[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

[John Curran]

On Dec 5, 2012, at 1:53 PM, Christopher Morrow <morrowc.lists at gmail.com> wrote:

> oops, I was snip-happy previously... it's probably interesting to note
> that today some folks depend on (probably a LOT more than expect so)
> upon the IP infrastructure that is the 'Internet' (manning will jump
> in here...yes 'the internet') to transact business which is life/death
> related. I don't think there have been court cases which dragged in IP
> providers previously for routing problems, or hijacks even, that have
> affected said services.

First, those parties are generally under service agreements with ISPs
which require them effectively to defend, indemnify and hold harmless 
the ISPs for use of the service.  So if a business is unavailable to 
its business partner, the business can't hold its ISP liable, and it
is highly likely that the business partner has a similar situation 
with its service provider. Neither have a direct relationship with
the others ISP, not receive or make use directly of any information
or service from the other's ISP.

Contrast this with RPKI, where ARIN's CA may be depended upon by many
parties which otherwise have no relationship with ARIN, i.e. the business
partner who is harmed by RPKI usage by either their own failure or by
an upstream ISP not following best practices could easily be validating
routes via information obtained from ARIN's CA. If the business entered 
the wrong AS in a ROA (but denies it after the fact), ARIN could face 
significant legal action just proving that we performed correctly. Hence, 
there is a real need for both system capabilities (in areas such as non-
repudiation) as well as appropriate legal protections.

FYI,
/John

John Curran
President and CEO
ARIN