LoA (Letter of Authorization) for Prefix Filter Modification?
Recently, one of our Transit providers has started requiring a Letter of Authorization for addition of any of our own Transit customers' prefixes to their filters. The verbiage of the LoA basically states that the owner of the assignment or allocation (not necessarily our customer) allows us to advertise their prefixes through our service. Is this a common practice? Our past experience indicates that a simple request to a NOC or update of a routing registry usually is sufficient. Regards, Mauricio Rodriguez FPL Fibernet, LLC
On Tue, 16 Sep 2008, Rodriguez, Mauricio wrote:
Recently, one of our Transit providers has started requiring a Letter of Authorization for addition of any of our own Transit customers' prefixes to their filters. The verbiage of the LoA basically states that the owner of the assignment or allocation (not necessarily our customer) allows us to advertise their prefixes through our service.
Is this a common practice? Our past experience indicates that a simple request to a NOC or update of a routing registry usually is sufficient.
It's not unheard of. Most providers don't require it, but I have run into a few who do. It's a minor PITA compared to the web interfaces some providers make you use to request filter updates. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
I dont mind, i think it is another good step towards 'good filtering' but...i think the PITA part is downstream 'clueless' customers, who may need an explanation on prefix hijacking and the state of the internet today, and that these are all just combined efforts to minimize the risk of accepting allocations that don't belong to you. Christian On Tue, Sep 16, 2008 at 9:56 AM, Jon Lewis <jlewis@lewis.org> wrote:
On Tue, 16 Sep 2008, Rodriguez, Mauricio wrote:
Recently, one of our Transit providers has started requiring a Letter of Authorization for addition of any of our own Transit customers' prefixes to their filters. The verbiage of the LoA basically states that the owner of the assignment or allocation (not necessarily our customer) allows us to advertise their prefixes through our service.
Is this a common practice? Our past experience indicates that a simple request to a NOC or update of a routing registry usually is sufficient.
It's not unheard of. Most providers don't require it, but I have run into a few who do. It's a minor PITA compared to the web interfaces some providers make you use to request filter updates.
---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Tue, 16 Sep 2008, Christian Koch wrote:
I dont mind, i think it is another good step towards 'good filtering' but...i think the PITA part is downstream 'clueless' customers, who may need an explanation on prefix hijacking and the state of the internet today, and that these are all just combined efforts to minimize the risk of accepting allocations that don't belong to you.
IMO, it's just an illusion of added security and is really just CYA for the provider. When I fax TWTelecom an LOA that a customer faxed to me, how does TWTelecom verify the authenticity of that LOA? I doubt they try. I suspect it's just filed, and will only be pulled out if the advertisement is challenged by some 3rd party. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
good point... :) On Tue, Sep 16, 2008 at 10:24 AM, Jon Lewis <jlewis@lewis.org> wrote:
On Tue, 16 Sep 2008, Christian Koch wrote:
I dont mind, i think it is another good step towards 'good filtering' but...i think the PITA part is downstream 'clueless' customers, who may need an explanation on prefix hijacking and the state of the internet today, and that these are all just combined efforts to minimize the risk of accepting allocations that don't belong to you.
IMO, it's just an illusion of added security and is really just CYA for the provider. When I fax TWTelecom an LOA that a customer faxed to me, how does TWTelecom verify the authenticity of that LOA? I doubt they try. I suspect it's just filed, and will only be pulled out if the advertisement is challenged by some 3rd party.
---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Tue, 16 Sep 2008, Christian Koch wrote:
I dont mind, i think it is another good step towards 'good filtering' but...i think the PITA part is downstream 'clueless' customers, who may need an explanation on prefix hijacking and the state of the internet today, and that these are all just combined efforts to minimize the risk of accepting allocations that don't belong to you.
IMO, it's just an illusion of added security and is really just CYA for the provider. When I fax TWTelecom an LOA that a customer faxed to me, how does TWTelecom verify the authenticity of that LOA? I doubt they try. I suspect it's just filed, and will only be pulled out if the advertisement is challenged by some 3rd party.
How do you verify the authenticity of anything? This is a common problem in the Real World, and is hardly limited to LoA's. How do you prove that what was on Pages 1 to (N-1) of an N page contract contained the words you think they said? I knew a guy, back in the early days, who habitually changed the SLA's in his contracts so that he could cancel a contract for virtually no reason at all ... the folly of mailing around contracts as .doc files in e-mail. But even failing that, it's pretty trivial to reprint a document, so where do you stop, do you use special paper, special ink, watermarking of documents, initial each page, all of the above, etc? Look at what people are willing to go through with paper checks to increase the chances of authenticity. Google Abagnale. The real world already has ways of dealing with fraud and forgery, and while the paper is certainly CYA for the provider, it does provide an actual trail back that can probably be followed to some party. To refer to it as an "illusion" is only vaguely true. It is an illusion in that it will not prevent all cases of hijacking. Of course. However, it is another step that makes it significantly more difficult for someone to just start announcing random bits of IP space. It's just like physical security, in many ways. Given a sufficiently determined attacker, any door can be broken. Wood door? May require only my boot. Steel door? Prybar. Bank vault? Explosives. Etc. The thing is, as you increase the level of protection, the ease of countermeasures typically decreases (I wear my boots almost 100% of the time, I may have a prybar nearby, but I am unlikely to be carrying explosives at any time.) So let's not trivialize improvements such as LoA's which reduce the ease of hijackings, eh. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Joe Greco wrote:
How do you verify the authenticity of anything? This is a common problem in the Real World, and is hardly limited to LoA's.
How do you prove that what was on Pages 1 to (N-1) of an N page contract contained the words you think they said? I knew a guy, back in the early days, who habitually changed the SLA's in his contracts so that he could cancel a contract for virtually no reason at all ... the folly of mailing around contracts as .doc files in e-mail. But even failing that, it's pretty trivial to reprint a document, so where do you stop, do you use special paper, special ink, watermarking of documents, initial each page, all of the above, etc?
what about using a digital signation of e.g. a pdf version of a scan? cheers, raoul -- ____________________________________________________________________ DI (FH) Raoul Bhatia M.Sc. email. r.bhatia@ipax.at Technischer Leiter IPAX - Aloy Bhatia Hava OEG web. http://www.ipax.at Barawitzkagasse 10/2/2/11 email. office@ipax.at 1190 Wien tel. +43 1 3670030 FN 277995t HG Wien fax. +43 1 3670030 15 ____________________________________________________________________
Joe Greco wrote:
How do you verify the authenticity of anything? This is a common problem in the Real World, and is hardly limited to LoA's.
How do you prove that what was on Pages 1 to (N-1) of an N page contract contained the words you think they said? I knew a guy, back in the early days, who habitually changed the SLA's in his contracts so that he could cancel a contract for virtually no reason at all ... the folly of mailing around contracts as .doc files in e-mail. But even failing that, it's pretty trivial to reprint a document, so where do you stop, do you use special paper, special ink, watermarking of documents, initial each page, all of the above, etc?
what about using a digital signation of e.g. a pdf version of a scan?
Try putting that up next to an apparently legitimate but actually subtly modified paper contract with signatures, in a court of law, and feel free to inform us of which one the court finds more compelling. In an environment where there's an established history and standard procedures, they're typically going to prefer the familiar method. In our world, if we were to have some sort of crypto-based way to have a netblock owner sign something like that, yeah, that'd be great, and it would mean that the community would generally be able to manage the issue without having to resort to faxed-around LoA's, etc., but we don't have that infrastructure, or even a common/widespread LoA system. Sigh. I'm not arguing that some sort of technical/crypto infrastructure for authorizing the advertisement of space shouldn't be developed, and in fact I think it should. However, as an interim step, things like LoA's are much better than nothing at all, and worrying about the authenticity of an LoA is probably not worth the time and effort, given the way these things tend to work out. If there's cause for concern, those who are receiving the LoA's will ramp up the paranoia. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
I use RWHOIS for proof of who we assign and allocate address space to. I dont believe an LOA is any more valid or secure than my RWHOIS data base that I keep and update on a daily basis. In this case I find it a waste of time when people ask me for LOA's when they can verify the info on my RWHOIS site. And I point these people to my RWHOIS site when they ask for LOA as opposed to wasting my time on creating paperwork. However, if you dont have something like that set up, then I do see the value in people asking for LOA and thus helping to ensure address space isnt getting hijacked. My 2 cents Marla Azinger Frontier Communications -----Original Message----- From: Joe Greco [mailto:jgreco@ns.sol.net] Sent: Wednesday, September 17, 2008 9:22 AM To: Raoul Bhatia [IPAX] Cc: nanog@nanog.org Subject: Re: LoA (Letter of Authorization) for Prefix Filter Modification?
Joe Greco wrote:
How do you verify the authenticity of anything? This is a common problem in the Real World, and is hardly limited to LoA's.
How do you prove that what was on Pages 1 to (N-1) of an N page contract contained the words you think they said? I knew a guy, back in the early days, who habitually changed the SLA's in his contracts so that he could cancel a contract for virtually no reason at all ... the folly of mailing around contracts as .doc files in e-mail. But even failing that, it's pretty trivial to reprint a document, so where do you stop, do you use special paper, special ink, watermarking of documents, initial each page, all of the above, etc?
what about using a digital signation of e.g. a pdf version of a scan?
Try putting that up next to an apparently legitimate but actually subtly modified paper contract with signatures, in a court of law, and feel free to inform us of which one the court finds more compelling. In an environment where there's an established history and standard procedures, they're typically going to prefer the familiar method. In our world, if we were to have some sort of crypto-based way to have a netblock owner sign something like that, yeah, that'd be great, and it would mean that the community would generally be able to manage the issue without having to resort to faxed-around LoA's, etc., but we don't have that infrastructure, or even a common/widespread LoA system. Sigh. I'm not arguing that some sort of technical/crypto infrastructure for authorizing the advertisement of space shouldn't be developed, and in fact I think it should. However, as an interim step, things like LoA's are much better than nothing at all, and worrying about the authenticity of an LoA is probably not worth the time and effort, given the way these things tend to work out. If there's cause for concern, those who are receiving the LoA's will ramp up the paranoia. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Azinger, Marla wrote:
I use RWHOIS for proof of who we assign and allocate address space to. I dont believe an LOA is any more valid or secure than my RWHOIS data base that I keep and update on a daily basis. In this case I find it a waste of time when people ask me for LOA's when they can verify the info on my RWHOIS site. And I point these people to my RWHOIS site when they ask for LOA as opposed to wasting my time on creating paperwork. However, if you dont have something like that set up, then I do see the value in people asking for LOA and thus helping to ensure address space isnt getting hijacked.
How is _you_ showing information in an RWHOIS server that _you_ control in any way proving that the holder of a address block is authorizing _you_ to advertise it on their behalf? It is not unreasonable for your upstreams to ask for some proof _from the holder_ rather than simply trusting you. For all they know, you're just hijacking random address space and putting it in your RWHOIS server. Would you be happy if some random Tier 1 started letting _their_ customers advertise _your_ address space, just because those customers had put up an RWHOIS server claiming it was theirs? This is not about asking you for an LoA for your own address space, which any moron can follow in a reasonably trustworthy chain from ARIN to you. It's about address space that is _not_ directly registered to the company trying to get a filter exception. S
Stephen Sprunk <stephen@sprunk.org> writes:
Azinger, Marla wrote:
I use RWHOIS for proof of who we assign and allocate address space to.
How is _you_ showing information in an RWHOIS server that _you_ control in any way proving that the holder of a address block is authorizing _you_ to advertise it on their behalf?
At least in my case, it's not *my* rwhois server. My first ISP lists me as the owner/user/whatever in *their* rwhois server, and my second ISP considers that authoritative. seph
On 9/19/08 5:53 PM, "seph" <seph@directionless.org> wrote:
Stephen Sprunk <stephen@sprunk.org> writes:
Azinger, Marla wrote:
I use RWHOIS for proof of who we assign and allocate address space to.
How is _you_ showing information in an RWHOIS server that _you_ control in any way proving that the holder of a address block is authorizing _you_ to advertise it on their behalf?
At least in my case, it's not *my* rwhois server. My first ISP lists me as the owner/user/whatever in *their* rwhois server, and my second ISP considers that authoritative.
Wouldn't it be interesting if every service provider would query the RIR's to find out who owns the block and then do some due diligence to make sure the block is being advertised by the right person. Mike
Is this a common practice? Our past experience indicates that a simple request to a NOC or update of a routing registry usually is sufficient.
Regards, Mauricio Rodriguez FPL Fibernet, LLC
Cogent AFAIK have been doing this for years. Not many others require this unless there is a serious question over the request. Randy
participants (10)
-
Azinger, Marla -
Christian Koch -
Joe Greco -
Jon Lewis -
Michael K. Smith -
Randy Epstein -
Raoul Bhatia [IPAX] -
Rodriguez, Mauricio -
seph -
Stephen Sprunk