On Mon, Feb 26, 2024 at 1:20 PM Joe via NANOG wrote:
>
> One thing that I recently read on this mailing list, is that at least in the
> US, a transmitting a fraudulent LOA is a federal crime - wire fraud. [0]
> Being able to hopefully charge and convict someone performing fraud is a
> useful
Hi,
(please see inline)
On Mon, 26 Feb 2024, Tom Samplonius wrote:
There is one purpose: to facilitate IP fraud, and maintain currently
fraudulently routed IPs.
Yes!
Anyone can dummy up a LOA. And there is still quite a lot of unrouted
IP space.
Yes. But the endgame is not
Hi All,
There is this blogpost from the FIRST netsec-sig group, about this topic,
available at
https://www.first.org/blog/20231222-Is-the-LoA-DoA-for-Routing
I totally agree with Christopher. The above blogpost ends with (for those
who don't like to follow links):
"With the current
Hi Seth,
LOAs can't be considered more trustworthy than IRR objects. The RIRs operate
IRRdb services as part of the services they offer which network operators
should be using instead of the free and paid non-authoritative IRRdb operators.
If you don’t mind, could you please reach out to me
We just switched over to IRR routing with Cogent, it is available. It's
just not on by default.
Best Regards,
Jason
On 2/26/24 3:14 PM, Aaron Wendel wrote:
I don't have any examples of anyone still using paper LOAs except for
Cogent.
Aaron
On 2/26/2024 12:57 PM, Seth Mattinen via NANOG
On 2/26/24 10:57, Seth Mattinen via NANOG wrote:
Why do companies still insist on, or deploy new systems that rely on
paper LOA for IP and ASN resources? How can this be considered more
trustworthy than RIR based IRR records?
* They're an authoritative signed document with legal penalties for
Also known as an cross-connect order form.
Why FAX a piece of paper?
Nobody cross-checks it, until after it goes wrong.
On Mon, 26 Feb 2024, Ren Provo wrote:
Most important parts on the LOA are the explicit ASN, the name to be found
in the cross-connect order portal and local contact data.
I don't have any examples of anyone still using paper LOAs except for
Cogent.
Aaron
On 2/26/2024 12:57 PM, Seth Mattinen via NANOG wrote:
Why do companies still insist on, or deploy new systems that rely on
paper LOA for IP and ASN resources? How can this be considered more
trustworthy than
There is one purpose: to facilitate IP fraud, and maintain currently
fraudulently routed IPs.
Anyone can dummy up a LOA. And there is still quite a lot of unrouted IP
space. VPS providers know this, and know their customers are submitting fake
LOAs. But it is sort of the business VPS
Most important parts on the LOA are the explicit ASN, the name to be found
in the cross-connect order portal and local contact data. Contractors need
that.
Global networks rarely have a contact appropriate for provisioning in a
public facing database.
On Mon, Feb 26, 2024 at 14:50 Sean Donelan
Authentication by letterhead?
Paper LOAs are unauthenticated documents, not worth the paper they are
written on. Usually FAXed, which is even less authenticatable (is that a
word?).
Prosecutors are capable of using digital documents. Do it all the time
with echecks, credit cards, ecommerce
I can’t speak for all providers but when it comes to some downstream
networks we will usually request an LOA as additional proof that the
customer is authorized to announce the prefixes, in addition to the IRR
objects and (where possible) RPKI ROAs. Mainly only a thing where RPKI is
not possible
Highly anecdotal, but we’ve always refused to provide them, and they’ve always
set it up without an LOA.
YMMV since we negotiate larger contracts, but we’ve only ever been asked maybe
twice? Both times they admitted they had no idea why they asked for it, so it
just seems like some process
One thing that I recently read on this mailing list, is that at least in the
US, a transmitting a fraudulent LOA is a federal crime - wire fraud. [0]
Being able to hopefully charge and convict someone performing fraud is a useful
deterrent.
-joe
[0] -
A paper LOA is a legally binding document, an IRR record is an IRR record.
Falsifying an LOA that is transmitted digitally is wire fraud and can
basically be handed right over to a DA for injunction and prosecution.
Falsifying IRR records on the other hand leaves more work for the ISP's
lawyers
On Mon, 26 Feb 2024 10:57:05 -0800
Seth Mattinen via NANOG wrote:
> Why do companies still insist on, or deploy new systems that rely on
> paper LOA for IP and ASN resources? How can this be considered more
> trustworthy than RIR based IRR records?
For routing, some have been proposing that
Perhaps the provider only had a single person maintaining the tooling they
used to interact with the IRR records, that person left/was laid off, and
it broke. Perhaps they don't have anyone else that can make it work again,
and they don't want to hire someone else, so they fell back to paper.
Why do companies still insist on, or deploy new systems that rely on
paper LOA for IP and ASN resources? How can this be considered more
trustworthy than RIR based IRR records?
And I'm not even talking about old companies, I have a situation right
now where a VPS provider I'm using will no
18 matches
Mail list logo
