ARIN RPKI services terms/conditions - Change to Management of the Trust Anchor Locator for ARIN’s RPKI Service

NANOGers -

Changes in terms and conditions for ARIN’s RPKI service – more specifically being
changes in ARIN’s Relying Party Agreement terms and related Trust Anchor Locator
management approach – see the attached announcement for details.

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers

Hello John,

> NANOGers -
>
> Changes in terms and conditions for ARIN's RPKI service – more specifically being
> changes in ARIN’s Relying Party Agreement terms and related Trust Anchor Locator
> management approach – see the attached announcement for details.

Considering that RP vendors and operators globally are hopefully using
the ARIN TAL and not everybody is a native English-speaking lawyer,
can we simplify this a little further?

There appears to already be a disparity between different
interpretations regarding this change.

Here [1] an RP vendor claims "no additional steps are needed to use
the @TeamARIN TAL" (just like every other TAL).
Somebody else [2] appears to disagree.

The new section 9 appears to mandate that RP software checks to
confirm that the user has accepted the RPA (or other agreements with
those terms passed through, "at least as protective of ARIN").

So let's put this in pseudocode for RP developers:

Previously, a setup/install helper could ask the user if ARIN RPA has
been agreed to, and in that case, download the ARIN TAL (487 byte
sized as of today).

Now a setup/install helper could ask the user if ARIN RPA has been
agreed to, and in that case, enable the use of the ARIN TAL which can
now be shipped with the product.

Can an RP validator ship and use the ARIN TAL by default, without
additional steps and confirmations by the user?

If not, what is the actual benefit of this change, other than the 487
byte download of the TAL file not being necessary any more?

Which issues of the 2019 paper "Lowering Legal Barriers to RPKI
Adoption" [3] in your opinion does this change address?

Thank you,

Lukas Tribus

[1] https://twitter.com/routinator3000/status/1574637298838376449
[2] https://twitter.com/sthen_/status/1574704553219571712
[3] Christopher S. Yoo and David A. Wishnick, "Lowering Legal Barriers to RPKI Adoption", SSRN

Yes: the intent is that an RP validator may ship and use the ARIN TAL by default.

If that is not clear in the revised RPA, then the RPA agreement will be updated again for clarity.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

* jcurran@arin.net (John Curran) [Tue 27 Sep 2022, 13:26 CEST]:

> Yes: the intent is that an RP validator may ship and use the ARIN TAL by default.
> If that is not clear in the revised RPA, then the RPA agreement will be updated again for clarity.

I feel like you're just gaslighting us at this point.

"You have passed through terms that are at least as protective of ARIN ... via browse-wrap, clickwrap [...] for which such third party is legally obligated to said terms."

So, no, software developers cannot ship and use the ARIN TAL by default, which means without having to interrupt an installation process with a question about Articles 5, 6, and 7 and Sections 8(a), 8(b), and 8(f) of the ARIN RPA.

Why can't ARIN just grant distribution and use for any purpose rights like the other RIRs?

  -- Niels.

Hi John,

It's clear enough from section 9 that an RP validator may NOT ship and
use the ARIN TAL without first adopting as its own the basic
brokenness of ARIN's legal process around the TAL. This change looks to
me like a swing and a miss.

Understand John, open source software operates on a license tender
basis. The user is presumed to have accepted the license contract on
the basis of their lack of authority to have made a copy any other
way. Placing additional restrictions is a poison pill.

Regards,
Bill Herrin

>> Yes: the intent is that an RP validator may ship and use the ARIN TAL by default.
>> If that is not clear in the revised RPA, then the RPA agreement will be updated again for clarity.
>
> I feel like you’re just gaslighting us at this point.

You suggest gaslighting by ARIN as a result of us indicating that if the RPA is unclear, it will be
corrected? That’s an interesting interpretation – I could certainly understand a gaslighting concern
if ARIN said “it’s fine and don’t worry about the words; it means what it means”, but rather we are
acknowledging the language may still remain unclear and need to be promptly addressed.

> Why can’t ARIN just grant distribution and use for any purpose rights like the other RIRs?

Not quite "use for any purpose”; for example – RIPE NCC - "Users shall be permitted to download the Repository and to access and use the data contained therein, only in order to validate Certificates, CRLs and RPKI-signed objects. Download of the Repository, access to or use of the data contained therein for any other purpose, including but not limited to identification purposes, advertising, direct marketing, marketing research or similar purposes, is strictly forbidden."

However, your point is taken and ARIN shall endeavor to make terms and conditions for use
of the TAL and the ARIN repository clearer in this regard.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

> However, your point is taken and ARIN shall endeavor to make terms and conditions for use
> of the TAL and the ARIN repository clearer in this regard.

As alluded to above, the attached ARIN announcement from today notes that the ARIN RPA has now
been updated (again) specifically to improve its clarity regarding the ability to distribute the ARIN TAL.

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers

> However, your point is taken and ARIN shall endeavor to make terms and
> conditions for use of the TAL and the ARIN repository clearer in this
> regard.
>
> As alluded to above, the attached ARIN announcement from today notes
> that the ARIN RPA has now been updated (again) specifically to improve
> its clarity regarding the ability to distribute the ARIN TAL.

so carefully worded

the following is a binary question. yes or no, please

  may i include the arin tal in my software product with neither i nor
  the user of the product being encumbered, signing anything, ... as
  with the other RIRs?

randy

Randy -

  Yes.

  From the revised RPA - "Notwithstanding the foregoing, You are specifically allowed to publicly distribute the ARIN TAL, including by embedding the ARIN TAL in relying party software;”

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

>> may i include the arin tal in my software product with neither i nor
>> the user of the product being encumbered, signing anything, ... as
>> with the other RIRs?
>
> Yes.

excellent. thank you.

[ and arin might ask itself why and how it took O(decade) to come to
  this simple position; just in case there are other mis-matches between
  arin's positions and community needs ]

randy

>> may i include the arin tal in my software product with neither i nor
>> the user of the product being encumbered, signing anything, … as
>> with the other RIRs?
>
> Randy -
>
> Yes.
>
> From the revised RPA - "Notwithstanding the foregoing, You are specifically allowed to publicly distribute the ARIN TAL, including by embedding the ARIN TAL in relying party software;”

Randy -

Note that “as with the other RIRs” may be a key element of your question, since users
of the other RIRs’ RPKI repositories are also subject to the relevant terms and conditions
(e.g. “RIPE NCC Certification Repository Terms and Conditions”, https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/legal/ripe-ncc-certification-repository-terms-and-conditions). To the extent that you rely on ARIN’s RPA to provide the right to publicly
distribute the TAL, you are also subject to its terms and conditions. I don’t particularly
consider being subject to the terms and conditions of a service that you choose as
making one “encumbered”, but for avoidance of doubt figured I should point that out.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

Randy -

     It’s actually not a simple position at all, but a rather complicated set of
     tradeoffs that the organization has to consider (and periodically review
     based on changing conditions) by the Board of Trustees. Even now
     there are significant differences in RPKI approaches among the RIRs,
     and that’s to be expected given the different legal environments in which
     each operates.

     Note also there’s a variety of views in the community on nearly any topic,
     but ultimately the members have to elect those whose judgment they trust
     to the Board if they wish to have outcomes that they trust – as it is the
     trustees who have the fiduciary duty to the organization and its community.

     ARIN has recently been reviewing quite a bit of customer-facing legal
     agreements based on current conditions, and the results include both an
     updated RPA, and also the recently announced update to the RSA/LRSA
     (New ARIN Registration Services Agreement - American Registry for Internet Numbers). If you have further
     suggestions for items you’d like reviewed, please drop me an email (or
     submit into the ARIN Consultation and Suggestion process if you want
     formal tracking - ARIN Consultation and Suggestion Process - American Registry for Internet Numbers)

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

>> may i include the arin tal in my software product with neither i nor
>> the user of the product being encumbered, signing anything, ... as
>> with the other RIRs?
> Yes.

excellent. thank you.

[ and arin might ask itself why and how it took O(decade) to come to
  this simple position; just in case there are other mis-matches between
  arin's positions and community needs ]

Randy, did you sign the RPA?

I did not sign the RPA.
Am I allowed to use rpki software like this?
And am I in any way restricted in the use of the produced work below
from this RP software?

rpki-client -t /etc/rpki/arin.tal -d /tmp/a /tmp

rpki-client: https://rpki.sailx.co/rrdp/notification.xml: TLS handshake: certificate verification failed: certificate has expired
rpki-client: https://rpki.sailx.co/rrdp/notification.xml: load from network failed, fallback to rsync
rpki-client: rpki-rps.arin.net/repository/8a848adf8143bf6201823bd454752be6/0/267181B0A5DD38D60BCC22881342C64FFC8CBC1F.mft: no valid mft available
rpki-client: rpki-rps.arin.net/repository/8a848ade7fb71aa9017fdd9c5dd324c7/0/EB1DD8AA3E2B6864E06379C751DBFFFCC6418350.mft: no valid mft available
rpki-client: rpki-rps.arin.net/repository/8a848ade7fb71aa901800003287f4402/0/2BF7605B8927C87448B3B294A8B61D8E983248E0.mft: no valid mft available
rpki-client: rpki-rps.arin.net/repository/8a848adf7fb722e9017ffead9f534ac5/0/BFA2750976CA07F56A68976B0F01EB862F17C3B3.mft: no valid mft available
openrsync: warning: connect timeout: 208.82.103.214, rpki.sailx.co
openrsync: error: cannot connect to host: rpki.sailx.co
rpki-client: rsync rsync://rpki.sailx.co/repo failed
rpki-client: .rsync/rpki.sailx.co/repo: load from network failed, fallback to cache
rpki-client: rpki.sailx.co/repo/Sail-Internet-Inc/0/DFC5509768EA587E638D20680032E0FF122BD25A.mft: no valid mft available
Processing time 202 seconds (54 seconds user, 30 seconds system)
Skiplist entries: 0
Route Origin Authorizations: 56644 (0 failed parse, 0 invalid)
AS Provider Attestations: 0 (0 failed parse, 0 invalid)
BGPsec Router Certificates: 0
Certificates: 2878 (0 invalid)
Trust Anchor Locators: 1 (0 invalid)
Manifests: 2878 (5 failed parse, 0 stale)
Certificate revocation lists: 2873
Ghostbuster records: 0
Repositories: 16
Cleanup: removed 0 files, 2900 directories, 580 superfluous
VRP Entries: 81311 (75592 unique)
VAP Entries: 0 (0 unique)

# Processing time 202 seconds (54s user, 30s system)
# Route Origin Authorizations: 56644 (0 failed parse, 0 invalid)
# BGPsec Router Certificates: 0
# Certificates: 2878 (0 invalid)
# Trust Anchor Locators: 1 (0 invalid) [ /etc/rpki/arin.tal ]
# Manifests: 2878 (5 failed parse, 0 stale)
# Certificate revocation lists: 2873
# Ghostbuster records: 0
# Repositories: 16
# VRP Entries: 81311 (75592 unique)
roa-set {
  3.0.0.0/15 source-as 16509 expires 1664683200
  3.0.0.0/15 source-as 38895 expires 1664683200
  3.0.0.0/10 maxlen 24 source-as 8987 expires 1664683200
  3.0.0.0/10 maxlen 24 source-as 14618 expires 1664683200
  3.0.0.0/10 maxlen 24 source-as 16509 expires 1664683200
  3.2.1.0/24 source-as 16509 expires 1664683200
  3.3.5.0/24 source-as 7224 expires 1664683200
  3.4.1.0/24 source-as 7224 expires 1664683200
  3.4.2.0/24 source-as 7224 expires 1664683200
  3.4.4.0/24 source-as 7224 expires 1664683200
  3.33.48.0/20 maxlen 24 source-as 7224 expires 1664683200
  3.64.0.0/10 maxlen 24 source-as 8987 expires 1664683200
  3.64.0.0/10 maxlen 24 source-as 14618 expires 1664683200
  3.64.0.0/10 maxlen 24 source-as 16509 expires 1664683200
  3.112.0.0/14 source-as 16509 expires 1664683200
  3.128.0.0/10 maxlen 24 source-as 8987 expires 1664683200
  3.128.0.0/10 maxlen 24 source-as 14618 expires 1664683200
  3.128.0.0/10 maxlen 24 source-as 16509 expires 1664683200
  3.192.0.0/10 maxlen 24 source-as 8987 expires 1664683200
  3.192.0.0/10 maxlen 24 source-as 14618 expires 1664683200
  3.192.0.0/10 maxlen 24 source-as 16509 expires 1664683200
  4.128.0.0/12 source-as 8075 expires 1664769600
  4.144.0.0/12 source-as 8075 expires 1664769600
  4.160.0.0/12 source-as 8075 expires 1664769600
  4.176.0.0/12 source-as 8075 expires 1664769600
  4.192.0.0/12 source-as 8075 expires 1664769600
  4.208.0.0/12 source-as 8075 expires 1664769600
  4.224.0.0/12 source-as 8075 expires 1664769600
  4.240.0.0/12 source-as 8075 expires 1664769600
  8.2.120.0/24 source-as 20473 expires 1664683200
  8.2.121.0/24 source-as 20473 expires 1664683200
  8.2.122.0/24 source-as 20473 expires 1664683200
  8.3.29.0/24 source-as 20473 expires 1664683200
  8.6.8.0/24 source-as 20473 expires 1664683200
  8.6.193.0/24 source-as 20473 expires 1664683200
  8.7.233.0/24 source-as 20473 expires 1664683200
  8.8.4.0/24 source-as 15169 expires 1664683200
  8.8.8.0/24 source-as 15169 expires 1664683200
...
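The roa-set text above is rpki-client's bgpd-format VRP output. As an added example that is not part of the thread or of rpki-client, the following Python parses a few of those lines (copied from the output above) into VRPs, drops entries past their `expires` timestamp, and applies RFC 6811 route origin validation to an announced prefix/origin pair.

```python
# Added example (not from the thread or rpki-client): parse rpki-client's
# bgpd-format "roa-set" output into VRPs and run RFC 6811 origin validation.
import ipaddress
import re

# Constructed sample: three lines copied from the roa-set shown in the thread.
ROA_SET = """roa-set {
  3.0.0.0/15 source-as 16509 expires 1664683200
  3.0.0.0/10 maxlen 24 source-as 8987 expires 1664683200
  8.8.8.0/24 source-as 15169 expires 1664683200
}
"""

# One VRP line: prefix, optional "maxlen N", "source-as N", optional "expires T".
VRP_RE = re.compile(
    r"^\s*(?P<prefix>\S+)(?:\s+maxlen\s+(?P<maxlen>\d+))?"
    r"\s+source-as\s+(?P<asn>\d+)(?:\s+expires\s+(?P<exp>\d+))?\s*$"
)


def parse_roa_set(text, now=None):
    """Return a list of (network, maxlen, asn); drop expired VRPs when `now` is given."""
    vrps = []
    for line in text.splitlines():
        m = VRP_RE.match(line)
        if not m:
            continue  # skips "roa-set {", "}" and the "# ..." header comments
        net = ipaddress.ip_network(m["prefix"])
        maxlen = int(m["maxlen"]) if m["maxlen"] else net.prefixlen
        if now is not None and m["exp"] and int(m["exp"]) <= now:
            continue  # stale VRP: rpki-client stamps each entry with its expiry
        vrps.append((net, maxlen, int(m["asn"])))
    return vrps


def validate(vrps, prefix, origin_as):
    """RFC 6811: 'valid', 'invalid' or 'not-found' for an announced prefix/origin."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v[0].version == route.version and route.subnet_of(v[0])]
    if not covering:
        return "not-found"  # no VRP covers the route at all
    for net, maxlen, asn in covering:
        if asn == origin_as and route.prefixlen <= maxlen:
            return "valid"
    return "invalid"  # covered, but wrong origin AS or longer than maxlen
```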

> Randy, did you sign the RPA?

you're kidding, right?

> I did not sign the RPA.
> Am I allowed to use rpki software like this?
> And am I in any way restricted in the use of the produced work below
> from this RP software?

i am not a lawyer and do not play one on the net

randy