Dear all, For many years now, the publication of ARIN's cryptographic RPKI materials has been a point of contention. See [1], [2], [3], and [4] as examples of the ongoing discussion.
Third parties who wish to validate BGP route announcements to protect their ARIN-region-based customers and partners, or to use RPKI data in provisioning processes (such as prefix-filters generation), must (implicitly) agree to the "Relying Party Agreement". >From https://www.arin.net/resources/rpki/tal.html: "ARIN publishes all Certificates, Certificate Revocation Lists (CRLs), and RPKI-signed objects in its Resource Public Key Infrastructure (RPKI) Repository. The ARIN Repository is available to anyone under the terms and conditions in the Relying Party Agreement." These materials are intended to be used by both ARIN members as well as non-ARIN affiliated organisations (who might not even have a presence in the ARIN region). What stands out to me is that (as example) the RIPE NCC RPKI Validator ships with materials from all the RIRs, except ARIN. The RPKI Validator is a commonly used software package to interact with the RPKI. https://github.com/RIPE-NCC/rpki-validator/tree/master/rpki-validator-app/conf/tal (notice that LACNIC, AfriNIC, APNIC, RIPE NCC are all there) As such, the RPKI Validator (out of the box) is not complete. I attribute this to ARIN's RPA. This phenomenon puts a burden on every organisation wishing to use RPKI. I view this as a shortcoming of the ecosystem and detrimental to our efforts maintain a secure routing system. Of course any party can read the RPA and (if they agree) download the ARIN TAL and add it to their RPKI Validator installation, but I strongly prefer an ecosystem which out-of-the-box is operating in a secure mode. I'd argue that ARIN has an obligation to its members to make these materials unencumbered by legal constraints and freely available to anyone. A comparison can be drawn with DNSSEC: ICANN (through the IANA) go above and beyond to publish the DNSSEC materials required for validation, and ensure distribution as widely as possible: https://www.iana.org/dnssec/files The strategy is described here: http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html Note that there is no mention of "Agreement" or "Indemnification". Imagine DNSSEC without trivial availability of public keys: it wouldn't work. I'd like to request that we revisit the topic of the RPKI TAL Relying Party Agreement, with the goal to make these cryptographic materials freely available in such a way that they can be bundled with software distributions. When ARIN's TAL can be bundled freely, I anticipate more innovation in the secure routing problem space. RPKI can play a significant role in not only as a defense mechanism, but also as part of provisioning processes. Unlimited distribution of the RPKI TALs is key. I consider the limited availability of the ARIN TAL a showstopper for global RPKI deployment. Kind regards, Job Snijders [1]: http://seclists.org/nanog/2016/Feb/84 [2]: http://seclists.org/nanog/2014/Dec/77 [3]: http://packetpushers.net/rpki-bgp-security-hammpered-legal-agreement/ [4]: http://markmail.org/message/ycbijxzgw24je5zn _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List ([email protected]). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/arin-ppml Please contact [email protected] if you experience any issues.
