Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

[John Curran <jcurran () arin net>]

On 14 Aug 2019, at 11:15 AM, Valdis Klētnieks <valdis.kletnieks () vt edu> wrote:
> On Wed, 14 Aug 2019 02:42:09 -0000, John Curran said:
>
> > You might want want to ask them why they are now a problem when they weren’t
> > before (Also worth noting that many of these ISP's own contracts with their
> > customers have rather similar indemnification clauses.)
>
> Actually, it's probably ARIN that should be doing the asking, and seeing if
> they can change the wording and/or rephrase the issue to allay concerns.
>
> It sounds to me like ARIN's *intent* was "if you get sued by your customers because
> you screw the pooch on deployment, it's your screw-up to clean up and not our
> problem". Or at least I *hope* that was the intent (see next paragraph)

That is indeed the intent - please deploy routing validation using best practices, so that you & your customers don’t 
suffer any adverse impact when ARIN's repository is not available.

> But I suspect a lot of companies are reading it as: "If a spammer sues you for using
> a block list that prevents them from spamming your customers, you can't end up
> owing money to the block list maintainers.  But if you rely on the ARIN TAL, and get
> sued by an address hijacker, you could end up owing money to ARIN”.

It’s is not “you owe money to ARIN’, but it could be “you need to defend both yourself and ARIN from your customers’ 
litigation should you get it wrong."

> (Having said that, John, it takes a special sort of CEO to stand out and be seen
> in situations like this, and the world could probably use more CEO's like that…)

<chuckle> fairly easy to do if one has a thick skin… ;-)

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

Attachment: signature.asc
Description: Message signed with OpenPGP