[ARIN-consult] Reminder on ARIN Consultation on RPKI/BGP

[Richard Laager]

On 2024-02-14 14:55, Theo de Raadt wrote:
 >> You (Bill) have indicate it's not B

 > I can't find that anywhere in the thread.

I was referring to this:

On 2024-02-14 14:25, William Herrin wrote:
 > On another tangent - no one proposes (or at the least, I did not
 > propose) providing RPKI service to anyone for free.

On 2024-02-14 15:01, William Herrin wrote:
> On Wed, Feb 14, 2024 at 12:42 PM Richard Laager <rlaager at wiktel.com> wrote:
>> Which is the (major) issue:
>>
>> A) Legacy registrants can't be bothered to do anything.
>> B) Legacy registrants don't want to pay the same fees.
>> C) Legacy registrants don't want to give up the idea that they might
>> "own" the resources.
>>
>> You (Bill) have indicate it's not B. Also, if it was B, then they should
>> have already signed under the older LRSA that capped their fee increases.
>>
>> So it seems to me that it's either A, C, or something else.
> 
> Hi Richard,
> 
> Let me answer your question with a question: how many registrants have
> to fall into category C before RPKI would be more useful to you if
> they published ROAs? 10? 100? 1000?

In a pedantically literal sense, I suppose 1 is "more useful". As a 
practical matter, I'm not sure where the realistic breakpoint is.

In this subthread, we are talking about whether a legacy resource holder 
can issue ROAs for their legacy space, not whether others honor my ROAs. 
So the risk this helps mitigate is the legacy resource holder's space 
being hijacked. By definition, to whatever extent that risk affects me 
(my traffic to them being hijacked), it affects them too, symmetrically. 
The impact to them is thus the sum of the impacts to everyone else 
trying to talk to them. So they have far more incentive.


There are many times that other networks do things that cause me 
problems. Such things are incredibly frustrating, but there's only so 
much I can do about them. I find that in many of those cases, the actual 
issue is "A". They simply can't be bothered to care. If that's the case 
here, it doesn't matter if ARIN lets legacy resource holders have RPKI 
for free without an RSA.


If the issue is "B", then quite frankly, they are trying to extort "us" 
(non-legacy ARIN members). They want non-legacy members to continue to 
subsidize the costs of operating ARIN. That's just wrong; we should all 
pay our fair share. While I may find myself forced to accept that some 
will get away with not paying their fair share, I certainly don't have 
to agree with / condone / support that bad behavior.


It seems to me that if the concern is "C", we have to be close to the 
point where that largely stops mattering, for at least a couple of reasons:

First off is the economic argument. If I'm a legacy resource holder 
sitting on excess IPv4 space, it seems to me that the right play is to 
sell now or soon. At some point (hopefully soon), we're (hopefully) 
going to reach peak IPv4 value. Once a legacy resource holder sells, the 
new owner is going to be subject to an RSA, which moots concern C anyway.

Second is the RPKI deployment argument. All it would take is one large 
network to say, "RPKI or we're not going to route it" (or the U.S. FCC 
to mandate that) and then that'd be it. Legacy resource holders would 
have to work things out with ARIN. And, at that point, the legacy 
resource holders would have significantly decreased leverage, so it 
seems unlikely that ARIN would suddenly loosen their stance.

All that said...

On 2024-02-14 15:31, John Curran wrote:
 > There are some organizations that that believe that they may have
 > rights that exceed those expressed in the RSA – while I find that
 > rather fanciful

Would it be possible for ARIN to modify the LRSA in some way to placate 
this concern? Effectively saying that ARIN takes no position on those 
claims? What would be the practical difference; if they stop paying 
their ARIN bill, the difference would be reclaiming those resources vs. 
just stopping providing any services?

-- 
Richard