In case people would like to compare notes to the way this is arranged in the RIPE NCC service region, here is the Resource Certification for non-RIPE NCC Members policy which has been in place since 2013: https://www.ripe.net/publications/docs/ripe-596 This resulted in the implementation documented here: https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/resource-c... It essentially means that Provider Independent End Users and Legacy End Users can log into the RIPE NCC equivalent of ARIN Online and *only* manage RPKI, without having access to any other options. -Alex
On 13 Apr 2022, at 06:56, John Curran <jcurran@arin.net> wrote:
On 12 Apr 2022, at 11:38 PM, Doug Barton <dougb@dougbarton.us> wrote:
On 4/6/22 10:55 AM, John Curran wrote:
Interesting philosophy - historically ARIN customers have asked for simplicity in the relationship; i.e. a single fee that encompasses all of the services - in this way, an organization can utilize something without having to “get new approval” and there’s no financial or service disincentive for deployment of IPv6, IRR, RPKI, etc. Feel free to propose an alternative structure if you think it makes sense - the suggestion process would be a good step (but feel free to run for the ARIN Board of Trustees if you want to really advocate for a different approach.)
John,
I think you raise an interesting point here. From an outside perspective it seems to me that ARIN is using RPKI participation as leverage to get legacy space holders to sign an LRSA. You have mentioned in past messages that this is at least in part based on the desire to recover costs related to providing that service. So let's look creatively at the cost issue.
Taking that claim at face value, I wonder if it's possible for ARIN to compromise slightly here, in the interest of encouraging the adoption of RPKI to the benefit of the Internet community. My suggestion is to open participation in RPKI to anyone with legacy space who is paying ARIN a fee for service, regardless of LRSA status.
Someone else mentioned creating a lightweight agreement for legacy space holders who want RPKI, which I think is a good idea. I'm not up on the current contents of the LRSA, but I imagine that there is an indemnification clause. I would be surprised if your lawyers didn't want that for the situation I'm proposing as well. Being lawyers, I imagine that they can come up with other things too. :) But given that you're already contracting with these parties for other services, a "rider" for RPKI should be easily accomplished.
Doug, we’re not contracting with these parties to provide any other services…i.e. there’s nothing to "add a rider to”. (Those who have any registration services agreement with ARIN already have access to all services incl. RPKI)
Based on feedback received over the years, we’ve revised the terms of RSA and LRSA several times to provide for friendlier terms and conditions - at this point they’re actually the same agreement (See https://www.arin.net/vault/announcements/2015/20151007.html)
We remain open to suggestions for improving the registration services agreement for all of ARIN’s customers – if the community comes up with further changes, we can incorporate (but that will need to be per a member vote since we also, per community request, locked down the agreement so it couldn’t be unilaterally changed by the ARIN.)
ARIN’s RSA is structured appropriately for a not-for-profit membership organization in which members have open participation and governance mechanisms that help them shape the services, policies and fees that will be provided. If one looks at the RSA expecting it to be a commercial services agreement (e.g., such as one would receive for domain name hosting) then indeed it is quite different, but that’s because the RiRs are structured as five cooperating not-for-profit membership organizations that instantiate the cooperation within the network operator community for a globally unique Internet number registry, with agreements that have everyone joining the registry system for that purpose. This works extremely well and meets the expectations of many of the registry customers globally – but such a model doesn’t align with the expectations voiced by some legacy resource holders.
I also would like to see RPKI more widely deployed, and happy to work on making the RSA “more lightweight” for all ARIN customers to the extent possible, but that requires clearly articulated feedback on changes that need to be made, including the reasoning. Those with legacy resources have been receiving free basic services for nearly 25 years, and even now have a very favorable cap on their annual ARIN fees if they do enter into an RSA – i.e., there are incentives in place, and the situation for a legacy resource holder who signed an RSA is actually more favorable than the 15000+ other ARIN customers who don’t receive the more favorable terms.
The good news is that this is ultimately in the hands of the ARIN membership, so engagement with that community on further desired changes for legacy resource holders is the best path forward.
Thanks, /John
John Curran President and CEO American Registry for Internet Numbers