In light of concerns expressed at one of our meetings recently, we think this is a good time to discuss what it means to be an IP address registry in today’s environment, and some of the challenges we face as an organisation.
Accountability has been a big part of Internet discussions over the past few years. This reflects the greater role that the Internet plays in our societies and the closer scrutiny that comes with this.
While there are debates to have about online anonymity, the consensus view of the RIPE community is that we (as the RIPE NCC) should know who we are allocating resources to and entering into contractual relationships with. While this does not seem overly controversial, lately we have been seeing more people trying to join the RIPE NCC or obtain independent resources under false identities.
Similarly, the emergence of a transfer market has altered our environment in quite fundamental ways. This has introduced new incentives for dishonest actors who want to get additional addresses from our pool (usually to sell) or to steal them from other networks that are using them for their business. There has been a marked increase in this activity since we reached our final IANA-allocated IPv4 block in 2012.
We needed to adapt quickly in response to this activity. We developed new capabilities for detecting fake IDs and manipulated documents. We also invested a lot of effort into evolving our processes and framework to keep one step ahead of the bad actors, who know our processes well and are skilled at finding ways to exploit them.
We are aware of the extra procedural burden this has created for our members, the majority of whom simply want to get on with the real business of running their networks. However, it is important to keep in mind that these efforts are primarily about protecting our members. The gratitude people express when we prevent someone from taking control of their resources makes us think this has been worthwhile.
After we first began seeing an increase in fraud and dishonest behaviour, we initiated a discussion with the RIPE community about fortifying our legal framework, which we presented at RIPE 61 in 2010. This led to the publication of a procedural document in 2011 that gave clarity about why and how we would close a member, and which included the submission of falsified or misleading information as a reason. We later began to report an increase in fraud in 2013, around the time of RIPE 67. The greater number of closures since then reflects both an overall increase in this activity and the fact that we have gotten much better at catching it.
“IPv4 Hijacking: Our Experiences”, presented at RIPE 68 (2014)
Why are we talking about this now?
Things recently came to a head at our RIPE NCC Day in Moscow. After we gave the usual update on our services, members at the microphones wanted to know what had changed: Why is the RIPE NCC suddenly closing down more of its members? And why does it seem that so many of them are Russian?
This was triggered by our closure of two Russian members for providing us with untruthful information. In the period leading up to the meeting, both organisations made public statements, both to the Russian technical community and in the media, that they had been closed without warning for a small mistake on their part. Many in the audience were worried that they could lose their IP resources because of an innocent mistake or error they had made. There were also concerns that we weren't being upfront about our intentions.
“RIPE NCC Operational Update”, presented at RIPE 69 (2014)
At the meeting, attendees claimed Russian members were being unfairly targeted and were disproportionately represented in the closure statistics. Our staff didn’t have the numbers close to hand at the time, but as you can see from the table below, this is not the case.
However, it is important to note that Russia has a relatively higher number of independent resources than other countries. Independent and legacy resources are often seen as easy targets by people looking to steal IP addresses, which means there is greater potential for instances of fraud targeting these resources in Russia.
Closures for Provision of Untruthful/Misleading Information
| Year | Closures | Countries |
|---|---|---|
| 2014 | 3 | 1 PL, 1 IR, 1 UA |
| 2016 | 5 | 3 IR, 1 GR, 1 DM |
| 2018 | 52 | 37 SC, 4 US, 3 UK, 3 HK, 2 CN, 2 RU, 1 AU |
| 2019 | 7 | 4 RU, 1 HK, 1 KZ, 1 NL |
In the concluding session of the meeting, we said that what we were hearing was concern about a perceived lack of transparency on our part, and while there were limits to what we could say in some respects, we would take this as an action on us that we needed to communicate better. This article is a first step towards having that conversation. We want to start by outlining our position and exploring some of the difficulties we face around this issue.
“RIPE NCC Update”, presented at ENOG 10 (2015)
Trust is everything...
Trust is crucial to our role as an authoritative registry of who holds which IP addresses. While in one sense our function is a relatively minor and administrative one, we nevertheless take it very seriously, because it can ultimately determine whether a network is reachable on the Internet.
We serve a diverse region that spans 76 countries and contains a range of conflicts, geopolitical tensions and other divisions. For a membership spread across this region to trust us, we need to remain neutral and focused on our core mission – which is this registry function – in addition to supporting our members and the wider community in other ways.
Quite robust governance structures have been developed by our membership to make sure that we remain worthy of its trust: the RIPE community determines policy (not the RIPE NCC), our Executive Board is elected by the members to provide oversight, and the membership itself votes on key issues at the General Meetings held twice each year.
If a dispute arises between the RIPE NCC and one of our members, an independent Arbiters Panel is also there to review our decisions. In this process, arbiters review non-public information (including emails and other documentation) to determine whether we acted in a way that is consistent with our published procedures. You can find summaries of these rulings on our website.
"RIPE NCC Update", presented at RIPE 72 (2016)
The above could be understood as structural elements that support trust. Another part of how we retain trust is through transparency. This means being generally open in our communication and reporting, but also providing documentation that allows members to have certainty about our processes and procedures. This is always a work in progress with room for improvement – but when it comes to issues with legal ramifications such as closing members, things quickly become much more complicated.
For example, we have always avoided discussing specific cases involving our members. It is our responsibility to keep communication with our members confidential and we have never seen any indication that members want us to start sharing their information in a public setting. It shouldn’t be hard to see that while this approach protects our members, it also creates situations where we are unable to respond to public statements that are untrue or misleading. In these cases, we have traditionally assumed that our members will weigh any claims against our actions in the past and ask themselves if the story they’re hearing really adds up.
One suggestion we have seen is that we could provide certainty about how much and what kinds of untruthful information we will tolerate. It is hard to see how this would work – any such guide would have to be very broad, because it would need to cover any new situations we might encounter in the future. And if it was too precise, it would effectively become a manual for how to circumvent our procedures. But we do appreciate the need for guidelines – which is exactly why we developed our current documentation in the first place.
...but at some point, you'll need to trust for this to work
Aside from the fact that we are now better at catching dishonest activity and we ask for more supporting documentation, nothing much has changed with our fundamental approach. Comments from members concerned by the increase in closures often seem to recommend (unknowingly) that we stick with our current practice:
- We typically provide warnings and offer guidance when we find a problem – the seriousness of the case is the determining factor
- Innocent mistakes will not result in the closure of a network (though serious negligence will)
- In most cases we are looking for a pattern of untruthful or negligent behaviour before we make the decision to close a member
There’s a lot of room for value judgements in these points. And if we are unable to define what constitutes “serious”, or “innocent” or “a pattern” in our documentation, and if we are unable to share the details of every case, then how are members supposed to trust that we are getting it right?
This is where the wider structural elements we mentioned above come in: the Arbiters Panel to check that we followed our processes, and the Executive Board to provide guidance on our approach. As the RIPE NCC, we do all we can to support and demonstrate accountability, but it is impossible to create a system that provides absolute trust without requiring members to trust at some point.
"RIPE NCC Update", presented at RIPE NCC Day Moscow (2019)
We are not suggesting that members should blindly trust in the RIPE NCC. To some extent, it is probably the scrutiny of the membership that plays a large part in keeping us honest. But if our members are not willing to trust in us at all, and they are likewise unwilling to trust their elected Executive Board representatives or the independent arbiters, then it’s hard to imagine a realistic solution that will ever allow them to trust in the registry system.
We will end this section by noting that both of the Russian members mentioned above chose to enter into arbitration following their closure. In both cases, the arbiters ruled that we had followed our procedures, and a summary of the first case is now published on our website (the second will be published soon).
You are accountable too
During the discussion at Moscow, one participant asked if we thought it was fair that a member could be closed because they sent us a fake document as a joke. This was only a small part of their wider point, but it seems emblematic. We are not sure how to maintain an accountable registry system that allows space for these kinds of things. And we’re not sure that we should be reassuring members that this is okay (or are we supposed to accept this as an explanation, provided they let us in on the joke before we discover it on our own?)
So far, we’ve been trying to explain how we as the RIPE NCC try to remain accountable and worthy of the trust our members place in us. But what about our members? They are not our customers – they are part of an association of network operators, and part of the RIPE community as well. There are obligations that come with this.
By entering into a contractual relationship with the RIPE NCC, you are agreeing to (among other things) follow the RIPE community’s policies and provide us with truthful information. And if you are sponsoring End Users, you are committing to carrying out the appropriate level of due diligence this requires. This does not seem overly complicated to us.
We can have this conversation
This article is an initial attempt to show that we can have this conversation. We will also be presenting on closures and our due diligence procedures in the RIPE NCC Services Working Group at RIPE 78 on 22 May.
Unless the amount of fraud suddenly decreases, we can expect to see more closures in 2019. Hopefully, by having this conversation with our members now, we can build an understanding that allows us to move forward without needing to revisit this topic with every closure. And, perhaps more importantly, we can reassure our members that if they are acting in good faith and fulfilling their responsibilities, they have nothing to fear. After all, keep in mind that while there has been a dramatic increase in fraudulent documents being sent to the RIPE NCC (whether deliberate or accidental), we are still talking about an extreme minority here, much less than 1% of our membership.
It may also be that there is more that we can do as the RIPE NCC to address the concerns of our members. We are open to exploring options, provided any proposals are realistic and mindful of the various constraints that come into play.
This article doesn't address every concern that our members have raised on this topic, but we are not trying to avoid anything and can address other points in later articles. Let us know in the comments below or on the mailing list (email@example.com) what you want to hear from us. We can’t guarantee that everything can be answered directly, but we can promise to have this conversation in a way that is consistent with the values we share with the RIPE community: openness, transparency and a bottom-up approach.
Note: The table "Closures for Provision of Untruthful/Misleading Information" has been amended. This had an incorrect country code (HL) which has been updated to "HK".