[arin-discuss] Important Update Regarding Resource Certification

John Curran jcurran at arin.net
Thu Jan 6 11:08:39 EST 2011


On Jan 6, 2011, at 9:32 AM, George, Wes E [NTK] wrote:

> There have been some threads about this on NANOG in the last few days. Can
> we get a bit clearer explanation of what the specific security concerns are
> and why they are delaying things? It may also make sense for someone from
> ARIN to post to NANOG with an explanation as well. If there are security
> concerns, it is something that the community should be aware of in case
> other RIRs or the SIDR WG need to be considering those issues as well.
> 
> Thanks, 
> Wes George

George - 
 
   The security concerns are not specifically related to the RPKI
   protocol, but inherent implications of any service that might 
   be heavily relied upon for real-time network operations, i.e.
   I don't think it's a SIDR WG matter, but simply part of the
   due diligence associated with the service as noted below.

   While the RIRs presently provide services which are used to 
   support operations (such as WHOIS and Reverse DNS services),
   failure of RIR resource certification services could have 
   some very significant consequences, particularly in the case
   of incorrect data as opposed to simply unavailable data.  
   There are some potential liability implications of operating 
   such a service that ARIN is presently reviewing in depth.  I 
   need to also note that these issues exist even in the case of 
   a perfectly secure and operational service, in that an error
   by an ISP using ARIN's services (e.g. having entered the wrong 
   AS number into a ROA for a major customer) could result in 
   ARIN needing to readily "prove" the integrity of its resource 
   certification system as well as fidelity of performance against 
   the operator's request.

   This has led ARIN to consider some aspects of its resource 
   certification design, specifically to mitigate potential risks
   in the areas of non-repudiation and multi-party controls. Even
   so, the ultimate decision in these matters lies with the ARIN 
   Board, as there is always going to be residual risk associated
   with any operations-related service provided by ARIN (note also
   that we have also discussed these issues with the other RIRs, 
   but as they don't operate in ARIN's highly-litigious region, it
   is not necessarily a similar priority for their consideration).

   To the extent that ARIN offering resource certification services 
   is important to your plans, it would be good to express such needs
   on the arin-discuss mailing list. This helps us gauge the demand
   which obviously is another important factor to be considered in
   making the final determination on offering these services.

   We intend to have more detailed information out later this month
   once the plans are finalized, but I hope the above information
   provides some insight into the process at this point.  I will 
   post this to the NANOG list for the community's information.

Thanks!
/John

John Curran
President and CEO
ARIN

p.s.  I'm presently on a Caribbean cruise ship on a bona fide 
      family vacation, so please recognize that replies may 
      be deferred to off hours so that my laptop isn't thrown 
      overboard... ;-)
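The failure mode John describes (a ROA carrying the wrong AS number for a customer, and why incorrect data is worse than unavailable data) can be made concrete with a small route origin validation routine. This is an added example, not ARIN's software or anything from the thread; it applies the RFC 6811 rules to constructed ROAs using documentation prefixes and private-use ASNs, which are assumptions for illustration only.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: a prefix, its maxLength and the origin AS it authorizes."""
    prefix: str
    max_length: int
    asn: int


def validate_origin(roas, announced_prefix, origin_asn):
    """Return the RFC 6811 state of one BGP announcement: 'NotFound' if no ROA covers
    the prefix, 'Valid' if a covering ROA names this origin AS and permits this prefix
    length, otherwise 'Invalid'."""
    announced = ipaddress.ip_network(announced_prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"   # unavailable data: routers commonly still accept the route
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"        # incorrect data: a drop-invalids policy discards the route


# Constructed sample data (documentation prefix, private-use ASNs; not real resources).
CUSTOMER_PREFIX = "192.0.2.0/24"
CUSTOMER_ASN = 64496

CORRECT_ROAS = [ROA("192.0.2.0/24", 24, 64496)]
# The error the mail describes: the wrong AS number entered into the customer's ROA.
MISTYPED_ROAS = [ROA("192.0.2.0/24", 24, 64497)]
# A second data-entry error: maxLength too short for the /24 the customer announces.
TOO_SHORT_MAXLEN_ROAS = [ROA("192.0.2.0/23", 23, 64496)]
NO_ROAS = []

if __name__ == "__main__":
    cases = [("correct ROA", CORRECT_ROAS), ("mistyped ASN", MISTYPED_ROAS),
             ("maxLength 23", TOO_SHORT_MAXLEN_ROAS), ("no ROA published", NO_ROAS)]
    for label, roas in cases:
        print(f"{label:18} -> {validate_origin(roas, CUSTOMER_PREFIX, CUSTOMER_ASN)}")
```

With no ROA the announcement is merely NotFound, but a ROA with the wrong ASN flips the customer's own route to Invalid, which is exactly the kind of outcome an operator might later ask the certification provider to account for.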