This makes sense to me.
However, the recent changes ARE still a step in the right direction.  And they 
may be enough to let me start using RPKI… that’s not 100% clear yet, a more 
in-depth review needs to happen.
-Adam

Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
[email protected]
www.merlin.mb.ca

From: ARIN-PPML <[email protected]> On Behalf Of David Farmer
Sent: Monday, October 21, 2019 2:35 PM
To: John Curran <[email protected]>
Cc: arin-ppml <[email protected]>
Subject: Re: [arin-ppml] ARIN Announces New Relying Party Agreement (RPA) To 
Spur Use of RPKI

John,

I am encouraged by these changes; however, I don't think they go far enough.

I've been thinking about these issues for a while now, particularly the issue 
of requiring a valid and binding Relying Party Agreement (RPA) on a global 
basis. In my opinion, this seems to run counter to at least the spirit of 
ICP-2. While ICP-2 deals with the formation of new RIRs, it says, "each region 
should be served by a single RIR."  This seems to strongly imply that an LIR 
(ISPs) should only have to contract with or otherwise do business with the 
RIR(s) for which the LIR operates within the service regions of the RIR(s).

Furthermore, if the other RIRs have similar requirements as ARIN for valid and 
binding RPAs on a global basis, whether through a formal contract as with ARIN 
or through terms expressed in the Certificate or Certificate Practice Statement 
(CPS) this would mean I would need to convince the lawyers at the University of 
Minnesota that we needed binding contracts with each of the five RIRs. To be 
honest, I doubt this would be achievable, and ICP-2 seems to imply this should 
not be necessary as we only operate our network within the ARIN service region. 
However, even though we only operate a network within the ARIN service region 
the University of Minnesota has assets around the globe, which makes the risks 
of contracting with the other RIRs difficult to determine but probably quite 
sizable.

Further, if it is truly necessary to have binding agreements with each of the 
RIRs or that all operators globally need to contract with ARIN in order to 
validate RPKI then I think we need to rethink RPKI or at least rethink how RPKI 
is currently deployed. Maybe the RIRs need to contract with each other on 
behalf of their members and re-sign each other's certificates, so a binding RPA 
is only necessary with your home RIR, and you only need the TAL of your home 
RIR to validate ROAs on a global basis.

Thank you.

On Mon, Oct 21, 2019 at 1:01 PM John Curran <[email protected]> wrote:
FYI,
/John


Begin forwarded message:

From: ARIN <[email protected]>
Subject: [arin-announce] ARIN Announces New Relying Party Agreement (RPA) To 
Spur Use of RPKI
Date: 21 October 2019 at 10:52:40 AM PDT
To: <[email protected]>

Today, ARIN published a new Relying Party Agreement (RPA) for RPKI.

Visit: https://www.arin.net/resources/manage/rpki/rpa.pdf

Background: In response to feedback from the community, ARIN had
previously updated its processes to allow organizations to directly
download our Trust Anchor Locator (TAL) from our website, noting that by
doing so they were agreeing to be bound by the RPA. This was intended to
accommodate and overcome claimed barriers to RPKI adoption.

Visit: https://www.arin.net/resources/manage/rpki/tal/

Today’s new RPA includes modifications to address constructive
suggestions that have been raised by members of the community both
publicly and directly with ARIN. ARIN has included the following changes
in the RPA:

 *  The ability to make available the ARIN RPKI information to any
third party for informational purposes (e.g. reporting, educational,
research, summary or statistical purposes) has been expanded to allow
for distribution in machine-readable formats; and

 *  The RPA’s indemnification clause has been more narrowly scoped to
exclude the indemnification of possible ARIN misconduct.

ARIN has also now made a Redistributor RPA available for qualified
organizations that wish to distribute RPKI-related data for purposes not
covered in this standard RPA, including but not limited to distribution
for real-time routing purposes. Interested organizations should contact
ARIN via the information available on the Trust Anchor Locator page on
our website.

Visit: https://www.arin.net/resources/manage/rpki/rpa_redistributor.pdf

ARIN hopes that these additional changes to the RPA, alongside
simplified access to the TAL, will encourage organizations’ adoption of
RPKI to secure Internet routing.


Regards,

John Curran
President and CEO
American Registry for Internet Numbers (ARIN)

_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact [email protected] if you experience any issues.


--
===============================================
David Farmer               Email: [email protected]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================