[arin-ppml] Revisit RPKI TAL Relying Party Agreement?
job at ntt.net
Mon Jan 30 15:14:00 EST 2017
On Mon, Jan 30, 2017 at 07:49:57PM +0000, John Curran wrote:
> > On 30 Jan 2017, at 3:42 AM, Job Snijders <job at ntt.net> wrote:
> > What stands out to me is that (as example) the RIPE NCC RPKI Validator
> > ships with materials from all the RIRs, except ARIN. The RPKI Validator
> > is a commonly used software package to interact with the RPKI.
> > https://github.com/RIPE-NCC/rpki-validator/tree/master/rpki-validator-app/conf/tal
> > (notice that LACNIC, AfriNIC, APNIC, RIPE NCC are all there)
> > As such, the RPKI Validator (out of the box) is not complete. I
> > attribute this to ARIN's RPA. This phenomenon puts a burden on every
> > organisation wishing to use RPKI.
> > I view this as a shortcoming of the ecosystem and detrimental to our
> > efforts to maintain a secure routing system.
> > Of course any party can read the RPA and (if they agree) download the
> > ARIN TAL and add it to their RPKI Validator installation, but I strongly
> > prefer an ecosystem which out-of-the-box is operating in a secure mode.
> > I'd argue that ARIN has an obligation to its members to make these
> > materials unencumbered by legal constraints and freely available to
> > anyone.
> Job -
> In order to better understand your request regarding the differences
> between ARIN and the other RIR’s re how the TAL is made available, I
> need to inquire about your assertion that ARIN should "make these
> materials unencumbered by legal constraints and freely available to
> Is it your belief that other RIRs presently make these materials
> available without legal constraints?
No. Though I see room for improvement outside the ARIN region,
discussing that would perhaps seem out of scope for this mailing list.
> Is it the presence of legal constraints that is the concern, or the
> fact that ARIN requires explicit downloading (and thus awareness of
> this fact) that is the issue?
Both are a concern. Please note that I am not advocating that all legal
constraints should be lifted, for me it's the results that matter: at
this point in time it appears that ARIN's TAL is not bundled with common
RPKI tools, and that to me is a problem.
Having said that, the ICANN/IANA approach of making the relevant public
key materials freely available, without agreements or other barriers,
has my preference.
> Note that we did streamline access to the TAL recently (by making it
> a simple download from the web rather than requiring explicit
> agreement acceptance and download via email link); in this manner,
> getting ARIN’s TAL should not be much more difficult than obtaining
> the typical software library.
The typical software library can be downloaded from thousands of
mirrors, or obtained by ordering a DVD containing a full software
distribution. Also, the typical software package is not subject to
ARIN's RPA. It is my desire to be able to treat any of the RPKI TALs as
a "typical software library".
We seek to reduce friction down to the point of:
`sudo apt-get install -y arin-rpki-magic`,
or that the RIPE NCC RPKI Validator can add the TAL directly to its
source code repository.
Is this something you can commit to helping transpire?