Anti‑Abuse Working Group
24th November 2021
10:30 (UTC + 1)
BRIAN NISBET: Hello and good morning, RIPE 83. How are we all this morning? So, my name is Brian Nisbet, and, along with Tobias and Alireza, we are your co‑chairs for the Anti‑Abuse Working Group, and I'm going to share some slides.
We have a reasonable number of things to get through this morning ‑ and I will just share these slides ‑ over the next certainly no more than 90 minutes. So first off, as I said welcome to all of you. I hope you are enjoying this RIPE meeting, virtual as it may be, and we'll talk about the future in a bit. The first thing I am going to do is update people, I am going to put on my Programme Committee hat. Those of you who are desperately wanting to vote in the PC election over these couple of days, we have had two candidates for the PC elections and we have two seats. So we won't be having an election. We will be announcing those names on Friday, and we'll also be talking a little bit about why we think we only had two candidates, etc. But we'll talk about that in the Plenary on Friday morning. So if you are desperately wondering and hoping to vote, you won't have to at this meeting.
Back to the Anti‑Abuse Working Group. So, first of all, thanks to all of the NCC staff who are supporting us in this meeting, whether it's scribing, looking at chat, the non‑NCC staff but ever‑wonderful stenographers, and, of course, the NCC staff who are managing Meetecho and live‑stream, and I just want to say a repeated thank you to all of them for the huge support they have given to us over now our fourth virtual Anti‑Abuse Working Group session and indeed fourth virtual RIPE meeting.
So this is interactive. If you do wish to engage, there is a chat box, but that's the chat, it's recorded, it's a part of the meeting, but we're not going to be looking at it for questions to either ourselves or to any of the speakers. If you wish to ask a question, you may do so by requesting audio or video in Meetecho, or by putting something into the question‑and‑answer box, and then we'll read that out. So, please use one of those two methods. If you put a question in just the normal chat box, it may well pass on by and not be seen.
You can rate the talks in this Working Group. This is a Working Group, it's not a set of presentations, but if you do have feedback for us, then that will be great and you can give it via the talk‑rating mechanism in the main RIPE 83 website. And also, of course, you can mail us. These are all things you can do.
So, the minutes from RIPE 82 were sent out and I don't think there was much response. If there are any comments that anybody has now about those minutes, then you should say something. I'm not seeing anybody requesting anything or saying anything, I'll give it a moment just in case people are typing slowly. No. That seems very much like an approved set of minutes at this point in time. So thank you very much.
Finalised agenda. I think we have one as published. I am going to check my e‑mail again just very briefly to make sure that last‑minute ‑‑ no, that last‑minute potential talk did not appear, so we'll worry about that at the next meeting, hopefully. So, the agenda is finalised.
So the last bit of administrative matters we have is the Working Group Chair selection. So both Tobias and Alireza, their three‑year terms come to an end at this meeting. As you will have seen from the mailing list, Tobias put himself forward again and Tobias is the only person who put himself forward again. Unfortunately, life is happening to Alireza and he won't be able to continue as a co‑chair, but I would like to thank him very much for the work he has done over the last three years for the Working Group.
This means we have two co‑chairs, which is a perfectly fine situation. It also means that there is a slot free if somebody in the community wishes to get involved, wishes to become a co‑chair of the Anti‑Abuse Working Group. I didn't get any other responses on the mailing list, which is a bit of a pity, even some expressions of interest, but we can run with two quite happily, this will not diminish the Working Group, but if somebody does, either today or at some point in the future, suddenly have a wish to get involved, then please mail the Chairs and we can talk and we can talk to the mailing list about that.
So, once again, thanks to Alireza and Tobias and I will soldier on in that regard.
So I think that's all the administrivia out of the way. So we shall move on.
So this is our standard agenda item. It's a question of whether there is anything to discuss about recent list discussion. I personally have nothing I want to raise or talk about, but does anybody else have anything they want to discuss here about things that were on the list since RIPE 82? Again, seeing no requests for the mic, nor seeing anything in the Q&A, I will move on.
So, what are we moving on to? We are moving on to what we said we'll call our interactions in this meeting. So, first off, I will ask Gerardo to give your presentation, please, on the potential RIPE NCC abuse handling training.
GERARDO VIVIERS: Good morning, thank you, Brian. Let me see if I can share my slides, I have a set of slides to support me on my chit‑chat.
By the way, there will be no weird sounds, except my voice. So, good morning, everybody. My name is Gerardo Viviers and I am from the learning and development department of the RIPE NCC, and I am going to be talking about a project that was originated by the Anti‑Abuse Working Group, and that's why it's called About a Training and Anti‑Abuse Working Group Quest.
Now, the thing is that we were approached by the Anti‑Abuse Working Group with the question, if there was any way we could help, and we said okay, help with what? Well with an anti‑abuse training. Okay. Sounds like something new for us, because we're not really into the anti‑abuse activity, but we talked a lot with people from the Working Group, and we said okay, I think we can help. It's going to be quite easy because actually the Working Group already took the first step and that was making sure that there is a point of contact where people can report their abuse complaints. So the abuse‑c policy that the Working Group put out was actually the first step. This is something that is facilitating for us, because we don't have to explain to people well, where do you send your abuse reports? That's already taken care of by the policy. Everybody should have one abuse‑c by now in the RIPE Database for all their objects, and if you don't, well you can always talk to Registry Services, who can help you do that, of course; go to the service hub.
Now, the thing where we stand to think about okay, what should we do next, is, well, how to handle the complaints. We have no direct experience, because we do learning and development, not anti‑abuse, and so when people get an abuse complaint, we don't really know what to do first. Well, of course, read it, and then what to do next? What's the next step? What do you do now? Does everybody do the same thing? Should there be best practices? Maybe there are best common practices out there? We don't know, we have to look into that. We got a lot of information already from the Working Group, but we need to know some more.
So what we can do to help is to provide this training about what is abuse, how to handle abuse, point them to some useful resources out there. We got quite a lot already from the Working Group beforehand. And, of course, trying to create a dialogue in the community. It's not about telling people this is what you should do, this is what you shouldn't do, but, okay, this is what people out there are doing, and why don't you talk to each other and figure out how to get this to work.
Our next actions now, besides launching this project, is to do the analysis, what information that we received is relevant for LIRs and what is not. What is useful for them and what is maybe just a nice to know. And for that, we of course want to get your input. We already have quite a lot of people from the Working Group signed on, and we just recently heard that there is other people from ‑‑ who are interested also in participating, like from the SIDN, Mark ‑ from the SIDN, he offered to help. That's great. If you also think that you have something to give us, well of course, feel free to contact us.
Now, the first thing that we're going to do, and this is because it's quick to develop, is create a webinar. That's easy because we just need a good slide‑set with information that we have to transfer, and then we just present it. At this moment, we can't do a face‑to‑face course, of course, but a webinar serves perfectly fine. Now, we'd also like to hear from you if there are any other formats that you would like, like maybe we could split up the content in several micro‑learnings, maybe we should do one module or two or three of an e‑learning course, something like that. So we'd like to hear from you, but whatever you prefer, what's your preferred vehicle.
And if you'd like to, of course tell us now.
Well, that was kind of like it. I don't really have much more to say. We're off to a great start. We're really excited to start tackling this and we hope to keep hearing from you. So, if there is any other questions, you can always reach me at my e‑mail, which is there, otherwise of course you can send a question and/or open up the mic, of course.
BRIAN NISBET: Thank you for that. And yeah, you know, I think obviously we have discussed this at length and we'd really like to see this come to fruition, but, as you say, it's really important that we get feedback from the people who do, you know, who are involved, who do want this. So, is there any feedback from people, even if you have ideas of what would be needed here and it doesn't ‑‑ you know, I think sort of it's fair to say even kind of second stage things, if there are people who are saying well this might be something to consider for, you know, the next stage of the training or otherwise.
GERARDO VIVIERS: Yeah. Even just a sums‑up is good.
ERIK BAIS: Good morning. Gerardo, I was one of the people that provided some inputs in the, in this whole idea. The focus that I had on this is to, at least, teach people where to get started in the anti‑abuse management. So, setting up an IPAM, something like NetBox, setting up a simple anti‑abuse system so that you can do ‑‑ automate the initial stuff, really the practical stuff that people may not have thought about to get started with, which I think could be easily in a workshop kind of setting. I'm not saying that this is going to be the solution and the end goal, but definitely a good start to get started with.
Talking about that part of the training that at least I would like to see, which I think the community would benefit a lot from, any plans or planning on when ‑‑ you know, when are we going to see something like that, if at all?
GERARDO VIVIERS: Planning is always a little bit difficult because things always pop up. So, priorities shift here and there. But I'd like to promise quarter 2, 2022, to have something to show.
ERIK BAIS: Oh, nice. All right. Excellent. I'd love to hear what the other people of the Working Group are looking forward into, you know, the trainings for their anti‑abuse staff, but yeah, definitely interested in this. Thanks.
BRIAN NISBET: Erik, before you go, one thing, and one thing that could be part of all of this, obviously in the hope that we return to the hybrid meetings, might be a workshop at a RIPE meeting as well, I mean where we do have that space. I mean, that's ‑‑ that obviously that would be a once‑off, but it's something that we could record as well. It's just ‑‑ I mean, it's just a notion that literally just popped in a my head that could be part of this, and that might be, you know, kind of maybe a next stage, or along with the webinar or something like that. As I said, it's just a ‑‑
ERIK BAIS: Yeah, it's ‑‑ especially providing people some playgrounds to, you know, why don't you just set up something like NetBox, what you need to do to get the right information in there and how will that match with the rest of the network, and the software provisions that you have in your environment. Doing that in a workshop‑like environment and basically put people behind a computer to, you know, let's do this for, you know, two hours, so that you can ask questions, stuff like that, it's very helpful. If that needs to be on a RIPE meeting itself, we may limit ourselves a bit too much because we're basically preaching to the choir.
BRIAN NISBET: I mean, maybe, but I suppose there are people, and I suppose it's kind of see what the world is like when we get to May of next year or even October or November of next year, we do know that there are people who come to RIPE meetings, especially new LIRs, with their ‑‑ maybe it's the only RIPE meeting they come to with their tickets, and I assume there'll be quite a few of those built up over the last two years, potentially. Again, I don't know. This is me just thinking out loud, but we do know there are people who come, you know, for the first time, small LIRs who will come to a RIPE meeting. We do know there are new people every year and we see that in the stats. I think what is it, 40% ‑‑ last time I looked at the stats, about 40% of the people who were coming to a RIPE meeting hadn't been to one before. So, it's something we can talk about over the winter, maybe.
ERIK BAIS: Definitely. Thanks.
GERARDO VIVIERS: I see a question.
BRIAN NISBET: Which I am going to read out now. And it's going to be...
Maximilian Beiche, who is a lawyer, says: "Hello, thank you for your presentation. Unfortunately, I think simply referring to the abuse‑c is too simplistic. At the latest since the GDPR anonymisation service providers are used for almost all information. A website owner can therefore hide very well. At the same time, there are host providers who react to the abuse e‑mail but who do not take any action. Getting hold of the upstream providers is also very difficult and can usually only be a short‑term solution. Therefore, I am of the opinion that RIPE issuing much deeper in the abuse resolution even if this is perhaps still in its infancy. What are your views on this?"
So, I don't think it's particularly fair to ask you that question, but if you have ‑‑
GERARDO VIVIERS: Very simply, we are not the Internet police. So we can give training, we can give guidance, but we don't have any mandate to take any action regarding the abuse. That's actually, I think, the responsibility of the LIRs and the network operators, right.
BRIAN NISBET: So, indeed the NCC has the mandate that the community give them, and Maximilian, and you are more than welcome to request audio or video, I'm not sure how much of the last ten years of conversation you have been following on this, and I accept there is a lot, but this has been ‑‑ cool, we'll give you audio ‑‑ but this has been one of the core pieces of conversation in the anti‑abuse community over the last decade, if not more.
MAXIMILIAN BEICHE: Thank you so much for giving me the audio. Unfortunately I can't provide a video right now, so first, sorry for maybe asking this question to the wrong person. It took me a while to write it down since I'm not a native speaker and I had to make it look fine. So, no, of course I'm not following the last ten years, and I am only 29, so, when this started, I guess I was not so much into it, however I was facing some really heavy character assassination campaigns in the last few months and, in these particular cases, I also often was talking to the RIPE and yeah, like I said, they don't have the mandate right now to handle those abuses. But what are the reasons that we cannot extend this mandate to actually make the RIPE NCC able to face those abuse resolutions? Right now, this situation is really frustrating for anybody who is defamed or something like that on the Internet.
BRIAN NISBET: So, I want to be very careful here, because absolutely ‑‑ and thank you for the question. I wish we had a five‑minute primer on the conversations over the last ten years, and I understand you're coming in, and absolutely new people are coming in all the time and this is a very valid question. It's also a very complex one. As the people who have been involved in the Working Group for a while now know, even getting abuse‑c in place was quite a struggle, the verification of abuse‑c also quite a struggle, the attempts to have more from the community to ‑‑ and I say this entirely neutrally, because this is as the Chair ‑‑ to bring in more results of not responding or otherwise, didn't happen, the policies and the pieces were never passed by the community, or reached consensus by the community, and there was a lot of conversations with boards and things like that. The ability of the NCC, or the RIPE community, to tell providers what to do at the core of this and whether they should or shouldn't, and you can see some of the comments in the chat about this, not the Internet police, etc., that's a debate that's going to continue to go on.
Of course, there is also the difference between the website hosting and the ISP provision and all of that. We could spend a lot of time talking about this, and I would like to come back to the training because this is the core piece. But, Max, what I would ask, I know there is more things being put into chat there around how to handle some of the abuse. Also, please, after this meeting, if you want to reach out to the Working Group Chairs, we can talk through some of this with you, and try to give more explanation for ‑‑ I mean, where we are at this point in time and what the possible future or not might be.
MAXIMILIAN BEICHE: Thank you very much for your answer, and when I just read the chat, it seems that I hit a soft spot there and I am sorry if I have offended anyone about this but I think those topics need to be addressed, and that's why I spoke.
BRIAN NISBET: Do not ‑‑ please don't apologise, but yeah, it is one of the core pieces of what this Working Group has been talking about over the last decade, so, yeah. Thank you.
So, are there any other questions for Gerardo? Are there people like Erik, you know, and the other people who came to us on the mailing list, want to say yes, I want to be involved in this, I want to give input to this training? I mean, thankfully we have people, but...
GERARDO VIVIERS: Well, we are planning on setting up some kind of way of communicating with us, not only e‑mails, and so we have been talking about setting up maybe a forum for the RIPE NCC, so I'd like to maybe set aside ‑‑
BRIAN NISBET: Oh, God, sorry, things didn't scroll properly. Thank you, Chris, for pointing that out. That's my own fault for not having a big enough window. We have a bunch more questions, I am sorry. So we're going to go from the start from where we're here. And please, come back to that communication when we finish. Sorry.
So, Leo Vegoda has a question: "Erik's comment made me think is the training intended to help a person handle an abuse report or to guide an organisation about what they need to do? If the latter, perhaps it needs to discuss integrating abuse report management into overall planning and continuous improvement processes."
GERARDO VIVIERS: Yeah. I think that the training will help with that. I mean, we're just going to try to guide people into what is abuse, how to handle these abuse complaints, ways to facilitate so that it's not such a hard task and, you know, that threshold of actually taking action might be passed much sooner. But, yeah, thanks for the input and we'll see about putting that focus also into the training.
BRIAN NISBET: Okay. Pablo Nieto, with no affiliation, says: "One of the main problems I can see is there really isn't a standardised way to report abuses. It would be nice to have some kind of template apart from reports from failed to ban an example. Any plan to do something about that?"
GERARDO VIVIERS: Well, we'll see about that. That's why we were asking the question. Does everybody do the same thing? Does everybody handle abuse in the same way? When we're finished with the analysis, what it is that everybody kind of does? We'll try to extrapolate the main concepts and that's what we'll try to put into the training, to help people also make their own decisions, how they want to handle abuse. We're going to tell people this is what's out there, these are the possibilities and now you choose.
BRIAN NISBET: Yeah, and I think the thing about standards, I mean, there are obviously some standards for some things, but, you know, you build three standards, you have four ways of doing things. But there are standards for some pieces, there are certainly standards there around reporting spam and things, and certainly there are pieces of software which help with all of this as well.
One last question, or possibly comment, from Yuriy Bogdanov from NTX: "The RIPE NCC should keep correct registry with valid WHOIS information. The RIPE NCC is outside of LIR to LIR or LIR to customer or LIR to other organisation communication. Anti‑Abuse Working Group make presentations some best practices for new LIRs and how to manage abuse."
I think that's exactly what this training is intended to be, especially for new LIRs and how to manage abuse, so...
GERARDO VIVIERS: Exactly. You got it right, Yuriy.
BRIAN NISBET: Okay. That is actually a clear question queue at this point in time. So, unless there is anything else. So, you want to ‑‑ sorry, I cut you off about what the plan or the next steps.
GERARDO VIVIERS: The next steps is to open up some kind of place or a way, method of getting input from the community and then the Internet community at large. So, we have heard the word "forum" going around a little bit and we're thinking maybe a forum is a great place to gather up this information. So, we'll make more announcements nearby in the future once we are sure of what we're going to do.
BRIAN NISBET: Niall, do you want to?
NIALL O'REILLY: I just ‑‑ sorry, audio problems. Can you hear me?
BRIAN NISBET: Yes, we can.
NIALL O'REILLY: Sorry for the glitch. I just ‑‑ sorry, I am Niall O'Reilly. I work for a small campus company in Dublin called Tolerant Networks and I am also the Vice‑Chair of RIPE and I am concerned that we don't marginalise some of the people who might be interested in abuse‑handling training by focusing only on LIRs. Other people who need to cope with abuse, abuse handling and abuse management who aren't necessarily LIRs, so let's make sure we keep all of the community in our focus and not just the members of the NCC.
GERARDO VIVIERS: Point taken.
NIALL O'REILLY: Thank you.
BRIAN NISBET: Okay. So, thank you very much. We look forward to the announcement of the forum and getting people into that and working on this training, and I think, you know, I really hope, see what the first bit looks like and let's go on from there, definitely. So...
GERARDO VIVIERS: Thank you for the time and thank you for listening and I hope to also be able to present soon.
BRIAN NISBET: Great stuff. Thank you very much.
So next up, also under interactions, we hopefully have Denis. Yes, we do indeed have Denis. Denis Walker, one of the co‑chairs of the Database Working Group, asked to talk about some of his thoughts on the database purposes in the 2020s and beyond. So, Denis, please take it away.
DENIS WALKER: Hi.
Okay. I want to have a quick chat about the purposes of the RIPE Database in the 2020s and beyond. I did a pre‑recorded presentation, which I released last week, and it's linked from the Database Working Group agenda. The Database Working Group is now following on from the work that's been done over the last two years by the Database Task Force. The Database Task Force recently published their final document, but they only based the document on the historical purposes of the database which were developed over the ‑‑ based throughout the 1990s. So we're looking at 20 to 30 years ago.
The database terms and conditions include two additional purposes, referencing LEAs and disputes, which didn't feature in the Database Task Force's document. The terms and conditions, which have these extra two purposes listed in them, had a community consensus in 2011, and that's basically the last time we had a community consensus on what the purposes of the RIPE Database are. Even that's ten years ago.
So what are the database purposes now in the 2020s and looking forwards?
And I'm going to be presenting in the Database Working Group, which is the next session. What I want to focus on here is more the aspect from the people who deal with abuse in crime issues. And basically what I want to ask you, what do you use the RIPE Database for? How do you use it? What data in the database is important, or even absolutely essential for you to do the work that you do? And so many times in policy discussions, this argument comes up time and time again, where someone will say it's not the purpose of the RIPE Database to do A, B, C. And quite often, this argument is brought up to use as a big club to beat down somebody else's argument that they don't agree with. So I think now is the moment to address these two issues.
Basically, we have two sheets of paper: One of them has these historical purposes listed on it, with or without those extra two in the terms and conditions; the other sheet of paper is completely blank. It's up to the community to decide if anything else should be written on that second sheet of paper.
Now, it's not about inventing new purposes. It's about documenting the existing purposes, which are perhaps unwritten and undefined. The trouble with having purposes or things which people believe are a purpose of the database, which are not acknowledged and not given consensus. If somebody over in another corner of the room puts forward some proposal which could fundamentally change the database, the only consideration ‑‑ I mean, they may have perfectly valid reasons for doing that, given the current accepted purposes of the RIPE Database. But if some of these unwritten and undefined purposes were actually acknowledged, and we had a consensus on them, that might have an influence on some future policy proposal. But as long as they remain in this kind of grey murky area on the fringes, we can't really take them into account. You can't say, well, I don't agree with this proposal because it conflicts with this purpose, because someone else is going to say, well, that isn't agreed that that's a purpose.
So, we need to get anything that people believe is a purpose of the database written down, discussed, agreed or not, and then we can move forward.
And another interesting aspect is: Should abuse issues be specifically defined as a purpose of the RIPE Database? And if so, what kind of purpose would you define for that? How would you word such a purpose?
There is this catchall phrase that's been thrown around for decades, it's down to agreed Internet operational purposes. Now, that's fine, except that nobody has agreed what any of these operational purposes are. So, again, we're straight back into those sort of grey, murky areas on the fringes. Somebody will say, yeah, this is an operational purpose, and somebody else will say, well, I don't agree, it isn't.
So, what we want to do now, following on from what the task force has done, is to put everything on the table as far as a purpose is concerned. Let's have an open, public discussion on what people believe the database is, and we need a new consensus on what this product and service is in the 2020s and beyond.
So, if you have any questions, I'd be happy to take them.
BRIAN NISBET: So. Thank you, Denis, and, you know, acknowledging that the Database Working Group is where the majority of this should happen, but, you know, we really want to talk about it as well. So thank you for coming to us with it. First up in the queue I have Mirjam.
MIRJAM KUHNE: Hi. I think I am on. Thanks, Denis, for putting this forward, and I watched the video as well that you have for the Database Working Group. I have mostly a question ‑‑
BRIAN NISBET: Mirjam, just because I know who you are.
MIRJAM KUHNE: My name is Mirjam Kuhne, I am the RIPE Chair, that's all I do at the moment. I don't have any side jobs. And thanks for proffering this forward, Denis, and I also watched the video and this is probably also come up in the next session. I have mostly a question, and a suggestion for the process, because, as you mentioned, the Database Task Force has been working on pretty much that, you know, defining ‑‑ looking at the purpose and the requirements of the RIPE Database and that have been working on this together with the community and they have just published their report with a number of very concrete recommendations, and they are now ‑‑ you know, they are presenting the recommendations in various Working Groups, not in this one, but in pretty much all the other Working Groups they have a speaking slot, and I am wondering ‑‑ so I am really suggesting we are looking at the report, looking at the recommendations that came out of the report, and then deciding, as a community, if you want to address them, and, you know, how to address them, and should one or more of these requirements, or these recommendations, maybe require some more fundamental, you know, thinking or bird's eye view on the purpose or maybe some of the purposes are missing, as you are suggesting. I suggest you do that in the context of the task force report, rather than kind of brushing aside the work that they have been doing, possibly, and starting from scratch.
So I am just wondering how you see how that would fit together?
DENIS WALKER: I agree entirely. I mean, we want to build on the work the task force has done. But, I think during the last two years, comments have been made that possibly there are other things that should be considered as a purpose, and so we all know that the database is used by many different people in many different ways. Just because they use it doesn't necessarily mean that is or should be defined as a purpose. But I just wanted to get a discussion from the community and a consensus, because that's the bit I think that is missing. We haven't had that open discussion with the community since 2011 on what exactly is the purpose of the database. Are there any other things which have come up in the last 10 or 20 years which should now be acknowledged as a purpose, and when you look at the recommendations the task force has made, some of those ‑‑ to be able to make a decision on them and come to a consensus on the recommendation, we perhaps do need to consider whether anything else should now be regarded as a purpose in addition to the ones they considered. So it's just basically that kind of final push with the community to get anything else on the table that they consider as a purpose and get a consensus on it.
MIRJAM KUHNE: Okay. Well, I believe that's what the task force has been doing and working with the community to define a purpose, and requirements for the database. But if you are talking about the terms and conditions, which I think that's what was agreed in 2011, maybe that's a different discussion. I just find it a little confusing how we would address the two things in parallel and I suggest we actually look at the report and the recommendations.
DENIS WALKER: Absolutely, yes.
BRIAN NISBET: Yes, and, I mean, absolutely, and this is not the Working Group to make any decisions on. We have a whole separate one. I think, you know ‑‑ and I understand where you are coming from, Mirjam, absolutely. I think it's useful to ask these questions and to remind the Anti‑Abuse Working Group that, I think most people are fully aware, but that the database is there, especially in the context of what we're using, look at the conversations with ‑‑ around WHOIS and GDPR and all of those pieces around what that's used for and access to those things and all the rest. But I think, if we can get some input, but I would agree that, you know, we don't want to diverge from or run any parallel things with the task force's work there. So...
So we do have a question from Rudiger Volk, which is: "Please elaborate on your view on the relation between purposes and requirements. My understanding would be that requirements cannot be identified without understanding purposes."
DENIS WALKER: Yes, I would perhaps agree with that. But like I said, the task force took a set of purposes and they built the requirements. We're just trying to wrap that up now and say: Are there any other purposes which people feel should be considered?
BRIAN NISBET: Okay. And I suppose and understanding the context of this ‑‑ and we have Shane in the queue, so...
SHANE KERR: Hello. Hi, Denis. I was one of the people that was on ‑‑
BRIAN NISBET: Shane, again, who are you, etc., etc.?
SHANE KERR: I was just about to say that. I was one of the people that was on the Database Requirements Task Force. I am Shane Kerr. I currently work for NS1, and I am also the co‑chair of the RIPE DNS Working Group. None of that is relevant for my comment, except for being on the Task Force. Right. So, I think it's a bit unfortunate the ordering of these two Working Group sessions, because we're going to talk about a report in the next session, and hopefully give a lot more context and background to everything that's going on. So, I think for this Working Group, probably I would say that I think your point, Denis, about not feeling constrained by the requirements and existing way that the database works, does make a lot of sense. I think certainly if the anti‑abuse community in RIPE decides that there is a certain policy or certain type of work that needs to be done or a work‑flow or training or anything that they feel is important, they shouldn't feel constrained by not having support for that functionality in the database. That's absolutely true. So, that was never the intent of the work that has gone on before. Having said that, I do think we did lay out a lot of purposes which can support anti‑abuse and a lot more stuff as well. So, I guess that's all I want to say in the context of this Working Group. And we'll be talking a lot more in a couple of hours about ‑‑
DENIS WALKER: Yes, I think the point is that, like you said, you mentioned many other things that could be purposes, but it's a question whether the community acknowledges that they are purposes of the database, and whether we have a consensus on that. Because, again, that phrase that's been around for years about agreed Internet operational purposes, nobody has ever defined it, nobody has ever agreed anything. So, yes, it's a catchall phrase, but it actually doesn't mean anything.
SHANE KERR: I want to avoid getting into a trap of obsessing about definitions. I think that's a great way to slow down actual progress and get distracted from things that are important. Of course it's important to have good definitions in order to make sure you are discussing the same things, but I think, in general, I feel splitting hairs is about whether something is, you know, heavy or very heavy, this kind of thing, it's like what are we trying to get done and how can we best do that? I think that's where I'd like to see the energy being spent. As you noted in your video presentation, which I did watch, there is very limited energy within the community for getting work done, and so we need to be very careful about how we focus that.
DENIS WALKER: Yeah.
BRIAN NISBET: Okay. And I think, again, I would encourage everybody to go to the Database Working Group after lunch and have further ‑‑ and this is, again, this is not something we're going to settle this morning by any stretch of the imagination, but thank you, Shane. So, we have Niall also in the queue.
NIALL O'REILLY: Back again, Niall O'Reilly, mainly as RIPE Vice‑Chair and also as concerned member of the community, the usual mask for everything. I think one of the things we must be careful about in documenting the purposes of the database is to recognise that it's not going to be ever a closed list. If, on its mailing list or at RIPE 84, this Working Group, the Anti‑Abuse Working Group, comes back with a request, wouldn't it be nice if the database could do this for us? That should not be excluded because we have a closed list of purposes. The list of purposes is something that becomes attached ‑‑ that grows in relation to the needs of the community and the resource that is the database is just a resource to meet the purposes and goals that the community sets for itself. I don't think it's about closing ‑‑ but I'm glad to hear those two syllables, Denis; probably, we're on the same page then.
DENIS WALKER: Yeah, that's the whole point. It isn't a closed list, but the only ones we have defined is basically the historical purposes and a couple of extra ones that were mentioned 10 years ago. So the point is, has the database evolved over the last 10 or 20 years and should anything be acknowledged as a purpose? And that's the key point. Nobody acknowledges a lot of these things. It's talked about in shadowy circles, whether it is the ‑‑ that phrase that comes up in so many policy discussions, it's not the purpose of the database to do this, that or the other, and some people think it is, some people think it isn't. So we need ‑‑
BRIAN NISBET: Okay, I am going to say, again, and because Denis ‑‑
NIALL O'REILLY: Different Working Group.
BRIAN NISBET: You came with a purpose and I would like to leave to that purpose and leave the broader conversation to the Database Working Group at this point in time. I would also say, I think the smoke‑filled room or shadowy circles or otherwise, I think we're a lot ‑‑ it's very different even to how it was when I joined this community many years ago, thankfully, but yeah. I have got one more question here and then ‑‑ so one more comment here, but then I think, unless there are actually people with direct inputs or answers to Denis's question for anti‑abuse, we're going to move on.
NIALL O'REILLY: Thanks, Brian.
BRIAN NISBET: Thank you, Niall. Jordi Palet Martinez, from himself, just says: "Fully agree with Niall, it's impossible to close the list of purposes. We don't know what else we would have in the future. It should be clear that in addition to the pre‑defined or historical, policies in any working group may need others."
I think we are all acknowledging and agreeing with this.
So I think, as I said, unless there is any specific input, which I am not seeing, thank you for raising this, Denis, and we'll move on at this point in time.
DENIS WALKER: Thank you.
BRIAN NISBET: Cool. Thanks. Okay, now we have a presentation to the Working Group, which may well still provide some conversation and discussion, and this is a presentation from, and I apologise if I get this very wrong, from Tianxiang Dai from the University in Darmstadt on the Hitchhiker's Guide to the Galaxy Off‑Path taking over Internet Resources.
TIANXIANG DAI: Okay. Great. Thank you for the invitation and for the introduction. So my name is Tianxiang Dai, I am a researcher for German National Research Centre and Institute for Information Technology in Darmstadt, Germany.
Here, I am to present our work of the Hitchhiker's Guide to the Galaxy of Off‑Path taking over Internet Resources.
And in this talk, I will briefly introduce what digital resources are and how they are managed by providers and which providers and customers are considered in our work. Then we will have a look at how to take over the customer accounts and hijack the results.
I will show how many customers and how the resources are vulnerable. As an example I will also present some potential resources manipulations once gets hacked. In the end, I will propose that a few cut measures and conclude.
So, what are digital resources? By saying digital resources, we mean the resources you can own digitally; for example, domain name, IP address, Cloud converting and service certificates. Normally these resources cannot be created on your own. To get the resources you have to go to certain providers and purchase from them. Typically, you will have a card to the provider to that you can manage your resources there. In our work we consider four types of providers:
IRR, from whom you buy your purchase; registers; Cloud providers, such as Amazon; and certificate authorities, or CA, where you get the certificates such as digital cert.
We also provide customer measurements, we provide 75% of the customers of the RIRs and of the top 100,000, domains for our customer database.
So, how do you attack the providers? So we designed an attacker by taking over customer cards from all class of password recovery. The first attacker does DNS cache poisoning, not DNS server, and it tries to point the customer's e‑mail server to attacker server. That triggers a password recovery e‑mail for the customer card account. As the provider's DNS server is already poisoned so the provider will send the e‑mail to attacked server. Thus, the attacker can reset the customer password. Afterwards, he can log in and manipulate the resources.
One uses BGP sub‑route hijacking. Another one uses side channel. The last one uses IP fragmentation. We find that DHCP prefix hijacking and IP frags sayings the majority of providers we tested were vulnerable. From the side channel only a few were vulnerable.
On the other side, how many customers are vulnerable to the attack? So, for a customer to be vulnerable, it has to have two properties. First, the customer's logging information. That's a prerequisite that you trigger password recovery. We find that most providers we only need the e‑mail address. Or maybe just unlikely, we have the WHOIS database, it's publicly available. So, it contains lots of the information and many of the resources, so are to the customer database, we can get to the contact e‑mail for 75% of the ASes and 11% of the domains. Even if you can't find the information in WHOIS, sometimes you can suggest the account. For example some use classical e‑mails like a domain at a company or web master at a company. The other property where the customer needs to find the name server of the configuration of the e‑mail's domain, meets the requirements of the cache methods.
We find that around 50% of the customers are vulnerable to BGP sub‑k‑root hijacking, around 10% are side channel and 20% are vulnerable to IP fragmentation.
Since so many customers' accounts were vulnerable, so are the resources. By making customer accounts to the digital resources, especially IPv4 and domains, we get how many resources are vulnerable. Even though that's only around 50% of vulnerable already proved majority of the resources in danger. We find that 93% of the IPv4 addresses and 65% of the domains are vulnerable. They indicate that large customers are even more vulnerable than smaller ones.
So, regardless of the scary numbers, so, let's see how we can (inaudible ‑ connection lost) ‑‑ on the RIPE as example. First, the attacker can manipulate the IP status, he can modify the airways. So he can either disrupt the propagation of the BGP announcement or expose the RPKI network to BGP hijacking. Can also manipulate the RIPE Database or the WHOIS Database. This would allow him to be a representative or affect a network of connectivity. Some of the BGP routers use WHOIS Database.
Account management. The attacker can create some new users with a domain rights so that he can still have access even if the account has claimed back. He can modify the data and ‑‑ so this would the physical contact between the provider and the customer. He can even terminate the membership which can delete all the resources. And lastly, the attacker can possibly transfer some resources to a certain party.
For some other type of providers, an attacker can do some resource manipulation too. For example, if he can assess the account, he can easily revoke certificates or re‑issue some certificates. If he gets a domain owner's account, he can delegate the whole domain to malicious name servers.
And how can we counter‑measure these attacks. We propose it in two categories. First, to make it harder to take over accounts. The account details should be better hidden. Captures and the DNSSEC would also help. Another category is to make it harder to manipulate resources. So, for example, two factor authentication and account notification should always get activated.
More manual review or longer waiting time could also improve malicious transactions.
Conclusion: So we find that resource databases are poorly protected. Adversaries can take over the accounts and manipulate them. We also showed that attacks against accounts are practical. Large fraction of the providers and the customers are vulnerable to certain attacks. That's even much easier for on‑path attackers. There are already many measures and most of them are not involved, so higher security or strict authentication lower the usability, so which would drive the customers away.
That's it. If you are interested in this, you can check out paper and that's the joint work with these people here. Thank you so much and any questions are welcome.
BRIAN NISBET: Thank you very much. So, we have one question to start off from Cynthia Revstrom:
"You said something about being able to issue certificates, but I didn't quite hear the entire sentence. What did you mean by that?"
TIANXIANG DAI: Did you mean the manipulation path? So if you get access, if you get access to a customer account out of the CAs, you can re‑issue the certificate. That's what I mean. So, it may be harder to get ‑‑ issue a new certificate under that domain because you need two passes, a domain validation path, but if you re‑issue the existing certificate, that's quite easy. Some CAs don't require you to do anything, so they will just send you a new certificate as is. Is that what you are asking?
BRIAN NISBET: Yes. Yes, she noted that was it. Thank you.
So, one thing I would say: Are you seeing a lot of situations where 2 Factor Authentication isn't required by the database or otherwise to work on things?
TIANXIANG DAI: Actually, during our test, for all the providers we tested 2 Factor Authentication, they are all disabled by default, so none of them require it. So our recommendation is to try to enable it because, for example, when you try to do some modification on the database, do some transaction, try to always ask you to do the 2 Factor Authentication. I think that's the secure way to do it. It makes the system much harder to use, yes of course.
BRIAN NISBET: I mean, if you are not using 2FA at this point in time, please use it. That's the single biggest thing. So we do have somebody in the audio queue here. Rudiger.
RUDIGER VOLK: Well, okay, kind of the ‑‑
BRIAN NISBET: Again, who are you always?
RUDIGER VOLK: Rudiger Volk, working for my own unorganised self. And yes, kind of for RPKI, let me point out one ‑ technically. The host at RPKI, at RIPE, does not allow you to deal with certificates, you are just doing EE objects. But, yes, kind of the protection of the RPKI there, of the hosted RPKI, quite obviously is ‑‑ security is limited by the security of the LIR portal and does not require 2 Factor Authentication, that's true, but one other small point there, kind of the accounts for the LIR portal are not really documented in the database publicly. The accounts actually are handled, as far as I understand it, with potentially different addresses in the private RIPE database.
TIANXIANG DAI: Yes. We considered that, that's why we see ‑‑ we suggest that we hide the account details. If it's already protected ‑‑ were protected, that's fine. But as we say, there is lots of other providers that didn't protect them. For example, the information just to publish it in the WHOIS database, so you have ‑‑ for example, you have the attacker domain or the attacker domain or the owner domain, owner contact information, that's the e‑mail address, so you just try to test, the attacker can do a test and get the password recovery page and put the e‑mail address there and tried to test if there is something happening or not. I mean, if it's already well‑protected, that's good, but if not, we suggest to ‑‑ like to separate the system and to better protect the accounts. That's what I mean.
BRIAN NISBET: Okay. So we have got two questions and then we'll go back to the audio queue.
So, well one is a comment from Gert Döring: "2FA is not a panacea either, I recently had an Android device die on me and recovering the 2FA secrets to the new device was fairly painful."
Speaking purely personally, that's one of the biggest concerns around changing your mobile device and the 2 Factor Authentication, and I think you, in your presentation, alluded to the fact that ‑‑ or in the comment that yes, from a user point of view, 2FA can often be complex for the user. I don't know if you have any other comments on that.
TIANXIANG DAI: For that, I actually, for me, I don't have an issue with that, because also I ‑‑ for the 2 Factor Authentication, I use the app from Microsoft. I think there is also another one from Google. So basically, if you log in, so all the things are synchronised, if you move to a new phone, you just need to log in and get everything on that. That's my experience.
BRIAN NISBET: They are improving that. I mean, I know how you did the first time. The first time I ever had to change phone with 2FA on it it was codes and reentering and all the rest. I think they are improving that, and I see Google Authenticator is now offering support to paper QR option and, as Robert points out, there is a difference between a planned and unplanned change of device. I think that's the big thing of, you know, losing your phone.
There is a couple of other questions. So two from the NCC, I think. So we have Marco Schmidt from the RIPE NCC:
"I want to clarify that getting access to an SSO account will not be sufficient to perform significant actions like transfer resources, modify sensitive LIR organisation details or close LIR accounts. The RIPE NCC has additional due diligence checks in place to prevent this. It's still important to have a strongly protected SSO account and we urge all our members to do so."
TIANXIANG DAI: Yes. So that's why I say the potential results of manipulations. We did actually run them because some of them require lack a larger check and especially for the transfer of the resources, transfer of the IP resources, they need to send some documentation to sign (inaudible ‑ connection lost) identity something like that. But it depends on how are these, like, transaction is performed, how it is in fact, and also we don't know how to work that with some other providers, if it's easier, because some provider may just want to make business easier, but that just messes makes their customers less secure. We just want to show there is a potential like (inaudible ‑ connection lost) we urge just (inaudible ‑ connection lost)
BRIAN NISBET: You are gone away there for a moment. I am just going to ‑‑ we have a little bit more time. So, once Tianxiang comes back, I am going to take Emile's question and then going to the audio queue. Are you there? We lost you there for the last 30 seconds or so, so... and we have lost you again. You're back.
TIANXIANG DAI: I think I am now back.
BRIAN NISBET: Absolutely. So I think could I summarise your point, I suppose, that this is not you saying that the RIPE Database or the NCC is particularly vulnerable; it's the general?
TIANXIANG DAI: Yeah, so I suggest, we have an account at RIPE, so that's why we take this as an example. So we go to check what we can do if we got into the account and some of the actions we didn't go to the end, because we didn't actually (inaudible ‑ connection lost) ‑‑
BRIAN NISBET: We may have to ‑‑ we may have to move on. I think that's ‑‑ I hope, his connection.
We can hear you certainly, so maybe ‑‑
TIANXIANG DAI: Maybe I turn off video, it makes things easier.
BRIAN NISBET: Let's just work through the last couple of questions we have here, or points.
So, Emile Aben from the RIPE NCC: "What I understood from your slides is that all RIRs are vulnerable to prefix hijacking. I am surprised by this. RPKI deployment should make this hard, if not impossible. Did you test this or is it a theoretical possibility of doing this?"
TIANXIANG DAI: (Inaudible ‑ connection lost) ‑‑
BRIAN NISBET: And I think possibly even your audio is not great.
TIANXIANG DAI: I think ‑‑ so, the whole RPKI thing there, the whole you this ‑‑ were deployed and every like every radio is validated, it's fine, it... suggest prefix hijacking, but it seems that it's not widely deployed and we have other projects, like validating how many ASes is deployed and how many ROAs is validated, it's not really that much. So, that's why we say the subject of hijacking is still a threat to the Internet.
BRIAN NISBET: Okay. And I am going to close, we have got three questions and we have got one in the audio and I am going to close it there, but I am going to go to Denis now.
DENIS WALKER: Hi. On a kind of related note ‑‑ Denis Walker, Co‑Chair of the Database Working Group. I have been saying for years that the whole issue of security should not be public in the RIPE Database. The idea of publishing maintainer objects which lists all your different ways of protecting your data, whether you have passwords, BGP keys, SSR accounts, I don't know of any other service anywhere on the Internet where the service provider publishes all the details about how people maintain or protect their accounts. But to make any sort of change in this area would be quite a significant effort, but I think it's something that certainly should be looked at.
BRIAN NISBET: Okay. Thank you. Do you have any comment there, Tianxiang?
TIANXIANG DAI: Not much. I completely agree with that, yeah, we just need more instructions and also it helps ‑‑ so I think there should be like even training for customers, or maybe they should attend passwords or a questionnaire to make something known about everything.
BRIAN NISBET: I mean, there is certainly training offered by the NCC, but it's not mandatory on the database. But, Cynthia, I interpret your comment around given how sadly and even ticket handling is sometimes, the RIPE NCC, in my experience, I think it's fair to point out, is that in reference to Marco's comment about the protections there? Okay. Cool. Well, then, so noted.
So two last questions here.
First, from Christian Bretterhofer: "Why should this contact information not open? This is needed for operations. MFA needs to protect but the contact needs to be accessible."
So that's in the DB or other WHOIS or other similar databases.
TIANXIANG DAI: I think we can do something like non‑migration, like what we do with the domain gestures, like you got an anonymised e‑mail address which was handled by the providers and which actually we'll forward the e‑mail to you, that we're kind of protect ‑‑ makes the operation of the malware and also protects the privacy information ‑‑ protected the account details. I think that's the option, because it works quite well after the GDPR, so most of the European domains are quite protected, so you can't get any information.
BRIAN NISBET: In the name space, yeah, absolutely. So, what am I going to do? I am just going to read one comment from chat because it's important, which is the current RIPE NCC access solution is limited now, but they do plan to review it in 2022 so that the NCC can provide more authentication options.
So, one last question, which I don't think is for you, but I'm going to read it out and if somebody from the NCC wishes to comment, then that's fine. But Yuriy Bogdanov asks: "What the RIPE NCC do in case of prefix hijacking in the RIPE region?"
And I suspect I know the answer, but I'm not the person who should say anything. Erik doesn't work for the NCC either, but I'm going to give him the video. I see Emile also in the queue. I would prefer the official answer from the NCC there, no offence to your good self, Erik, but I am going ‑‑ tell you what, I won't take away your video, I am going to grant audio to Emile there, and indeed video...
EMILE ABEN: I may not have the authority ‑‑ I am Emile from the RIPE NCC. I don't have the authoritative answer, but what we hear is, we are not the Internet police, so we don't police the Internet. But what I wanted to say, which I think is very important, is that we provide transparency to the routing system by running a system called RIS, the Routing Information Service, so because ‑‑ and BGP doesn't have an inherent security, it's very important that we actually have transparency there, and that people can develop tools and have visibility into when bad things happen on the Internet and can take action themselves. That's one that I think that we do, do.
BRIAN NISBET: Thank you. Erik, then we're going to have to stop. But go ahead.
ERIK BAIS: Erik Bais, A2B Internet, and also Co‑Chair for Address Policy. One of the things that the NCC has in their procedures is that there is an option to dispute the transfer that's being done by one of the directors of the leaving organisation, so if your resources are hijacked, one way or the other, there is always an option to dispute that at the RIPE NCC, and there are policies for that in place and it will refer, if the claim is valid, they will refer back to the original state.
BRIAN NISBET: Cool. Thank you.
So I think that is that from the point of view of questions or comments. So, Tianxiang, thank you very much for your presentation this morning.
TIANXIANG DAI: Thank you for the questions and the work. Thank you so much.
BRIAN NISBET: Thank you. So, that is ‑‑ I am just going to ‑‑ no, wait sorry, I wish to share pre‑load slides. Just go through this again.
So, in my own AOB, there is a piece I forgot which is, you know, of our own procedure. So I mentioned earlier Tobias is willing to do another term as Co‑Chair of the Working Group. What I didn't do, rather vitally, was ask the Working Group if you're happy with that. Nobody objected, but it would be nice to get some sort of positive affirmation for him being reflected as a Working Group Chair. I am happy for this in chat or for people to say something, but it would be good to get something there. And that's a yeah from Remco, which is ‑‑ and apparently everybody loves Tobias. Indeed. And I ‑‑ you know, it's one of the things that Tobias and I talk about.
So, cool, okay, that is sufficient. That is enough affirmation of same. So, thank you for that.
Does anybody else have any other AOB? Not seeing anything. Then, this was definitely one of those anti‑abuse ‑‑ the fun of planning an Anti‑Abuse Working Group agenda is that you are never sure if something is going to take five minutes or half an hour. It is ‑‑ it's a fun time.
So, that is the end of our session. I will remind people about thinking about agenda items, be they work items, other things for RIPE 84, which, if the gods are kind to us, will be hybrid in Berlin, back to our hopefully improved hybrid RIPE meetings, and I very much look forward to standing in a room with full loads of booster shots and everything else with a number of you in Berlin in spring, May of next year, that would be wonderful. But, for now, I think that is the end of this session. So thank you to the participants, to the speakers, to the NCC staff, to our wonderful stenographers, and again, to all of you and we shall talk to you, hopefully, in Berlin and online, because hybrid is important at RIPE 84, so thank you all very much, enjoy your lunch and see some of you in SpatialChat.