Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-27 Thread Martin Hannigan
On Tue, Dec 26, 2023 at 10:04 AM Brandon Butterworth 
wrote:

>
> On 26/12/2023, 13:21:18, "Christopher Hawker" 
> wrote:
>
> [ clip ]


>
> >Further, a DC operator should never be accepting and processing an order
> >for a cross-connect without confirming the request with the Z-side. That's
> >just common netsec process, and I'd be highly surprised if it were not.
>
> Agreed, if they bothered confirming then the LOA would not be needed.
>

We're doing things a little differently over here in New UK. We're taking
the data center out of the way since they're always the limiting factor.
Open meet-me-rooms fit out with video, access and other security to keep
everyone honest. No LOA's or CFA's required. You can only reach the patch
panel, not the equipment. We feel if you're going to pay a cross connect
fee you should get something for it. So does the DC operator. If you don't
like it, you can pay for a locked cabinet and you can do the escorting.
We've totally removed ourselves and changed our role from gatekeeper to
guard.

But this is far off topic. In this example, ROA has zero value in this part
of the transaction.

Warm regards,

-M<


Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-27 Thread Martin Hannigan
On Tue, Dec 26, 2023 at 05:03 Christopher Hawker 
wrote:

> In my experience dealing with cross-connect LOAs at Equinix SY1/2, SY3,
> SY4, SY5 and ME1, Equinix have always requested an LoA from the Z-side.
> Never heard of an LoA not being required for a cross-connect otherwise, how
> would they know it's a legit request? However, cross-connect LoAs are
> beyond the scope of this topic.
>

Agree. That's LOA to execute carrier facilities assignment (CFA). That's a
three party transaction that is the A and Z ends telling the third party,
$facilityTech, how to run the patch cable and provide evidence for billing.
ROA would have zero impact here and as you note beyond the scope of the
topic.


> I've also only seen this with smaller customers requesting their upstreams
> allow the route through their filters. If upstreams don't ask, how do they
> validate you (or your customer) have the authority to originate the prefix?
> I understand there comes a point where a T1 network has to accept any route
> that is advertised to it, however, ROAs (and ASPA when it becomes
> mainstream) I believe can help secure routing, even at a T1 level.
>

For prefix advertisements on my behalf, twice. In both cases I thought why?
The prefix contacts are in whois and they could email and ask. It would've
taken more time to object than to write the sentence to 'please allow
temporary use of X.X.0.0/16 until revoked'. And then I can't ever recall
sending the 'revoked' letter after moving on from the provider. The project
is harmless. Perhaps in other parts of the work there's more paper
shuffling like that?

Warm regards,

-M<


Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-26 Thread Darren Brown
Transit providers normally build a prefix list from the data in the RIPE
database, in 25+ years I have never been asked for a LOA other than cross
connects and even that is rare. I think you are trying to solve an issue that
doesn't exist.


Regards
Darren



From: uknof  on behalf of Christopher Hawker 

Sent: Tuesday, December 26, 2023 10:03:11 AM
To: Martin Hannigan 
Cc: [email protected] ; James Bensley 

Subject: Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 
mins)



In my experience dealing with cross-connect LOAs at Equinix SY1/2, SY3, SY4, 
SY5 and ME1, Equinix have always requested an LoA from the Z-side. Never heard 
of an LoA not being required for a cross-connect otherwise, how would they know 
it's a legit request? However, cross-connect LoAs are beyond the scope of this 
topic.

I've also only seen this with smaller customers requesting their upstreams 
allow the route through their filters. If upstreams don't ask, how do they 
validate you (or your customer) have the authority to originate the prefix? I 
understand there comes a point where a T1 network has to accept any route that 
is advertised to it, however, ROAs (and ASPA when it becomes mainstream) I 
believe can help secure routing, even at a T1 level.

Regards,
Christopher Hawker

On Tue, 26 Dec 2023 at 10:49, Martin Hannigan wrote:

I'm sailing past 30 years (like a few others here!) and I've only had to do
this twice. Never for cross connects. Data centers wouldn't want to hold up a
cross connect fee.

HTH

Warm regards,

-M<



On Mon, Dec 25, 2023 at 05:42 James Bensley via uknof wrote:
On Monday, November 27th, 2023 at 05:03, Christopher Hawker wrote:

Hello everyone,

Aftab Siddiqui is currently exploring the possibility of using Route Object 
Authorisations (ROAs) as a potential replacement to LOAs.


Hi Christopher,

This survey was sent to the NANOG list and there someone responded saying that 
they have been in the service provider world for 10 years and only had to send 
a LoA once, with regards to authorisation for IP announcements.

I have been working in the SP world for 15-ish years and I have worked with all 
Tier 1's at different points, and I have never had to send a LoA.

My only experiences with LoA's is for DC cross-connects (in this context I have 
sent and received many). So the survey seems flawed in that the first question 
should be something like "do you send and accept LoA's regarding prefix 
announcements" because, the survey is based on the assumption that everyone is 
using LoAs for this, I think this initial assumption needs clarifying.

Cheers,
James.



Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-26 Thread Brandon Butterworth



On 26/12/2023, 13:21:18, "Christopher Hawker" wrote:

> If "paying money is usually a good enough sign of being legit" for
> the purpose of ordering a cross-connect, then one needs to significantly
> consider the security and processes of their network and their DC
> provider's operations. I'd never use a DC provider who would accept cash as
> proof of a cross-connect request being legitimate.

But you do accept a letter provided by the attacker and not confirmed by
the victim? To me one is no more trustworthy than the other.

I prefer instead the Z confirms by email/portal method, if you want
security then it needs to involve the victim and give them an opportunity
to defend.

You already trust cash as proof of legitimacy, allowing an attacker to
enter the facility and gain access to the area around your rack where they
could connect to your equipment with less chance of anyone knowing who did
it.

Ordering an xcon puts on record who did it (or was compromised to enable
it) and puts their DC presence at stake if found out so they are staking
everything on that one attack, if you are worth that you probably need more
than a LOA to defend you.

> Further, a DC operator should never be accepting and processing an order
> for a cross-connect without confirming the request with the Z-side. That's
> just common netsec process, and I'd be highly surprised if it were not.

Agreed, if they bothered confirming then the LOA would not be needed.

brandon




Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-26 Thread Christopher Hawker
If "paying money is usually a good enough sign of being legit" for
the purpose of ordering a cross-connect, then one needs to significantly
consider the security and processes of their network and their DC
provider's operations. I'd never use a DC provider who would accept cash as
proof of a cross-connect request being legitimate.

Further, a DC operator should never be accepting and processing an order
for a cross-connect without confirming the request with the Z-side. That's
just common netsec process, and I'd be highly surprised if it were not.

Regards,
Christopher Hawker

On Tue, 26 Dec 2023 at 23:44, Brandon Butterworth 
wrote:

>
>
>
> On 26/12/2023, 10:03:11, "Christopher Hawker" 
> wrote:
>
> >In my experience dealing with cross-connect LOAs at Equinix SY1/2, SY3,
> >SY4, SY5 and ME1, Equinix have always requested an LoA from the Z-side.
>
> I think it has spread from being an Equinix USA thing to global, we never
> needed them but over the last few years they have become more common
> including DCs that never used to care. Some required the Z to ack by email
> which is more secure but held up connections, that LOA replaced email shows
> how much the DCs care about the LOA authenticity.
>
> >Never heard of an LoA not being required for a cross-connect otherwise,
> how
> >would they know it's a legit request?
>
> Who cares? Paying money is usually a good enough sign of being legit. What
> is the worst that can happen? They are paying for a xcon they will never be
> able to use. I guess they could play minesweeper and hope to hit one that
> is connected to a live port that is configured in some manner they could
> leverage. That is an expensive attack and the alerts for new connections
> going live should be sufficient to tip off the victim.
>
> brandon
>
>


Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-26 Thread Christopher Hawker
Again (to be clear on the subject), we are not trying to "solve" anything,
nor are we advocating for or against anything. We are looking into possible
ways to use existing systems for new purposes that may be beneficial to the
community.

For example, ROA + ASPA has the ability to help secure routing end-to-end.
This may or may not eliminate the need for IRR objects, however it's way
too early to tell and still requires a lot more work.

Regards,
Christopher Hawker

On Tue, 26 Dec 2023 at 23:05, Darren Brown  wrote:

> Transit providers normally build a prefix list from the data in the RIPE
> database, in 25+ years I have never been asked for a LOA other than cross
> connects and even that is rare. I think you are trying to solve an issue
> that doesn't exist.
>
>
> Regards
> Darren
>
>
> --
> *From:* uknof  on behalf of Christopher
> Hawker 
> *Sent:* Tuesday, December 26, 2023 10:03:11 AM
> *To:* Martin Hannigan 
> *Cc:* [email protected] ; James Bensley <
> [email protected]>
> *Subject:* Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short
> Survey (7 mins)
>
> In my experience dealing with cross-connect LOAs at Equinix SY1/2, SY3,
> SY4, SY5 and ME1, Equinix have always requested an LoA from the Z-side.
> Never heard of an LoA not being required for a cross-connect otherwise, how
> would they know it's a legit request? However, cross-connect LoAs are
> beyond the scope of this topic.
>
> I've also only seen this with smaller customers requesting their upstreams
> allow the route through their filters. If upstreams don't ask, how do they
> validate you (or your customer) have the authority to originate the prefix?
> I understand there comes a point where a T1 network has to accept any route
> that is advertised to it, however, ROAs (and ASPA when it becomes
> mainstream) I believe can help secure routing, even at a T1 level.
>
> Regards,
> Christopher Hawker
>
> On Tue, 26 Dec 2023 at 10:49, Martin Hannigan  wrote:
>
>
> I'm sailing past 30 years (like a few others here!) and I've only had to do
> this twice. Never for cross connects. Data centers wouldn't want to hold
> up a cross connect fee.
>
> HTH
>
> Warm regards,
>
> -M<
>
>
>
> On Mon, Dec 25, 2023 at 05:42 James Bensley via uknof <
> [email protected]> wrote:
>
> On Monday, November 27th, 2023 at 05:03, Christopher Hawker <
> [email protected]> wrote:
>
> Hello everyone,
>
> Aftab Siddiqui is currently exploring the possibility of using Route
> Object Authorisations (ROAs) as a potential replacement to LOAs.
>
>
>
> Hi Christopher,
>
> This survey was sent to the NANOG list and there someone responded saying
> that they have been in the service provider world for 10 years and only had
> to send a LoA once, with regards to authorisation for IP announcements.
>
> I have been working in the SP world for 15-ish years and I have worked
> with all Tier 1's at different points, and I have never had to send a LoA.
>
> My only experiences with LoA's is for DC cross-connects (in this context I
> have sent and received many). So the survey seems flawed in that the first
> question should be something like "do you send and accept LoA's regarding
> prefix announcements" because, the survey is based on the assumption that
> everyone is using LoAs for this, I think this initial assumption needs
> clarifying.
>
> Cheers,
> James.
>
>


Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-26 Thread Brandon Butterworth





On 26/12/2023, 10:03:11, "Christopher Hawker" wrote:

> In my experience dealing with cross-connect LOAs at Equinix SY1/2, SY3,
> SY4, SY5 and ME1, Equinix have always requested an LoA from the Z-side.

I think it has spread from being an Equinix USA thing to global, we never
needed them but over the last few years they have become more common
including DCs that never used to care. Some required the Z to ack by email
which is more secure but held up connections, that LOA replaced email shows
how much the DCs care about the LOA authenticity.

> Never heard of an LoA not being required for a cross-connect otherwise, how
> would they know it's a legit request?

Who cares? Paying money is usually a good enough sign of being legit. What
is the worst that can happen? They are paying for a xcon they will never be
able to use. I guess they could play minesweeper and hope to hit one that
is connected to a live port that is configured in some manner they could
leverage. That is an expensive attack and the alerts for new connections
going live should be sufficient to tip off the victim.

brandon




Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-26 Thread Brandon Butterworth





On 25/12/2023, 15:56:17, "Mitchell Southgate - 39D IT Services" wrote:

> With the LOA I currently hold a /24 in 44.X.X.X range which is amprnet
> (amateur radio / ham radio).

I am familiar with it and the arguments over if it should ever be routed
widely on the internet from back in 1995 when I ran a (maybe the only) UK
wormhole (vpn) to tunnel the UK back to UCSD.

> I have had many discussions with carriers over the fact I cannot do ROA.
> They still issue us a LOA which some carriers accept and others do not.

If ROA are to be the only source of authority it is a flaw that they are
not available to all that need them so LOA carry on being used to bypass
them, though LOA prove nothing (who checks you didn't write it yourself)
and are not evenly accepted.

> The issue here is it is treated as legacy space and as such I cannot
> control it in ARIN

The fix is for ARIN to not exclude legacy if ROA are to be the only
mechanism, or not have the RIR monopoly but that would persist alternative
IRRs.

I can understand ARIN only wanting to provide hosted RPKI to full members
but it should be possible for a legacy holder to run self hosted as that is
the price of ARIN membership.

brandon




Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-26 Thread Christopher Hawker
In my experience dealing with cross-connect LOAs at Equinix SY1/2, SY3,
SY4, SY5 and ME1, Equinix have always requested an LoA from the Z-side.
Never heard of an LoA not being required for a cross-connect otherwise, how
would they know it's a legit request? However, cross-connect LoAs are
beyond the scope of this topic.

I've also only seen this with smaller customers requesting their upstreams
allow the route through their filters. If upstreams don't ask, how do they
validate you (or your customer) have the authority to originate the prefix?
I understand there comes a point where a T1 network has to accept any route
that is advertised to it, however, ROAs (and ASPA when it becomes
mainstream) I believe can help secure routing, even at a T1 level.

Regards,
Christopher Hawker

On Tue, 26 Dec 2023 at 10:49, Martin Hannigan  wrote:

>
> I'm sailing past 30 years (like a few others here!) and I've only had to do
> this twice. Never for cross connects. Data centers wouldn't want to hold
> up a cross connect fee.
>
> HTH
>
> Warm regards,
>
> -M<
>
>
>
> On Mon, Dec 25, 2023 at 05:42 James Bensley via uknof <
> [email protected]> wrote:
>
>> On Monday, November 27th, 2023 at 05:03, Christopher Hawker <
>> [email protected]> wrote:
>>
>> Hello everyone,
>>
>> Aftab Siddiqui is currently exploring the possibility of using Route
>> Object Authorisations (ROAs) as a potential replacement to LOAs.
>>
>>
>>
>> Hi Christopher,
>>
>> This survey was sent to the NANOG list and there someone responded saying
>> that they have been in the service provider world for 10 years and only had
>> to send a LoA once, with regards to authorisation for IP announcements.
>>
>> I have been working in the SP world for 15-ish years and I have worked
>> with all Tier 1's at different points, and I have never had to send a LoA.
>>
>> My only experiences with LoA's is for DC cross-connects (in this context
>> I have sent and received many). So the survey seems flawed in that the
>> first question should be something like "do you send and accept LoA's
>> regarding prefix announcements" because, the survey is based on the
>> assumption that everyone is using LoAs for this, I think this initial
>> assumption needs clarifying.
>>
>> Cheers,
>> James.
>>
>>


Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-25 Thread Martin Hannigan
I'm sailing past 30 years (like a few others here!) and I've only had to do
this twice. Never for cross connects. Data centers wouldn't want to hold
up a cross connect fee.

HTH

Warm regards,

-M<



On Mon, Dec 25, 2023 at 05:42 James Bensley via uknof <
[email protected]> wrote:

> On Monday, November 27th, 2023 at 05:03, Christopher Hawker <
> [email protected]> wrote:
>
> Hello everyone,
>
> Aftab Siddiqui is currently exploring the possibility of using Route
> Object Authorisations (ROAs) as a potential replacement to LOAs.
>
>
>
> Hi Christopher,
>
> This survey was sent to the NANOG list and there someone responded saying
> that they have been in the service provider world for 10 years and only had
> to send a LoA once, with regards to authorisation for IP announcements.
>
> I have been working in the SP world for 15-ish years and I have worked
> with all Tier 1's at different points, and I have never had to send a LoA.
>
> My only experiences with LoA's is for DC cross-connects (in this context I
> have sent and received many). So the survey seems flawed in that the first
> question should be something like "do you send and accept LoA's regarding
> prefix announcements" because, the survey is based on the assumption that
> everyone is using LoAs for this, I think this initial assumption needs
> clarifying.
>
> Cheers,
> James.
>
>


Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-25 Thread Mitchell Southgate - 39D IT Services via uknof
With the LOA I currently hold a /24 in 44.X.X.X range which is amprnet (amateur 
radio / ham radio). I have had many discussions with carriers over the fact I 
cannot do ROA. They still issue us a LOA which some carriers accept and others 
do not. Where we do not technically own the range but lease them for free to 
us.  

The issue here is it is treated as legacy space and as such I cannot control
it in ARIN.



Mitchell Southgate 
  







-Original Message-
From: uknof [mailto:[email protected]] On Behalf Of Brandon 
Butterworth
Sent: 25 December 2023 13:29
To: Christopher Hawker ; James Bensley 

Cc: [email protected]
Subject: Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 
mins)


LOA are a charade enabling blame dissipation when events demonstrate those 
involved should have carried out proper diligence.

So ROA would appear to be an advance on that and if there was one it would be 
silly to accept a LOA that conflicted it. Do those requesting LOA check for a 
ROA?

>>  My only experiences with LoA's is for DC cross-connects

Which are a total waste of time.

brandon




Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-25 Thread Brandon Butterworth



LOA are a charade enabling blame dissipation when events demonstrate those
involved should have carried out proper diligence.

So ROA would appear to be an advance on that and if there was one it would
be silly to accept a LOA that conflicted it. Do those requesting LOA check
for a ROA?

> My only experiences with LoA's is for DC cross-connects

Which are a total waste of time.

brandon
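One way a party handed an LOA could perform the check Brandon asks about (does a published ROA conflict with, or already cover, the prefix and origin on the letter), as an added example that is not part of the thread: it applies RFC 6811 route origin validation to a set of validated ROA payloads (prefix, maxLength, origin AS) and turns the result into a decision about the LOA. The VRPs and requests are constructed sample data using documentation prefixes and documentation AS numbers.

```python
"""Checking an LOA's prefix/origin pair against published ROAs.

Added example, not code from the uknof thread. Origin validation follows
RFC 6811; the VRPs below are constructed sample data (documentation space).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    VALID = "valid"          # a covering ROA authorises this origin
    INVALID = "invalid"      # covering ROA(s) exist but none authorise it
    NOT_FOUND = "not-found"  # no ROA covers the prefix at all


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: covering prefix, maxLength, authorised origin."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def parse_vrp(line: str) -> VRP:
    """Parse one 'prefix,maxLength,ASN' record as RPKI validators export them."""
    prefix, maxlen, asn = (f.strip() for f in line.split(","))
    net = ipaddress.ip_network(prefix, strict=True)
    max_length = int(maxlen)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    asn = asn.upper()
    return VRP(net, max_length, int(asn[2:] if asn.startswith("AS") else asn))


def validate(vrps, prefix: str, origin_asn: int) -> State:
    """RFC 6811 origin validation of one route/origin pair against the VRPs."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [v for v in vrps
                if v.prefix.version == route.version
                and route.subnet_of(v.prefix)]
    if not covering:
        return State.NOT_FOUND
    # An AS0 ROA (asn == 0) never matches a real origin, so it only ever
    # makes covered routes Invalid, which is exactly its purpose.
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return State.VALID
    return State.INVALID


def review_loa(vrps, prefix: str, origin_asn: int) -> str:
    """What an LOA for (prefix, origin) is worth given the published ROAs."""
    state = validate(vrps, prefix, origin_asn)
    if state is State.INVALID:
        return "reject: a published ROA conflicts with this LOA"
    if state is State.VALID:
        return "redundant: a ROA already authorises this origin"
    return "unverified: no ROA covers the prefix, confirm with the holder"


# Constructed sample VRPs (documentation prefixes, documentation ASNs, AS0).
SAMPLE_VRPS = [parse_vrp(line) for line in (
    "192.0.2.0/24,24,AS64496",
    "2001:db8::/32,48,AS64497",
    "203.0.113.0/24,24,AS0",  # AS0 ROA: the prefix must not be originated
)]

if __name__ == "__main__":
    for prefix, asn in (("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("203.0.113.0/24", 64496), ("198.51.100.0/24", 64496)):
        print(prefix, asn, validate(SAMPLE_VRPS, prefix, asn).value, "->",
              review_loa(SAMPLE_VRPS, prefix, asn))
```

A "not-found" result is where the LOA is the only evidence on the table, which is the case the thread argues should be confirmed with the prefix holder rather than taken on faith.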




Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-25 Thread Christopher Hawker
Hi James,

This survey wasn't targeted at larger Tier 1 or similar networks. We
acknowledge that not all transit providers request an LoA, and this has
been factored into this. Our research is around the viability of replacing
LOAs with using ROAs for those who may still use LOAs to prove they are
authorised to use prefixes assigned/allocated to them.

I was not the original author of the survey so I can't speak as to why
questions were worded the way they were, however, I believe that it was
designed to look at the upstream relationship from the customer to the
transit provider and the questions worded accordingly. It's not designed to
be an exhaustive source of information.

Naturally, this would not be usable for legacy IP space that doesn't have
access to RPKI and would have to use LOAs if required, however that's a
whole different discussion.

Regards,
Christopher Hawker

P.S. Merry Christmas :)

On Mon, 25 Dec 2023 at 21:39, James Bensley  wrote:

> On Monday, November 27th, 2023 at 05:03, Christopher Hawker <
> [email protected]> wrote:
>
> Hello everyone,
>
> Aftab Siddiqui is currently exploring the possibility of using Route
> Object Authorisations (ROAs) as a potential replacement to LOAs.
>
>
>
> Hi Christopher,
>
> This survey was sent to the NANOG list and there someone responded saying
> that they have been in the service provider world for 10 years and only had
> to send a LoA once, with regards to authorisation for IP announcements.
>
> I have been working in the SP world for 15-ish years and I have worked
> with all Tier 1's at different points, and I have never had to send a LoA.
>
> My only experiences with LoA's is for DC cross-connects (in this context I
> have sent and received many). So the survey seems flawed in that the first
> question should be something like "do you send and accept LoA's regarding
> prefix announcements" because, the survey is based on the assumption that
> everyone is using LoAs for this, I think this initial assumption needs
> clarifying.
>
> Cheers,
> James.
>
>


Re: [uknof] Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-12-25 Thread James Bensley via uknof
On Monday, November 27th, 2023 at 05:03, Christopher Hawker 
 wrote:

> Hello everyone,
>
> Aftab Siddiqui is currently exploring the possibility of using Route Object 
> Authorisations (ROAs) as a potential replacement to LOAs.

Hi Christopher,

This survey was sent to the NANOG list and there someone responded saying that 
they have been in the service provider world for 10 years and only had to send 
a LoA once, with regards to authorisation for IP announcements.

I have been working in the SP world for 15-ish years and I have worked with all 
Tier 1's at different points, and I have never had to send a LoA.

My only experiences with LoA's is for DC cross-connects (in this context I have 
sent and received many). So the survey seems flawed in that the first question 
should be something like "do you send and accept LoA's regarding prefix 
announcements" because, the survey is based on the assumption that everyone is 
using LoAs for this, I think this initial assumption needs clarifying.

Cheers,
James.