nanog mailing list archives

Re: [arin-announce] ARIN Resource Certification Update


From: John Curran <jcurran () arin net>
Date: Sat, 29 Jan 2011 16:35:50 +0000

On Jan 29, 2011, at 10:26 AM, Alex Band wrote:
> John,
>
> Thanks for the update. With regards to offering a hosted solution, as you know that is the only thing the RIPE NCC 
> currently offers. We're developing support for the up/down protocol as I write this.

Alex - Yes, congrats on rolling out that offering!  Also, I wish the folks at the very best on the up/down protocol 
work, since (as you're likely aware) ARIN is planning to leverage that effort in our up/down service development.  :-)

> I realize a hosted solution is not ideal, we're very open about that. But at least in our region, it seems there are 
> quite a number of organizations who understand and accept the security trade-off of not being the owner of the 
> private key for their resource certificate and trust their RIR to run a properly secured and audited service. So the 
> question is, if the RIPE NCC would have required everyone to run their own certification setup using the open source 
> tool-sets Randy mentions, would there be this much certified address space now?

For many organizations, a hosted service offers the convenience that would make deployment likely.  The challenge that 
ARIN faces isn't with respect to whether our community trusts us to run a properly secured and audited service, but the 
potential implied liability to ARIN if a party alleges that the hosted service performs incorrectly.  It is rather 
challenging to show that a "relying party" is legally bound to the terms of service in a certificate practices statement, 
and this means that there are significant risks in offering the service (even with it performing perfectly), since 
much of the normal contractual protections are not available.

Imagine an organization that incorrectly enters its AS number during a ROA generation, and succeeds in taking itself 
off the air for a prolonged period.  Depending on the damages the organization suffered as a result, it may want to 
claim that ARIN's Hosted RPKI system performed "incorrectly", as may those folks who were impacted by not being able to 
reach the organization.  While ARIN's hosted system would be performing perfectly, the risk and costs to the 
organization in trying to defend against such (spurious) claims could be very serious.  Ultimately, the ARIN Board 
needs to weigh such matters of benefit and risk in full against the mission and determine the appropriate direction.

> Looking at the depletion of IPv4 address space, it's going to be crucially important to have validatable proof of who is 
> the legitimate holder of Internet resources. I fear that by not offering a hosted certification solution, real world 
> adoption rates will rival those of IPv6 and DNSSEC. Can the Internet community afford that?


The RPKI information regarding valid address holder is effectively the same as that contained in the WHOIS, so readily 
available evidence of resource holder is available today.  Parties already use information from the RIRs from WHOIS and 
routing registries to do various forms of resource & route validation; resource certification simply provides a 
clearer, more secure & more consistent model for this information.  I'm not saying that resource certification isn't 
important, but I do not think that characterizing its need as crucial specifically due to IPv4 depletion is the complete 
picture.  

ARIN recognizes the importance of resource certification and hence its commitment to supporting resource certification 
for resources in the region via Up/Down protocol. There is not a decision on a hosted RPKI offer at this time, but that 
is because we want to be able to discuss the benefits and risks with the community at our upcoming April meeting to 
make sure there is significant demand for service as well as appropriate mechanisms for safely managing the risks 
involved.  I hope this clarifies the update message that I sent out earlier, and provides some insight into the 
considerations that have led to ARIN's position on resource certification.

Thanks!
/John

John Curran
President and CEO
ARIN


