[arin-ppml] RPKI Relying Agreement

William Herrin bill at herrin.us
Fri Dec 5 15:09:49 EST 2014


On Thu, Dec 4, 2014 at 2:56 PM, John Curran <jcurran at arin.net> wrote:
> On Dec 4, 2014, at 2:43 PM, William Herrin <bill at herrin.us> wrote:
> On Thu, Dec 4, 2014 at 1:53 PM, John Curran <jcurran at arin.net> wrote:
> >   Parties are likely to use RPKI services such that (as someone put
> >   it recently) - "routing decisions are affected and breakage happens"
> >
> >   While such impacts could happen with whois, parties would have to
> >   create the linkages themselves, whereas with RPKI it is recognized
> >   that the system is designed to provide information for influencing of
> >   routing decisions (a major difference, and one that a judge could be
> >   made to recognize if some service provider has a prolonged outage
> >   due to their own self-inflicted Whois data wrangling into routing
> >   filters.)
>
> So along the risk line with whois at one end and spam RBLs at the other,
> RPKI sounds almost identical to the risk of deploying DNSSEC. Or am I
> missing something that makes RPKI more risky?
>
>
> Bill -
>
>     You asked for a comparison between whois and RPKI in terms of
>     risk profile and I provided that.   ARIN doesn’t run spam RBLs, but
>     you can seek out those who do and ask them why they think that
>     may be more risky than RPKI services, if you so wish.
>

Hi John,

Yes, I did, and thank you for the explanation. I guess what I'm looking for
-now- is a sanity-check on what I presume is counsel's advice that
publishing the relying party information absent a contract is too high risk
for ARIN to undertake.

From my perspective, we're looking at one of two possibilities here:

1. The risk is overblown, ARIN counsel's version of "This product not
intended for use as a dental drill." That means: go tell counsel to give
you the best options available with publication to anonymous recipients as
a core requirement.

2. The risk is correctly assessed. McDonald's scalding coffee just waiting
for someone to get burned. Best guess, that means abandon RPKI altogether,
seek legislation protecting the publishers of RPKI data or cede the
function to a separate organization capable of managing the risk.

Which is it? Need a sanity check. That means finding precedent: some kind
of general publication comparable to RPKI relying party data which has been
around long enough to build up a record of litigation.


Candidate comparable: SPAM RBL. Publishes data indicating sources of
unsolicited bulk mail. Intentionally results in denial of service for those
sources. Have been sued. Mixed success for the litigants.  Comparable to
RPKI? Why or why not?

Candidate comparable: DNSSEC. Publishes data which identifies authentic
name to IP address lookups. Failure to use correctly results in the
effective failure of the affected service until the error is resolved.  No
record of any suit. Comparable to RPKI? Why or why not?

Candidate comparable: Passive hosting of third party content. Section 230
of the Communications Decency Act confers broad immunity to liability for
such publication regardless of the nature of the information published.
Some suits. Generally not successful. Comparable to RPKI? Why or why not?

Am I making sense?


Regards,
Bill Herrin



--
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
May I solve your unusual networking challenges?