On Jan 29, 2011, at 10:26 AM, Alex Band wrote:
> John,
> 
> Thanks for the update. With regards to offering a hosted solution, as you 
> know that is the only thing the RIPE NCC currently offers. We're developing 
> support for the up/down protocol as I write this.

Alex - Yes, congrats on rolling out that offering!  Also, I wish the folks at 
the very best on the up/down protocol work, since (as you're likely aware) ARIN 
is planning to leverage that effort in our up/down service development.  :-)

> I realize a hosted solution is not ideal, we're very open about that. But at 
> least in our region, it seems there are quite a number of organizations who 
> understand and accept the security trade-off of not being the owner of the 
> private key for their resource certificate and trust their RIR to run a 
> properly secured and audited service. So the question is, if the RIPE NCC 
> would have required everyone to run their own certification setup using the 
> open source tool-sets Randy mentions, would there be this much certified 
> address space now?

For many organizations, a hosted service offers the convenience that would make 
deployment likely.  The challenge that ARIN faces isn't with respect to whether 
our community trusts us to run a properly secured and audited service, but the 
potential implied liability to ARIN if a party alleges that the hosted service 
performs incorrectly.  It is rather challenging to show that a "relying party" 
is legally bound to the terms of service in a certificate practices statement, 
and this means that there are significant risks in offering the service 
(even with it performing perfectly), since many of the normal contractual 
protections are not available.

Imagine an organization that incorrectly enters its AS number during a ROA 
generation, and succeeds in taking itself off the air for a prolonged period. 
Depending on the damages the organization suffered as a result, it may want to 
claim that ARIN's Hosted RPKI system performed "incorrectly", as may those 
folks who were impacted by not being able to reach the organization.  While 
ARIN's hosted system would be performing perfectly, the risk and costs to the 
organization in trying to defend against such (spurious) claims could be very 
serious.  Ultimately, the ARIN Board needs to weigh such matters of benefit and 
risk in full against the mission and determine the appropriate direction.

> Looking at the depletion of IPv4 address space, it's going to be crucially 
> important to have validatable proof who is the legitimate holder of Internet 
> resources. I fear that by not offering a hosted certification solution, real 
> world adoption rates will rival those of IPv6 and DNSSEC. Can the Internet 
> community afford that?


The RPKI information regarding the valid address holder is effectively the same 
as that contained in WHOIS, so readily available evidence of the resource holder 
is available today.  Parties already use information from the RIRs from WHOIS and 
routing registries to do various forms of resource & route validation; resource 
certification simply provides a clearer, more secure & more consistent model 
for this information.  I'm not saying that resource certification isn't 
important, but I do not think that characterizing its need as crucial 
specifically due to IPv4 depletion is the complete picture.

ARIN recognizes the importance of resource certification and hence its 
commitment to supporting resource certification for resources in the region via 
the Up/Down protocol. There is not a decision on a hosted RPKI offer at this time, 
but that is because we want to be able to discuss the benefits and risks with 
the community at our upcoming April meeting to make sure there is significant 
demand for service as well as appropriate mechanisms for safely managing the 
risks involved.  I hope this clarifies the update message that I sent out 
earlier, and provides some insight into the considerations that have led ARIN's 
position on resource certification.

Thanks!
/John

John Curran
President and CEO
ARIN
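The mistyped-ROA scenario John describes above, worked through as an added example (not code from the thread or from any RIR's system): route origin validation per RFC 6811 run over constructed ROAs and BGP announcements. The prefix 203.0.113.0/24 and AS numbers 64500/64501 are constructed documentation values.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload: prefix, maxLength and authorized origin AS."""
    prefix: str
    max_length: int
    asn: int


def covers(roa: ROA, prefix: str) -> bool:
    """A ROA covers an announcement if the announced prefix is within the ROA prefix."""
    r, p = ip_network(roa.prefix), ip_network(prefix)
    return r.version == p.version and p.subnet_of(r)


def validate(roas: list[ROA], prefix: str, origin_asn: int) -> str:
    """RFC 6811 origin validation state for one announcement.

    NotFound: no ROA covers the prefix (routers generally still accept it).
    Valid:    a covering ROA lists this origin AS and the announced length
              does not exceed its maxLength (AS 0 ROAs never match).
    Invalid:  covered, but no ROA authorizes this origin/length.
    """
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "NotFound"
    length = ip_network(prefix).prefixlen
    for r in covering:
        if r.asn != 0 and r.asn == origin_asn and length <= r.max_length:
            return "Valid"
    return "Invalid"


# Constructed scenario: the holder of 203.0.113.0/24 originates it from AS 64500.
ANNOUNCEMENT = ("203.0.113.0/24", 64500)
CORRECT_ROA = [ROA("203.0.113.0/24", 24, 64500)]
MISTYPED_ROA = [ROA("203.0.113.0/24", 24, 64501)]   # fat-fingered AS number


def scenario() -> dict:
    """States for the same announcement before a ROA, with a correct one, and with the typo."""
    return {
        "no_roa": validate([], *ANNOUNCEMENT),
        "correct": validate(CORRECT_ROA, *ANNOUNCEMENT),
        "mistyped": validate(MISTYPED_ROA, *ANNOUNCEMENT),
    }
```

With the mistyped ROA the organization's own route becomes Invalid, so any network that drops Invalid routes stops reaching it, while the hosted system that published exactly what was entered has done nothing wrong.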

