[arin-ppml] ARIN Announces New Relying Party Agreement (RPA) To Spur Use of RPKI

Adam Thompson athompson at merlin.mb.ca
Thu Oct 24 14:43:50 EDT 2019

This makes sense to me.
However, the recent changes ARE still a step in the right direction.  And they may be enough to let me start using RPKI… that’s not 100% clear yet, a more in-depth review needs to happen.

Adam Thompson
Consultant, Infrastructure Services
[[MERLIN LOGO]]<https://www.merlin.mb.ca/>
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athompson at merlin.mb.ca<mailto:athompson at merlin.mb.ca>

From: ARIN-PPML <arin-ppml-bounces at arin.net> On Behalf Of David Farmer
Sent: Monday, October 21, 2019 2:35 PM
To: John Curran <jcurran at arin.net>
Cc: arin-ppml <arin-ppml at arin.net>
Subject: Re: [arin-ppml] ARIN Announces New Relying Party Agreement (RPA) To Spur Use of RPKI


I am encouraged by these changes, however, I don't think they go far enough.

I've been thinking about these issues for a while now, particularly the issue of requiring a valid and binding Relying Party Agreement (RPA) on a global basis. In my opinion, this seems to run counter to at least the spirit of ICP-2. While ICP-2 deals with the formation of new RIR's, it says, "each region should be served by a single RIR."  This seems to strongly imply, that an LIR (ISPs) should only have to contract with or otherwise do business with the RIR(s) for which the LIR operates within the service regions of the RIR(s).

Furthermore, if the other RIR's have similar requirements as ARIN for valid and binding RPAs on a global basis, whether through a formal contract as with ARIN or through terms expressed in the Certificate or Certificate Practice Statement (CPS) this would mean I would need to convince the lawyers at the University of Minnesota that we needed binding contracts with each of the five RIRs. To be honest, I doubt this would be achievable, and ICP-2 seems to imply this should not be necessary as we only operate our network within the ARIN service region. However, even though we only operate a network within the ARIN service region the University of Minnesota has assets around the globe, which makes the risks of contracting with the other RIRs difficult to determine but probably quite sizable.

Further, if it is truly necessary to have binding agreements with each of the RIR's or that all operators globally need to contract with ARIN in order to validate RPKI then I think we need to rethink RPKI or at least rethink how RPKI is currently deployed. Maybe the RIRs need to contract with each other on behalf of their members and resign each other's certificates, so a binging RPA is only necessary with your home RIR, and you only need the TAL of your home RIR to validate ROA's on a global basis.

Thank you.

On Mon, Oct 21, 2019 at 1:01 PM John Curran <jcurran at arin.net<mailto:jcurran at arin.net>> wrote:

Begin forwarded message:

From: ARIN <info at arin.net<mailto:info at arin.net>>
Subject: [arin-announce] ARIN Announces New Relying Party Agreement (RPA) To Spur Use of RPKI
Date: 21 October 2019 at 10:52:40 AM PDT
To: <arin-announce at arin.net<mailto:arin-announce at arin.net>>

Today, ARIN published a new Relying Party Agreement (RPA) for RPKI.

Visit: https://www.arin.net/resources/manage/rpki/rpa.pdf

Background: In response to feedback from the community, ARIN had
previously updated its processes to allow organizations to directly
download our Trust Anchor Locator (TAL) from our website, noting that by
doing so they were agreeing to be bound by the RPA. This was intended to
accommodate and overcome claimed barriers to RPKI adoption.

Visit: https://www.arin.net/resources/manage/rpki/tal/

Today’s new RPA includes modifications to address constructive
suggestions that have been raised by members of the community both
publicly and directly with ARIN. ARIN has included the following changes
in the RPA:

 *  The ability to make available the ARIN RPKI information to any
third party for informational purposes (e.g. reporting, educational,
research, summary or statistical purposes) has been expanded to allow
for distribution in machine-readable formats; and

 *  The RPA’s indemnification clause has been more narrowly scoped to
exclude the indemnification of possible ARIN misconduct.

ARIN has also now made a Redistributor RPA available for qualified
organizations that wish to distribute RPKI-related data for purposes not
covered in this standard RPA, including but not limited to distribution
for real-time routing purposes. Interested organizations should contact
ARIN via the information available on the Trust Anchor Locator page on
our website.

Visit: https://www.arin.net/resources/manage/rpki/rpa_redistributor.pdf

ARIN hopes that these additional changes to the RPA, alongside
simplified access to the TAL, will encourage organizations’ adoption of
RPKI to secure Internet routing.


John Curran
President and CEO
American Registry for Internet Numbers (ARIN)

You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List (ARIN-PPML at arin.net<mailto:ARIN-PPML at arin.net>).
Unsubscribe or manage your mailing list subscription at:
Please contact info at arin.net<mailto:info at arin.net> if you experience any issues.

David Farmer               Email:farmer at umn.edu<mailto:Email%3Afarmer at umn.edu>
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20191024/5ac23a7f/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 2381 bytes
Desc: image001.png
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20191024/5ac23a7f/attachment-0001.png>

More information about the ARIN-PPML mailing list