nanog mailing list archives

Re: A way that ARIN can help encourage RPKI adoption


From: Alex Band <alex () nlnetlabs nl>
Date: Wed, 13 Apr 2022 11:16:30 +0200

In case people would like to compare notes to the way this is arranged in the RIPE NCC service region, here is the 
Resource Certification for non-RIPE NCC Members policy which has been in place since 2013:

https://www.ripe.net/publications/docs/ripe-596

This resulted in the implementation documented here:

https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/resource-certification-rpki-for-provider-independent-end-users

It essentially means that Provider Independent End Users and Legacy End Users can log into the RIPE NCC equivalent of 
ARIN Online and *only* manage RPKI, without having access to any other options.

-Alex


On 13 Apr 2022, at 06:56, John Curran <jcurran () arin net> wrote:


On 12 Apr 2022, at 11:38 PM, Doug Barton <dougb () dougbarton us> wrote:

On 4/6/22 10:55 AM, John Curran wrote:
Interesting philosophy - historically ARIN customers have asked for simplicity in the relationship; i.e. a single 
fee that encompasses all of the services - in this way, an organization can utilize something without having to 
“get new approval” and there’s no financial or service disincentive for deployment of IPv6, IRR, RPKI, etc.
Feel free to propose an alternative structure if you think it makes sense - the suggestion process would be a good 
step (but feel free to run for the ARIN Board of Trustees if you want to really advocate for a different approach.)

John,

I think you raise an interesting point here. From an outside perspective it seems to me that ARIN is using RPKI 
participation as leverage to get legacy space holders to sign an LRSA. You have mentioned in past messages that this 
is at least in part based on the desire to recover costs related to providing that service. So let's look creatively 
at the cost issue.

Taking that claim at face value, I wonder if it's possible for ARIN to compromise slightly here, in the interest of 
encouraging the adoption of RPKI to the benefit of the Internet community. My suggestion is to open participation in 
RPKI to anyone with legacy space who is paying ARIN a fee for service, regardless of LRSA status.

Someone else mentioned creating a lightweight agreement for legacy space holders who want RPKI, which I think is a 
good idea. I'm not up on the current contents of the LRSA, but I imagine that there is an indemnification clause. I 
would be surprised if your lawyers didn't want that for the situation I'm proposing as well. Being lawyers, I 
imagine that they can come up with other things too. :) But given that you're already contracting with these parties 
for other services, a "rider" for RPKI should be easily accomplished.

Doug, we’re not contracting with these parties to provide any other services…i.e. there’s nothing to “add a rider to”.
(Those who have any registration services agreement with ARIN already have access to all services incl. RPKI) 

Based on feedback received over the years, we’ve revised the terms of RSA and LRSA several times to provide for 
friendlier terms and conditions - at this point they’re actually the same agreement (See 
https://www.arin.net/vault/announcements/2015/20151007.html) 

We remain open to suggestions for improving the registration services agreement for all of ARIN’s customers – if the 
community comes up with further changes, we can incorporate (but that will need to be per a member vote since we 
also, per community request, locked down the agreement so it couldn’t be unilaterally changed by ARIN.)

ARIN’s RSA is structured appropriately for a not-for-profit membership organization in which members have open 
participation and governance mechanisms that help them shape the services, policies and fees that will be provided. 
If one looks at the RSA expecting it to be a commercial services agreement (e.g., such as one would receive for 
domain name hosting) then indeed it is quite different, but that’s because the RIRs are structured as five
cooperating not-for-profit membership organizations that instantiate the cooperation within the network operator 
community for a globally unique Internet number registry, with agreements that have everyone joining the registry 
system for that purpose. This works extremely well and meets the expectations of many of the registry customers 
globally – but such a model doesn’t align with the expectations voiced by some legacy resource holders. 

I also would like to see RPKI more widely deployed, and am happy to work on making the RSA “more lightweight” for all
ARIN customers to the extent possible, but that requires clearly articulated feedback on changes that need to be 
made, including the reasoning. Those with legacy resources have been receiving free basic services for nearly 25 
years, and even now have a very favorable cap on their annual ARIN fees if they do enter into an RSA – i.e., there 
are incentives in place, and the situation for a legacy resource holder who signed an RSA is actually more favorable 
than the 15000+ other ARIN customers who don’t receive the more favorable terms. 

The good news is that this is ultimately in the hands of the ARIN membership, so engagement with that community on 
further desired changes for legacy resource holders is the best path forward. 

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

