On Mon, Feb 26, 2024 at 1:20 PM Joe via NANOG <nanog@nanog.org> wrote:
One thing that I recently read on this mailing list, is that at least in the US, a transmitting a fraudulent LOA is a federal crime - wire fraud. [0] Being able to hopefully charge and convict someone performing fraud is a useful deterrent.
This would be just as true of an Emailed declaration signed with the sender's name or other digital representation of a signature. If there is a fraudulent scheme, then deliberately providing a false emailed declaration of authorization just as criminal. My suggestion would be that a LOA should only ever be used as a Supportive document, it could be used for that, and Verifying the data using IRR or RPKI after would still be necessary. An LOA on its own should never be enough. An LOA can still be Incorrect or Wrong due to a Typo'd ASN or IP number, but Not fraudulent. And even if the information is deliberately wrong it might not meet the conditions for fraud. It is also possible the sender of the LOA can send an erroneous document and have No legal responsibility for the results of incorrectly including some IP or AS number on the form. Surely a network service provider must have some level of duty to verify the authenticity of information furnished on the LOAs and confirm that the IP numbers are Not incorrectly entered, for example clerical errors in processing the document.
-joe -- -J