Changes to Initial Certification Policy in the RIPE NCC Service Region

Summary of Proposal:

The RIPE NCC plans to deploy a certification service that can be used to secure uniqueness of resources.

This proposal lays out guidelines for how LIRs can receive Resource Public Key Infrastructure (RPKI) certificates over their Provider Aggregatable (PA) address space holdings and how these certificates should be maintained.

Policy Text:

a. New

Following guidelines are to apply only for certification of Provider Aggregatable (PA) address space allocations that are held by the Local Internet Registries (LIRs) within the RIPE NCC service region. RIPE NCC members in good standing.

The RIPE NCC issues will issue certificates upon request for RIPE NCC supplied Provider Aggregatable (PA) address space allocations. The requester must be a RIPE NCC member allocations to the LIR holding Provider Aggregatable (PA) address space allocations. When the RIPE NCC receives a certification request, they may ask for further details to ensure that the requester is the legitimate that is the registered holder of the resource. that space.

The certificate will be issued via a secure channel that the RIPE NCC maintains for its members (at the time of this proposal this is the LIR Portal) channel.

Certificates will be issued with a validity period of up to 18 months. Renewal months or other maintenance of certificates will be available to LIRs with valid RIPE NCC membership or other appropriate contractual relationship. Certificates will be revoked when allocations are returned or withdrawn. as otherwise stated in the RIPE NCC Certificate Practice Statement.

In the event of revocation due to security breach or similar, new certificates will be issued with a validity period equal to the remaining validity of the revoked certificate. Maintenance and renewal of certificates will be tied to contractual relationship

Certificates will at all times reflect the registration status of the LIR with the RIPE NCC. In cases of continuing non-payment, cessation of contract and/or closing of the LIR, existing certificates may be revoked by the RIPE NCC. Notification and a grace period will be provided before the RIPE NCC revokes or ceases renewal of any certificates. resource.

Rationale:

a. Arguments Supporting the Proposal

The RIPE Certification Task Force (CA-TF) was formed at RIPE 53 to advise, review and to provide feedback about a certification system. More details about the CA-TF can be found at: http://www.ripe.net/ripe/tf/certification/index.html

http://www.ripe.net/ripe/groups/tf/certification

Since RIPE 53, the CA-TF has been looking at the system from several angles such as benefits and usefulness of it as well as operational, business and policy implications that it may bring. As these issues were narrowed down for discussion, CA-TF has reported to the community at regular intervals.

This proposal is a product of the work done by the CA-TF. The task force has studied possible policy implications and decided that a short initial policy will be useful that will be a guideline for a certification system for the RIPE community to discuss.

At this stage, a policy only for LIRs holding PA address space is proposed. The CA-TF believes that the system should cover PA resources initially, as this is the simplest case for the system. Once a policy for PA resources for LIRs has been discussed and the community has agreed on guidelines, then the CA-TF will consider more complicated scenarios, such as PI address space and ERX and legacy address space. This phased development is also in line with the technical implementation of the system, as certificates for PA allocations will be are the first real cases for the certification system when it launches. system. Certification of other resources will be implemented later on.

It is proposed that the validity of certificates is tied to membership the registration status of an LIR. This is in line with the other services that the RIPE NCC provides to its members. In order to minimise any operational impact caused the resource. Rules and processes for deregistration of resources by the revocation or non-renewal of certificates, a grace period will be incorporated into RIPE NCC procedures. RIPE NCC are being clarified by a new draft document from RIPE NCC “Draft: Closure of LIR and Deregistration of Internet number resource” presented at RIPE 61 Services WG:

http://www.ripe.net/lir-services/ncc/legal/ClosureofLIRandderegistrationofINRs_finaldraft.pdf

b. Arguments Opposing the Proposal

None.

Impact Analysis:

Note: In order to provide additional information related to the proposal, details of an impact analysis carried out by the RIPE NCC are documented below. The projections presented in this analysis are based on existing data and should be viewed only as an indication of the possible impact that the policy might have if the proposal is accepted and implemented.

A. RIPE NCC's Understanding of the Proposed Policy

This proposal directs the RIPE NCC to supply to its members, upon request, a certificate for their IPv4 PA Allocations.

This proposal only applies to IPv4 ALLOCATED PA blocks that were issued by the RIPE NCC and excludes early registration and legacy space, as well as blocks marked as ALLOCATED UNSPECIFIED or ALLOCATED PI.

Also excluded are other types of resources, such as IPv6 and AS numbers.

If resources are returned to or reclaimed by the RIPE NCC, any certificates issued for them will be revoked when the relevant objects are deleted from the RIPE DB.

B. Impact of Policy on Registry and Addressing System

Address/Internet Number Resource Consumption:

After analysing the data that is currently available, the RIPE NCC does not anticipate that any significant impact will be caused if this proposal is implemented.

Fragmentation/Aggregation:

After analysing the data that is currently available, the RIPE NCC does not anticipate that any significant impact will be caused if this proposal is implemented.

C. Impact of Policy on RIPE NCC Operations/Services

Registration Services:

The internal procedures for implementing this policy have not been finalised yet. It is therefore not possible to assess the precise impact that this will have on the Registration Services Operations. As certification is not mandatory for RIPE NCC members, it is not possible to accurately predict the workload increase for the RIPE NCC.

Billing/Finance Department:

After analysing the data that is currently available, the RIPE NCC does not anticipate that any significant impact will be caused if this proposal is implemented.

RIPE Database:

After analysing the data that is currently available, the RIPE NCC does not anticipate that any significant impact will be caused if this proposal is implemented.

D. Legal Impact of Policy

After analysing the data that is currently available, the RIPE NCC does not anticipate that the implementation of this proposed policy will cause any significant legal implications.

However for clarification purposes the following points should be emphasised:

1. Legal framework considerations

The legal framework around this service is in line with existing policies and procedures regarding registration. Please note that the details of the service are outlined in:

2. Law Enforcement Agencies’ intervention

According to the existing legal framework the possibilities for LEAs to order revocation of certificates are extremely limited. Given that certificates reflect the registration status of the resources, for a certificate to be revoked the resources must be deregistered. The introduction of certificates as such does not have any additional impact on the level of possible LEA intervention.

Abstract

This policy lays out guidelines for how LIRs can receive Resource Public Key Infrastructure (RPKI) certificates over their Provider Aggregatable (PA) address space holdings and how these certificates should be maintained.

Contents

1.0 Certification of Provider Aggregatable (PA) Allocation

2.0 Attribution

1.0 Certification of Provider Aggregatable (PA) Allocation

Following guidelines are to apply only for certification of Provider Aggregatable (PA) address space allocations that are held by the RIPE NCC members in good standing.

The RIPE NCC will issue certificates upon request for RIPE NCC supplied Provider Aggregatable (PA) address space allocations to the LIR that is the registered holder of that space.

The certificate will be issued via a secure channel.

Certificates will be issued with a validity period of up to 18 months or as otherwise stated in the RIPE NCC Certificate Practice Statement.

In the event of revocation due to security breach or similar, new certificates will be issued with a validity period equal to the remaining validity of the revoked certificate.

Certificates will at all times reflect the registration status of the resource.

2.0 Attribution

This document is compiled from policies developed by the RIPE community.

The following people actively contributed by making proposals through the RIPE Policy Development Process:

Nigel Titley

Initial Certification Policy for Provider Aggregatable Address Space Holders
The RIPE NCC plans to deploy a certification service that can be used to secure uniqueness of resources. This proposal lays out guidelines for how LIRs can receive certificates over their Provider Aggregatable (PA) address space holdings and how these certificates should be maintained.