Is the LoA DoA for Routing? - article at FIRST blog
FYI https://www.first.org/blog/20231222-Is-the-LoA-DoA-for-Routing This article introduces the idea that instead of using LoAs for routing purposes, people should instead rely on ROAs and ROV. Best Regards, Carlos Sent with [Proton Mail](https://proton.me/) secure email.
Hi, On Fri, Jan 19, 2024 at 08:24:32AM +0000, Carlos Friaças via anti-abuse-wg wrote:
FYI
https://www.first.org/blog/20231222-Is-the-LoA-DoA-for-Routing
This article introduces the idea that instead of using LoAs for routing purposes, people should instead rely on ROAs and ROV.
It's a good writeup to enlighten the unenlighted, but hardly a "novel approach" ("introduces the idea...") - this is how we've run our network for the last 20 years, or so. IRR filters based on RIPE route: objects, and later on ROA info. Paper never played any role in authorizing route announcements here (not even fax). Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On Friday, 19 January 2024 at 08:36, Gert Doering <gert@space.net> wrote:
It's a good writeup to enlighten the unenlighted, but hardly a "novel approach" ("introduces the idea...") - this is how we've run our network for the last 20 years, or so. IRR filters based on RIPE route: objects, and later on ROA info.
Paper never played any role in authorizing route announcements here (not even fax).
Hi, Great for you and the networks you manage, unfortunately (in the ~75k networks/autonomous systems) there is still people around the world that accept and rely on simple signed papers by someone. Even if who signs it can't hold what they claim with the RIRs' trust anchors... ;-) ps: unfortunately i have not enabled IPv6 on something today (did my part long ago...), but last week i still received a LoA :-) so yes, some people are still pushing papers. Cheers, Carlos
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
In message <ABdrBB0jYhxc80IBnfktLZxf6YnapVQHxqKeJFoSIGBISKB6gMAPc7nSa1wR Va_v8BrYuk24D9cIkXWrobH5GP6glyx1OWikfNFwTb_jnBE=@protonmail.com>, Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net> writes
Great for you and the networks you manage, unfortunately (in the ~75k networks/autonomous systems) there is still people around the world that accept and rely on simple signed papers by someone. Even if who signs it can't hold what they claim with the RIRs' trust anchors... ;-)
A key point that the article misses is that yes, LOAs can (and have been) forged. However forging them is a criminal act (in the US it will be charged under "wirefraud" statutes) -- and numerous of the criminal proceedings which have been undertaken for theft of IP resources have used the wirefraud statutes. Yes, stealing a private key (or guessing a password to it) and then creating cryptographic signed objects is also likely to be criminal but it may be somewhat harder for courts to understand (and for the matter for prosecutors to identify suitable caselaw that makes the current case somewhat more open and shut). [[ Also, I have been told that some forgeries are laughably inept, whereas laughably weak passwords are a little harder to spot ]] -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
Greetings, On Friday, 19 January 2024 at 11:40, Richard Clayton <richard@highwayman.com> wrote:
A key point that the article misses is that yes, LOAs can (and have been) forged.
Yes, that didn't reach the final version in an explicit way... :-)
However forging them is a criminal act (in the US it will be charged under "wirefraud" statutes) -- and numerous of the criminal proceedings which have been undertaken for theft of IP resources have used the wirefraud statutes.
Luckly! :-)
Yes, stealing a private key (or guessing a password to it) and then creating cryptographic signed objects is also likely to be criminal but it may be somewhat harder for courts to understand (and for the matter for prosecutors to identify suitable caselaw that makes the current > case somewhat more open and shut).
I completely agree. And there is a fairly recent & notorious case...
[[ Also, I have been told that some forgeries are laughably inept, whereas laughably weak passwords are a little harder to spot ]]
Nonetheless, the key idea is that we should be turning to "cryptographic trust", instead of papers (forged or not). Best Regards, Carlos
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 --
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Hello Carlos,
Even if who signs it can't hold what they claim with the RIRs' trust anchors
If you believe this is true, then you can forward a claim to the local authorities as signing a Fake LOA is a criminal offense which could end in imprisonment. Best Regards, Tomás
On 19 Jan 2024, at 08:52, Carlos Friaças via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
On Friday, 19 January 2024 at 08:36, Gert Doering <gert@space.net> wrote:
It's a good writeup to enlighten the unenlighted, but hardly a "novel approach" ("introduces the idea...") - this is how we've run our network for the last 20 years, or so. IRR filters based on RIPE route: objects, and later on ROA info.
Paper never played any role in authorizing route announcements here (not even fax).
Hi,
Great for you and the networks you manage, unfortunately (in the ~75k networks/autonomous systems) there is still people around the world that accept and rely on simple signed papers by someone. Even if who signs it can't hold what they claim with the RIRs' trust anchors... ;-)
ps: unfortunately i have not enabled IPv6 on something today (did my part long ago...), but last week i still received a LoA :-) so yes, some people are still pushing papers.
Cheers, Carlos
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Greetings, One can always go to the local authorities, then jurisdiction and how the local justice/court system works comes into play. The RIRs have an authoritative view about who owns what, and they share it with everyone, so to me that's the simplest way. Regards, Carlos On Friday, 19 January 2024 at 15:06, Tomás Leite de Castro via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
Hello Carlos,
Even if who signs it can't hold what they claim with the RIRs' trust anchors
If you believe this is true, then you can forward a claim to the local authorities as signing a Fake LOA is a criminal offense which could end in imprisonment.
Best Regards,
Tomás
participants (4)
-
Carlos Friaças -
Gert Doering -
Richard Clayton -
Tomás Leite de Castro