Changes to Initial Certification Policy in the RIPE NCC Service Region
Legend | (+) Added | (-) Deleted |
---|---|---|
Changed | Tag Added | Tag Deleted |
Summary of Proposal:
The RIPE NCC plans to deploy a certification service that can be used to secure uniqueness of resources.
This proposal lays out guidelines for how LIRs can receive Resource Public Key Infrastructure (RPKI) certificates over their Provider Aggregatable (PA) address space holdings IP Resources and how these certificates should be maintained.
Policy Text:
a. New
Following
The following guidelines are to apply only for to certification of Provider Aggregatable (PA) address space allocations that are Internet number resources held by the Local RIPE NCC members in good standing.
The RIPE NCC will issue certificates for Internet Registries (LIRs) within the RIPE NCC service region. number resources upon request to the registered holder of those resources.
Initially, the following Internet number resources distributed by the RIPE NCC will be eligible for certification:
- IPv4 resources with the status "ALLOCATED PA" and "ALLOCATED UNSPECIFIED"
- IPv6 resources with the status "ALLOCATED-BY-RIR"
The RIPE NCC will issue certificates upon request for RIPE NCC supplied Provider Aggregatable (PA) address space allocations IP Resources to the LIR that is the registered holder of that space. those resources.
The certificate will be issued via a secure channel.
Certificates will be issued with a validity period of up to 18 months. Certificates will at all times reflect the registration status of the resource months or as otherwise stated in the Registry, as also reflected in the RIPE database. In practice this means a certificate may be issued to the registered holder of the PA resource at any time that a record of that holding exists in the RIPE database. Withdrawal of the record of that holding from the RIPE database will automatically result in the certificate being revoked. RIPE NCC Certificate Practice Statement [1].
In the event of revocation due to security breach or similar, new certificates will be issued with a validity period equal to the remaining validity of the revoked certificate.
Certificates will at all times reflect the registration status of the resource.
References
[1] RIPE NCC RPKI (Resource Public Key Infrastructure) Certification Practice Statement, www.ripe.net/certification/cps.html
Rationale:
a. Arguments Supporting the Proposal
The RIPE Certification Task Force (CA-TF) was formed at RIPE 53 to advise, review and to provide feedback about a certification system. More details about the CA-TF can be found at:
http://www.ripe.net/ripe/tf/certification/index.html
Since RIPE 53, the CA-TF has been looking at the system from several angles such as benefits and usefulness of it as well as operational, business and policy implications that it may bring. As these issues were narrowed down for discussion, CA-TF has reported to the community at regular intervals.
This proposal is a product of the work done by the CA-TF. The task force has studied possible policy implications and decided that a short initial policy will be useful that will be a guideline for a certification system for the RIPE community to discuss.
At this stage, a policy only for LIRs holding PA address space is proposed. The CA-TF believes that the system should cover PA these resources initially, as this is the simplest case for the system. Once a policy for PA resources for held by LIRs has been discussed and the community has agreed on guidelines, then the CA-TF will consider more complicated scenarios, such as PI address space and ERX and legacy address space. This phased development is also inline with the technical implementation of the system, as certificates for PA allocations will be LIR resource holders are the first real cases for the certification system when it launches. system. Certification of other resources will be implemented later on.
It is proposed that the validity of certificates is tied to the registration status of the resource in the registry as also reflected in the RIPE database. A full definition of registration status is awaited but for the purposes of this proposal it is defined as the existence of resource. Rules and processes for deregistration of resources by the RIPE NCC are being clarified by a record in the RIPE database showing the resource as being held by the certificate requestor. new document from RIPE NCC “Closure of LIR and Deregistration of Internet number resource” presented at RIPE 61 Services WG:
https://www.ripe.net/ripe/docs/ripe-517
b. Arguments Opposing the Proposal
None.
Impact Analysis:
Note: In order to provide additional information related to the proposal, details of an impact analysis carried out by the RIPE NCC are documented below. The projections presented in this analysis are based on existing data and should be viewed only as an indication of the possible impact that the policy might have if the proposal is accepted and implemented.
A. RIPE NCC's Understanding of the Proposed Policy
This proposal directs the RIPE NCC to supply issue to its members, upon request, a certificate for their IPv4 PA Allocations. IP Address allocations as registered in the RIPE Registry.
This proposal only applies to the following types of resources:
- IPv4 ALLOCATED PA blocks that were issued by the RIPE NCC and excludes early registration and legacy space, as well as blocks marked as
- IPv4 ALLOCATED UNSPECIFIED or ALLOCATED PI. Also excluded
- IPv6 ALLOCATED-BY-RIR
Excluded are other types or resources, such as AS numbers, ANYCAST, IPv4 ALLOCATED PI, IPv6 and AS numbers. ASSIGNED, IPv6 ASSIGNED PI and EARLY-REGISTRATION blocks.
If resources are returned to or reclaimed by the RIPE NCC, any certificates issued for them will be revoked when the relevant objects are deleted from the RIPE DB. Registry.
B. Impact of Policy on Registry and Addressing System
Address/Internet Number Resource Consumption:
After analysing the data that is currently available, the RIPE NCC does not anticipate that any significant impact will be caused if this proposal is implemented.
Fragmentation/Aggregation:
After analysing the data that is currently available, the RIPE NCC does not anticipate that any significant impact will be caused if this proposal is implemented.
C. Impact of Policy on RIPE NCC Operations/Services
Registration Services:
The internal procedures for implementing this policy have not been finalised yet. It is therefore not possible to assess the precise impact that this will have on the Registration Services Operations. As certification is not mandatory for RIPE NCC members, it is not possible to accurately predict the workload increase for the RIPE NCC.
Billing/Finance Department:
After analysing the data that is currently available, the RIPE NCC does not anticipate that any significant impact will be caused if this proposal is implemented.
RIPE Database:
After analysing the data that is currently available, the RIPE NCC does not anticipate that any significant impact will be caused if this proposal is implemented.
D. Legal Impact of Policy
After analysing the data that is currently available, the RIPE NCC does not anticipate that the implementation of this proposed policy will cause any significant legal implications.
However for clarification purposes the following points should be emphasised:
1. Legal framework considerations
The proposed policy introduces a new RIPE NCC service. Accordingly, the RIPE NCC should develop and document the details of this service and relevant procedures. The RIPE NCC will consider creating a legal framework around this service including the review of the RIPE NCC Standard Terms and Conditions. However, since the certificates are an enhancement to the existing registration services this legal framework should be is in line with existing policies and procedures regarding registration. Please note that the details of the service are outlined in:
- the RIPE NCC Certification Service Terms and Conditions that refer to the relationship between the RIPE NCC and LIRs that make use of the certification service through the LIR
  http://www.ripe.net/certification/legal/tc-service.html
- the RIPE NCC Certification Repository Terms and Conditions that refer to the relationship between the RIPE NCC and anyone who makes use of the Repository (the relying parties)
  http://www.ripe.net/certification/legal/tc-repository.html
2. Law Enforcement Agencies’ intervention
According to the existing legal framework the possibilities for LEAs to order revocation of certificates are extremely limited. Given that certificates reflect the registration status of the resources, for a certificate to be revoked the resources must be deregistered. The introduction of certificates as such does not have any additional impact on the level of possible LEA intervention.
Abstract
This document describes the RIPE community’s current IPv4 address allocation and assignment policies. They were developed through a bottom-up, consensus driven, open policy development process
The following guidelines apply only to certification of Internet number resources held by RIPE NCC members in the RIPE Address Policy Working Group (AP WG). The RIPE Network Coordination Centre (RIPE NCC) facilitates and supports this process. These policies apply to the RIPE NCC and the Local Internet Registries (LIRs) within the RIPE NCC service region. good standing.
Contents
1.0 Certification of Internet Number Resources
2.0 References
3.0 Attribution
1.0 Certification of Internet Number Resources
The RIPE NCC will issue certificates for Internet number resources upon request to the registered holder of those resources.
Initially, the following Internet number resources distributed by the RIPE NCC will be eligible for certification:
- Information on the Address Policy WG IPv4 resources with the status "ALLOCATED PA" and "ALLOCATED UNSPECIFIED"
- IPv6 resources with the status "ALLOCATED-BY-RIR"
The RIPE NCC will issue certificates upon request for RIPE NCC supplied Provider Aggregatable (PA) address space allocations IP Resources to the LIR that is the registered holder of that space. those resources.
The certificate will be issued via a secure channel.
Certificates will be issued with a validity period of up to 18 months. Certificates will at all times reflect the registration status of the resource months or as otherwise stated in the Registry, as also reflected in the RIPE database. In practice this means a certificate may be issued to the registered holder of the PA resource at any time that a record of that holding exists in the RIPE database. Withdrawal of the record of that holding from the RIPE database will automatically result in the certificate being revoked. RIPE NCC Certificate Practice Statement [1].
In the event of revocation due to security breach or similar, new certificates will be issued with a validity period equal to the remaining validity of the revoked certificate.
Certificates will at all times reflect the registration status of the resource.
2.0 References
[1] RIPE NCC RPKI (Resource Public Key Infrastructure) Certification Practice Statement, www.ripe.net/certification/cps.html
3.0 Attribution
This document is compiled from policies developed by the RIPE community.
The following people actively contributed by making proposals through the RIPE Policy Development Process:
Nigel Titley