[Apologies for duplicate emails]
Dear colleagues,
Since the launch of the RIPE NCC resource certification (RPKI) system on
1 January 2011, more than 1,300 RIPE NCC members have requested a
resource certificate. Together, they have created statements about BGP
routing for over 3,000 prefixes, covering more than five /8 blocks.
Currently, this system is only applicable to Provider Aggregatable (PA)
address space held by RIPE NCC members.
The functionality that we most commonly receive requests for is to make
address space held by Provider Independent (PI) End Users eligible for
certification. During the RIPE 65 Meeting in Amsterdam, there were
discussions on this and the RIPE NCC Executive Board extensively
deliberated the issue. Based on these discussions, the Executive Board
now submits this proposal for consideration and discussion to you, the
RIPE NCC membership and the RIPE community.
One of the most important considerations when issuing a resource
certificate is that it be given to the legitimate holder of the address
space. This is fundamental to the reliability and trustworthiness of the
system and to the goal of making our registry as robust as possible.
To ensure that the resource certificate retains its authoritative value
over time, it is important that the RIPE NCC periodically verifies the
association between the resource and its holder. With our members, this
is a straightforward process because we have direct contact with them at
least once a year.
Under current RIPE Policy, PI End Users who are not RIPE NCC members
must have a contractual agreement with a sponsoring LIR (as detailed in
ripe-452). Periodic verification of the resource holder could be handled
by the sponsoring LIR.
Also note that the RIPE NCC cannot enter into any contractual agreement
with PI End Users, other than the "RIPE NCC Standard Service Agreement"
(ripe-435).
Therefore, the Executive Board proposes that PI End Users in the RIPE
NCC service region who want to certify their resources be given both of
the following two options:
1. Sign an agreement with their sponsoring LIR (a RIPE NCC member) to
have the resources certified by the RIPE NCC via the sponsoring LIR. In
this case, the sponsoring LIR would be responsible for periodically
verifying that the PI End User is the legitimate holder of the
resources. However, the RIPE NCC will in all cases be responsible for
issuing the resource certificate and providing access to the RPKI
management interface. Therefore, PI End Users should, at all times, be
able to change from one sponsoring LIR to another while still retaining
the same certificate for the resources that they hold.
The cost associated with this option lies in building a framework in the
LIR Portal to facilitate the process, some administrative overhead, and
the additional burden on the RPKI infrastructure, that would not be
funded by the direct beneficiary of the resource certification service.
These costs would come out of the general RIPE NCC budget and would
therefore be funded by all RIPE NCC members, however it is unlikely that
this would have any direct impact on future membership fees.
Alternatively a PI End User may choose to:
2. Become a RIPE NCC member, pay the full annual membership fee and
receive a certificate directly through the RIPE NCC.
The Executive Board feels that offering both of these options will
result in relatively little impact on membership fees while offering all
PI End Users the opportunity to certify their Internet number resources
without being forced to become a member of the RIPE NCC.
For the sake of completeness, we also present a third scenario discussed
by the Executive Board that would involve giving PI End Users that have
received resources through a sponsoring LIR the option to deal directly
with the RIPE NCC without becoming a RIPE NCC member or needing to make
contact with their sponsoring LIR. They could do this by authenticating
the relevant INETNUM object using their MNTNER, and supplying additional
information directly to the RIPE NCC (company registration papers,
business address details, contact email, etc.) on a periodic basis
(probably every 12-18 months). This option would not entail any fee or
contractual agreement for the PI End User.
However the Executive Board does not see this as a viable option, as the
amount of resources required to check the necessary supporting
documentation and other administrative overheads would be too large a
financial burden on the RIPE NCC membership. The lack of a
periodically-renewed contractual relationship with the PI End User,
while providing them this service, may also cause complications.
*IMPORTANT* Your opinions and feedback on this proposal are vital in
shaping a resource certification system that best suits your needs. We
encourage you to discuss this matter on the RIPE NCC members-discuss
mailing list. Following approximately six weeks of discussion (ending on
30 March 2013), the Executive Board will consider feedback from the list
and propose options on moving forward on this matter which will be
properly communicated.
Kind regards,
Axel Pawlik
Managing Director
RIPE NCC