Software installation tools retrieving ARIN TAL (was: Re: ARIN RPKI TAL deployment issues)

Job Snijders job at ntt.net
Sat Oct 13 13:48:17 UTC 2018


Dear John,

I'd like to thank you and the ARIN team for these efforts - in doing so
I feel that ARIN recognises issues & concerns related to the
distribution of the ARIN RPKI TAL. Acknowledging a problem is the first
step to solving it!

On Sat, Oct 13, 2018 at 09:35:36AM -0400, John Curran wrote:
> On 25 Sep 2018, at 3:34 PM, Job Snijders <job at ntt.net> wrote:
> > ...
> > What I'm hoping for is that there is a way for the ARIN TAL to be
> > included in software distributions, without compromising ARIN's
> > legal position.
> > 
> > Perhaps an exception for software distributors would already go a
> > long way?
> 
> While not exactly what you seek, we can get a bit closer to the goal –
> i.e. by eliminating the need for the user installing a software
> package to first go get the ARIN TAL and put it in the right place
> prior to running the installation software. 
> 
> To that end, the ARIN TAL page
> https://www.arin.net/resources/rpki/tal.html has been revised with
> specific guidance –
> 
> 	Software Installation Tools
> 
> 	Software installation tools may download the ARIN TAL on behalf of a
> 	user after the user has confirmed their acceptance of the ARIN
> 	Relying Party Agreement (RPA) on the ARIN website.  This acceptance
> 	must require "agreement to the ARIN Relying Party Agreement
> 	(https://www.arin.net/resources/rpki/rpa.pdf)" and obtain a
> 	non-ambiguous affirmative action by clicking on, or the entry of, a
> 	word of agreement (such as  "yes" or "accept")
> 
> Example: Attention: This package requires the download of the ARIN TAL
> and agreement to the ARIN Relying Party Agreement (RPA)
> (https://www.arin.net/resources/rpki/rpa.pdf). Type "yes" to agree,
> and you can proceed with the ARIN TAL download: yes

In this approach I still observe an institutional barrier. If we take
DNSSEC as an analogous concept, when installing & starting BIND, unbound,
NSD, knot, Microsoft DNS, or PowerDNS, no affirmative actions are
required.

It is also not clear to me how, in the context of fully automated
installation & deployment, the paradigm of 'non-ambiguous affirmative
action' can exist. If we instruct orchestration software to say 'yes' to
whatever questions pop up, what does that actually mean? It certainly no
longer adheres to the spirit of whatever it is that ARIN seeks.

Lastly - having to download a file ('requiring specific network
connectivity') in the context of installation & deployment is always
inferior compared to bundling all required pieces into coherent software
packages.

> We will continue to explore mechanisms for making ARIN’s RPKI
> repository more accessible to the community, but felt that this
> interim step could be accomplished promptly and was worth noting in a
> timely manner to those distributing RPKI software.

Yes - please do. Providing guidance to software distributors does not
change some of the challenging contents of the RPA, nor does it address
the fundamental institutional barrier that separates the ARIN TAL from
the other RIR TALs.

Kind regards,

Job


