On Tue, Aug 13, 2019 at 5:44 PM John Curran <jcurran@arin.net> wrote:
On 13 Aug 2019, at 9:28 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
... The last time I looked, RPKI adoption was sitting at around a grand total of 15% worldwide. Ah yes, here it is...
I've asked many people and many companies why adoption remains so low, and why their own companies aren't doing RPKI. I've gotten the usual assortment of utterly lame excuses, but the one that I have had the hardest time trying to counter is the one where a network engineer says to me "Well, ya know, we were GOING to do that, but then ARIN... unlike the other four regional authorities... demanded that we sign some silly thing indemnifying them in case of.... something."
Interestingly enough, those same indemnification clauses are in the registration services agreement that they already signed, but apparently they were not an issue at all when requesting IP address space or receiving a transfer. You might want to ask them why they are now a problem when they weren’t before. (Also worth noting that many of these ISPs' own contracts with their customers have rather similar indemnification clauses.)
Hi John,
There are things companies will sign when their backs are up against the wall that they will balk at signing when it is for an optional geek-ish extra.
IP addresses are the lifeblood of the tech industry. If you don't have an IP address, you don't exist on the Internet. (Apologies to those of us who still have modems configured to call and retrieve mail addressed with UUCP bang paths). So, companies will grudgingly and with much hand-wringing sign the RSA necessary to get IP space. Without, they die.
Rather like oxygen; if we had to sign a license agreement in order to receive air to breathe, you'd find most people would sign pretty horrific terms of service agreements. Slip those same terms in front of someone as a requirement for them to buy beer, and you'll likely discover a whole lot of people are just fine drinking something else instead.
So too with the RSA terms versus the RPKI terms. As companies, we can't survive without IP addresses. We'll sign just about anything to stay alive. RPKI is a geek toy. It's not at all required for a business to stay alive on the Internet, so companies feel much safer in saying "no way will we sign that!".
Now, at the risk of bringing down the ire of the community on my head...ARIN could consider tying the elements together, at least for ARIN members. Add the RPKI terms into the RSA document. You need IP number resources, congratulations, once you sign the RSA, you're covered for RPKI purposes as well.
That doesn't solve the issue for out-of-region folks who don't have an RSA with ARIN; but that's no worse than you are today; and by bundling the RPKI terms in with the rest of the RSA, you at least get everyone in the ARIN region that wants^Wneeds to maintain their IP number resources in order to stay in business on the Internet covered in terms of being able to use the RPKI data.
If you've got them by the short and curlies already, might as well bundle everything in while they've got the pen in their hand.
^_^;
Even so, we at ARIN are in the midst of a Board-directed review of the RPKI legal framework to see if any improvements can be made <https://www.arin.net/vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rpki.pdf> – I will provide further updates once it is completed.
Best of luck! I know we'll all be watching carefully to see how it goes. :)
Matt
Thanks!
/John
John Curran
President and CEO
American Registry for Internet Numbers