Resource Certification for non-RIPE NCC Members
This proposal intends to allow the RIPE NCC to issue resource certificates for non-members, such as Provider Independent End Users and Legacy address space holders, who reside in the RIPE NCC Service Region.
Summary of Proposal
Currently, the RIPE NCC Resource Certification (RPKI) service is only available for RIPE NCC members. This proposal intends to allow the RIPE NCC to issue resource certificates for non-members, such as Provider Independent End Users and Legacy address space holders, who reside in the RIPE NCC Service Region.
New policy text
[Following text will result in a new RIPE Policy Document “Policy for Resource Certification for non-RIPE NCC Members”, if the proposal reaches consensus]
This policy allows the RIPE NCC to issue resource certificates for non-RIPE NCC members such as Provider Independent (PI) End Users and Legacy Address Space holders.
2.0 Certification of resources held by non-RIPE NCC members
When requested, the RIPE NCC will issue a certificate for Internet resources held by non-RIPE NCC member organisations, provided that:
- The organisation proves that they are the legitimate holder of the resources
- The Internet resources are registered in the RIPE registry.
In order to be eligible for resource certification, PI End Users must comply with the RIPE policy “Contractual Requirements for Provider Independent Resource Holders in the RIPE NCC Service Region”. The contract with the sponsoring LIR must be verified and approved by the RIPE NCC.
PI End Users can optionally have their sponsoring LIR act as an intermediary in this process.
This document is developed by the RIPE community.
The following people actively contributed by making proposals through the RIPE Policy Development Process:
Arguments supporting the proposal
Resource Certification (RPKI) – and specifically the BGP Origin Validation functionality that it provides – is only a viable solution if all address space that falls under the authority of the RIR can be covered by a certificate and a Route Origin Authorisation (ROA). A partial implementation is as useful in the real world as no implementation at all.
As it stands, around 9000 address space holders in the RIPE NCC service region can make use of the functionality that RPKI currently offers, while about 18,000 other resource holders who are not members cannot.
Arguments opposing the proposal
Resource Certification could be regarded as a member-only service. This means every address space holder in the RIPE NCC service region who wishes to use the Resource Certification service should become a RIPE NCC member.
However, there are known cases where, for instance, current PI holders can’t enter into a member agreement with the RIPE NCC, which would exclude them from using Resource Certification.
In order to provide additional information related to the proposal, details of an impact analysis carried out by the RIPE NCC are documented below. The projections presented in this analysis are based on existing data and should be viewed only as an indication of the possible impact that the policy might have if the proposal is accepted and implemented.
A. RIPE NCC's Understanding of the Proposed Policy
It is the RIPE NCC’s understanding that if the policy proposal is accepted, non-RIPE NCC members will be granted access to the RIPE NCC Certification (RPKI) service.
“Non-RIPE NCC members” are understood to be:
- Provider Independent (PI) End Users
- Legacy address space holders
B. Impact of Policy on Registry and Addressing System
Address/Internet Number Resource Consumption:
C. Impact of Policy on RIPE NCC Operations/Services
In order for the RIPE NCC to provide access to the RIPE NCC Certification (RPKI) service to non-members, the RIPE NCC will need to develop a solution where the following informational elements are cross-referenced with each other:
- The authoritative control over the address space (i.e. the ability to authenticate against the relevant objects in the RIPE Database)
- The End User Assignment Agreement that was submitted and verified by the RIPE NCC
- The RIPE NCC Access credentials for accessing the certification management interface
Depending on the requirements of the Community, building an implementation would take four to twelve weeks. If the proposal is accepted, the implementation options will be put forward to the community for guidance. The basic functionality for non-members with Provider Independent address space would allow these End Users to request a resource certificate through their sponsoring LIR. They could then either manage the resource certificate and related Route Origin Authorisation (ROA) objects themselves, or delegate this task to their sponsoring LIR. This would cost the least amount of time to implement.
A more sophisticated implementation would allow PI End Users to request a resource certificate directly from the RIPE NCC, without needing to go through their sponsoring LIR. This, along with the functionality to facilitate random periodic audits or verification of every application, would result in higher implementation and running costs for the RIPE NCC.
The RIPE community is currently engaged in separate policy discussions to determine RIPE NCC services to legacy resource holders. The implementation options for legacy holders will depend on the outcome of these discussions.
D. Legal Impact of Policy
The proposal allows the RIPE NCC to provide access to the RIPE NCC Certification (RPKI) service to non-members upon request.
Resources Eligible for Certification
The proposal gives two examples of non-members:
- Provider Independent (PI) End Users
- Legacy address space holders
The proposal therefore looks at specific resources, rather than whether the non-member has an account with the RIPE NCC. Because of this, if the proposal is accepted, the RIPE NCC will be able to issue certificates for PI and legacy resources held by both members and non-members, subject to the RIPE NCC Activity Plan.
Before being provided with certification, non-members must meet the following preconditions:
- They must prove they are the legitimate holder of the resources that are to be certified
- The resources to be certified must be registered in the RIPE registry
PI End Users must additionally comply with the RIPE Policy “Contractual Requirements for Provider Independent Resource Holders in the RIPE NCC Service Region”.
If this proposal becomes policy, the RIPE NCC will have to revise the RIPE NCC Certification Service Terms and Conditions so that they apply to non-members, and will have to amend the appropriate RIPE NCC procedural documents to reflect this change.
Although the proposal does not provide any further requirements for legacy holders, the RIPE community is currently involved in policy discussions to regulate the services the RIPE NCC provides to legacy resource holders (as mentioned above). This, and other future discussions, could lead to one or more new policies that would define the requirements for legacy holders to be provided with certification. If the proposal is accepted, it may be affected when the RIPE NCC takes into account the requirements set by any future policies relating to legacy holders.