From ripencc-management at ripe.net Mon Feb 11 14:55:27 2013
From: ripencc-management at ripe.net (Axel Pawlik)
Date: Mon, 11 Feb 2013 14:55:27 +0100
Subject: [news] RPKI and PI End Users Proposal - Feedback Requested
Message-ID: <856266A8-169E-4E62-99DF-7583CEC547E3@ripe.net>

[Apologies for duplicate emails]

Dear colleagues,

Since the launch of the RIPE NCC resource certification (RPKI) system on 1 January 2011, more than 1,300 RIPE NCC members have requested a resource certificate. Together, they have created statements about BGP routing for over 3,000 prefixes, covering more than five /8 blocks.

Currently, this system is only applicable to Provider Aggregatable (PA) address space held by RIPE NCC members. The functionality that we most commonly receive requests for is to make address space held by Provider Independent (PI) End Users eligible for certification.

During the RIPE 65 Meeting in Amsterdam, there were discussions on this and the RIPE NCC Executive Board extensively deliberated the issue. Based on these discussions, the Executive Board now submits this proposal for consideration and discussion to you, the RIPE NCC membership and the RIPE community.

One of the most important considerations when issuing a resource certificate is that it be given to the legitimate holder of the address space. This is fundamental to the reliability and trustworthiness of the system and to the goal of making our registry as robust as possible.

To ensure that the resource certificate retains its authoritative value over time, it is important that the RIPE NCC periodically verifies the association between the resource and its holder. With our members, this is a straightforward process because we have direct contact with them at least once a year.

Under current RIPE Policy, PI End Users who are not RIPE NCC members must have a contractual agreement with a sponsoring LIR (as detailed in ripe-452).
Periodic verification of the resource holder could be handled by the sponsoring LIR. Also note that the RIPE NCC cannot enter into any contractual agreement with PI End Users, other than the "RIPE NCC Standard Service Agreement" (ripe-435).

Therefore, the Executive Board proposes that PI End Users in the RIPE NCC service region who want to certify their resources be given both of the following two options:

1. Sign an agreement with their sponsoring LIR (a RIPE NCC member) to have the resources certified by the RIPE NCC via the sponsoring LIR. In this case, the sponsoring LIR would be responsible for periodically verifying that the PI End User is the legitimate holder of the resources.

However, the RIPE NCC will in all cases be responsible for issuing the resource certificate and providing access to the RPKI management interface. Therefore, PI End Users should, at all times, be able to change from one sponsoring LIR to another while still retaining the same certificate for the resources that they hold.

The cost associated with this option lies in building a framework in the LIR Portal to facilitate the process, some administrative overhead, and the additional burden on the RPKI infrastructure, that would not be funded by the direct beneficiary of the resource certification service. These costs would come out of the general RIPE NCC budget and would therefore be funded by all RIPE NCC members, however it is unlikely that this would have any direct impact on future membership fees.

Alternatively a PI End User may choose to:

2. Become a RIPE NCC member, pay the full annual membership fee and receive a certificate directly through the RIPE NCC.

The Executive Board feels that offering both of these options will result in relatively little impact on membership fees while offering all PI End Users the opportunity to certify their Internet number resources without being forced to become a member of the RIPE NCC.

For the sake of completeness, we also present a third scenario discussed by the Executive Board that would involve giving PI End Users that have received resources through a sponsoring LIR the option to deal directly with the RIPE NCC without becoming a RIPE NCC member or needing to make contact with their sponsoring LIR. They could do this by authenticating the relevant INETNUM object using their MNTNER, and supplying additional information directly to the RIPE NCC (company registration papers, business address details, contact email, etc.) on a periodic basis (probably every 12-18 months). This option would not entail any fee or contractual agreement for the PI End User.

However the Executive Board does not see this as a viable option, as the amount of resources required to check the necessary supporting documentation and other administrative overheads would be too large a financial burden on the RIPE NCC membership. The lack of a periodically-renewed contractual relationship with the PI End User, while providing them this service, may also cause complications.

*IMPORTANT*

Your opinions and feedback on this proposal are vital in shaping a resource certification system that best suits your needs. We encourage you to discuss this matter on the RIPE NCC members-discuss mailing list. Following approximately six weeks of discussion (ending on 30 March 2013), the Executive Board will consider feedback from the list and propose options on moving forward on this matter which will be properly communicated.

Kind regards,

Axel Pawlik
Managing Director
RIPE NCC

From randy at psg.com Mon Feb 11 15:55:36 2013
From: randy at psg.com (Randy Bush)
Date: Mon, 11 Feb 2013 06:55:36 -0800
Subject: [news] RPKI and PI End Users Proposal - Feedback Requested
In-Reply-To: <856266A8-169E-4E62-99DF-7583CEC547E3@ripe.net>
References: <856266A8-169E-4E62-99DF-7583CEC547E3@ripe.net>
Message-ID:

other issues aside (am busy hacking) this seems to omit the equivalent of option 2.4 in 2012-07, to quote

    2.4 Option to engage directly with the RIPE NCC

    A Legacy Internet Resource Holder whose circumstances match those described in section 2.3 above, but cannot find a Sponsoring LIR with which a mutually satisfactory contract of the kind mentioned in that section, may opt to enter a non-member service contract with the RIPE NCC for the purposes of registering the Legacy Resources involved, subject to the conditions defined in Section 3 below.

randy