RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

Ronald F. Guilmette rfg at tristatelogic.com
Wed Aug 14 05:21:04 UTC 2019


In message <06570278-E1AD-4BB0-A9FC-11A77BED76E1 at arin.net>, 
John Curran <jcurran at arin.net> wrote:

>Even so, we at ARIN are in the midst of a Board-directed review of the RPKI
>legal framework to see if any improvements can be made
><https://www.arin.net/vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rpki.pdf> – I will
>provide further updates once it is completed.

This is an excellent presentation John, and I'm real glad to see that you
have done such a nice job on it and touched on all of the important points.

In particular, I'm glad that you clarified that if everyone is just doing
what they ought to be doing, i.e. following best practices, then even if
RPKI central and all of its sister satellites should all be simultaneously
hit by meteorites, then in theory at least, nobody should be any worse off
than they already are today.

And yes, I can't argue and won't argue that some folks aren't going to be
bozos and screw up their RPKI deployment, and then some of them -may-
possibly want to blame ARIN for -their- screw ups, but I continue to have
trouble envisioning how this would ever translate into a lawsuit that
wouldn't simply be laughed out of court in about five seconds if handled
properly.

Some arguably proximate historical analogs might be relevant here.

In the past, there have occasionally been problems when one or more of
the root name servers have been DDoSd or have otherwise had issues.
I don't recall anybody lining up to sue ICANN in those instances.

Spamhaus and other public anti-spam services publish their stuff to all
comers, without demanding indemnification.  Yes, they have been sued
from time to time, but none of that has ever resulted in any meaningful
damages, and if the company itself had just been more consistent in
obtaining sound legal advice, none of those events would even have been
all that bothersome.

So, what makes ARIN so special that it can't do what these others are doing
and just simply publish some information?  ARIN is in the State of Virginia
the last time I checked, and I do believe that the First Amendment still
applies in the State of Virginia, and indeed in all 50 states.  I mean it
isn't as if ARIN is going to go around yelling "Fire!" in a crowded theater
for God's sake!

So, you just slap a label on the whole bloody RPKI thing that says "Use at
your own risk" and that ought to do it, I think.  I understand that Steve
Ryan may not see it that way, but it's his job not to see it that way.
In practice, there is no need for -both- belt -and- suspenders.


Regards,
rfg


P.S.  Proactive failure testing (slide #15) is an excellent idea.  You could
and probably should fail the whole thing deliberately for 24 hours once a
year, just as a way of shaking the trees to see what idiots fall out.  It
would be like DNS Flag Day, on steroids.



