Re: Accountable Use Registry was: How I deal with (false positive) IP-address blacklists...

[John C Klensin <john-ietf at jck.com>]

--On Thursday, 11 December, 2008 16:36 -0800 Douglas Otis
<dotis at mail-abuse.org> wrote:

> 
> On Dec 11, 2008, at 1:51 PM, John C Klensin wrote:
>> 
>> As soon as one starts talking about a registry of
>> "legitimate"   sources, one opens up the question of how
>...
> Perhaps I should not have used the word legitimate.  The
> concept of registry should engender a concept of
> accountability.
>...
> Counter to this, much of the email abuse has been squelched by
> third-parties who allow network providers a means to indicate
> what traffic of which they are accountable.  This is done in
> part by the assignment of address ranges as belonging to
> dynamically assigned users.  It does seem as though a more
> formalized method though a registry support by provider fees
> would prove extremely beneficial at reducing the scale of the
> IP address range problem raised by IPv6.  By formalizing a
> registration of accountable use, along with some type of
> reporting structure or clearinghouse, IPv6 would have a better
> chance of gaining acceptance.  It would also empower providers
> to say what potentially abused uses they which to support.

Again, while it is possibly that we are using different
vocabularies or not communicating for other reasons, as soon as
you say "support by provider fees", I hear "purchase a license
to be able to send mail".  I can imagine a number of
organizations who would be happy to operate suchFrom ietf-bounces at ietf.org  Fri Dec 12 05:38:53 2008
Return-Path: <ietf-bounces at ietf.org>
X-Original-To: ietf-archive at megatron.ietf.org
Delivered-To: ietfarch-ietf-archive at core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 8C0E03A6ACF;
	Fri, 12 Dec 2008 05:38:53 -0800 (PST)
X-Original-To: ietf at core3.amsl.com
Delivered-To: ietf at core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 2613A3A6ACF
	for <ietf at core3.amsl.com>; Fri, 12 Dec 2008 05:38:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Level: 
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5
	tests=[AWL=-0.078, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id AN1L-0ZRqu7t for <ietf at core3.amsl.com>;
	Fri, 12 Dec 2008 05:38:51 -0800 (PST)
Received: from bs.jck.com (ns.jck.com [209.187.148.211])
	by core3.amsl.com (Postfix) with ESMTP id 090363A679C
	for <ietf at ietf.org>; Fri, 12 Dec 2008 05:38:51 -0800 (PST)
Received: from [127.0.0.1] (helo=p3.JCK.COM)
	by bs.jck.com with esmtp (Exim 4.34)
	id 1LB8E7-000ALi-G8; Fri, 12 Dec 2008 08:38:43 -0500
Date: Fri, 12 Dec 2008 08:38:42 -0500
From: John C Klensin <john-ietf at jck.com>
To: Douglas Otis <dotis at mail-abuse.org>
Subject: Re: Accountable Use Registry was: How I deal with (false
	positive) IP-address blacklists...
Message-ID: <B27100805086D860001BA273 at p3.int.jck.com>
In-Reply-To: <9DCA9B4E-4AEC-4F05-A5B7-9362B5831E0A at mail-abuse.org>
References: <01N2VWXW3J4M00007A at mauve.mrochek.com>
	<C0F2465B4F386241A58321C884AC7ECC09EB3C5F at E03MVZ2-UKDY.domain1.systemhost.net>
	<01N2VZWB0O8800007A at mauve.mrochek.com>
	<493EF43D.8020203 at network-heretics.com>
	<C86FCDE7-60F4-4FB4-AED6-E379F3B2F308 at mail-abuse.org>
	<EB3B4B29E29058B8BD946B12 at scan.jck.com>
	<9DCA9B4E-4AEC-4F05-A5B7-9362B5831E0A at mail-abuse.org>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Disposition: inline
Cc: ietf at ietf.org
X-BeenThere: ietf at ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>,
	<mailto:ietf-request at ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf at ietf.org>
List-Help: <mailto:ietf-request at ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>,
	<mailto:ietf-request at ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-bounces at ietf.org
Errors-To: ietf-bounces at ietf.org



--On Thursday, 11 December, 2008 16:36 -0800 Douglas Otis
<dotis at mail-abuse.org> wrote:

> 
> On Dec 11, 2008, at 1:51 PM, John C Klensin wrote:
>> 
>> As soon as one starts talking about a registry of
>> "legitimate"   sources, one opens up the question of how
>...
> Perhaps I should not have used the word legitimate.  The
> concept of registry should engender a concept of
> accountability.
>...
> Counter to this, much of the email abuse has been squelched by
> third-parties who allow network providers a means to indicate
> what traffic of which they are accountable.  This is done in
> part by the assignment of address ranges as belonging to
> dynamically assigned users.  It does seem as though a more
> formalized method though a registry support by provider fees
> would prove extremely beneficial at reducing the scale of the
> IP address range problem raised by IPv6.  By formalizing a
> registration of accountable use, along with some type of
> reporting structure or clearinghouse, IPv6 would have a better
> chance of gaining acceptance.  It would also empower providers
> to say what potentially abused uses they which to support.

Again, while it is possibly that we are using different
vocabularies or not communicating for other reasons, as soon as
you say "support by provider fees", I hear "purchase a license
to be able to send mail".  I can imagine a number of
organizations who would be happy to operate such a syste a system and
collect those fees.  None of them make me very happy, especially
if they are unregulated, and some would raise grave privacy
concerns.

>...
> A registry of accountable use in conjunction with some type of
> reporting structure seems a necessity if one hopes to ensure a
> player can obtain the access that they expect.  In other
> words, not all things will be possible from just any IP
> address.  Providers should first assure the Internet what they
> are willing to monitor for abuse, where trust can be
> established upon this promise.  Not all providers will be
> making the same promise of stewardship.  Those providers that
> provide the necessary stewardship for the desired use should
> find both greater acceptance and demand.  Such demand may help
> avoid an inevitable race to the bottom.

Doug, we've got a worked example of a system that was intended
to provide protection against abuse by qualifying and certifying
providers in return for a fee.   The system was developed as the
result of a consensus process among those who could convince
others that they were stakeholders, not merely by a few
providers making rules for others, so it should have been off to
a good start.  That system is ICANN's registrar accreditation
process.  It has been, IMO, effective at two things: (i)
fattening ICANN's coffers and (ii) encouraging and developing a
whole new industry of bottom-feeders, including many of those
who contribute to the spam problem by supplying domain names to
phishers and promoters of other kinds of fraud and helping to
hide to ownership of those names.

Unless you have a plausible theory about how a registration
system can be run without falling victim to ICANN-like problems,
I can't consider the idea very credible.

   john



_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www.ietf.org/mailman/listinfo/ietf


m and
collect those fees.  None of them make me very happy, especially
if they are unregulated, and some would raise grave privacy
concerns.

>...
> A registry of accountable use in conjunction with some type of
> reporting structure seems a necessity if one hopes to ensure a
> player can obtain the access that they expect.  In other
> words, not all things will be possible from just any IP
> address.  Providers should first assure the Internet what they
> are willing to monitor for abuse, where trust can be
> established upon this promise.  Not all providers will be
> making the same promise of stewardship.  Those providers that
> provide the necessary stewardship for the desired use should
> find both greater acceptance and demand.  Such demand may help
> avoid an inevitable race to the bottom.

Doug, we've got a worked example of a system that was intended
to provide protection against abuse by qualifying and certifying
providers in return for a fee.   The system was developed as the
result of a consensus process among those who could convince
others that they were stakeholders, not merely by a few
providers making rules for others, so it should have been off to
a good start.  That system is ICANN's registrar accreditation
process.  It has been, IMO, effective at two things: (i)
fattening ICANN's coffers and (ii) encouraging and developing a
whole new industry of bottom-feeders, including many of those
who contribute to the spam problem by supplying domain names to
phishers and promoters of other kinds of fraud and helping to
hide to ownership of those names.

Unless you have a plausible theory about how a registration
system can be run without falling victim to ICANN-like problems,
I can't consider the idea very credible.

   john



_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www.ietf.org/mailman/listinfo/ietf