ARIN RPKI TAL deployment issues

Jared Mauch jared at puck.nether.net
Wed Sep 26 07:29:33 UTC 2018



> On Sep 26, 2018, at 3:13 AM, John Curran <jcurran at arin.net> wrote:
> 
> On 26 Sep 2018, at 2:09 AM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
>> 
>> (I'm going to regret posting this later, but...)
>> 
>> On Tue, Sep 25, 2018 at 10:57 PM John Curran <jcurran at arin.net> wrote:
>> 
>>> The significant difference for ARIN is that we operate under a different legal regime, and as a matter of US law, it appears that we cannot rely only upon terms and conditions published in our website as evidence of informed agreement; i.e. within the US legal framework, we need a specific act of acceptance in order to have a binding agreement.
>> 
>> how is ARIN's problem here different from that which 'Let's Encrypt' is facing with their Cert things?
> 
> Chris - 
> 
> The “Let’s Encrypt” subscriber agreement (current version 1.2, 15 Nov 2018) includes an “indemnify and hold harmless” clause, and parties affirmatively agree to those terms by requesting that ISRG issue a “Let’s Encrypt” certificate to you.
> 
> (I don’t know whether that process is particularly more or less onerous technically than the effort to download the ARIN TAL.) 

The process for Let’s Encrypt is fairly straightforward: it collects some minimal information (e.g. e-mail address, domain name) and then does all the voodoo necessary.  If ARIN were to make this request of the developers of RPKI software, it would seem reasonable to have that passed to ARIN via some API saying “bob at example.com” typed “Agree” to the ARIN TAL as part of the initial installation of the software.

For me, this is about the friction involved in making it work, and while the click-through page may not seem like a barrier, there are active measurements that demonstrate it is.  It may take time to communicate to the existing set of operators running RPKI validators that they are missing the ARIN TAL, but I would like to ensure that new deployments don’t make this same mistake.

I think this thread/communication is part of that.  “Don’t forget about the extra step for ARIN”.  It’s also “ARIN, please help make it easier to use your service”.

With Google Maps, etc., I may have to create an API key; it comes in multilingual systems with non-Roman alphabet support, etc.  Being part of this global ecosystem and running an RIR comes with some extra effort compared to running a corner mom & pop shop.  Our actions and decisions have global consequences for the safety and security of how your and my traffic is routed.

Please work with the developers for a suitable method to include the ARIN TAL by default.  Come up with the click-accept legalese necessary.

Since you asked, here’s what they did with the Certbot that’s commonly used by Let’s Encrypt:

    (The first time you run the command, it will make an account, and ask for an email and agreement to the Let’s Encrypt Subscriber Agreement; you can automate those with --email and --agree-tos)

    If you want to use a webserver that doesn’t have full plugin support yet, you can still use “standalone” or “webroot” plugins to obtain a certificate:

    ./certbot-auto certonly --standalone --email admin@example.com -d example.com -d www.example.com -d other.example.net

If you/ARIN could work closer with the developers of RPKI software to help make this happen that would be great.  If you need introductions, I’m happy to help make them.

- Jared
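As an added illustration of the gap Jared describes (validators deployed without the ARIN TAL), here is a small Python script that is not part of this thread or of any RPKI validator project. It parses the TAL files in a validator's TAL directory using the RFC 8630 layout (optional `#` comment lines, one or more rsync/https URIs, a blank line, the base64 subjectPublicKeyInfo), infers the issuing RIR from the domain of each TAL's URIs, and reports which RIR trust anchors are present and which are missing. The RIR-to-domain table, the sample TAL texts, their URI paths and the placeholder key are all constructed for this example and are not real trust anchor material.

```python
"""Audit a validator's TAL directory for the ARIN trust anchor.

Added example, not code from this thread or from any RPKI validator project.
A TAL (RFC 8630) is: optional '#' comment lines, one or more rsync:// or
https:// URIs, a blank line, then the base64-encoded subjectPublicKeyInfo.
"""
import base64
from pathlib import Path
from urllib.parse import urlparse

# Assumption for this example: the RIR that issued a TAL is inferred from the
# DNS domain of the TAL's URIs (each RIR publishes its TA under its own domain).
RIR_DOMAINS = {
    "arin.net": "ARIN",
    "ripe.net": "RIPE NCC",
    "apnic.net": "APNIC",
    "lacnic.net": "LACNIC",
    "afrinic.net": "AFRINIC",
}
ALL_RIRS = frozenset(RIR_DOMAINS.values())


def parse_tal(text):
    """Return (uris, spki_der) for one TAL; raise ValueError if it is malformed."""
    lines = text.splitlines()
    idx = 0
    while idx < len(lines) and lines[idx].startswith("#"):  # comment section
        idx += 1
    uris = []
    while idx < len(lines) and lines[idx].strip():          # URI section
        uri = lines[idx].strip()
        if urlparse(uri).scheme not in ("rsync", "https"):
            raise ValueError(f"unsupported TAL URI: {uri}")
        uris.append(uri)
        idx += 1
    if not uris:
        raise ValueError("TAL has no URI section")
    # Everything after the blank line is the key; it may be wrapped over lines.
    b64 = "".join(line.strip() for line in lines[idx:])
    if not b64:
        raise ValueError("TAL has no public key section")
    try:
        spki = base64.b64decode(b64, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        raise ValueError("TAL key is not valid base64") from exc
    if not spki or spki[0] != 0x30:    # subjectPublicKeyInfo is a DER SEQUENCE
        raise ValueError("TAL key is not a DER SEQUENCE")
    return uris, spki


def tal_rir(uris):
    """Map a TAL's URIs to an RIR name, or None if no known domain matches."""
    for uri in uris:
        host = (urlparse(uri).hostname or "").lower()
        for domain, rir in RIR_DOMAINS.items():
            if host == domain or host.endswith("." + domain):
                return rir
    return None


def audit_tals(tal_texts):
    """Given {filename: TAL text}, return (present, missing, errors)."""
    present, errors = {}, {}
    for name, text in tal_texts.items():
        try:
            uris, _ = parse_tal(text)
        except ValueError as exc:
            errors[name] = str(exc)
            continue
        rir = tal_rir(uris)
        if rir is not None:
            present[rir] = name
    missing = sorted(ALL_RIRS - set(present))
    return present, missing, errors


def load_tal_dir(path):
    """Read every *.tal file under a validator's TAL directory."""
    return {p.name: p.read_text() for p in sorted(Path(path).glob("*.tal"))}


# Constructed sample: four RIR TALs with a placeholder key (a DER SEQUENCE
# header around junk, NOT a real public key), one malformed file, no ARIN TAL.
PLACEHOLDER_KEY = base64.b64encode(b"\x30\x0b" + b"placeholder").decode()
SAMPLE_TALS = {
    "ripe-ncc.tal": "rsync://rpki.ripe.net/placeholder/ta.cer\n\n" + PLACEHOLDER_KEY + "\n",
    "apnic.tal": ("https://rpki.apnic.net/placeholder/ta.cer\n"
                  "rsync://rpki.apnic.net/placeholder/ta.cer\n\n" + PLACEHOLDER_KEY),
    "lacnic.tal": "rsync://rpki.lacnic.net/placeholder/ta.cer\n\n" + PLACEHOLDER_KEY,
    "afrinic.tal": "# constructed comment line\nrsync://rpki.afrinic.net/placeholder/ta.cer\n\n"
                   + PLACEHOLDER_KEY,
    "broken.tal": "rsync://rpki.example.net/ta.cer\n\nnot base64!!",
}

if __name__ == "__main__":
    import sys
    tals = load_tal_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TALS
    present, missing, errors = audit_tals(tals)
    for rir, name in sorted(present.items()):
        print(f"present : {rir:8s} ({name})")
    for name, err in errors.items():
        print(f"invalid : {name}: {err}")
    for rir in missing:
        hint = "  <- needs the separate ARIN click-through download" if rir == "ARIN" else ""
        print(f"MISSING : {rir}{hint}")
    sys.exit(1 if "ARIN" in missing else 0)
```

Run it with the path to a validator's TAL directory as the only argument; without an argument it audits the constructed sample and exits non-zero because the ARIN TAL is absent, which makes it usable as a post-install check in a deployment pipeline.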


More information about the NANOG mailing list