Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] LRSA

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] LRSA


Chronological Thread 
  • From: David Farmer <>
  • To:
  • Subject: Re: [Security-WG] LRSA
  • Date: Tue, 16 Apr 2019 20:24:28 -0500

RPKI, ROAs, and the RPA are different issues from the LRSA, but to sign ROAs for Legacy space you will need to sign the LRSA, in particular, a current RSA.

UMN signed the LRSA several years ago, I have not tackled updating our RSA and LRSA to a version that would allow us to sign ROAs, neither have I tackled the RPA yet. But I don't think there are fundamental issues for us, we already indemnify ARIN to the extent permissible by Minnesota Law.

The problem as I see it, is networks outside the ARIN region without any relationship with ARIN. If you have resources from ARIN you are already indemnifying ARIN or for government entities you indemnify ARIN to the extent allowed by the laws applicable to you. However, ARIN's current stance on the RPA creates a serious issue for networks outside our region, in order to protect us inside the region they need to indemnify ARIN, many are choosing not to and I'm not sure I blame them. If things were the other way around, I'm not sure I could convince my institution to indemnify RIPE under Dutch law, to protect networks in the RIPE region.

On Mon, Apr 15, 2019 at 8:51 PM Adair Thaxton <> wrote:
Dave: I think at the last TechEx, you were representing one of several
universities who have had legal concerns with the ARIN agreements that
have prohibited you from creating ROAs.  (I may be misphrasing that...)
Has your university's legal team found a way to move forward?  If so,
are you able to speak to that, or does your text below describe the
resolution reached?

More generally speaking, it is, of course, difficult to proscribe action
for our members that could have different legal ramifications in
different states.  We've heard for about a year now that the team of
compulawyers at Penn are working with ARIN to try to get some of these
roadblocks removed, but as with anything involving lawyers, it's slow
going.  That's why the "mini-step towards MANRS" that the WG decided on
at Global Summit was for institutions to run Spoofer.

Internet2 is investigating the possibility of standing up our own
validator service.  Last status I heard on that was we were waiting for
the lawyers to deal with ARIN's RPA so that we could provide information
to our members about their validation status.  To that end, we've thrown
some spaghetti at the wall, and... now we have a bunch of walls covered
in spaghetti.

Problem Statement #1: Many universities, and their lawyers, do not want
to sign ROAs with ARIN.  How can Internet2 help resolve this?  (Ideally,
without progressing to forming our own CA to complement ARIN in the .edu
space.)

Problem Statement #2: Getting ROAs signed and distributed and in the
right places can be a tall order.  What resources, outside of whois
queries and IRR Explorer, are helpful to show information to campus
admins about their RPKI status?  For our experts, what checklists,
web-based tutorials, and youtubes would you recommend to assist people
who are unfamiliar with RPKI to get them to a solid foundation?  What
resources could Internet2 add to help?

Problem Statement #3: What would you have us do with ROV?  AT&T is
dropping invalids - but there are two types of invalids, one where the
announcement comes from the incorrect AS (bad!) and one where there's a
more specific announcement than is currently covered by ROAs (perhaps
not malicious - maybe you've shifted this traffic to a DDoS mitigation
provider, but since ROA data is only published ~4 times a day, it could
be a while til the new ROA is valid, and in the meantime we'd just be
completing the DDoS).  I should note that when I asked AT&T's lead (a
week after they began dropping traffic) about DDoS mitigations causing
invalids, he said he hadn't yet heard of any problems being caused by
ROV, but it could happen.

Problem Statement #4: We all agree Internet2 could / should do
"something".  Narrowing down "something" to "these things" is harder,
though, especially taking into account the breadth of our membership.
What specific steps can we take to assist in this important and
necessary major undertaking?

We do have a Wiki space -
https://spaces.at.internet2.edu/display/RPKI/RPKI+Home - and Andrew has
made some contributions there in the past.  I would strongly encourage
those of you with experience in the RPKI process to contribute any
resources and information you can to help our other institutions feel a
bit more comfortable with it.

Grover and I are the RPKI / ROV project leads for Internet2.  If there's
anything you would like us to include or consider, please let us know,
on-list or off.

Hearts,
Adair





On 4/15/19 6:27 PM, David Farmer wrote:
>
>
> On Mon, Apr 15, 2019 at 4:36 PM Eldon Koyle <
> <mailto:>> wrote:
>
>     Just one problem with Internet2 requiring RPKI:  We are
>     unable/unwilling to sign an LRSA for our legacy resources with ARIN
>     because of the "No property rights" clause.  I don't have any
>     problems paying the fees or abiding by the rules... signing away our
>     rights without getting much of anything in return is not going to
>     fly with management (or myself, for that matter).  I suspect we are
>     not the only university in this situation.  No (L)RSA means no RPKI.
>
>
>     --
>
>     Eldon
>
>
> What rights do you think you are signing away? I would like to
> understand your reasoning.
>
> The following is something I prepared for someone who asked me if they
> should sign an LRSA. However, I note I'm not a lawyer and you should
> talk to one before signing any contract;
>
>     My recommendation is; if the only documentation for the allocation
>     or assignment for legacy IPv4 or ASN resources you have exists the
>     ARIN database (Whois), then you probably want to contractually bind
>     ARIN to keep those resources in their database and allocated or
>     assigned to you. Meaning if you don't have, or can't find, the
>     original documentation (letters or emails) making the assignments to
>     you.
>
>     Effectively this is what the LRSA does, it is a contract with ARIN
>     that recognizes that you are the legitimate resources holder for
>     those resources, with commitments from ARIN regarding those resources.
>
>     This is what some people don't like about the contract;
>
>         7. NO PROPERTY RIGHTS
>
>
>         Holder acknowledges and agrees that: (a) the Included Number
>         Resources are not property (real, personal, or
>
>         intellectual) of Holder; (b) Holder does not and will not have
>         or acquire any property rights in or to Included Number
>
>         Resources by virtue of this Agreement; (c) Holder will not
>         attempt, directly or indirectly, to obtain or assert any
>
>         patent, trademark, service mark or copyright in any number
>         resources in the United States or any other country; and
>
>         (d) Holder will transfer or receive Included Number Resources in
>         accordance with the Policies.
>
>
>     But in the contract ARIN grants the following rights;
>
>         2. CONDITIONS OF SERVICE
>
>         ...
>
>         (b) Provision of Services and Rights. Subject to Holder’s
>         on-going compliance with its obligations under the
>
>         Service Terms, including, without limitation, the payment of the
>         fees (as set forth in Section 4), ARIN shall (i)
>
>         provide the Services to Holder in accordance with the Service
>         Terms and (ii) grant to Holder the following
>
>         specified rights:
>
>
>         (1) The exclusive right to be the registrant of the Included
>         Number Resources within the ARIN database;
>
>         (2) The right to use the Included Number Resources within the
>         ARIN database; and
>
>         (3) The right to transfer the registration of the Included
>         Number Resources pursuant to the Policies.
>
>
>         Holder acknowledges that other registrants with ARIN have rights
>         that intersect or otherwise impact Holder’s
>
>         rights and/or use of the Included Number Resources, including,
>         but not limited to, other registrants benefiting
>
>         from visibility into the public portions of registrations of the
>         Included Number Resources as further described in
>
>         the Policies.
>
>
>     By the contract, you are granted certain exclusive rights to use
>     your numbers. However, others have certain non-exclusive rights to
>     use your numbers too; others have the right to use your numbers to
>     address traffic to you, they have the right to expect your numbers
>     to be registered in the database accurately, and they have the right
>     to expect you to follow the policies for our region.
>
>     This is different than property (real, personal, or intellectual);
>     property is a thing that you have or can have exclusive control
>     over, meaning you can exclude others use of it. However, for
>     Internet number resources, if the others don't have rights to use
>     your resources in certain ways, and further, if you don't have
>     rights to use their resources in certain ways, and if we all aren't
>     bound to follow the same policies, the Internet just doesn't work.
>     So basically, Internet number resources aren't property, at least,
>     real, personal, or intellectual property.
>
>     In my opinion, the people that are objecting to #7 above, don't want
>     to be bound by the same policies as everyone else, they think they
>     have some property right that means they don't have to follow the
>     policies established by the Internet community in our region. This
>     kind of thinking risks breaking the Internet.
>
>     So, I can't come up with good reasons not to sign the LRSA and there
>     are several compelling reasons to sign it, especially if you can't
>     find the original documentation for your assignments or allocations.
>
>
> Thanks
>
> --
> ===============================================
> David Farmer <mailto:>
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================


--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================



Archive powered by MHonArc 2.6.19.

Top of Page