[ARIN-consult] Reminder on ARIN Consultation on RPKI/BGP

John Curran jcurran at arin.net
Wed Feb 21 09:42:15 EST 2024 

On Feb 21, 2024, at 1:56 AM, Owen DeLong <owen at delong.com> wrote:
On Feb 20, 2024, at 16:55, John Curran <jcurran at arin.net> wrote:

Alas, the challenge is that there are legacy resource holders who have made a conscious decision
over the years that they are better off not entering into a registration services agreement with ARIN –
the same agreement that every other resource holder has & with the same terms and conditions –
and thus they decline to receive the full set of services as every other registry customer.   While it is
possible that the benefits of RPKI will impact their consideration of the matter, it’s not at all assured.

In its current state, RPKI is at best a cryptographically signed hint at how to best spoof an advertisement.

That is case only for those who do not perform RPKI ROV – as it is those who fail to perform ROV (or rely
on others that fail to perform ROV) that run the risk of routing impact by such spoofing… i.e., a self-inflicted
injury to some extent.

As for the reason why, we’ve heard it asserted by some legacy resource holders that they hold
unspecified and/or unproven rights to their number resource entries in the ARIN registry, and
furthermore that entry into an ARIN registration services agreement would impact those rights.
While ARIN has changed the registration agreement several times to reduce the probability of
any conflict, it is a realistic concern given the otherwise indeterminate nature of the assertions.

In my case, I entered into the ARIN Legacy RSA based on a set of conditions that were not expected to change. The
ARIN board chose to change those conditions over my objections, but would not give me the option of retaining my
resources and going back to an uncontracted state. Fortunately, I found a loophole by transferring my resources to
the RIPE NCC as uncontracted legacy resources, so my only relationship with ARIN regards my IPv6 /48.

That is not a “loophole” but rather a feature of the confederated nature of Internet numbers registry system –
each RIR community, through its own governance mechanisms, determines its own policies and services.

ARIN was formed to take on full responsibility for the Internet number registry that was previously
administered under USG direction, and to provide a clear voice to this community on how these
number resources are managed.  We have provided this community with the ability to elect its own
governing body for ARIN (the ARIN Board of Trustees) and that body has consistently held for over
25 years that that ARIN should provide legacy holders with the same basic registry services that they
were receiving at ARIN’s formation without cost or contract.  However, we have also heard consistent
community demand for equitable treatment of _all_ ARIN customers in terms of agreements and fees;
this should not be surprising given that the ARIN registry exists in service to the entire community.

No, you have provided the membership, not the community, with the ability to elect the BOT and the AC.

Note that when ARIN was first formed even that ability for the community to elect a Board wasn’t present –
we had to define the membership and provide it with the right to elect the Board and the AC.   Over time
we have continued to vest more authority in the ARIN membership, and this has included the member right
to remove trustees, to be consulted on governance bylaw changes, etc.

We have even gone as far as to place control over changes to the registration service agreement itself with
the members (as the latest RSA provides that ARIN may only modify its terms for a compelling need to due
to a discrete, identifiable change in relevant statute or caselaw, or upon recommendation of the Board with
a ratification by ARIN member vote.)

Please note that the membership consists solely of those who have both opted in to some form of RSA and expressed a desire to participate in ARIN governance.

To be clear, the membership now consists of all organizations receiving ARIN services for their Internet
number resources under contract (this includes IPv4, IPv6, and ASN holders), as these are all Service
Members.  Those that wish to participate in ARIN governance may opt to become ARIN General Members
(by agreeing to vote in elections, be published in the membership directory, contacted with governance
information, etc. )

The goal is a stable self-governing organization that allows those in the community that wish to participate
in governance to have a voice in the way that number resources are managed in the registry, and those
simply want to receive registry services to do so without the overhead of governance involvement.   One
doesn’t have to participate in ARIN governance, but you are still governed by the whatever those that do
participate end up deciding.

Further, the holding of the BoT that ARIN should provide those services to legacy holders without contract or cost is widely understood to be a promise ARIN made to the resource holding community at or near the time that it was awarded with that responsibility.

ARIN has continued provide such service to date, as it has been viewed as appropriate course by the
member-elected Board of Trustees.  Ultimately, however, ARIN is a membership organization, and it will
take whatever course of action is set by the ARIN membership who choose to participate in its governance.

...
However, if they want to receive all of services that have been funded by the ARIN members – such as
authenticated IRR and RPKI – then they have to agree to the same registry terms as everyone else.
Doing so is quite simple, but does require being comfortable with being treated the same as every other
ARIN member – a problematic requirement for some given that they hold inherently inequitable beliefs
regarding their number resources in the ARIN registry.

IMHO, this is a derogatory and unfair characterization of the legacy holders who have, for various reasons, chosen not to adopt the ARIN RSA.

Apologies, it was not my goal to cast aspersions on those who have chosen not to enter into a registration
services agreement, but rather to simply convey (in a clear and accurate manner) the inherent conflict between
their expectations and ARIN’s goals of a member-governed organization that provides equitable treatment of
all members.

I note that this thread, while perhaps informative on several related topics, has wandered a bit astray from the
original question of the community consultation – i.e., the proposal that we change the ARIN Online interface
for the Hosted RPKI service to provide additional information on current routing state to the user (as further
described here – https://www.arin.net/participate/community/acsp/consultations/2024/2024-1/)

To the extent that there is further feedback or suggestions regarding this proposed service change, please
provide it here on the list as soon as possible (as this consultation will close in just over one week’s time.)

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20240221/ec19d87d/attachment.htm>

More information about the ARIN-consult mailing list