RIPE 81.
.
Anti‑Abuse Working Group session
.
29 October 2019
.
10 a.m. CET
BRIAN NISBET: Good morning. It is 10 UTC plus 1 on the 29th, so we're just going to give people a minute or two, which is the analogued people coming into the room, but it's the first session of the today, we'll give people a moment or two longer, albeit I think one of the things that I have discovered, and I am sure many other people have as well, is that meetings start a lot more on time when they are video conferencing.
.
So thankfully the whether in Dublin means that the gardeners we have in at the moment will not be doing lots of heavy concrete‑making in the window outside that I'm in.
200 people, that seems like a good number to start at.
.
Good morning. My name is Brian Nisbet and I am one of the co‑chairs of the Anti‑Abuse Working Group, and with me this morning are Tobias Knecht and Alireza Vaziri as the three co‑chairs.
.
And we would like to welcome you to this session.
.
We have an agenda, as was published, which we'll work our way through.
.
We are your chairs for today. We don't have a lot of content, the agenda calls were not met with overwhelming people needing to talk to us, but we'll go through it and we'll see how we get on.
.
As per this wonderful Meetecho platform, there is a Q&A piece where you can write in your questions, or you can request microphone access, which can be granted, and then it is a wonderful thing. If you are ‑‑ as always, all the other requirements still apply. If you are wishing to ask a question or make a comment or otherwise, then please state your name and affiliation, again you can make it up if you really want, to but we'll leave that to your own cognisance.
.
So let's kick on into the administrivia.
.
Indeed welcome, the second virtual session. I'd like to thank all the support people, the NCC technical staff, the scribe, who is Andrea, we have ‑‑ who did pass by, and I missed it, so Elina is taking the questions there, those pieces, our wonderful stenographers, and of course the live stream is there so you have a choice between this Meetecho platform or indeed just the straight live stream, whichever you desire. I have already mentioned, I think, the chat etiquette. I should say you have the ability to ability to rate the various pieces of this session via the RIPE 81 website, and certainly myself and the co‑chairs very much welcome any feedback you have on the session, and that can be done via that system, which is great. You can also e‑mail us, you can e‑mail the list. Again, I think the important point to remember is that this is a working group, this is not just myself and Tobias and Alireza doing lots of things and pushing us all forward. We are here to Chair and to facilitate, but the group is ‑‑ the aim is to be doing the working.
.
I would also say in regards to actually the RIPE website, I would remind you that there are PC elections on, to get more people in for the Programme Committee which is responsible for the Plenary, etc. So please do take a look at that and please consider putting yourself forward for the Programme Committee at a future RIPE meeting if you have not already done so. We are certainly very eager to have lots of new voices. When I say new, people who are new on the Programme Committee, rather than necessarily people who are new to the RIPE committee, although we very, very much welcome that as well.
.
So, minutes from RIPE 80. These were circulated in July, which is apparently a month that happened this year. Are there any comments on those minutes before they are deemed to be final?
.
No. Okay. Hearing and seeing none. We shall deem them final.
.
Thank you very much.
.
And again, thanks to the NCC staff who produced them, to Anthony who produced them.
.
And are there additions to our quite short agenda today? We put out a couple of calls for agenda items, and we didn't really get much response, and please see previous comments about the Working Group. So there are no additional items for the agenda. Then we shall proceed with the agenda that we have.
.
So, recent list discussion, which is ‑‑ I'm sure there are Working Groups where this is a very boring item on the agenda and there is, in fact, no need particularly to call it out. Unfortunately, here we are in Anti‑Abuse again with some commentary that needs to be made.
.
The first thing that I will say is that, thankfully, the majority of the content which has gone to the list, certainly since RIPE 80, has been positive and useful and informative, and obviously we'll talk about 2019‑04 in a few minutes' time. I would say, unfortunately, we have had some strange content in the list and we have had a need to put somebody into long‑term moderation, and I think that's a thing that we're all aware of and I don't particularly wish to dwell on it this morning, but I would again say to everybody that it's ‑‑ we'd like to take best intent in conversations and remember that text is a dubious medium at best, even though we have been organising the Internet via it for many decades now. It's just worth considering before you hit send, and I think that we continually need to remind all of ourselves of that.
.
So what else has been there?
.
Well, there's been useful conversation, there's been useful informative pieces there and I'd love to continue to encourage members of the Working Group to share things that are going on in the world with the Working Group, share useful information that they have, experiences, and indeed reach out to see if others can help them and those are the kind of things which are definitely very useful in regards to the Working Group. But also, you know, those technical and non‑technical pieces around fighting Internet abuse. Unfortunately, I don't think we're any closer to a definition of "abuse" than we were. Whether we will ever be...
.
And, you know, it's a strange one and it will both be something that would be wonderful to achieve and also something that seems impossible to achieve. So, we are where we are with that, and it will be something I think which will continue in the background of the Working Group for some time, and you know, different ‑‑ I know this was being discussed yesterday in Cooperation and it was being discussed in other locations around regulation, around what different places consider to be abuse. Indeed, we had a conversation during the General Meeting yesterday about, you know, what counts as fraud in one location and not, and not in another location. These things are fraught when one has a service region which spans a reasonable percentage of the globe, and as is often cited, 70‑ish countries, which greatly complicates things.
But that is kind of where we are with that. Are there any other pieces ‑‑ and again we will be touching ‑‑ we'll be talking a lot about 2019‑04 and policy proposals just in a moment, but are there any other items from the list or anything around that that anyone would like to talk about, would like to discuss or share or raise?
.
Take this moment to have some of that tea while people are discussing...
.
While I know that it is not the ‑‑ I'm not the person who is up earliest in this Working Group, it's still just only past nine o'clock in Dublin. Okay, I'm not seeing anything, so, again, we shall continue.
.
So, this is the kind of the meat of the agenda, which is around the policy work that's being done, and again, a sort of an open discussion and I'm hoping we will get some discussion on this piece, so 2019‑04, which is over a year old at this point in time. After a lot of discussion and a lot of forwarding and backwards, and a lot of very useful discussion, and thank you very much to the Working Group for this, the co‑chairs declared a lack of consensus and, you know, I'd like to thank again the policy development office in the NCC for all their help with this, and indeed I'd like to, as was announced yesterday, I'd like to thank Petrit, especially and in particular his work on this, and now that he is moving to another position in the NCC, I'd like to ‑‑ I'd very much like to thank him for that work, and wish him luck in his new position, so thank you very much to him and certainly we look forward to working with Angela as the new PDO.
.
So, yes, 2014 was declared as not having reached consensus. This was sent to an appeal, Jordi of course, as everybody does, has the right to appeal such decisions, it was sent to the Working Group Chairs for an appeal, which was very strange to be part of that collective and obviously be the first group of people recused from any involvement in the conversation. When people are sending out doodle polls, maybe it's just me, I'm not clicking on a slot because, well, you are not involved, was interesting. And that the results of that appeal were rendered either on Friday or Monday, I think, what is time, and that has been published on the website, it's been published to the Policy Announced mailing list. The overall decision there was that the chairs were correct in their declaration of a lack of consensus for the policy.
.
Now, what we said at that point in time is ‑‑ and we will have a moment to talk about this in a second, I just want to get a book‑end to this piece ‑‑ what we said at that point in time is that we did not feel that any further tweaks or changes to 2019‑04 or going back to another discussion phase with a change in text was a useful way of proceeding, because it really seemed that that was the feedback we were getting from a portion of the Working Group and it just seemed like it had gone through, it had gone through a lot.
.
So, what we have said in our decision was that we do not feel that further work on 2019‑04 is the right way forward. Now, obviously the co‑chairs will look at any suggestion of a proposal or changes or tweaks, and we'll discuss that, and this is where we're talking about next, but I think it's important, you know, we really feel that that's not the right way forward to achieve the aims of ‑‑ well, of any kind of proposers at this point in time.
.
So, that is where we stand with 2019‑04. It has ‑‑ there was no consensus, so it has been withdrawn, and the appeal to the Working Group Chairs upheld that decision of lack of consensus.
.
That's a long preamble, I apologise. But, obviously if anybody has any questions about that, about that decision, obviously neither myself nor Alireza or Tobias can speak to the Working Group Chairs' collective appeal. But, we can certainly talk about 2019‑04 and the decision there if there are any remaining questions. So, with that, Michele.
MICHELE NEYLON: My first time playing around with this platform. Michele Neylon from Blacknight. I think the decision that the Working Group co‑chairs made was the correct decision. There was no consensus, it doesn't matter how you define "consensus", it did not exist. Now, I think the ‑‑ what I find to be troubling is that, instead of the proposal being withdrawn, that rejection being accepted and that something fresh was proposed, instead we're now dealing with this kind of backwards and forwards kind of endless circle of complaints about how the entire process was handled. I think that's rather depressing, because I think the decision was clear, it was the correct decision and we just need to move on. Thanks.
BRIAN NISBET: I mean, I would say the PDP very clearly has an appeal mechanism built in there, and people should be able to use that. But this is why I'm kind of, and I think the co‑chairs are trying to book‑end 2019‑04 now post‑appeal and say, right, let's look at what's next. But we don't want ‑‑ I mean, while obviously we agree there wasn't consensus, we definitely do not wish to suggest that people shouldn't be able to use the appeals process that is there. First time as well actually, this is the first time the appeals process was used, Anti‑Abuse Working Group achieving yet another first.
.
I would also say that this is a really good time, and we're going to try and be more clear, we really are ‑‑ we have learned some lessons from this, from this process, around being clear about what is expected in each phase of the process, and also I think we have to be clear again, and we mentioned it on the mailing list, we didn't get into it too deeply, this is not a vote. But I am going to say it again because it did come up again: This is not a vote, this is not ‑‑ you know, there was a question raised about, well, we never voted on this, that's because that's not what we do here, we discuss and attempt to reach rough consensus. So ‑‑ but the co‑chairs are always happy to discuss either off‑list or on‑list, we live for it, to discuss the PDP and to explain that further.
.
Are there any other comments about 2019‑04 or otherwise, or can we move on and say right, you know, that's where we are at this point in time? I'm not seeing anybody wanting to say anything. So, okay, we shall move on.
And I suppose this is the piece where we find out whether everybody gets a very long coffee break and gets to go back to bed for 15 minutes or to join SpatialChat or to deeply consider who they would like to see on the PC or we chat for a while.
.
What I really wanted to say was look, this is where we are with that. People still seem to be unhappy with the abuse‑c or some part ‑‑ not unhappy ‑‑ well, I'm sure there are some people who are unhappy with abuse‑c, but unhappy with the validation. There are some, I know there is some people thinking about ways of pushing that forward again. But I suppose I wanted to give this forum to just say: Are there thoughts? You know, are there ideas that could be shared or people saying I have thoughts about this, contact me, to provide this forum to say are there things that people want to do? Are there next steps or are we kind of, are we just going to work away and have a think about it for a while? So this is the thing. While obviously Tobias and Alireza may say say things at this point in time, the co‑chairs don't have an agenda for this part of the meeting, we don't a plan, we don't even have particular outcomes. We are desiring, we really wanted to throw it out to be an open mic or open question piece to discuss. Having said that, we have somebody in the microphone queue, so, let's go with that and see where we get on.
.
Michele. This time we cannot hear anything from you.
AUDIENCE SPEAKER: Oh, that was me, Brian. You could have said my name, it would have been helpful.
BRIAN NISBET: I did, but anyway.
AUDIENCE SPEAKER: Michele again from Blacknight. I think the thing really is, I think there needs to be a kind of a reset and a change of track. The last couple of years we have seen the introduction of the abuse‑c contact, which was positive, it was great and I think most people are happy about that, I haven't heard people complain it anyway. Unfortunately, some reporters don't know how to use it but that's another conversation entirely. The reality is that I don't think people actually wanted to validate the abuse‑c contact anyway. That's not what they were interested in. Now, what they are actually interested in was getting the abuse contacts to respond to reports, and I assume take action where appropriate.
.
So maybe the Working Group needs to be looking at something that could actually help towards that rather than focusing on something that there is never going to be consensus.
.
So, I mean, in that vein, I mean, maybe the Working Group could be looking at what service providers require in a good abuse report or something like that's tangible, that ‑‑ I mean, I'm sure there is going to be disagreement, but it's ‑‑ it might help to kind of draft up some kind of basic principles around what we in the community consider to be a good abuse report, something that people can act on, whereas a lot of the abuse reports we always see are completely useless and inactionable because there isn't enough in it or they are not specific enough. Like telling us to take action against a website that has 300,000 pages, but without actually telling us which page is allegedly infringing on somebody's rights is completely unreasonable. I don't know if that's of any interest to anybody. But just something tangible.
BRIAN NISBET: I would ask you a question, and this is a thing, and absolutely, Michele, I think this is one of the things that is in the charter of the Working Group and which we'd love to see more people to take up and do some work on, there are some documents like that around the place, and I would ‑‑ I suppose one of the questions I would ask there, and I think this would be very useful, but if we published such a document which was aimed at people making reports, do we think that is something that people would read and absorb or actually, you know, take into account before contacting your good selves or anybody else who operates a network, or otherwise, to make a report?
MICHELE NEYLON: The short answer, yes. I mean, the experience we have had with dealing with law enforcement and others is that things like our law enforcement guidelines for reporting stuff to us and other companies who publish similar documents, that law enforcement agencies do collate those, and, sure, you are always going to have the issue where a law enforcement agent who hasn't bothered to actually check with the proper portal of the agency, or whatever, might still go off and do something silly. But the ones who are using the correct portals and correct information do read those documents and do act on them. And it's just ‑‑ it's overall where you are able to actually set kind of reasonable expectations, because I think the issue that we all face is that if we're not careful, we will end up being heavily regulated, and there's been stuff in the last few weeks and months where, you know, various governments are rattling their sabres again about various forms of regulation. If you like at what's happening in the US in section 230, the only way that we in industry can continue to keep doing what we do is if we step up to the plate and be seen to actually take action to kind of help people within the greater ecosystem. There is always going to be outliers. That's the reality. But I think calling out some of those outliers is also something more people need to do and just make it clear that some people are not ‑‑ they do not represent the broader Internet infrastructure community and just because they are not good actors does not reflect on the rest of it, or at least it shouldn't.
BRIAN NISBET: Okay. Thank you. So, next we have Erik.
ERIK BAIS: Good morning, Brian. I wanted to add on what Michele was saying. Perhaps we're looking at this the wrong way. Is it not the form that we are getting various abuse messages but rather the lack of automation with a lot of the networks of their abuse handling? And I think it is worth considering can we provide more training, presentations about, you know, how can you automate your IPAM system? How can you link that to your abuse system so that the handling of the majority of your abuse messages are going to be automated and fully forwarded to the actual owner of the IP address? And there are plenty of examples of tools available, some Open Source, some for a minor fee, that can help with things like that. You know, there is Abuse‑EO, it's an Open Source tool, Abuse‑IX in Germany is providing tools that can automate your complete business flow for your abuse handling. I would love to see more into that and put effort into training and providing good tutorials on how to do this. You know, this only takes a couple of hours to set up and people just don't know where to get started, especially new networks, and I think there is a lot more that we can do on that side, and that will probably help enormous on what we can do.
.
Next to that an example on how can we standardise our information‑sharing ‑‑
BRIAN NISBET: Erik, can I just stop you there because I have a question just on the first piece you talked about there. Before you move onto the second piece, I just want to capture this.
.
When you're talking about that, are you ‑‑ are we then talking essentially about some technical documentation which would contain potentially ‑‑ bear in mind when we say all of this, somebody still has to write this and somebody has to put their hand on it ‑‑ are you saying that maybe something that said here are some general principles in regards to automating your abuse handling and here is a list of people who ‑‑ here is a list of either pieces of Open Source software or businesses that can provide this? You know, that kind of thing, is that what we're talking about?
ERIK BAIS: If you look at what has been done on getting people to actually implement RPKI validation, for instance, on their routers, the thing is, put people in a room and do this as a workshop. Let's get some webinars online for this is how you do it, this is what you need to do, and provide that as an online tutorial. I think that will help a lot of ‑‑ you know, networks to offload the majority of their incoming abuse message handling, and actually that they are actually going to do something with it. Because they have no idea where to get started, and I think if we look at more training and, you know, taking them by the hand on doing that, and I'm sure the training department of the NCC might actually be able to help with that ‑‑
BRIAN NISBET: That was a thought that was entering my head, yes, certainly.
ERIK BAIS: I think this is ‑‑ you know, we have been dealing with this topic now for so many years, and it is mind‑blowing to see how, you know, this has only been done by the more professional or the larger networks because they can't handle it any more, but I think this is also something for the smaller networks.
BRIAN NISBET: I realised I was the one who stopped you with the question, but I am also conscious of time and there being other people in the queue, but the second point you wanted to make.
ERIK BAIS: In the Netherlands, there is the anti‑abuse network, it's a coalition of people in the industry, public and private, ISPs, people from government, people that are doing responsible disclosure and they are actually working together and work as a front towards the industry to, you know, get the information sharing further, it's on abuse.nl, and most of the site is in Dutch, but it gives a good indication on what we're trying to do in the Netherlands on this particular topic. That was it. Thanks.
BRIAN NISBET: That's a Dutch network. Okay. Thank you, Erik. I think there is probably an action there on the co‑chairs, albeit again, we'd prefer not to take too many actions onto ourselves, but we'll take this one, or at least a suggestion that we will, we might a chat with the NCC ‑‑ well, we will have a chat with the NCC training department and see what that might look like. I think it's a very good idea. And gather more data, gather more information and possibilities on that and see if that's something that we can look at. But we would, if that was to happen, and I suspect the NCC training department would turn around and say okay, we need some experts to help with that. But, we'll see where we go.
.
Jordi.
JORDI PALET MARTINEZ: Three points I want to quickly comment. The first question is, you mentioned at the beginning about an abuse definition. I don't think we must or should find a definition and I don't think that's possible at all. Why? Because it may depend on the jurisdiction and it may depend on your own perception when there is a lack of jurisdiction, and what is an abuse for me may be not an abuse for you. And the important thing here is not if we agree on what is an abuse; for me, an abuse will be something so simple as anything that I don't wish to have in my network because it's creating any kind of problem, to me or to my customers, that's a very simple definition. But even with that simple definition, maybe somebody don't agree with that on the other side of the world, clearly. The problem here is not having a definition. The problem here is, can I talk with the other counterparty that I believe is creating an abuse to my network to see if we can resolve it or not? If we can contact among us, and cannot reach an agreement, that's a different problem. That's a simple as, then I might decide to filter that network. But I need to be able to contact that other network before going into direct filtering of the network, because I may be doing something that is not good for many other users and maybe if we can chat together we can resolve that.
.
So that was my first point.
.
The second point is, to something that Michele said about finding a standard way to report abuses, that's done already. The reason and a standard in IETF which is X‑ARF, RFC 5965 and 6650, that is telling us how to report any kind of abuse and there are a lot of work done in commercial products and Open Source products to do that.
.
So, maybe what we are missing here is forcing the abuse reports to be using that standard format. The same way we ask in our policies to use our standards. There is nothing different there. That's the point. So first we should have a real validated contact, which today is not true. Second, we should have a standard format. So we don't enter into discussion of, can we set in nails or should we set forms or anything like that.
.
And then what we are probably missing is, as Erik said, training regarding that, because I feel that a lot of people is lacking the knowledge about this is the standard format that already exists, so maybe the training should be focused in a standard format. What it will not make any sense is to try to mend the will here in RIPE and other regions using a standard format. Maybe the training should be in that direction.
.
And, of course, if we find any problem with X‑ARF, then we should try to come back to IETF to improve it. I don't think it's necessary, but this always can happen, right.
.
So, the main problem that we have here is that, while we don't have validated contacts, we are actually helping the bad guys, those that don't care that their networks or customers are doing abuses to damage all the Internet, so that's the problem. And that's what I wanted to say.
BRIAN NISBET: Okay. Cool. And thank you. And look, I think you know, the piece, the technical pieces on those ways of reporting abuse are certainly part of that, but I suspect, given Tobias clicked his audio on at that point, there is something you want to say, Tobias.
TOBIAS KNECHT: Just a correction. There is a standard, the abuse reporting format, which is IETF‑approved, X‑ARF, the extended abuse reporting format at this point is not an IETF standard, we're working towards that, but it's not. But it's an open project that everybody can participate in so that's just the correction on that.
.
Which does matter, because X‑ARF is used more than ARF, as far as we see it out in the wild.
.
The second thing is, what I totally agree with is there is a lack of training, and that's what we're seeing when we're talking to potential customers as well, that there is absolutely not a lot of information out there that can be helpful on how to even start. So we're discussing, still, things about abuse desks and security teams in ISPs that are very, very surprised that there is an abuse‑c, and they have not seen that and the networking guys have not told them that this is there and so this is this kind of completely disconnect because the abuse operations teams in companies are usually very, very fresh and new. They haven't been there for 25 years, they are here for ‑‑ usually, there is none, and then suddenly it gets born and then they have to do stuff.
.
So I totally agree with that notion of that, that training is necessary. I am happy to help in that regard if wanted. I always have to be careful with the two hats. But if that's something that's wished, yeah, I am happy to help in this regard.
BRIAN NISBET: Cool. Thank you. Hans Petter.
HANS PETTER HOLEN: Thank you. I heard here that the Working Group or some people in the Working Group would like the RIPE NCC to help out with this, and of course we're happy to do so, but I think I would encourage the Working Group first to work out the content, the best common practices or exactly what you want to be in the training. We have expertise in how to make the courses, but I don't think that the RIPE NCC, based on what I have heard today, can go out and make a training course in either how to report abuse or handle abuse. I think that should come from the Working Group in some best practice and then of course we can be part of ‑‑ see how we can operationalise that. But I think that from my previous experience as working as chief information security officer, I kind of have two observations:
First of all, abuse handling did not exist in my security professional's vocabulary. They were not looking at the security incidents as abuse; they were looking at them as security incidents. There may be a need there for actually explaining what is meant with "abuse" so that people can actually take that to the managers and get awareness in the organisation that this is something that needs to be handled, or maybe this is part of the security work. I never understood that completely. But I think that one of my colleagues really took the approach, when he wanted something to happen, was to give the people doing the work tools to do it. So I think I would very much support that line of thought that let's see if we can help people to do a better job rather than force them into to do a better job by having tools and knowledge on how to do that.
.
So tools does not only have to be software, but also even documentation and things to read on actually how to deal with it. Thank you.
BRIAN NISBET: And thank you. I would say, and to be clear on my intent, and my expectation, is that we would not go to the NCC and go, make us this course, make it wonderful and beautiful. Your point is well taken. The intent of having the conversation is, okay, if we're putting a course together, speak to the training department on what is needed, what would that look like, have an initial conversation and then the Working Group absolutely would have to, you know, would be very involved in providing that information and working on that course. But it's trying to find out kind of the requirements as much as anything else. But certainly there would be no expectation in just asking the NCC to create a course.
HANS PETTER HOLEN: Thanks for that clarification.
BRIAN NISBET: Cool. So, we are 43 minutes past the hour. So, it means that we're actually, you know, we have 45 minutes for this slot. So, unless there are any other ‑‑ there is no written questions. There is nobody else in the mic queue, I think there's been some useful things there, but, look, this is a much bigger conversation, we'll hopefully manage to continue it on the mailing list, and maybe take some of the synthesis of these minutes and try and work out one or two actions to progress this and try and move it along, and I think we have a clear implication there that, again, the documentation and training, which has been part of the charter of this Working Group since day one, is still the thing, but we do still also need people to put their hands up and get involved in it. It can't just be the co‑chairs and it can't just be the NCC.
.
So, moving along then. In that case, is there any other business? Is there anything else that people wanted to raise, given they had plenty of opportunity to do so? Again, seeing nobody in the queue, seeing no written questions. We shall assume not.
.
In which case, I will again remind people that the agenda is something that is formed by the Working Group. It's not just what myself, Alireza and Tobias come up with of a conversation of an evening. Please do consider things that you would like to raise in this meeting, in the spring RIPE meeting, RIPE 82. Obviously the mailing list is always there, for discussion, proposal, etc., that Working Group Chairs, if you have a policy proposal you would like to talk about or otherwise, the Working Group Chairs and the NCC policy development office are here to help and support and you don't need to know everything to write a proposal. The whole idea is, have an idea and we'll talk to you about it.
.
So, with all of that being said, I would like to thank you for the discussion today. I'd like to thank the NCC support staff, the technical, the chat monitor, the minute‑taker. I'd like to thank, as always, the steno folks, and that, I think, is that for the Anti‑Abuse Working Group for RIPE 81, and I look forward to seeing you either via a platform like this or in real life, whatever ends up happening, or indeed possibly both, at RIPE 82.
.
So thank you all very much. Have a good day. We have a coffee break now and then the next session is starting at 11 a.m. UTC plus 1.
Thank you all very much.
.
(Coffee break)