I would insist that this customer get with the RIR and resolve ownership of the account and prove that they did so. I would leave the burden on the RIR to figure out who is the rightful owner and not make any changes until that is done. Do you have a record of what the RIR account contact was when you began announcing the block? The fact that the requester has the RIR account and the email of the account contact makes me wonder if your customer did not renew with the RIR or something else that caused them to lose ownership of the net block. I could see this happen during an acquisition or change of ownership of a company or entity. I would give the customer a short period of time to open a dispute with the RIR and then hold the changes until the RIR makes a determination. I think that protects you from a legal perspective more than deciding on your own. Of course, keep a good record of all communications on this subject especially with the RIR, this could get ugly. Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Sean Pedersen Sent: Tuesday, March 13, 2018 9:23 AM To: nanog@nanog.org Subject: RE: Proof of ownership; when someone demands you remove a prefix
In this case we defaulted to trusting our customer and their LOA over a stranger on the Internet and asked our customer to review the request. >Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't the actual assignee. A means to definitively prove "ownership" from a >technical angle would be great.
In the example provided in my original e-mail, it appears that an IP broker or related scammer gained access to the assignee's RIR account and made >some object updates (e-mail, country, etc.) that they could use to "prove" they had authority to make the request. I assume their offer of proof would >have been to send us an email from the dubious @yahoo.com account they had listed as the admin contact.
I agree with a private response that I received that at some point lawyers probably need to take over if a technical solution to verification is not >reached.
I'm not terribly current on resource certification, but would RPKI play a role here? It looks like its application is limited to authenticating the >announcement of resources to prevent route hijacking. If you've authorized a 3rd party to announce your routes, could you assign a certificate to that >3rd party for a specific resource and then revoke it if they are no longer authorized? Would it matter if someone gains access to your RIR/LIR account >and revokes the certificate? This would assume protocol compatibility, that everyone is using it, etc.