On Mon, 9 Jun 2003, Joe Abley wrote:
> The ISP in Toronto asked for an LOA, and got one, neatly presented on company letterhead, and accompanied by e-mail from the tech contact for the block confirming that the request to advertise the block was authorised.
>
> Is that enough justification to perform the announcement? Where exactly should the line be drawn?

Unfortunately, probably not. How do they know it was company letterhead? Had they ever seen the company's letterhead before? How do they know I didn't just create that LOA and letterhead in OpenOffice?

> Maybe some service akin to a credit check is required.
>
> "Hello, I have a request to accept an announcement of 203.97.0.0/17 from AS 4768."
> "That request is legitimate according to our records, here is your auth code."

Trouble is, how do you/they know if both the space and ASN have been hijacked?

> "Hello, my new customer with the following contact details has asked me to originate 203.167.0.0/18 from AS 9327."
> "We cannot confirm the legitimacy of that request, and the listed contact for 203.167.0.0/18 has been informed of your request."

The listed contact may not be who ARIN [or other local RIR] thinks it is.

> Since the RIRs contain the information required to answer those questions, you'd expect them (or their data) to be involved in the process of answering them.

They really don't. Thus far, when space is assigned, the RIRs have no way to later authenticate that an organization using the space is the same one that they assigned it to.

As for the current state of BGP authentication/sanity checking, I can say 2 of my 4 upstreams take whatever I put in the routing registry. The other two require an email be sent requesting prefix filter updates. I was just told by one, that they'll accept whatever I request, only questioning it if someone complains to them about it. The other, I haven't asked, but I assume they work similarly. On the bright side, all of them are at least filtering.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
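
The "credit check" lookup sketched in the quoted dialogue, as an added example that is not part of the original thread: it answers a (prefix, origin AS) request from a registry snapshot and lists which contacts to notify when it cannot confirm. The registry records, AS64500 and the example.net addresses are constructed placeholders; as the reply notes, the answer is only as good as the registry data behind it.

```python
import ipaddress

# Constructed registry snapshot in RPSL-like form (NOT real registry data).
# The two prefixes and AS4768 are the ones quoted in the thread; AS64500 and
# the example.net contacts are placeholders invented for this example.
REGISTRY = """\
route:   203.97.0.0/17
origin:  AS4768
notify:  noc@holder-a.example.net

route:   203.167.0.0/18
origin:  AS64500
notify:  noc@holder-b.example.net
"""

def parse_routes(text):
    """Parse blank-line-separated route objects into a list of dicts."""
    routes = []
    for block in text.strip().split("\n\n"):
        obj = dict(line.split(":", 1) for line in block.splitlines())
        obj = {k.strip(): v.strip() for k, v in obj.items()}
        routes.append({
            "net": ipaddress.ip_network(obj["route"]),
            "origin": int(obj["origin"][2:]),   # drop the "AS" prefix
            "notify": obj["notify"],
        })
    return routes

def check_request(routes, prefix, asn):
    """Return (confirmed, contacts_to_notify) for 'originate prefix from asn'."""
    net = ipaddress.ip_network(prefix)
    # Registered objects that equal or cover the requested prefix. Accepting
    # covered more-specifics is a policy choice made for this example.
    covering = [r for r in routes
                if r["net"].version == net.version and net.subnet_of(r["net"])]
    if any(r["origin"] == asn for r in covering):
        return True, []
    # Origin does not match the records: do not confirm, and inform every
    # listed contact for the covering space, as in the second quoted exchange.
    return False, sorted({r["notify"] for r in covering})

if __name__ == "__main__":
    routes = parse_routes(REGISTRY)
    for prefix, asn in [("203.97.0.0/17", 4768), ("203.167.0.0/18", 9327)]:
        print(prefix, f"AS{asn}", check_request(routes, prefix, asn))
```

A prefix with no covering record comes back unconfirmed with nobody to notify, which is the case the lookup cannot help with at all.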