Quan Zhou via 44Net 44net@mailman.ampr.org wrote:
Hi all, Sorry to bother you with a rant, but I'm feeling an urge to ask what's happening at AMPR/ARDC.
Thank you for your rant.
## Background

A few weeks ago I received a harsh email from Chris G1FEF accusing me of announcing a prefix that was assigned to me. In that case, the claimed reason is that the prefix wasn't listed on the AMPR portal. I tried to clear things up by sending him the LOA from WB6CYT, which he claims is NOT legitimate; he also denied the possibility that a bug in the portal could have caused this. I have also complied with his demands for even more information, including all conversations between me and Brian regarding the assignment. Eventually he continued to ask for even more personal information without justification, threatening that not complying may cause "close of account".
## Questions
- Have all previous assignments by WB6CYT been overruled? Or am I singled out?
Previous assignments by Brian (WB6CYT) have not generally been overruled. Brian took very seriously his duty to both make space available to real amateur radio operations and to deny space to opportunists trying to poach the space for commercial, personal, spam/malware or other purposes.
Many people requested assignments, and most of them received assignments. Those assignments are and were recorded in the ARDC portal, which was initially programmed by Chris (G1FEF), and operated and evolved by both Brian and Chris. The data in it was supplied by Brian, by net44 users who register to receive allocations, and by the volunteer regional coordinators who make allocations.
Any collection of detailed allocations too complicated to fit in one person's memory or on the back of an envelope needs a definitive register that provides the collective memory of all the past decisions. The portal was and remains that definitive register.
If your allocation is not in that register, then we'd need to figure out why it isn't. The ARDC Board has access to some of Brian's stored email, as well as backup dumps of the Portal databases, so we can do some searching among those if needed. So far, your rant did not mention the particular IP address allocations involved, so we have had little information to start from.
Most allocations are made via country-based and region-based volunteer coordinators, who all have portal accounts with permission to make sub-allocations in their region; Brian did not have to adjudicate most of these.
Apparently your allocation is from the China subnet, and apparently Brian was still handling those allocations. My guess is that he did not have a volunteer coordinator for China who both had sufficient experience and that Brian trusted to do the job well.
- What are the current rules on allocation now? A snapshot of the latest version of ToS is at: https://web.archive.org/web/20190731094938/https://www.ampr.org/terms-of-ser... -- It does not require personal information beyond ASN addresses.
The current rules on allocation have not changed. However, Brian is no longer with us to make decisions based on years of expertise. So anyone who would take over that job will make a number of mistakes as they gain similar expertise. Some of those mistakes will be in allocating addresses to requesters who don't deserve them. Some of the mistakes will be in denying addresses to requesters who do deserve them, or in demanding more scrutiny than is warranted when requests are made.
An allocation of 768 IP addresses, such as yours, which has considerable monetary value if used commercially, will naturally get more scrutiny than a typical request for a /29 that only has 8 addresses and can't be routed via BGP.
The Chinese agency that licenses amateur radio operators, the State Radio Regulation of China (http://www.srrc.org.cn) does not appear to provide an English-language portal for looking up amateur radio licenses. This currently makes it a more manual process to verify the license status of Chinese hams. See:
https://en.wikipedia.org/wiki/Amateur_radio_licensing_in_China
(I hope some 44net users from Asia will improve that Wikipedia page, which is still mostly a stub page.)
- What is G1FEF's role in the allocation, and which of the rights that ARDC holds have been delegated to this guy alone?
G1FEF has been informally trying to continue providing service to amateurs while the ARDC board and other volunteers scramble to pick up the work that Brian was doing during his lifetime.
ARDC and G1FEF have been negotiating a contract that would specify just what rights and powers ARDC would delegate to G1FEF, and which ARDC would retain for exercise by its board (and eventually by a hired staff, which we have been trying to hire the first person of). The first draft contract was full of legalese that one side or the other didn't like, and it also raised some more complex issues such as international privacy practices, so we are re-drafting, consulting lawyers, and continuing to negotiate.
- The holding-the-ID-in-a-photo-of-you practice is pretty common when dealing with financial institutions and websites that frequently deal with fraudsters. Since the LIR, RIR, and BGP upstream also require and validate these IDs, why is it necessary to do it again?
People who get legacy 44.x.y.z IP addresses from 44net don't have to get addresses from an LIR or RIR, so LIR/RIR practices don't provide any safeguard for 44net addresses.
Our previous policy, created and enforced by Brian, was not to demand such identity documents of everyone. But Brian did reserve the right to ask more questions and collect more information when he encountered a situation that he thought was questionable, and to use his own judgment in deciding whether to make an allocation. And he sometimes consulted with the board about how to resolve such situations.
- Is Chris Smith, G1FEF capable of handling sensitive personal data? Is he handling data as a natural person, or as a legal entity that ARDC approves?
At the moment, as a natural person; he's a volunteer. One of the issues being negotiated in the draft contract, and with lawyers, is to what extent ARDC will collect sensitive personal data, how it would safeguard that data that it does collect, and to what extent ARDC will be subject to privacy controls such as the European GDPR. These issues have been handled informally up to the time that Brian died.
The current situation is that when Chris requests identification photos or documents, he examines them and then deletes them after approval.
- If there's another change, does anyone with an allocation have to go through the same process again?
Since we haven't defined any changes yet, we also haven't decided that issue.
I see that we already have a problem with transparency, now we got bureaucracy? Also it's not my problem that the assignment wasn't added to the portal.
It is fortunate that small, informal organizations still have room to operate in today's world, and can provide positive benefits to society. ARDC under Brian's leadership was such an organization; the board helped him around the edges, but he was our leader, and he also did most of the work. Now we have no leader experienced in exactly what Brian did. As organizations grow and become more formal, the world expects a degree of impartiality, predictability, and adherence to rules that reduces the flexibility of the informal processes.
Quan, you are simultaneously asking that you be given the benefit of an informal process that provided you with the allocation you claim, and yet also asking that we provide predictable rules and adhere to them, rather than continuing informally. There is clearly a tension between these extremes. The ARDC board (all volunteers) and the technical volunteers such as Chris and the regional coordinators are trying to chart a middle course. Thank you for your help in pointing out some of the implications of the choices we are trying to make.
It DOES seem to be your problem that the assignment wasn't added to the portal. If your assignment was in the portal, then your allocation would not be getting the scrutiny it is currently getting. As the wiki says in the "Requesting a block" page:
https://wiki.ampr.org/wiki/Requesting_a_block
"You must request an amprnet block direct from the Portal. First you must create your account at the Portal. Once you do, you must login..."
https://wiki.ampr.org/wiki/Announcing_your_allocation_directly
"Apply for your AMPRNet allocation via the Portal. Check the Direct box to indicate that your connection will be using a direct announcement of the subnet (via the BGP protocol).
"Upon verification and approval, the AMPRNet administrator will provide authorization to your ISP allowing them to announce your allocation."
If only one of your three /24 allocations is in the portal, then how did Brian, the very meticulous AMPRNet administrator end up providing you with a Letter of Authorization for the others?
Best Regards, Quan
Best regards back to you,
John Gilmore, W0GNU ARDC board member
John,
Some time back the concept of authenticating hams using the P12 certificates such as the ARRL's Logbook of the World was discussed on this list. I'm bringing that up again in light of this recent issue, and also in case you weren't around when that was discussed on this list.
In my mind, it would kind of alleviate the manual scrutiny part, as it would be the certificate issuer's responsibility. (The ARRL typically mails a post card with a code to the license address.) It might help filter out some of the bogus requests.
Steve, KB9MWR
The Chinese agency that licenses amateur radio operators, the State Radio Regulation of China (http://www.srrc.org.cn) does not appear to provide an English-language portal for looking up amateur radio licenses. This currently makes it a more manual process to verify the license status of Chinese hams. See:
Ja, I second this!
Just FYI that the process is a bit different overseas: you send a mail with scanned documents from your local post office to the ARRL mailbox, wait a few weeks and voila.
see: https://lotw.arrl.org/lotw-help/authentication/
It looks like they also accept emails now.
Quan, BH1XQV
On 2/23/20 12:08 PM, Steve L via 44Net wrote:
John,
Some time back the concept of authenticating hams using the P12 certificates such as the ARRL's Logbook of the World was discussed on this list. I'm bringing that up again in light of this recent issue, and also in case you weren't around when that was discussed on this list.
In my mind, it would kind of alleviate the manual scrutiny part, as it would be the certificate issuer's responsibility. (The ARRL typically mails a post card with a code to the license address.) It might help filter out some of the bogus requests.
Steve, KB9MWR
The Chinese agency that licenses amateur radio operators, the State Radio Regulation of China (http://www.srrc.org.cn) does not appear to provide an English-language portal for looking up amateur radio licenses. This currently makes it a more manual process to verify the license status of Chinese hams. See:
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
On 23/02/20 16:03, Quan Zhou via 44Net wrote:
Ja, I second this!
Just FYI that the process is a bit different overseas: you send a mail with scanned documents from your local post office to the ARRL mailbox, wait a few weeks and voila.
see: https://lotw.arrl.org/lotw-help/authentication/
It looks like they also accept emails now.
Yeah, the snail mail requirement of the past was a major barrier for me, but email is doable. I'll have to consider it, since it's becoming more likely that I'll be using LoTW for everything except logging. :)
On Sun, Feb 23, 2020 at 2:36 PM Tony Langdon via 44Net 44net@mailman.ampr.org wrote:
Yeah, the snail mail requirement of the past was a major barrier for me, but email is doable. I'll have to consider it, since it's becoming more likely that I'll be using LoTW for everything except logging. :)
Glad I am not the only one who hasn't ever used it for its intended purpose :-)
Anyway, I was thinking for the sake of the coordinators' peace of mind, if the portal/request showed the requester's status as "verified" (indicating their P12 certificate has been uploaded), this might be helpful.
In the Swedish part of AMPRNet, which has an agreement with ARDC to announce its allocated address space via the points of presence of the Swedish University Network (www.sunet.se), we are working on implementing the eduGAIN framework, used by research and education organisations and many public authorities all over the world, for authentication. eduGAIN is based on Identity Federations (https://wiki.geant.org/display/eduGAIN/Identity+Federations+and+eduGAIN). We have an agreement with SSA, the Swedish national ham organisation, to use the official database for an Identity Provider authenticating hams.
Once we have this operational we will be able not only to authenticate hams, but also be able to negotiate access to great services like Eduroam (https://www.eduroam.org/), have a model for single sign on (SSO) to all services complying with this standard, etc.
Any others that are working on this?
One good method might not have to exclude another though.
Bjorn, sa0bxi
On 2020-02-23 07:08, Steve L via 44Net wrote:
John,
Some time back the concept of authenticating hams using the P12 certificates such as the ARRL's Logbook of the World was discussed on this list. I'm bringing that up again in light of this recent issue, and also in case you weren't around when that was discussed on this list.
In my mind, it would kind of alleviate the manual scrutiny part, as it would be the certificate issuer's responsibility. (The ARRL typically mails a post card with a code to the license address.) It might help filter out some of the bogus requests.
Steve, KB9MWR
Thank you for your kind explanation. I'll add some of my own for the situation I'm facing.
On 2/23/20 4:45 AM, John Gilmore via 44Net wrote:
Previous assignments by Brian (WB6CYT) have not generally been overruled. Brian took very seriously his duty to both make space available to real amateur radio operations and to deny space to opportunists trying to poach the space for commercial, personal, spam/malware or other purposes.
Many people requested assignments, and most of them received assignments. Those assignments are and were recorded in the ARDC portal, which was initially programmed by Chris (G1FEF), and operated and evolved by both Brian and Chris. The data in it was supplied by Brian, by net44 users who register to receive allocations, and by the volunteer regional coordinators who make allocations.
Any collection of detailed allocations too complicated to fit in one person's memory or on the back of an envelope needs a definitive register that provides the collective memory of all the past decisions. The portal was and remains that definitive register.
If your allocation is not in that register, then we'd need to figure out why it isn't. The ARDC Board has access to some of Brian's stored email, as well as backup dumps of the Portal databases, so we can do some searching among those if needed. So far, your rant did not mention the particular IP address allocations involved, so we have had little information to start from.
Maybe I can provide some insights on this.
At the time, the allocation I requested on the portal was under 44.190/16, because a) I wanted to use the prefixes for anycast, and it's not really country bound; b) the portal says "The owner of the network you have selected has chosen not to allow allocation requests." even today.
Brian asked me why I wasn't requesting from the CN list; I explained and eventually received the 44.159.66.0/23.
An allocation of 768 IP addresses, such as yours, which has considerable monetary value if used commercially, will naturally get more scrutiny than a typical request for a /29 that only has 8 addresses and can't be routed via BGP.
I can understand this, and again, I promise I will follow the ToS.
But please also understand that the 44net assignments have the leaser's personal name all over them. It'd be very unwise to use them for commercial purposes. It is very clear to me that those addresses are tightly tied to my call-sign, which is also publicly linked to my name and address. This holds me personally liable for anything that happens in the requested prefixes.
Even so, I got rejected by several providers when trying to set up BGP for 44/8 prefixes. Vultr is the only one that accepts my leased prefix, and Packet did so only after the prefixes were registered on RADb by Vultr. Smaller providers won't even take a look at an LOA or RADb.
I think that everyone who has been in the field long enough agrees that the internet and routing world is rather bizarre and messy; actually, it took me a great amount of courage to apply for the addresses in the first place.
The Chinese agency that licenses amateur radio operators, the State Radio Regulation of China (http://www.srrc.org.cn) does not appear to provide an English-language portal for looking up amateur radio licenses. This currently makes it a more manual process to verify the license status of Chinese hams. See:
https://en.wikipedia.org/wiki/Amateur_radio_licensing_in_China
(I hope some 44net users from Asia will improve that Wikipedia page, which is still mostly a stub page.)
I looked into that page, and yes, it's lame. I will improve it asap.
At the moment, as a natural person; he's a volunteer. One of the issues being negotiated in the draft contract, and with lawyers, is to what extent ARDC will collect sensitive personal data, how it would safeguard that data that it does collect, and to what extent ARDC will be subject to privacy controls such as the European GDPR. These issues have been handled informally up to the time that Brian died.
The current situation is that when Chris requests identification photos or documents, he examines them and then deletes them after approval.
My day job is an operations engineer at an incubator, and I frequently deal with compliance & abuse issues. Starting from last year, my blood pressure goes through the roof every time a PM or a programmer wants to store some photo ID, passport, etc. in the cloud. I usually turn down the request, and/or direct them to our legal department. The verification process they wanted eventually goes to some eligible third party that costs some serious $$$.
The example I just gave maybe applies to China only, but it at least shows that even as an LLC, there's still too much risk in handling the PII ourselves.
It is fortunate that small, informal organizations still have room to operate in today's world, and can provide positive benefits to society. ARDC under Brian's leadership was such an organization; the board helped him around the edges, but he was our leader, and he also did most of the work. Now we have no leader experienced in exactly what Brian did. As organizations grow and become more formal, the world expects a degree of impartiality, predictability, and adherence to rules that reduces the flexibility of the informal processes.
Yes, I understand this; it's the part that I appreciate in the "free world". But today it's even harder, and the trend is that it is likely to be even harder to survive in the future.
Quan, you are simultaneously asking that you be given the benefit of an informal process that provided you with the allocation you claim, and yet also asking that we provide predictable rules and adhere to them, rather than continuing informally. There is clearly a tension between these extremes. The ARDC board (all volunteers) and the technical volunteers such as Chris and the regional coordinators are trying to chart a middle course. Thank you for your help in pointing out some of the implications of the choices we are trying to make.
Sorry, I did not realize this. Informal is good. But to my credit, the process G1FEF asked me to comply with is as formal as applying for a credit card from my bank.
Also, as a foreign national and PayPal account owner, every year they do the KYC again, but they just want three things: proof of address, passport photo, and an ITIN number.
I think that he might think that I'm a fraudster or something worse.
It DOES seem to be your problem that the assignment wasn't added to the portal. If your assignment was in the portal, then your allocation would not be getting the scrutiny it is currently getting. As the wiki says in the "Requesting a block" page:
https://wiki.ampr.org/wiki/Requesting_a_block
"You must request an amprnet block direct from the Portal. First you must create your account at the Portal. Once you do, you must login..."
https://wiki.ampr.org/wiki/Announcing_your_allocation_directly
"Apply for your AMPRNet allocation via the Portal. Check the Direct box to indicate that your connection will be using a direct announcement of the subnet (via the BGP protocol).
"Upon verification and approval, the AMPRNet administrator will provide authorization to your ISP allowing them to announce your allocation."
If only one of your three /24 allocations is in the portal, then how did Brian, the very meticulous AMPRNet administrator end up providing you with a Letter of Authorization for the others?
I believe it is best to put the /23 in the portal and fix the problem. Anyway, it wasn't my fault that the address wasn't in the portal.
Best Regards, Quan
Best regards back to you,
John Gilmore, W0GNU ARDC board member