[ncc-services-wg] Resource Certification for non-RIPE NCC Members

Hi Erik, Community,

a couple of general comments before potentially going into details on the
Services WG.

Whether we need a formal "policy" or just an agreement (amongst the members
of the NCC) to a Service Description and a review of the CPS as maintained
by the NCC is a sideline issue, imho.


For now using the framework of the PDP maybe useful and appropriate.


I concur with other comments already, that - at the moment - there is, and
probably shouldn't be - a different colour related to PA, PI, ERX, v4, v6,
you name it. So, whatever we come up with should be "the same", technically.


Looking at the proposed text for discussion, I sense a mindset of "the NCC is
the sole source of the Certificates". This may be reasonable for those paries,
which do have a direct Service Contract with the NCC (Direct End User, Legacy).

For all the others, there is - or structurally, will be - a managed foodchain
and Hierarchy.

This may be
° the path of NCC - LIR for PA (v4+v6) - assignments, or
° the path of NCC - LIR - contract for DER (Direct Enduser Resources).

In the end we SHOULD, imo, structure the service definition *and* the
implementation to be congruent to this structe. I.e. the LIRs SHOULD be the
parties issuing the certificates for those resources which are held by their
users/customers, and for which there is a contract.

Trying to bypass the LIRs and/or messing around with some sort of backdoor
structure for cert.creation, and "verification" by the NCC, would become
messy. We (my team) DO have real life experience, that such a disjunct and
artificial mechanism is a pain, and a source for inconsistencies.


And, last but not least, in order to potentially, in the (near?) future,
overcome the "single point of failure thing" (that we are creating now by
building a "proper" tree structure!), removing any and all notion of the
Service Region would have my *strong* support. Not just because it will be
difficult to find a proper definition of "reside within", but more so because
it would open the chance to actually acquire certificates from more than one
"root", aka CA.

These multiple roots/CAs could either (preferably?) be the set of RIRs, but
other parties as well. This would take away most of my worries and reservation
related to the proliferation of the RPKI.

Sorry for the long text ;-)
Wilfried.

Erik Bais wrote:

> Dear community members of the AP – WG and the NCC Services WG, 
> 
> As you may have seen, I’ve created a policy proposal to ask the RIPE NCC to
> allow Resource Certification for non-RIPE NCC member resource holders. (IXP
> / Legacy space and PI space holders)  
> 
> Currently we are in the phase:  Discussion – Open for discussion 
> 
> And I would like to invite you to the service wg mail list for your support
> for this policy and a discussion on wording of the policy. 
> For those that are not subscribed to the NCC Services mail-list -=>
> http://www.ripe.net/mailman/listinfo/ncc-services-wg/ 
> 
> During the creation of the policy I made a small error in the intention to
> limit the policy to entities in the RIPE NCC service region and the policy
> currently states:
> 
> • The Internet resources reside within the RIPE NCC service region
> 
> I’ll update this in the review phase. I’m not sure yet if we need to skip
> that part entirely or change it to the actual intention. 
> 
> Your input and stated support on the NCC Services WG mail list would be
> highly appreciated. 
> 
> Kind regards,
> Erik Bais 
> 
> Link to the policy proposal:
> https://www.ripe.net/ripe/policies/proposals/2013-04 
> 
>