[arin-discuss] Question about the ARIN Relying Party Agreement - RPKI 'everyone must sign' and such...

Jesse D. Geddis jesse at la-broadband.com
Wed Dec 5 17:36:25 EST 2012


As a Hurricane Electric customer? :D You meant employee, of course.

http://www.linkedin.com/in/owendelong

Current Position - 
1. Hurricane Electric
2. ARIN
3. Santa Clara Emergency Wireless Network

Just "keepin' it real"


As far as creating shell companies with the intention of creating empty
vessels to hide liability, it doesn't work. Everyone recognizes it for the
shell game it is and having been involved in enough lawsuits I can say
with experience I've blown through 3 separate shell companies to get to a
fourth in just one filing. Each one with thousands of pages of BS trying
to shield liability from the next.

The answer is to do the job you set out to and do it well. Cases that have
no merit generally don't get past the first request for dismissal.

With that said, I think ARIN should do RPKI. As far as this silly legal
discussion there is much more liability in how open and lax the current
security is as far as mail-from and md5 passwords or whatever ;) ARIN is
already involved. I think we'd be fooling ourselves to say this is somehow
venturing into new territory for ARIN and increasing liability. ARIN
already provides a free RR. This is just added security that is sorely
needed.

-- 
Jesse D. Geddis

LA Broadband LLC
(626) 675-3176
AS 16602




On 12/5/12 11:52 AM, "Owen DeLong" <owen at delong.com> wrote:


On Dec 5, 2012, at 11:36 AM, John Curran <jcurran at arin.net> wrote:

> On Dec 5, 2012, at 1:53 PM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> 
>> oops, I was snip-happy previously... it's probably interesting to note
>> that today some folks depend on (probably a LOT more than expect so)
>> upon the IP infrastructure that is the 'Internet' (manning will jump
>> in here...yes 'the internet') to transact business which is life/death
>> related. I don't think there have been court cases which dragged in IP
>> providers previously for routing problems, or hijacks even, that have
>> affected said services.
> 
> First, those parties are generally under service agreements with ISPs
> which require them effectively to defend, indemnify and hold harmless
> the ISPs for use of the service.  So if a business is unavailable to
> its business partner, the business can't hold its ISP liable, and it
> is highly likely that the business partner has a similar situation
> with its service provider. Neither have a direct relationship with
> the other's ISP, nor receive or make use directly of any information
> or service from the other's ISP.

I, as a Hurricane Electric customer, often depend on services provided
by $OTHER_ISP to reach sites critical to my business. Consider the
following scenario:

$ME <-> $MY_ISP <-> $TRANSIT_ISP_1 <-> $TRANSIT_ISP_2 <-> $OTHER_ISP <-> $WEBSITE

It's possible that I have indemnified $MY_ISP. It's possible that $WEBSITE
has indemnified $OTHER_ISP.

It's very unlikely that either of us has indemnified $TRANSIT_ISP_1 or
$TRANSIT_ISP_2 or has a contract with either of them at all.

I may not be able to hold $MY_ISP liable, but that doesn't necessarily
prevent me from suing any of the other ISPs down the chain. Of that
chain, the only one likely to be indemnified by the $WEBSITE I'm
trying to reach would be $OTHER_ISP.

> Contrast this with RPKI, where ARIN's CA may be depended upon by many
> parties which otherwise have no relationship with ARIN, i.e. the business
> partner who is harmed by RPKI usage by either their own failure or by
> an upstream ISP not following best practices could easily be validating
> routes via information obtained from ARIN's CA. If the business entered
> the wrong AS in a ROA (but denies it after the fact), ARIN could face
> significant legal action just proving that we performed correctly.
> Hence, there is a real need for both system capabilities (in areas
> such as non-repudiation) as well as appropriate legal protections.

I guess the question boils down to this…

1.	Do we want RPKI to get deployed? If so, then we need to accept
	some risks in doing so, because the RPA is likely to be an
	insurmountable barrier to deployment.

2.	Are there alternative ways ARIN could mitigate the risks?
	(e.g. Create a separate corporation that is contracted by
	ARIN to administer the RPKI and CA infrastructures such that
	ARIN as a shareholder is not liable. The corporation would
	not have enough assets to be worth suing.)

Owen
