[arin-ppml] Revisit RPKI TAL Relying Party Agreement?

Job Snijders job at ntt.net
Mon Jan 30 15:14:00 EST 2017

Dear John,

On Mon, Jan 30, 2017 at 07:49:57PM +0000, John Curran wrote:
> > On 30 Jan 2017, at 3:42 AM, Job Snijders <job at ntt.net<mailto:job at ntt.net>> wrote:
> > 
> > What stands out to me is that (as example) the RIPE NCC RPKI Validator
> > ships with materials from all the RIRs, except ARIN. The RPKI Validator
> > is a commonly used software package to interact with the RPKI.
> > 
> >    https://github.com/RIPE-NCC/rpki-validator/tree/master/rpki-validator-app/conf/tal
> >    (notice that LACNIC, AfriNIC, APNIC, RIPE NCC are all there)
> > 
> > As such, the RPKI Validator (out of the box) is not complete. I
> > attribute this to ARIN's RPA. This phenomenon puts a burden on every
> > organisation wishing to use RPKI.
> > 
> > I view this as a shortcoming of the ecosystem and detrimental to our
> > efforts maintain a secure routing system.
> > 
> > Of course any party can read the RPA and (if they agree) download the
> > ARIN TAL and add it to their RPKI Validator installation, but I strongly
> > prefer an ecosystem which out-of-the-box is operating in a secure mode.
> > I'd argue that ARIN has an obligation to its members to make these
> > materials unencumbered by legal constraints and freely available to
> > anyone.
> > 
> Job -
> In order to better understand your request regarding the differences
> between ARIN and the other RIR’s re how the TAL is made available, I
> need to inquire about your assertion that ARIN should "make these
> materials unencumbered by legal constraints and freely available to
> anyone”
> Is it your belief that other RIRs presently make these materials
> available without legal constraints?

No. Though I see room for improvement outside the ARIN region,
discussing that would perhaps seem out of scope for this mailing list.

> Is it the presence of legal constraints that it is the concern, or the
> fact that ARIN requires explicit downloading (and thus awareness of
> this fact) that is the issue?

Both are a concern. Please note that I am not advocating that all legal
constraints should be lifted, for me its the results that matter: at
this point in time it appears that ARIN's TAL is not bundled with common
RPKI tools, and that to me is a problem.

Having said that, the ICANN/IANA approach of making the relevant public
key materials freely available, without agreements or other barriers,
has my preference.

> Note that wee did streamline access to the TAL recently (by making it
> a simple download from the web rather than requiring explicitly
> agreement acceptance and download via email link); in this manner,
> getting ARIN’s TAL should not be much more difficult then obtaining
> the typical software library.

The typical software library can be downloaded from thousands of
mirrors, or obtained by ordering a DVD containing a full software
distribution. Also, the typical software package is not subject to
ARIN's RPA. It is my desire to be able to treat any of the RPKI TAL's as
a "typical software library".

We seek to reduce friction down to the point of:
    `sudo apt-get install -y arin-rpki-magic`,
or that the RIPE NCC RPKI Validator can add the TAL directly to its
source code repository.

Is this something you can commit to helping transpire?

Kind regards,


More information about the ARIN-PPML mailing list