[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

Owen DeLong owen at delong.com
Wed Dec 5 14:52:54 EST 2012


On Dec 5, 2012, at 11:36 AM, John Curran <jcurran at arin.net> wrote:

> On Dec 5, 2012, at 1:53 PM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> 
>> oops, I was snip-happy previously... it's probably interesting to note
>> that today some folks depend on (probably a LOT more than expect so)
>> upon the IP infrastructure that is the 'Internet' (manning will jump
>> in here...yes 'the internet') to transact business which is life/death
>> related. I don't think there have been court cases which dragged in IP
>> providers previously for routing problems, or hijacks even, that have
>> affected said services.
> 
> First, those parties are generally under service agreements with ISPs
> which require them effectively to defend, indemnify and hold harmless 
> the ISPs for use of the service.  So if a business is unavailable to 
> its business partner, the business can't hold its ISP liable, and it
> is highly likely that the business partner has a similar situation 
> with its service provider. Neither has a direct relationship with
> the other's ISP, nor receive or make use directly of any information
> or service from the other's ISP.

I, as a Hurricane Electric customer, often depend on services provided
by $OTHER_ISP to reach sites critical to my business. Consider the following
scenario:

$ME <-> $MY_ISP <-> $TRANSIT_ISP_1 <-> $TRANSIT_ISP_2 <-> $OTHER_ISP <-> $WEBSITE

It's possible that I have indemnified $MY_ISP. It's possible that $WEBSITE
has indemnified $OTHER_ISP.

It's very unlikely that either of us has indemnified $TRANSIT_ISP_1 or
$TRANSIT_ISP_2 or has a contract with either of them at all.

I may not be able to hold $MY_ISP liable, but that doesn't necessarily
prevent me from suing any of the other ISPs down the chain. Of that
chain, the only one likely to be indemnified by the $WEBSITE I'm
trying to reach would be $OTHER_ISP.

> Contrast this with RPKI, where ARIN's CA may be depended upon by many
> parties which otherwise have no relationship with ARIN, i.e. the business
> partner who is harmed by RPKI usage by either their own failure or by
> an upstream ISP not following best practices could easily be validating
> routes via information obtained from ARIN's CA. If the business entered 
> the wrong AS in a ROA (but denies it after the fact), ARIN could face 
> significant legal action just proving that we performed correctly. Hence, 
> there is a real need for both system capabilities (in areas such as non-
> repudiation) as well as appropriate legal protections.

I guess the question boils down to this…

1.	Do we want RPKI to get deployed? If so, then we need to accept
	some risks in doing so, because the RPA is likely to be an
	insurmountable barrier to deployment.

2.	Are there alternative ways ARIN could mitigate the risks?
	(e.g. Create a separate corporation that is contracted by
	ARIN to administer the RPKI and CA infrastructures such that
	ARIN as a shareholder is not liable. The corporation would
	not have enough assets to be worth suing.)

Owen



