Re: ARIN RPKI TAL deployment issues

From: NANOG on behalf of John Curran Date: Wednesday, 26 September 2018 at 16:51 To: Tony Finch Cc: David Wishnick , nanog list , "b...@benjojo.co.uk" , Job Snijders Subject: Re: ARIN RPKI TAL deployment issues On 26 Sep 2018, at 11:02 AM, Tony Finch mailto:d...@dotat.at>&g

Re: Software installation tools retrieving ARIN TAL (was: Re: ARIN RPKI TAL deployment issues)

Is the ARIN TAL copyrighted? Is it even copyrightable? It has no creative value, which is a requirement in european law. Why would not RIPE just include it like they do for every other RIR TAL? lør. 13. okt. 2018 15.49 skrev Job Snijders : > Dear John, > > I'd like to thank you and the ARIN

Re: Software installation tools retrieving ARIN TAL (was: Re: ARIN RPKI TAL deployment issues)

Dear John, I'd like to thank you and the ARIN team for these efforts - in doing so I feel that ARIN recognises issues & concerns related to the distribution of the ARIN RPKI TAL. Acknowledging a problem is the first step to solving it! On Sat, Oct 13, 2018 at 09:35:36AM -0400, John Curran wrote:

Software installation tools retrieving ARIN TAL (was: Re: ARIN RPKI TAL deployment issues)

On 25 Sep 2018, at 3:34 PM, Job Snijders wrote: > ... > What I'm hoping for is that there is a way for the ARIN TAL to be > included in software distributions, without compromising ARIN's legal > position. > > Perhaps an exception for software distributors would already go a long > way? > >

Re: ARIN RPKI TAL deployment issues

On Wed, Sep 26, 2018 at 02:18:43PM -0700, Mark Milhollan wrote: > On Tue, 25 Sep 2018, Job Snijders wrote: > > >We really need to bring it back down to "apt install rpki-cache-validator" > > You say this as if no packager has a way to display and perhaps require > approval of the license nor

Re: ARIN RPKI TAL deployment issues

On 2018-09-26, Mark Milhollan wrote: > On Tue, 25 Sep 2018, Job Snijders wrote: > >>We really need to bring it back down to "apt install rpki-cache-validator" > > You say this as if no packager has a way to display and perhaps require > approval of the license nor any way to fetch something

Re: ARIN RPKI TAL deployment issues

On 26 Sep 2018, at 5:18 PM, Mark Milhollan wrote: > On Tue, 25 Sep 2018, Job Snijders wrote: > >> We really need to bring it back down to "apt install rpki-cache-validator" > > You say this as if no packager has a way to display and perhaps require > approval of the license nor any way to

Re: ARIN RPKI TAL deployment issues

On Tue, 25 Sep 2018, Job Snijders wrote: >We really need to bring it back down to "apt install rpki-cache-validator" You say this as if no packager has a way to display and perhaps require approval of the license nor any way to fetch something remote as part of the installation process, e.g.,

Re: ARIN RPKI TAL deployment issues

On Sep 26, 2018, at 3:58 PM, Baldur Norddahl mailto:baldur.nordd...@gmail.com>> wrote: This seems silly. Please find a way to make RPKI useful also in the ARIN region. Baldur - RPKI in the ARIN region is useable (by definition, as there are indeed people in the region using it.) The question

Re: ARIN RPKI TAL deployment issues

ons. 26. sep. 2018 14.57 skrev John Curran : >In the case of ARIN, this does necessitate indemnification in order to > reduce risk exposure to the overall RIR mission. > > Thanks, > /John > > John Curran > President and CEO > ARIN > > Did you buy insurance? It is impossible to be immune from

Re: ARIN RPKI TAL deployment issues

On 26 Sep 2018, at 11:02 AM, Tony Finch mailto:d...@dotat.at>> wrote: John Curran mailto:jcur...@arin.net>> wrote: From "CA Terms & Conditions APNIC’s Certification Authority (CA) services are provided under

Re: ARIN RPKI TAL deployment issues

John Curran wrote: > > From > > > "CA Terms & Conditions > > APNIC’s Certification Authority (CA) services are provided under the > following terms and conditions: ... > > • The recipient of any Digital

Re: ARIN RPKI TAL deployment issues

On Wed, Sep 26, 2018 at 03:29:33AM -0400, Jared Mauch wrote: > > > > On Sep 26, 2018, at 3:13 AM, John Curran wrote: > > > > On 26 Sep 2018, at 2:09 AM, Christopher Morrow > > wrote: > >> > >> (I'm going to regret posting this later, but...) > >> > >> On Tue, Sep 25, 2018 at 10:57 PM John

Re: ARIN RPKI TAL deployment issues

Hi, John. On Tue, Sep 25, 2018, 22:56 John Curran wrote: > > Indeed - In the process of complying with a different legal environment, > ARIN sometimes has to behave differently than RIRs that are located > elsewhere... > > [...] > > The significant difference for ARIN is that we operate under a

Re: ARIN RPKI TAL deployment issues

On Wed, Sep 26, 2018 at 6:42 AM Tony Finch wrote: > > Let's Encrypt does not require an agreement from relying parties (i.e. > browser users), whereas ARIN does. > > this was my point, sorry for muddying things. (see 'regret' comment earlier)

Re: ARIN RPKI TAL deployment issues

On 26 Sep 2018, at 9:26 AM, Jared Mauch wrote: >> On Sep 26, 2018, at 7:16 AM, John Curran wrote: >> >> On 26 Sep 2018, at 3:29 AM, Jared Mauch wrote: >>> >>> The process for lets encrypt is fairly straightforward, it collects some >>> minimal information (eg: e-mail address, domain name)

Re: ARIN RPKI TAL deployment issues

> On Sep 26, 2018, at 7:16 AM, John Curran wrote: > > On 26 Sep 2018, at 3:29 AM, Jared Mauch wrote: >> >> The process for lets encrypt is fairly straightforward, it collects some >> minimal information (eg: e-mail address, domain name) and then does all the >> voodoo necessary. If ARIN

Re: ARIN RPKI TAL deployment issues

On 26 Sep 2018, at 8:21 AM, Job Snijders mailto:j...@ntt.net>> wrote: ARIN and APNIC go further by having indemnification by parties using information in the CA; in ARIN’s case, this requires an explicit act of acceptance to be legally valid. Are you sure about APNIC? The APNIC TAL is available

Re: ARIN RPKI TAL deployment issues

On Wed, Sep 26, 2018 at 11:07:49AM +, John Curran wrote: > > Let's Encrypt does not require an agreement from relying parties > > (i.e. browser users), whereas ARIN does. > > That is correct; I did not say that they were parallel situations, > only pointing out that the Let’s Encrypt folks

Re: ARIN RPKI TAL deployment issues

On 26 Sep 2018, at 3:29 AM, Jared Mauch wrote: > > The process for lets encrypt is fairly straightforward, it collects some > minimal information (eg: e-mail address, domain name) and then does all the > voodoo necessary. If ARIN were to make this request of the developers of > RPKI

Re: ARIN RPKI TAL deployment issues

On 26 Sep 2018, at 6:42 AM, Tony Finch wrote: > > John Curran wrote: >> On 26 Sep 2018, at 2:09 AM, Christopher Morrow >> mailto:morrowc.li...@gmail.com>> wrote: >>> >>> how is arin's problem here different from that which 'lets encrypt' is >>> facing with their Cert things? >> >> The “Let’s

Re: ARIN RPKI TAL deployment issues

John Curran wrote: > On 26 Sep 2018, at 2:09 AM, Christopher Morrow > mailto:morrowc.li...@gmail.com>> wrote: > > > > how is arin's problem here different from that which 'lets encrypt' is > > facing with their Cert things? > > The “Let’s encrypt” subscriber agreement (current version 1.2, 15

Re: ARIN RPKI TAL deployment issues

> On Sep 26, 2018, at 3:13 AM, John Curran wrote: > > On 26 Sep 2018, at 2:09 AM, Christopher Morrow > wrote: >> >> (I'm going to regret posting this later, but...) >> >> On Tue, Sep 25, 2018 at 10:57 PM John Curran wrote: >> >> The significant difference for ARIN is that we operate

Re: ARIN RPKI TAL deployment issues

On 26 Sep 2018, at 2:09 AM, Christopher Morrow mailto:morrowc.li...@gmail.com>> wrote: (I'm going to regret posting this later, but...) On Tue, Sep 25, 2018 at 10:57 PM John Curran mailto:jcur...@arin.net>> wrote: The significant difference for ARIN is that we operate under a different legal

Re: ARIN RPKI TAL deployment issues

On 26 Sep 2018, at 1:14 AM, Benson Schliesser wrote: > Without venturing too far off topic, can you briefly compare this situation > versus e.g. licensing of open source software? Often, such software is > (apparently) licensed without express agreement - using bundled license > files,

Re: ARIN RPKI TAL deployment issues

(I'm going to regret posting this later, but...) On Tue, Sep 25, 2018 at 10:57 PM John Curran wrote: > > The significant difference for ARIN is that we operate under a different > legal regime, and as a matter of US law, it appears that we cannot rely > only upon terms and conditions published

Re: ARIN RPKI TAL deployment issues

On 25 Sep 2018, at 7:11 PM, Jared Mauch wrote: > > Why is ARIN making it so hard for it’s members to get the benefits of the > global ecosystem for their RIR controlled space? What makes ARIN IP space so > unique in this sense? As part of a global ecosystem it’s incumbent of many > of us to

RE: ARIN RPKI TAL deployment issues

Jared, > Jared Mauch wrote : > Saying “nobody validates their prefixes” is patently false. You may not. I > may not, but there are a number of networks that are and have advertised that > they are. I did validate mine, but in the ARIN region I'm part of the only 2% that did, that's close

Re: ARIN RPKI TAL deployment issues

> On Sep 25, 2018, at 7:55 PM, Michel Py wrote: > > John, > >> John Curran wrote : >> 2) They could not agree to ARIN RPA agreement (for which the most cited >> reason is the indemnification clause, but perplexing given agreement to >> other indemnification clauses such as RIPE’s

RE: ARIN RPKI TAL deployment issues

John, > John Curran wrote : > 2) They could not agree to ARIN RPA agreement (for which the most cited > reason is the indemnification clause, but perplexing given agreement to other > indemnification clauses such as RIPE’s Certification services.) I would entertain that "could not agree to

Re: ARIN RPKI TAL deployment issues

> On Sep 25, 2018, at 4:28 PM, John Curran wrote: > > On 25 Sep 2018, at 3:34 PM, Job Snijders wrote: >> >> On Tue, Sep 25, 2018 at 03:07:54PM -0400, John Curran wrote: >>> On Sep 25, 2018, at 1:30 PM, Job Snijders wrote: """Using the data, we can also see that the providers

Re: ARIN RPKI TAL deployment issues

On 25 Sep 2018, at 5:51 PM, Job Snijders mailto:j...@ntt.net>> wrote: ... It may make sense to associate an implicit agreement (or perhaps a license?) with the ARIN TAL to limit risks to the ARIN organisation. "Use at your own risk"-style clauses are common and acceptable. Job - We did look at

Re: ARIN RPKI TAL deployment issues

On Tue, Sep 25, 2018 at 09:17:56PM +, John Curran wrote: > On 25 Sep 2018, at 5:04 PM, Job Snijders wrote: > >> It would be informative to know how many organizations potentially > >> have concerns about the indemnification clause in the RPA but > >> already agree to indemnification via RIPE

Re: ARIN RPKI TAL deployment issues

On 25 Sep 2018, at 5:04 PM, Job Snijders wrote: > >> It would be informative to know how many organizations potentially >> have concerns about the indemnification clause in the RPA but already >> agree to indemnification via RIPE NCC Certification Service Terms and >> Conditions. > > This seems

Re: ARIN RPKI TAL deployment issues

Dear John, On Tue, Sep 25, 2018 at 08:28:54PM +, John Curran wrote: > On 25 Sep 2018, at 3:34 PM, Job Snijders wrote: > > > > On Tue, Sep 25, 2018 at 03:07:54PM -0400, John Curran wrote: > >> On Sep 25, 2018, at 1:30 PM, Job Snijders wrote: > >>> > >>> """Using the data, we can also see

Re: ARIN RPKI TAL deployment issues

On 25 Sep 2018, at 3:34 PM, Job Snijders wrote: > > On Tue, Sep 25, 2018 at 03:07:54PM -0400, John Curran wrote: >> On Sep 25, 2018, at 1:30 PM, Job Snijders wrote: >>> >>> """Using the data, we can also see that the providers that have not >>> downloaded the ARIN TAL. Either because they

Re: ARIN RPKI TAL deployment issues

Sounds reasonable to me but IANAL, nor an RIR, nor an IXP. IXPs however do seem to be the sites of some number of recent mis-originations (putting it as charitably as possible). Let's try and make it harder for bad actors to do their mischief. Thanks, Tony On Tue, Sep 25, 2018 at 3:36 PM Job

RE: ARIN RPKI TAL deployment issues

> Job Snijders wrote : > (An example: a route server operator generally doesn't originate any BGP > announcements themselves, > but route servers are in an ideal position to perform RPKI based BGP Origin > Validation.) Indeed. Also, an IX should have an RPKI validator accessible by its members,

Re: ARIN RPKI TAL deployment issues

On Tue, Sep 25, 2018 at 03:07:54PM -0400, John Curran wrote: > On Sep 25, 2018, at 1:30 PM, Job Snijders wrote: > > > >"""Using the data, we can also see that the providers that have not > >downloaded the ARIN TAL. Either because they were not aware that > >they needed to, or could

Re: ARIN RPKI TAL deployment issues

On Sep 25, 2018, at 1:30 PM, Job Snijders wrote: > >"""Using the data, we can also see that the providers that have not >downloaded the ARIN TAL. Either because they were not aware that >they needed to, or could not agree to the agreement they have with >it. Job - Is it