ARIN's RPKI Relying agreement

George, Wes at
Thu Dec 4 18:17:45 UTC 2014

>>On Thu, Dec 4, 2014 at 7:51 AM, Bill Woodcock <woody at> wrote:
>> > All the specific legal feedback I’ve heard is that this is a
>> > liability
>> > nightmare, and that everyone wants ARIN to take on all the
>> > liability, but
>> > nobody wants to pay for it.

WG] Has there been any actual discussion about how much "nobody" would
have to pay for ARIN (or another party) to fix the balance of liability
and provide a proper SLA that led to "no, I don't want to pay for that"
responses from those who are expressing the concern, or is this just
conjecture on your part? I know that despite being fairly vocal on the
matter, I've not been party to any such discussion, though I know that
ARIN fees and what services they provide for those fees is an ongoing
discussion in other forums.
The problem with free services is that often you get what you pay for when
it comes to support, warranty, etc. There are plenty of models where you
take something free, say FOSS, and then pay someone (Red Hat, ISC) to
support it in order to manage the risk associated with putting it in the
middle of your business-critical system. It gives you some determinism
about what happens when it breaks or you need a feature, and recourse when
it goes pear-shaped. I think there's room for discussion around how much
an SLA-backed RPKI service might be worth to its potential customers,
given its ability to either protect or badly break global routing.

On 12/4/14, 11:33 AM, "Jay Ashworth" <jra at> wrote:

>Lawyers believe that their job is to tell you what not to do.
>Their *actual job* is to tell where risks lie, so that you can make
>informed business decisions about which risks to take, and how to
>allow for them

WG] FWIW, I believe that my lawyers did their "actual" job. But as I said
in my presentation, the combination of technical fragility and liability
risk I incur if it breaks in a way that impacts my customers led me to
decide that I'm not yet willing to bet my continued gainful employment on
Route Origin Validation working well enough that the benefit of having it
outweighs the risks.
INAL, YMMV, void where prohibited, caveat lector, of course.
Fixing the liability issues certainly removes one barrier to entry, but
it's not the only one, and the technical issues are being worked in

Wes George

Anything below this line has been added by my company’s mail server, I
have no control over it.

This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.

More information about the NANOG mailing list