Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)
> On Nov 17, 2023, at 07:02, Tom Beecher wrote:
>
>> Therefore, Cogent currently does not have and is not member of ARIN. It
>> refuses to sign contract with ARIN and currently Cogent is not bound by this
>> RUD rules and regulations.
>>
>> There is one downfall to not being ARIN member, Cogent cannot currently
>> issue ROAs or RPKIs. They only update RIR in ROADB database for the leased
>> out IP addresses.
>
> Not entirely accurate.
>
> Cogent Communications is already a General Member of ARIN. You can see that
> for yourself here : https://account.arin.net/public/member-list .
> *Membership* is not a prerequisite for anything RPKI.

Membership is not, but… You can’t have ARIN resources under contract without also getting membership along with them any more, so, effectively, you can’t get RPKI without membership.

However, just because you are a member doesn't mean you can get RPKI for all of your resources… Indeed, you can only get RPKI for your resources under ARIN contract.

> ARIN requires an RSA or LRSA in place covering a number resource before they
> will be the trust anchor for that number resource. In the design of RPKI,
> this should make logical sense. Many legacy resource holders have their own
> reasons on why they chose not to sign an LRSA for those resources, so there
> is a chicken/egg problem here.

Interestingly, RIPE-NCC will issue RPKI for non-contracted resources if they have a sponsoring LIR. Generally this means paying 70-100EU/year/resource to some RIPE member (who ends up passing 50EU of that to RIPE as part of their annual fees). LIR Prices vary greatly, so be prepared to negotiate.

Or just don’t bother with RPKI, you’re not really missing anything.

Owen
Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)
>
> Therefore, Cogent currently does not have and is not member of ARIN. It
> refuses to sign contract with ARIN and currently Cogent is not bound by
> this RUD rules and regulations.
>
> There is one downfall to not being ARIN member, Cogent cannot currently
> issue ROAs or RPKIs. They only update RIR in ROADB database for the leased
> out IP addresses.
>

Not entirely accurate.

Cogent Communications is already a General Member of ARIN. You can see that for yourself here : https://account.arin.net/public/member-list . *Membership* is not a prerequisite for anything RPKI.

ARIN requires an RSA or LRSA in place covering a number resource before they will be the trust anchor for that number resource. In the design of RPKI, this should make logical sense. Many legacy resource holders have their own reasons on why they chose not to sign an LRSA for those resources, so there is a chicken/egg problem here.

Cogent can participate in RPKI with any non-legacy resources without a problem, as anything non-legacy is covered by an RSA.

On Fri, Nov 17, 2023 at 8:13 AM George Toma wrote:

> There is IPV4 exhaustion and many ISPs lease IPV4 space from other
> entities, such as brokers and other providers. One of the biggest IPv4
> lessors is Cogent. By Cogent having legacy IP space from IANA which it
> inherited when it acquired PSInet, Cogent was not required to sign a
> contract when RIR ARIN was created.
>
> Therefore, Cogent currently does not have and is not member of ARIN. It
> refuses to sign contract with ARIN and currently Cogent is not bound by
> this RUD rules and regulations.
>
> There is one downfall to not being ARIN member, Cogent cannot currently
> issue ROAs or RPKIs. They only update RIR in ROADB database for the leased
> out IP addresses.
>
> By implicitly requiring ROA or RPKI for IPv4 space leased from Cogent,
> about 70% of small ISPs that were created after IPv4 space exhaustion,
> would not be able to route their IPV4 traffic, because currently they lease
> IPv4 space from Cogent, and as we mentioned, by Cogent refusing to become
> ARIN member, it cannot issue ROAs or RPKIs, and therefore ISPs using this
> leased IPV4 space can only use LOAs for validation.
>
Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)
There is IPV4 exhaustion and many ISPs lease IPV4 space from other entities, such as brokers and other providers. One of the biggest IPv4 lessors is Cogent. By Cogent having legacy IP space from IANA which it inherited when it acquired PSInet, Cogent was not required to sign a contract when RIR ARIN was created.

Therefore, Cogent currently does not have and is not member of ARIN. It refuses to sign contract with ARIN and currently Cogent is not bound by this RUD rules and regulations.

There is one downfall to not being ARIN member, Cogent cannot currently issue ROAs or RPKIs. They only update RIR in ROADB database for the leased out IP addresses.

By implicitly requiring ROA or RPKI for IPv4 space leased from Cogent, about 70% of small ISPs that were created after IPv4 space exhaustion, would not be able to route their IPV4 traffic, because currently they lease IPv4 space from Cogent, and as we mentioned, by Cogent refusing to become ARIN member, it cannot issue ROAs or RPKIs, and therefore ISPs using this leased IPV4 space can only use LOAs for validation.
Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)
Hi Christopher and Tom,

I'll reply to you together, as they seem to be along the same lines.

For the purposes of this survey/research, a reference to an LOA is a reference to an LOA for the advertisement/filtering of IP space. I agree, the acronym LOA has multiple uses in the world of IT for things such as datacentre cross-connects, however given what we are looking into, I believe it's quite clear that any references to an LOA is a reference to a Letter of Authorisation for the advertisement/filtering of IP space.

Other facility providers (such as Equinix, see https://docs.equinix.com/en-us/Content/Interconnection/DiLOA/xc-Loa.htm) have already started looking into the realm of digital LOAs for services such as cross-connects. While they are not the same as traditional LOAs, in my belief they are designed to reduce the timeframes in issuing them, having them sent across and completed.

Regards,
Christopher Hawker

From: Christopher Morrow
Sent: Friday, November 17, 2023 3:18 AM
To: Tom Beecher
Cc: Christopher Hawker ; nanog@nanog.org
Subject: Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

On Thu, Nov 16, 2023 at 10:22 AM Tom Beecher wrote:
>>
>> In the service provider industry, its primary use is for advertising address
>> resources (IPv4/v6 and ASN)
>
>
> Not really.

I would think there are a few uses of LOA in the telco/SP world, at least:

1) 'can I make this cross-connect happen?'
2) 'can I do some work on this link/path/fiber/conduit on behalf of where the entity to be worked on is infrastructure'
3) 'Please accept this internet number resource from when the number resource is authorized for use by '

I would love to see ROA take over the 3rd of those, since it's a clear indicator that:
"RIR authorizes LIR to use , LIR authorizes AS-OWNER to originate "

and by 'clear indicator' I mean: "has some cryptographic/PKI backing you can follow to the RIR in an automated fashion"
Where 'LOA' generally is a xerox of a photocopy of a fax of a dot-matrix printed MS-Word templated document which perhaps has an X on the 'signature' line...

-chris
Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)
On 2023-11-15 21:47, Christopher Hawker wrote:

> Hello everyone,
>
> Aftab Siddiqui is currently exploring the possibility of using Route Object Authorisations (ROAs) as a potential replacement to LOAs. Separate to this (and unknowing of Aftab's research), I had started a discussion on the RPKI Community guild on Discord (https://discord.gg/9jYcqpbdRE) discussing the usage of ROAs instead of LOAs.
>
> An LOA, or "Letter of Authority" / "Letter of Authorization," is a formal document granting permission for third parties to take specific actions regarding network resources or services. In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN). When an organization intends to announce its IP prefixes through its own or a transit provider's ASN to the global internet, it typically needs to provide an LOA to their transit provider, confirming their custodianship or ownership of the resources.

I've found WHOIS is a good enough resource for this purpose. The SPs that are delegating prefixes are good about using SWIP to show assignment. North American SPs are motivated to keep SWIP assignments up to date because of ARIN's requirement to demonstrate usage of IP resources for IP block transfers. I think I've needed to request an LOA from a customer for this purpose just once in the past 10 years because the SWIP wasn't done. IIRC the assigning provider did a SWIP instead.

> RPKI ROA, stands for "Resource Public Key Infrastructure Route Origin Authorization," is part of a security framework designed to validate the authenticity of internet routing information. It involves a digitally signed object that specifies which Autonomous Systems (ASes) are permitted to announce specific IP address prefixes.
>
> Could you please take a moment to fill out our brief survey? Your feedback will play a crucial role in our understanding of this topic.
>
> Survey Link: https://www.surveymonkey.com/r/JCHLWBB
>
> Thanks,
> Christopher Hawker

-Brian
Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)
>
>
>

In a decade working on the SP side of the world, I worked with prob 20 different upstream carriers. I can only think of one that required LOA to accept prefixes via BGP. Everyone else was via RIR methods, or nothing.

There are of course providers out there that do, but not nearly as many to state it's a "primary use case", especially relative to #1 and #2 on your list.

On Thu, Nov 16, 2023 at 11:18 AM Christopher Morrow wrote:

> On Thu, Nov 16, 2023 at 10:22 AM Tom Beecher wrote:
> >>
> >> In the service provider industry, its primary use is for advertising
> >> address resources (IPv4/v6 and ASN)
> >
> >
> > Not really.
>
> I would think there are a few uses of LOA in the telco/SP world, at least:
>
> 1) 'can I make this cross-connect happen?'
> 2) 'can I do some work on this link/path/fiber/conduit on behalf of
> where the entity to be worked on is
> infrastructure'
> 3) 'Please accept this internet number resource from
> when the number resource is authorized for use by '
>
> I would love to see ROA take over the 3rd of those, since it's a clear
> indicator that:
> "RIR authorizes LIR to use , LIR authorizes
> AS-OWNER to originate "
>
> and by 'clear indicator' I mean: "has some cryptographic/PKI backing
> you can follow to the RIR in an automated fashion"
> Where 'LOA' generally is a xerox of a photocopy of a fax of a
> dot-matrix printed MS-Word templated document which perhaps has an X
> on the 'signature' line...
>
> -chris
>
Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)
On Thu, Nov 16, 2023 at 10:22 AM Tom Beecher wrote:
>>
>> In the service provider industry, its primary use is for advertising address
>> resources (IPv4/v6 and ASN)
>
>
> Not really.

I would think there are a few uses of LOA in the telco/SP world, at least:

1) 'can I make this cross-connect happen?'
2) 'can I do some work on this link/path/fiber/conduit on behalf of where the entity to be worked on is infrastructure'
3) 'Please accept this internet number resource from when the number resource is authorized for use by '

I would love to see ROA take over the 3rd of those, since it's a clear indicator that:
"RIR authorizes LIR to use , LIR authorizes AS-OWNER to originate "

and by 'clear indicator' I mean: "has some cryptographic/PKI backing you can follow to the RIR in an automated fashion"
Where 'LOA' generally is a xerox of a photocopy of a fax of a dot-matrix printed MS-Word templated document which perhaps has an X on the 'signature' line...

-chris
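As an added illustration (not part of the thread and not any poster's code), the automated check the message above asks for can be expressed as RFC 6811 route origin validation over validated ROA payloads (VRPs). The VRP list, prefixes and AS numbers are constructed sample data from documentation ranges, and the accept/reject/manual-review mapping in `provisioning_decision` is a hypothetical policy, including the fallback to an LOA or WHOIS check when no ROA exists (the legacy-space case raised elsewhere in the thread).

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload, as emitted by an RPKI validator that has
    already verified the signature chain up to the RIR trust anchor."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data: documentation prefixes and documentation ASNs.
SAMPLE_VRPS = [
    VRP("198.51.100.0/24", 24, 64500),
    VRP("203.0.113.0/24", 24, 64500),
    VRP("2001:db8::/32", 48, 64501),
]


def origin_validation(prefix, origin_asn, vrps):
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue  # this VRP does not cover the requested route
        covered = True
        # A match needs the same origin AS (AS0 never matches) and a
        # route no more specific than the ROA's maxLength.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def provisioning_decision(prefix, origin_asn, vrps):
    """Hypothetical policy for a customer's request to announce a prefix."""
    state = origin_validation(prefix, origin_asn, vrps)
    # 'not-found' (e.g. legacy space with no ROA) falls back to LOA/WHOIS.
    return {"valid": "accept", "invalid": "reject", "not-found": "manual-review"}[state]


if __name__ == "__main__":
    for pfx, asn in [("198.51.100.0/24", 64500), ("198.51.100.128/25", 64500),
                     ("203.0.113.0/24", 64502), ("192.0.2.0/24", 64500)]:
        print(pfx, f"AS{asn}", provisioning_decision(pfx, asn, SAMPLE_VRPS))
```
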
Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)
>
> In the service provider industry, its primary use is for advertising
> address resources (IPv4/v6 and ASN)

Not really.

On Thu, Nov 16, 2023 at 9:19 AM Christopher Hawker wrote:

> Hello everyone,
>
> Aftab Siddiqui is currently exploring the possibility of using Route
> Object Authorisations (ROAs) as a potential replacement to LOAs. Separate
> to this (and unknowing of Aftab's research), I had started a discussion on
> the RPKI Community guild on Discord (https://discord.gg/9jYcqpbdRE)
> discussing the usage of ROAs instead of LOAs.
>
> An LOA, or "Letter of Authority" / "Letter of Authorization," is a formal
> document granting permission for third parties to take specific actions
> regarding network resources or services. In the service provider industry,
> its primary use is for advertising address resources (IPv4/v6 and ASN).
> When an organization intends to announce its IP prefixes through its own or
> a transit provider's ASN to the global internet, it typically needs to
> provide an LOA to their transit provider, confirming their custodianship or
> ownership of the resources.
>
> RPKI ROA, stands for "Resource Public Key Infrastructure Route Origin
> Authorization," is part of a security framework designed to validate the
> authenticity of internet routing information. It involves a digitally
> signed object that specifies which Autonomous Systems (ASes) are permitted
> to announce specific IP address prefixes.
>
> Could you please take a moment to fill out our brief survey? Your feedback
> will play a crucial role in our understanding of this topic.
>
> Survey Link: https://www.surveymonkey.com/r/JCHLWBB
>
> Thanks,
> Christopher Hawker
>
Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)
On Thu, 16 Nov 2023 03:47:43 + Christopher Hawker wrote:

> Aftab Siddiqui is currently exploring the possibility of using Route
> Object Authorisations (ROAs) as a potential replacement to LOAs.
> Separate to this (and unknowing of Aftab's research), I had started a
> discussion on the RPKI Community guild on Discord
> (https://discord.gg/9jYcqpbdRE) discussing the usage of ROAs instead
> of LOAs.

There is similar work also being done in the NETSEC SIG in FIRST.org. Aftab may be aware of that and possibly this is where it seems from. Started by Carlos Friacas (fccn.pt) there is a blog post in the works that begins by raising questions about when and whether to accept a LoA as the primary means of agreeing to announce a prefix. The answer is not so cut and dry.

If anyone wants to comment on the draft before it gets published, which should be imminently, let me know and I'll put you in touch with Carlos and a draft.

John
Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)
Hi Christopher,

No.

Why would your survey take an additional 6.5 minutes to fill out?

-- Niels.

* ch...@thesysadmin.dev (Christopher Hawker) [Thu 16 Nov 2023, 15:20 CET]:

> Hello everyone,
>
> Aftab Siddiqui is currently exploring the possibility of using Route Object Authorisations (ROAs) as a potential replacement to LOAs. Separate to this (and unknowing of Aftab's research), I had started a discussion on the RPKI Community guild on Discord (https://discord.gg/9jYcqpbdRE) discussing the usage of ROAs instead of LOAs.
>
> An LOA, or "Letter of Authority" / "Letter of Authorization," is a formal document granting permission for third parties to take specific actions regarding network resources or services. In the service provider industry, its primary use is for advertising address resources (IPv4/v6 and ASN). When an organization intends to announce its IP prefixes through its own or a transit provider's ASN to the global internet, it typically needs to provide an LOA to their transit provider, confirming their custodianship or ownership of the resources.
>
> RPKI ROA, stands for "Resource Public Key Infrastructure Route Origin Authorization," is part of a security framework designed to validate the authenticity of internet routing information. It involves a digitally signed object that specifies which Autonomous Systems (ASes) are permitted to announce specific IP address prefixes.
>
> Could you please take a moment to fill out our brief survey? Your feedback will play a crucial role in our understanding of this topic.
>
> Survey Link: https://www.surveymonkey.com/r/JCHLWBB
>
> Thanks,
> Christopher Hawker