Re: ARIN's RPKI Relying agreement

["George, Wes" <wesley.george () twcable com>]

> > On Thu, Dec 4, 2014 at 7:51 AM, Bill Woodcock <woody () pch net> wrote:
>
> > > All the specific legal feedback I’ve heard is that this is a
> > > liability
> > > nightmare, and that everyone wants ARIN to take on all the
> > > liability, but
> > > nobody wants to pay for it.

WG] Has there been any actual discussion about how much "nobody" would
have to pay for ARIN (or another party) to fix the balance of liability
and provide a proper SLA that led to "no, I don't want to pay for that"
responses from those who are expressing the concern, or is this just
conjecture on your part? I know that despite being fairly vocal on the
matter, I've not been party to any such discussion, though I know that
ARIN fees and what services they provide for those fees is an ongoing
discussion in other forums.
The problem with free services is that often you get what you pay for when
it comes to support, warranty, etc. There are plenty of models where you
take something free, say FOSS, and then pay someone (Red Hat, ISC) to
support it in order to manage the risk associated with putting it in the
middle of your business-critical system. It gives you some determinism
about what happens when it breaks or you need a feature, and recourse when
it goes pear-shaped. I think there's room for discussion around how much
an SLA-backed RPKI service might be worth to its potential customers,
given its ability to either protect or badly break global routing.


On 12/4/14, 11:33 AM, "Jay Ashworth" <jra () baylink com> wrote:


> Lawyers believe that their job is to tell you what not to do.
>
> Their *actual job* is to tell where risks lie, so that you can make
> informed business decisions about which risks to take, and how to
> allow for them

WG] FWIW, I believe that my lawyers did their "actual" job. But as I said
in my presentation, the combination of technical fragility and liability
risk I incur if it breaks in a way that impacts my customers led me to
decide that I'm not yet willing to bet my continued gainful employment on
Route Origin Validation working well enough that the benefit of having it
outweighs the risks.
INAL, YMMV, void where prohibited, caveat lector, of course.
Fixing the liability issues certainly removes one barrier to entry, but
it's not the only one, and the technical issues are being worked in
parallel.


Wes George


Anything below this line has been added by my company’s mail server, I
have no control over it.
-----------


This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, 
confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the 
individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby 
notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments 
to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the 
sender immediately and permanently delete the original and any copy of this E-mail and any printout.