You're ARIN a laugh: Critical internet org accused of undercutting security over legal fears

Analysis A key internet infrastructure organization is undercutting efforts to make the internet more secure by insisting ISPs accept a legal agreement before using a security framework, critics charge.

The org in question – US-based regional internet registry ARIN – argues that under American law, it has to have people consciously accept its terms and conditions for them to be legally binding. ARIN is worried that the kerfuffle could end up at the end of countless lawsuits if ISPs rely too heavily on this security framework and end up cutting off subscribers if its service goes down or awry.

At the heart of the issue is a relatively new system, known as Resource Public Key Infrastructure (RPKI), which was developed by the global regional internet registries (RIRs) that are responsible for overseeing and allocating IP addresses.

RPKI allows ISPs to compare their internet routing tables with validated routes known to ARIN and the other RIRs. If there is a conflict – in that, an unexpected and non-validated route for internet traffic opens up – then either someone has misconfigured their network, or they are purposefully misrepresenting themselves online, possibly to intercept or block packets.

The idea is to stop these kinds of BGP hijacks or misconfigurations, which can lead to netizens' connections running through slow links, into black holes, or through eavesdropping devices. With trusted entities, such as ARIN, maintaining a set of validated routes, this misdirection can be avoided.

We're simplifying it here for the sake of brevity: it involves cryptographic keys and signatures to check network routes. There's more background info here, though we hope you get the gist.

If it is configured correctly, RPKI will act as a flag to ISPs that something is wrong and so improve overall internet security. But if misconfigured, and an ISP's connectivity relies upon the RPKI system, the broadband provider risks cutting off its users entirely if the service breaks: something that is almost certain to happen at some point.

As such, ARIN is insisting on a legal agreement that effectively shifts liability for misconfiguration onto ISPs. And that has caused ISPs to worry about using the service, slowing adoption. As soon as someone is required to sign a legal agreement, especially in the US, they send it to the lawyers to look at and this has opened up a purely technical service to a much broader corporate review.

Open-source advocates were also furious with the legal agreement requirement as they argued it would hinder the automatic deployment of the system. ARIN says it's possible to automatically agree to the requirements when downloading and installing the materials necessary to use the RPKI framework.

Adoption

The end result of ARIN’s stance is that adoption of RPKI in North America is lower than other regions, and that has created a knock-on impact where ISPs are not signing up to the framework because others haven’t. Of the roughly 50,000 ISPs worldwide, only around 2,000 are currently signed up to the framework.

Earlier this month, in the face of widespread criticism and an in-depth report [PDF] into the issue, ARIN revised its “relying party agreement” (RPA) in order to “accommodate and overcome claimed barriers to RPKI adoption.”

It made it easier to share information with third parties, and reduced blanket liability terms to deal with the concerns of ISPs’ lawyers: “The RPA’s indemnification clause has been more narrowly scoped to exclude the indemnification of possible ARIN misconduct,” it explains.

But ARIN is sticking to its position that whoever uses the framework has to actively agree to its terms and conditions before using it.

Critics point out that the other RIRs have no such requirement, and the idea of having to agree to legal notices is highly unusual in the internet infrastructure world. ARIN has even privately admitted that the legal risk is currently quite low given limited uptake of the service.

But it is expected in the next few years that adoption will become widespread and with that, at least from ARIN’s perspective, so does the legal risk. It’s a chicken-and-egg situation.

In an effort to highlight what he sees as the ludicrousness of the situation, one internet architect – Job Snijders of giant telco NTT and a developer with free and open-source OpenBSD operating system – has produced a video demonstrating that you can download and run all kinds of internet software, including security add-ons like DNSSEC, without having to agree to terms and conditions.

Not moving

But ARIN’s CEO John Curran told The Register that the legal risk is simply too high in the US, land of the lawsuit, for it not to insist on a conscious agreement to its terms and conditions.

Curran told us in a statement: “ARIN has diligently worked to improve access to our RPKI services, as demonstrated by our recent Relying Party Agreement (RPA) update reflecting community suggestions.

"We do require the acceptance of ARIN’s RPA so that there are clear terms for access to these services, but note that includes allowing software installers that want to automatically handle that aspect to prompt for acceptance of the terms (as is common practice in the industry.) I note that approach is already being used by some routing validation software packages to access the ARIN RPKI repository quite successfully.”

There is a bigger picture: the internet was famously designed without built-in security and we have been playing catch-up ever since. A series of new and updated protocols – including SSL/TLS and DNS-over-HTTPS (DoH), among others – are changing how the internet works and who decides how it functions.

For example, ISPs are very unhappy with how DoH wraps DNS in encryption, preventing them from snooping on or manipulating it. And ARIN is worried that by hosting a service used to validate routing decisions, it could end up being held responsible when people are suddenly knocked offline.

The internet’s relationship to legal liability is changing – as made clear by pressure to revise Section 230 of the Communications Decency Act that would lift blanket protections on companies like Facebook for what their users’ post online.

The era of a safer, more responsible, and more secure internet is upon us. But no one wants to be held responsible for getting from where we are to where we want to be. ®