Hi,

Is there a common practice of providers to vet / validate requests to advertise blocks?

Who is the "authority" when it comes to determining if a request for routing is valid?

Is it the WHOIS data maintained by the various RIR?

It seems I'm playing whack-a-mole to get some routes shut down for some blocks I've taken over admin for.

If I email the contacts for the AS in WHOIS, and get no response, or a negative response, should I start going to their peers?

Some practical advice would be appreciated.

--
Jim Mercer Reptilian Research jim@reptiles.org +1 416 410-5633
"He who dies with the most toys is nonetheless dead"

On 11/12/12, Jim Mercer <jim@reptiles.org> wrote:
> Hi,
>
> Is there a common practice of providers to vet / validate requests to advertise
> blocks?

There is a common practice of providers to require an initial Letter of authorization from the org listed in WHOIS when first setting up, and manual request to allow the prefix or entry of the route in an internet routing registry, for end users to originate prefixes.

> Who is the "authority" when it comes to determining if a request for routing
> is valid?

Defined by routing policy of the provider considering the request, and their upstreams.

> Is it the WHOIS data maintained by the various RIR?

WHOIS data is often used for that purpose; the basic information about the organization listed as registrant of the block is considered authoritative, in general.

> It seems I'm playing whack-a-mole to get some routes shut down for some blocks I've taken over admin for.

It would probably help to submit to them in writing, that the org responsible for the block never authorized the space to be announced by the provider originating it, inform that their unauthorized announcement is causing network issues and costing money, and request that they suppress it. If that's not the case, e.g. if at any time there was bona fide authorization, then the dispute is something to be discussed with the downstream org. still routing the block. If their peers question them about it, they might have the prior LOA on file to show the peers; it is not as if such things expire, or can necessarily be easily withdrawn, it depends on the agreement that allowed the advertisement to be authorized, in that case. Listing of an e-mail address in WHOIS as an admin contact, does not necessarily imply authority that a provider is entitled to rely upon, to tell a peer to shut down the network.

> If I email the contacts for the AS in WHOIS, and get no response, or a negative response, should I start going to their peers?

It's an option. Their peers may summarily ignore the request to disrupt the network by "shutting down" a customer's announcements, though, on the word of an email, if it's not very obvious that they are bad announcements. You may need to email and call, and possibly fax and mail.

> Some practical advice would be appreciated.
>
> --
> Jim Mercer Reptilian Research jim@reptiles.org +1 416 410-5633

--
-JH

On 2012-11-12, at 14:43, Jim Mercer <jim@reptiles.org> wrote:
> Is there a common practice of providers to vet / validate requests to advertise blocks?

Yes, most providers whose customers request a particular route to be pointed towards them will ask for ambiguous instructions, written on letterhead with crayon, and signed illegibly by someone who may or may not have authority to do so but who in any case cannot be identified clearly by their scrawl.

Ideally the letterhead should be crudely constructed in photoshop and then faxed across a noisy analogue line.

Once you have one of those babies in your file, no lawyer can touch you.

Joe

On 11/14/12 2:40 PM, Joe Abley wrote:
> On 2012-11-12, at 14:43, Jim Mercer <jim@reptiles.org> wrote:
>> Is there a common practice of providers to vet / validate requests to advertise blocks?
>
> Yes, most providers whose customers request a particular route to be pointed towards them will ask for ambiguous instructions, written on letterhead with crayon, and signed illegibly by someone who may or may not have authority to do so but who in any case cannot be identified clearly by their scrawl.

Some providers ask for route objects and appropriate import/export policy in RADB. That's fundamentally no higher quality an attestation than a LOA but it's a lot easier to read.

> Ideally the letterhead should be crudely constructed in photoshop and then faxed across a noisy analogue line.
>
> Once you have one of those babies in your file, no lawyer can touch you.
>
> Joe

Careful though cause the crayons must be crayola approved

Sent from my iPhone

On 2012-11-14, at 5:28 PM, "joel jaeggli" <joelja@bogus.com> wrote:
> On 11/14/12 2:40 PM, Joe Abley wrote:
>> On 2012-11-12, at 14:43, Jim Mercer <jim@reptiles.org> wrote:
>>> Is there a common practice of providers to vet / validate requests to advertise blocks?
>>
>> Yes, most providers whose customers request a particular route to be pointed towards them will ask for ambiguous instructions, written on letterhead with crayon, and signed illegibly by someone who may or may not have authority to do so but who in any case cannot be identified clearly by their scrawl.
>
> Some providers ask for route objects and appropriate import/export policy in RADB. That's fundamentally no higher quality an attestation than a LOA but it's a lot easier to read.
>
>> Ideally the letterhead should be crudely constructed in photoshop and then faxed across a noisy analogue line.
>>
>> Once you have one of those babies in your file, no lawyer can touch you.
>>
>> Joe

Another big-name-big-$$$ vendor whose name begins with "C". Sounds like a "c"onspiracy to me............

On 11/14/2012 5:09 PM, Mark Gauvin wrote:
> Careful though cause the crayons must be crayola approved
>
> Sent from my iPhone

"..for some blocks I've taken over admin for."

Make sure you are visibly listed as a Point of Contact on those records in the appropriate RIR, so that folks who get your request can verify you. Even better, register in your RIR's RPKI program and generate a ROA for it. Info about ARIN's here: https://www.arin.net/resources/rpki/index.html

Then yes, notify their upstreams/peers if needed and post here if things get really desperate - have your records in order first.

--Heather

-----Original Message-----
From: Jim Mercer [mailto:jim@reptiles.org]
Sent: Monday, November 12, 2012 2:44 PM
To: nanog@nanog.org
Subject: "authority" to route?

Hi,

Is there a common practice of providers to vet / validate requests to advertise blocks?

Who is the "authority" when it comes to determining if a request for routing is valid?

Is it the WHOIS data maintained by the various RIR?

It seems I'm playing whack-a-mole to get some routes shut down for some blocks I've taken over admin for.

If I email the contacts for the AS in WHOIS, and get no response, or a negative response, should I start going to their peers?

Some practical advice would be appreciated.

--
Jim Mercer Reptilian Research jim@reptiles.org +1 416 410-5633
"He who dies with the most toys is nonetheless dead"

Jeez, isn't RPKI supposed to solve this problem?

On Thu, Nov 15, 2012 at 10:36 AM, Schiller, Heather A <heather.schiller@verizon.com> wrote:
> "..for some blocks I've taken over admin for."
>
> Make sure you are visibly listed as a Point of Contact on those records in the appropriate RIR, so that folks who get your request can verify you. Even better, register in your RIR's RPKI program and generate a ROA for it. Info about ARIN's here: https://www.arin.net/resources/rpki/index.html
>
> Then yes, notify their upstreams/peers if needed and post here if things get really desperate - have your records in order first.
>
> --Heather
>
> -----Original Message-----
> From: Jim Mercer [mailto:jim@reptiles.org]
> Sent: Monday, November 12, 2012 2:44 PM
> To: nanog@nanog.org
> Subject: "authority" to route?
>
> Hi,
>
> Is there a common practice of providers to vet / validate requests to advertise blocks?
>
> Who is the "authority" when it comes to determining if a request for routing is valid?
>
> Is it the WHOIS data maintained by the various RIR?
>
> It seems I'm playing whack-a-mole to get some routes shut down for some blocks I've taken over admin for.
>
> If I email the contacts for the AS in WHOIS, and get no response, or a negative response, should I start going to their peers?
>
> Some practical advice would be appreciated.
>
> --
> Jim Mercer Reptilian Research jim@reptiles.org +1 416 410-5633
> "He who dies with the most toys is nonetheless dead"

--
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer

I think Heather was pointing out that this would be a good time to actually use it.

On Fri, Nov 16, 2012 at 12:55 PM, <Valdis.Kletnieks@vt.edu> wrote:
> On Thu, 15 Nov 2012 23:05:39 -0800, Kyle Creyts said:
>> Jeez, isn't RPKI supposed to solve this problem?
>
> That would presume the existence of a deployed system that everybody actually used.

participants (10)
- Jim Mercer
- Jimmy Hess
- Joe Abley
- joel jaeggli
- Kyle Creyts
- Mark Gauvin
- Richard Barnes
- Robert Glover
- Schiller, Heather A
- Valdis.Kletnieks@vt.edu