On 1 Oct 2018, at 9:44 AM, Nick Hilliard <nick@foobar.org> wrote:

> John Curran wrote on 01/10/2018 00:21:
>> There are likely some on the nanog mailing list who have a view on this matter, so I pose the question of "who should be responsible" for consequences of RPKI RIR CA failure to this list for further discussion.
>
> other replies in this thread have assumed that RPKI CA failure modes are restricted to loss of availability, but there are other failure modes, for example:
>
> - fraud: rogue CA employee / external threat actor signs ROAs illegitimately
> - negligence: CA accidentally signs illegitimate ROAs due to e.g. software bug
> - force majeure: e.g. court orders CA to sign prefix with AS0, complicated by NIR RPKI delegation in jurisdictions which may have difficult relations with other parts of the world.
Nick - Agreed… My question was specific to liability consequential to an operational outage of an RIR CA, since the community’s view of the proper allocation of liability from loss of availability will significantly shape the necessary legalities. (Liability from fraud or gross negligence is unlikely to respect such terms in any case)
> Otherwise, as other people have pointed out, catastrophic systems failure at the CA is designed to be fail-safe. I.e. if the CA goes away, ROAs will be evaluated as "unknown" and life will continue on. If people misconfigure their networks and do silly things with this specific failure mode, that's their problem.
One would expect as much (i.e. it's their problem for networks doing silly things), but we've heard some folks suggest it should be the RIR's problem (given the RIR CA's role in triggering events by going unavailable).

Thanks!
/John

John Curran
President and CEO
ARIN
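As an added illustration of the fail-safe behaviour discussed above and of the AS0 case in the failure-mode list (example code, not from anyone in the thread): RFC 6811 route origin validation over a constructed set of validated ROA payloads (VRPs), plus a policy helper showing that rejecting only "invalid" keeps routes when the CA's data disappears, while also rejecting "not-found" drops them. The prefixes and AS numbers are documentation ranges, and the VRP set is constructed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VRP:
    """One validated ROA payload: prefix, maxLength and authorised origin AS."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"

# Constructed VRP set. The last entry models the "court orders CA to sign
# prefix with AS0" case: an AS0 ROA authorises no origin at all.
VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64496),
    VRP(ipaddress.ip_network("198.51.100.0/24"), 24, 0),
]

def validate(route_prefix: str, origin_asn: int, vrps) -> str:
    """RFC 6811 origin validation of one announcement against a VRP set."""
    route = ipaddress.ip_network(route_prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:                      # no ROA covers this space (or CA gone)
        return NOT_FOUND
    for v in covering:                    # any one matching VRP makes it valid
        if v.asn == origin_asn and v.asn != 0 and route.prefixlen <= v.max_length:
            return VALID
    return INVALID                        # covered, but no VRP authorises it

def accept(route_prefix: str, origin_asn: int, vrps, reject_not_found=False) -> bool:
    """Import policy. Rejecting NOT_FOUND turns a CA outage into a full outage."""
    state = validate(route_prefix, origin_asn, vrps)
    if state == INVALID:
        return False
    return not (state == NOT_FOUND and reject_not_found)

if __name__ == "__main__":
    ca_gone: list[VRP] = []               # validator cache after the CA vanishes
    print(validate("192.0.2.0/24", 64496, VRPS), validate("192.0.2.0/24", 64496, ca_gone))
    print(accept("192.0.2.0/24", 64496, ca_gone), accept("192.0.2.0/24", 64496, ca_gone, True))
```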