Send sanog mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sanog.org/mailman/listinfo/sanog


Today's Topics:

   1. Your Input Needed: Can ROA Replace LOA? - Short Survey (7
      mins) (Aftab Siddiqui)
   2. Re: Your Input Needed: Can ROA Replace LOA? - Short Survey
      (7 mins) (Randy Bush)
   3. Re: Your Input Needed: Can ROA Replace LOA? - Short Survey
      (7 mins) (Aftab Siddiqui)
   4. Re: Your Input Needed: Can ROA Replace LOA? - Short Survey
      (7 mins) (Randy Bush)


----------------------------------------------------------------------

Message: 1
Date: Thu, 16 Nov 2023 12:47:24 +1100
From: Aftab Siddiqui <[email protected]>
To: APNIC TALK <[email protected]>
Cc: SANOG <[email protected]>, [email protected]
Subject: [SANOG] Your Input Needed: Can ROA Replace LOA? - Short
        Survey (7 mins)
Message-ID:
        <CAK5YLgfn1mxTdGrLPvuZGSj8aHC6vk6JrNYW=eor18fnonh...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Dear Network Operators,

We are exploring the possibility of using Route Origin Authorizations (ROA)
as a potential replacement for Letters of Authorization (LOA) in internet
routing security and would like to understand Network Operators' point of
view.

An LOA, or "Letter of Authority" / "Letter of Authorization," is a formal
document granting permission for third parties to take specific actions
regarding network resources or services. In the service provider industry,
its primary use is for advertising address resources (IPv4/v6 and ASN).
When an organization intends to announce its IP prefixes through its own or
a transit provider's ASN to the global internet, it typically needs to
provide an LOA to their transit provider, confirming their custodianship or
ownership of the resources.

RPKI ROA, which stands for "Resource Public Key Infrastructure Route Origin
Authorization," is part of a security framework designed to validate the
authenticity of internet routing information. It involves a digitally
signed object that specifies which Autonomous Systems (ASes) are permitted
to announce specific IP address prefixes.

Could you please take a moment to fill out our brief survey? Your feedback
will play a crucial role in our understanding of this topic.

Survey Link: https://www.surveymonkey.com/r/JCHLWBB

[apologies for cross posting]

Regards,

Aftab A. Siddiqui

------------------------------

Message: 2
Date: Wed, 15 Nov 2023 18:33:31 -0800
From: Randy Bush <[email protected]>
To: Aftab Siddiqui via sanog <[email protected]>
Cc: APNIC TALK <[email protected]>,    [email protected]
Subject: Re: [SANOG] Your Input Needed: Can ROA Replace LOA? - Short
        Survey (7 mins)
Message-ID: <[email protected]>
Content-Type: text/plain; charset=US-ASCII

you may find rfc 9255 helpful in this regard, particularly the third
paragraph of the intro

   It has been suggested that one could authenticate real-world business
   transactions with the signatures of INR holders.  For example, Bill's
   Bait and Sushi (BB&S) could use the private key attesting to that
   they are the holder of their AS in the RPKI to sign a Letter of
   Authorization (LOA) for some other party to rack and stack hardware
   owned by BB&S.  Unfortunately, while this may be technically
   possible, it is neither appropriate nor meaningful.


randy


------------------------------

Message: 3
Date: Thu, 16 Nov 2023 13:54:07 +1100
From: Aftab Siddiqui <[email protected]>
To: Randy Bush <[email protected]>
Cc: Aftab Siddiqui via sanog <[email protected]>, APNIC TALK
        <[email protected]>, [email protected]
Subject: Re: [SANOG] Your Input Needed: Can ROA Replace LOA? - Short
        Survey (7 mins)
Message-ID:
        <CAK5YLgez=-bfj6rfwq9qtheuu382eey+tcgrnyevi6kn_vj...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Thanks Randy, yes I read that paragraph and found it accurate in terms of
business decisions, no technology can trump that :) but I still want to
understand if these decisions are based on certain legal practices or just
because it's been happening like this.

Regards,

Aftab A. Siddiqui


On Thu, 16 Nov 2023 at 13:33, Randy Bush via sanog <[email protected]> wrote:

> you may find rfc 9255 helpful in this regard, particularly the third
> paragraph of the intro
>
>    It has been suggested that one could authenticate real-world business
>    transactions with the signatures of INR holders.  For example, Bill's
>    Bait and Sushi (BB&S) could use the private key attesting to that
>    they are the holder of their AS in the RPKI to sign a Letter of
>    Authorization (LOA) for some other party to rack and stack hardware
>    owned by BB&S.  Unfortunately, while this may be technically
>    possible, it is neither appropriate nor meaningful.
>
>
> randy

------------------------------

Message: 4
Date: Wed, 15 Nov 2023 20:05:13 -0800
From: Randy Bush <[email protected]>
To: Aftab Siddiqui <[email protected]>
Cc: Aftab Siddiqui via sanog <[email protected]>, APNIC TALK
        <[email protected]>, [email protected]
Subject: Re: [SANOG] Your Input Needed: Can ROA Replace LOA? - Short
        Survey (7 mins)
Message-ID: <[email protected]>
Content-Type: text/plain; charset=US-ASCII

> Thanks Randy, yes I read that paragraph and found it accurate in terms
> of business decisions, no technology can trump that :) but I still want
> to understand if these decisions are based on certain legal practices
> or just because it's been happening like this.

it is because

   There is a false notion that Internet Number Resources (INRs) in the
   RPKI can be associated with the real-world identity of the 'holder'
   of an INR.  This document specifies that RPKI does not associate to
   the INR holder.

it is not an accident that the title of RFC 9255 is "The 'I' in RPKI
Does Not Stand for Identity."

that an AS RPKI resources has signed some blob gives ZERO, again ZERO,
information or assurance that any real world entity signed it.

randy


------------------------------


End of sanog Digest, Vol 140, Issue 4
*************************************
