Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-20 Thread Michael K. Smith



On 9/19/08 5:53 PM, seph [EMAIL PROTECTED] wrote:

 Stephen Sprunk [EMAIL PROTECTED] writes:
 
 Azinger, Marla wrote:
 I use RWHOIS for proof of who we assign and allocate address space to.
 
 
 How is _you_ showing information in an RWHOIS server that _you_
 control in any way proving that the holder of an address block is
 authorizing _you_ to advertise it on their behalf?
 
 At least in my case, it's not *my* rwhois server. My first ISP lists me
 as the owner/user/whatever in *their* rwhois server, and my second ISP
 considers that authoritative.
 
Wouldn't it be interesting if every service provider queried the RIRs to
find out who owns the block and then did some due diligence to make sure
the block is being advertised by the right person.

Mike




Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-19 Thread seph
Stephen Sprunk [EMAIL PROTECTED] writes:

 Azinger, Marla wrote:
 I use RWHOIS for proof of who we assign and allocate address space to.  


 How is _you_ showing information in an RWHOIS server that _you_
 control in any way proving that the holder of an address block is
 authorizing _you_ to advertise it on their behalf?

At least in my case, it's not *my* rwhois server. My first ISP lists me
as the owner/user/whatever in *their* rwhois server, and my second ISP
considers that authoritative.

seph



RE: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-18 Thread Azinger, Marla
I use RWHOIS for proof of who we assign and allocate address space to.  I don't 
believe an LOA is any more valid or secure than my RWHOIS database that I keep 
and update on a daily basis.  In this case I find it a waste of time when 
people ask me for LOA's when they can verify the info on my RWHOIS site.  And I 
point these people to my RWHOIS site when they ask for LOA as opposed to 
wasting my time on creating paperwork. However, if you don't have something like 
that set up, then I do see the value in people asking for LOA and thus helping 
to ensure address space isn't getting hijacked.

My 2 cents
Marla Azinger
Frontier Communications

-Original Message-
From: Joe Greco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2008 9:22 AM
To: Raoul Bhatia [IPAX]
Cc: nanog@nanog.org
Subject: Re: LoA (Letter of Authorization) for Prefix Filter Modification?

 Joe Greco wrote:
  How do you verify the authenticity of anything?  This is a common
  problem in the Real World, and is hardly limited to LoA's.
 
  How do you prove that what was on Pages 1 to (N-1) of an N page
  contract contained the words you think they said?  I knew a guy,
  back in the early days, who habitually changed the SLA's in his
  contracts so that he could cancel a contract for virtually no reason
  at all ... the folly of mailing around contracts as .doc files in
  e-mail.  But even failing that, it's pretty trivial to reprint a
  document, so where do you stop, do you use special paper, special
  ink, watermarking of documents, initial each page, all of the above, etc?

 what about using a digital signature of e.g. a PDF version of a scan?

Try putting that up next to an apparently legitimate but actually subtly 
modified paper contract with signatures, in a court of law, and feel free to 
inform us of which one the court finds more compelling.

In an environment where there's an established history and standard procedures, 
they're typically going to prefer the familiar method.

In our world, if we were to have some sort of crypto-based way to have a 
netblock owner sign something like that, yeah, that'd be great, and it would 
mean that the community would generally be able to manage the issue without 
having to resort to faxed-around LoA's, etc., but we don't have that 
infrastructure, or even a common/widespread LoA system.  Sigh.

I'm not arguing that some sort of technical/crypto infrastructure for 
authorizing the advertisement of space shouldn't be developed, and in fact I 
think it should.  However, as an interim step, things like LoA's are much 
better than nothing at all, and worrying about the authenticity of an LoA is 
probably not worth the time and effort, given the way these things tend to work 
out.  If there's cause for concern, those who are receiving the LoA's will ramp 
up the paranoia.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-18 Thread Stephen Sprunk

Azinger, Marla wrote:

I use RWHOIS for proof of who we assign and allocate address space to.  I don't 
believe an LOA is any more valid or secure than my RWHOIS database that I keep 
and update on a daily basis.  In this case I find it a waste of time when 
people ask me for LOA's when they can verify the info on my RWHOIS site.  And I 
point these people to my RWHOIS site when they ask for LOA as opposed to 
wasting my time on creating paperwork. However, if you don't have something like 
that set up, then I do see the value in people asking for LOA and thus helping 
to ensure address space isn't getting hijacked.
  


How is _you_ showing information in an RWHOIS server that _you_ control 
in any way proving that the holder of an address block is authorizing 
_you_ to advertise it on their behalf?  It is not unreasonable for your 
upstreams to ask for some proof _from the holder_ rather than simply 
trusting you.  For all they know, you're just hijacking random address 
space and putting it in your RWHOIS server.


Would you be happy if some random Tier 1 started letting _their_ 
customers advertise _your_ address space, just because those customers 
had put up an RWHOIS server claiming it was theirs?


This is not about asking you for an LoA for your own address space, 
which any moron can follow in a reasonably trustworthy chain from ARIN 
to you.  It's about address space that is _not_ directly registered to 
the company trying to get a filter exception.


S
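Mike's "query the RIRs and do some due diligence" and Stephen's "chain from ARIN to you" both come down to reading the registry delegation chain for the requested prefix and asking where the requester sits in it. The following is an added example written for this page, not code from anyone in the thread; it runs that check over a constructed in-memory registry (every organisation name and prefix is made up) in place of live whois/RWHOIS lookups, and it also catches the case Stephen describes, a downstream RWHOIS record that contradicts the RIR's parent allocation.

```python
import ipaddress

# Constructed sample registry standing in for the RIR whois and downstream
# RWHOIS records a provider would actually query.  Each entry maps a block to
# (holder organisation, organisation that delegated it, or None for a direct
# RIR allocation).  Every name and prefix here is made up for this example.
REGISTRY = {
    "203.0.113.0/24":    ("Example Transit", None),
    "203.0.113.0/26":    ("Example Customer", "Example Transit"),
    "198.51.100.0/24":   ("Other Org", None),
    # A downstream RWHOIS claim that contradicts the RIR's parent record.
    "198.51.100.128/25": ("Example Customer", "Example Transit"),
}


def covering_chain(prefix):
    """Registry records covering `prefix` as (network, holder, delegated_by),
    most specific first, i.e. the delegation chain read back toward the RIR."""
    net = ipaddress.ip_network(prefix, strict=False)
    chain = []
    for text, (holder, delegated_by) in REGISTRY.items():
        block = ipaddress.ip_network(text)
        if block.version == net.version and net.subnet_of(block):
            chain.append((block, holder, delegated_by))
    chain.sort(key=lambda rec: rec[0].prefixlen, reverse=True)
    return chain


def chain_is_consistent(chain):
    """True when every record names the holder of the next-wider block as its
    delegator and the widest block is a direct RIR allocation."""
    for i, (_, _, delegated_by) in enumerate(chain):
        expected = chain[i + 1][1] if i + 1 < len(chain) else None
        if delegated_by != expected:
            return False
    return True


def assess_filter_request(prefix, requester):
    """Classify a filter-exception request from `requester` for `prefix`.

    Returns (status, registered_holder), where status is one of:
      HOLDER                  requester holds the block; the registry suffices
      DELEGATED_BY_REQUESTER  requester delegated it to the holder; take the
                              holder's LoA, the registry backs the story
      UNRELATED               requester is nowhere in the chain; take the
                              holder's LoA and confirm it with the holder
      INCONSISTENT            a record contradicts its parent; escalate
      UNREGISTERED            nothing covers the prefix; reject
    """
    chain = covering_chain(prefix)
    if not chain:
        return ("UNREGISTERED", None)
    holder = chain[0][1]
    if not chain_is_consistent(chain):
        return ("INCONSISTENT", holder)
    if holder == requester:
        return ("HOLDER", holder)
    if any(rec[1] == requester for rec in chain[1:]):
        return ("DELEGATED_BY_REQUESTER", holder)
    return ("UNRELATED", holder)


if __name__ == "__main__":
    for prefix in ("203.0.113.0/26", "198.51.100.0/24",
                   "198.51.100.128/25", "192.0.2.0/24"):
        print(prefix, assess_filter_request(prefix, "Example Transit"))
```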



Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-17 Thread Raoul Bhatia [IPAX]
Joe Greco wrote:
 How do you verify the authenticity of anything?  This is a common problem
 in the Real World, and is hardly limited to LoA's.
 
 How do you prove that what was on Pages 1 to (N-1) of an N page contract
 contained the words you think they said?  I knew a guy, back in the early
 days, who habitually changed the SLA's in his contracts so that he could
 cancel a contract for virtually no reason at all ... the folly of mailing
 around contracts as .doc files in e-mail.  But even failing that, it's
 pretty trivial to reprint a document, so where do you stop, do you use
 special paper, special ink, watermarking of documents, initial each page,
 all of the above, etc?

what about using a digital signature of e.g. a PDF version of a scan?

cheers,
raoul
-- 

DI (FH) Raoul Bhatia M.Sc.          email.  [EMAIL PROTECTED]
Technical Director

IPAX - Aloy Bhatia Hava OEG         web.    http://www.ipax.at
Barawitzkagasse 10/2/2/11           email.  [EMAIL PROTECTED]
1190 Wien                           tel.    +43 1 3670030
FN 277995t HG Wien                  fax.    +43 1 3670030 15




Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-17 Thread Joe Greco
 Joe Greco wrote:
  How do you verify the authenticity of anything?  This is a common problem
  in the Real World, and is hardly limited to LoA's.
  
  How do you prove that what was on Pages 1 to (N-1) of an N page contract
  contained the words you think they said?  I knew a guy, back in the early
  days, who habitually changed the SLA's in his contracts so that he could
  cancel a contract for virtually no reason at all ... the folly of mailing
  around contracts as .doc files in e-mail.  But even failing that, it's
  pretty trivial to reprint a document, so where do you stop, do you use
  special paper, special ink, watermarking of documents, initial each page,
  all of the above, etc?
 
 what about using a digital signature of e.g. a PDF version of a scan?

Try putting that up next to an apparently legitimate but actually subtly 
modified paper contract with signatures, in a court of law, and feel free
to inform us of which one the court finds more compelling.

In an environment where there's an established history and standard
procedures, they're typically going to prefer the familiar method.

In our world, if we were to have some sort of crypto-based way to have a
netblock owner sign something like that, yeah, that'd be great, and it
would mean that the community would generally be able to manage the issue
without having to resort to faxed-around LoA's, etc., but we don't have
that infrastructure, or even a common/widespread LoA system.  Sigh.

I'm not arguing that some sort of technical/crypto infrastructure for
authorizing the advertisement of space shouldn't be developed, and in fact
I think it should.  However, as an interim step, things like LoA's are 
much better than nothing at all, and worrying about the authenticity of
an LoA is probably not worth the time and effort, given the way these
things tend to work out.  If there's cause for concern, those who are
receiving the LoA's will ramp up the paranoia.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Jon Lewis

On Tue, 16 Sep 2008, Rodriguez, Mauricio wrote:

Recently, one of our Transit providers has started requiring a Letter of 
Authorization for addition of any of our own Transit customers' prefixes 
to their filters.  The verbiage of the LoA basically states that the 
owner of the assignment or allocation (not necessarily our customer) 
allows us to advertise their prefixes through our service.


Is this a common practice?  Our past experience indicates that a simple 
request to a NOC or update of a routing registry usually is sufficient.


It's not unheard of.  Most providers don't require it, but I have run into 
a few who do.  It's a minor PITA compared to the web interfaces some 
providers make you use to request filter updates.



--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Christian Koch
I don't mind, I think it is another good step towards 'good filtering'
but... I think the PITA part is downstream 'clueless' customers, who may
need an explanation on prefix hijacking and the state of the internet today,
and that these are all just combined efforts to minimize the risk of
accepting allocations that don't belong to you.


Christian




On Tue, Sep 16, 2008 at 9:56 AM, Jon Lewis [EMAIL PROTECTED] wrote:
 On Tue, 16 Sep 2008, Rodriguez, Mauricio wrote:

 Recently, one of our Transit providers has started requiring a Letter of
 Authorization for addition of any of our own Transit customers' prefixes to
 their filters.  The verbiage of the LoA basically states that the owner of
 the assignment or allocation (not necessarily our customer) allows us to
 advertise their prefixes through our service.

 Is this a common practice?  Our past experience indicates that a simple
 request to a NOC or update of a routing registry usually is sufficient.

 It's not unheard of.  Most providers don't require it, but I have run into a
 few who do.  It's a minor PITA compared to the web interfaces some providers
 make you use to request filter updates.


 --
  Jon Lewis   |  I route
  Senior Network Engineer |  therefore you are
  Atlantic Net|
 _ http://www.lewis.org/~jlewis/pgp for PGP public key_





RE: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Randy Epstein
Is this a common practice?  Our past experience indicates that a simple
request to a NOC or update of a routing registry usually is sufficient.

Regards,
Mauricio Rodriguez
FPL Fibernet, LLC

Cogent AFAIK have been doing this for years.  Not many others require this
unless there is a serious question over the request.

Randy




Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Jon Lewis

On Tue, 16 Sep 2008, Christian Koch wrote:


I don't mind, I think it is another good step towards 'good filtering'
but... I think the PITA part is downstream 'clueless' customers, who may
need an explanation on prefix hijacking and the state of the internet today,
and that these are all just combined efforts to minimize the risk of
accepting allocations that don't belong to you.


IMO, it's just an illusion of added security and is really just CYA for 
the provider.  When I fax TWTelecom an LOA that a customer faxed to me, 
how does TWTelecom verify the authenticity of that LOA?  I doubt they try. 
I suspect it's just filed, and will only be pulled out if the 
advertisement is challenged by some 3rd party.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Christian Koch
good point... :)

On Tue, Sep 16, 2008 at 10:24 AM, Jon Lewis [EMAIL PROTECTED] wrote:
 On Tue, 16 Sep 2008, Christian Koch wrote:

 I don't mind, I think it is another good step towards 'good filtering'
 but... I think the PITA part is downstream 'clueless' customers, who may
 need an explanation on prefix hijacking and the state of the internet today,
 and that these are all just combined efforts to minimize the risk of
 accepting allocations that don't belong to you.

 IMO, it's just an illusion of added security and is really just CYA for the
 provider.  When I fax TWTelecom an LOA that a customer faxed to me, how does
 TWTelecom verify the authenticity of that LOA?  I doubt they try. I suspect
 it's just filed, and will only be pulled out if the advertisement is
 challenged by some 3rd party.

 --
  Jon Lewis   |  I route
  Senior Network Engineer |  therefore you are
  Atlantic Net|
 _ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Joe Greco
 On Tue, 16 Sep 2008, Christian Koch wrote:
  I don't mind, I think it is another good step towards 'good filtering'
  but... I think the PITA part is downstream 'clueless' customers, who may
  need an explanation on prefix hijacking and the state of the internet today,
  and that these are all just combined efforts to minimize the risk of
  accepting allocations that don't belong to you.
 
 IMO, it's just an illusion of added security and is really just CYA for 
 the provider.  When I fax TWTelecom an LOA that a customer faxed to me, 
 how does TWTelecom verify the authenticity of that LOA?  I doubt they try. 
 I suspect it's just filed, and will only be pulled out if the 
 advertisement is challenged by some 3rd party.

How do you verify the authenticity of anything?  This is a common problem
in the Real World, and is hardly limited to LoA's.

How do you prove that what was on Pages 1 to (N-1) of an N page contract
contained the words you think they said?  I knew a guy, back in the early
days, who habitually changed the SLA's in his contracts so that he could
cancel a contract for virtually no reason at all ... the folly of mailing
around contracts as .doc files in e-mail.  But even failing that, it's
pretty trivial to reprint a document, so where do you stop, do you use
special paper, special ink, watermarking of documents, initial each page,
all of the above, etc?

Look at what people are willing to go through with paper checks to
increase the chances of authenticity.  Google Abagnale.

The real world already has ways of dealing with fraud and forgery, and
while the paper is certainly CYA for the provider, it does provide an
actual trail back that can probably be followed to some party.  To refer
to it as an illusion is only vaguely true.  It is an illusion in that
it will not prevent all cases of hijacking.  Of course.  However, it is
another step that makes it significantly more difficult for someone to 
just start announcing random bits of IP space.

It's just like physical security, in many ways.  Given a sufficiently
determined attacker, any door can be broken.  Wood door?  May require
only my boot.  Steel door?  Prybar.  Bank vault?  Explosives.  Etc.
The thing is, as you increase the level of protection, the ease of
countermeasures typically decreases (I wear my boots almost 100% of
the time, I may have a prybar nearby, but I am unlikely to be carrying
explosives at any time.)

So let's not trivialize improvements such as LoA's which reduce the ease
of hijackings, eh.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



RE: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Skywing
It is only a good audit trail if the audit log can be trusted, though.  Given 
how secure things like faxes are, well, that's a thing for another day, I 
suppose.

Very few things out there in today's interconnected world really provide hard 
security, instead of security theatre/CYA/minor deterrents/keeping honest 
people honest.

That is not to say that these things have zero inherent value, at least in my 
mind, but they are not IMO to be confused with high security (as in military 
grade versus making a few clever [socially engineered] phone calls).

Even so, much of the modern day business world relies on these things to some 
degree or another.

- S

-Original Message-
From: Joe Greco [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2008 11:15
To: Jon Lewis [EMAIL PROTECTED]
Cc: Rodriguez Mauricio [EMAIL PROTECTED]; nanog@nanog.org nanog@nanog.org
Subject: Re: LoA (Letter of Authorization) for Prefix Filter Modification?


 On Tue, 16 Sep 2008, Christian Koch wrote:
  I don't mind, I think it is another good step towards 'good filtering'
  but... I think the PITA part is downstream 'clueless' customers, who may
  need an explanation on prefix hijacking and the state of the internet today,
  and that these are all just combined efforts to minimize the risk of
  accepting allocations that don't belong to you.

 IMO, it's just an illusion of added security and is really just CYA for
 the provider.  When I fax TWTelecom an LOA that a customer faxed to me,
 how does TWTelecom verify the authenticity of that LOA?  I doubt they try.
 I suspect it's just filed, and will only be pulled out if the
 advertisement is challenged by some 3rd party.

How do you verify the authenticity of anything?  This is a common problem
in the Real World, and is hardly limited to LoA's.

How do you prove that what was on Pages 1 to (N-1) of an N page contract
contained the words you think they said?  I knew a guy, back in the early
days, who habitually changed the SLA's in his contracts so that he could
cancel a contract for virtually no reason at all ... the folly of mailing
around contracts as .doc files in e-mail.  But even failing that, it's
pretty trivial to reprint a document, so where do you stop, do you use
special paper, special ink, watermarking of documents, initial each page,
all of the above, etc?

Look at what people are willing to go through with paper checks to
increase the chances of authenticity.  Google Abagnale.

The real world already has ways of dealing with fraud and forgery, and
while the paper is certainly CYA for the provider, it does provide an
actual trail back that can probably be followed to some party.  To refer
to it as an illusion is only vaguely true.  It is an illusion in that
it will not prevent all cases of hijacking.  Of course.  However, it is
another step that makes it significantly more difficult for someone to
just start announcing random bits of IP space.

It's just like physical security, in many ways.  Given a sufficiently
determined attacker, any door can be broken.  Wood door?  May require
only my boot.  Steel door?  Prybar.  Bank vault?  Explosives.  Etc.
The thing is, as you increase the level of protection, the ease of
countermeasures typically decreases (I wear my boots almost 100% of
the time, I may have a prybar nearby, but I am unlikely to be carrying
explosives at any time.)

So let's not trivialize improvements such as LoA's which reduce the ease
of hijackings, eh.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-16 Thread Joe Greco
 It is only a good audit trail if the audit log can be trusted, though.  Given 
 how secure things like faxes are, well, that's a thing for another day, I 
 suppose.
 
 Very few things out there in today's interconnected world really provide 
 hard security, instead of security theatre/CYA/minor deterrents/keeping 
 honest people honest.
 
 That is not to say that these things have zero inherent value, at least in my 
 mind, but they are not IMO to be confused with high security (as in military 
 grade versus making a few clever [socially engineered] phone calls).
 
 Even so, much of the modern day business world relies on these things to some 
 degree or another.

As I said, there are already ways to deal with these issues.
Unfortunately, most of them are reactive in nature.  Despite that fact, I
would much prefer to see a LoA, which will have some significant deterrent
value, rather than nothing at all.

The security of faxes has very little to do with it.  If twtelecom finds
that Jon Lewis over at Atlantic.net is sending in LoA's that turn out to
be fraudulent, it is very likely that the level of scrutiny for future
LoA's will suddenly increase, maybe involving calls to ARIN, the contact
information for the organization in question, etc., to try to further
determine the authenticity.  On the flip side, if Jon has sent in a hundred
LoA's, and none have ever been questioned, the level of scrutiny is likely
to be reasonably low.  Risk assessment in this environment isn't *that*
rough, and worrying about whether or not the trail can be audited/
authenticated, security of faxes, etc., may be excessively paranoid.

We do not have an Internet that is designed with hard security in mind,
so worrying about the easily attacked portions is certainly worthwhile, but
let's be thoughtful, rather than obsessive, about it.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.