Article on spammers and their infrastructure

JD

Great point, I am more than happy to have a couple of people from ARIN or
RIPE as guests at the next MAAWG in SFO or the subsequent one in Barcelona.

Mike

That's one hell of a stretch. Registry services aren't needed if they don't have the IP space, so saying that the service the end user is buying that justifies the IP assignment is 'registration services' is a circular argument.

Wouldn't that be kind of pointless? ARIN policies are proposed by the public, not ARIN staff or board members.

https://www.arin.net/policy/pdp.html

  Policy proposals may be submitted by anyone in the global Internet
  community except for members of the ARIN Board of Trustees or the ARIN
  staff.

[…]

I am sure that your interpretation was the original intent of the policy
text. However, the wording could also be read in a way that allows an LIR to
just provide registry services, without providing any connectivity services.

That's one hell of a stretch. Registry services aren't needed if they
don't have the IP space, so saying that the service the end user is buying
that justifies the IP assignment is 'registration services' is a circular
argument.

Of course - but if you wanted to provide services to spammers and their friends it's the sort of stretch you'd find yourself making.

Regards,

Leo

I expect the ARIN and RIPE folks may be influential and as such, it could be a good idea for them to attend.

Mike

Why should I or anyone else do that? It will cost us, personally,
a great deal of time and money and hassle and -- as far as I can tell --
will achieve nothing.

Let me explain why I say that.

The senior people working in the anti-abuse area aren't hard to find.
We hang out on spam-l, or funsec, or in various blogs, and
we publish comments/reports/essays pointing out what we observe.

  (Well, at least some of it. I've learned to keep much of what
  I find back, as it often reveals too much about my methods.
  And there's been retaliation from time to time, some of it
  disruptive and expensive.)

If ARIN and/or RIPE and/or ICANN and/or anyone else were truly interested
in making a dent in the problem, then they would have already paid
attention to our collective work product. And they would have
already blacklisted certain individuals/organizations -- permanently --
and revoked all their resources. (I trust everyone is painfully
aware that all lesser steps have already failed miserably and
will of course fail miserably in the future. This is not a set of
problems that can be addressed with half-measures: those are really
not worth anyone's time or effort. Even the approach I'm suggesting
may well not be sufficient, but it's clearly necessary.)

I see no sign that these organizations are taking any such measures,
nor any sign that they're even open to the possibility of doing so.

Yet this is what must be done if any substantial impact is to be
achieved. Bad actors have quite thoroughly gamed the system
and have long since provided overwhelming proof that while their
tactics may change, their strategy will always be to profit by
as much abuse as they can possibly manage. They'll never stop,
they'll only adapt as old methods cease to work and new ones
become available; it's their "career". The only recourse we
have is to cut them off for life.

---Rsk

If ARIN and/or RIPE and/or ICANN and/or anyone else were truly
interested in making a dent in the problem, then they would have
already paid attention to our collective work product.

the rirs, the ietf, the icann, ... each think they are the top of the
mountain. we are supposed to come to them and pray. more likely that
the itu will come to them and prey.

randy

If ARIN and/or RIPE and/or ICANN and/or anyone else were truly
interested in making a dent in the problem, then they would have
already paid attention to our collective work product.

the rirs, the ietf, the icann, ... each think they are the top of the
mountain. we are supposed to come to them and pray. more likely that
the itu will come to them and prey.

I thought the ITU is the owner of the mountain or pretends to be...

Jorge

Randy Bush <randy@psg.com> writes:

If ARIN and/or RIPE and/or ICANN and/or anyone else were truly
interested in making a dent in the problem, then they would have already
paid attention to our collective work product.

the rirs, the ietf, the icann, ... each think they are the top of the
mountain. we are supposed to come to them and pray. more likely that
the itu will come to them and prey.

ARIN (an RIR) does not think in terms of mountains. the staff and company
does what members and the elected board and elected advisory council ask.
ARIN is a 501(c)(6) and sticks to its knitting, which thus far means no
distinguished role in "spammers and their infrastructure" but that could
change if someone writes a policy proposal which is adopted after the
normal policy development process.

please do consider whether ARIN could help with "spammers and their
infrastructure" and if so, write a policy draft to that effect. ARIN is
responsive to community input, and has well established and well publicized
mechanisms for receiving and processing community input. nobody has to
come and pray, but likewise, nobody should expect ARIN to look for mission
creep opportunities. ARIN will go on doing what the community asks, no
less, no more. ARIN has no mechanism, as a company, for "[paying]
attention to [your] collective work product". our members, and the public
at large who participates in ARIN's policy development process, do that.

One might say the same about the IETF, which Randy likes to lampoon. Not sure how it comes up in this context, as (as Randy loves to remind us) while many operators attend, it is not first-and-foremost an operational community. As to ICANN, I think Rich may be talking about the registries and registrars for their DNS names, but not the agency that coordinates them. At most, ICANN can give them suggestions. And as for addresses, they get them from their local ISPs.

What ICANN and many of the registries have in fact done is make an issue of domain name "tasting", which is a means by which some forms of abusers change names rapidly to evade filters. That is a matter of having the fox guard the henhouse, however; the registries make money on names being sold, and "tasting" is a means of making a lot of sales. So while some have good efforts there, not all are motivated to fight abuse.

As to addresses, we can point to at least one entire ISP shut down as most of the traffic coming from it was abusive. But for ISPs, it becomes at least in part a matter of the amount of trouble they cause their immediate neighbors. If they can link to other ISPs, who they sell their services to is somewhat opaque to the wider world. And since the abusers are not above "owning" systems, every network has some subset of its subscribers to think about.

I agree with your sentiment, Rich, and empathize with your frustration. Writing comments in blogs doesn't get the hard work of tools and policy done, though. You have to take the next step.

At the Montevideo ICANN meeting, in August, 2001, I was surprised, and disappointed, that the ISP Constituency had reduced to ... a couple of IP attorneys.

So, as a point of departure, were one going to advocate policy which affects ISPs as ISPs, as opposed to ISPs as trademark portfolio managers, one would first have to, as Shakespeare put it, kill all the lawyers.

Well, perhaps it would be sufficient to inform the lawyers the ISPs do send, who are nice enough people, that ISPs have operational issues other than protecting their brand portfolios.

At the Paris meeting two years ago there was a charming presentation on GNSO constituency voting behavior, which showed that on the order of all the time less noise, the ISP Constituency, voted indistinguishably from the Intellectual Property Constituency.

Of course, the same result was shown for the Business Constituency, but there I wouldn't bother to inform the incumbents of the end of their tenure, should real business ever take an interest in policy formation at ICANN.

I agree with Fred, IETF has use case requirements such as providing competitors with a means to create standards without risk of competition policy complications, as well as more benign requirements that fit on the backs of tee shirts.

Where the chain of delegation Paul mentions, by way of inviting NANOG contributors to do more than suggest ARIN do something, of addresses, and the chain of delegation Fred mentions, commenting on registries, registrars, and the Add Grace Period (AGP) exploit (aka "domain tasting"), or domains, share an anchor is in the IANA function. I've mentioned this previously, the delegation of trust down the BGP bunny trail and the delegation of trust down the DNS bunny trail, are an area where delegation of trust, as a policy issue, is common to both the numbers and the names operators.

The back of the envelope for the AGP exploit is that it contributed a substantial part of the 35,000,000 monetized domain registrations. With that assumption, and using the dominant pricing (.COM), this means on the order of $6 to the registries and their operators, on the order of $1 to the registrars, and on the order of $0.20 to ICANN. That is $100m to COM/NET/ORG (VGRS and PIR/Afilias), and $35m to eNom, Moniker, Directi, ... and $6m to ICANN, per year, recurring, for quite a few years to come.

NOTE WELL: As a registry operator CORE does not allow, and as a registrar, CORE does not pursue AGP exploits.

Where Fred errs is in characterizing the AGP exploit as a means to provide operational agility to spammers. Of course it was used that way, but the entire point of agility is not avoiding a $6 cost of asset, it is having an asset that for some number of weeks, recently days, now hours, which allows each particular exploit to meet its ROI goals. The overwhelming use case for the AGP exploit was to acquire static, recurring revenue resources, monetized by advertising, and a mature market in these assets exists. Greater agility arises from flux and double flux, exploits of the rapid update property Paul, and I, commented on back in August 2004.

In a nutshell, domainers need low cost means to discover low marginal cost to acquire strings exceeding some low multiple of $6/year gross recurring revenue.
Spammers (and other rational economic actors, e.g., the Conficker .C rendezvous mechanism author(s)) create value in excess of some low multiple of $6/day non-recurring revenue through arbitrary string registration.

Domainers are not the same as spammers, and I've written a draft section here (http://wampum.wabanaki.net/vault/2009/12/005462.html, a contribution to a Bolt techlaw paper in progress) that there is at least one frame of reference other than trademark interest to view domain name speculation as harmful to public policy goals, in particular, IPv4 address exhaustion. I'd be grateful for informed comments on that note.

It does take more than writing blog posts, and outcomes are not a given. I am, at year's end, very disappointed in the registries as a constituency, and very disappointed in the registrars as a constituency, and profoundly concerned that the ICANN Board has been successfully mobbed by domainers moving up the food chain to registry applicants. This will either mean "four eyes and more" on deltas to the IANA root become a thing of the past, or applications like the Catalan application in 2004 will be served after the last monetization exploit, and the last brand name, has been stuffed into the anything-for-a-dollar-or-a-laugh root. The only thing remotely "good" to come out of ICANN is bidi (Arabic and Hebrew scripts) and Cyrillic and CJK strings, as a presentation layer hack (IDNAbis), as TLDs, enabling root-to-leaf script consistency, for some 40 ccTLD operators and their user bases.

The bulk of the 100 or so non-shell registrars [1] were not AGP exploiters, and the CAT, COOP, and MUSEUM registries and their operators, do not pursue secondary revenue exploits.

Randy suggests the ITU may prey on ICANN. I'm sorry to say that I see more likelihood of failure of the mostly private system now than I did prior to the transition from the MoU to the AoJ regimes, though not because of any change innate to these as legal regimes, but through institutional capture by private interest, naturally excluding addressing and protocol interests, and unrelated, the executive, Board and some staff preference for large for-profit corporations, possibly linked to status and individual career choices.

My New Year's resolution is to spend the first week of the year coding, and to pick up my old OSF RI work, mk++, like knitting, as therapy.

Eric
CTO, CORE
IANA Registrar ID 15 http://iana.org/assignments/registrar-ids/registrar-ids.xhtml
operator, .CAT http://iana.org/reports/2005/cat-report-18nov2005.html
operator, .MUSEUM http://iana.org/reports/2001/museum-report-30oct01.html

[1] shell registrars exist for another exploit, to maximize race contention results for the VGRS drop pool, the acquisition of expired names which have "name" value or residual traffic monetization value. Four companies control 318 US domiciled ICANN accreditations: eNom (116), Directi/PDR (47), Dotster (51), and Snapnames (104). Source: http://www.knujon.com/registrars/

The obvious change RIRs could make would be to make sure the contracts
they allocate resources under give them the latitude to cancel those
contracts if certain boundaries of behavior are breached.

YES I REALIZE EASIER SAID THAN DONE.

But just as allocation of resources is not a transfer of ownership to
the allocatee by the same reasoning cancellation of that allocation
for breach of contract is just a withdrawal of said license, not a
"taking".

What's difficult is establishing a system of reasonable due process
within which to assert breaches, particularly given the many
jurisdictions involved.

ICANN is certainly building a model just like this with the UDRP etc.
so perhaps that's something to follow.

Barry Shein wrote:

The obvious change RIRs could make would be to make sure the contracts
they allocate resources under give them the latitude to cancel those
contracts if certain boundaries of behavior are breached.

YES I REALIZE EASIER SAID THAN DONE.

But just as allocation of resources is not a transfer of ownership to
the allocatee by the same reasoning cancellation of that allocation
for breach of contract is just a withdrawal of said license, not a
"taking".
  

Cool. Then you just have to figure out how to unilaterally withdraw a resource that doesn't have a centralized automated verification system. Taking you out of whois doesn't automatically take you out of people's BGP tables, after all.
-Paul

See http://www.ietf.org/dyn/wg/charter/sidr-charter.html

Regards,
-drc
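Added example, not part of drc's reply or of the SIDR charter he points to: the SIDR working group's output is the RPKI, where a Route Origin Authorization (ROA) binds a prefix (with a maximum length) to the AS allowed to originate it, and a router classifies each announcement as Valid, Invalid or NotFound per RFC 6811. The Python below runs that classification over a constructed ROA set, then deletes one ROA to show what a registry-side revocation actually does at a validating router: the prefix falls to NotFound, which default policy still accepts, so the route only disappears if the operator chose to reject NotFound, and the hijack protection the ROA provided disappears with it. The ROA table, prefixes and ASNs are constructed documentation values (192.0.2.0/24, AS64496, etc.), and the names validate, revoke and accepts are chosen here.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set.

Added example. Shows how removing a ROA (the registry-side "revocation")
changes what a validating router does with an announcement, and why being
taken out of the registry is not the same as being taken out of everyone's
BGP tables. All prefixes and ASNs are documentation/example values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

VALID, INVALID, NOTFOUND = "valid", "invalid", "notfound"


@dataclass(frozen=True)
class ROA:
    prefix: str       # covering prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix the origin may announce under it
    asn: int          # authorised origin AS; 0 means "nobody may originate"


# Constructed ROA repository (not real RPKI data).
ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("203.0.113.0/24", 24, 0),
]


def _covers(route, roa: ROA) -> bool:
    """True if the ROA's prefix contains the announced prefix."""
    roa_net = ipaddress.ip_network(roa.prefix, strict=False)
    return route.version == roa_net.version and route.subnet_of(roa_net)


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation state for one (prefix, origin AS)."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(route, r)]
    if not covering:
        return NOTFOUND                      # no ROA says anything about it
    for roa in covering:
        # AS0 ROAs authorise no one; maxLength bounds the specificity.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return VALID
    return INVALID                           # covered, but by no matching ROA


def revoke(roas: Iterable[ROA], prefix: str, asn: int) -> List[ROA]:
    """Registry-side action: drop the ROA authorising `asn` for `prefix`."""
    return [r for r in roas if not (r.prefix == prefix and r.asn == asn)]


def accepts(state: str, drop_notfound: bool = False) -> bool:
    """Router policy. Invalid is rejected; NotFound is rejected only if the
    operator opts in, which few do because most of the table is NotFound."""
    if state == INVALID:
        return False
    if state == NOTFOUND:
        return not drop_notfound
    return True


# Constructed announcements: (prefix, origin AS).
ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),     # legitimate origin
    ("192.0.2.0/25", 64496),     # right origin, more specific than maxLength
    ("192.0.2.0/24", 64511),     # origin hijack
    ("198.51.100.0/24", 64497),  # more specific but within maxLength
    ("203.0.113.0/24", 64498),   # AS0 ROA: nobody may originate this
    ("10.0.0.0/8", 64499),       # no covering ROA at all
]


def evaluate(roas: Iterable[ROA], drop_notfound: bool = False):
    """Return (prefix, origin, state, accepted) for every announcement."""
    roas = list(roas)
    out = []
    for prefix, origin in ANNOUNCEMENTS:
        state = validate(prefix, origin, roas)
        out.append((prefix, origin, state, accepts(state, drop_notfound)))
    return out


if __name__ == "__main__":
    print("with ROA for 192.0.2.0/24 -> AS64496:")
    for row in evaluate(ROAS):
        print("  %-17s AS%-6d %-8s accepted=%s" % row)
    after = revoke(ROAS, "192.0.2.0/24", 64496)
    print("after the registry revokes that ROA:")
    for row in evaluate(after):
        print("  %-17s AS%-6d %-8s accepted=%s" % row)
    print("same, on a router that rejects NotFound:")
    for row in evaluate(after, drop_notfound=True):
        print("  %-17s AS%-6d %-8s accepted=%s" % row)
```

The second table is the point: once the ROA is gone, both the former holder's announcement and the hijacker's announcement are NotFound, and a router running the usual policy accepts both. Revocation of the registry record only bites on routers that reject NotFound, and it also removes the protection the record gave against everyone else announcing that space.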

From: Paul Timmins [paul@telcodata.us]
Cool. Then you just have to figure out how to unilaterally withdraw a
resource that doesn't have a centralized automated verification system.
Taking you out of whois doesn't automatically take you out of people's
BGP tables, after all.

That's step two of the problem - enforcement. Enforcement may seem "hard", but it's impossible without a policy. If there is no policy clearly violated, enforcement cannot happen.

Regards,
Alex Lanstein

Cool. Then you just have to figure out how to unilaterally withdraw a
resource that doesn't have a centralized automated verification system.
Taking you out of whois doesn't automatically take you out of people's
BGP tables, after all.

That's step two of the problem - enforcement. Enforcement may seem "hard", but it's impossible without a policy. If there is no policy clearly violated, enforcement cannot happen.

You are right, without a policy there is nothing to enforce, but on
the other hand even with a policy you need somebody with police powers
to enforce the policy.

Then who do we want (if we do, which I don't believe we do) to play
the net-police role ?

ICANN ? the RIRs ? the ISPs ? ITU ? X invaders ? three letter agency
of your choice ? local law enforcement ?

I truly believe that if many service providers (access, domain,
hosting, etc) reduce just a notch the profit making greed and start to
close some doors for the bad guys we may be able to mitigate some
problems.

Time for new year resolutions ...

Cheers
Jorge

While not at all touching the accuracy of knujon's stats with a
bargepole, it would be interesting if some process were developed to
deaccredit or otherwise kill off the shell registrars .. and the bogus
LIRs (which is how the thread started).

... it would be interesting if some process were developed to

> deaccredit or otherwise kill off the shell registrars

Suresh, Why?

ICANN accreditation provides the registrar with a right to attempt OT&E with registries, the Verisign operated .com registry in particular, and with that, the right to specify a range of addresses from which the .com registry EPP server must accept connections.

That is the asset.

Every day "mumble.com" is dropped by the .com registry and every day registrars "race" to register "mumble.com". For some reason "mumble.com" has value not present in "mumble.bar", where "bar" takes on some 20 values other than "com", possibly because "mumble" is a generic or hyphenated concatenation of a generic and some other string, possibly also a generic, possibly because strlen("mumble") is less than 5.

If every registrar has the right to a fixed number of connections, or "threads", at the .com registry, then the probability of acquisition of "mumble.com" is 1/N, where N is the number of registrars competing to register "mumble.com". Note that this might not be sufficient to motivate investment in a "secondary market", in the abstract, however the verisign registry, and others, identified the "secondary market" as having high value and attempted to obtain non-random distribution of secondary registrations.

Therefore, while the value of "threads" was significantly greater than the cost of ICANN accreditation (a subject of note in its own right), it was a rational economic activity to form registrar legal entities, obtain ICANN accreditation, and rent the "threads" to entities which specialized in the "secondary market", that is, in collecting "back orders" on "mumble.com" from entities seeking to become the registrant of "mumble.com", presumably ranked by value (bids at auction), and execution of registrations for "mumble.com" in a race environment.

That's auction to 3pm minus some delta, and race at 3pm minus some epsilon to 3pm plus some epsilon. So, a well-ordered sequence sensor and slots on a roulette wheel. Clearly, the more slots on the roulette wheel, the greater the likelihood of winning.

So, the root cause for shell registrars is the value of expired names, and the association of acquisition resources with accreditation.

Value arises from (a) strings which can be repurposed economically (I claim that should Qualcom forget to renew "q.com" that "q.com" can be repurposed as something other than a domain name for a communications goods and services vendor), and (b) strings which cannot be repurposed economically, but have some fungible value, aka "traffic".

Now, shell registrars are a pain in the ass, not for operational reasons, but because every time someone wants to say something stupid and get away with it they say "<some large number> of registrars".

For example, at the ICANN Seoul meeting an unidentified male (in the transcript) who I recall was Dan Halloran, ICANN's Deputy General Counsel, said, while discussing the proposed new gTLD registry agreement (note, it isn't called a contract):

"... the central idea is still there that ICANN does retain the right to modify the agreement..."

and a minute later

"... the point is there's 900 registrars and ... We don't have to go individually and negotiate bilaterally with each registrar."

Source, transcript [1].

So the number of shell registrars is offered, by ICANN's DGC, and presumably by ICANN's GC (John Jeffrey) as well, as an absolute bar to contractual distinguishment.

Registrars can be "bad" because they fail to pay ICANN (the commonest form of registrar deaccreditation) or because they aren't responsive to email or because they are claimed to be in breach of some specific term in the current accreditation agreement. Other than that, it is ICANN's consistent position of record that registrars cannot be distinguished in contract since the divestiture of Network Solutions (registrar) by Verisign (registry).

Now to me (Eric Brunner-Williams, hat=="operator of ICANN accredited registrar #439 and CTO of ICANN accredited registrar #15 and operator of the sponsored gTLD .cat and .museum" registries for their respective ICANN contracted sponsors), the inability to distinguish, in contract, between an application advanced by the RBN and the IRC is ... a pain in the ass.

CORE's "business" is socially useful, socially responsible registries, it's been our business since Jon Postel and others [2] drew up the IAHC-MOU [3], forming CORE. We'd like to see a contract for .com's clones, where "policy" is completely defined by first $6 offered, and a contract for .cat's kittens, where "policy" is consistent with the language in section 3, subsection 2, of RFC 1591.

The IRC contacted CORE (thanks to the ICANN staffer who suggested us to them!) for a .red-{cross,crescent} (Latin and Arabic scripts) but because ICANN won't create contractual constructs now, having done so in the past (the initial 7-10 round was partitioned between what is now called "standard" (biz/info/name/pro) and "sponsored" (aero/coop/museum), and the 2003 round was sponsored), the IRC (and CORE, and all of CORE's other registry partners, from the Provincial Government of Quebec to the Government of the City of Paris) has to wait until ICANN's crafted an evaluation process capable of evaluating every currently imagined scheme the RBN (or any other rational economic actor) puts forward.

Oddly enough, this appears to require unbounded time, and naturally enough, someone on NANOG will opine that one or more of, particularly the last item of this list -- {dnssec, ipv6, idns for ccTLDs, new gTLDs (ADH or IDN)} is "a bad thing". As an Indian, I will simply observe that the partition of Indian Countries into "Canada", "US", ... is suboptimal, and the further partition into "native" namespaces under each of the iso3166 associated namespaces is also suboptimal. We could do better, but even if the nsn.us namespace, to pick one well-ignored example, were turned over to me personally, that wouldn't meet all the needs of two of the three tribes I have cultural and/or political association with, which exist "in" both the United States and Canada. That is, I offer the claim that at least one TLD ought to exist, a claim made to Jon prior to the Green and White Papers. I expect the time from request to delegation will be 20 years, assuming the unbounded time requirement becomes bounded in 5 or so years from the present.

Shell registrars are not, generally, the source of primary registrations of arbitrarily abusive intent. That problem lies elsewhere and is adequately documented.

> .. and the bogus
> LIRs (which is how the thread started).

This has been a tutorial on why shell registrars are not the source of operational issues that could reasonably be characterized as problems. Problematic use of the DNS exists, but the registrar association is otherwise than to shell registrars. These are different exploits.

Eric

[1] http://sel.icann.org/meetings/seoul2009/transcript-gtld-registries-constituency-1-27oct09-en.pdf at pages 32 and 33, respectively.
[2] ISOC, IANA, IAB, FNC, ITU, INTA, WIPO
[3] http://www.gtld-mou.org/

... it would be interesting if some process were developed to
deaccredit or otherwise kill off the shell registrars

Suresh, Why?

My comment was more in the context of this thread's original topic -
killing off bogus spam / botnet operations that become registrars
(and/or registrar resellers) who buy an outsourced instance of one of
the "registrar in a box" services, and are immediately in business.

Though, you might want to prevent shell registrars for the same
reasons that auctions try to weed out shill bidders.

And while it is a rational economic idea for a bidder to game an
auction by setting up shills, the auctioneer and the other bidders
lose out in the end.

Now, shell registrars are a pain in the ass, not for operational reasons,
but because every time someone wants to say something stupid and get away
with it they say "<some large number> of registrars".

That too of course. Reminds you of Tammany Hall sometimes? :)

Shell registrars are not, generally, the source of primary registrations of
arbitrarily abusive intent. That problem lies elsewhere and is adequately
documented.

Wasn't talking about shell entities set up by various registrars for
drop catching and such. Though as I pointed out, those could be
weeded out for fairly sensible economic reasons, for the same reasons
such practices are discouraged in elections, auctions, rationing
systems (like the depression era / WW-II food stamps system) etc.

Was talking about totally bogus registrars that are "spammer sets up
an LLC, said LLC submits all the paperwork to become a registrar,
rents an instance of a DIY registrar service .. and starts doing
roaring business with just one customer - the spammer".

--srs