Why are paper LOAs still used?

Carlos Friaças cfriacas at fccn.pt
Tue Feb 27 08:39:50 UTC 2024


Hi,
(please see inline)


On Mon, 26 Feb 2024, Tom Samplonius wrote:

>
>  There is one purpose:  to facilitate IP fraud, and maintain currently fraudulently routed IPs.

Yes!


>  Anyone can dummy up a LOA.  And there is still quite a lot of unrouted 
> IP space.

Yes. But the endgame is not always the same, when miscreants push fake 
LOAs (for routing).

I was recently made aware of https://loa.tools

This is how easy it gets......



> VPS providers know this, and know their customers are submitting fake 
> LOAs.

Then it's a good idea to require cryptographic evidence of 
ownership/authorization, by resorting to RPKI/ROV.



> But it is sort of the business VPS providers are in.

That can be true for some. I hope it isn't true for the majority of them.



>  Is it some sort of serious crime in the US though?  Well, just submit 
> the LOA from outside the US.  Plus, the entity being defrauded is the IP 
> holder, not the VPS provider or their customer.  If you are an IP 
> holder, good luck getting the VPS provider to give you a copy of the 
> fake LOA.  It is not in their interest to throw their customers under 
> the bus.  You would have to give them a court order.  So if you look 
> for unrouted IP space, registered to a non-US organization (ex. Canada), 
> and submit a fake LOA from another country (London, UK for instance), 
> you are unlikely to get tracked down for wire fraud.

Good example, but there are also some less central 
jurisdictions/countries/territories, where local law enforcement 
cooperation is even harder to get. And miscreants know this very well.



> And you might ask, well, why would a VPS provider accept an LOA from 
> the UK for an IP block registered to a Canadian organization?  Well, 
> clearly it isn't in the VPS provider's interest to look into the LOAs 
> too much.

While it doesn't change anything in the "interest" vector, resorting to 
RPKI/ROV would probably be less work.



> As long as the IP space is unrouted, they will approve it.  The LOA is 
> basically just a liability shield for the VPS provider.  It is not a 
> crime to be deceived, though the due diligence beggars belief.

Even if the IP space is routed, can't anycast be invoked...? :-)))



>  So I had this happen.  There was a /24 being hijacked by a VPS 
> provider.  I told them this was fraud, and they asked me if I wanted to 
> "rescind the LOA".  I told them I never gave them a LOA.  They dropped 
> the /24 immediately.  They refused to provide a copy of the LOA.  So 
> pretty hard to pursue any sort of wire fraud charges.

That's the thing with LOAs for routing, the only way to be sure is to 
check if there is a valid ROA with the prefix, length and ASN. :-)

If the customer can't make a valid ROA, or make the legitimate owner 
produce one, then the claim on the LOA is bogus...



>  So a VPS provider asking for a paper LOA is basically asking you to 
> lie to them, to protect them from liability.  They will just drop the IP 
> prefix if there is any contact from the actual IP holder.

If the legitimate IP holder has closed shop, there will not be a contact. 
And miscreants also know this very well...


Cheers,
Carlos



> Tom
>
>
>
>> On Feb 26, 2024, at 10:57 AM, Seth Mattinen via NANOG <nanog at nanog.org> wrote:
>>
>> Why do companies still insist on, or deploy new systems that rely on paper LOA for IP and ASN resources? How can this be considered more trustworthy than RIR based IRR records?
>>
>> And I'm not even talking about old companies, I have a situation right now where a VPS provider I'm using will no longer use IRR and only accepts new paper LOAs. In the year 2024. I don't understand how anyone can go backwards like that.
>>
>> ~Seth
>
>

