Re: authority to route?

2012-11-16 Thread Valdis . Kletnieks
On Thu, 15 Nov 2012 23:05:39 -0800, Kyle Creyts said:
> Jeez, isn't RPKI supposed to solve this problem?

That would presume the existence of a deployed system that
everybody actually used.




Re: authority to route?

2012-11-16 Thread Richard Barnes
I think Heather was pointing out that this would be a good time to actually
use it.


On Fri, Nov 16, 2012 at 12:55 PM, valdis.kletni...@vt.edu wrote:

> On Thu, 15 Nov 2012 23:05:39 -0800, Kyle Creyts said:
> > Jeez, isn't RPKI supposed to solve this problem?
>
> That would presume the existence of a deployed system that
> everybody actually used.



RE: authority to route?

2012-11-15 Thread Schiller, Heather A

> ..for some blocks I've taken over admin for.

Make sure you are visibly listed as a Point of Contact on those records in
the appropriate RIR, so that folks who get your request can verify you. Even
better, register in your RIR's RPKI program and generate a ROA for it. Info
about ARIN's here: https://www.arin.net/resources/rpki/index.html

Then yes, notify their upstreams/peers if needed and post here if things get
really desperate - have your records in order first.

--Heather

-----Original Message-----
From: Jim Mercer [mailto:j...@reptiles.org] 
Sent: Monday, November 12, 2012 2:44 PM
To: nanog@nanog.org
Subject: authority to route?

Hi,

Is there a common practice of providers to vet / validate requests to advertise 
blocks?

Who is the authority when it comes to determining if a request for routing is 
valid?

Is it the WHOIS data maintained by the various RIR?

It seems I'm playing whack-a-mole to get some routes shut down for some blocks 
I've taken over admin for.

If I email the contacts for the AS in WHOIS, and get no response, or a negative 
response, should I start going to their peers?

Some practical advice would be appreciated.

-- 
Jim Mercer    Reptilian Research    j...@reptiles.org    +1 416 410-5633
He who dies with the most toys is nonetheless dead




Re: authority to route?

2012-11-15 Thread Kyle Creyts
Jeez, isn't RPKI supposed to solve this problem?

On Thu, Nov 15, 2012 at 10:36 AM, Schiller, Heather A
heather.schil...@verizon.com wrote:

> > ..for some blocks I've taken over admin for.
>
> Make sure you are visibly listed as a Point of Contact on those records in
> the appropriate RIR, so that folks who get your request can verify you. Even
> better, register in your RIR's RPKI program and generate a ROA for it. Info
> about ARIN's here: https://www.arin.net/resources/rpki/index.html
>
> Then yes, notify their upstreams/peers if needed and post here if things get
> really desperate - have your records in order first.
>
> --Heather
>
> -----Original Message-----
> From: Jim Mercer [mailto:j...@reptiles.org]
> Sent: Monday, November 12, 2012 2:44 PM
> To: nanog@nanog.org
> Subject: authority to route?
>
> Hi,
>
> Is there a common practice of providers to vet / validate requests to
> advertise blocks?
>
> Who is the authority when it comes to determining if a request for routing
> is valid?
>
> Is it the WHOIS data maintained by the various RIR?
>
> It seems I'm playing whack-a-mole to get some routes shut down for some
> blocks I've taken over admin for.
>
> If I email the contacts for the AS in WHOIS, and get no response, or a
> negative response, should I start going to their peers?
>
> Some practical advice would be appreciated.
>
> --
> Jim Mercer    Reptilian Research    j...@reptiles.org    +1 416 410-5633
> He who dies with the most toys is nonetheless dead





-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer



Re: authority to route?

2012-11-14 Thread Joe Abley

On 2012-11-12, at 14:43, Jim Mercer j...@reptiles.org wrote:

> Is there a common practice of providers to vet / validate requests to
> advertise blocks?

Yes, most providers whose customers request a particular route to be pointed 
towards them will ask for ambiguous instructions, written on letterhead with 
crayon, and signed illegibly by someone who may or may not have authority to do 
so but who in any case cannot be identified clearly by their scrawl.

Ideally the letterhead should be crudely constructed in photoshop and then 
faxed across a noisy analogue line.

Once you have one of those babies in your file, no lawyer can touch you.


Joe




Re: authority to route?

2012-11-14 Thread joel jaeggli

On 11/14/12 2:40 PM, Joe Abley wrote:

> On 2012-11-12, at 14:43, Jim Mercer j...@reptiles.org wrote:
>
> > Is there a common practice of providers to vet / validate requests to
> > advertise blocks?
>
> Yes, most providers whose customers request a particular route to be pointed
> towards them will ask for ambiguous instructions, written on letterhead with
> crayon, and signed illegibly by someone who may or may not have authority to do
> so but who in any case cannot be identified clearly by their scrawl.

Some providers ask for route objects and appropriate import/export
policy in RADB. That's fundamentally no higher quality an attestation than a
LOA but it's a lot easier to read.

> Ideally the letterhead should be crudely constructed in photoshop and then
> faxed across a noisy analogue line.
>
> Once you have one of those babies in your file, no lawyer can touch you.
>
> Joe








Re: authority to route?

2012-11-14 Thread Mark Gauvin
Careful though, 'cause the crayons must be Crayola approved

Sent from my iPhone

On 2012-11-14, at 5:28 PM, joel jaeggli joe...@bogus.com wrote:

> On 11/14/12 2:40 PM, Joe Abley wrote:
> > On 2012-11-12, at 14:43, Jim Mercer j...@reptiles.org wrote:
> >
> > > Is there a common practice of providers to vet / validate requests to
> > > advertise blocks?
> >
> > Yes, most providers whose customers request a particular route to be pointed
> > towards them will ask for ambiguous instructions, written on letterhead with
> > crayon, and signed illegibly by someone who may or may not have authority to
> > do so but who in any case cannot be identified clearly by their scrawl.
>
> Some providers ask for route objects and appropriate import/export
> policy in RADB. That's fundamentally no higher quality an attestation than a
> LOA but it's a lot easier to read.
>
> > Ideally the letterhead should be crudely constructed in photoshop and then
> > faxed across a noisy analogue line.
> >
> > Once you have one of those babies in your file, no lawyer can touch you.
> >
> > Joe
 
 
 
 
 



Re: authority to route?

2012-11-14 Thread Robert Glover
Another big-name-big-$$$ vendor whose name begins with C.  Sounds like 
a conspiracy to me


On 11/14/2012 5:09 PM, Mark Gauvin wrote:

> Careful though, 'cause the crayons must be Crayola approved
>
> Sent from my iPhone
>
> On 2012-11-14, at 5:28 PM, joel jaeggli joe...@bogus.com wrote:
>
> > On 11/14/12 2:40 PM, Joe Abley wrote:
> >
> > > On 2012-11-12, at 14:43, Jim Mercer j...@reptiles.org wrote:
> > >
> > > > Is there a common practice of providers to vet / validate requests to
> > > > advertise blocks?
> > >
> > > Yes, most providers whose customers request a particular route to be pointed
> > > towards them will ask for ambiguous instructions, written on letterhead with
> > > crayon, and signed illegibly by someone who may or may not have authority to do
> > > so but who in any case cannot be identified clearly by their scrawl.
> >
> > Some providers ask for route objects and appropriate import/export
> > policy in RADB. That's fundamentally no higher quality an attestation than a
> > LOA but it's a lot easier to read.
> >
> > > Ideally the letterhead should be crudely constructed in photoshop and then
> > > faxed across a noisy analogue line.
> > >
> > > Once you have one of those babies in your file, no lawyer can touch you.
> > >
> > > Joe










Re: authority to route?

2012-11-12 Thread Jimmy Hess
On 11/12/12, Jim Mercer j...@reptiles.org wrote:
> Hi,
> Is there a common practice of providers to vet / validate requests to
> advertise blocks?

There is a common practice of providers to require an initial Letter
of authorization from the org listed in WHOIS when first setting up,
and manual request to allow the prefix or entry of the route in an
internet routing registry, for end users to originate prefixes.

> Who is the authority when it comes to determining if a request for
> routing is valid?

Defined by routing policy of the provider considering the request, and
their upstreams.

> Is it the WHOIS data maintained by the various RIR?

WHOIS data is often used for that purpose; the basic information
about the organization listed as registrant of the block is considered
authoritative, in general.

> It seems I'm playing whack-a-mole to get some routes shut down for some
> blocks I've taken over admin for.

It would probably help to submit to them in writing, that the org
responsible for the block never authorized the space to be announced
by the provider originating it, inform that their unauthorized
announcement is causing network issues and costing money, and request
that they suppress it.

If that's not the case, e.g. if at any time there was bona fide
authorization, then the dispute is something to be discussed with the
downstream org still routing the block.

If their peers question them about it, they might have the prior LOA
on file to show the peers; it is not as if such things expire, or can
necessarily be easily withdrawn, it depends on the agreement that
allowed the advertisement to be authorized, in that case.

Listing of an e-mail address in WHOIS as an admin contact does not
necessarily imply authority that a provider is entitled to rely upon,
to tell a peer to shut down the network.

> If I email the contacts for the AS in WHOIS, and get no response, or a
> negative response, should I start going to their peers?

It's an option. Their peers may summarily ignore the request to
disrupt the network by shutting down a customer's announcements,
though, on the word of an email, if it's not very obvious that they
are bad announcements.

You may need to email and call, and possibly fax and mail.

> Some practical advice would be appreciated.
> --
> Jim Mercer    Reptilian Research    j...@reptiles.org    +1 416 410-5633

--
-JH