Initial Certification Policy for Provider Aggregatable Address Space Holders
Summary of Proposal:
The RIPE NCC plans to deploy a certification service that can be used to secure uniqueness of resources. This proposal lays out guidelines for how LIRs can receive certificates over their Provider Aggregatable (PA) address space holdings and how these certificates should be maintained.
The following guidelines apply only to the certification of Provider Aggregatable (PA) address space allocations that are held by the Local Internet Registries (LIRs) within the RIPE NCC service region.
The RIPE NCC issues certificates upon request for Provider Aggregatable (PA) address space allocations.
The requester must be a RIPE NCC member LIR holding Provider Aggregatable (PA) address space allocations.
When the RIPE NCC receives a certification request, it may ask for further details to ensure that the requester is the legitimate holder of the resource.
The certificate will be issued via a secure channel that the RIPE NCC maintains for its members (at the time of this proposal this is the LIR Portal) with a validity period of up to 18 months.
Renewal or other maintenance of certificates will be available to LIRs with valid RIPE NCC membership or other appropriate contractual relationship. Certificates will be revoked when allocations are returned or withdrawn. In the event of revocation due to a security breach or similar, new certificates will be issued with a validity period equal to the remaining validity of the revoked certificate. Maintenance and renewal of certificates will be tied to the contractual relationship status of the LIR with the RIPE NCC. In cases of continuing non-payment, cessation of contract and/or closing of the LIR, existing certificates may be revoked by the RIPE NCC. Notification and a grace period will be provided before the RIPE NCC revokes or ceases renewal of any certificates.
a. Arguments Supporting the Proposal
The RIPE Certification Task Force (CA-TF) was formed at RIPE 53 to advise, review and provide feedback about a certification system. More details about the CA-TF can be found at:
Since RIPE 53, the CA-TF has been looking at the system from several angles, such as its benefits and usefulness as well as the operational, business and policy implications that it may bring. As these issues were narrowed down for discussion, the CA-TF has reported to the community at regular intervals.
This proposal is a product of the work done by the CA-TF. The task force has studied possible policy implications and decided that a short initial policy would be useful as a guideline for a certification system for the RIPE community to discuss.
At this stage, a policy only for LIRs holding PA address space is proposed. The CA-TF believes that the system should cover PA resources initially, as this is the simplest case for the system. Once a policy for PA resources for LIRs has been discussed and the community has agreed on guidelines, the CA-TF will consider more complicated scenarios, such as PI address space and ERX and legacy address space. This phased development is also in line with the technical implementation of the system, as certificates for PA allocations will be the first real cases for the certification system when it launches. Certification of other resources will be implemented later on.
It is proposed that the validity of certificates is tied to the membership status of an LIR. This is in line with the other services that the RIPE NCC provides to its members. In order to minimise any operational impact caused by the revocation or non-renewal of certificates, a grace period will be incorporated into RIPE NCC procedures.
b. Arguments Opposing the Proposal