Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)
Hello everyone,

Aftab Siddiqui is currently exploring the possibility of using Route Object Authorisations (ROAs) as a potential replacement to LOAs. Separate to this (and unknowing of Aftab's research), I had started a discussion on the RPKI Community guild on Discord (https://discord.gg/9jYcqpbdRE) discussing the usage of ROAs instead of LOAs.

An LOA, or "Letter of Authority" / "Letter of Authorization," is a formal document granting permission for third parties to take specific actions regarding network resources or services. In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN). When an organization intends to announce its IP prefixes through its own or a transit provider's ASN to the global internet, it typically needs to provide an LOA to their transit provider, confirming their custodianship or ownership of the resources.

RPKI ROA, stands for "Resource Public Key Infrastructure Route Origin Authorization," is part of a security framework designed to validate the authenticity of internet routing information. It involves a digitally signed object that specifies which Autonomous Systems (ASes) are permitted to announce specific IP address prefixes.

Could you please take a moment to fill out our brief survey? Your feedback will play a crucial role in our understanding of this topic.

Survey Link: https://www.surveymonkey.com/r/JCHLWBB

Thanks,
Christopher Hawker
Hi Christopher,

No. Why would your survey take an additional 6.5 minutes to fill out?

-- Niels.

* chris@thesysadmin.dev (Christopher Hawker) [Thu 16 Nov 2023, 15:20 CET]:
> Hello everyone,
>
> Aftab Siddiqui is currently exploring the possibility of using Route Object Authorisations (ROAs) as a potential replacement to LOAs. Separate to this (and unknowing of Aftab's research), I had started a discussion on the RPKI Community guild on Discord (https://discord.gg/9jYcqpbdRE) discussing the usage of ROAs instead of LOAs.
>
> An LOA, or "Letter of Authority" / "Letter of Authorization," is a formal document granting permission for third parties to take specific actions regarding network resources or services. In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN). When an organization intends to announce its IP prefixes through its own or a transit provider's ASN to the global internet, it typically needs to provide an LOA to their transit provider, confirming their custodianship or ownership of the resources.
>
> RPKI ROA, stands for "Resource Public Key Infrastructure Route Origin Authorization," is part of a security framework designed to validate the authenticity of internet routing information. It involves a digitally signed object that specifies which Autonomous Systems (ASes) are permitted to announce specific IP address prefixes.
>
> Could you please take a moment to fill out our brief survey? Your feedback will play a crucial role in our understanding of this topic.
>
> Survey Link: https://www.surveymonkey.com/r/JCHLWBB
>
> Thanks,
> Christopher Hawker
On Thu, 16 Nov 2023 03:47:43 +0000 Christopher Hawker <chris@thesysadmin.dev> wrote:
> Aftab Siddiqui is currently exploring the possibility of using Route Object Authorisations (ROAs) as a potential replacement to LOAs. Separate to this (and unknowing of Aftab's research), I had started a discussion on the RPKI Community guild on Discord (https://discord.gg/9jYcqpbdRE) discussing the usage of ROAs instead of LOAs.
There is similar work also being done in the NETSEC SIG in FIRST.org. Aftab may be aware of that and possibly this is where it stems from. Started by Carlos Friacas (fccn.pt) there is a blog post in the works that begins by raising questions about when and whether to accept a LoA as the primary means of agreeing to announce a prefix. The answer is not so cut and dry.

If anyone wants to comment on the draft before it gets published, which should be imminently, let me know and I'll put you in touch with Carlos and a draft.

John
> In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN)

Not really.

On Thu, Nov 16, 2023 at 9:19 AM Christopher Hawker <chris@thesysadmin.dev> wrote:

> Hello everyone,
>
> Aftab Siddiqui is currently exploring the possibility of using Route Object Authorisations (ROAs) as a potential replacement to LOAs. Separate to this (and unknowing of Aftab's research), I had started a discussion on the RPKI Community guild on Discord (https://discord.gg/9jYcqpbdRE) discussing the usage of ROAs instead of LOAs.
>
> An LOA, or "Letter of Authority" / "Letter of Authorization," is a formal document granting permission for third parties to take specific actions regarding network resources or services. In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN). When an organization intends to announce its IP prefixes through its own or a transit provider's ASN to the global internet, it typically needs to provide an LOA to their transit provider, confirming their custodianship or ownership of the resources.
>
> RPKI ROA, stands for "Resource Public Key Infrastructure Route Origin Authorization," is part of a security framework designed to validate the authenticity of internet routing information. It involves a digitally signed object that specifies which Autonomous Systems (ASes) are permitted to announce specific IP address prefixes.
>
> Could you please take a moment to fill out our brief survey? Your feedback will play a crucial role in our understanding of this topic.
>
> Survey Link: https://www.surveymonkey.com/r/JCHLWBB
>
> Thanks,
> Christopher Hawker
On Thu, Nov 16, 2023 at 10:22 AM Tom Beecher <beecher@beecher.cc> wrote:
> > In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN)
>
> Not really.

<citation required>

I would think there are a few uses of LOA in the telco/SP world, at least:

1) 'can I make this cross-connect happen?'
2) 'can I do some work on this link/path/fiber/conduit on behalf of <customerX> where the entity to be worked on is <providerY> infrastructure'
3) 'Please accept this internet number resource from <customerX> when the number resource is authorized for use by <entityA>'

I would love to see ROA take over the 3rd of those, since it's a clear indicator that:
"RIR authorizes LIR to use <number resource>, LIR authorizes AS-OWNER to originate <number resource>"

and by 'clear indicator' I mean:
"has some cryptographic/PKI backing you can follow to the RIR in an automated fashion"

Where 'LOA' generally is a xerox of a photocopy of a fax of a dot-matrix printed MS-Word templated document which perhaps has an X on the 'signature' line...

-chris
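The third LOA use in the message above (accepting a number resource from a customer) is the one a ROA can answer mechanically. As an added example that is not part of the original thread, this Python code applies RFC 6811 route origin validation to a customer's requested prefixes; the VRP rows, documentation prefixes and ASNs, and all function names are constructed for illustration, and a real list of validated ROA payloads would come from an RPKI validator.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): prefix, maxLength, origin ASN.
# Documentation prefixes and documentation ASNs only; not real routing data.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64500),
    ("203.0.113.0/24", 24, 64501),
]


def load_vrps(rows):
    """Parse (prefix, maxLength, asn) rows into network objects."""
    return [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in rows]


def origin_validate(prefix, origin_asn, vrps):
    """Return the RFC 6811 state for a route: valid, invalid or not-found."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, maxlen, asn in vrps:
        # A VRP covers the route when the route is equal to or inside its prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # A match needs the same origin AS (never AS0) and a length within maxLength.
        if asn == origin_asn and asn != 0 and route.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


def review_request(customer_asn, prefixes, vrps):
    """Split a customer's requested prefixes into filter entries and follow-ups."""
    accept, follow_up = [], []
    for prefix in prefixes:
        state = origin_validate(prefix, customer_asn, vrps)
        (accept if state == "valid" else follow_up).append((prefix, state))
    return accept, follow_up


if __name__ == "__main__":
    # Constructed request: AS64500 asks its upstream to accept these prefixes.
    request = ["192.0.2.0/24", "2001:db8:1:2::/64", "198.51.100.0/24"]
    accept, follow_up = review_request(64500, request, load_vrps(SAMPLE_VRPS))
    print("add to prefix filter:", accept)
    print("needs other evidence:", follow_up)
```

Only `valid` entries carry the cryptographic backing; `not-found` means no ROA covers the prefix, so some other form of evidence is still needed for it.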
> <citation required>

In a decade working on the SP side of the world, I worked with prob 20 different upstream carriers. I can only think of one that required LOA to accept prefixes via BGP. Everyone else was via RIR methods, or nothing.

There are of course providers out there that do, but not nearly as many to state it's a "primary use case", especially relative to #1 and #2 on your list.

On Thu, Nov 16, 2023 at 11:18 AM Christopher Morrow <morrowc.lists@gmail.com> wrote:

> On Thu, Nov 16, 2023 at 10:22 AM Tom Beecher <beecher@beecher.cc> wrote:
> > > In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN)
> >
> > Not really.
>
> <citation required>
>
> I would think there are a few uses of LOA in the telco/SP world, at least:
>
> 1) 'can I make this cross-connect happen?'
> 2) 'can I do some work on this link/path/fiber/conduit on behalf of <customerX> where the entity to be worked on is <providerY> infrastructure'
> 3) 'Please accept this internet number resource from <customerX> when the number resource is authorized for use by <entityA>'
>
> I would love to see ROA take over the 3rd of those, since it's a clear indicator that:
> "RIR authorizes LIR to use <number resource>, LIR authorizes AS-OWNER to originate <number resource>"
>
> and by 'clear indicator' I mean:
> "has some cryptographic/PKI backing you can follow to the RIR in an automated fashion"
>
> Where 'LOA' generally is a xerox of a photocopy of a fax of a dot-matrix printed MS-Word templated document which perhaps has an X on the 'signature' line...
>
> -chris
Hi Christopher and Tom,

I'll reply to you together, as they seem to be along the same lines.

For the purposes of this survey/research, a reference to an LOA is a reference to an LOA for the advertisement/filtering of IP space. I agree, the acronym LOA has multiple uses in the world of IT for things such as datacentre cross-connects, however given what we are looking into, I believe it's quite clear that any reference to an LOA is a reference to a Letter of Authorisation for the advertisement/filtering of IP space.

Other facility providers (such as Equinix, see https://docs.equinix.com/en-us/Content/Interconnection/DiLOA/xc-Loa.htm) have already started looking into the realm of digital LOAs for services such as cross-connects. While they are not the same as traditional LOAs, in my belief they are designed to reduce the timeframes in issuing them, having them sent across and completed.

Regards,
Christopher Hawker

________________________________
From: Christopher Morrow <morrowc.lists@gmail.com>
Sent: Friday, November 17, 2023 3:18 AM
To: Tom Beecher <beecher@beecher.cc>
Cc: Christopher Hawker <chris@thesysadmin.au>; nanog@nanog.org <nanog@nanog.org>
Subject: Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

On Thu, Nov 16, 2023 at 10:22 AM Tom Beecher <beecher@beecher.cc> wrote:
> > In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN)
>
> Not really.

<citation required>

I would think there are a few uses of LOA in the telco/SP world, at least:

1) 'can I make this cross-connect happen?'
2) 'can I do some work on this link/path/fiber/conduit on behalf of <customerX> where the entity to be worked on is <providerY> infrastructure'
3) 'Please accept this internet number resource from <customerX> when the number resource is authorized for use by <entityA>'

I would love to see ROA take over the 3rd of those, since it's a clear indicator that:
"RIR authorizes LIR to use <number resource>, LIR authorizes AS-OWNER to originate <number resource>"

and by 'clear indicator' I mean:
"has some cryptographic/PKI backing you can follow to the RIR in an automated fashion"

Where 'LOA' generally is a xerox of a photocopy of a fax of a dot-matrix printed MS-Word templated document which perhaps has an X on the 'signature' line...

-chris
On 2023-11-15 21:47, Christopher Hawker wrote:
> Hello everyone,
>
> Aftab Siddiqui is currently exploring the possibility of using Route Object Authorisations (ROAs) as a potential replacement to LOAs. Separate to this (and unknowing of Aftab's research), I had started a discussion on the RPKI Community guild on Discord (https://discord.gg/9jYcqpbdRE) discussing the usage of ROAs instead of LOAs.
>
> An LOA, or "Letter of Authority" / "Letter of Authorization," is a formal document granting permission for third parties to take specific actions regarding network resources or services. In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN). When an organization intends to announce its IP prefixes through its own or a transit provider's ASN to the global internet, it typically needs to provide an LOA to their transit provider, confirming their custodianship or ownership of the resources.
I've found WHOIS is a good enough resource for this purpose. The SPs that are delegating prefixes are good about using SWIP to show assignment. North American SPs are motivated to keep SWIP assignments up to date because of ARIN's requirement to demonstrate usage of IP resources for IP block transfers. I think I've needed to request an LOA from a customer for this purpose just once in the past 10 years because the SWIP wasn't done. IIRC the assigning provider did a SWIP instead.
> RPKI ROA, stands for "Resource Public Key Infrastructure Route Origin Authorization," is part of a security framework designed to validate the authenticity of internet routing information. It involves a digitally signed object that specifies which Autonomous Systems (ASes) are permitted to announce specific IP address prefixes.
>
> Could you please take a moment to fill out our brief survey? Your feedback will play a crucial role in our understanding of this topic.
>
> Survey Link: https://www.surveymonkey.com/r/JCHLWBB
>
> Thanks,
> Christopher Hawker
-Brian