netsec-sig - [Security-WG] Email sent to UPenn Law Clinic
Subject: Internet2 Network Security SIG
List archive
- From: Andrew Gallo <>
- To:
- Subject: [Security-WG] Email sent to UPenn Law Clinic
- Date: Thu, 12 Dec 2019 13:51:13 -0600
Greetings:
Yesterday, I mentioned that I reached out to the team that wrote the RPKI legal analysis released earlier this year (https://scholarship.law.upenn.edu/faculty_scholarship/2035/)
Below is the email I sent to gauge interest in a similar review concerning issues around the RSA.
Greetings, Chris & David:
Hope all is well with you.
I had a thought I wanted to run by you and get your thoughts....
The analysis "Lowering Legal Barriers to RPKI Adoption" did an excellent
job of reviewing the topic of RPKI and why adoption in the ARIN region
lags behind others.
I think there is additional, and more fundamental work, that would be
helpful to our community. Specifically, a document that can bridge the
gap between network engineering/operations and institutional legal staff
and decision makers.
I have a hypothesis that the issue of whether or not to sign the Legacy
Registration Services Agreement isn't being discussed because, in many
cases, institutions either aren't aware of the issue, or those that are
don't know how to start the discussion.
Nothing in day-to-day network operations requires an agreement with
ARIN. At this point, RPKI is a nice-to-have feature. So, technical
staff aren't going to raise the issue. IT senior management, and
certainly institutional legal staff, probably aren't even aware of the LRSA.
Further, I don't think many network engineers have common language
approach legal staff to begin a review to make a decision (positive or
negative) concerning the LRSA.
I think it would be useful to have a neutral third party that has
expertise in technical law and policy answer the following:
What internet number resources (IP/IPv6, ASN) are.
- How are the procured/assigned?
- What is ARIN?
- How did ARIN's creation affect number resources?
- What does "legacy resource" mean?
- Are number resources intellectual property? Does a legacy holder 'own' number resources?
- Is there any case law around number resources, especially relating to having signed or not signed an agreement with ARIN?
- What are the impacts of signing the LRSA?
- Can someone (ARIN or otherwise) "take" number resources from a legacy holder?
- Can someone (ARIN or otherwise) "take" number resources from a if they're under an active agreement?
- What about indemnification?
I don't envision this document would make any recommendations, rather,
it would provide the background information so that an institution can
make its own decision.
Is this something your center at UPenn is interested in or could help with?
Thank you.
Hope all is well with you.
I had a thought I wanted to run by you and get your thoughts....
The analysis "Lowering Legal Barriers to RPKI Adoption" did an excellent
job of reviewing the topic of RPKI and why adoption in the ARIN region
lags behind others.
I think there is additional, and more fundamental work, that would be
helpful to our community. Specifically, a document that can bridge the
gap between network engineering/operations and institutional legal staff
and decision makers.
I have a hypothesis that the issue of whether or not to sign the Legacy
Registration Services Agreement isn't being discussed because, in many
cases, institutions either aren't aware of the issue, or those that are
don't know how to start the discussion.
Nothing in day-to-day network operations requires an agreement with
ARIN. At this point, RPKI is a nice-to-have feature. So, technical
staff aren't going to raise the issue. IT senior management, and
certainly institutional legal staff, probably aren't even aware of the LRSA.
Further, I don't think many network engineers have common language
approach legal staff to begin a review to make a decision (positive or
negative) concerning the LRSA.
I think it would be useful to have a neutral third party that has
expertise in technical law and policy answer the following:
What internet number resources (IP/IPv6, ASN) are.
- How are the procured/assigned?
- What is ARIN?
- How did ARIN's creation affect number resources?
- What does "legacy resource" mean?
- Are number resources intellectual property? Does a legacy holder 'own' number resources?
- Is there any case law around number resources, especially relating to having signed or not signed an agreement with ARIN?
- What are the impacts of signing the LRSA?
- Can someone (ARIN or otherwise) "take" number resources from a legacy holder?
- Can someone (ARIN or otherwise) "take" number resources from a if they're under an active agreement?
- What about indemnification?
I don't envision this document would make any recommendations, rather,
it would provide the background information so that an institution can
make its own decision.
Is this something your center at UPenn is interested in or could help with?
Thank you.
- [Security-WG] Email sent to UPenn Law Clinic, Andrew Gallo, 12/12/2019
Archive powered by MHonArc 2.6.19.