[ARIN-consult] Reminder on ARIN Consultation on RPKI/BGP

Owen DeLong owen at delong.com
Wed Feb 21 01:56:37 EST 2024



> On Feb 20, 2024, at 16:55, John Curran <jcurran at arin.net> wrote:
> 
> 
>> On Feb 20, 2024, at 6:17 PM, Michael Richardson <mcr+ietf at sandelman.ca> wrote:
>> ...
>> I understand that legacy holders do not get access to the ARIN trust anchors,
>> and so can't verify.  That's one direction of trust, and I think it's unfortunate.
>> I think that if they started to see benefit from RPKI, they might wonder why
>> they aren't involved, and consider joining.
> 
> Michael  – 
> 
> Alas, the challenge is that there are legacy resource holders who have made a conscious decision 
> over the years that they are better off not entering into a registration services agreement with ARIN – 
> the same agreement that every other resource holder has & with the same terms and conditions – 
> and thus they decline to receive the full set of services as every other registry customer.   While it is
> possible that the benefits of RPKI will impact their consideration of the matter, it’s not at all assured.

In its current state, RPKI is at best a cryptographically signed hint at how to best spoof an advertisement.

At worst, it is fast becoming a cudgel that can be used to drive certain behaviors.

For now (and this is largely a good thing) there aren’t many providers rejecting RPKI UNKNOWN announcements.
However, there are some that are rejecting RPKI unknown for IRR (not RIR) records more recent than a certain date.

There are many legitimate reasons that a legacy registration that is decades old might end up with a more recent
date on their IRR entry (changing from RADB to ALTDB or vice versa as an example).

This can result in significant connectivity problems for legitimate legacy holders, to which the general response
from these (large) providers is to attempt to bully the legacy holder into joining an RIR.

> As for the reason why, we’ve heard it asserted by some legacy resource holders that they hold 
> unspecified and/or unproven rights to their number resource entries in the ARIN registry, and 
> furthermore that entry into an ARIN registration services agreement would impact those rights.  
> While ARIN has changed the registration agreement several times to reduce the probability of 
> any conflict, it is a realistic concern given the otherwise indeterminate nature of the assertions. 

In my case, I entered into the ARIN Legacy RSA based on a set of conditions that were not expected to change. The
ARIN board chose to change those conditions over my objections, but would not give me the option of retaining my
resources and going back to an uncontracted state. Fortunately, I found a loophole by transferring my resources to
the RIPE NCC as uncontracted legacy resources, so my only relationship with ARIN regards my IPv6 /48.

> ARIN was formed to take on full responsibility for the Internet number registry that was previously 
> administered under USG direction, and to provide a clear voice to this community on how these 
> number resources are managed.  We have provided this community with the ability to elect its own 
> governing body for ARIN (the ARIN Board of Trustees) and that body has consistently held for over 
> 25 years that ARIN should provide legacy holders with the same basic registry services that they 
> were receiving at ARIN’s formation without cost or contract.  However, we have also heard consistent  
> community demand for equitable treatment of _all_ ARIN customers in terms of agreements and fees; 
> this should not be surprising given that the ARIN registry exists in service to the entire community. 

No, you have provided the membership, not the community, with the ability to elect the BoT and the AC.

Please note that the membership consists solely of those who have both opted in to some form of RSA and expressed a desire to participate in ARIN governance.

Further, the holding of the BoT that ARIN should provide those services to legacy holders without contract or cost is widely understood to be a promise ARIN made to the resource holding community at or near the time that it was awarded with that responsibility.


> The present situation is the result of balancing those two principled positions:  ARIN legacy resource
> holders continue to receive basic registry services (and many member-funded enhancements such as 
> online registry management, DNSSEC support for reverse DNS zones, etc.) without contract or fee. 
> They also enjoy full participation in the policy development process, the ARIN consultation process, etc. 

The present situation is the current place in the evolution of how ARIN has balanced those two positions.

Full participation in the PDP is open to anyone with an email address, not just the resource holders. (Well, except the part where the AC is elected; that’s members only.)

> However, if they want to receive all of the services that have been funded by the ARIN members – such as 
> authenticated IRR and RPKI – then they have to agree to the same registry terms as everyone else. 
> Doing so is quite simple, but does require being comfortable with being treated the same as every other 
> ARIN member – a problematic requirement for some given that they hold inherently inequitable beliefs
> regarding their number resources in the ARIN registry. 

IMHO, this is a derogatory and unfair characterization of the legacy holders who have, for various reasons, chosen not to adopt the ARIN RSA.

Owen
