Overcoming Legal Barriers to RPKI Adoption
Talk Title | Overcoming Legal Barriers to RPKI Adoption |
Speakers | David Wishnick, University of Pennsylvania, Christopher Yoo |
Conference | NANOG74 |
Location | Vancouver, BC, Canada |
Date | Oct 1 2018 - Oct 3 2018 |
URL | Talk Page |
Slides | Talk Slides |
Video | Talk Video |
To increase routing security, governance bodies have encouraged adoption of the Resource Public Key Infrastructure (“RPKI”). Despite this encouragement, adoption rates are low, especially in North America. Our talk will present research into the hypothesis—widespread in the network operator community—that legal issues pose barriers to adoption. We will describe barriers highlighted by dozens of interviewees within the network operator community. We will describe how RPKI adoption typically proceeds within organizational context and discuss how law affects network engineers' options. We will break the barriers into two groups. The first will deal with access to RPKI informational repositories to support route-filtering. We will offer relatively jargon-free background on the legal framework governing access to RPKI repositories and advance five proposals for reform:
- The American Registry for Internet Numbers (“ARIN”) should consider removing the indemnification clause from its RPKI Relying Party Agreement (“RPA”). (However, contrary to the wishes of some members of the network operator community, it is reasonable for ARIN to maintain its RPA, in general.)
- ARIN should consider altering its RPA’s prohibited conduct clause to enable broader research and analysis.
- ARIN should consider revising that clause to enable transmission of machine-readable information to downstream parties for real-time routing.
- The network operator community should publicize ARIN’s policy of dropping indemnification and choice-of-law clauses for certain government entities.
- ARIN should consider publicizing concrete plans regarding RPKI service delivery.

Our second group of barriers concerns access to RPKI private keys. We will describe and discuss them in detail. Centrally, we will propose that ARIN should consider enabling legacy holders to access private keys through a “non-member” services agreement that decouples the controversial issue of IP address space property rights from access to RPKI private keys.