Nothing is stopping the perpetrator of a BGP hijack as a result of a forged or otherwise illegitimate LOA from facing civil litigation as a result of revenue loss or other harm done.

This thread and others like it highlight that there is absolutely some negligence here and could very well find itself in an evidence pile at some point in the future.

So there IS liability, but the lack of solid precedent means that the bean counters can't assign a dollar amount to the risk associated with blindly accepting LOAs, and therefore it might as well not exist.

Someday, somebody will have the pants sued off them because they let their new customer hijack the hell out of a government entity, bank, oil company, etc. and we'll start to see better processes.

-Matt

On Mon, Apr 19, 2021 at 11:59 AM Sean Donelan <sean@donelan.com> wrote:

On Mon, 19 Apr 2021, Peter Beckman wrote:
> And while it would be nice if everyone "independently verified every LOA"
> the cost of doing so in the far-too-many edge cases is business-endingly
> high.

If carriers faced legal liability, with appropriate incentatives, I'd bet
they would solve the verification problem -- quickly, cheaply.

No liability -- no reason to solve the problem.