Internet2 Network Security SIG

[Adair Thaxton <>]

Dave: I think at the last TechEx, you were representing one of several 
universities who have had legal concerns with the ARIN agreements that 
have prohibited you from creating ROAs.  (I may be misphrasing that...) 
Has your university's legal team found a way to move forward?  If so, 
are you able to speak to that, or does your text below describe the 
resolution reached?

More generally speaking, it is, of course, difficult to proscribe action 
for our members that could have different legal ramifications in 
different states.  We've heard for about a year now that the team of 
compulawyers at Penn are working with ARIN to try to get some of these 
roadblocks removed, but as with anything involving lawyers, it's slow 
going.  That's why the "mini-step towards MANRS" that the WG decided on 
at Global Summit was for institutions to run Spoofer.

Internet2 is investigating the possibility of standing up our own 
validator service.  Last status I heard on that was we were waiting for 
the lawyers to deal with ARIN's RPA so that we could provide information 
to our members about their validation status.  To that end, we've thrown 
some spaghetti at the wall, and... now we have a bunch of walls covered 
in spaghetti.

Problem Statement #1: Many universities, and their lawyers, do not want 
to sign ROAs with ARIN.  How can Internet2 help resolve this?  (Ideally, 
without progressing to forming our own CA to complement ARIN in the .edu 
space.)

Problem Statement #2: Getting ROAs signed and distributed and in the 
right places can be a tall order.  What resources, outside of whois 
queries and IRR Explorer, are helpful to show information to campus 
admins about their RPKI status?  For our experts, what checklists, 
web-based tutorials, and youtubes would you recommend to assist people 
who are unfamiliar with RPKI to get them to a solid foundation?  What 
resources could Internet2 add to help?

Problem Statement #3: What would you have us do with ROV?  AT&T is 
dropping invalids - but there are two types of invalids, one where the 
announcement comes from the incorrect AS (bad!) and one where there's a 
more specific announcement than is currently covered by ROAs (perhaps 
not malicious - maybe you've shifted this traffic to a DDoS mitigation 
provider, but since ROA data is only published ~4 times a day, it could 
be a while til the new ROA is valid, and in the meantime we'd just be 
completing the DDoS).  I should note that when I asked AT&T's lead (a 
week after they began dropping traffic) about DDoS mitigations causing 
invalids, he said he hadn't yet heard of any problems being caused by 
ROV, but it could happen.

Problem Statement #4: We all agree Internet2 could / should do 
"something".  Narrowing down "something" to "these things" is harder, 
though, especially taking into account the breadth of our membership. 
What specific steps can we take to assist in this important and 
necessary major undertaking?

We do have a Wiki space - 
https://spaces.at.internet2.edu/display/RPKI/RPKI+Home - and Andrew has 
made some contributions there in the past.  I would strongly encourage 
those of you with experience in the RPKI process to contribute any 
resources and information you can to help our other institutions feel a 
bit more comfortable with it.

Grover and I are the RPKI / ROV project leads for Internet2.  If there's 
anything you would like us to include or consider, please let us know, 
on-list or off.

Hearts,
Adair





On 4/15/19 6:27 PM, David Farmer wrote:
> 
> 
> On Mon, Apr 15, 2019 at 4:36 PM Eldon Koyle < 
> <>> wrote:
> 
>     Just one problem with Internet2 requiring RPKI:  We are
>     unable/unwilling to sign an LRSA for our legacy resources with ARIN
>     because of the "No property rights" clause.  I don't have any
>     problems paying the fees or abiding by the rules... signing away our
>     rights without getting much of anything in return is not going to
>     fly with management (or myself, for that matter).  I suspect we are
>     not the only university in this situation.  No (L)RSA means no RPKI.
> 
> 
>     -- 
> 
>     Eldon
> 
> 
> What rights do you think you are signing away? I would like to 
> understand your reasoning.
> 
> The following is something I prepared for someone who asked me if they 
> should sign an LRSA. However, I note I'm not a lawyer and you should 
> talk to one before signing any contract;
> 
>     My recommendation is; if the only documentation for the allocation
>     or assignment for legacy IPv4 or ASN resources you have exists the
>     ARIN database (Whois), then you probably want to contractually bind
>     ARIN to keep those resources in their database and allocated or
>     assigned to you. Meaning if you don't have, or can't find, the
>     original documentation (letters or emails) making the assignments to
>     you.
> 
>     Effectively this is what the LRSA does, it is a contract with ARIN
>     that recognizes that you are the legitimate resources holder for
>     those resources, with commitments from ARIN regarding those resources.
> 
>     This is what some people don't like about the contract;
> 
>         7. NO PROPERTY RIGHTS
> 
> 
>         Holder acknowledges and agrees that: (a) the Included Number
>         Resources are not property (real, personal, or
> 
>         intellectual) of Holder; (b) Holder does not and will not have
>         or acquire any property rights in or to Included Number
> 
>         Resources by virtue of this Agreement; (c) Holder will not
>         attempt, directly or indirectly, to obtain or assert any
> 
>         patent, trademark, service mark or copyright in any number
>         resources in the United States or any other country; and
> 
>         (d) Holder will transfer or receive Included Number Resources in
>         accordance with the Policies.
> 
> 
>     But in the contract ARIN grants the following rights;
> 
>         2. CONDITIONS OF SERVICE
> 
>         ...
> 
>         (b) Provision of Services and Rights. Subject to Holder’s
>         on-going compliance with its obligations under the
> 
>         Service Terms, including, without limitation, the payment of the
>         fees (as set forth in Section 4), ARIN shall (i)
> 
>         provide the Services to Holder in accordance with the Service
>         Terms and (ii) grant to Holder the following
> 
>         specified rights:
> 
> 
>         (1) The exclusive right to be the registrant of the Included
>         Number Resources within the ARIN database;
> 
>         (2) The right to use the Included Number Resources within the
>         ARIN database; and
> 
>         (3) The right to transfer the registration of the Included
>         Number Resources pursuant to the Policies.
> 
> 
>         Holder acknowledges that other registrants with ARIN have rights
>         that intersect or otherwise impact Holder’s
> 
>         rights and/or use of the Included Number Resources, including,
>         but not limited to, other registrants benefiting
> 
>         from visibility into the public portions of registrations of the
>         Included Number Resources as further described in
> 
>         the Policies.
> 
> 
>     By the contract, you are granted certain exclusive rights to use
>     your numbers. However, others have certain non-exclusive rights to
>     use your numbers too; others have the right to use your numbers to
>     address traffic to you, they have the right to expect your numbers
>     to be registered in the database accurately, and they have the right
>     to expect you to follow the policies for our region.
> 
>     This is different than property (real, personal, or intellectual);
>     property is a thing that you have or can have exclusive control
>     over, meaning you can exclude others use of it. However, for
>     Internet number resources, if the others don't have rights to use
>     your resources in certain ways, and further, if you don't have
>     rights to use their resources in certain ways, and if we all aren't
>     bound to follow the same policies, the Internet just doesn't work.
>     So basically, Internet number resources aren't property, at least,
>     real, personal, or intellectual property.
> 
>     In my opinion, the people that are objecting to #7 above, don't want
>     to be bound by the same policies as everyone else, they think they
>     have some property right that means they don't have to follow the
>     policies established by the Internet community in our region. This
>     kind of thinking risks breaking the Internet.
> 
>     So, I can't come up with good reasons not to sign the LRSA and there
>     are several compelling reasons to sign it, especially if you can't
>     find the original documentation for your assignments or allocations. 
> 
> 
> Thanks
> 
> -- 
> ===============================================
> David Farmer Email: <>
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================