Search RPD Archives
[rpd] AFPUB-2019-V4-003-DRAFT02 - Resource Transfer Policy
lucilla fornaro
lucillafornarosawamoto at gmail.com
Mon Sep 28 11:44:00 UTC 2020
Hello everyone,
I will have to agree with Lamiaa*, *AFRINIC’s role is to ensure a complete
assent with needs-based policies and to update and preserve the efficiency
of the registry, we cannot promote policy concerning how clients then
transfer resources across an internetwork from a source to a destination
(routing).
AFRINIC encourages and defends the bottom-up policy process and unallocated
number resource pool, then the responsibility is entirely up to the one
holding the resources (member) on how to route them. I feel we are focusing
on and discussing something slightly different than the actual proposal.
For what concerns the potential fraud and abuse, I still think it would be
a better option to discuss a separate policy on fraud prevention. If you
believe fraud can happen, I assume you agree on the fact that it can also
potentially happens with 12 months of hold time. That’s why we need a
separate proposal and keep this one operating smoothly.
regards,
Lucilla
Il giorno lun 28 set 2020 alle ore 19:59 Lamiaa Chnayti <
lamiaachnayti at gmail.com> ha scritto:
> Hello Jordi,
>
> The salient point here is that AFRINIC only manages registration, not
> routing. We can make policies about registration of space, but not routing
> of the space.
>
> If their upstream decides to route a space that wasn't registered to them,
> it is entirely in their upstream's right to do so. If the operator chooses
> to route space that doesn't belong to them and their upstream is okay with
> it, it is entirely out of the AFRINIC community's scope - just like any
> hijacking is out of the scope for the AFRINIC community (the same reason
> many have told you that the hijacking as policy violation is out of scope).
>
> From AFRINIC's point of view, they have terminated the contract; they have
> changed the registration. What happens at the routing table isn't really
> AFRINIC's business nor their concern anymore.
>
> They do not need to get anything back; those spaces can be allocated to a
> different member. It is entirely up to the one holding the space to have
> other operators recognize it. Please do remember, AFRINIC is wholly based
> on the voluntary cooperation of operators; if someone does not recognize
> AFRINIC's database as the "right" registration database and then start one
> of their own, they can definitely do it as it is entirely within their
> rights to do so. So the difficulty you were talking about is really out of
> the scope of AFRINIC.
>
> Regards,
>
> Lamiaa
>
>
> Le lun. 28 sept. 2020 à 10:03, JORDI PALET MARTINEZ via RPD <
> rpd at afrinic.net> a écrit :
>
>> Hi Ekaterina,
>>
>>
>>
>> The termination of the contract is easy, but what happens if the operator
>> keeps using those resources? How you enforce it to stop? What happens if
>> the case is brought to the courts by any of the parties? How much time it
>> takes? Meanwhile AFRINIC doesn’t get the resources back, so it is not able
>> to redistribute them. This is not fantasy: we have a real case for millions
>> of IP addresses right now in AFRINIC!
>>
>>
>>
>> How much is the cost in terms of lawyers and wait time? Who is using
>> meanwhile the resources? The bad guys.
>>
>>
>>
>> **Partially** that may be resolved if we have the AS0 proposal, but even
>> in that case, that only works for the operators using the AS0 TAL!
>>
>>
>>
>> Even if the resources are recovered, do you understand that AFRINIC
>> procedure is to quarantine them for 12 months before coming back to the
>> pool?
>>
>>
>>
>> So, what is the gain vs having 12 months hold time? Easy, with the 12
>> months hold time the cost is much lower. I’m not talking only about money
>> cost for AFRINIC in case of disputes, human resources to tackle them, etc.,
>> but also the cost of not being able to use those resources during the
>> recovery time + the quarantine period.
>>
>>
>>
>> Again, that will be resolved, allowing to reduce the quarantine period,
>> if we have the “policy compliance dashboard”.
>>
>>
>>
>> A /22 can be obtained in AFRINIC just with a cost of 2.900 USD
>> (justifying an end-site, for example). You can easily sell this for 10
>> times more! So, it is a very small investment for a huge margin. Just think
>> if you can repeat that every year, or actually many times per year, just
>> creating a company for “only that”. How much it cost in the cheaper country
>> in AFRICA to create a company? You don’t need offices, or anything like
>> that, you can make a “fake” DC in your home.
>>
>>
>>
>> I don’t think it is a matter of the most “flexible and open” proposal. It
>> is about that one that **really works** and is **safer**. If you
>> followed the discussion on the first proposal (the one that I’ve presented
>> in 2018, with two approaches and several versions), across that discussion **the
>> community** asked me to have a “security seat belt”, so if something
>> goes wrong, it can be put in hold. I said it was not needed, but the
>> community insisted, so I did. Now the community don’t want that. This only
>> shows that the problem in developing policies, is that depending “who” is
>> speaking, the authors get crazy at every version. However, if the chairs
>> really consider only what are valid-objections this will not be an issue.
>> But the problem is that consensus is being decided even considering invalid
>> and refuted objections.
>>
>>
>>
>> May be some folks now understand better that when you do policy
>> proposals, you need to look **at a very broad context** and not only in
>> that specific RIR!
>>
>>
>>
>> It is impossible for an author to explain **all this** in each policy
>> proposal. It is impossible for an author to explain all this in a **8
>> minutes** presentation. There are **many** other aspects that you can’t
>> realize if you’re not operating networks and participating in all the RIRs.
>> Internet is global and you really need to consider everything. A specific
>> region business and cultural details, are very important for the policy
>> making process, but not forgetting the others!
>>
>>
>>
>> Regards,
>>
>> Jordi
>>
>> @jordipalet
>>
>>
>>
>>
>>
>>
>>
>> El 25/9/20 19:58, "Ekaterina Kalugina" <kay.k.prof at gmail.com> escribió:
>>
>>
>>
>> Dear Jordi, dear all,
>>
>>
>>
>> Jordi, could you please elaborate a bit more on your statement: "the cost
>> of “not-being-able to use those resources” for any number of providers is
>> actually *lower* than the cost of a single recovery case!"
>>
>> As far as I understood, the recovery is be achieved though the
>> termination of the contract. So what exactly is included in the recovery
>> costs?
>>
>>
>>
>> In regard to your argument on the history of fraud in all the RIRs, I do
>> not believe it is very relevant to the current discussion for a simple
>> reason that the maximum allocation space is currently /22. Proving the need
>> that is required for the allocation would cost thousands of dollars, so
>> there is simply no incentive for businesses to commit such fraud. It would
>> cost them way too
>>
>> much and bring way to little.
>>
>>
>>
>> In addition, I believe that our focus should be on passing the most
>> flexible and open transfer policy to incentivise the free flow of
>> resources in and out of the region that is necessary for a steady economic
>> development.
>>
>>
>>
>> If there are so many concerns concerning potential resource abuse and
>> fraud, perhaps a separate policy on fraud prevention ought to be
>> introduced. Let us not try to kill all the possible birds with one stone
>> and instead focus on solving one problem per policy. In my view, this is
>> they only way to ameliorate the duties of AFRINIC staff and ensure the
>> proper practical application of each policy.
>>
>>
>>
>> Best wishes,
>>
>>
>>
>> Kay
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Thu, 24 Sep 2020, 13:14 JORDI PALET MARTINEZ <
>> jordi.palet at consulintel.es> wrote:
>>
>> Hi Ekaterina,
>>
>>
>>
>>
>>
>> El 24/9/20 12:25, "Ekaterina Kalugina" <kay.k.prof at gmail.com> escribió:
>>
>>
>>
>> Hey everyone,
>>
>>
>>
>> @JORDI PALET MARTINEZ <jordi.palet at consulintel.es> you said, and I quote:
>>
>> >"An ISP will not need to return even a /22 because he loses 1.024
>> customers as he can get them back, this is very common customer churn in a
>> matter of weeks (even days or hours for big ISPs)."
>>
>> In this case, ISP would not need to bother with resource transfer.
>>
>>
>>
>> [Jordi] At the beginning of the transfers in other regions, I was *
>> *against** that. In my opinion when operators don’t need the resources,
>> they should return them back to the RIR. BUT we all know, that people is
>> not so honest, and this will only happen in an utopic and idealistic world
>> and moreover, this will still need some “agreement” between different RIRs
>> to allow those resources that are returned to be “transferred” among RIRs.
>> Due to facts, afterwards I realized that this is a need for the global
>> community and that’s why I agreed with those policies, and even started to
>> work on them as an author.
>>
>>
>>
>> However, I believe a situation may occur when the ISP is unable to
>> distribute the allocated resources for whatever reason. Even if we
>> cannot predict the reason we must still account for such contingency. And,
>> in such case, it does not make sense to block these resources for 12 months
>> from being transferred to a place where they are actually needed. This
>> would be detrimental to everyone involved.
>>
>> [Jordi] I don’t agree. A transfer may take several weeks or even months.
>> It depends on many factors, like the justification time among the RIRs,
>> providing documents, etc. Even if you discover that in month 3 after you
>> have received a /22, you no longer need it (which I doubt it can be true),
>> this means that the resources will be “unused” during other 6-7 months. I
>> could agree that the hold time is just 6-8 months instead of 12, but non
>> zero is difficult, because the cost of “not-being-able to use those
>> resources” for any number of providers is actually **lower** than the
>> cost of a single recovery case!
>>
>>
>> In regard to your statement:
>> "However, a “bad guy” will easily use that as an excuse to transfer the
>> resources in days or weeks."
>> Like Anthony and Lucilla mentioned before, such action would be a clear
>> act of fraud.I do not see any reason why anyone would willingly commit such
>> a violation. "Bad guys" are not stupid, and if someone wants to take an
>> advantage of AFRINIC, they will, and I do not think the 12 months cap would
>> prevent that in any way.
>>
>> [Jordi] Just look at the histories of frauds in all the RIRs! This is
>> real life. Holding the resources for 12 months, breaks their business
>> model. It makes sense because it is quick money and you can do it with a
>> very tiny fraction of money, once and again and again, rotating among
>> different RIRs, etc.
>>
>>
>> The only thing it would achieve, in my view, is slow down the flow of
>> resources and create stagnations that could be more costly than any
>> retrieval procedures in case of fraud.
>>
>> [Jordi] To be objective, we will need to get statistics of “speed” of
>> transfers among different RIRs, number of frauds or fraud attempts, etc.,
>> etc., etc. and many of those details probably are sensitive and the RIRs
>> will not recognize that, even if anonymized. There have been fraud cases in
>> RIPE, which everybody knows by word of mouth, but it has never published …
>>
>>
>> But of course, staff assessment is needed to have full clarity of this
>> issue.
>>
>>
>>
>> Best,
>>
>>
>>
>> Kay
>>
>>
>>
>> On Thu, Sep 24, 2020 at 9:05 AM Gaby Giner <gabyginernetwork at gmail.com>
>> wrote:
>>
>>
>>
>> Hello guys,
>>
>>
>>
>> This discussion is very interesting seeing that it deals with the most
>> probable or likely outcome with those that would want to take advantage of
>> the system. We can only wish that the clients would be completely honest
>> with their need, but of course, if they are inclined to lie, there is no
>> mechanism that would stop them from doing so. I would suggest that the
>> proposal include a means or a way to authenticate the need but that would
>> be more trouble than it is worth and would not be entirely foolproof.
>>
>>
>>
>> Since we are dealing with finite and scarce resources, it's important
>> that the way they are doled out should be systematic and measured and not
>> just "I need this. I need this, give me this". Having said that, I think
>> having a time limit would also cause traffic for the "need". Regardless, as
>> Lucilla said, these are hypothetical scenarios and questions but they may
>> be worth getting into.
>>
>>
>>
>> I'm interested in what the staff/authors would have to say on this matter.
>>
>>
>>
>> Thanks, Gaby.
>>
>>
>>
>>
>>
>> On Thu, Sep 24, 2020, 2:59 PM JORDI PALET MARTINEZ via RPD, <
>> rpd at afrinic.net> wrote:
>>
>> I mean a non-realistic situation. An ISP will not need to return even a
>> /22 because he loses 1.024 customers as he can get them back, this is very
>> common customer churn in a matter of weeks (even days or hours for big
>> ISPs).
>>
>>
>>
>> However, a “bad guy” will easily use that as an excuse to transfer the
>> resources in days or weeks.
>>
>>
>>
>> Regards,
>>
>> Jordi
>>
>> @jordipalet
>>
>>
>>
>>
>>
>>
>>
>> El 24/9/20 8:29, "JORDI PALET MARTINEZ via RPD" <rpd at afrinic.net>
>> escribió:
>>
>>
>>
>> Exactly, if you really have that situation you can return them and be
>> fair.
>>
>>
>>
>> Anyway, the example that I’ve presented is a non-realistic suggestion. It
>> is not frequent that an operator loses customers in such way. It is just
>> the perfect excuse for “bad guys” to get resources and resell them.
>>
>>
>>
>> Remember also that in the actual exhaustion phase, they can only get a
>> maximum of a /22.
>>
>>
>>
>> Regards,
>>
>> Jordi
>>
>> @jordipalet
>>
>>
>>
>>
>>
>>
>>
>> El 24/9/20 4:03, "Fernando Frediani" <fhfrediani at gmail.com> escribió:
>>
>>
>>
>> We can make in another way: if someone justifies and receives resources
>> from AfriNic but afterwards realizes something changed and doesn't need
>> those addresses anymore it must give the addresses back to AfriNic so it
>> can re-distribute it in the most fair way to any other organization who
>> goes though the same justification process. Why is it difficult to think
>> about this fairness with all others in the region ?
>>
>> Fernando
>>
>> On 23/09/2020 22:22, lucilla fornaro wrote:
>>
>> Hello everyone,
>>
>>
>>
>> I agree with what concerns the problem of the time limit. Companies will
>> refrain from such behavior because it is too risky and indicative of
>> possible fraud.
>>
>>
>>
>> Jordi, Considering your example related to the customers' loss, I think
>> that it is adverse for the operator to wait 12 months before transferring
>> the addresses. What is the point in holding addresses that they will not be
>> able to use and deprive someone else of further resources? What if they
>> don’t get new customers? What if they lose even more customers? Too many
>> hypothetical questions, that is why I believe it is more straightforward
>> and more convenient for everyone to facilitate the process.
>>
>>
>>
>> I agree that recovery processes are expensive and time-consuming, but we
>> can say the same for those unused resources.
>>
>>
>>
>> As well as you, I would like to know the staff’s view on this.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Lucilla
>>
>>
>>
>> Il giorno mer 23 set 2020 alle ore 21:14 JORDI PALET MARTINEZ via RPD <
>> rpd at afrinic.net> ha scritto:
>>
>> Hi Anthony,
>>
>>
>>
>> I think **somehow** you’re right, clearly I overlooked this.
>>
>>
>>
>> We don’t need a time limit to transfer resrources because that will be a
>> demonstration of the “the need was not justified”.
>>
>>
>>
>> However, the problem of this approach is that if it happens, the staff **will
>> need to start a recovery process** which is long, costly and a big
>> trouble.
>>
>>
>>
>> What happens if the **false** justification for the transfer is: I had
>> the need 6 months ago, but then I lost customers and now I don’t need
>> anymore the space, so I’m transfering it.
>>
>>
>>
>> What happens if the same operator, repeat that after another 6 months?
>> There are ways to one and again **justify the need** and it is, instead,
>> very dificult for the staff to act on the RSA for recovery and member
>> closure in those cases.
>>
>>
>>
>> On the other way around, what is the “objection” if we have that hold
>> time? I can only see one: If the example above (I lost customers) happens,
>> the operator need to wait until month 12 before transfering the addresses.
>> Is that really so bad? Or it is good because he may get new customers again?
>>
>>
>>
>> I think the trade-off is to have a good balance and ensure that we avoid
>> this happening and requiring the staff to invest resources in an
>> investigation and recovery.
>>
>>
>>
>> Could the staff provide a view on this?
>>
>>
>>
>> Regarding the legacy. Yes, ARIN and RIPE don’t have it (I think APNIC has
>> it, LACNIC definitively has it). AFRINIC has it right now. We are removing
>> a very good thing.
>>
>>
>>
>> Why it is so good? Because legacy holders aren’t bound to the RIRs RSAs,
>> so that’s extremely bad for the overall community. They don’t pay for *
>> *services** that all the RIRs are doing for them, so all the members are
>> covering that part of the cost. They’re not bound to RIR policies, so they
>> can break the rules of the community all the time and we have no way to
>> react on that.
>>
>>
>>
>> I don’t agree on the point of the disputed resources, I’ve the feeling
>> that somehow in the process of editing the v2, it was removed by mistake
>> and we should have it back. The difference in between rightful holder and
>> having a dispute, is depending on who is saying that, in case of a dispute.
>> I will love also to have the staff opinion on that.
>>
>>
>>
>> As well, can the impact analysis be made clear? Is that all fine for the
>> staff after having checked with authors each point?
>>
>>
>>
>> Please, let’s make this happen!
>>
>>
>>
>> Regards,
>>
>> Jordi
>>
>> @jordipalet
>>
>>
>>
>>
>>
>>
>>
>> El 21/9/20 18:10, "Anthony Ubah" <ubah.tonyiyke at gmail.com> escribió:
>>
>>
>>
>> Hello Jordi,
>>
>> We can sight an instance with APNIC as a case study. APNIC has a transfer
>> policy that doesn’t have a time limit for retransferring resources and time
>> proves to us that it works.
>>
>> According to APNIC, the act of buying space and reselling it right after
>> the purchase seems to be highly unlikely because of two reasons.
>>
>> First of all, most companies buy space for their own use, and hence a
>> commodity trading type of business doesn’t exist in the IP space involved.
>>
>> Secondly, since the buyer is required to justify the need of a 12-month
>> usage, if he/she engages in an activity such as buying the space and then
>> reselling it right after, this indicative of fraud because it contravenes
>> the “NEED” which is a prerequisite for receiving such space. This simply
>> implies that the so-called “NEED” which they provided was fake. Hence,
>> companies will refrain from engaging in such behaviour.
>>
>> As for the legacy transfer, I believe both ARIN and RIPE have the cases
>> of a transferred legacy space remained as a legacy. APNIC may be different,
>> but I think this is just a different sort of opinion and should not be read
>> as an objection. Also, what matters the most is that if we follow ARIN, we
>> can receive space from them. Definitely this is a significant advantage.
>>
>> As for the disputed resources, since AFRINIC have to know who the
>> rightful holder of the spaces are before transferring them. I don’t think
>> this would be a concern because AFRINIC is not able to initiate a transfer
>> for space that is under dispute. However, this is a legal matter and is
>> already out of the scope of the policy.
>>
>> Best Regards,
>>
>> *Anthony Ubah*
>>
>> E-mail: anthony.ubah at goldspine.com <anthony.ubah at gloworld.com>.ng
>>
>>
>>
>>
>>
>> On Mon, Sep 21, 2020 at 10:00 AM <rpd-request at afrinic.net> wrote:
>>
>> Send RPD mailing list submissions to
>> rpd at afrinic.net
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> https://lists.afrinic.net/mailman/listinfo/rpd
>> or, via email, send a message with subject or body 'help' to
>> rpd-request at afrinic.net
>>
>> You can reach the person managing the list at
>> rpd-owner at afrinic.net
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of RPD digest..."
>>
>>
>> Today's Topics:
>>
>> 1. AFPUB-2019-V4-003-DRAFT02 - Resource Transfer Policy
>> (JORDI PALET MARTINEZ)
>> 2. Re: Abuse Contact Policy (JORDI PALET MARTINEZ)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Mon, 21 Sep 2020 10:34:13 +0200
>> From: JORDI PALET MARTINEZ <jordi.palet at consulintel.es>
>> To: rpd List <rpd at afrinic.net>
>> Subject: [rpd] AFPUB-2019-V4-003-DRAFT02 - Resource Transfer Policy
>> Message-ID: <8873E491-A0A7-4506-A490-13C6B6E67A7D at consulintel.es>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi all,
>>
>>
>>
>> I will be happy to support this proposal and withdraw my own one, but
>> *before* I?ve some questions about this decision that need to be addressed
>> first (see below, in-line).
>>
>>
>>
>>
>>
>> 10. Resource Transfer Policy
>>
>> This proposal aims to introduce Inter RIR transfer. However, it has the
>> following opposition
>>
>> a. Issues with Legacy holder transfer is potentially
>> considered none-reciprocal by ARIN
>>
>> b. Potential abuse of AFRINIC free pool without the time
>> limit of receiving an allocation from AFRINIC.
>>
>> Chairs Decision: The proposal is the least contested of all the 3
>> competing proposals. However because of the community?s desire and clear
>> expression for the need for an Inter RIR transfer, we, the Co-chairs,
>> believe that in the interest of the community we should focus on a proposal
>> rather than several similar ones. This desire was clearly expressed at the
>> AFRINIC 31 meeting in Angola. Therefore, We suggest that the authors of
>> this proposal make the following amendments:
>>
>> ? 5.7.3.2 Source entities are not eligible to receive further
>> IPv4 allocations or assignments from AFRINIC for 12 months period after the
>> transfer.
>>
>>
>>
>> [Jordi] This is perfect, and in fact is what I?ve. Just different timing
>> to match phase 2 window x 2, but not a big issue. However, we are missing
>> something that was also objected by the community and I think is key to
>> avoid abuse. Actual text in the CPM ?5.7.3.3 Source entities must not have
>> received a transfer, allocation, or assignment of IPv4 number resources
>> from AFRINIC for the 12 months prior to the approval of transfer request.
>> This restriction excludes mergers and acquisitions transfers.?. This is no
>> longer considered by this proposal, and in my opinion it is a MUST. Doesn?t
>> make any sense that someone is getting resources from AFRINIC and being
>> able to transfer them immediately! Can please the chairs also address this
>> point.
>>
>> [Jordi] Can the staff explain the consequences from their perspective if
>> we don?t have such text or something similar? Is even possible that the
>> board will not ratify the policy because that, and we are wasting a
>> previous time?
>>
>>
>>
>> ? 5.7.4.3. Transferred legacy resources will still be regarded as
>> legacy resources.
>>
>> [Jordi] This is also a major issue. I?m not sure if the chairs have
>> understood what was the point about lack of reciprocity. We can?t enforce
>> ARIN to accept that outgoing (to ARIN from AFRINIC) resources will no
>> longer be legacy. However the actual CPM states ?5.7.4.3 Transferred IPv4
>> legacy resources will no longer be regarded as legacy resources.?. We must
>> keep that, because we should avoid legacy resources to keep being legacy as
>> much as possible, because they are NOT BIND to the CPM. If we accept the
>> chairs proposal, we are going *backwards* not forward and we may be
>> creating a discrimination with already done transfers within AFRINIC
>> (Intra-RIR, according to the current policy). The right text here must be
>> ?Transferred incoming or within AFRINIC IPv4 legacy resources will no
>> longer be regarded as legacy resources?.
>>
>>
>>
>> [Jordi] Finally, there were several severe comments from the staff that
>> need to be addressed. For example, resources under dispute. That?s a big
>> issue! There are a few others. I think here we need to see if the staff got
>> everything clear from the authors inputs and if the policy can be
>> implemented or there will be open questions that will not allow to be a
>> functional policy and again, even disallow the board to ratify it.
>>
>>
>>
>> Chairs Decision: Provided that the above are amended, the decisions is
>> Rough Consensus is achieved
>>
>>
>>
>>
>>
>>
>>
>> Regards,
>>
>> Jordi
>>
>> @jordipalet
>>
>>
>>
>>
>>
>> **********************************************
>> IPv4 is over
>> Are you ready for the new Internet ?
>> http://www.theipv6company.com
>> The IPv6 Company
>>
>> This electronic message contains information which may be privileged or
>> confidential. The information is intended to be for the exclusive use of
>> the individual(s) named above and further non-explicilty authorized
>> disclosure, copying, distribution or use of the contents of this
>> information, even if partially, including attached files, is strictly
>> prohibited and will be considered a criminal offense. If you are not the
>> intended recipient be aware that any disclosure, copying, distribution or
>> use of the contents of this information, even if partially, including
>> attached files, is strictly prohibited, will be considered a criminal
>> offense, so you must reply to the original sender to inform about this
>> communication and delete it.
>>
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: <
>> https://lists.afrinic.net/pipermail/rpd/attachments/20200921/81bf3b81/attachment-0001.html
>> >
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 21 Sep 2020 11:00:01 +0200
>> From: JORDI PALET MARTINEZ <jordi.palet at consulintel.es>
>> To: <rpd at afrinic.net>
>> Subject: Re: [rpd] Abuse Contact Policy
>> Message-ID: <491C1297-8C2D-4939-B339-EDAA80334B24 at consulintel.es>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi Lamiaa,
>>
>>
>>
>> 8.3 and 8.4 are making sure that you respond to an abuse case, *not* that
>> you *recognize* it as an abuse. It is your choice to tell the ?victim ISP?,
>> look for me this is not an abuse, so I will not do anything about it.
>>
>>
>>
>> AFRINIC can?t verify this automatically, because it doesn?t make sense
>> that AFRINIC is ?sending? fake abuse reports to see if they get a response.
>>
>>
>>
>> AFRINIC can only send an email for the validation of the mailbox. It is
>> an existing mailbox? I?m getting a response (for example, have they, once I
>> send the validation email, clicked the link or went into MyAfrinic to input
>> the validation code?).
>>
>>
>>
>> 8.4 also states the timing for the validation.
>>
>>
>>
>> 8.5 is the validation itself, so I guess, according to your response,
>> that you?re ok with this specific point. If we don?t have it, AFRINIC can?t
>> do a periodic validation.
>>
>>
>>
>> 8.6. is making sure that you don?t try to fake the validation. For
>> instance, you could respond only to AFRINIC validations and then discard
>> all the other emails. If we don?t have that, the policy may become useless.
>> Note also that in fact, if you follow the RSA, *anyone* could escalate
>> *any* lack of CPM compliance. So this is making sure that the policy text
>> is honest and transparent.
>>
>>
>>
>> Or do you prefer to be filtered because you don?t respond?
>>
>>
>>
>> Clearly this proposal is not asking AFRINIC to be a police. Is only
>> making sure that the parties *can talk*. Again: AFRINIC will not be
>> involved in ?how you handle the case?, but I least you should be able to be
>> contacted and respond.
>>
>>
>>
>> See this example:
>>
>> If AK or Moses customers are sending me spam, or trying to intrude my
>> network, and they have abuse contacts, I will be able to complain to them.
>> Then we have two cases:
>>
>> 1. Moses responds to me and say ?you?re right, this is against our AUP?
>> (is irrelevant what the law in Moses country say, it is the contract with
>> customers what says what is allowed or not). Let?s fix it. I will warn the
>> customer, and if they don?t stop, we will filter their email port, or even
>> cancel the contract (just examples, only Moses can decide what they do).
>>
>> 2. AK instead doesn?t care, or the mailbox is full or bouncing emails
>> or respond ?sorry in our network we allow that?. Then I can take my own
>> decision, filter only that IP address, or the complete AK network. I can
>> even see if this is allowed in his country and take legal actions (which
>> usually you don?t do because is costly and more of the regulations don?t
>> know ?anything? about abuse or even Internet!).
>>
>> AFRINIC will not take any measure if AK decides that is not an abuse. It
>> is our problem not AFRINIC problem. However, if the email is bouncing,
>> AFRINIC will revalidate the abuse-c and make sure that it works.
>>
>>
>>
>> Is like a phone book. You have there the phones and they must be correct,
>> or you need to update them every ?n? months. The phone book doesn?t tell
>> the purpose of each phone. If you don?t want to accept calls related to
>> ?ordering pizzas?, you tell the caller ?this number is not for that?, but
>> at least you must pick up the phone otherwise, you don?t know if it is
>> somebody calling by error or someone that you really want to talk. And this
>> is true for *every* whois contact.
>>
>>
>>
>>
>>
>>
>>
>> Can you let us know how do you handle it in the networks that you operate?
>>
>>
>>
>> Regards,
>>
>> Jordi
>>
>> @jordipalet
>>
>>
>>
>>
>>
>>
>>
>> El 21/9/20 10:00, "Lamiaa Chnayti" <lamiaachnayti at gmail.com> escribi?:
>>
>>
>>
>> Hi Fernando,
>>
>>
>>
>> I think you are very confused. I never said I have a problem with people
>> completing their registration. Keep registration---having an abuse contact
>> Email in the whois, just like tech contact or admin contact--I am perfectly
>> fine with it, and I think the current policy achieves 99% it, if you want
>> to add this contact as mandatory field I am fine with it as well.
>>
>>
>>
>> But the problem of this policy in 8.3-8.6, is that it requires AFRINIC
>> to monitor the members HOW to manage their abuse mailbox down to the
>> subject line, and that is out of the scope of AFRINIC, just read my last
>> email with logic in mind and you will understand. I suggest this policy
>> should be very simple, adding one line to the current policy-- abuse
>> contact is mandatory, and it's done, everything else should be deleted.
>>
>>
>>
>> And again, you are trying to use AFRINIC for something that is not in its
>> scope, how someone manages their mailbox is not in the scope of AFRINIC, it
>> is like you go to your local church to ask them to arrest your neighbour
>> who plays loud music at night when you should go to police instead. Same
>> thing for someone running an abusive network, as many already stated, it is
>> up to a local Jury to decide if it is simply at an annoying level or a
>> criminal offense, but either way please do go to your local police to
>> report it.
>>
>>
>>
>> As for the internet, we never tell you how to behave--you are entirely at
>> your rights in the internet to behave abusively, but it is also entirely in
>> everyone's rights to block you, that's how de-centralizing works, no
>> central governing, everyone plays nice because that's the only way for
>> everyone else to play with you, and this policy here asks AFRINIC to act
>> like a central government even down to manage people's mailbox's subject
>> line and that is way beyond what internet meant to be.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Lamiaa
>>
>>
>>
>> Le dim. 20 sept. 2020 ? 23:42, Fernando Frediani <fhfrediani at gmail.com>
>> a ?crit :
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On 19/09/2020 13:19, Lamiaa Chnayti wrote:
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> <clip>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> How is it in the scope of AFRINIC to decide how I manage my abuse
>> mailbox? If I want to reply only to a specific subject line of my abuse
>> box, it is entirely in my right to do. Even if I don't want to reply at the
>> abuse mailbox at all, that is my right to do so and if I think no action in
>> my network would be considered abuse (although unlikely), but it is still
>> from the internet community point of view, entirely in my right to do so.
>> You might choose to block me as a network, but that is also your right.
>>
>>
>>
>> The reason internet is called INTER-NET is because of its decentralized
>> nature, you have to play nice for others to play with you, but this
>> community never forces anyone to play nice, it is not in the scope of
>> AFRINIC to decide how members reply to their abuse mailbox, so if 8.3,8.4,
>> 8.5 and 8.6 are deleted in its entirety, I might consider supporting it.
>> Also Jordi, I feel you always have this central management type of
>> thinking, and that is so not internet.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> It is not in the scope of any RIR how anyone manage people's
>>
>> mailboxes.
>>
>>
>> Nobody exists alone in the Internet. If an organization
>>
>> hypothetically doesn't care at all and refuses to respond to abuse
>>
>> emails it probably should re-think its existence in the Internet
>>
>> business.
>>
>>
>>
>> The Internet is what is among many reasons because of the
>>
>> cooperation among its organizations, and there are certain rules
>>
>> that are agreed cooperatively and must be observed by everyone
>>
>> willing remain on it, otherwise it may in many cases cause serious
>>
>> damage to those willing to operate in serious manner and keep it a
>>
>> healthy place to most people who depend on it.
>>
>>
>>
>>
>> This forum is about setting rules on how registration information
>>
>> about resources are kept and it may be of the wish of the
>>
>> community to refuse keep registration for those who repetitively
>>
>> abuse of their individual rights.
>>
>>
>>
>> Fernando
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>>
>>
>> Lamiaa
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Le ven. 18 sept. 2020 ? 09:23,
>>
>> JORDI PALET MARTINEZ via RPD <rpd at afrinic.net> a ?crit :
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Hi Lamiaa,
>>
>>
>>
>>
>>
>>
>>
>> I don?t agree. Internet doesn't depend on
>>
>> any jurisdiction; abuse is about what I (the victim
>>
>> operator) consider abuse. The RFC is clear about that,
>>
>> in short ?Inappropriate public behaviour? (is a
>>
>> mailbox so to be able to contact in case there is a
>>
>> possible inappropriate behaviour in the public
>>
>> Internet). If you want a clearer definition, abuse is
>>
>> *anything* that I don?t want to accept in my
>>
>> network because is in any way damaging it.
>>
>>
>>
>>
>>
>>
>>
>> If I don?t want to accept a DoS, or spam,
>>
>> or phising, DMCA, or whatever, this is abuse *for
>>
>> me*. I?ve the right to tell you because that
>>
>> abuse is coming from your network. If you believe that
>>
>> is not abuse (and here is your jurisdiction in some
>>
>> cases, in other just doesn?t exist, but it may be also
>>
>> your ?business? decision ? like operators that don?t
>>
>> care if their customers do spam or intrusion
>>
>> attempts), you?ve the right to tell me ?sorry, this is
>>
>> not abuse for us?, and then I?ve the right to decide
>>
>> if I should filter your network based on your
>>
>> response.
>>
>>
>>
>>
>>
>>
>>
>> Not having an abuse contact, means that
>>
>> I?m not able to contact you, so we can?t talk, we
>>
>> can?t investigate or agree if it is an abuse or not,
>>
>> so you (the offender operator) don?t have the chance
>>
>> to decide about it! Is bad for you, is bad for me. In
>>
>> those cases, my best choice is to filter you. This
>>
>> create problems for your customers and my customers.
>>
>>
>>
>>
>>
>>
>>
>> We can?t depend on jurisdictions, because
>>
>> then the policy will need to consider inter-relations
>>
>> among every possible ?pairs? of country worlds, and we
>>
>> will need to update the policy based on any
>>
>> jurisdiction change. The policy is not about that, is
>>
>> about having a valid responsible contact, not about
>>
>> deciding what is an abuse, which is among the two
>>
>> parties.
>>
>>
>>
>>
>>
>>
>>
>> Tell me what is different from AFRINIC
>>
>> than the rest of the world, because none of the RIRs
>>
>> have defined abuse in their policies. I even don?t
>>
>> recall that having appeared in the discussions!
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> If
>>
>> you want, I?m happy to change the title of the
>>
>> proposal to ?supposed abuse contact?, that may be
>>
>> clearing your point?
>>
>>
>>
>>
>>
>>
>>
>> Again,
>>
>> this is not about defining what is abuse, this is
>>
>> among the parties. It is about making sure that
>>
>> there is a valid responsible contact in case of
>>
>> anyone needs to report what he considers an abuse.
>>
>> AFRINIC will not punish anyone that believes that
>>
>> his customer is not doing an abuse because in his
>>
>> country is not an abuse.
>>
>>
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>> Jordi
>>
>>
>>
>> @jordipalet
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> El
>>
>> 18/9/20 9:59, "Lamiaa Chnayti" <lamiaachnayti at gmail.com>
>>
>> escribi?:
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Hello
>>
>> Jordi,
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> RFC2142
>>
>> only defines a tiny portion of the network abuse. In
>>
>> real world operation, abuse consists of a much
>>
>> boarder range : DMCA(copy rights) claims,
>>
>> unsolicited emails , phishing websites , trade mark
>>
>> disputes etc.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> All
>>
>> those are legal issues that vary vastly across
>>
>> different juridictions in which no one but each of
>>
>> the juridiction?s judges can decide if it is an
>>
>> abuse or an illegal activity. Claiming that RFC2142
>>
>> defines not even 1% of real world abuse is
>>
>> laughable.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Lamiaa
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Le jeu.
>>
>> 17 sept. 2020 ? 15:51, JORDI PALET MARTINEZ via
>>
>> RPD <rpd at afrinic.net>
>>
>> a ?crit :
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Hi
>>
>> Lamiaa,
>>
>>
>>
>>
>>
>>
>>
>> I?ve
>>
>> said this already. This policy doesn?t
>>
>> enforce abuse, it enforces that the abuse
>>
>> contact is there, and works.
>>
>>
>>
>>
>>
>>
>>
>> Today
>>
>> AFRINIC is paying for the cost of the
>>
>> abuse handling because only a tiny
>>
>> fraction of the members has the abuse
>>
>> contacts in place.
>>
>>
>>
>>
>>
>>
>>
>> If
>>
>> the contacts in the RIR database aren?t
>>
>> actual and accurate, this is a clear
>>
>> violation of the RSA. So what is
>>
>> unacceptable is not having the contacts,
>>
>> not on the other way around.
>>
>>
>>
>>
>>
>>
>>
>> Abuse
>>
>> is not defined by the RIRs, everybody
>>
>> knows it and this is the reason why NONE
>>
>> of the RIRs have re-defined it, because it
>>
>> is already stated in RFC2142. Can you
>>
>> justify why AFRINIC is different and need
>>
>> a definition?
>>
>>
>>
>>
>>
>>
>>
>> How
>>
>> you define it in the networks that you
>>
>> operate?
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>> Jordi
>>
>>
>>
>> @jordipalet
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> El 17/9/20
>>
>> 10:49, "Lamiaa Chnayti" <lamiaachnayti at gmail.com>
>>
>> escribi?:
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Hello,
>>
>>
>>
>>
>>
>>
>>
>> I
>>
>> will have to agree with Lucilla on what
>>
>> she said and would like to add to it
>>
>> that :
>>
>>
>>
>> Firstly, Abuse
>>
>> enforcement is out of scope for RIRs.
>>
>>
>>
>> Secondly, RIRs
>>
>> have no ability to define what is
>>
>> ?abuse?, one abuse or even criminal
>>
>> activity could be entirely a legal
>>
>> operation in a different jurisdiction.
>>
>>
>>
>> Finally, making
>>
>> a member forcefully reply to abuse
>>
>> contact Emails are a waste of resources
>>
>> and totally pointless, it is entirely up
>>
>> to the member to define what they think
>>
>> is acceptable in their network operation
>>
>> and how they react to it. AFRINIC has no
>>
>> mandate to force any member to reply to
>>
>> an ?abuse?, since AFRINIC doesn?t even
>>
>> have the ability to identify what is
>>
>> considered an abuse.
>>
>>
>>
>> Therefore the
>>
>> entire policy is out of scope for the
>>
>> RIR operation.
>>
>>
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>>
>>
>>
>>
>> Lamiaa
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Le jeu. 17
>>
>> sept. 2020 ? 07:42, JORDI PALET MARTINEZ
>>
>> via RPD <rpd at afrinic.net>
>>
>> a ?crit :
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Hi Lucilla,
>>
>>
>>
>>
>>
>>
>>
>> Today we already have
>>
>> mnt-IRT, and everybody who operate
>>
>> networks understand what it is an
>>
>> abuse. If you operate networks you
>>
>> know that *anything* which
>>
>> is a non-authorized use of a
>>
>> network is an abuse.
>>
>>
>>
>>
>>
>>
>>
>> If you send spam,
>>
>> attack networks, try to intrude
>>
>> networks, etc., all those are
>>
>> abuse.
>>
>>
>>
>>
>>
>>
>>
>> What the policy ask
>>
>> is to make sure that in AFRINIC
>>
>> everybody has an abuse contact
>>
>> (today we have mnt-IRT, but is not
>>
>> mandatory, and as a results many
>>
>> African networks are filtered
>>
>> because lack of that ? and
>>
>> consequently they do not respond
>>
>> to abuse cases -, which exist in
>>
>> all the other regions of the
>>
>> world).
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Not having an abuse
>>
>> means more chances of legal
>>
>> actions, more cost, for both the
>>
>> victims and the ISPs. Having
>>
>> that means that you have more
>>
>> chances to resolve it in
>>
>> goodfaith.
>>
>>
>>
>>
>>
>>
>>
>> One of the *most
>>
>> important* Afrinic
>>
>> missions is to have accuracy on
>>
>> the database, which includes
>>
>> accuracy on the contacts. We are
>>
>> not fulfilling that in this
>>
>> situation.
>>
>>
>>
>>
>>
>>
>>
>> Remember that *all*
>>
>> the other RIRs have already this
>>
>> kind of policy. This one is like
>>
>> the one that has been
>>
>> implemented in APNIC, and the
>>
>> accuracy of the contacts is now
>>
>> 87.5% as reported this month in
>>
>> the last APNIC meeting. In that
>>
>> report *none* of the
>>
>> members indicated any of the
>>
>> issues that you indicated
>>
>> (didn't happened as well in the
>>
>> other regions).
>>
>>
>>
>>
>>
>>
>>
>> You know who is
>>
>> interested in not having abuse
>>
>> contacts? Those that use their
>>
>> networks for doing abuse
>>
>> (hijacking, spam, DoS,
>>
>> intrusions, etc.).
>>
>>
>>
>>
>>
>>
>>
>> Can you explain if
>>
>> the network that you operate has
>>
>> an abuse contact an how if one
>>
>> of your customes is trying to
>>
>> penetrate my network or do a
>>
>> DoS, I will be able to contact
>>
>> you and if you will do anything
>>
>> or just ignore it?
>>
>>
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>> Jordi
>>
>>
>>
>> @jordipalet
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> El
>>
>> 17/9/20 2:21, "lucilla fornaro"
>>
>> <lucillafornarosawamoto at gmail.com>
>>
>> escribi?:
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Dear
>>
>> all,
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> I
>>
>> have some concerns about the
>>
>> ?Abuse Contact Policy?.
>>
>>
>>
>>
>>
>>
>>
>> First
>>
>> of all, it does not offer a
>>
>> specific and regulated
>>
>> description of the term
>>
>> ?abuse? and this opens the
>>
>> door to potentially bigger
>>
>> problems: a surplus of
>>
>> reports, discrimination/legal
>>
>> issues, and a waste of
>>
>> resources. Around the world,
>>
>> we can perceive what abuse is
>>
>> in very different ways.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Afrinic
>>
>> is not entitled to force
>>
>> members to report abuses and
>>
>> most importantly, this
>>
>> proposal does not represent
>>
>> Afrinic?s purpose.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> I,
>>
>> therefore, oppose this policy.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Thank
>>
>> you,
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Lucilla
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>> RPD mailing list RPD at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>>
>>
>>
>>
>>
>>
>> **********************************************
>>
>>
>> IPv4 is over
>>
>>
>> Are you ready for the new Internet ?
>>
>>
>> http://www.theipv6company.com
>>
>>
>> The IPv6 Company
>>
>>
>>
>>
>>
>> This electronic message contains
>>
>> information which may be privileged or
>>
>> confidential. The information is
>>
>> intended to be for the exclusive use
>>
>> of the individual(s) named above and
>>
>> further non-explicilty authorized
>>
>> disclosure, copying, distribution or
>>
>> use of the contents of this
>>
>> information, even if partially,
>>
>> including attached files, is strictly
>>
>> prohibited and will be considered a
>>
>> criminal offense. If you are not the
>>
>> intended recipient be aware that any
>>
>> disclosure, copying, distribution or
>>
>> use of the contents of this
>>
>> information, even if partially,
>>
>> including attached files, is strictly
>>
>> prohibited, will be considered a
>>
>> criminal offense, so you must reply to
>>
>> the original sender to inform about
>>
>> this communication and delete it.
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>>
>> RPD mailing list
>>
>>
>> RPD at afrinic.net
>>
>>
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> **********************************************
>>
>>
>>
>>
>>
>> IPv4 is over
>>
>>
>>
>>
>>
>> Are you ready for the new Internet ?
>>
>>
>>
>>
>>
>> http://www.theipv6company.com
>>
>>
>>
>>
>>
>> The IPv6 Company
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> This electronic message contains information
>>
>> which may be privileged or confidential. The
>>
>> information is intended to be for the
>>
>> exclusive use of the individual(s) named above
>>
>> and further non-explicilty authorized
>>
>> disclosure, copying, distribution or use of
>>
>> the contents of this information, even if
>>
>> partially, including attached files, is
>>
>> strictly prohibited and will be considered a
>>
>> criminal offense. If you are not the intended
>>
>> recipient be aware that any disclosure,
>>
>> copying, distribution or use of the contents
>>
>> of this information, even if partially,
>>
>> including attached files, is strictly
>>
>> prohibited, will be considered a criminal
>>
>> offense, so you must reply to the original
>>
>> sender to inform about this communication and
>>
>> delete it.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>>
>>
>>
>>
>> RPD mailing list
>>
>>
>>
>>
>>
>> RPD at afrinic.net
>>
>>
>>
>>
>>
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Le jeu.
>>
>> 17 sept. 2020 ? 15:49, JORDI PALET MARTINEZ via
>>
>> RPD <rpd at afrinic.net>
>>
>> a ?crit :
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Hi
>>
>> Lamiaa,
>>
>>
>>
>>
>>
>>
>>
>> I?ve
>>
>> said this already. This policy doesn?t
>>
>> enforce abuse, it enforces that the abuse
>>
>> contact is there, and works.
>>
>>
>>
>>
>>
>>
>>
>> Today
>>
>> AFRINIC is paying for the cost of the abuse
>>
>> handling because only a tiny fraction of the
>>
>> members has the abuse contacts in place.
>>
>>
>>
>>
>>
>>
>>
>> If the
>>
>> contacts in the RIR database aren?t actual
>>
>> and accurate, this is a clear violation of
>>
>> the RSA. So what is unacceptable is not
>>
>> having the contacts, not on the other way
>>
>> around.
>>
>>
>>
>>
>>
>>
>>
>> Abuse is
>>
>> not defined by the RIRs, everybody knows it
>>
>> and this is the reason why NONE of the RIRs
>>
>> have re-defined it, because it is already
>>
>> stated in RFC2142. Can you justify why
>>
>> AFRINIC is different and need a definition?
>>
>>
>>
>>
>>
>>
>>
>> How you
>>
>> define it in the networks that you operate?
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>> Jordi
>>
>>
>>
>> @jordipalet
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> El 17/9/20
>>
>> 10:49, "Lamiaa Chnayti" <lamiaachnayti at gmail.com>
>>
>> escribi?:
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Hello,
>>
>>
>>
>>
>>
>>
>>
>> I
>>
>> will have to agree with Lucilla on what
>>
>> she said and would like to add to it that
>>
>> :
>>
>>
>>
>> Firstly, Abuse
>>
>> enforcement is out of scope for RIRs.
>>
>>
>>
>> Secondly, RIRs
>>
>> have no ability to define what is ?abuse?,
>>
>> one abuse or even criminal activity could
>>
>> be entirely a legal operation in a
>>
>> different jurisdiction.
>>
>>
>>
>> Finally, making
>>
>> a member forcefully reply to abuse contact
>>
>> Emails are a waste of resources and
>>
>> totally pointless, it is entirely up to
>>
>> the member to define what they think is
>>
>> acceptable in their network operation and
>>
>> how they react to it. AFRINIC has no
>>
>> mandate to force any member to reply to an
>>
>> ?abuse?, since AFRINIC doesn?t even have
>>
>> the ability to identify what is considered
>>
>> an abuse.
>>
>>
>>
>> Therefore the
>>
>> entire policy is out of scope for the RIR
>>
>> operation.
>>
>>
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>>
>>
>>
>>
>> Lamiaa
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Le jeu. 17
>>
>> sept. 2020 ? 07:42, JORDI PALET MARTINEZ
>>
>> via RPD <rpd at afrinic.net>
>>
>> a ?crit :
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Hi
>>
>> Lucilla,
>>
>>
>>
>>
>>
>>
>>
>> Today
>>
>> we already have mnt-IRT, and
>>
>> everybody who operate networks
>>
>> understand what it is an abuse. If
>>
>> you operate networks you know that *anything*
>>
>> which is a non-authorized use of a
>>
>> network is an abuse.
>>
>>
>>
>>
>>
>>
>>
>> If
>>
>> you send spam, attack networks, try
>>
>> to intrude networks, etc., all those
>>
>> are abuse.
>>
>>
>>
>>
>>
>>
>>
>> What
>>
>> the policy ask is to make sure that
>>
>> in AFRINIC everybody has an abuse
>>
>> contact (today we have mnt-IRT, but
>>
>> is not mandatory, and as a results
>>
>> many African networks are filtered
>>
>> because lack of that ? and
>>
>> consequently they do not respond to
>>
>> abuse cases -, which exist in all
>>
>> the other regions of the world).
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Not having an abuse
>>
>> means more chances of legal
>>
>> actions, more cost, for both the
>>
>> victims and the ISPs. Having that
>>
>> means that you have more chances
>>
>> to resolve it in goodfaith.
>>
>>
>>
>>
>>
>>
>>
>> One of the *most
>>
>> important* Afrinic missions
>>
>> is to have accuracy on the
>>
>> database, which includes accuracy
>>
>> on the contacts. We are not
>>
>> fulfilling that in this situation.
>>
>>
>>
>>
>>
>>
>>
>> Remember that *all*
>>
>> the other RIRs have already this
>>
>> kind of policy. This one is like
>>
>> the one that has been implemented
>>
>> in APNIC, and the accuracy of the
>>
>> contacts is now 87.5% as reported
>>
>> this month in the last APNIC
>>
>> meeting. In that report *none*
>>
>> of the members indicated any of
>>
>> the issues that you indicated
>>
>> (didn't happened as well in the
>>
>> other regions).
>>
>>
>>
>>
>>
>>
>>
>> You know who is
>>
>> interested in not having abuse
>>
>> contacts? Those that use their
>>
>> networks for doing abuse
>>
>> (hijacking, spam, DoS, intrusions,
>>
>> etc.).
>>
>>
>>
>>
>>
>>
>>
>> Can you explain if
>>
>> the network that you operate has
>>
>> an abuse contact an how if one of
>>
>> your customes is trying to
>>
>> penetrate my network or do a DoS,
>>
>> I will be able to contact you and
>>
>> if you will do anything or just
>>
>> ignore it?
>>
>>
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>> Jordi
>>
>>
>>
>> @jordipalet
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> El
>>
>> 17/9/20 2:21, "lucilla fornaro"
>>
>> <lucillafornarosawamoto at gmail.com>
>>
>> escribi?:
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Dear
>>
>> all,
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> I
>>
>> have some concerns about the
>>
>> ?Abuse Contact Policy?.
>>
>>
>>
>>
>>
>>
>>
>> First
>>
>> of all, it does not offer a
>>
>> specific and regulated
>>
>> description of the term ?abuse?
>>
>> and this opens the door to
>>
>> potentially bigger problems: a
>>
>> surplus of reports,
>>
>> discrimination/legal issues, and
>>
>> a waste of resources. Around the
>>
>> world, we can perceive what
>>
>> abuse is in very different ways.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Afrinic
>>
>> is not entitled to force members
>>
>> to report abuses and most
>>
>> importantly, this proposal does
>>
>> not represent Afrinic?s purpose.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> I,
>>
>> therefore, oppose this policy.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Thank
>>
>> you,
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Lucilla
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>> RPD mailing list RPD at afrinic.net
>>
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>>
>>
>>
>>
>>
>>
>> **********************************************
>>
>>
>> IPv4 is over
>>
>>
>> Are you ready for the new Internet ?
>>
>>
>> http://www.theipv6company.com
>>
>>
>> The IPv6 Company
>>
>>
>>
>>
>>
>> This electronic message contains
>>
>> information which may be privileged or
>>
>> confidential. The information is
>>
>> intended to be for the exclusive use of
>>
>> the individual(s) named above and
>>
>> further non-explicilty authorized
>>
>> disclosure, copying, distribution or use
>>
>> of the contents of this information,
>>
>> even if partially, including attached
>>
>> files, is strictly prohibited and will
>>
>> be considered a criminal offense. If you
>>
>> are not the intended recipient be aware
>>
>> that any disclosure, copying,
>>
>> distribution or use of the contents of
>>
>> this information, even if partially,
>>
>> including attached files, is strictly
>>
>> prohibited, will be considered a
>>
>> criminal offense, so you must reply to
>>
>> the original sender to inform about this
>>
>> communication and delete it.
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>>
>> RPD mailing list
>>
>>
>> RPD at afrinic.net
>>
>>
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> **********************************************
>>
>>
>>
>>
>>
>>
>>
>>
>> IPv4 is over
>>
>>
>>
>>
>>
>>
>>
>>
>> Are you ready for the new Internet ?
>>
>>
>>
>>
>>
>>
>>
>>
>> http://www.theipv6company.com
>>
>>
>>
>>
>>
>>
>>
>>
>> The IPv6 Company
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> This electronic message contains information
>>
>> which may be privileged or confidential. The
>>
>> information is intended to be for the exclusive
>>
>> use of the individual(s) named above and further
>>
>> non-explicilty authorized disclosure, copying,
>>
>> distribution or use of the contents of this
>>
>> information, even if partially, including
>>
>> attached files, is strictly prohibited and will
>>
>> be considered a criminal offense. If you are not
>>
>> the intended recipient be aware that any
>>
>> disclosure, copying, distribution or use of the
>>
>> contents of this information, even if partially,
>>
>> including attached files, is strictly
>>
>> prohibited, will be considered a criminal
>>
>> offense, so you must reply to the original
>>
>> sender to inform about this communication and
>>
>> delete it.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>>
>>
>>
>>
>> RPD mailing list
>>
>>
>>
>>
>>
>> RPD at afrinic.net
>>
>>
>>
>>
>>
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Lamiaa
>>
>> CHNAYTI
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> **********************************************
>>
>>
>> IPv4 is over
>>
>>
>> Are you ready for the new Internet ?
>>
>>
>> http://www.theipv6company.com
>>
>>
>> The IPv6 Company
>>
>>
>>
>>
>>
>> This electronic message contains information which may be
>>
>> privileged or confidential. The information is intended to
>>
>> be for the exclusive use of the individual(s) named above
>>
>> and further non-explicilty authorized disclosure, copying,
>>
>> distribution or use of the contents of this information,
>>
>> even if partially, including attached files, is strictly
>>
>> prohibited and will be considered a criminal offense. If you
>>
>> are not the intended recipient be aware that any disclosure,
>>
>> copying, distribution or use of the contents of this
>>
>> information, even if partially, including attached files, is
>>
>> strictly prohibited, will be considered a criminal offense,
>>
>> so you must reply to the original sender to inform about
>>
>> this communication and delete it.
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>>
>> RPD mailing list
>>
>>
>> RPD at afrinic.net
>>
>>
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>> RPD mailing list
>>
>> RPD at afrinic.net
>>
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>> RPD mailing list
>>
>> RPD at afrinic.net
>>
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>> --
>>
>> Lamiaa CHNAYTI
>>
>>
>>
>> _______________________________________________ RPD mailing list
>> RPD at afrinic.net https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>>
>> **********************************************
>> IPv4 is over
>> Are you ready for the new Internet ?
>> http://www.theipv6company.com
>> The IPv6 Company
>>
>> This electronic message contains information which may be privileged or
>> confidential. The information is intended to be for the exclusive use of
>> the individual(s) named above and further non-explicilty authorized
>> disclosure, copying, distribution or use of the contents of this
>> information, even if partially, including attached files, is strictly
>> prohibited and will be considered a criminal offense. If you are not the
>> intended recipient be aware that any disclosure, copying, distribution or
>> use of the contents of this information, even if partially, including
>> attached files, is strictly prohibited, will be considered a criminal
>> offense, so you must reply to the original sender to inform about this
>> communication and delete it.
>>
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: <
>> https://lists.afrinic.net/pipermail/rpd/attachments/20200921/38d79b2f/attachment.html
>> >
>>
>> ------------------------------
>>
>> Subject: Digest Footer
>>
>> _______________________________________________
>> RPD mailing list
>> RPD at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>> ------------------------------
>>
>> End of RPD Digest, Vol 168, Issue 143
>> *************************************
>>
>>
>> **********************************************
>> IPv4 is over
>> Are you ready for the new Internet ?
>> http://www.theipv6company.com
>> The IPv6 Company
>>
>> This electronic message contains information which may be privileged or
>> confidential. The information is intended to be for the exclusive use of
>> the individual(s) named above and further non-explicilty authorized
>> disclosure, copying, distribution or use of the contents of this
>> information, even if partially, including attached files, is strictly
>> prohibited and will be considered a criminal offense. If you are not the
>> intended recipient be aware that any disclosure, copying, distribution or
>> use of the contents of this information, even if partially, including
>> attached files, is strictly prohibited, will be considered a criminal
>> offense, so you must reply to the original sender to inform about this
>> communication and delete it.
>>
>> _______________________________________________
>> RPD mailing list
>> RPD at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>>
>> _______________________________________________
>>
>> RPD mailing list
>>
>> RPD at afrinic.net
>>
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>> _______________________________________________ RPD mailing list
>> RPD at afrinic.net https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>> **********************************************
>> IPv4 is over
>> Are you ready for the new Internet ?
>> http://www.theipv6company.com
>> The IPv6 Company
>>
>> This electronic message contains information which may be privileged or
>> confidential. The information is intended to be for the exclusive use of
>> the individual(s) named above and further non-explicilty authorized
>> disclosure, copying, distribution or use of the contents of this
>> information, even if partially, including attached files, is strictly
>> prohibited and will be considered a criminal offense. If you are not the
>> intended recipient be aware that any disclosure, copying, distribution or
>> use of the contents of this information, even if partially, including
>> attached files, is strictly prohibited, will be considered a criminal
>> offense, so you must reply to the original sender to inform about this
>> communication and delete it.
>>
>> _______________________________________________ RPD mailing list
>> RPD at afrinic.net https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>> **********************************************
>> IPv4 is over
>> Are you ready for the new Internet ?
>> http://www.theipv6company.com
>> The IPv6 Company
>>
>> This electronic message contains information which may be privileged or
>> confidential. The information is intended to be for the exclusive use of
>> the individual(s) named above and further non-explicilty authorized
>> disclosure, copying, distribution or use of the contents of this
>> information, even if partially, including attached files, is strictly
>> prohibited and will be considered a criminal offense. If you are not the
>> intended recipient be aware that any disclosure, copying, distribution or
>> use of the contents of this information, even if partially, including
>> attached files, is strictly prohibited, will be considered a criminal
>> offense, so you must reply to the original sender to inform about this
>> communication and delete it.
>>
>> _______________________________________________
>> RPD mailing list
>> RPD at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>> _______________________________________________
>> RPD mailing list
>> RPD at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>>
>> **********************************************
>> IPv4 is over
>> Are you ready for the new Internet ?
>> http://www.theipv6company.com
>> The IPv6 Company
>>
>> This electronic message contains information which may be privileged or
>> confidential. The information is intended to be for the exclusive use of
>> the individual(s) named above and further non-explicilty authorized
>> disclosure, copying, distribution or use of the contents of this
>> information, even if partially, including attached files, is strictly
>> prohibited and will be considered a criminal offense. If you are not the
>> intended recipient be aware that any disclosure, copying, distribution or
>> use of the contents of this information, even if partially, including
>> attached files, is strictly prohibited, will be considered a criminal
>> offense, so you must reply to the original sender to inform about this
>> communication and delete it.
>>
>>
>> **********************************************
>> IPv4 is over
>> Are you ready for the new Internet ?
>> http://www.theipv6company.com
>> The IPv6 Company
>>
>> This electronic message contains information which may be privileged or
>> confidential. The information is intended to be for the exclusive use of
>> the individual(s) named above and further non-explicilty authorized
>> disclosure, copying, distribution or use of the contents of this
>> information, even if partially, including attached files, is strictly
>> prohibited and will be considered a criminal offense. If you are not the
>> intended recipient be aware that any disclosure, copying, distribution or
>> use of the contents of this information, even if partially, including
>> attached files, is strictly prohibited, will be considered a criminal
>> offense, so you must reply to the original sender to inform about this
>> communication and delete it.
>>
>> _______________________________________________
>> RPD mailing list
>> RPD at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
> _______________________________________________
> RPD mailing list
> RPD at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/rpd
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20200928/a5ef1cb7/attachment-0001.html>
More information about the RPD
mailing list