LoA (Letter of Authorization) for Prefix Filter Modification?

Skywing Skywing at valhallalegends.com
Wed Sep 17 01:28:00 UTC 2008


It is only a good audit trail if the audit log can be trusted, though.  Given how "secure" things like faxes are, well, that's a thing for another day, I suppose.

Very few things out there in today's interconnected world really provide "hard" security, instead of security theatre/CYA/minor deterrants/"keeping honest people honest".

That is not to say that these things have zero inherent value, at least in my mind, but they are not IMO to be confused with high security (as in military grade versus making a few clever [socially engineered] phone calls).

Even so, much of the modern day business world relies on these things to some degree or another.

- S

-----Original Message-----
From: Joe Greco <jgreco at ns.sol.net>
Sent: Tuesday, September 16, 2008 11:15
To: Jon Lewis <jlewis at lewis.org>
Cc: Rodriguez Mauricio <Mauricio.Rodriguez at fpl.com>; nanog at nanog.org <nanog at nanog.org>
Subject: Re: LoA (Letter of Authorization) for Prefix Filter Modification?


> On Tue, 16 Sep 2008, Christian Koch wrote:
> > I dont mind, i think it is another good step towards 'good filtering'
> > but...i think the PITA part is
> > downstream 'clueless' customers, who may need an explanation on prefix
> > hijacking and the state
> > of the internet today, and that these are all just combined efforts to
> > minimize the risk of accepting allocations
> > that don't belong to you.
>
> IMO, it's just an illusion of added security and is really just CYA for
> the provider.  When I fax TWTelecom an LOA that a customer faxed to me,
> how does TWTelecom verify the authenticity of that LOA?  I doubt they try.
> I suspect it's just filed, and will only be pulled out if the
> advertisement is challenged by some 3rd party.

How do you verify the authenticity of anything?  This is a common problem
in the Real World, and is hardly limited to LoA's.

How do you prove that what was on Pages 1 to (N-1) of an N page contract
contained the words you think they said?  I knew a guy, back in the early
days, who habitually changed the SLA's in his contracts so that he could
cancel a contract for virtually no reason at all ... the folly of mailing
around contracts as .doc files in e-mail.  But even failing that, it's
pretty trivial to reprint a document, so where do you stop, do you use
special paper, special ink, watermarking of documents, initial each page,
all of the above, etc?

Look at what people are willing to go through with paper checks to
increase the chances of authenticity.  Google Abagnale.

The real world already has ways of dealing with fraud and forgery, and
while the paper is certainly CYA for the provider, it does provide an
actual trail back that can probably be followed to some party.  To refer
to it as an "illusion" is only vaguely true.  It is an illusion in that
it will not prevent all cases of hijacking.  Of course.  However, it is
another step that makes it significantly more difficult for someone to
just start announcing random bits of IP space.

It's just like physical security, in many ways.  Given a sufficiently
determined attacker, any door can be broken.  Wood door?  May require
only my boot.  Steel door?  Prybar.  Bank vault?  Explosives.  Etc.
The thing is, as you increase the level of protection, the ease of
countermeasures typically decreases (I wear my boots almost 100% of
the time, I may have a prybar nearby, but I am unlikely to be carrying
explosives at any time.)

So let's not trivialize improvements such as LoA's which reduce the ease
of hijackings, eh.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.





More information about the NANOG mailing list