resource, the first thing I want to know is what other resources might be subject to the same problem? I don't know how easy this is to do, but is it something you could look at, for example?
PAUL PALSE: Well, definitely, I mean that is the aim of this prototype and RIPE Labs in general is to get this kind of feedback, you know we try out something, something that we thought is is a first initial splendid idea and then we need to further develop this and again, I mean, this is the first iteration of it and with any feedback we will try and improve on it.
Richard Cox: If I want to know, for example, all the IPs assigned to 123383, and by the way, I do, I could go to University of argon and look it up to see what has been announced but that doesn't tell me what has been assigned. There may be stuff in the database that isn't being routed at this time. Or if I see a problem with that, and I do, then I might want to know what that maintainer is also maintaining, because in many cases the maintainer is the cause of the problem. So this is the sort of thing that would be, if I may say so, tremendously helpful to work towards.
Wilifred: First of all, I think the discussion would really be useful to have it on the labs. I think this tool is probably something we should try to use for actually collecting these ideas and collecting feedback and providing the RIPE NCC with suggestions like it would be much more useful if it would do A or B on top what have we have, so I have hope we can at least try to use the labs, and I'd suggest that even if we find out that the labs is not the best way of doing it, we might even come back with feedback about the facilities and the services which are available in the labs and in this context maybe even give you a little bit of ideas what the lab site could give us.
The second aspect here is that when I hear what you would like to do, I think there is two answers and one of those answers is that part of it sounds like a free text search service across all the data which is in the database one way or another. I am not really convinced this is a good idea to offer something like that in the street, but I may be wrong. The other aspect to that is that the ?? I guess about 80 or 90 percent of what you actually want to do is already possible right now with the regular machinery, sort of there is these things like inverse searches, like organisational objects, there is this thing like maintainers where you can ask the question, if I have got the maintainer identified, give me all the objects which are maintained by that particular maintainer, so I think most of those mechanisms are there and I guess it's mostly an issue of just finding out how to use them or how to combine them or maybe, and that might actually be something for the labs idea, maybe finding out ways to, what is the proper English term? ?? to merge or to correlate the results from query X with the results from query X plus 1. I could imagine that sometimes you sort of would get the idea, OK, let me query according to a particular criterion and with the stuff that came out of that rough sort, please do another search. I don't know whether this would be something like what do ?? palms
PAUL PALSE: Basically what this search does is drills down into a hierarchy of objects and tries to.
Denis Walker, RIPE NCC database department: Just to answer Richard's specific question, those two examples you gave can be done now with very simple queries. If you want to find all the IP addresses that routed by ?? inverse query of the origin of the route objects which gives you that. Also inverse queries on maintained by, you can find all maintained by a certain maintainer. One extra feature that we could do now, we can build wrappers around these simple queries so rather than say you must do Whois minus I origin AS number and get back a lot of information, we can provide you with a tool which says, give me the IP addresses that are routed by this AS, so we can make it in much more plain English and we understand the queries underneath which a lot of users may not understand, and also the point Wilifred made about complex; we can design any complex query you can imagine and put a little script behind it which will do all of these queries for you to all the correlations and cross?references and return with you a set of results that you are interested in. So that is when he we said in the database Working Group meeting this morning we are looking to you to give us cases for what it is you want to find from the RIPE database you tell us where you want to fine, we will write a little script for you that does it.
BRIAN NISBET: Sorry, I think certainly, and thank you very much, and I think certainly from my point of view, and I think from the ?? this, the constituency of this Working Group, so to speak, tends to be of a on average less than technical nature than the constitute enreceive the database group, I think that is a fair comment to make and one of the things I think that I would love to see is what you have just said there Denis and the tools and the queries we are looking at here is to make life easier for people who know what kind of information they want to get but have no idea what database flags or inverse queries or otherwise they need to put on to a query to get out, so hopefully we will be able to work with those elements of the community and, indeed, and almost work as a translator, OK you want to find that information and we can tell the database people, right, this is the kind of query we are trying to simulate here or rather we are trying to make easier, we are trying to make a click a button here and run this script, almost. So I think that kind of work and hopefully we can push that and members of the community will indeed feedback to you guys in database to help that.
Niall: I hope I am not not saying something everybody has understood already, I would like to emphasise for anybody who did miss the point, the whole point of a restful wrapper around the queries is you can make almost anything into a very natural shrink?wrapped query of whatever complexity and expose it to whoever wants it, whoever needs it in a very concise way and it makes it very powerful.
PAUL PALSE: Yes but this has a little bit of additional logic behind it, it's not just a client on top of this service, we know where to find the information and present it just as concise answer, resize answer, sorry.
BRIAN NISBET: Thank you very much, Paul.
(Applause)
So I have under kind of moving on, I have a note by says Working Group interaction, which is kind of there as, it's a place holder, almost, for things that crop up near to the meeting during the week, etc., etc.. I think all of the other Working Group interaction that we have, has either been covered or will be covered by other talks, certainly that with the database and possible with NCC services or otherwise has been touched on or will be so unless there is any other Working Group chairs in the room who have a thing they expect anti?abuse to talk about that I have forgotten, we shall move on.
Grand. So, the other interactions that the Anti?Abuse Working Group are involved in well, obviously still inside what we consider to be the RIPE community, certainly far, far away from Working Groups, and the largest one of late and it was mentioned in Lisbon, is interaction with law enforcement agencies. We have been doing, led by and kind of we have been almost tacking along but led by the NCC there has been an increasing amount of interaction with the law enforcement agencies and myself and Richard have represented the community in particularly our meetings in ways with these interactions to try and foster a greater understand and mutual respect to move along and to improve what we can do for the law enforcement agencies, they can do for us, and also, to attempt, as much as possible, to remove any sort of them and us sort of thinking, because there is, as has been shown, a large amount of lack of knowledge of what people want and what people can do, and I refer to comments about big red buttons what can I put people off. We have a couple of presentations now which I think are extremely important and well worth listening to and important to the entire community. So first up we have ?? give a lot more detail on that, just to clarify previously, there is obviously the Cooperation Working Group in the RIPE community and when the law enforcement interactions started, there was a lot of it started in the Cooperation Working Group but we have now kind of come to the arrangement that the Cooperation Working Group will deal with the governmental side of things, the IGF, all of that, all of that aspect and that the law enforcement interaction and cooperation will reside with anti?abuse, so that is why this is happening here now rather than cooperation.
JOCHEM DE RUIG: Thank you, Brian. Good afternoon, I am from the RIPE NCC. I normally present financial figures so if you see a figure popping up it may be just my deformation. I am standing here a bit because also I am responsible for legal within the RIPE NCC. And I am going to tell a bit about our cooperation with the law enforcement and to start off, I want to give a bit of framework, why are we doing this and it came about I think about four years ago when one of the law enforcement agencies approached us and said we have a problem with one of your registries. So we had quite some exchanges, meetings, etc., and it came actually to the crunch that they asked us to close down this registry. Well, by then, they also hadn't paid many bills so it was quite easy to say we close you down, I am quity happy to do that as financial manager, but all and all that kick?started sort of a thing and made us realise we don't really know what the needs, wants,, are from law enforcement, they clearly have a larger interest in us so we start engage more and several meetings here and there to also explain our position, where we are and what they want.
So why are we engaining? Well our public responsibility, it clearly fits within the coordination role, so we can talk to law enforcement and bring it back to the community and members. We want to gather support for the RIR system and self regulation system. I think so far, what I have noticed is most people are very positive about it, they think it functions very well, they are happy to participate and I think it shows that even some law enforcement are here today. And of course, we will take up the ?? or we will continue to have as a responsibility to represent the members and to feedback to the community only within our mandate.
Some MITs and misconceptions, what we ran to also from our side but one thing I really get highly annoyed about but every meeting I have to start, I don't do any names, I don't know anything about it and a lot of people, you do those domain names. No, I don't, and I don't know anything about it. So ?? we have to do some PR because they don't know how the Internet number resource world works, etc., so everyone knows domain names, oh every IP lawyer in the world knows how domain names work but they don't know a lot about our world.
Well, another mitt Brian mentioned it that red button in Axel's office and he pulse it off every now and then, but it's really not that well possible, of course we do close down members every now and again because of non?payment and it's a long process to talk to them and why why didn't you pay the bill, what has happened to you, sometimes they went bankrupt and we try to get these back to the RIPE NCC pool. Another one, and this was more from our side, we always were a bit under the impression, these people don't know anything. Well, I can tell you a lot of them are technically very skilled and also from the questions we get, we really notice the crowds are a lot more skilled than they used to be.
So, what are their main interests? Well, I have grouped them a bit and I think the main interest are quality of our data and especially the public data, the key thing that is mentioned, keep that database alive, up?to?date, alive, realtime, everything. So some details there. The due diligence, we perform on the members when they become a member and, etc., what we are doing there can we do a bit more, how does it work, etc.. the correct registration and to improve the quality of the data in the database. Are there measures we can take to improve that, and I think actually what Paul just showed, maybe there is also tools we can actually, the database that is available make it more accessible and easier accessible. The other big thing is of course when they have seen someone as clearly criminal, having ?? doing criminal activities, can they close down a registry or revoke their IP block? Well, it depends a bit on what level it is but we also have seen people who just become a member and the complete organisation are criminals. And the last item I want to mention is also we have seen there is quite some interest in analysing the criminal IPs. So what have they been doing, what kind of traffic have they generated, how does it work, who are they peering with, etc.. so we have achieved some things and I think the first two things are quite ?? yes, self?explanatory, thank you, Paul ?? I think doing this, we more and more got to know more people in law enforcement and with industry partners and we have actually been able to bring these people together, we had a very successful meeting recently in March with the other RIRs and there you see really that creates a very good atmosphere and people can exchange information, we can feed them everything we are doing, where we are, etc..
Also, I think one of the big achievements is we understand a lot better where we stand. We have been able to explain our position that there is no big red buttons, etc., but also they have explained their situation, and made us realise, OK, yes, what can we do and maybe there is things we can do within our mandate and within our structures.
And another thing is what we have been working quite hard on to improve the processes. More and more we get information requests from LEAs all over the world. I have to say majority comes out of one country, though, but I won't mention the name, but we always take that on, try to contact them, explain the situation, what we can do, what we can't do, public information, we always can give, non?public information, they need a Dutch court order, which then sort of stops the process quite a bit. But that is just how it is.
And the last thing I think that something we have start to acknowledge more and more, but actually we trying really to explain and aspire the public policy makers like the European Commission, people like that, what we are doing, that self regulatory policy making is working and that they can be involved, if they have issues they can bring it forward. So, long list of what we have been doing over the past years. Well, a lot of different things. I won't go into detail it, I just want to show you there has been quite some activity and I want to focus a bit on the second from the bottom, the RIRs law enforcement meeting in London. We had about 80 people in the room for the different countries law enforcement. Most RIRs were represented, it was a very good opportunity to exchange information, very successful and I think we will continue doing that because it's very good to be able to exchange information and to show us ?? to show law enforcement what we are working on and what we are doing. So what do we see as the way forward? We want to continue working together and to talk to policy makers, we want to continue to understand the law enforcement environment. Also now with this new tool a lot of times we don't really know what you are looking for or how you do your investigations, you don't have to share that with us but you can tell us what problems you run into and of course, we sort of ?? the linking pin between law enforcement and community and being able to bring issues back and forwards. And I think one big item on our agenda which has been something we really want to iron out is to improve the internal closure procedure, what do we do exactly and what is the timing and what do we do in revocation and how does it work precisely?
And that is about it.
BRIAN NISBET: Thank you.
(Applause)
Any questions? Wow. Slightly surprised. In which case, we shall move on from there, so the next speaker is from op at that in the Netherlands and the London action plan who has been very involved in all of this interaction as well and along with the NCC has been leading a lot of it from the law enforcement and regulatory side, so we are greatly indebted to him for coming today and presenting the other side of the conversation.
WOUT de NATRIS: Thank you, Brian. Thank you for your introduction. I work for op at that which is independent post and telecommunications regulator in the Netherlands and as such we have anti?spam and anti?male wear in our remit. To start out, I think it's important for you to understand I represent London action plan here at the moment and that is anti?spam worldwide informal organisation which actually has different sides of the perimeter present so that means law enforcement, on the one hand, but industry on the other handled and government and special interest groups like Spamhaus which Richard Cox is a member of the London Action Plan, for example.
To give you some introduction to that, we have some members in 24 countries, we have some strategies in place for the coming year which is intenseifying relations with have I so that is one of the reasons I am here. I am working on ?? we are working on relations with other law enforcement, police, consumer authority, and we want to develop best practices to have an example of what the best anti?spam software in the world could look at. My boss is paying me to be here, he is paying the bill, Opta, Spam aspira, and basically, we don't have this moment on two up to €1.1 million for spy wear spreading and on malware, I should say, in this case and we chair the cybercrime Working Group in the Netherlands which has all the law enforcement agencies present working on the Internet and we have done the BotNet task force.
But for some reason, I always seem to be at the end of the day and you already working for four days and I think I am the only one in between your next beer and the dinner tonight so I decided not to give a present, I am going to tell awe story. And this is the book. (You a). So once there were a mother and a father and they had a beautiful baby. And the baby grew into a toddler but the father somehow lost interest and he went away. That left the mother alone with the baby. And she, she did everything as well as she could and the child grew and did tremendous things at school and went to high school and got great, great but somehow along the way he got into some wrong friends and there was nothing that the mother could do about it to amen the child's ways and he was still doing great, went to university but still these friends remained and she was very concerned about it. And there was an evening that a doorbell rang and it was somebody standing there looking vaguely familiar, but she couldn't place him. But when he opened his mouth and said "you have been raising our child wrong" she knew it was the father who came back after something like 20 years. And how do you think the mother reacted to that? I think the mother got very angry, she felt resented and spiteful against the father, leaving for 20 years and then coming back saying "you have done everything wrong," and she just slammed the door, started crying, called the best friend and she said "just come on over" and this friend was a very wise woman, because she not only acknowledged the rage but also the sadness of the mother, she also got the mother talking and the mother understood after talking for a couple of hours that yes she had concerns about her child and how to go about it. She didn't really know. And she said maybe the child needs a father in this stage in his life. So what does the mother do? Still she felt resentful but this is going to be a story about cooperation and it has to be based on trust because otherwise they will get nowhere the mother and father, after 20 years all this happened and all the water that was passed under the bridge but they will have to set some common goals and try to find shared solutions and they will probably have to go across all sort of borders and barriers but of corks as you will understand, I am talking here about the Internet community, talk about law enforcement and governments and making the Internet, which is the child, safer for the end user.
So where are we? I think this is a very good example of where we are or where we were. I am putting this in because the task force on anti?spam which is I had the honour to participate in a couple of years back and which is going to be reviewed, I saw the e?mail today that they want some questions answered by the Internet community and by the law enforcement. Where are we? This is a great example and why is that? As we have heard today, already 2006 the OECD said also no silver bullet. And all parties involved have an important role to play, so let's look at them, which ?? mentioned them, they said about governments, you need to have a good anti?spam law, and you have to raise awareness of your end users of all the dangers which are out there and you have to create an enforcer which has to have a tool kit, get the means and is able to set priorities so that the enforcer can actually enforce, and how many countries do you know around the world that are actually doing that at this moment ??
AUDIENCE SPEAKER: Apart from the Netherlands.
SPEAKER: Of course, but I think I think mention about five which are seriousry working on this in the whole world which is fought exactly very much is it. Also looked at industry participated and they can take measure, development of best practices and yes you have because you have filters in place, you are doing all this work and it's doing part of the job, right? And the public should say the Internet in a safe way which they never do because nobody really understands thousand Internet works except for you and maybe a little bit by now guys like me. So that means if we do all this together, it doesn't seem to make much difference. Because still, we are out there. What has been happening in the past four years since 2006?
Obviously as we heard today also from Richard, the threats are changing and they are changing rapidly. We find some countries have been jail time for spamers and we have tried to disrupt a lot but still the threats are still out there, they seem to be going faster and adopting faster to severing we seem to be doing so the lesson is I think, and that is why I put it in red, individually we can't make a difference no, matter how many filters you build and disruptions you put in place or fines, have a law in place, it doesn't seem to matter very much to these guys. So I think it's time that we tried to look at general cooperation across the board. ?? I think you have to ask yourself a question: Have we found each other? Well, yes, I am here a couple of my colleagues are here, you are here, we have, but at least we are trying. But where to start?
Maybe start at the story for the father and the mother. So the suggestion is here to start something, let's try and call it cybercrime working party, but focus on the word "work" because it's not about talking, it's about doing something and changing whatever is needed to do that and I am not going to fill that in, I am deliberately not going to fill that in for you but let's look at some incentives. I think that they are there that industry does not profit from black hats, I think that is quite obviously in the whole society doesn't. And cooperation between law enforcement and the community may change policies where necessary, may, we don't know. The other thing we can say that society at large is letened. I think it's quite clear even when your food distribution, your fuel distribution, I don't think that even bridges close and open any more without the Internet, the possibilities of disputing society are pretty big nowadays and I think the criminals be stopped and even if possible get caught, and convicted, of course.
So could we look at when we talk about a sign ear crime working party. Additional benefits: I think that LEAs, let's start with them, meet constructively also. As we said at one of the focal points is strategy of the lab is meet other LEAs and I think this one is probably that it's a possibility. I think that if we get some sort of results that will trickle down to national levels. This is a worldwide initiative at least with the RIPE it's a big chunk of the world and results will trickle down. And as Jochem said we need to get a better understanding of each other's position, what do you need, want, what are mutual benefits, so what good it leads you in the sense of common efforts, understanding leads to common efforts. For industry benefit could be cost reduction and Bert use of Internet resources or bandwidth than is happening at the moment, a higher service to customers which is unique selling point maybe but also intelligence on both sides because industry and law enforcement or government improves positions.
So when we talk about goals you won't be surprised that they are matching what we mentioned before. So if we want to make the Internet safer, what do we need to do? I guess we need to work together, stand understanding each other, build trust, find common topics to discuss and work on and try and identify approaches to that solutions to create them, share information between each other, maybe even teaching or training each other and understanding each other's needs, like we have heard in presentations in this room today, and in the end, we will learn to understand each other and, from that, the world will change in one way or another.
We have been discussing this for a while because it's not the first time I am attending a RIPE meeting or a round table, and we try to identify topics which could lead to a common interest and a common goal to start with, and I think the first one we came up with is a contact list, I think that is ?? I think that make sure that we find each other and that is the first step towards getting to know ?? getting to know each other and work together. What we think is a good idea is to step up a technical training with the RIPE NCC people, for ?? for investigative purposes just like we have heard before, we have got this lab thing but we don't know what you guys need. Let's set some technical people together with digital investigators and see where that leads to. There will be a lot of feedback over in ?? across the table. Also we heard what would be of interest for RIPE NCC and maybe for the members also, is a template for information requests. If we can come up with a common piece of information which always gives the information you need to be able to cooperate with LEAs that would make everybody's life a lot easier and is something which is probably fairly easy to create, and even to translate into different languages. And in the end, as a fourth point we came, let's have an inventory of perceived problems and try from there to identify solutions.
As mentioned we were at the London meeting, the LEA RIR meeting on the 17th of March this year and several concerns were raised there, and identified. And I think they speak for themselves because if you see this hijacking of IPv4 ranges, enormous blocks of IPv6 ranges which concerns the LEA community a lot because do we ever hear from these people again? There is a lot of anonymity on the Internet which makes the bad guys operate in a very easy way, other ways to look at that. The terms of contract between customers and LIRs and RIRs, could they be changed so that, perhaps, resource revocation becomes easier, is that something we could discuss? So that other RIRs are also interested in these topics and looking at them. I have been invited to go to AfriNIC in November to give basically this presentation there. And the investigative material as we already discussed which is available at RIPE NCC is definitely of interest.
So, is this the end and happily ever after knew we have heard all this? What do you think? No. It's a story with an open ending, sorry there wasn't a title on the book and it's deliberate because we don't know where we are going. All of these topics, they are meant to build trust and develop a working relationship, get to understand each other, so who is on board here, who wants to be on board? We are going to write the rest of the story and that is something which I want to impress on you is not something that I can individually can do or you can do; it's something we are going to doing together. And this is the start, a blank page, this is where we are at this moment, they are just ideas; nothing is happening, but if we start working, we have to find out whether you agree that these are the identified topics, are they the correct ones, do we need others? Would you want to see others, would you like to give input? We will keep you informed on the Working Group list and that is basically what I have to say, so thank you for your attention and if you have any questions, this is the e?mail address and please send them to me and we will make sure you get an answer. Thank you.
(Applause)
BRIAN NISBET: Thank you very much. Just before we take questions, to clarify, the indeed, the Anti?Abuse Working Group will be the information channel between this particular part of the community and the law enforcement part, so we will be providing updates on these interactions both via the mailing list and indeed at future RIPE meetings so that is ?? and in addition to that, if you have any questions about this that you don't want to ask now or whatever, you can contact myself or Richard and we will provide that information exchange. So are there any questions?
AUDIENCE SPEAKER: Organised crime agency, I am one of the technical people that Jochem has been talking about, I even have a book on BGP although my girlfriend has been looking at me strangely. I would just like to say very quickly is revocation is one of the really important things that we are looking at, and also part of that revocation is the routing side of it, so even do you do revocation, how do we stop the routing of it, are one of the issues that really interested in looking at.
BRIAN NISBET: Well, I know from the RIPE community's point of view there are that ?? that question has been asked in a number of different ways and different places. I am not sure if you were in the Address Policy Working Group earlier today, there was some heated discussion especially between a couple of members of the community, talking about certified routing, revocation of those certificates, whether that would then have an impact on routing, and while I am not the ?? I am far from the best routing expert in the room, but certainly, right now, there is no way of doing that, because people route what they want to route, and without ?? and again this is always the kind of thing of this conversation we were having and ?? we were having it earlier today; the operator community has to be very careful to not automatically slam the door on that conversation and say "my network, my rules." Nor am I necessarily saying the operator community has to go yeah, cool,, whatever you want me to do, but again, I think the point is that there is more dialogue to come and certainly right now, there is no answer to that question unless, I don't know the chair of the Routing Working Group wants to come up and disagree with me or let Wilifred do it.
Wilifred: Well, just to get us ?? try to get us on to some common ground of understanding. I personally I fully appreciate the ?? your interest in getting a handle on the routing or in the registration. On the other hand, we have seen incidents in the past where fiddling with the routing layer and that was even sort of an accident, that fiddling with the routing layer can have a very sound impact on completely unrelated parties all over the globe, and given the experience of some of us who happen to be on the Internet one way or another for a couple of years or a little bit longer, we have seen the incidents where political interest is actually seen as more important than law and the right thing to do, and this is one of the things where I would ask all the law enforcement people to understand where the reluctance comes from because as soon as you install a red button, you will find people who want to use that red button and there is probably very little appreciation of whether this is right or wrong, because the definition of right or wrong is pretty different in different situations and is pretty different in different geographical regions so just to give you some feedback why we appreciate the interest and why we appreciate sort of the positive effect on the overall Internet, but, at the same time, why quite a few of us are very reluctant to give too easy to use handle to push a red button.
BRIAN NISBET: So I think this is why, just ?? why this is obviously something that both Jochem and route have said, this is one of the main topics.
ROB BLOKZIJL: Yes I want to point out a very interesting presentation earlier this week by Geoff Houston on measuring traffic on the Internet, which belongs to network number 1. That network has never been announced. There is an enormous amount of traffic on the Internet claiming to come from that network 1. Messages, there is a lot more going on than you think and just revoking an address block, which in practice, means we remove the information about that block from the registry database, that is all; that doesn't stop anything continuing using it; it does not serve your purpose, so I think we should, together, start thinking about tools that do work and do serve your purpose. I think in more ?? more in general, I would be very reluctant to create possibilities for third parties to tell us what we register or not, and I think the third parties should be more interested in a high quality complete and correct database than something that reminds me of piece of Swiss cheese with lots and lots of holes everywhere.
BRIAN NISBET: I think it's fair to say and, obviously you have identified and Jochem has been saying that that complete database is the ?? one of the really, really important things that is there.
Richard Cox: A few ideas about this big red button because it is a difficult topic. You heard Wout say earlier we do all this and still the abuse continues to flow, which is of course completely right, it's a problem. You have got to sit down and look at what is going on and try and work out a strategy to deal with it. Now, one of the biggest problems of prosecuting for spam or malware whatever, is it's increasely difficult to establish on the Internet what was the origin of the packet that caused the problem. I won't say it's nigh to impossible because there are a few stupid ones out there who didn't cover up their traffic completely, low hanging fruit we get the prosecutors practice at pros do you telling which is what we need because they haven't got much experience in it. So what we have to do and something we have tried to do for many years is to identify who contributed to the harm; if someone did something which they normally do, but looked the other way knowing perfectly well that this was being done with a harmful intent and I am being careful not the to use the word "criminal "here, here because codes vary from jurisdiction to jurisdiction but harm is more significant to us than crime, so, it's down to the law makers to decide what can be done when someone does something knowing that harm is going to result. I won't develop the point further, I think you will see where I am going. I don't want to see a situation where somebody can press a big red button and order somebody to stop routing. To start with, it would be pretty serious if they pressed the wrong red button and let's be honest, some of our legislators probably would, and ?? anybody dealt with lawyers around here? Exactly. Now, there is a solution, the solution is quite straightforward: We need to have a mechanism to identify what problems are associated with a particular routing and get that information to people who are handling the traffic and also identify who those people are that are handling the traffic. Downstream of that it's down to the community. The community can decide not to accept a route, and if 90 percent of the Internet decide not to accept a route, then it's harm is very limited. If harm is being done and they continue to accept that route then there could easily abcivil action or prosecution or whatever. That is a much better way to approach it. I would remind you of the old adage: Regulate yourselves or the government will do it for you and you won't like the results and nothing could be truer here.
BRIAN NISBET: So I think that there is obviously a lot more to be discussed on that matter and I think that will form one of the largest kind of pieces of whatever conversations we have. Now, I am conscious that it's ?? we are going to run a little over, I am going to warn you of that now, not very much, however, however, the dinner is not until 19:30 as opposed to whatever signs may have been saying earlier, I am not going to take up all two hours I assure you but it is a reminder for those of you going it does start at 19:30 just around the corner, there is a map on the meeting website which you should look at and it's well within walking distance but that is at 19:30. So is there anything else on that topic and again thank you very much for your contribution and to all who have fed into that process because it's not just ?? it's not just Jochem me and Richard and Wout, there is a whole huge amount of people kind of contributing to both sides of that conversation. And the very, very important thing to remember is, it's a conversation and as Wout said it's a conversation only really starting now and there is lots to learn. So there is a couple of other things I want to touch on under AOB, and Alex, if you want to talk about stuff now.
Alex. Alex: I don't have any slides and I will try to keep it short as possible. I work for RIPE NCC, registration services and this is an idea I have discussed over last few years and generally received positive comments so I now want to throw it out here and sue what you think. We mainly hand out IP resources but occasionally take some back as well because the company has disappeared or gone bankrupt or comes back voluntarily. We quarantine the resources for typically three months and then it goes back into the free pool and is quickly reassigned or reallocated. Occasionally we notice that these resources were then previously used by people who were maybe not the best Internet citizens, so that these IP addresss are listed in anti?abuse and anti?spam lists all over the Internet and once we reassign or reallocate these resources, the people that received them expecting to get some new shiny IP addresses are very disappointed. They then come back to us and we are not, it's a little bit difficult for us to fix this, we cannot track down all the lists and even if we do it may not get the desired results. If we start taking them back and giving them different ones it's also not really going to solve the problem and this is likely to get a lot worse very soon because we are approaching the last phase of the 2007?01 policy proposal implementation, which means that we may very soon be getting back hundreds if not thousands of address blocks and then it is going to be a much bigger problem, this will probably happen in a fairly short time. Now, I like, as registration services, I'd like to find a solution for this. One of the things I have thought up, thought of, is that while these resources are in our quarantine list which lasts typically three months which basically means they are returned to us and they are about to be returned to the free pool and we could publish this list in some way, in some fashion on the FTP site or something else, which could be used by this anti?spam services to maybe take it off their listing, but I'd like to hear what the community here thinks about that idea.
Richard Cox: Well, I have to say, this is something that we have been arguing for for some time, in fact Denis is here and I am sure he will confirm conversations he had with me two years ago when we proposed that there be a mechanism for this, now a lot of the people running anti?abuse lists of some form take a view, and I don't argue for or against it but it has validity, that if the organisation who has got this problem is doing something about the problem, then it's sensible to try and work towards helping them. So on the one hand I think a lot of people out there would expect the RIRs to say, OK, we need to see less allocations in these type of circumstances which immediately end up being blocked and I can quote a /14 in Romania which was blocked this week for that reason. A /14 is not small, it's a bogus LIR out. We can fix the problem with something called an RFC. Define a standard by which the information can be published by all the RIRs, publish that on a web page which is a standard web page for each RIR in the architecture of their website, allow that to be downloaded by all the people running the various lists as required and use that as a re?set mechanism to clear anything out on automatic basis. That will work perfectly as long as one thing happens, and that is you have got to it be able to be reasonably certain that the revocation is genuine and it's not a case of the resource hold Eircoming in, cancelling their allocation and then immediately reapplying for it under a different name, which is happening. We have got to fix that one. You fix that one, we will fix the rest for you.
Alex: I want to respond to your last point briefly. We generally don't allow an organisation to come in and point at a free address block and can can I have that one.
Richard: You don't but LIR does.
Alex: This is about resources being returned to the RIPE NCC, the /14 allocation that you have blocked recently, that would only appear on my lists, once that LIR disappears or goes bank result and the block comes back to us and it's then available for reuse for entirely different LIRs, only then would it appear on my list.
Richard. That. Needs documenting and that should solve the problem.
BRIAN NISBET: Yes, OK, so the short answer there is that there is a forum in which it would be good for RIPE and other RIRs to publish that information with the caveats you have mentioned.
Richard: It's easily fixable and we have been trying to get you to do it for two years.
ROB BLOKZIJL: Just coincidental just before this meeting, I was talking with John Curran, CEO of ARIN, about this specific problem and as far as I understand, ARIN has procedures in place and documentation of their procedures, I have two recommendations: Have a look at them because basically, they have answers to your questions and it's slightly different, you have three months, I think they have six?month period or so, but secondly, if possible, it would be very nice if all RIRs have exactly the same procedure in place because that makes it more attractive for people who run all sorts of silly blocking lists to be a bit better up?to?date with reality, and because that is a problem which I can see coming with ?? from the user site and if we don't do such a well?documented procedure, we will increase the problem.
Alex: This is clear.
BRIAN NISBET: Cars en
Carsten: From what you are saying, I understand it can be only unallocated address space be Naas, being put on that very list but specifically with ?? because, if it would be unassigned address space and still would sit with an LIR, right?
Alex: Unless we are talking about a block which has been set aside for PI space that would still be sitting with the RIPE NCC but now we are splitting hairs.
AUDIENCE SPEAKER: My initial reaction was maybe that already exists by just going through the database and doing this kind of like indirect calculation, just looking for all unallocated address space but you are even more asking for some kind like cool?off period tack to some kind of unallocated address space.
Alex: That is kind of what I am suggesting. I cannot remember ever having seen address space on such a list which has never been used before. It is always address space which was allocated and then came back to us and then was reallocated to someone else. And yes, you could go through our address space now and pick out the holes and take that off the list, that is thank could be done today, could be done at any time. That hasn't been done so that is why maybe this is a better way forward.
AUDIENCE SPEAKER: Peter Koch, DE?NIC, basically what Carsten said, I would be a bit uncomfortable if the RIPE NCC would come up with a blessed white list to override a black list, that sounds fishy to me. If your suggestion is meant to be a service that is kind of neutral in that it takes the holes punched in the allocated address space by stuff being given back, so basically what Carsten said, so it's a one?to?one translation without any further value in there, that might abway to go but that is a simple script, and again, the responsible, if that word is allowed in that context, operators of these lists could do that today, so the question is whether the ?? responsible/cooperative once ones, the question is whether we are having the same problem here as we have with these weird tool providers by grabbing random addresses out of there, despite all our aattempts to teach them how to find abuse addresses so who is the target audience.
Alex: For this would be people like Spamhaus and I think this list would make one very simple assertion about the addresses on it; it would not say oh these addresses are magically clean or whatever. The only assertion this list would make about the addresses on it is these aaddresss were in use by somebody, they don't have them any more now, and they will be in use by someone entirely different at some point in the future. That is the only assertion that would be made about the addresses on this list.
BRIAN NISBET: OK.
AUDIENCE SPEAKER: Paul Vixie, ARIN board of trustees. I want to be careful, I am not speaking so much of my own views or even of the ARIN board's views but you asked a question in your presentation, what will the black hole list operators do, how will they respond, and of course we have Richard here who can speak for Spamhaus, Spamhaus is extraordinarily sane and professional among black list operators. When these topics have come up in the ARIN region, I have heard from a much larger sweep of black list operators, not just Spamhaus, but many of their peers, some of whom are widely regarded as less sane than Spamhaus, and what I have heard characterised is the address space that is listed on a lot of different black hole lists such that as you said in your presentation, you don't know what lists it's on, therefore you don't exactly know who to contact, in other words it's widely black listed not just narrowly or you would simply call Richard and get the job handled. When address space is on a lot of black lists in that way it has the character of toxic way that is left on the landscape and is keeping other work from being done on that particular plot of land. The black list operators have told me that since the creation of that toxic waste is a very profitable activity, they will only assist in clean?up efforts for the toxic waste if there is no revolving door, in other words if the people who created that toxic waste cannot lose access to that plot of land and get another, then they will help clean up the waste, but if it's a revolving door and a matter of matter of cycling through different landscapes, polluting some and cleaning up, a lot of black list operators are going to say well that is is ARIN's problem or in this case RIPE's, you are allowing all of this toxic waste to be created and if that runs you out of land that is your problem, we are not going to help you with it. So that I think deserves some concentration in your policy consideration. Thank you.
BRIAN NISBET: I don't want to speak for the NCC obviously, I think this is a along with a large number of other things which are being discuss sod far this week, which have to do with reclamation and clean?up and best use and most efficient use of the scant remaining IPv4 resources that are left, so I don't think ?? I think it's to try and make it as easy as possible to do this rather than assure that this will solve all possible problems.
Richard: If I might respond to Peter Koch, we can't do it today, we care very much about the accuracy of our data and make sure it's not stale, one of our team is working almost 24/7 on this to remake sure we remove this type of thing from the list but some checks need to be made and takes up time. Organisations with less resource, and I think those are the ones primarily that Paul was referring to, don't have that capability, but if you give them a silver bullet, it does exist in this case, in the form of an RFC defined list which is available at a fixed place, then it is quite simple for them so set up an automated system providing the RIRs have agreed to a set of definitions. I am prepared to go forward with this and I have done half the work already, when we first started to speak to RIPE two years ago I had the whole thing pretty well set out in schema, so half the work is done, and the rest can be done quite easily, it just needs a bit of agreement and going to take a bit of agreement by the RIRs that there are certain definitions that have to apply, and one of those definitions, and again, Paul has highlighted exactly the problem, has got to refer to those people who are causing the pollution of that address space and RIPE has got to take a view as to whether the allocation of that address space was done properly and if it wasn't, whether it should still be allocating address space in the same way. This concept is going to come up in a number of situations so I mention it now in this connection as well.
BRIAN NISBET: I think there is a bunch of people who need to talk to a bunch of other people who have a basic idea of where we want to go from there.
Alex: I am going to talk to a bunch of people.
BRIAN NISBET: OK. So, Richard did you want to make ??
Richard Cox: The AOB bit. It's me again I am afraid. You know why I let Brian do the chairing. I just want to throw out into the community two propositions which we will inevitably need to discuss on the Working Group mailing list. But one of the things that came out from the meeting in London is that RIPE does need to make some changes in what it does to make it less easy for the signer criminals because some of them are very specifically coming to RIPE at the moment, the Russian business network is an obvious example, they are in the RIPE community but there are American gangs who are coming to RIPE in cloaks of Europeanism that are not entirely valid, because they see RIPE as more of a push?over than ARIN.
OK, two proposals are these: And they are not in PDP format at the moment, they are not in PDF format. First one: That we should ask the database Working Group to make available in Whois two additional fields, so that a standard, and I stress a standard Whois query with no switches will get data on the LIR whether is one that assigned a block, and data on the date of the most recent change of that block. Now, on that second point, I had a very interesting discussion with two ?? well with Brian and one of the other Working Group chairs last night where we said that the existing field can't be metaled with, it's got to stay there and the existing ?? it says changed gives ?? gives the change date and then the e?mail address associated with the change; that is personal data, that can't be sent out without the minus B switch, the minus B switch has got a counter associated with it very, very good reasons so that poses a problem. What we want is the date of the change made available, it's nice to see the date of allocation made available but the date of change is perhaps the most significant one and therefore it needs to go out under a different object if you like than the existing one to avoid breaking anything that exists at the moment. Obviously, whatever do you with the Internet you can't break what exists, although other people are quite good at that. That is the LIR data, in other words, at the moment you do IP Whois at RIPE, you will get the IP owner, you will get the AS number, which is very helpful, so it's ?? to answer the point that might be made, and one person has made, that we be giving out information that wasn't being asked for, we already do that with the ASN data and it's helpful and I believe for writing the LIR data is important and it's very helpful. The reason for this is if you gate pattern of problems and you are investigating and you want to see quickly which are LIRs are involved, so often there is immediately visible pattern. If it's available in Whois people will know where to go and quite a lot of the time the end user data is either bogus or meaningless, in other words no one is ever going to answer at that address. Street mail goes to a forwarding service, phone number goes to a voicemail box that never gets answered, that sort of thing. This is what the bad guys do. We are having to provide for the bad guys and they are a very small part of the community but they make one hell of problems for the rest of us.
The other idea I have is that there are, at the moment, quite a number of RIPE IP allocations that probably shouldn't have been made if the full facts were known at the time. Quite a lot of times done by LIR, and these need to be reviewed. The rubble is if you talk to (trouble) anybody in the NCC about reviewing RIPE's IPP allocations the first thing they mention is ERX and everybody groans and probably for good reason. There was a time when was targeted by hijackers, it's not fixed but a lot better than it was. So, we have got to look at more recent allocations. My question, I am really asking here, is, is the process within the NCC optimal for dealing with this sort of information and therefore, my suggestion that we discuss on the mailing list would be for the Anti?Abuse Working Group to recommend to NCC services that they look at this problem, they make provision for faster track handling of reports that come to RIPE suggesting that there may be a problem with an allocation and in some cases not just the allocation but the path by which it came to RIPE. It may well be that this would be helped if there was a published address that people could write to, I am not going to suggest abuse@ripe.net, I suspect that gets quite a lot of junk but there needs to be a review address@ripe.net where people can write and this will be used by the experienced people in the community who can tell the difference between something wrong with an allocation and somebody sending them a mail they didn't want, there is a hell of a difference, a lot of people haven't learned what that difference is. It may be that a closed group of members of the community could assist the NCC with this under NDA and it would have to be under that for privacy reasons. So I'd like to think that services would start to look at this anyway, but can we discuss on the mailing list and if anyone has got suggestions or thoughts on that, please let's hear them.
Wilifred: Could you elaborate a little bit on the NDA stuff? I am really worried hearing things like NDA in the RIPE environment.
BRIAN NISBET: I think that ?? I think that these ideas are fairly, I think it's fair to say fairly informed at this specific point in time and I think that the ?? the conversation we were having yesterday evening, the notion was that if there were a group of people who were outside NCC staff who were investigating allocations or otherwise, if such a situation was to exist, then data protection might necessitate ?? again we are looking, this requires much more conversation, but data protection would necessitate those people not just freely looking at what would be considered private information under the law. So, while I am not suggesting we have a large conversation about this now, not least because we are 15 minutes over time but because this is the beginning of an idea, it's far away interest the end and there has to be lots of conversation with the NCC and otherwise to see how that will go but I think Richard, is it fair to say you will write those two up in more detill and we can have a look at them and discuss them on the mailing list.
So, unless there is anything else, and I am keenly conscious of the fact that we have finished a very long day and I think the longest day of Working Group activities at the meeting. So if there is no further business, then I will thank you all very much our scribe, our wonderful stenographer and all of you and we shall see you hopefully at dinner this evening and in Rome at RIPE 61. Thank you very much.
LIVE CAPTIONING BY AOIFE DOWNES RPR
DOYLE COURT REPORTERS LTD, DUBLIN IRELAND.
WWW.DCR.IE