[arin-ppml] RPKI Relying Agreement

David Huberman David.Huberman at microsoft.com
Thu Dec 4 11:24:59 EST 2014

The problem is straightforward, I think:

If I spend the time to integrate route origination validation into my routing system (programming values into the actual configs), and for whatever reason:

- ARIN terminates my RPA, as the RPA allows ARIN to do; or
- ARIN's general RPKI framework is unavailable

... my routing decisions are affected and breakage happens.

ARIN needs to rep and warranty that the service will be up, and that the agreement will not be terminated without significant cause and lengthy notice.

David R Huberman
Microsoft Corporation
Principal, Global IP Addressing

From: John Curran <jcurran at arin.net>
Sent: Thursday, December 4, 2014 7:59:31 AM
To: David Huberman
Cc: Andrew Gallo; ARIN-PPML at arin.net
Subject: Re: [arin-ppml] RPKI Relying Agreement

On Dec 4, 2014, at 10:51 AM, David Huberman <David.Huberman at microsoft.com> wrote:
> Numerous members of the security and network engineering community and I have discussed this over the last 12 months, and the RPA is a show stopper for some of us.  Paragraphs 3 and 4 are the key. It's one way warranties (you -> ARIN), just like the RSA.
> It's thorny because if you put yourself in ARIN's shoes for a moment, you have to balance the risk of bankrupting the company with the responsibility of being a trust anchor.   Unfortunately, like many ARIN legal postures, the unwillingness to take on any risk at all is problematic.

Actually, the terms regarding indemnification and warranty disclaimer are nearly
identical to those contained in the other RIRs' RPKI agreements; are those also
problematic, or is the difficulty principally that ARIN makes agreeing to the
terms explicit rather than implicit?


John Curran
President and CEO
