ARIN RPKI services terms/conditions - Change to Management of the Trust Anchor Locator for ARIN’s RPKI Service
NANOGers -

Changes in terms and conditions for ARIN's RPKI service – more specifically being changes in ARIN’s Relying Party Agreement terms and related Trust Anchor Locator management approach – see the attached announcement for details.

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers

Begin forwarded message:

From: ARIN <info@arin.net>
Subject: [arin-announce] Change to Management of the Trust Anchor Locator for ARIN’s RPKI Service
Date: 26 September 2022 at 5:24:07 PM EDT
To: arin-announce@arin.net

Effective 26 September 2022, ARIN is changing how we manage the ARIN Trust Anchor Locator (TAL). Users are no longer required to sign the ARIN Relying Party Agreement to redistribute information from ARIN’s Online Resource Certification PKI (“ORCP”) in a machine-readable format for network routing purposes. We are making this modification in response to feedback from the Internet community and in the hope that it will accelerate RPKI deployment in the ARIN region.

We ask that developers of Relying Party software include the ARIN TAL in future releases. We encourage all participants in the RPKI community to download the ARIN TAL and add it to existing validator deployments where previously it has not been included.

The Relying Party Agreement (RPA) has been updated to reflect the changes in the usage of the TAL. The change is the addition of Section 9 “Machine-Readable Format Distribution” to the RPA and the elimination of a separate Redistributor RPA. With this addition, a party to the RPA may make information from the ORCP Services available to third parties in a machine-readable format under certain circumstances.

The updated RPA is available for review:

RPA: https://www.arin.net/resources/manage/rpki/rpa.pdf
RPA Redline: https://www.arin.net/announcements/2022/documents/rpa_092622_redline.pdf

If you have any questions or issues, please email routing.security@arin.net

Regards,

Brad Gorman
Sr. Product Owner, Routing Security
American Registry for Internet Numbers (ARIN)
Hello John,

On Mon, 26 Sept 2022 at 23:48, John Curran <jcurran@arin.net> wrote:
NANOGers -
Changes in terms and conditions for ARIN's RPKI service – more specifically being changes in ARIN’s Relying Party Agreement terms and related Trust Anchor Locator management approach – see the attached announcement for details.
Considering that RP vendors and operators globally are hopefully using the ARIN TAL and not everybody is a native English-speaking lawyer, can we simplify this a little further?

There appears to already be a disparity between different interpretations regarding this change. Here [1] an RP vendor claims "no additional steps are needed to use the @TeamARIN TAL" (just like every other TAL). Somebody else [2] appears to disagree.

The new section 9 appears to mandate that RP software checks to confirm that the user has accepted the RPA (or another agreement with those terms passed through, "at least as protective of ARIN").

So let's put this in pseudocode for RP developers:

Previously, a setup/install helper could ask the user if the ARIN RPA has been agreed to, and in that case, download the ARIN TAL (487 bytes in size as of today).

Now a setup/install helper could ask the user if the ARIN RPA has been agreed to, and in that case, enable the use of the ARIN TAL, which can now be shipped with the product.

Can an RP validator ship and use the ARIN TAL by default, without additional steps and confirmations by the user?

If not, what is the actual benefit of this change, other than the 487-byte download of the TAL file not being necessary any more?

Which issues of the 2019 paper "Lowering Legal Barriers to RPKI Adoption" [3] in your opinion does this change address?

Thank you,
Lukas Tribus

[1] https://twitter.com/routinator3000/status/1574637298838376449
[2] https://twitter.com/sthen_/status/1574704553219571712
[3] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3308619
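The two setup-helper paths Lukas sketches, worked through as an added example (this is not code from the post, from ARIN, or from any validator project): a parser for the RFC 8630 TAL layout (optional `#` comment lines, one or more rsync/https URIs, a blank line, then the Base64 SubjectPublicKeyInfo), a SHA-256 pin over the decoded key so a shipped TAL is checked against what the operator reviewed, and an acceptance gate that leaves a shipped TAL disabled until its terms are recorded as accepted. The TAL text, the `rpki.example.net` URIs and the 5-byte DER blob standing in for a key are all constructed; the real ARIN TAL is not reproduced here.

```python
"""Parse RFC 8630 Trust Anchor Locators, pin their keys, and apply an
acceptance gate before enabling a TAL.  Added example; the TAL below is a
constructed placeholder, not any RIR's real trust anchor."""
import base64
import hashlib
from dataclasses import dataclass, field


@dataclass
class TrustAnchorLocator:
    name: str                 # short label chosen by the validator operator
    uris: list                # rsync:// and/or https:// locations of the TA certificate
    spki_der: bytes           # DER-encoded SubjectPublicKeyInfo of the trust anchor
    comments: list = field(default_factory=list)

    def fingerprint(self) -> str:
        """SHA-256 over the DER SubjectPublicKeyInfo; this is the value a validator pins."""
        return hashlib.sha256(self.spki_der).hexdigest()


def parse_tal(name: str, text: str) -> TrustAnchorLocator:
    """Parse the RFC 8630 layout: optional '#' comment lines, one or more URI
    lines, exactly one blank line, then the Base64 SubjectPublicKeyInfo."""
    lines = text.splitlines()
    i, comments, uris = 0, [], []
    while i < len(lines) and lines[i].startswith("#"):
        comments.append(lines[i][1:].strip())
        i += 1
    while i < len(lines) and lines[i].strip():
        uri = lines[i].strip()
        if not (uri.startswith("rsync://") or uri.startswith("https://")):
            raise ValueError(f"{name}: unsupported TAL URI scheme: {uri}")
        uris.append(uri)
        i += 1
    if not uris:
        raise ValueError(f"{name}: TAL has no URI section")
    if i >= len(lines):
        raise ValueError(f"{name}: TAL is missing the blank line and key section")
    i += 1  # consume the blank separator line
    b64 = "".join(line.strip() for line in lines[i:])
    if not b64:
        raise ValueError(f"{name}: TAL has no key section")
    spki = base64.b64decode(b64, validate=True)
    if not spki or spki[0] != 0x30:  # a DER SubjectPublicKeyInfo is a SEQUENCE
        raise ValueError(f"{name}: key section is not a DER SEQUENCE")
    return TrustAnchorLocator(name, uris, spki, comments)


def select_tals(tals, pinned, accepted_terms, require_acceptance):
    """Decide which shipped TALs the validator may load.

    pinned:             name -> expected SHA-256 fingerprint (operator-reviewed)
    accepted_terms:     set of TAL names whose terms the user has accepted
    require_acceptance: set of TAL names that stay disabled without that
                        acceptance (the 'ask the user first' branch in the post)
    """
    enabled = []
    for tal in tals:
        if tal.name in require_acceptance and tal.name not in accepted_terms:
            continue  # shipped with the product but left disabled
        expected = pinned.get(tal.name)
        if expected is None or expected != tal.fingerprint():
            raise ValueError(f"{tal.name}: TAL key does not match the pinned fingerprint")
        enabled.append(tal)
    return enabled


# Constructed sample TAL: "MAMCAQE=" decodes to the 5-byte DER SEQUENCE
# 30 03 02 01 01, a stand-in for a real SubjectPublicKeyInfo.
SAMPLE_TAL_TEXT = (
    "# constructed sample TAL, not any RIR's trust anchor\n"
    "rsync://rpki.example.net/repository/root.cer\n"
    "https://rpki.example.net/repository/root.cer\n"
    "\n"
    "MAMCAQE=\n"
)


if __name__ == "__main__":
    tal = parse_tal("sample", SAMPLE_TAL_TEXT)
    pins = {"sample": tal.fingerprint()}
    # Gate closed: the TAL ships with the product but is not loaded.
    print([t.name for t in select_tals([tal], pins, set(), {"sample"})])
    # Gate open, or no gate configured: the TAL is loaded after the pin check.
    print([t.name for t in select_tals([tal], pins, {"sample"}, {"sample"})])
    print([t.name for t in select_tals([tal], pins, set(), set())])
```

Shipping a TAL inside the package does not remove the need for the pin: an embedded file is as exposed to corruption or substitution on its way to the operator as a downloaded one, and the fingerprint is what ties the bytes actually loaded to the ones the operator reviewed. Whether a gate applies at all is configuration; an empty `require_acceptance` set enables every pinned TAL unconditionally.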
On 27 Sep 2022, at 7:21 AM, Lukas Tribus <lukas@ltri.eu> wrote:

Can an RP validator ship and use the ARIN TAL by default, without additional steps and confirmations by the user?

Yes: the intent is that an RP validator may ship and use the ARIN TAL by default. If that is not clear in the revised RPA, then the RPA agreement will be updated again for clarity.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers
* jcurran@arin.net (John Curran) [Tue 27 Sep 2022, 13:26 CEST]:
Yes: the intent is that an RP validator may ship and use the ARIN TAL by default. If that is not clear in the revised RPA, then the RPA agreement will be updated again for clarity.

I feel like you're just gaslighting us at this point.

"You have passed through terms that are at least as protective of ARIN ... via browse-wrap, clickwrap [...] for which such third party is legally obligated to said terms."

So, no, software developers cannot ship and use the ARIN TAL by default, which means without having to interrupt an installation process with a question about Articles 5, 6, and 7 and Sections 8(a), 8(b), and 8(f) of the ARIN RPA.

Why can't ARIN just grant distribution and use for any purpose rights like the other RIRs?

-- Niels.
On 27 Sep 2022, at 10:33 AM, Niels Bakker <niels=nanog@bakker.net> wrote:

* jcurran@arin.net (John Curran) [Tue 27 Sep 2022, 13:26 CEST]:

Yes: the intent is that an RP validator may ship and use the ARIN TAL by default. If that is not clear in the revised RPA, then the RPA agreement will be updated again for clarity.

I feel like you're just gaslighting us at this point.

You suggest gaslighting by ARIN as a result of us indicating that if the RPA is unclear, it will be corrected? That’s an interesting interpretation – I could certainly understand a gaslighting concern if ARIN said “it’s fine and don’t worry about the words; it means what it means”, but rather we are acknowledging the language may still remain unclear and need to be promptly addressed.

Why can't ARIN just grant distribution and use for any purpose rights like the other RIRs?

Not quite "use for any purpose”; for example – RIPE NCC:

"Users shall be permitted to download the Repository and to access and use the data contained therein, only in order to validate Certificates, CRLs and RPKI-signed objects. Download of the Repository, access to or use of the data contained therein for any other purpose, including but not limited to identification purposes, advertising, direct marketing, marketing research or similar purposes, is strictly forbidden.”

However, your point is taken and ARIN shall endeavor to make terms and conditions for use of the TAL and the ARIN repository clearer in this regard.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers
On 27 Sep 2022, at 11:42 AM, John Curran <jcurran@arin.net> wrote:

However, your point is taken and ARIN shall endeavor to make terms and conditions for use of the TAL and the ARIN repository clearer in this regard.

As alluded to above, the attached ARIN announcement from today notes that the ARIN RPA has now been updated (again) specifically to improve its clarity regarding the ability to distribute the ARIN TAL.

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers

Begin forwarded message:

From: ARIN <info@arin.net>
Subject: [arin-announce] Change to Management of the Trust Anchor Locator for ARIN’s RPKI Service
Date: 29 September 2022 at 4:07:55 PM EDT
To: arin-announce@arin.net

On 26 September 2022, ARIN announced changes to the way we manage our Trust Anchor Locator (TAL), and specifically changes to our Relying Party Agreement (RPA) that support this change. Community members responded with questions about these changes as they relate to the ARIN TAL. The RPA has been updated once more to clarify that public distribution of the ARIN TAL, including by embedding the ARIN TAL in Relying Party software, is specifically allowed.

The updated RPA is available for review:

RPA: https://www.arin.net/resources/manage/rpki/rpa.pdf
RPA Redline: https://www.arin.net/announcements/2022/documents/rpa_092922_redline.pdf

We hope this addresses concerns raised by members of the community seeking clarification regarding the use of the ARIN TAL. Thank you to the community for the constructive feedback.

If you have any questions or issues, please email routing.security@arin.net.

Regards,

Brad Gorman
Sr. Product Owner, Routing Security
American Registry for Internet Numbers (ARIN)
However, your point is taken and ARIN shall endeavor to make terms and conditions for use of the TAL and the ARIN repository clearer in this regard.
As alluded to above, the attached ARIN announcement from today notes that the ARIN RPA has now been updated (again) specifically to improve its clarity regarding the ability to distribute the ARIN TAL.
so carefully worded

the following is a binary question. yes or no, please

may i include the arin tal in my software product with neither i nor the user of the product being encumbered, signing anything, ... as with the other RIRs?

randy
On 29 Sep 2022, at 6:12 PM, Randy Bush <randy@psg.com> wrote:
However, your point is taken and ARIN shall endeavor to make terms and conditions for use of the TAL and the ARIN repository clearer in this regard.
As alluded to above, the attached ARIN announcement from today notes that the ARIN RPA has now been updated (again) specifically to improve its clarity regarding the ability to distribute the ARIN TAL.
so carefully worded
the following is a binary question. yes or no, please
may i include the arin tal in my software product with neither i nor the user of the product being encumbered, signing anything, ... as with the other RIRs?
Randy -

Yes. From the revised RPA - "Notwithstanding the foregoing, You are specifically allowed to publicly distribute the ARIN TAL, including by embedding the ARIN TAL in relying party software;”

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers
may i include the arin tal in my software product with neither i nor the user of the product being encumbered, signing anything, ... as with the other RIRs? Yes.
excellent. thank you.

[ and arin might ask itself why and how it took O(decade) to come to this simple position; just in case there are other mis-matches between arin's positions and community needs ]

randy
On 29 Sep 2022, at 6:30 PM, Randy Bush <randy@psg.com> wrote:
may i include the arin tal in my software product with neither i nor the user of the product being encumbered, signing anything, ... as with the other RIRs? Yes.
excellent. thank you.
[ and arin might ask itself why and how it took O(decade) to come to this simple position; just in case there are other mis-matches between arin's positions and community needs ]
Randy -

It’s actually not a simple position at all, but a rather complicated set of tradeoffs that the organization has to consider (and periodically review based on changing conditions) by the Board of Trustees. Even now there are significant differences in RPKI approaches among the RIRs, and that’s to be expected given the different legal environments in which they operate.

Note also there’s a variety of views in the community on nearly any topic, but ultimately the members have to elect those whose judgment they trust to the Board if they wish to have outcomes that they trust – as it is the trustees who have the fiduciary duty to the organization and its community.

ARIN has recently been reviewing quite a bit of customer-facing legal agreements based on current conditions, and the results include both an updated RPA and also the recently announced update to the RSA/LRSA - <https://www.arin.net/announcements/20220912/>

If you have further suggestions for items you’d like reviewed, please drop me an email (or submit into the ARIN Consultation and Suggestion process if you want formal tracking - https://www.arin.net/participate/community/acsp/process/)

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers
On Thu, Sep 29, 2022 at 03:30:55PM -0700, Randy Bush wrote:
may i include the arin tal in my software product with neither i nor the user of the product being encumbered, signing anything, ... as with the other RIRs? Yes.
excellent. thank you.
[ and arin might ask itself why and how it took O(decade) to come to this simple position; just in case there are other mis-matches between arin's positions and community needs ]
Randy, did you sign the RPA?

I did not sign the RPA. Am I allowed to use rpki software like this? And am I in any way restricted in the use of the produced work below from this RP software?

rpki-client -t /etc/rpki/arin.tal -d /tmp/a /tmp
rpki-client: https://rpki.sailx.co/rrdp/notification.xml: TLS handshake: certificate verification failed: certificate has expired
rpki-client: https://rpki.sailx.co/rrdp/notification.xml: load from network failed, fallback to rsync
rpki-client: rpki-rps.arin.net/repository/8a848adf8143bf6201823bd454752be6/0/267181B0A5DD38D60BCC22881342C64FFC8CBC1F.mft: no valid mft available
rpki-client: rpki-rps.arin.net/repository/8a848ade7fb71aa9017fdd9c5dd324c7/0/EB1DD8AA3E2B6864E06379C751DBFFFCC6418350.mft: no valid mft available
rpki-client: rpki-rps.arin.net/repository/8a848ade7fb71aa901800003287f4402/0/2BF7605B8927C87448B3B294A8B61D8E983248E0.mft: no valid mft available
rpki-client: rpki-rps.arin.net/repository/8a848adf7fb722e9017ffead9f534ac5/0/BFA2750976CA07F56A68976B0F01EB862F17C3B3.mft: no valid mft available
openrsync: warning: connect timeout: 208.82.103.214, rpki.sailx.co
openrsync: error: cannot connect to host: rpki.sailx.co
rpki-client: rsync rsync://rpki.sailx.co/repo failed
rpki-client: .rsync/rpki.sailx.co/repo: load from network failed, fallback to cache
rpki-client: rpki.sailx.co/repo/Sail-Internet-Inc/0/DFC5509768EA587E638D20680032E0FF122BD25A.mft: no valid mft available
Processing time 202 seconds (54 seconds user, 30 seconds system)
Skiplist entries: 0
Route Origin Authorizations: 56644 (0 failed parse, 0 invalid)
AS Provider Attestations: 0 (0 failed parse, 0 invalid)
BGPsec Router Certificates: 0
Certificates: 2878 (0 invalid)
Trust Anchor Locators: 1 (0 invalid)
Manifests: 2878 (5 failed parse, 0 stale)
Certificate revocation lists: 2873
Ghostbuster records: 0
Repositories: 16
Cleanup: removed 0 files, 2900 directories, 580 superfluous
VRP Entries: 81311 (75592 unique)
VAP Entries: 0 (0 unique)

# Processing time 202 seconds (54s user, 30s system)
# Route Origin Authorizations: 56644 (0 failed parse, 0 invalid)
# BGPsec Router Certificates: 0
# Certificates: 2878 (0 invalid)
# Trust Anchor Locators: 1 (0 invalid) [ /etc/rpki/arin.tal ]
# Manifests: 2878 (5 failed parse, 0 stale)
# Certificate revocation lists: 2873
# Ghostbuster records: 0
# Repositories: 16
# VRP Entries: 81311 (75592 unique)
roa-set {
	3.0.0.0/15 source-as 16509 expires 1664683200
	3.0.0.0/15 source-as 38895 expires 1664683200
	3.0.0.0/10 maxlen 24 source-as 8987 expires 1664683200
	3.0.0.0/10 maxlen 24 source-as 14618 expires 1664683200
	3.0.0.0/10 maxlen 24 source-as 16509 expires 1664683200
	3.2.1.0/24 source-as 16509 expires 1664683200
	3.3.5.0/24 source-as 7224 expires 1664683200
	3.4.1.0/24 source-as 7224 expires 1664683200
	3.4.2.0/24 source-as 7224 expires 1664683200
	3.4.4.0/24 source-as 7224 expires 1664683200
	3.33.48.0/20 maxlen 24 source-as 7224 expires 1664683200
	3.64.0.0/10 maxlen 24 source-as 8987 expires 1664683200
	3.64.0.0/10 maxlen 24 source-as 14618 expires 1664683200
	3.64.0.0/10 maxlen 24 source-as 16509 expires 1664683200
	3.112.0.0/14 source-as 16509 expires 1664683200
	3.128.0.0/10 maxlen 24 source-as 8987 expires 1664683200
	3.128.0.0/10 maxlen 24 source-as 14618 expires 1664683200
	3.128.0.0/10 maxlen 24 source-as 16509 expires 1664683200
	3.192.0.0/10 maxlen 24 source-as 8987 expires 1664683200
	3.192.0.0/10 maxlen 24 source-as 14618 expires 1664683200
	3.192.0.0/10 maxlen 24 source-as 16509 expires 1664683200
	4.128.0.0/12 source-as 8075 expires 1664769600
	4.144.0.0/12 source-as 8075 expires 1664769600
	4.160.0.0/12 source-as 8075 expires 1664769600
	4.176.0.0/12 source-as 8075 expires 1664769600
	4.192.0.0/12 source-as 8075 expires 1664769600
	4.208.0.0/12 source-as 8075 expires 1664769600
	4.224.0.0/12 source-as 8075 expires 1664769600
	4.240.0.0/12 source-as 8075 expires 1664769600
	8.2.120.0/24 source-as 20473 expires 1664683200
	8.2.121.0/24 source-as 20473 expires 1664683200
	8.2.122.0/24 source-as 20473 expires 1664683200
	8.3.29.0/24 source-as 20473 expires 1664683200
	8.6.8.0/24 source-as 20473 expires 1664683200
	8.6.193.0/24 source-as 20473 expires 1664683200
	8.7.233.0/24 source-as 20473 expires 1664683200
	8.8.4.0/24 source-as 15169 expires 1664683200
	8.8.8.0/24 source-as 15169 expires 1664683200
...

-- 
:wq Claudio
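Claudio's listing above is rpki-client's OpenBGPD-format output: one Validated ROA Payload (VRP) per line with a prefix, an optional maxlen, the authorised origin AS and an expiry epoch. As an added example (not part of the post and not rpki-client or OpenBGPD code), the following parses that `roa-set` format and applies RFC 6811 route origin validation to sample routes, which is what a router consuming this file does with each received announcement. A subset of the VRP lines is copied from the output above; the route/AS pairs and clock values are constructed, the closing brace is supplied because the post's listing is truncated, and `expires` is treated as the time after which a VRP must no longer be used, an assumption about the field rather than something the post states.

```python
"""Parse rpki-client's OpenBGPD-format roa-set output into VRPs and run
RFC 6811 route origin validation over them.  Added example; the VRP lines in
SAMPLE_ROA_SET are copied from the post's output, everything else is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    prefix: Network         # ROA prefix
    maxlen: int             # longest prefix length the ROA permits
    asn: int                # authorised origin AS (0 means no origin is authorised)
    expires: Optional[int]  # Unix time after which the VRP is stale (assumed meaning)


# prefix [maxlen N] source-as N [expires T]
ENTRY_RE = re.compile(
    r"^(?P<prefix>\S+)"
    r"(?:\s+maxlen\s+(?P<maxlen>\d+))?"
    r"\s+source-as\s+(?P<asn>\d+)"
    r"(?:\s+expires\s+(?P<expires>\d+))?$"
)


def parse_roa_set(text: str) -> List[VRP]:
    """Accept a 'roa-set { ... }' block, ignoring the '#' summary lines."""
    vrps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("roa-set") or line == "}":
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable roa-set entry: {line!r}")
        prefix = ipaddress.ip_network(m["prefix"], strict=True)
        maxlen = int(m["maxlen"]) if m["maxlen"] else prefix.prefixlen
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} out of range for {prefix}")
        expires = int(m["expires"]) if m["expires"] else None
        vrps.append(VRP(prefix, maxlen, int(m["asn"]), expires))
    return vrps


def validate_origin(route: str, origin_as: int, vrps: List[VRP], now: int) -> str:
    """RFC 6811: 'valid' if an unexpired covering VRP names the origin AS and
    permits the route's length; 'invalid' if covering VRPs exist but none
    match; 'not-found' if no VRP covers the route at all."""
    net = ipaddress.ip_network(route, strict=True)
    covered = False
    for vrp in vrps:
        if vrp.expires is not None and vrp.expires <= now:
            continue  # stale VRPs contribute nothing
        if vrp.prefix.version != net.version:
            continue
        if net.prefixlen < vrp.prefix.prefixlen or net.network_address not in vrp.prefix:
            continue  # this VRP does not cover the route
        covered = True
        if vrp.asn == origin_as and net.prefixlen <= vrp.maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


# VRP lines copied from the rpki-client output in the post (tab-indented as
# OpenBGPD writes them); the closing brace is supplied since the listing is truncated.
SAMPLE_ROA_SET = """\
# Trust Anchor Locators: 1 (0 invalid) [ /etc/rpki/arin.tal ]
roa-set {
\t3.0.0.0/15 source-as 16509 expires 1664683200
\t3.0.0.0/15 source-as 38895 expires 1664683200
\t3.0.0.0/10 maxlen 24 source-as 8987 expires 1664683200
\t3.0.0.0/10 maxlen 24 source-as 14618 expires 1664683200
\t3.0.0.0/10 maxlen 24 source-as 16509 expires 1664683200
\t3.2.1.0/24 source-as 16509 expires 1664683200
\t4.128.0.0/12 source-as 8075 expires 1664769600
\t8.8.8.0/24 source-as 15169 expires 1664683200
}
"""

if __name__ == "__main__":
    vrps = parse_roa_set(SAMPLE_ROA_SET)
    now = 1664600000  # constructed clock value, before either expiry above
    for route, asn in [("8.8.8.0/24", 15169), ("8.8.8.0/25", 15169),
                       ("3.0.1.0/24", 38895), ("9.9.9.0/24", 64496)]:
        print(route, asn, validate_origin(route, asn, vrps, now))
```

The maxlen handling is the part worth reading twice: `3.0.0.0/15` with no maxlen authorises only the /15 itself, so a /24 inside it is covered but not permitted by that VRP and is only valid because a separate `3.0.0.0/10 maxlen 24` VRP for the same AS exists. The `expires` check is what makes a validator whose refresh has stalled, as in the fetch failures Claudio's run shows, degrade from "valid" to "not-found" rather than keep asserting authorisations that are no longer backed by current signed objects.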
Randy, did you sign the RPA?
you're kidding, right?
I did not sign the RPA. Am I allowed to use rpki software like this? And am I in any way restricted in the use of the produced work below from this RP software?
i am not a lawyer and do not play one on the net

randy
On 29 Sep 2022, at 6:26 PM, John Curran <jcurran@arin.net> wrote:
...
may i include the arin tal in my software product with neither i nor the user of the product being encumbered, signing anything, ... as with the other RIRs?

Randy -

Yes. From the revised RPA - "Notwithstanding the foregoing, You are specifically allowed to publicly distribute the ARIN TAL, including by embedding the ARIN TAL in relying party software;”

Randy -

Note that “as with the other RIRs” may be a key element of your question, since users of the other RIRs’ RPKI repositories are also subject to the relevant terms and conditions (e.g. "RIPE NCC Certification Repository Terms and Conditions" https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/legal/ripe...)

To the extent that you rely on ARIN’s RPA to provide the right to publicly distribute the TAL, you are also subject to its terms and conditions. I don’t particularly consider being subject to the terms and conditions of service that you choose as making one “encumbered”, but for avoidance of doubt figured I should point that out.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers
On Tue, Sep 27, 2022 at 4:23 AM John Curran <jcurran@arin.net> wrote:
Yes: the intent is that an RP validator may ship and use the ARIN TAL by default.
If that is not clear in the revised RPA, then the RPA agreement will updated again for clarity.
Hi John,

It's clear enough from section 9 that an RP validator may NOT ship and use the ARIN TAL without first adopting as its own the basic brokenness of ARIN's legal process around the TAL. This change looks to me like a swing and a miss.

Understand John, open source software operates on a license tender basis. The user is presumed to have accepted the license contract on the basis of their lack of authority to have made a copy any other way. Placing additional restrictions is a poison pill.

Regards,
Bill Herrin

-- 
For hire. https://bill.herrin.us/resume/